feat: secure build phase 1 — cosign cell-side image verification (warn default) + Dockerfile validation

- config/cosign/cosign.pub: public verification key committed to repo (safe);
  cosign private key lives in /home/roof/.pic-secrets/ and is NEVER committed
- api/config_manager.py: image_verification config block (modes: off|warn|enforce,
  default: warn) so existing deployments are unaffected until images are signed
- api/service_composer.py: cosign verify before pull/up; enforce aborts the
  operation, warn logs and proceeds, off skips entirely; also fixes the prior
  unsafe proceed-on-pull-failure path
- api/service_store_manager.py: store-image digest requirement (warn default,
  reject under enforce)
- api/Dockerfile: cosign binary copied from the official cosign image
- docker-compose.yml: config/cosign/ bind-mounted into cell-api container
- install.sh: ensure/verify bundled cosign pubkey on new cell installs
- api/manifest_validator.py: validate_build_context() — Dockerfile lint
- tests: full coverage for config modes, composer verify paths, store digest
  guard, and validate_build_context

Verification defaults to warn so nothing breaks in production until images are
signed (phase 2). Private key stored outside git at /home/roof/.pic-secrets/.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

tests/test_service_composer.py

@@ -773,5 +773,107 @@ class TestPerInstanceRender(unittest.TestCase):
         self.assertEqual(ServiceComposer.instance_id_for('conn_a1b2c3d4'), 'a1b2c3d4')
 
 
+# ── Image signature verification ───────────────────────────────────────────
+
+_DIGEST = '@sha256:' + 'a' * 64
+_SIGNED_IMAGE = 'git.pic.ngo/roof/foo' + _DIGEST
+
+
+def _verify_composer(mode):
+    cm = _make_cm()
+    cm.get_image_verification_mode.return_value = mode
+    c = ServiceComposer(config_manager=cm, data_dir='/fake/data')
+    # Isolate verification from disk/docker: stub everything except verify logic.
+    c.write_compose = MagicMock(return_value='')
+    c.up = MagicMock(return_value={'ok': True})
+    c._store_cmd = MagicMock(return_value={'ok': True})
+    return c
+
+
+class TestImageVerification(unittest.TestCase):
+
+    def test_off_mode_skips_cosign(self):
+        c = _verify_composer('off')
+        c._cosign_verify = MagicMock()
+        manifest = {'image': _SIGNED_IMAGE}
+        result = c.install('svc', manifest, 'tpl')
+        self.assertTrue(result['ok'])
+        c._cosign_verify.assert_not_called()
+        c.up.assert_called_once()
+
+    def test_good_signature_proceeds(self):
+        c = _verify_composer('enforce')
+        c._cosign_verify = MagicMock(return_value={'ok': True, 'stdout': '', 'stderr': ''})
+        manifest = {'image': _SIGNED_IMAGE}
+        result = c.install('svc', manifest, 'tpl')
+        self.assertTrue(result['ok'])
+        c._cosign_verify.assert_called_once()
+        c.up.assert_called_once()
+
+    def test_enforce_bad_signature_aborts(self):
+        c = _verify_composer('enforce')
+        c._cosign_verify = MagicMock(return_value={'ok': False, 'stderr': 'no matching signatures'})
+        manifest = {'image': _SIGNED_IMAGE}
+        result = c.install('svc', manifest, 'tpl')
+        self.assertFalse(result['ok'])
+        self.assertIn('verification failed', result['error'])
+        c.up.assert_not_called()
+
+    def test_warn_bad_signature_proceeds(self):
+        c = _verify_composer('warn')
+        c._cosign_verify = MagicMock(return_value={'ok': False, 'stderr': 'no matching signatures'})
+        manifest = {'image': _SIGNED_IMAGE}
+        result = c.install('svc', manifest, 'tpl')
+        self.assertTrue(result['ok'])
+        c.up.assert_called_once()
+
+    def test_enforce_undigested_image_aborts(self):
+        c = _verify_composer('enforce')
+        c._cosign_verify = MagicMock()
+        manifest = {'image': 'git.pic.ngo/roof/foo:latest'}
+        result = c.install('svc', manifest, 'tpl')
+        self.assertFalse(result['ok'])
+        self.assertIn('digest', result['error'])
+        c._cosign_verify.assert_not_called()
+        c.up.assert_not_called()
+
+    def test_warn_undigested_image_proceeds(self):
+        c = _verify_composer('warn')
+        c._cosign_verify = MagicMock()
+        manifest = {'image': 'git.pic.ngo/roof/foo:latest'}
+        result = c.install('svc', manifest, 'tpl')
+        self.assertTrue(result['ok'])
+        c._cosign_verify.assert_not_called()
+        c.up.assert_called_once()
+
+    def test_cosign_verify_builds_expected_command(self):
+        c = _verify_composer('enforce')
+        with patch.object(c, '_run', return_value={'ok': True}) as mock_run:
+            c._cosign_verify(_SIGNED_IMAGE)
+            cmd = mock_run.call_args[0][0]
+            self.assertEqual(cmd[0:2], ['cosign', 'verify'])
+            self.assertIn('--key', cmd)
+            self.assertIn(_SIGNED_IMAGE, cmd)
+
+    def test_enforce_pull_failure_aborts(self):
+        c = _verify_composer('enforce')
+        c._cosign_verify = MagicMock(return_value={'ok': True})
+        c._store_cmd = MagicMock(return_value={'ok': False, 'stderr': 'manifest unknown'})
+        manifest = {'image': _SIGNED_IMAGE}
+        result = c.install('svc', manifest, 'tpl')
+        self.assertFalse(result['ok'])
+        self.assertIn('pull failed', result['error'])
+        c.up.assert_not_called()
+
+    def test_warn_pull_failure_proceeds(self):
+        c = _verify_composer('warn')
+        c._cosign_verify = MagicMock(return_value={'ok': True})
+        c._store_cmd = MagicMock(return_value={'ok': False, 'stderr': 'manifest unknown'})
+        manifest = {'image': _SIGNED_IMAGE}
+        result = c.install('svc', manifest, 'tpl')
+        self.assertTrue(result['ok'])
+        c.up.assert_called_once()
+
+
 if __name__ == '__main__':
     unittest.main()