feat: Add DigestUpsertRequest and LockEntity models

- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.

src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleBuilder.cs

@@ -13,6 +13,7 @@ public sealed class RiskBundleBuilder
 {
     private const string ManifestVersion = "1";
     private static readonly string[] MandatoryProviderIds = { "cisa-kev" };
+    private static readonly string[] OptionalOsvIds = { "osv" };
     private static readonly UnixFileMode DefaultFileMode = UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.GroupRead | UnixFileMode.OtherRead;
     private static readonly DateTimeOffset FixedTimestamp = new(2024, 01, 01, 0, 0, 0, TimeSpan.Zero);
 
@@ -37,6 +38,10 @@ public sealed class RiskBundleBuilder
         }
 
         var providers = CollectProviders(request, cancellationToken);
+        if (request.IncludeOsv && providers.All(p => p.ProviderId != "osv"))
+        {
+            throw new InvalidOperationException("IncludeOsv was requested but no OSV provider input was supplied.");
+        }
         var manifest = BuildManifest(request.BundleId, providers);
         var manifestJson = JsonSerializer.Serialize(manifest, SerializerOptions);
         var rootHash = ComputeSha256(manifestJson);
@@ -57,7 +62,9 @@ public sealed class RiskBundleBuilder
         var entries = new List<RiskBundleProviderEntry>(request.Providers.Count);
         var seen = new HashSet<string>(StringComparer.Ordinal);
 
-        foreach (var provider in request.Providers.OrderBy(p => p.ProviderId, StringComparer.Ordinal))
+        foreach (var provider in request.Providers
+                     .Where(p => request.IncludeOsv || !OptionalOsvIds.Contains(p.ProviderId, StringComparer.Ordinal))
+                     .OrderBy(p => p.ProviderId, StringComparer.Ordinal))
         {
             cancellationToken.ThrowIfCancellationRequested();
 
@@ -125,6 +132,11 @@ public sealed class RiskBundleBuilder
             }
         }
 
+        if (!request.IncludeOsv)
+        {
+            // Non-OSV builds may still carry optional providers; already filtered above.
+        }
+
         return entries;
     }
 

src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleJob.cs

@@ -5,7 +5,9 @@ namespace StellaOps.ExportCenter.RiskBundles;
 public sealed record RiskBundleJobRequest(
     RiskBundleBuildRequest BuildRequest,
     string StoragePrefix = "risk-bundles",
-    string BundleFileName = "risk-bundle.tar.gz");
+    string BundleFileName = "risk-bundle.tar.gz",
+    bool IncludeOsv = false,
+    bool AllowStaleOptional = true);
 
 public sealed record RiskBundleJobOutcome(
     RiskBundleManifest Manifest,

src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleModels.cs

@@ -36,7 +36,9 @@ public sealed record RiskBundleBuildRequest(
     string BundlePrefix = "risk-bundles",
     string ManifestFileName = "provider-manifest.json",
     string ManifestDsseFileName = "provider-manifest.dsse",
-    bool AllowMissingOptional = true);
+    bool AllowMissingOptional = true,
+    bool AllowStaleOptional = true,
+    bool IncludeOsv = false);
 
 public sealed record RiskBundleBuildResult(
     RiskBundleManifest Manifest,

src/ExportCenter/StellaOps.ExportCenter.RiskBundles/StellaOps.ExportCenter.RiskBundles.csproj

@@ -7,6 +7,7 @@
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
   </PropertyGroup>
   <ItemGroup>
+    <ProjectReference Include="../StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/StellaOps.ExportCenter.Infrastructure.csproj" />
     <ProjectReference Include="../StellaOps.ExportCenter/StellaOps.ExportCenter.Core/StellaOps.ExportCenter.Core.csproj" />
   </ItemGroup>
   <ItemGroup>