feat: Add DigestUpsertRequest and LockEntity models

- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.

tests/AirGap/StellaOps.AirGap.Controller.Tests/ReplayVerificationServiceTests.cs

@@ -0,0 +1,93 @@
+using StellaOps.AirGap.Controller.Endpoints.Contracts;
+using StellaOps.AirGap.Controller.Services;
+using StellaOps.AirGap.Controller.Stores;
+using StellaOps.AirGap.Importer.Contracts;
+using StellaOps.AirGap.Importer.Validation;
+using StellaOps.AirGap.Time.Models;
+using StellaOps.AirGap.Time.Services;
+using Xunit;
+
+namespace StellaOps.AirGap.Controller.Tests;
+
+public class ReplayVerificationServiceTests
+{
+    private readonly ReplayVerificationService _service;
+    private readonly AirGapStateService _stateService;
+    private readonly StalenessCalculator _staleness = new();
+    private readonly InMemoryAirGapStateStore _store = new();
+
+    public ReplayVerificationServiceTests()
+    {
+        _stateService = new AirGapStateService(_store, _staleness);
+        _service = new ReplayVerificationService(_stateService, new ReplayVerifier());
+    }
+
+    [Fact]
+    public async Task Passes_full_recompute_when_hashes_match()
+    {
+        var now = DateTimeOffset.Parse("2025-12-02T01:00:00Z");
+        await _stateService.SealAsync("tenant-a", "policy-x", TimeAnchor.Unknown, StalenessBudget.Default, now);
+
+        var request = new VerifyRequest
+        {
+            Depth = ReplayDepth.FullRecompute,
+            ManifestSha256 = new string('a', 64),
+            BundleSha256 = new string('b', 64),
+            ComputedManifestSha256 = new string('a', 64),
+            ComputedBundleSha256 = new string('b', 64),
+            ManifestCreatedAt = now.AddHours(-2),
+            StalenessWindowHours = 24,
+            BundlePolicyHash = "policy-x"
+        };
+
+        var result = await _service.VerifyAsync("tenant-a", request, now);
+
+        Assert.True(result.IsValid);
+        Assert.Equal("full-recompute-passed", result.Reason);
+    }
+
+    [Fact]
+    public async Task Detects_stale_manifest()
+    {
+        var now = DateTimeOffset.UtcNow;
+        var request = new VerifyRequest
+        {
+            Depth = ReplayDepth.HashOnly,
+            ManifestSha256 = new string('a', 64),
+            BundleSha256 = new string('b', 64),
+            ComputedManifestSha256 = new string('a', 64),
+            ComputedBundleSha256 = new string('b', 64),
+            ManifestCreatedAt = now.AddHours(-30),
+            StalenessWindowHours = 12
+        };
+
+        var result = await _service.VerifyAsync("default", request, now);
+
+        Assert.False(result.IsValid);
+        Assert.Equal("manifest-stale", result.Reason);
+    }
+
+    [Fact]
+    public async Task Policy_freeze_requires_matching_policy()
+    {
+        var now = DateTimeOffset.UtcNow;
+        await _stateService.SealAsync("tenant-b", "sealed-policy", TimeAnchor.Unknown, StalenessBudget.Default, now);
+
+        var request = new VerifyRequest
+        {
+            Depth = ReplayDepth.PolicyFreeze,
+            ManifestSha256 = new string('a', 64),
+            BundleSha256 = new string('b', 64),
+            ComputedManifestSha256 = new string('a', 64),
+            ComputedBundleSha256 = new string('b', 64),
+            ManifestCreatedAt = now,
+            StalenessWindowHours = 48,
+            BundlePolicyHash = "bundle-policy"
+        };
+
+        var result = await _service.VerifyAsync("tenant-b", request, now);
+
+        Assert.False(result.IsValid);
+        Assert.Equal("policy-hash-drift", result.Reason);
+    }
+}

tests/AirGap/StellaOps.AirGap.Importer.Tests/ReplayVerifierTests.cs

@@ -0,0 +1,72 @@
+using StellaOps.AirGap.Importer.Contracts;
+using StellaOps.AirGap.Importer.Validation;
+
+namespace StellaOps.AirGap.Importer.Tests;
+
+public class ReplayVerifierTests
+{
+    private readonly ReplayVerifier _verifier = new();
+
+    [Fact]
+    public void FullRecompute_succeeds_when_hashes_match_and_fresh()
+    {
+        var now = DateTimeOffset.Parse("2025-12-02T01:00:00Z");
+        var request = new ReplayVerificationRequest(
+            "aa".PadRight(64, 'a'),
+            "bb".PadRight(64, 'b'),
+            "aa".PadRight(64, 'a'),
+            "bb".PadRight(64, 'b'),
+            now.AddHours(-4),
+            24,
+            "cc".PadRight(64, 'c'),
+            "cc".PadRight(64, 'c'),
+            ReplayDepth.FullRecompute);
+
+        var result = _verifier.Verify(request, now);
+
+        Assert.True(result.IsValid);
+        Assert.Equal("full-recompute-passed", result.Reason);
+    }
+
+    [Fact]
+    public void Detects_hash_drift()
+    {
+        var now = DateTimeOffset.UtcNow;
+        var request = new ReplayVerificationRequest(
+            "aa".PadRight(64, 'a'),
+            "bb".PadRight(64, 'b'),
+            "00".PadRight(64, '0'),
+            "bb".PadRight(64, 'b'),
+            now,
+            1,
+            null,
+            null,
+            ReplayDepth.HashOnly);
+
+        var result = _verifier.Verify(request, now);
+
+        Assert.False(result.IsValid);
+        Assert.Equal("manifest-hash-drift", result.Reason);
+    }
+
+    [Fact]
+    public void PolicyFreeze_requires_matching_policy_hash()
+    {
+        var now = DateTimeOffset.UtcNow;
+        var request = new ReplayVerificationRequest(
+            "aa".PadRight(64, 'a'),
+            "bb".PadRight(64, 'b'),
+            "aa".PadRight(64, 'a'),
+            "bb".PadRight(64, 'b'),
+            now,
+            12,
+            "bundle-policy",
+            "sealed-policy-other",
+            ReplayDepth.PolicyFreeze);
+
+        var result = _verifier.Verify(request, now);
+
+        Assert.False(result.IsValid);
+        Assert.Equal("policy-hash-drift", result.Reason);
+    }
+}

tests/Replay/StellaOps.Replay.Core.Tests/PolicySimulationInputLockValidatorTests.cs

@@ -0,0 +1,97 @@
+using System;
+using FluentAssertions;
+using StellaOps.Replay.Core;
+using Xunit;
+
+namespace StellaOps.Replay.Core.Tests;
+
+public class PolicySimulationInputLockValidatorTests
+{
+    private readonly PolicySimulationInputLock _lock = new()
+    {
+        PolicyBundleSha256 = new string('a', 64),
+        GraphSha256 = new string('b', 64),
+        SbomSha256 = new string('c', 64),
+        TimeAnchorSha256 = new string('d', 64),
+        DatasetSha256 = new string('e', 64),
+        GeneratedAt = DateTimeOffset.Parse("2025-12-02T00:00:00Z"),
+        ShadowIsolation = true,
+        RequiredScopes = new[] { "policy:simulate:shadow" }
+    };
+
+    [Fact]
+    public void Validate_passes_when_digests_match_and_shadow_scope_present()
+    {
+        var inputs = new PolicySimulationMaterializedInputs(
+            new string('a', 64),
+            new string('b', 64),
+            new string('c', 64),
+            new string('d', 64),
+            new string('e', 64),
+            "shadow",
+            new[] { "policy:simulate:shadow", "graph:read" },
+            DateTimeOffset.Parse("2025-12-02T01:00:00Z"));
+
+        var result = PolicySimulationInputLockValidator.Validate(_lock, inputs, TimeSpan.FromDays(2));
+
+        result.IsValid.Should().BeTrue();
+        result.Reason.Should().Be("ok");
+    }
+
+    [Fact]
+    public void Validate_detects_digest_drift()
+    {
+        var inputs = new PolicySimulationMaterializedInputs(
+            new string('0', 64),
+            new string('b', 64),
+            new string('c', 64),
+            new string('d', 64),
+            new string('e', 64),
+            "shadow",
+            new[] { "policy:simulate:shadow" },
+            DateTimeOffset.Parse("2025-12-02T00:10:00Z"));
+
+        var result = PolicySimulationInputLockValidator.Validate(_lock, inputs, TimeSpan.FromDays(1));
+
+        result.IsValid.Should().BeFalse();
+        result.Reason.Should().Be("policy-bundle-drift");
+    }
+
+    [Fact]
+    public void Validate_requires_shadow_mode_when_flagged()
+    {
+        var inputs = new PolicySimulationMaterializedInputs(
+            new string('a', 64),
+            new string('b', 64),
+            new string('c', 64),
+            new string('d', 64),
+            new string('e', 64),
+            "live",
+            Array.Empty<string>(),
+            DateTimeOffset.Parse("2025-12-02T00:10:00Z"));
+
+        var result = PolicySimulationInputLockValidator.Validate(_lock, inputs, TimeSpan.FromDays(1));
+
+        result.IsValid.Should().BeFalse();
+        result.Reason.Should().Be("shadow-mode-required");
+    }
+
+    [Fact]
+    public void Validate_fails_when_lock_stale()
+    {
+        var inputs = new PolicySimulationMaterializedInputs(
+            new string('a', 64),
+            new string('b', 64),
+            new string('c', 64),
+            new string('d', 64),
+            new string('e', 64),
+            "shadow",
+            new[] { "policy:simulate:shadow" },
+            DateTimeOffset.Parse("2025-12-05T00:00:00Z"));
+
+        var result = PolicySimulationInputLockValidator.Validate(_lock, inputs, TimeSpan.FromDays(1));
+
+        result.IsValid.Should().BeFalse();
+        result.Reason.Should().Be("inputs-lock-stale");
+    }
+}

tests/Replay/StellaOps.Replay.Core.Tests/StellaOps.Replay.Core.Tests.csproj

@@ -0,0 +1,13 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+  <ItemGroup>
+    <ProjectReference Include="../../../src/__Libraries/StellaOps.Replay.Core/StellaOps.Replay.Core.csproj" />
+    <PackageReference Include="xunit" Version="2.5.0" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.0" />
+    <PackageReference Include="FluentAssertions" Version="6.12.0" />
+  </ItemGroup>
+</Project>