Add new features and tests for AirGap and Time modules

- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.

docs/modules/findings-ledger/prep/2025-11-20-ledger-oas-prep.md

@@ -0,0 +1,19 @@
+# Ledger OAS Prep — PREP-LEDGER-OAS-61-001/61-002/62-001/63-001
+
+Status: Draft (2025-11-20)
+Owners: Findings Ledger Guild · API Contracts Guild · SDK Generator Guild
+Scope: Capture OAS baseline, HTTP surface, SDK generation, and deprecation flow for ledger service.
+
+## What’s needed
+- Baseline OAS for ledger API host (61-001).
+- Confirm endpoints and auth scopes to publish (61-002 depends on 61-001).
+- SDK generation targets and language list (62-001).
+- Deprecation header plan once SDK validated (63-001).
+
+## Open decisions
+- Hostname/versioning scheme for ledger API.
+- Auth scopes per endpoint.
+- Languages for SDK generation and package naming.
+
+## Handoff
+Use this prep doc for LEDGER-OAS-61-001/61-002/62-001/63-001; update once API contract is drafted.

docs/modules/findings-ledger/prep/2025-11-20-ledger-obs-54-001-prep.md

@@ -0,0 +1,12 @@
+# Ledger Observability Prep — PREP-LEDGER-OBS-54-001
+
+Status: Draft (2025-11-20)
+Owners: Findings Ledger Guild · Provenance Guild
+Scope: Minimal API surface for `/ledger/attestations` and observability hooks.
+
+## Needs
+- HTTP surface spec (routes, auth scopes) to host `/ledger/attestations`.
+- Telemetry fields to include provenance IDs.
+
+## Handoff
+Use as PREP artefact; update once API contract is drafted.

docs/modules/findings-ledger/prep/2025-11-20-ledger-packs-42-001-prep.md

@@ -0,0 +1,9 @@
+# Ledger Packs Snapshot Prep — PREP-LEDGER-PACKS-42-001
+
+Status: Draft (2025-11-20)
+Owners: Findings Ledger Guild · Mirror Creator Guild
+Scope: Snapshot/time-travel contract for packs simulation.
+
+## Needs
+- Snapshot format and bundle layout for pack simulation/time-travel.
+

docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-66-prep.md

@@ -0,0 +1,11 @@
+# Ledger Risk Schema Prep — PREP-LEDGER-RISK-66-001/002
+
+Status: Draft (2025-11-20)
+Owners: Findings Ledger Guild · Risk Engine Guild
+
+## Needs
+- Risk engine schema/contract inputs: `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, indexes.
+- Migration plan to add fields.
+
+## Handoff
+Use as PREP artefact; update when risk field definitions and rollout plan are available.

docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-prep.md

@@ -0,0 +1,17 @@
+# Ledger Risk Prep — PREP-LEDGER-RISK-68-001 / 69-001 / TEN-48-001
+
+Status: Draft (2025-11-20)
+Owners: Findings Ledger Guild · Export Guild · Observability Guild · Platform
+
+## 68-001 (scored findings export) needs
+- Inputs from 67-001 + Export Center contract for scored findings.
+- Metrics dimensions alignment with Observability.
+
+## 69-001 (metrics) needs
+- Final metrics fields driven by 67-001/68-001 outputs.
+
+## TEN-48-001 (RLS/partitioning) needs
+- Platform-approved tenant/project partitioning and RLS policy.
+
+## Handoff
+Use as PREP artefact for the above tasks; update when upstream exports and RLS decisions are available.

docs/modules/findings-ledger/prep/ledger-attestations-http.md

@@ -0,0 +1,38 @@
+# Ledger attestation HTTP surface (prep for LEDGER-OBS-54-001 / 55-001)
+
+**Goal.** Provide the minimal HTTP contract to expose ledger attestation verifications so PREP-LEDGER-OBS-55-001 can proceed. This complements the OAS baseline (`docs/modules/findings-ledger/openapi/findings-ledger.v1.yaml`) and schema (`docs/modules/findings-ledger/schema.md`).
+
+## Endpoint
+- `GET /v1/ledger/attestations`
+- Tenant header: `X-Stella-Tenant` (required).
+- Auth: bearer `scope=ledger.attest.read` or mTLS.
+- Query params:
+  - `artifactId` (string, optional; OCI digest or SBOM id)
+  - `findingId` (string, optional)
+  - `attestationId` (uuid, optional)
+  - `status` (`verified|failed|unknown`, optional)
+  - `sinceRecordedAt` / `untilRecordedAt` (ISO-8601 UTC)
+  - `limit` (int, default 200, max 1000)
+- Ordering: deterministic by `recordedAt ASC, attestationId ASC`.
+- Response: JSON array (or NDJSON when `Accept: application/x-ndjson`). Each item:
+  - `attestationId` (uuid)
+  - `artifactId` (string)
+  - `findingId` (string)
+  - `verificationStatus` (`verified|failed|unknown`)
+  - `verificationTime` (ISO-8601 UTC)
+  - `dsseDigest` (sha256)
+  - `rekorEntryId` (string, optional)
+  - `evidenceBundleRef` (string, optional)
+  - `ledgerEventId` (uuid) — source ledger event that linked the attestation
+  - `recordedAt` (ISO-8601 UTC)
+  - `merkleLeafHash` (sha256)
+  - `rootHash` (sha256)
+
+## Determinism/offline posture
+- Sorting keys are fixed; pagination token encodes `{recordedAt, attestationId, filtersHash}`.
+- No live Rekor calls; `rekorEntryId` is stored reference only.
+- Hashes remain lowercase SHA-256; times are UTC.
+
+## Artefact location
+- This prep doc: `docs/modules/findings-ledger/prep/ledger-attestations-http.md`.
+- Add path to OAS in a follow-on increment (LEDGER-OAS-61-002/63-001) once approved.