fix: restore cosign pubkey on setup so clean reinstall keeps image verification

`make reinstall`/`uninstall` run `rm -rf config/`, which deletes the git-tracked
config/cosign/cosign.pub. Nothing recreated it, so after any clean reinstall the
bind-mounted key was missing and cosign verification failed for EVERY store
service under the default enforce mode ("loading public key: open
/app/config/cosign/cosign.pub: no such file or directory") — store installs were
completely broken on a fresh install. Found during clean-build pic1 verification.

setup_cell.ensure_cosign_pubkey() now restores the key from git HEAD on every
setup (best-effort; warns rather than fails outside a git checkout). Also fixes
the stale service_composer comment that claimed a Dockerfile COPY that never
existed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

tests/test_setup_cell.py

@@ -0,0 +1,67 @@
+"""Tests for scripts/setup_cell.py setup helpers."""
+import os
+import sys
+import shutil
+import subprocess
+import tempfile
+import unittest
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent.parent / 'scripts'))
+import setup_cell  # noqa: E402
+
+
+class TestEnsureCosignPubkey(unittest.TestCase):
+    """ensure_cosign_pubkey restores the tracked key after a `rm -rf config/`.
+
+    Regression: `make reinstall`/`uninstall` wipe config/, deleting the tracked
+    config/cosign/cosign.pub; without restore, enforce-mode store installs break.
+    """
+
+    KEY_REL = os.path.join('config', 'cosign', 'cosign.pub')
+    KEY_BODY = '-----BEGIN PUBLIC KEY-----\nTESTKEYDATA\n-----END PUBLIC KEY-----\n'
+
+    def setUp(self):
+        self.tmp = tempfile.mkdtemp()
+        env = {**os.environ, 'GIT_CONFIG_GLOBAL': '/dev/null', 'GIT_CONFIG_SYSTEM': '/dev/null'}
+        subprocess.run(['git', 'init', '-q', self.tmp], check=True, env=env)
+        subprocess.run(['git', '-C', self.tmp, 'config', 'user.email', 't@t'], check=True)
+        subprocess.run(['git', '-C', self.tmp, 'config', 'user.name', 't'], check=True)
+        self.key = os.path.join(self.tmp, self.KEY_REL)
+        os.makedirs(os.path.dirname(self.key))
+        with open(self.key, 'w') as f:
+            f.write(self.KEY_BODY)
+        subprocess.run(['git', '-C', self.tmp, 'add', '-A'], check=True)
+        subprocess.run(['git', '-C', self.tmp, 'commit', '-qm', 'init'], check=True, env=env)
+        self._root = setup_cell.ROOT
+        setup_cell.ROOT = self.tmp
+
+    def tearDown(self):
+        setup_cell.ROOT = self._root
+        shutil.rmtree(self.tmp, ignore_errors=True)
+
+    def test_restores_key_when_wiped(self):
+        os.remove(self.key)
+        shutil.rmtree(os.path.dirname(self.key))  # mimic `rm -rf config/`
+        self.assertFalse(os.path.exists(self.key))
+        setup_cell.ensure_cosign_pubkey()
+        self.assertTrue(os.path.exists(self.key))
+        self.assertEqual(open(self.key).read(), self.KEY_BODY)
+
+    def test_noop_when_key_present(self):
+        setup_cell.ensure_cosign_pubkey()
+        self.assertEqual(open(self.key).read(), self.KEY_BODY)
+
+    def test_warns_not_raises_outside_git(self):
+        # Not a git checkout and key missing → must warn, never raise.
+        non_git = tempfile.mkdtemp()
+        setup_cell.ROOT = non_git
+        try:
+            setup_cell.ensure_cosign_pubkey()  # should not raise
+            self.assertFalse(os.path.exists(os.path.join(non_git, self.KEY_REL)))
+        finally:
+            shutil.rmtree(non_git, ignore_errors=True)
+
+
+if __name__ == '__main__':
+    unittest.main()