tests fixes and sprints work

src/Attestor/__Libraries/StellaOps.Attestor.FixChain/FixChainAttestationService.cs

@@ -321,7 +321,7 @@ internal sealed class FixChainAttestationService : IFixChainAttestationService
         try
         {
             // Parse envelope
-            var envelope = JsonSerializer.Deserialize<DsseEnvelopeDto>(envelopeJson);
+            var envelope = JsonSerializer.Deserialize<DsseEnvelopeDto>(envelopeJson, EnvelopeJsonOptions);
             if (envelope is null)
             {
                 return Task.FromResult(new FixChainVerificationResult
@@ -334,14 +334,18 @@ internal sealed class FixChainAttestationService : IFixChainAttestationService
             // Validate payload type
             if (envelope.PayloadType != "application/vnd.in-toto+json")
             {
-                issues.Add($"Unexpected payload type: {envelope.PayloadType}");
+                return Task.FromResult(new FixChainVerificationResult
+                {
+                    IsValid = false,
+                    Issues = [$"Unexpected payload type: {envelope.PayloadType}"]
+                });
             }
 
             // Decode and parse payload
             var payloadBytes = Convert.FromBase64String(envelope.Payload);
             var statementJson = Encoding.UTF8.GetString(payloadBytes);
 
-            var statement = JsonSerializer.Deserialize<FixChainStatement>(statementJson);
+            var statement = JsonSerializer.Deserialize<FixChainStatement>(statementJson, EnvelopeJsonOptions);
             if (statement is null)
             {
                 return Task.FromResult(new FixChainVerificationResult

src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Models/SbomDocument.cs

@@ -853,6 +853,11 @@ public sealed record SbomExternalReference
     /// </summary>
     public required string Url { get; init; }
 
+    /// <summary>
+    /// Optional content type for the referenced resource.
+    /// </summary>
+    public string? ContentType { get; init; }
+
     /// <summary>
     /// Optional comment.
     /// </summary>

src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/SpdxWriterOptions.cs

@@ -0,0 +1,18 @@
+// -----------------------------------------------------------------------------
+// SpdxWriterOptions.cs
+// Sprint: SPRINT_20260119_014_Attestor_spdx_3.0.1_generation
+// Task: TASK-014-009 - Lite profile support
+// Description: Options for SPDX 3.0.1 writer behavior
+// -----------------------------------------------------------------------------
+namespace StellaOps.Attestor.StandardPredicates.Writers;
+
+/// <summary>
+/// Configuration options for SPDX writer behavior.
+/// </summary>
+public sealed record SpdxWriterOptions
+{
+    /// <summary>
+    /// Emit only Lite profile output (minimal document/package/relationship fields).
+    /// </summary>
+    public bool UseLiteProfile { get; init; }
+}

src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampPolicyContext.cs

@@ -154,7 +154,8 @@ public sealed class TimestampPolicyEvaluator
         // Check trusted TSAs
         if (policy.TrustedTsas is { Count: > 0 } && context.TsaName is not null)
         {
-            if (!policy.TrustedTsas.Any(t => context.TsaName.Contains(t, StringComparison.OrdinalIgnoreCase)))
+            // Exact match (case-insensitive) against the trusted TSA list
+            if (!policy.TrustedTsas.Any(t => string.Equals(context.TsaName, t, StringComparison.OrdinalIgnoreCase)))
             {
                 violations.Add(new PolicyViolation(
                     "trusted-tsa",