feat: secure build phase 1 — cosign cell-side image verification (warn default) + Dockerfile validation

- config/cosign/cosign.pub: public verification key committed to repo (safe);
  cosign private key lives in /home/roof/.pic-secrets/ and is NEVER committed
- api/config_manager.py: image_verification config block (modes: off|warn|enforce,
  default: warn) so existing deployments are unaffected until images are signed
- api/service_composer.py: cosign verify before pull/up; enforce aborts the
  operation, warn logs and proceeds, off skips entirely; also fixes the prior
  unsafe proceed-on-pull-failure path
- api/service_store_manager.py: store-image digest requirement (warn default,
  reject under enforce)
- api/Dockerfile: cosign binary copied from the official cosign image
- docker-compose.yml: config/cosign/ bind-mounted into cell-api container
- install.sh: ensure/verify bundled cosign pubkey on new cell installs
- api/manifest_validator.py: validate_build_context() — Dockerfile lint
- tests: full coverage for config modes, composer verify paths, store digest
  guard, and validate_build_context

Verification defaults to warn so nothing breaks in production until images are
signed (phase 2). Private key stored outside git at /home/roof/.pic-secrets/.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

tests/test_service_store_manager.py

@@ -679,6 +679,40 @@ class TestInstall(unittest.TestCase):
         self.assertTrue(result['ok'])
         self.assertFalse(result.get('already_installed', False))
 
+    def test_install_enforce_rejects_undigested_image(self):
+        """Under enforce mode a store image without @sha256: pin is fatal."""
+        manifest = _valid_manifest(
+            id='myapp', container_name='cell-myapp',
+            image='git.pic.ngo/roof/myapp:latest',
+        )
+        ssm, cm, _, composer = _make_ssm(manifest=manifest)
+        cm.get_image_verification_mode.return_value = 'enforce'
+        result = ssm.install('myapp')
+        self.assertFalse(result['ok'])
+        self.assertIn('digest', result['error'].lower())
+        composer.install.assert_not_called()
+
+    def test_install_warn_allows_undigested_image(self):
+        """Under warn mode (default) an undigested image still installs."""
+        manifest = _valid_manifest(
+            id='myapp', container_name='cell-myapp',
+            image='git.pic.ngo/roof/myapp:latest',
+        )
+        ssm, cm, _, composer = _make_ssm(manifest=manifest)
+        cm.get_image_verification_mode.return_value = 'warn'
+        result = ssm.install('myapp')
+        self.assertTrue(result['ok'])
+        composer.install.assert_called_once()
+
+    def test_install_enforce_allows_digested_image(self):
+        """Under enforce mode a properly digest-pinned image installs."""
+        manifest = _valid_manifest(id='myapp', container_name='cell-myapp')
+        ssm, cm, _, composer = _make_ssm(manifest=manifest)
+        cm.get_image_verification_mode.return_value = 'enforce'
+        result = ssm.install('myapp')
+        self.assertTrue(result['ok'])
+        composer.install.assert_called_once()
+
     def test_install_without_composer_stores_record(self):
         """When service_composer=None, skip compose but still store the install record."""
         manifest = _valid_manifest(id='myapp', container_name='cell-myapp')