Add new features and tests for AirGap and Time modules

- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.

docs/samples/evidence-locker/attestation-v1-sample.json

@@ -0,0 +1,18 @@
+{
+  "subject_digest": "sha256:deadbeef",
+  "bundle_id": "11111111-2222-3333-4444-555555555555",
+  "produced_at": "2025-11-20T00:00:00Z",
+  "producer": "evidence-locker:us-gov-west",
+  "hashes": {
+    "sboms/spdx.json": "abcdef",
+    "vex/osv.json": "123456"
+  },
+  "sbom": [
+    {"digest": "sha256:abcdef", "mediaType": "application/spdx+json"}
+  ],
+  "vex": [
+    {"digest": "sha256:123456", "schema": "openvex-1.0"}
+  ],
+  "signing_profile": "sovereign-default",
+  "transparency": null
+}

docs/samples/excititor/chunk-attestation-sample.json

@@ -0,0 +1,18 @@
+{
+  "subject_digest": "sha256:112233",
+  "predicates": {
+    "stellaops.vex.chunk.meta.v1": {
+      "tenant": "acme",
+      "source": "ghsa",
+      "schema": "stellaops.vex.chunk.v1",
+      "item_count": 1
+    },
+    "stellaops.vex.chunk.integrity.v1": {
+      "items": [
+        {"ordinal": 0, "sha256": "abc"}
+      ]
+    }
+  },
+  "signing_profile": "sovereign-default",
+  "transparency": null
+}

docs/samples/excititor/chunk-sample.ndjson

@@ -0,0 +1 @@
+{"chunk_id":"11111111-2222-3333-4444-555555555555","tenant":"acme","source":"ghsa","schema":"stellaops.vex.chunk.v1","items":[{"advisory_id":"GHSA-123","status":"affected","purl":"pkg:npm/foo@1.0.0"}],"provenance":{"fetched_at":"2025-11-20T00:00:00Z","artifact_sha":"abc"}}

docs/samples/excititor/connector-signer-metadata-sample.json

@@ -0,0 +1,93 @@
+{
+  "schemaVersion": "1.0.0",
+  "generatedAt": "2025-11-20T00:00:00Z",
+  "connectors": [
+    {
+      "connectorId": "excititor:msrc",
+      "provider": { "name": "Microsoft Security Response Center", "slug": "msrc" },
+      "issuerTier": "tier-1",
+      "signers": [
+        {
+          "usage": "csaf",
+          "fingerprints": [
+            {"alg": "sha256", "format": "pgp", "value": "F1C3D9E4A7B28C5FD6E1A203B947C2A0C5D8BEEF"},
+            {"alg": "sha256", "format": "x509-spki", "value": "5A1F4C0E9B27D0C64EAC1F22C3F501AA9FCB77AC8B1D4F9F3EA7E6B4CE90F311"}
+          ],
+          "keyLocator": "oci://mirror.stella.local/keys/msrc-csaf@sha256:793dd8a6..."
+        }
+      ],
+      "bundle": {
+        "kind": "oci-referrer",
+        "uri": "oci://mirror.stella.local/msrc/csaf:2025-11-19",
+        "digest": "sha256:4b8c9fd6e479e1b6dcd2e7ed93a85c1c7d6052f7b4a6b83471e44f5c9c2a1f30",
+        "publishedAt": "2025-11-19T12:00:00Z"
+      },
+      "validFrom": "2025-11-01"
+    },
+    {
+      "connectorId": "excititor:oracle",
+      "provider": { "name": "Oracle", "slug": "oracle" },
+      "issuerTier": "tier-1",
+      "signers": [
+        {
+          "usage": "oval",
+          "fingerprints": [
+            {"alg": "sha256", "format": "x509-spki", "value": "6E3AC4A95BD5402F4C7E9B2371190E0F3B3C11C7B42B88652E7EE0F659A0D202"}
+          ],
+          "keyLocator": "file://offline-kits/oracle/oval/signing-chain.pem",
+          "certificateChain": ["-----BEGIN CERTIFICATE-----\nMIID...oracle-root...\n-----END CERTIFICATE-----"]
+        }
+      ],
+      "bundle": {
+        "kind": "file",
+        "uri": "file://offline-kits/oracle/oval/oval-feed-2025-11-18.tar.gz",
+        "digest": "sha256:b13b1b84af1da7ee3433e0c6c0cc28a8b5c7d3e52d93b9f86d4a4b0f1dcd8f05",
+        "publishedAt": "2025-11-18T09:30:00Z"
+      },
+      "validFrom": "2025-10-15"
+    },
+    {
+      "connectorId": "excititor:oci.openvex.attest",
+      "provider": { "name": "StellaOps Mirror", "slug": "stella-mirror" },
+      "issuerTier": "tier-0",
+      "signers": [
+        {
+          "usage": "openvex",
+          "fingerprints": [
+            {"alg": "sha256", "format": "cosign", "value": "a0c1d4e5f6b7982134d56789e0fab12345cdef6789abcdeffedcba9876543210"}
+          ],
+          "keyLocator": "oci://mirror.stella.local/keys/stella-mirror-openvex:1",
+          "certificateChain": []
+        }
+      ],
+      "bundle": {
+        "kind": "oci-tag",
+        "uri": "oci://mirror.stella.local/stellaops/openvex:2025-11-19",
+        "digest": "sha256:77f6c0b8f2c9845c7d0a4f3b783b0caf00cce6fb899319ff69cb941fe2c58010",
+        "publishedAt": "2025-11-19T15:00:00Z"
+      },
+      "validFrom": "2025-11-15"
+    },
+    {
+      "connectorId": "excititor:ubuntu",
+      "provider": { "name": "Ubuntu Security", "slug": "ubuntu" },
+      "issuerTier": "tier-2",
+      "signers": [
+        {
+          "usage": "oval",
+          "fingerprints": [
+            {"alg": "sha256", "format": "pgp", "value": "7D19E3B4A5F67C103CB0B4DE0FA28F90D6E4C1D2"}
+          ],
+          "keyLocator": "tuf://mirror.stella.local/tuf/ubuntu/targets/oval-signing.pub"
+        }
+      ],
+      "bundle": {
+        "kind": "tuf",
+        "uri": "tuf://mirror.stella.local/tuf/ubuntu/oval/targets/oval-2025-11-18.tar.gz",
+        "digest": "sha256:e41c4fc15132f8848e9924a1a0f1a247d3c56da87b7735b6c6d8cbe64f0f07e5",
+        "publishedAt": "2025-11-18T07:00:00Z"
+      },
+      "validFrom": "2025-11-01"
+    }
+  ]
+}

docs/samples/excititor/connector-signer-metadata-sample.json.sha256

@@ -0,0 +1 @@
+a2f0986d938d877adf01a76b7a9e79cc148f330e57348569619485feb994df1d  connector-signer-metadata-sample.json