feat: Add DigestUpsertRequest and LockEntity models

- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.

docs/modules/scanner/fixtures/adapters/README.md

@@ -0,0 +1,4 @@
+# Downgrade Adapters (SC4)
+- Location for mapping CSVs converting CVSS v4→v3.1, CDX 1.7→1.6, SLSA 1.2→1.0.
+- Each CSV must include BLAKE3 and SHA256 hash recorded in accompanying `hashes.txt`.
+- Adapters are pure (no network); determinism enforced in CI.

docs/modules/scanner/fixtures/adapters/hashes.txt

@@ -0,0 +1 @@
+mapping-cdx17-to-cdx16.csv: BLAKE3=<TBD> SHA256=<TBD>

docs/modules/scanner/fixtures/cdx17-cbom/README.md

@@ -0,0 +1,4 @@
+# CDX 1.7 + CBOM Fixtures (SC2/SC5/SC8)
+- Golden payloads: `sample-cdx17-cbom.json`, downgraded `sample-cdx16.json`, with `hashes.txt` (BLAKE3, SHA256).
+- Must include CVSS v4 + v3.1 ratings, CBOM ingress/egress, evidence properties, SLSA Source Track fields.
+- Used by determinism CI to assert stable ordering/hashes.

docs/modules/scanner/fixtures/cdx17-cbom/hashes.txt

@@ -0,0 +1,3 @@
+# placeholder; compute BLAKE3 and SHA256 after schemas stabilize
+sample-cdx17-cbom.json: BLAKE3=<TBD> SHA256=<TBD>
+sample-cdx16.json: BLAKE3=<TBD> SHA256=<TBD>

docs/modules/scanner/fixtures/cdx17-cbom/sample-cdx17-cbom.json

@@ -0,0 +1,41 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2025-01-01T00:00:00Z",
+    "component": {
+      "type": "application",
+      "name": "demo-app",
+      "version": "1.0.0",
+      "purl": "pkg:demo/demo-app@1.0.0",
+      "hashes": [ { "alg": "SHA-256", "content": "d" } ],
+      "evidence": { "properties": [ { "name": "evidence:source", "value": "fixture" } ] }
+    },
+    "tools": [ { "vendor": "stellaops", "name": "scanner", "version": "0.0.0-fixture" } ]
+  },
+  "services": [
+    {
+      "name": "api",
+      "properties": [
+        { "name": "cbom:ingress", "value": "https" },
+        { "name": "cbom:egress", "value": "postgres" }
+      ]
+    }
+  ],
+  "components": [
+    { "type": "library", "name": "lib-a", "version": "1.2.3", "purl": "pkg:demo/lib-a@1.2.3" },
+    { "type": "library", "name": "lib-b", "version": "2.0.0", "purl": "pkg:demo/lib-b@2.0.0" }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "CVE-0000-0001",
+      "source": { "name": "NVD" },
+      "ratings": [
+        { "source": { "name": "NVD" }, "method": "CVSSv4", "score": 8.0, "vector": "CVSS:4.0/AV:N/AC:L" },
+        { "source": { "name": "NVD" }, "method": "CVSSv3.1", "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }
+      ]
+    }
+  ]
+}

docs/modules/scanner/fixtures/competitor-adapters/README.md

@@ -0,0 +1,4 @@
+# Competitor Adapters (CM1–CM10)
+- Place mapping CSVs for Syft/Trivy/Clair → StellaOps normalized schema.
+- Store golden fixtures under `fixtures/` with expected normalized output + `hashes.txt` (BLAKE3, SHA256).
+- Keep coverage matrix in `coverage.csv`; benchmark logs/hashes alongside fixtures.

docs/modules/scanner/fixtures/competitor-adapters/fixtures/hashes.txt

@@ -0,0 +1 @@
+# Golden outputs for Syft/Trivy/Clair fixtures; fill after adapter code lands