feat: Add DigestUpsertRequest and LockEntity models

- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.

src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/SchedulerQueueContracts.cs

@@ -1,10 +1,11 @@
 using System;
 using System.Collections.Generic;
-using System.Collections.ObjectModel;
-using System.Text.Json.Serialization;
-using System.Threading;
-using System.Threading.Tasks;
-using StellaOps.Scheduler.Models;
+using System.Collections.ObjectModel;
+using System.Text.Json.Serialization;
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Scheduler.Models;
+using StellaOps.Scheduler.Worker.Planning;
 
 namespace StellaOps.Scheduler.Queue;
 
@@ -49,10 +50,11 @@ public sealed class PlannerQueueMessage
     public string? ScheduleId => Run.ScheduleId;
 }
 
-public sealed class RunnerSegmentQueueMessage
-{
-    private readonly ReadOnlyCollection<string> _imageDigests;
-    private readonly IReadOnlyDictionary<string, string> _attributes;
+public sealed class RunnerSegmentQueueMessage
+{
+    private readonly ReadOnlyCollection<string> _imageDigests;
+    private readonly IReadOnlyDictionary<string, string> _attributes;
+    private readonly IReadOnlyDictionary<string, SurfaceManifestPointer> _surfaceManifests;
 
     [JsonConstructor]
     public RunnerSegmentQueueMessage(
@@ -60,12 +62,13 @@ public sealed class RunnerSegmentQueueMessage
         string runId,
         string tenantId,
         IReadOnlyList<string> imageDigests,
-        string? scheduleId = null,
-        int? ratePerSecond = null,
-        bool usageOnly = true,
-        IReadOnlyDictionary<string, string>? attributes = null,
-        string? correlationId = null)
-    {
+        string? scheduleId = null,
+        int? ratePerSecond = null,
+        bool usageOnly = true,
+        IReadOnlyDictionary<string, string>? attributes = null,
+        string? correlationId = null,
+        IReadOnlyDictionary<string, SurfaceManifestPointer>? surfaceManifests = null)
+    {
         if (string.IsNullOrWhiteSpace(segmentId))
         {
             throw new ArgumentException("Segment identifier must be provided.", nameof(segmentId));
@@ -86,14 +89,17 @@ public sealed class RunnerSegmentQueueMessage
         TenantId = tenantId;
         ScheduleId = string.IsNullOrWhiteSpace(scheduleId) ? null : scheduleId;
         RatePerSecond = ratePerSecond;
-        UsageOnly = usageOnly;
-        CorrelationId = string.IsNullOrWhiteSpace(correlationId) ? null : correlationId;
-
-        _imageDigests = new ReadOnlyCollection<string>(NormalizeDigests(imageDigests));
-        _attributes = attributes is null
-            ? EmptyReadOnlyDictionary<string, string>.Instance
-            : new ReadOnlyDictionary<string, string>(new Dictionary<string, string>(attributes, StringComparer.Ordinal));
-    }
+        UsageOnly = usageOnly;
+        CorrelationId = string.IsNullOrWhiteSpace(correlationId) ? null : correlationId;
+
+        _imageDigests = new ReadOnlyCollection<string>(NormalizeDigests(imageDigests));
+        _attributes = attributes is null
+            ? EmptyReadOnlyDictionary<string, string>.Instance
+            : new ReadOnlyDictionary<string, string>(new Dictionary<string, string>(attributes, StringComparer.Ordinal));
+        _surfaceManifests = surfaceManifests is null
+            ? EmptyReadOnlyDictionary<string, SurfaceManifestPointer>.Instance
+            : new ReadOnlyDictionary<string, SurfaceManifestPointer>(new Dictionary<string, SurfaceManifestPointer>(surfaceManifests, StringComparer.Ordinal));
+    }
 
     public string SegmentId { get; }
 
@@ -111,7 +117,10 @@ public sealed class RunnerSegmentQueueMessage
 
     public IReadOnlyList<string> ImageDigests => _imageDigests;
 
-    public IReadOnlyDictionary<string, string> Attributes => _attributes;
+    public IReadOnlyDictionary<string, string> Attributes => _attributes;
+
+    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingDefault)]
+    public IReadOnlyDictionary<string, SurfaceManifestPointer> SurfaceManifests => _surfaceManifests;
 
     public string IdempotencyKey => SegmentId;