feat: Add DigestUpsertRequest and LockEntity models

- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.

src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/HmacDsseEnvelopeSigner.cs

@@ -8,6 +8,8 @@ using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using StellaOps.Scanner.Surface.Env;
+using StellaOps.Scanner.Surface.Secrets;
 using StellaOps.Scanner.Worker.Options;
 
 namespace StellaOps.Scanner.Worker.Processing.Surface;
@@ -26,7 +28,8 @@ internal sealed class HmacDsseEnvelopeSigner : IDsseEnvelopeSigner, IDisposable
 
     public HmacDsseEnvelopeSigner(
         IOptions<ScannerWorkerOptions> options,
-        ILogger<HmacDsseEnvelopeSigner> logger)
+        ILogger<HmacDsseEnvelopeSigner> logger,
+        IServiceProvider serviceProvider)
     {
         ArgumentNullException.ThrowIfNull(options);
         _logger = logger ?? throw new ArgumentNullException(nameof(logger));
@@ -41,6 +44,12 @@ internal sealed class HmacDsseEnvelopeSigner : IDsseEnvelopeSigner, IDisposable
         }
 
         var secretBytes = LoadSecret(signing);
+
+        if ((secretBytes is null || secretBytes.Length == 0) && serviceProvider.GetService<ISurfaceSecretProvider>() is { } secretProvider)
+        {
+            secretBytes = TryLoadFromSurfaceSecrets(secretProvider, serviceProvider.GetService<ISurfaceEnvironment>());
+        }
+
         if (secretBytes is not null && secretBytes.Length > 0)
         {
             _hmac = new HMACSHA256(secretBytes);
@@ -50,6 +59,10 @@ internal sealed class HmacDsseEnvelopeSigner : IDsseEnvelopeSigner, IDisposable
         {
             throw new InvalidOperationException("DSSE signing enabled but no shared secret provided and deterministic fallback is disabled.");
         }
+        else
+        {
+            _logger.LogWarning("DSSE signing fallback engaged: no signing secret found; emitting deterministic envelopes only.");
+        }
     }
 
     public Task<DsseEnvelope> SignAsync(string payloadType, ReadOnlyMemory<byte> content, string suggestedKind, string merkleRoot, string? view, CancellationToken cancellationToken)
@@ -112,6 +125,44 @@ internal sealed class HmacDsseEnvelopeSigner : IDsseEnvelopeSigner, IDisposable
         return null;
     }
 
+    private static byte[]? TryLoadFromSurfaceSecrets(ISurfaceSecretProvider provider, ISurfaceEnvironment? environment)
+    {
+        try
+        {
+            var tenant = environment?.Settings.Tenant ?? "default";
+            var request = new SurfaceSecretRequest(tenant, component: "scanner-worker", secretType: "attestation", name: "dsse-signing");
+            var handle = provider.TryGetSecret(request, CancellationToken.None);
+            if (handle is null)
+            {
+                return null;
+            }
+
+            if (handle.Secret.TryGetProperty("privateKeyPem", out var privateKeyPem) && privateKeyPem.ValueKind == JsonValueKind.String)
+            {
+                var pem = privateKeyPem.GetString();
+                if (!string.IsNullOrWhiteSpace(pem))
+                {
+                    return Encoding.UTF8.GetBytes(pem);
+                }
+            }
+
+            if (handle.Secret.TryGetProperty("token", out var token) && token.ValueKind == JsonValueKind.String)
+            {
+                var value = token.GetString();
+                if (!string.IsNullOrWhiteSpace(value))
+                {
+                    return Encoding.UTF8.GetBytes(value);
+                }
+            }
+        }
+        catch
+        {
+            // ignored; fallback handled by caller
+        }
+
+        return null;
+    }
+
     private static byte[]? DecodeFlexible(string value)
     {
         // Try base64 (std)