stage-2: full pipeline — Classifyline → Sealine → Routeline → Courier → Ledger + mock CERT

Adds the end-to-end demo chain. PyNaCl sealed boxes implement the dossier's Model A
authority public-key encryption; SQLAlchemy ledger records every submission and every
policy-blocked route. Cockpit gains /ledger and an enriched case detail (sealed-package
card, routes panel, per-case audit). Mock CERT FastAPI app on :8770 stands in for the
real authority endpoints. `psyc demo` runs the whole chain on a fresh URLhaus row.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitignore

@@ -8,10 +8,7 @@ dist/
 *.pyc
 
 # data / runtime
-data/*.db
-data/*.db-journal
-data/sealed/
-data/keys/
+data/
 
 # env
 .env