feat: Add DigestUpsertRequest and LockEntity models

- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.

tests/AirGap/StellaOps.AirGap.Controller.Tests/ReplayVerificationServiceTests.cs

@@ -0,0 +1,93 @@
+using StellaOps.AirGap.Controller.Endpoints.Contracts;
+using StellaOps.AirGap.Controller.Services;
+using StellaOps.AirGap.Controller.Stores;
+using StellaOps.AirGap.Importer.Contracts;
+using StellaOps.AirGap.Importer.Validation;
+using StellaOps.AirGap.Time.Models;
+using StellaOps.AirGap.Time.Services;
+using Xunit;
+
+namespace StellaOps.AirGap.Controller.Tests;
+
+public class ReplayVerificationServiceTests
+{
+    private readonly ReplayVerificationService _service;
+    private readonly AirGapStateService _stateService;
+    private readonly StalenessCalculator _staleness = new();
+    private readonly InMemoryAirGapStateStore _store = new();
+
+    public ReplayVerificationServiceTests()
+    {
+        _stateService = new AirGapStateService(_store, _staleness);
+        _service = new ReplayVerificationService(_stateService, new ReplayVerifier());
+    }
+
+    [Fact]
+    public async Task Passes_full_recompute_when_hashes_match()
+    {
+        var now = DateTimeOffset.Parse("2025-12-02T01:00:00Z");
+        await _stateService.SealAsync("tenant-a", "policy-x", TimeAnchor.Unknown, StalenessBudget.Default, now);
+
+        var request = new VerifyRequest
+        {
+            Depth = ReplayDepth.FullRecompute,
+            ManifestSha256 = new string('a', 64),
+            BundleSha256 = new string('b', 64),
+            ComputedManifestSha256 = new string('a', 64),
+            ComputedBundleSha256 = new string('b', 64),
+            ManifestCreatedAt = now.AddHours(-2),
+            StalenessWindowHours = 24,
+            BundlePolicyHash = "policy-x"
+        };
+
+        var result = await _service.VerifyAsync("tenant-a", request, now);
+
+        Assert.True(result.IsValid);
+        Assert.Equal("full-recompute-passed", result.Reason);
+    }
+
+    [Fact]
+    public async Task Detects_stale_manifest()
+    {
+        var now = DateTimeOffset.UtcNow;
+        var request = new VerifyRequest
+        {
+            Depth = ReplayDepth.HashOnly,
+            ManifestSha256 = new string('a', 64),
+            BundleSha256 = new string('b', 64),
+            ComputedManifestSha256 = new string('a', 64),
+            ComputedBundleSha256 = new string('b', 64),
+            ManifestCreatedAt = now.AddHours(-30),
+            StalenessWindowHours = 12
+        };
+
+        var result = await _service.VerifyAsync("default", request, now);
+
+        Assert.False(result.IsValid);
+        Assert.Equal("manifest-stale", result.Reason);
+    }
+
+    [Fact]
+    public async Task Policy_freeze_requires_matching_policy()
+    {
+        var now = DateTimeOffset.UtcNow;
+        await _stateService.SealAsync("tenant-b", "sealed-policy", TimeAnchor.Unknown, StalenessBudget.Default, now);
+
+        var request = new VerifyRequest
+        {
+            Depth = ReplayDepth.PolicyFreeze,
+            ManifestSha256 = new string('a', 64),
+            BundleSha256 = new string('b', 64),
+            ComputedManifestSha256 = new string('a', 64),
+            ComputedBundleSha256 = new string('b', 64),
+            ManifestCreatedAt = now,
+            StalenessWindowHours = 48,
+            BundlePolicyHash = "bundle-policy"
+        };
+
+        var result = await _service.VerifyAsync("tenant-b", request, now);
+
+        Assert.False(result.IsValid);
+        Assert.Equal("policy-hash-drift", result.Reason);
+    }
+}

tests/AirGap/StellaOps.AirGap.Importer.Tests/ReplayVerifierTests.cs

@@ -0,0 +1,72 @@
+using StellaOps.AirGap.Importer.Contracts;
+using StellaOps.AirGap.Importer.Validation;
+
+namespace StellaOps.AirGap.Importer.Tests;
+
+public class ReplayVerifierTests
+{
+    private readonly ReplayVerifier _verifier = new();
+
+    [Fact]
+    public void FullRecompute_succeeds_when_hashes_match_and_fresh()
+    {
+        var now = DateTimeOffset.Parse("2025-12-02T01:00:00Z");
+        var request = new ReplayVerificationRequest(
+            "aa".PadRight(64, 'a'),
+            "bb".PadRight(64, 'b'),
+            "aa".PadRight(64, 'a'),
+            "bb".PadRight(64, 'b'),
+            now.AddHours(-4),
+            24,
+            "cc".PadRight(64, 'c'),
+            "cc".PadRight(64, 'c'),
+            ReplayDepth.FullRecompute);
+
+        var result = _verifier.Verify(request, now);
+
+        Assert.True(result.IsValid);
+        Assert.Equal("full-recompute-passed", result.Reason);
+    }
+
+    [Fact]
+    public void Detects_hash_drift()
+    {
+        var now = DateTimeOffset.UtcNow;
+        var request = new ReplayVerificationRequest(
+            "aa".PadRight(64, 'a'),
+            "bb".PadRight(64, 'b'),
+            "00".PadRight(64, '0'),
+            "bb".PadRight(64, 'b'),
+            now,
+            1,
+            null,
+            null,
+            ReplayDepth.HashOnly);
+
+        var result = _verifier.Verify(request, now);
+
+        Assert.False(result.IsValid);
+        Assert.Equal("manifest-hash-drift", result.Reason);
+    }
+
+    [Fact]
+    public void PolicyFreeze_requires_matching_policy_hash()
+    {
+        var now = DateTimeOffset.UtcNow;
+        var request = new ReplayVerificationRequest(
+            "aa".PadRight(64, 'a'),
+            "bb".PadRight(64, 'b'),
+            "aa".PadRight(64, 'a'),
+            "bb".PadRight(64, 'b'),
+            now,
+            12,
+            "bundle-policy",
+            "sealed-policy-other",
+            ReplayDepth.PolicyFreeze);
+
+        var result = _verifier.Verify(request, now);
+
+        Assert.False(result.IsValid);
+        Assert.Equal("policy-hash-drift", result.Reason);
+    }
+}