license switch agpl -> busl1, sprints work, new product advisories

docs/doctor/README.md

@@ -52,7 +52,7 @@ WebSocket /api/v1/doctor/stream
 
 ## Available Checks
 
-The Doctor system includes 60+ diagnostic checks across 9 plugins:
+The Doctor system includes 60+ diagnostic checks across 10 plugins:
 
 | Plugin | Category | Checks | Description |
 |--------|----------|--------|-------------|
@@ -65,6 +65,7 @@ The Doctor system includes 60+ diagnostic checks across 9 plugins:
 | `stellaops.doctor.scm.*` | Integration.SCM | 8 | GitHub, GitLab connectivity/auth/permissions |
 | `stellaops.doctor.registry.*` | Integration.Registry | 6 | Harbor, ECR connectivity/auth/pull |
 | `stellaops.doctor.observability` | Observability | 4 | OTLP, logs, metrics |
+| `stellaops.doctor.timestamping` | Security | 22 | RFC-3161 and eIDAS timestamping health |
 
 ### Setup Wizard Essential Checks
 

docs/doctor/plugins.md

@@ -12,6 +12,7 @@ This document describes the Doctor health check plugins, their checks, and confi
 | **Postgres** | `StellaOps.Doctor.Plugin.Postgres` | 3 | PostgreSQL database health |
 | **Storage** | `StellaOps.Doctor.Plugin.Storage` | 3 | Disk and storage health |
 | **Crypto** | `StellaOps.Doctor.Plugin.Crypto` | 4 | Regional crypto compliance |
+| **Timestamping** | `StellaOps.Doctor.Plugin.Timestamping` | 22 | RFC-3161 and eIDAS timestamp health |
 | **EvidenceLocker** | `StellaOps.Doctor.Plugin.EvidenceLocker` | 4 | Evidence integrity checks |
 | **Attestor** | `StellaOps.Doctor.Plugin.Attestor` | 3+ | Signing and verification |
 | **Auth** | `StellaOps.Doctor.Plugin.Auth` | 3+ | Authentication health |
@@ -199,7 +200,7 @@ Verifies backup directory accessibility (skipped if not configured).
 
 ## Crypto Plugin
 
-**Plugin ID:** `stellaops.doctor.crypto`  
+**Plugin ID:** `stellaops.doctor.crypto`
 **NuGet:** `StellaOps.Doctor.Plugin.Crypto`
 
 ### Checks
@@ -284,6 +285,58 @@ Verifies SM2/SM3/SM4 algorithm availability for Chinese deployments.
 
 ---
 
+## Timestamping Plugin
+
+**Plugin ID:** `stellaops.doctor.timestamping`
+**NuGet:** `StellaOps.Doctor.Plugin.Timestamping`
+
+### Checks
+
+- `check.timestamp.tsa.reachable` - TSA endpoints reachable
+- `check.timestamp.tsa.response-time` - TSA latency thresholds
+- `check.timestamp.tsa.valid-response` - TSA returns valid RFC-3161 response
+- `check.timestamp.tsa.failover-ready` - Backup TSA readiness
+- `check.timestamp.tsa.cert-expiry` - TSA signing cert expiry
+- `check.timestamp.tsa.root-expiry` - TSA root trust expiry
+- `check.timestamp.tsa.chain-valid` - TSA certificate chain validity
+- `check.timestamp.ocsp.responder` - OCSP responder availability
+- `check.timestamp.ocsp.stapling` - OCSP stapling enabled
+- `check.timestamp.crl.distribution` - CRL distribution availability
+- `check.timestamp.revocation.cache-fresh` - OCSP/CRL cache freshness
+- `check.timestamp.evidence.staleness` - Aggregate evidence staleness
+- `check.timestamp.evidence.tst.expiry` - TSTs approaching expiry
+- `check.timestamp.evidence.tst.deprecated-algo` - TSTs using deprecated algorithms
+- `check.timestamp.evidence.tst.missing-stapling` - TSTs missing stapled revocation data
+- `check.timestamp.evidence.retimestamp.pending` - Pending retimestamp workload
+- `check.timestamp.eidas.trustlist.fresh` - EU Trust List freshness
+- `check.timestamp.eidas.qts.qualified` - Qualified TSA providers still qualified
+- `check.timestamp.eidas.qts.status-change` - QTS status changes
+- `check.timestamp.timesync.system` - System time synchronization
+- `check.timestamp.timesync.tsa-skew` - TSA time skew
+- `check.timestamp.timesync.rekor-correlation` - TST vs Rekor time correlation
+
+### Configuration
+
+```yaml
+Doctor:
+  Timestamping:
+    TsaEndpoints:
+      - name: PrimaryTsa
+        url: https://tsa.example.org
+      - name: BackupTsa
+        url: https://tsa-backup.example.org
+    WarnLatencyMs: 5000
+    CriticalLatencyMs: 30000
+    MinHealthyTsas: 2
+  Evidence:
+    DeprecatedAlgorithms:
+      - SHA1
+```
+
+Note: evidence staleness, OCSP stapling, and chain validation checks require data providers to be registered by the host.
+
+---
+
 ## Evidence Locker Plugin
 
 **Plugin ID:** `stellaops.doctor.evidencelocker`  
@@ -439,4 +492,4 @@ curl -X POST /api/v1/doctor/run \
 
 ---
 
-_Last updated: 2026-01-17 (UTC)_
+_Last updated: 2026-01-20 (UTC)_