feat: Add new provenance and crypto registry documentation

- Introduced attestation inventory and subject-rekor mapping files for tracking Docker packages.
- Added a comprehensive crypto registry decision document outlining defaults and required follow-ups.
- Created an offline feeds manifest for bundling air-gap resources.
- Implemented a script to generate and update binary manifests for curated binaries.
- Added a verification script to ensure binary artefacts are located in approved directories.
- Defined new schemas for AdvisoryEvidenceBundle, OrchestratorEnvelope, ScannerReportReadyPayload, and ScannerScanCompletedPayload.
- Established project files for StellaOps.Orchestrator.Schemas and StellaOps.PolicyAuthoritySignals.Contracts.
- Updated vendor manifest to track pinned binaries for integrity.

.gitea/workflows/api-governance.yml

@@ -0,0 +1,27 @@
+name: api-governance
+on:
+  push:
+    paths:
+      - "src/Api/**"
+      - ".spectral.yaml"
+      - "package.json"
+  pull_request:
+    paths:
+      - "src/Api/**"
+      - ".spectral.yaml"
+      - "package.json"
+
+jobs:
+  spectral-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "18"
+      - name: Install npm deps
+        run: npm install --ignore-scripts --no-progress
+      - name: Spectral lint (fail on warning+)
+        run: npm run api:lint

.gitea/workflows/build-test-deploy.yml

@@ -84,6 +84,14 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Verify binary layout
+        run: scripts/verify-binaries.sh
+
+      - name: Ensure binary manifests are up to date
+        run: |
+          python3 scripts/update-binary-manifests.py
+          git diff --exit-code local-nugets/manifest.json vendor/manifest.json offline/feeds/manifest.json
+
       - name: Ensure Mongo test URI configured
         run: |
           if [ -z "${STELLAOPS_TEST_MONGO_URI:-}" ]; then