feat: Add DigestUpsertRequest and LockEntity models

- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.

docs/airgap/receipt.schema.json

@@ -0,0 +1,55 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.local/airgap/receipt.schema.json",
+  "title": "AirGap Ingress/Egress Receipt",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "schemaVersion",
+    "receiptId",
+    "direction",
+    "bundleId",
+    "tenant",
+    "operator",
+    "occurredAt",
+    "decision",
+    "hashes"
+  ],
+  "properties": {
+    "schemaVersion": { "type": "string", "pattern": "^1\\.\\d+\\.\\d+$" },
+    "receiptId": { "type": "string", "pattern": "^receipt:[A-Za-z0-9._:-]+$" },
+    "direction": { "type": "string", "enum": ["ingress", "egress"] },
+    "bundleId": { "type": "string", "pattern": "^offline-kit:[A-Za-z0-9._:-]+$" },
+    "tenant": { "type": "string", "minLength": 1 },
+    "operator": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["id", "role"],
+      "properties": {
+        "id": { "type": "string" },
+        "role": { "type": "string" }
+      }
+    },
+    "occurredAt": { "type": "string", "format": "date-time" },
+    "decision": { "type": "string", "enum": ["allow", "deny", "quarantine"] },
+    "hashes": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["bundleSha256", "manifestSha256"],
+      "properties": {
+        "bundleSha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" },
+        "manifestSha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" }
+      }
+    },
+    "dsse": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "envelopeDigest": { "type": "string", "pattern": "^sha256:[A-Fa-f0-9]{64}$" },
+        "signer": { "type": "string" },
+        "rekorUuid": { "type": "string" }
+      }
+    },
+    "notes": { "type": "string" }
+  }
+}