Add new features and tests for AirGap and Time modules

- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.

docs/modules/evidence-locker/attestation-contract.md

@@ -0,0 +1,43 @@
+# Evidence Locker Attestation Contract (v1 · frozen 2025-11-20)
+
+Scope: Evidence Bundle v1 produced by Evidence Locker and consumed by Concelier, Excititor, Export Center, CLI, and Policy Engine.
+
+## Predicates & subjects
+- **Subject**: OCI manifest digest (`sha256:<digest>`) of the bundle, plus optional replay pack digest.
+- **Predicates (DSSE/In-Toto)**
+  - `stellaops.evidence.bundle.v1`: declares bundle layout (manifests, CAS paths, replay log offsets).
+  - `stellaops.evidence.transparency.v1`: optional Rekor log inclusion proof (UUID, log index, root hash at inclusion).
+  - `stellaops.evidence.integrity.v1`: hashes for each payload (SBOMs, VEX, policy packs, telemetry snapshots), keyed by logical path.
+
+## Required claim set
+- `bundle_id` (UUID v4)
+- `produced_at` (UTC ISO-8601)
+- `producer` (`evidence-locker:<region>`)
+- `subject_digest` (OCI digest string)
+- `hashes` (map: logical path → sha256)
+- `sbom` (array of SPDX/CycloneDX digests and mediaTypes)
+- `vex` (array of VEX doc digests and schema versions)
+- `replay_manifest` (optional; digest + sequence number)
+- `transparency` (optional; Rekor UUID, logIndex, rootHash)
+- `signing_profile` (`sovereign-default` | `fips` | `gost` | `pq-experimental`)
+
+## Bundling & signing rules
+- DSSE envelope using the module’s configured crypto provider; keys must be short-lived (<24h) and recorded in provider registry.
+- Hash list and subject digest MUST match the on-disk CAS objects; deterministic sort by logical path.
+- Rekor entry is optional; when absent, set `transparency=null` and add `transparency_reason="offline"` to provenance note.
+
+## Verification plan
+- Verify DSSE signature against provider registry (per profile) and check key expiry.
+- Recompute sha256 for every CAS object; fail if any mismatch.
+- If `transparency` present, verify inclusion proof against bundled Rekor root; fail closed on mismatch.
+- Emit verification report JSON and store beside bundle as `verify.json` (deterministic key order).
+
+## Fixtures
+- Sample bundle + report: `docs/samples/evidence-locker/bundle-v1-sample.tar.gz` (sha256 TBD at publish time).
+- Sample attestation envelope: `docs/samples/evidence-locker/attestation-v1-sample.json`.
+
+## Ownership
+- Primary: Evidence Locker Guild.
+- Reviewers: Concelier Core Guild, Excititor Guild, Export Center Guild, Policy Guild.
+
+This contract is authoritative for Sprint 110 and blocks CONCELIER-ATTEST-73-001/002 and EXCITITOR-ATTEST-01-003/73-001/73-002.

docs/modules/evidence-locker/crypto-provider-registry-prep.md

@@ -0,0 +1,21 @@
+# ICryptoProviderRegistry Prep — PREP-EVID-CRYPTO-90-001 (Draft)
+
+Status: Draft (2025-11-20)
+Owners: Evidence Locker Guild · Security Guild
+Scope: Capture requirements for crypto provider registry readiness to support sovereign/region-specific profiles.
+
+## Required capabilities
+- Registry interface to resolve crypto providers by profile ID (e.g., `default`, `ru-offline`, `fips140`, `eidass`).
+- Provider metadata: `{algorithms[], key_formats[], offline_supported, hsm_supported, oq_ready}`.
+- Deterministic selection rules: prefer tenant-scoped overrides, fall back to platform defaults; no network fetch.
+
+## Integration points
+- Evidence Locker signing pipeline to request provider by profile when sealing bundles.
+- Replay validation to know which algorithms/hashes are acceptable for DSSE verification.
+
+## Dependencies
+- Final list of sovereign profiles from Security Guild.
+- Key storage/backing (KMS/HSM) availability per profile.
+
+## Handoff
+Use this as the prep artefact for PREP-EVID-CRYPTO-90-001; update once profile list and key storage rules are confirmed.

docs/modules/evidence-locker/replay-payload-contract.md

@@ -0,0 +1,42 @@
+# Replay Payload Contract (Draft) — PREP-EVID-REPLAY-187-001
+
+Status: Draft (2025-11-20)
+Owners: Evidence Locker Guild · Scanner Guild · CLI Guild
+Scope: Capture expected scanner record payloads needed by Evidence Locker replay APIs.
+
+## 1) Payload envelope
+- Content type: `application/vnd.stella.replay.record+json;version=1`.
+- Fields:
+  - `record_id` (ULID, assigned by Scanner).
+  - `tenant_id` (string).
+  - `source` (enum): `scanner`, `attestor`, `cli`.
+  - `digest` (hex): SHA-256 of canonical payload bytes.
+  - `created_at` (RFC3339 UTC).
+  - `schema_version`: `replay.record.v1`.
+
+## 2) Scanner record body (expected from Sprint 0186)
+- `image_digest` (string, required).
+- `sbom_digest` (string, optional) with SBOM pointer.
+- `observations` (array) of `{type, component_purl?, location, evidence, confidence}`.
+- `signals` (array) for runtime/static signals with `{name, value, units?, confidence}`.
+- `attestations` (array) of DSSE statement references `{type, uri, sha256}`.
+- `provenance` (object): `{scanner_version, policy_profile, worker_id}`.
+
+## 3) Evidence Locker ingestion contract
+- API: `POST /replay/records` (internal) accepting NDJSON stream (`record_envelope + body`).
+- Validation:
+  - hash must match `digest` supplied; timestamps UTC.
+  - tenant_id must match auth principal or delegated token.
+  - schema_version must equal `replay.record.v1` until upgraded.
+- Storage layout proposal: bucket prefix `replay/records/{tenant_id}/{record_id}.ndjson`, immutable; metadata indexed in Mongo with `{record_id, image_digest, created_at}`.
+
+## 4) Open dependencies
+- Scanner team to freeze exact `observations` and `signals` schema in Sprint 0186.
+- Need DSSE profile for `attestations` (Authority/Attestor alignment).
+- CLI replay commands depend on finalized pointer format to retrieve records.
+
+## 5) Next actions
+- Once Sprint 0186 publishes sample payloads, update this doc with enumerated observation/signal types and add JSON schema file under `docs/modules/evidence-locker/schemas/replay-record-v1.json`.
+
+## 6) Handoff
+Reference this document from sprint trackers for PREP-EVID-REPLAY-187-001 and related CLI/Attestor PREP tasks. Update when upstream payloads are available.

docs/modules/evidence-locker/validate-bundle-prep.md

@@ -0,0 +1,23 @@
+# Validate Bundle Prep — PREP-VALIDATE-BUNDLE-187-005 (Draft)
+
+Status: Draft (2025-11-20)
+Owners: QA Guild · CLI Guild · Docs Guild
+Scope: Define validation steps for replay bundles once schemas freeze.
+
+## Validation checklist (proposed)
+- Verify archive hash vs manifest `bundle.manifest.json` (`sha256`).
+- Verify DSSE signature (if present) against trusted keys.
+- Recompute Merkle root of bundle file tree; compare to manifest.
+- Schema validation: replay records conform to `replay.record.v1`; policy export bundle conforms to `policy.export.console.v1` when included.
+- Determinism: run `stella replay` twice on same bundle and assert identical outputs (hash comparison).
+
+## Fixtures/tests
+- Place golden bundles under `tests/EvidenceLocker/Fixtures/replay/` with expected hashes and DSSE signatures.
+- CLI validation test: `stella verify --bundle <fixture>` returns exit code 0 and prints `verified: true`.
+
+## Open dependencies
+- Final schemas from Evidence Locker and Policy export contracts.
+- Trust root list for DSSE verification (Authority decision).
+
+## Handoff
+Use this prep doc for PREP-VALIDATE-BUNDLE-187-005; expand with concrete fixtures once schemas are frozen.