feat: Add new provenance and crypto registry documentation

- Introduced attestation inventory and subject-rekor mapping files for tracking Docker packages.
- Added a comprehensive crypto registry decision document outlining defaults and required follow-ups.
- Created an offline feeds manifest for bundling air-gap resources.
- Implemented a script to generate and update binary manifests for curated binaries.
- Added a verification script to ensure binary artefacts are located in approved directories.
- Defined new schemas for AdvisoryEvidenceBundle, OrchestratorEnvelope, ScannerReportReadyPayload, and ScannerScanCompletedPayload.
- Established project files for StellaOps.Orchestrator.Schemas and StellaOps.PolicyAuthoritySignals.Contracts.
- Updated vendor manifest to track pinned binaries for integrity.

src/__Libraries/StellaOps.Orchestrator.Schemas/AdvisoryEvidenceBundle.cs

@@ -0,0 +1,75 @@
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Orchestrator.Schemas;
+
+public sealed record AdvisoryEvidenceBundle
+{
+    [JsonPropertyName("bundleId")]
+    public string BundleId { get; init; } = string.Empty;
+
+    [JsonPropertyName("advisoryId")]
+    public string AdvisoryId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("generatedAt")]
+    public DateTimeOffset GeneratedAt { get; init; }
+
+    [JsonPropertyName("schemaVersion")]
+    public int SchemaVersion { get; init; } = 0;
+
+    [JsonPropertyName("observations")]
+    public IReadOnlyList<AdvisoryObservation> Observations { get; init; } = Array.Empty<AdvisoryObservation>();
+
+    [JsonPropertyName("signatures")]
+    public IReadOnlyList<SignatureInfo>? Signatures { get; init; }
+}
+
+public sealed record AdvisoryObservation
+{
+    [JsonPropertyName("observationId")]
+    public string ObservationId { get; init; } = string.Empty;
+
+    [JsonPropertyName("source")]
+    public string Source { get; init; } = string.Empty;
+
+    [JsonPropertyName("purl")]
+    public string? Purl { get; init; }
+
+    [JsonPropertyName("cve")]
+    public string? Cve { get; init; }
+
+    [JsonPropertyName("severity")]
+    public string? Severity { get; init; }
+
+    [JsonPropertyName("cvss")]
+    public CvssVector? Cvss { get; init; }
+
+    [JsonPropertyName("summary")]
+    public string? Summary { get; init; }
+
+    [JsonPropertyName("evidence")]
+    public IDictionary<string, object>? Evidence { get; init; }
+}
+
+public sealed record CvssVector
+{
+    [JsonPropertyName("vector")]
+    public string? Vector { get; init; }
+
+    [JsonPropertyName("score")]
+    public double? Score { get; init; }
+}
+
+public sealed record SignatureInfo
+{
+    [JsonPropertyName("signature")]
+    public string Signature { get; init; } = string.Empty;
+
+    [JsonPropertyName("keyId")]
+    public string KeyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("algorithm")]
+    public string? Algorithm { get; init; }
+}

src/__Libraries/StellaOps.Orchestrator.Schemas/OrchestratorEnvelope.cs

@@ -0,0 +1,72 @@
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Orchestrator.Schemas;
+
+public sealed record OrchestratorEnvelope<TPayload>
+{
+    [JsonPropertyName("eventId")]
+    public Guid EventId { get; init; }
+
+    [JsonPropertyName("kind")]
+    public string Kind { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("occurredAt")]
+    public DateTimeOffset OccurredAt { get; init; }
+
+    [JsonPropertyName("recordedAt")]
+    public DateTimeOffset? RecordedAt { get; init; }
+
+    [JsonPropertyName("source")]
+    public string Source { get; init; } = string.Empty;
+
+    [JsonPropertyName("idempotencyKey")]
+    public string IdempotencyKey { get; init; } = string.Empty;
+
+    [JsonPropertyName("correlationId")]
+    public string? CorrelationId { get; init; }
+
+    [JsonPropertyName("traceId")]
+    public string? TraceId { get; init; }
+
+    [JsonPropertyName("spanId")]
+    public string? SpanId { get; init; }
+
+    [JsonPropertyName("scope")]
+    public OrchestratorScope? Scope { get; init; }
+
+    [JsonPropertyName("attributes")]
+    public IDictionary<string, string>? Attributes { get; init; }
+
+    [JsonPropertyName("payload")]
+    public TPayload Payload { get; init; } = default!;
+}
+
+public sealed record OrchestratorScope
+{
+    [JsonPropertyName("namespace")]
+    public string? Namespace { get; init; }
+
+    [JsonPropertyName("repo")]
+    public string Repo { get; init; } = string.Empty;
+
+    [JsonPropertyName("digest")]
+    public string Digest { get; init; } = string.Empty;
+
+    [JsonPropertyName("component")]
+    public string? Component { get; init; }
+
+    [JsonPropertyName("image")]
+    public string? Image { get; init; }
+}
+
+public static class OrchestratorEventKinds
+{
+    public const string ScannerReportReady = "scanner.event.report.ready";
+    public const string ScannerScanCompleted = "scanner.event.scan.completed";
+}

src/__Libraries/StellaOps.Orchestrator.Schemas/ScannerReportReadyPayload.cs

@@ -0,0 +1,124 @@
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Orchestrator.Schemas;
+
+public sealed record ScannerReportReadyPayload
+{
+    [JsonPropertyName("reportId")]
+    public string ReportId { get; init; } = string.Empty;
+
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("imageDigest")]
+    public string? ImageDigest { get; init; }
+
+    [JsonPropertyName("generatedAt")]
+    public DateTimeOffset GeneratedAt { get; init; }
+
+    [JsonPropertyName("verdict")]
+    public string Verdict { get; init; } = string.Empty;
+
+    [JsonPropertyName("summary")]
+    public Summary Summary { get; init; } = new();
+
+    [JsonPropertyName("delta")]
+    public Delta? Delta { get; init; }
+
+    [JsonPropertyName("quietedFindingCount")]
+    public int? QuietedFindingCount { get; init; }
+
+    [JsonPropertyName("policy")]
+    public PolicyRevision? Policy { get; init; }
+
+    [JsonPropertyName("links")]
+    public ReportLinks Links { get; init; } = new();
+
+    [JsonPropertyName("dsse")]
+    public DsseEnvelope? Dsse { get; init; }
+
+    [JsonPropertyName("report")]
+    public JsonElement Report { get; init; }
+}
+
+public sealed record Summary
+{
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+
+    [JsonPropertyName("blocked")]
+    public int Blocked { get; init; }
+
+    [JsonPropertyName("warned")]
+    public int Warned { get; init; }
+
+    [JsonPropertyName("ignored")]
+    public int Ignored { get; init; }
+
+    [JsonPropertyName("quieted")]
+    public int Quieted { get; init; }
+}
+
+public sealed record Delta
+{
+    [JsonPropertyName("newCritical")]
+    public int? NewCritical { get; init; }
+
+    [JsonPropertyName("newHigh")]
+    public int? NewHigh { get; init; }
+
+    [JsonPropertyName("kev")]
+    public IReadOnlyList<string>? Kev { get; init; }
+}
+
+public sealed record PolicyRevision
+{
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("revisionId")]
+    public string? RevisionId { get; init; }
+}
+
+public sealed record ReportLinks
+{
+    [JsonPropertyName("report.ui")]
+    public string? ReportUi { get; init; }
+
+    [JsonPropertyName("report.api")]
+    public string? ReportApi { get; init; }
+
+    [JsonPropertyName("policy.ui")]
+    public string? PolicyUi { get; init; }
+
+    [JsonPropertyName("policy.api")]
+    public string? PolicyApi { get; init; }
+
+    [JsonPropertyName("attestation.ui")]
+    public string? AttestationUi { get; init; }
+
+    [JsonPropertyName("attestation.api")]
+    public string? AttestationApi { get; init; }
+}
+
+public sealed record DsseEnvelope
+{
+    [JsonPropertyName("payloadType")]
+    public string PayloadType { get; init; } = string.Empty;
+
+    [JsonPropertyName("payload")]
+    public string Payload { get; init; } = string.Empty;
+
+    [JsonPropertyName("signatures")]
+    public IReadOnlyList<DsseSignature> Signatures { get; init; } = Array.Empty<DsseSignature>();
+}
+
+public sealed record DsseSignature
+{
+    [JsonPropertyName("keyid")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("sig")]
+    public string Sig { get; init; } = string.Empty;
+}

src/__Libraries/StellaOps.Orchestrator.Schemas/ScannerScanCompletedPayload.cs

@@ -0,0 +1,58 @@
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Orchestrator.Schemas;
+
+public sealed record ScannerScanCompletedPayload
+{
+    [JsonPropertyName("reportId")]
+    public string ReportId { get; init; } = string.Empty;
+
+    [JsonPropertyName("scanId")]
+    public string ScanId { get; init; } = string.Empty;
+
+    [JsonPropertyName("imageDigest")]
+    public string? ImageDigest { get; init; }
+
+    [JsonPropertyName("verdict")]
+    public string Verdict { get; init; } = string.Empty;
+
+    [JsonPropertyName("summary")]
+    public Summary Summary { get; init; } = new();
+
+    [JsonPropertyName("delta")]
+    public Delta? Delta { get; init; }
+
+    [JsonPropertyName("policy")]
+    public PolicyRevision? Policy { get; init; }
+
+    [JsonPropertyName("links")]
+    public ReportLinks Links { get; init; } = new();
+
+    [JsonPropertyName("findings")]
+    public IReadOnlyList<ScanFinding>? Findings { get; init; }
+
+    [JsonPropertyName("dsse")]
+    public DsseEnvelope? Dsse { get; init; }
+
+    [JsonPropertyName("report")]
+    public JsonElement? Report { get; init; }
+}
+
+public sealed record ScanFinding
+{
+    [JsonPropertyName("id")]
+    public string Id { get; init; } = string.Empty;
+
+    [JsonPropertyName("severity")]
+    public string Severity { get; init; } = string.Empty;
+
+    [JsonPropertyName("cve")]
+    public string? Cve { get; init; }
+
+    [JsonPropertyName("purl")]
+    public string? Purl { get; init; }
+
+    [JsonPropertyName("reachability")]
+    public string? Reachability { get; init; }
+}

src/__Libraries/StellaOps.Orchestrator.Schemas/StellaOps.Orchestrator.Schemas.csproj

@@ -0,0 +1,7 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+</Project>

src/__Libraries/StellaOps.PolicyAuthoritySignals.Contracts/Contracts.cs

@@ -0,0 +1,39 @@
+using System.Text.Json.Serialization;
+
+namespace StellaOps.PolicyAuthoritySignals.Contracts;
+
+public sealed record PolicyContract
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string Version { get; init; } = "0.1-draft";
+
+    [JsonPropertyName("rulesHash")]
+    public string? RulesHash { get; init; }
+}
+
+public sealed record TenantScope
+{
+    [JsonPropertyName("tenantId")]
+    public string TenantId { get; init; } = string.Empty;
+
+    [JsonPropertyName("scopes")]
+    public IReadOnlyList<string> Scopes { get; init; } = Array.Empty<string>();
+}
+
+public sealed record SignalSymbol
+{
+    [JsonPropertyName("symbolId")]
+    public string SymbolId { get; init; } = string.Empty;
+
+    [JsonPropertyName("language")]
+    public string? Language { get; init; }
+
+    [JsonPropertyName("package")]
+    public string? Package { get; init; }
+
+    [JsonPropertyName("version")]
+    public string? Version { get; init; }
+}

src/__Libraries/StellaOps.PolicyAuthoritySignals.Contracts/StellaOps.PolicyAuthoritySignals.Contracts.csproj

@@ -0,0 +1,7 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+</Project>