feat: Add DigestUpsertRequest and LockEntity models

- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.

src/__Libraries/StellaOps.Infrastructure.Postgres/Options/PersistenceBackend.cs

@@ -1,75 +0,0 @@
-namespace StellaOps.Infrastructure.Postgres.Options;
-
-/// <summary>
-/// Persistence backend selection for dual-write/migration scenarios.
-/// </summary>
-public enum PersistenceBackend
-{
-    /// <summary>
-    /// Use MongoDB as the primary backend (legacy).
-    /// </summary>
-    Mongo,
-
-    /// <summary>
-    /// Use PostgreSQL as the primary backend.
-    /// </summary>
-    Postgres,
-
-    /// <summary>
-    /// Dual-write mode: write to both backends, read from primary.
-    /// Used during migration phase for data consistency verification.
-    /// </summary>
-    DualWrite
-}
-
-/// <summary>
-/// Persistence options for module backend selection.
-/// </summary>
-public sealed class PersistenceOptions
-{
-    /// <summary>
-    /// Configuration section name.
-    /// </summary>
-    public const string SectionName = "Persistence";
-
-    /// <summary>
-    /// Backend for Authority module.
-    /// </summary>
-    public PersistenceBackend Authority { get; set; } = PersistenceBackend.Mongo;
-
-    /// <summary>
-    /// Backend for Scheduler module.
-    /// </summary>
-    public PersistenceBackend Scheduler { get; set; } = PersistenceBackend.Mongo;
-
-    /// <summary>
-    /// Backend for Notify module.
-    /// </summary>
-    public PersistenceBackend Notify { get; set; } = PersistenceBackend.Mongo;
-
-    /// <summary>
-    /// Backend for Policy module.
-    /// </summary>
-    public PersistenceBackend Policy { get; set; } = PersistenceBackend.Mongo;
-
-    /// <summary>
-    /// Backend for Concelier (vulnerability) module.
-    /// </summary>
-    public PersistenceBackend Concelier { get; set; } = PersistenceBackend.Mongo;
-
-    /// <summary>
-    /// Backend for Excititor (VEX/graph) module.
-    /// </summary>
-    public PersistenceBackend Excititor { get; set; } = PersistenceBackend.Mongo;
-
-    /// <summary>
-    /// In dual-write mode, which backend to read from.
-    /// </summary>
-    public PersistenceBackend DualWriteReadFrom { get; set; } = PersistenceBackend.Mongo;
-
-    /// <summary>
-    /// Enable comparison logging in dual-write mode.
-    /// Logs discrepancies between backends for debugging.
-    /// </summary>
-    public bool DualWriteComparisonLogging { get; set; }
-}

src/__Libraries/StellaOps.Infrastructure.Postgres/ServiceCollectionExtensions.cs

@@ -25,20 +25,6 @@ public static class ServiceCollectionExtensions
         return services;
     }
 
-    /// <summary>
-    /// Adds persistence backend options from configuration.
-    /// </summary>
-    /// <param name="services">Service collection.</param>
-    /// <param name="configuration">Configuration root.</param>
-    /// <returns>Service collection for chaining.</returns>
-    public static IServiceCollection AddPersistenceOptions(
-        this IServiceCollection services,
-        IConfiguration configuration)
-    {
-        services.Configure<PersistenceOptions>(configuration.GetSection(PersistenceOptions.SectionName));
-        return services;
-    }
-
     /// <summary>
     /// Adds PostgreSQL infrastructure with the specified options.
     /// </summary>

src/__Libraries/StellaOps.Replay.Core/PolicySimulationInputLock.cs

@@ -0,0 +1,110 @@
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Replay.Core;
+
+/// <summary>
+/// Immutable lockfile describing policy simulation inputs and expected digests.
+/// Aligns with POLICY-GAPS-185-006 remediation (PS1–PS10).
+/// </summary>
+public sealed record PolicySimulationInputLock
+{
+    [JsonPropertyName("schemaVersion")]
+    public string SchemaVersion { get; init; } = "1.0.0";
+
+    [JsonPropertyName("generatedAt")]
+    public DateTimeOffset GeneratedAt { get; init; } = DateTimeOffset.UtcNow;
+
+    [JsonPropertyName("policyBundleSha256")]
+    public string PolicyBundleSha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("graphSha256")]
+    public string GraphSha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("sbomSha256")]
+    public string SbomSha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("timeAnchorSha256")]
+    public string TimeAnchorSha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("datasetSha256")]
+    public string DatasetSha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("shadowIsolation")]
+    public bool ShadowIsolation { get; init; } = true;
+
+    [JsonPropertyName("requiredScopes")]
+    public IReadOnlyList<string> RequiredScopes { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("notes")]
+    public string? Notes { get; init; }
+}
+
+/// <summary>
+/// Materialized digests for a simulation run, validated against the lock.
+/// </summary>
+public sealed record PolicySimulationMaterializedInputs(
+    string PolicyBundleSha256,
+    string GraphSha256,
+    string SbomSha256,
+    string TimeAnchorSha256,
+    string DatasetSha256,
+    string RunMode,
+    IReadOnlyCollection<string> GrantedScopes,
+    DateTimeOffset NowUtc);
+
+public sealed record PolicySimulationValidationResult(bool IsValid, string Reason)
+{
+    public static PolicySimulationValidationResult Ok(string reason = "ok") => new(true, reason);
+    public static PolicySimulationValidationResult Fail(string reason) => new(false, reason);
+}
+
+public static class PolicySimulationInputLockValidator
+{
+    private static readonly string[] RequiredShadowScopes = { "policy:simulate:shadow" };
+
+    public static PolicySimulationValidationResult Validate(
+        PolicySimulationInputLock expected,
+        PolicySimulationMaterializedInputs actual,
+        TimeSpan? maxAge = null)
+    {
+        if (!IsSha(expected.PolicyBundleSha256) || !IsSha(actual.PolicyBundleSha256))
+            return PolicySimulationValidationResult.Fail("invalid-policy-digest-format");
+        if (!IsSha(expected.GraphSha256) || !IsSha(actual.GraphSha256))
+            return PolicySimulationValidationResult.Fail("invalid-graph-digest-format");
+        if (!IsSha(expected.SbomSha256) || !IsSha(actual.SbomSha256))
+            return PolicySimulationValidationResult.Fail("invalid-sbom-digest-format");
+        if (!IsSha(expected.TimeAnchorSha256) || !IsSha(actual.TimeAnchorSha256))
+            return PolicySimulationValidationResult.Fail("invalid-time-anchor-digest-format");
+        if (!IsSha(expected.DatasetSha256) || !IsSha(actual.DatasetSha256))
+            return PolicySimulationValidationResult.Fail("invalid-dataset-digest-format");
+
+        if (!string.Equals(expected.PolicyBundleSha256, actual.PolicyBundleSha256, StringComparison.OrdinalIgnoreCase))
+            return PolicySimulationValidationResult.Fail("policy-bundle-drift");
+        if (!string.Equals(expected.GraphSha256, actual.GraphSha256, StringComparison.OrdinalIgnoreCase))
+            return PolicySimulationValidationResult.Fail("graph-drift");
+        if (!string.Equals(expected.SbomSha256, actual.SbomSha256, StringComparison.OrdinalIgnoreCase))
+            return PolicySimulationValidationResult.Fail("sbom-drift");
+        if (!string.Equals(expected.TimeAnchorSha256, actual.TimeAnchorSha256, StringComparison.OrdinalIgnoreCase))
+            return PolicySimulationValidationResult.Fail("time-anchor-drift");
+        if (!string.Equals(expected.DatasetSha256, actual.DatasetSha256, StringComparison.OrdinalIgnoreCase))
+            return PolicySimulationValidationResult.Fail("dataset-drift");
+
+        if (maxAge is not null && actual.NowUtc - expected.GeneratedAt > maxAge.Value)
+            return PolicySimulationValidationResult.Fail("inputs-lock-stale");
+
+        if (expected.ShadowIsolation)
+        {
+            if (!string.Equals(actual.RunMode, "shadow", StringComparison.OrdinalIgnoreCase))
+                return PolicySimulationValidationResult.Fail("shadow-mode-required");
+            if (!RequiredShadowScopes.All(scope => actual.GrantedScopes.Contains(scope, StringComparer.OrdinalIgnoreCase)))
+                return PolicySimulationValidationResult.Fail("shadow-scope-missing");
+        }
+
+        return PolicySimulationValidationResult.Ok();
+    }
+
+    private static bool IsSha(string value)
+    {
+        return !string.IsNullOrWhiteSpace(value) && value.Length == 64 && value.All(c => Uri.IsHexDigit(c));
+    }
+}

src/__Libraries/StellaOps.Replay.Core/TASKS.md

@@ -9,6 +9,7 @@ Keep this table in sync with `docs/implplan/SPRINT_0185_0001_0001_shared_replay_
 | REPLAY-CORE-185-003 | DONE (2025-11-25) | Platform Data Guild | Mongo collections (`replay_runs`, `replay_bundles`, `replay_subjects`) and indices aligned with schema doc. |
 | DOCS-REPLAY-185-003 | DONE (2025-11-25) | Docs Guild · Platform Data Guild | `docs/data/replay_schema.md` detailing collections, index guidance, offline sync strategy. |
 | DOCS-REPLAY-185-004 | DONE (2025-11-25) | Docs Guild | Expand `docs/replay/DEVS_GUIDE_REPLAY.md` with integration guidance and deterministic replay checklist. |
+| POLICY-GAPS-185-006 | DONE (2025-12-03) | Policy Guild · Platform Guild | Policy simulation gaps PS1–PS10 remediated: inputs lock schema/sample + DSSE-ready verifier, shadow isolation validator, offline CLI verifier script. |
 
 ## Status rules
 - Use TODO → DOING → DONE/BLOCKED and mirror every change in the sprint Delivery Tracker.