feat: Add new provenance and crypto registry documentation

- Introduced attestation inventory and subject-rekor mapping files for tracking Docker packages.
- Added a comprehensive crypto registry decision document outlining defaults and required follow-ups.
- Created an offline feeds manifest for bundling air-gap resources.
- Implemented a script to generate and update binary manifests for curated binaries.
- Added a verification script to ensure binary artefacts are located in approved directories.
- Defined new schemas for AdvisoryEvidenceBundle, OrchestratorEnvelope, ScannerReportReadyPayload, and ScannerScanCompletedPayload.
- Established project files for StellaOps.Orchestrator.Schemas and StellaOps.PolicyAuthoritySignals.Contracts.
- Updated vendor manifest to track pinned binaries for integrity.

docs/events/samples/advisoryai.evidence.bundle@0.sample.json

@@ -0,0 +1,32 @@
+{
+  "bundleId": "19bd7cf7-c7a6-4c1c-9b9c-6f2f794e9b1a",
+  "advisoryId": "CVE-2025-12345",
+  "tenant": "demo-tenant",
+  "generatedAt": "2025-11-18T12:00:00Z",
+  "schemaVersion": 0,
+  "observations": [
+    {
+      "observationId": "obs-001",
+      "source": "vendor.psirt",
+      "purl": "pkg:maven/org.example/app@1.2.3",
+      "cve": "CVE-2025-12345",
+      "severity": "critical",
+      "cvss": {
+        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+        "score": 9.8
+      },
+      "summary": "Remote code execution via deserialization of untrusted data.",
+      "evidence": {
+        "statement": "Vendor confirms unauthenticated RCE in versions <1.2.4",
+        "references": ["https://example.com/advisory"]
+      }
+    }
+  ],
+  "signatures": [
+    {
+      "signature": "MEQCID...==",
+      "keyId": "authority-root-1",
+      "algorithm": "ecdsa-p256-sha256"
+    }
+  ]
+}