feat: Add RustFS artifact object store and migration tool

- Implemented RustFsArtifactObjectStore for managing artifacts in RustFS.
- Added unit tests for RustFsArtifactObjectStore functionality.
- Created a RustFS migrator tool to transfer objects from S3 to RustFS.
- Introduced policy preview and report models for API integration.
- Added fixtures and tests for policy preview and report functionality.
- Included necessary metadata and scripts for cache_pkg package.

docs/09_API_CLI_REFERENCE.md

@@ -382,28 +382,65 @@ Request body mirrors policy preview inputs (image digest plus findings). The ser
 ```json
 {
   "report": {
-    "reportId": "report-3def5f362aa475ef14b6",
-    "imageDigest": "sha256:deadbeef",
+    "reportId": "report-9f8cde21aab54321",
+    "imageDigest": "sha256:7dbe0c9a5d4f1c8184007e9d94dbe55928f8a2db5ab9c1c2d4a2f7bbcdfe1234",
+    "generatedAt": "2025-10-23T15:32:22Z",
     "verdict": "blocked",
-    "policy": { "revisionId": "rev-1", "digest": "27d2ec2b34feedc304fc564d252ecee1c8fa14ea581a5ff5c1ea8963313d5c8d" },
-    "summary": { "total": 1, "blocked": 1, "warned": 0, "ignored": 0, "quieted": 0 },
+    "policy": {
+      "revisionId": "rev-42",
+      "digest": "8a0f72f8dc5c51c46991db3bba34e9b3c0c8e944a7a6d0a9c29a9aa6b8439876"
+    },
+    "summary": { "total": 2, "blocked": 1, "warned": 1, "ignored": 0, "quieted": 0 },
     "verdicts": [
       {
-        "findingId": "finding-1",
+        "findingId": "library:pkg/openssl@1.1.1w",
         "status": "Blocked",
-        "ruleName": "Block Critical",
-        "ruleAction": "Block",
-        "score": 40.5,
+        "ruleName": "Block vendor unknowns",
+        "ruleAction": "block",
+        "notes": "Unknown vendor telemetry — medium confidence band.",
+        "score": 19.5,
         "configVersion": "1.0",
         "inputs": {
-          "reachabilityWeight": 0.45,
-          "baseScore": 40.5,
-          "severityWeight": 90,
-          "trustWeight": 1,
-          "trustWeight.NVD": 1,
-          "reachability.runtime": 0.45
+          "severityWeight": 50,
+          "trustWeight": 0.65,
+          "reachabilityWeight": 0.6,
+          "baseScore": 19.5,
+          "trustWeight.vendor": 0.65,
+          "reachability.unknown": 0.6,
+          "unknownConfidence": 0.55,
+          "unknownAgeDays": 5
         },
+        "quietedBy": null,
         "quiet": false,
+        "unknownConfidence": 0.55,
+        "confidenceBand": "medium",
+        "unknownAgeDays": 5,
+        "sourceTrust": "vendor",
+        "reachability": "unknown"
+      },
+      {
+        "findingId": "library:pkg/zlib@1.3.1",
+        "status": "Warned",
+        "ruleName": "Runtime mitigation required",
+        "ruleAction": "warn",
+        "notes": "Runtime reachable unknown — mitigation window required.",
+        "score": 18.75,
+        "configVersion": "1.0",
+        "inputs": {
+          "severityWeight": 75,
+          "trustWeight": 1,
+          "reachabilityWeight": 0.45,
+          "baseScore": 33.75,
+          "reachability.runtime": 0.45,
+          "warnPenalty": 15,
+          "unknownConfidence": 0.35,
+          "unknownAgeDays": 13
+        },
+        "quietedBy": null,
+        "quiet": false,
+        "unknownConfidence": 0.35,
+        "confidenceBand": "medium",
+        "unknownAgeDays": 13,
         "sourceTrust": "NVD",
         "reachability": "runtime"
       }
@@ -412,21 +449,21 @@ Request body mirrors policy preview inputs (image digest plus findings). The ser
   },
   "dsse": {
     "payloadType": "application/vnd.stellaops.report+json",
-    "payload": "<base64 canonical report>",
+    "payload": "eyJyZXBvcnQiOnsicmVwb3J0SWQiOiJyZXBvcnQtOWY4Y2RlMjFhYWI1NDMyMSJ9fQ==",
     "signatures": [
       {
         "keyId": "scanner-report-signing",
         "algorithm": "hs256",
-        "signature": "<base64 signature>"
+        "signature": "MEQCIGHscnJ2bm9wYXlsb2FkZXIAIjANBgkqhkiG9w0BAQsFAAOCAQEASmFja3Nvbk1ldGE="
       }
     ]
   }
 }
 ```
 
-- The `report` object omits null fields and is deterministic (ISO timestamps, sorted keys).
+- The `report` object omits null fields and is deterministic (ISO timestamps, sorted keys) while surfacing `unknownConfidence`, `confidenceBand`, and `unknownAgeDays` for auditability.
 - `dsse` follows the DSSE (Dead Simple Signing Envelope) shape; `payload` is the canonical UTF-8 JSON and `signatures[0].signature` is the base64 HMAC/Ed25519 value depending on configuration.
-- A runnable sample envelope is available at `samples/api/reports/report-sample.dsse.json` for tooling tests or signature verification.
+- Full offline samples live at `samples/policy/policy-report-unknown.json` (request + response) and `samples/api/reports/report-sample.dsse.json` (envelope fixture) for tooling tests or signature verification.
 
 **Response 404** – `application/problem+json` payload with type `https://stellaops.org/problems/not-found` when the scan identifier is unknown.