license switch agpl -> busl1, sprints work, new product advisories

docs/modules/attestor/README.md

@@ -40,6 +40,7 @@ All predicates capture subjects, issuer metadata, policy context, materials, opt
 - **Console:** Evidence browser, verification reports, chain-of-custody graph, issuer/key management, attestation workbench, and bulk verification flows.
 - **CLI / SDK:** `stella attest sign|verify|list|fetch|key` commands plus language SDKs to integrate build pipelines and offline verification scripts.
 - **Policy Studio:** Verification policies author required predicate types, issuers, witness requirements, and freshness windows; simulations show enforcement impact.
+Reference: `docs/modules/attestor/guides/timestamp-policy.md` for RFC-3161 policy assertions.
 
 ## Storage, offline & air-gap posture
 - PostgreSQL stores entry metadata, dedupe keys, and audit events; object storage optionally archives DSSE bundles.

docs/modules/attestor/guides/README.md

@@ -10,9 +10,12 @@ StellaOps SBOM interoperability tests ensure compatibility with third-party secu
 
 | Format | Version | Status | Parity Target |
 |--------|---------|--------|---------------|
-| CycloneDX | 1.6 | ✅ Supported | 95%+ |
+| CycloneDX | 1.7 | ✅ Supported | 95%+ |
 | SPDX | 3.0.1 | ✅ Supported | 95%+ |
 
+Notes:
+- SPDX 3.0.1 generation currently emits JSON-LD `@context`, `spdxVersion`, core document/package/relationship elements, software package/file/snippet metadata, build profile elements with output relationships, security vulnerabilities with assessment relationships, verifiedUsing hashes/signatures, and external references/identifiers. Full profile coverage is tracked in SPRINT_20260119_014.
+
 ### Third-Party Tools
 
 | Tool | Purpose | Version | Status |
@@ -162,7 +165,7 @@ If SBOMs fail schema validation:
 
 1. Verify format version:
    ```bash
-   jq '.specVersion' sbom-cyclonedx.json  # Should be "1.6"
+   jq '.specVersion' sbom-cyclonedx.json  # Should be "1.7"
    jq '.spdxVersion' sbom-spdx.json       # Should be "SPDX-3.0"
    ```
 
@@ -203,7 +206,7 @@ Tools are currently installed from `latest`. To pin versions:
 
 ## References
 
-- [CycloneDX 1.6 Specification](https://cyclonedx.org/docs/1.6/)
+- [CycloneDX 1.7 Specification](https://cyclonedx.org/docs/1.7/)
 - [SPDX 3.0.1 Specification](https://spdx.github.io/spdx-spec/v3.0/)
 - [Syft Documentation](https://github.com/anchore/syft)
 - [Grype Documentation](https://github.com/anchore/grype)

docs/modules/attestor/guides/cosign-integration.md

@@ -607,7 +607,7 @@ stella attest verify-batch \
 - [Sigstore Trust Root Specification](https://github.com/sigstore/root-signing)
 - [in-toto Attestation Specification](https://github.com/in-toto/attestation)
 - [SPDX 3.0.1 Specification](https://spdx.github.io/spdx-spec/v3.0.1/)
-- [CycloneDX 1.6 Specification](https://cyclonedx.org/docs/1.6/)
+- [CycloneDX 1.7 Specification](https://cyclonedx.org/docs/1.7/)
 
 ### StellaOps Documentation
 - [Attestor Architecture](../modules/attestor/architecture.md)

docs/modules/attestor/guides/offline-verification.md

@@ -0,0 +1,48 @@
+# Attestor Offline Verification Guide
+
+> **Audience:** Attestor operators, AirGap owners, CI/Release engineers
+>
+> **Purpose:** Explain how to verify attestations and timestamp evidence in fully offline environments.
+
+## 1. Offline Inputs
+
+Offline verification expects all evidence to be bundled locally:
+
+- DSSE envelopes + certificate chains.
+- Rekor inclusion proofs + a pinned checkpoint.
+- RFC3161 timestamp evidence with bundled TSA chain and revocation data:
+  - `tsa/chain/` (PEM certificates, leaf -> root)
+  - `tsa/ocsp/` (stapled OCSP responses)
+  - `tsa/crl/` (CRL snapshots when OCSP is unavailable)
+
+## 2. Bundle Layout Expectations
+
+Minimum paths for timestamp verification:
+
+- `manifest.json` with `timestamps[]` entries.
+- `tsa/chain/*.pem` for each RFC3161 timestamp.
+- `tsa/ocsp/*.der` or `tsa/crl/*.crl` (revocation evidence).
+
+## 3. CLI Workflow (Offline)
+
+Use the bundle verification flow aligned to domain operations:
+
+```bash
+stella bundle verify --bundle /path/to/bundle --offline --trust-root /path/to/tsa-root.pem --rekor-checkpoint /path/to/checkpoint.json
+```
+
+Notes:
+- Offline mode fails closed when revocation evidence is missing or invalid.
+- Trust roots must be provided locally; no network fetches are allowed.
+
+## 4. Verification Behavior
+
+- TSA chain is validated against the provided trust roots.
+- Revocation evidence is verified using bundled OCSP/CRL data.
+- Rekor proofs are verified against the pinned checkpoint when provided.
+
+## 5. References
+
+- `docs/modules/attestor/guides/timestamp-policy.md`
+- `docs/modules/attestor/airgap.md`
+- `docs/modules/airgap/guides/staleness-and-time.md`

docs/modules/attestor/guides/timestamp-policy.md

@@ -0,0 +1,50 @@
+# RFC-3161 Timestamp Policy Assertions
+
+## Overview
+Attestation timestamp policy rules validate RFC-3161 evidence alongside Rekor
+inclusion proofs. The policy surface is backed by `AttestationTimestampPolicyContext`
+and `TimestampPolicyEvaluator` in `StellaOps.Attestor.Timestamping`.
+
+## Context fields
+`AttestationTimestampPolicyContext` exposes the following fields:
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `HasValidTst` | bool | True when RFC-3161 verification succeeded. |
+| `TstTime` | DateTimeOffset? | Generation time from the timestamp token. |
+| `TsaName` | string? | TSA subject/name from the TST. |
+| `TsaPolicyOid` | string? | TSA policy OID from the TST. |
+| `TsaCertificateValid` | bool | True when TSA certificate validation passes. |
+| `TsaCertificateExpires` | DateTimeOffset? | TSA signing cert expiry time. |
+| `OcspStatus` | string? | OCSP status (Good/Unknown/Revoked). |
+| `CrlChecked` | bool | True when CRL data was checked. |
+| `RekorTime` | DateTimeOffset? | Rekor integrated time for the entry. |
+| `TimeSkew` | TimeSpan? | RekorTime - TstTime, used for skew checks. |
+
+## Example assertions
+The policy engine maps the context into `evidence.tst.*` fields. Example rules:
+
+```yaml
+rules:
+  - id: require-rfc3161
+    assert: evidence.tst.valid == true
+  - id: time-skew
+    assert: abs(evidence.tst.time_skew) <= "5m"
+  - id: freshness
+    assert: evidence.tst.signing_cert.expires_at - now() > "180d"
+  - id: revocation-staple
+    assert: evidence.tst.ocsp.status in ["good","unknown"] && evidence.tst.crl.checked == true
+  - id: trusted-tsa
+    assert: evidence.tst.tsa_name in ["Example TSA", "Acme TSA"]
+```
+
+## Built-in policy defaults
+`TimestampPolicy.Default` enforces:
+- `RequireRfc3161 = true`
+- `MaxTimeSkew = 5 minutes`
+- `MinCertificateFreshness = 180 days`
+- `RequireRevocationStapling = true`
+
+## References
+- `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampPolicyContext.cs`
+- `docs/modules/attestor/architecture.md`

docs/modules/attestor/implementation_plan.md

@@ -0,0 +1,32 @@
+# Attestor Implementation Plan
+
+## Purpose
+Provide a concise, living plan for Attestor feature delivery, timestamping, and offline verification workflows.
+
+## Active work
+- `docs/implplan/SPRINT_20260119_010_Attestor_tst_integration.md`
+- `docs/implplan/SPRINT_20260119_013_Attestor_cyclonedx_1.7_generation.md`
+- `docs/implplan/SPRINT_20260119_014_Attestor_spdx_3.0.1_generation.md`
+
+## Near-term deliverables
+- RFC-3161 timestamping integration (signing, verification, policy context).
+- CycloneDX 1.7 predicate writer updates and determinism tests.
+- SPDX 3.0.1 predicate writer updates and determinism tests.
+- CLI workflows for attestation timestamp handling.
+
+## Dependencies
+- Authority timestamping services and TSA client integrations.
+- EvidenceLocker timestamp storage and verification utilities.
+- Policy evaluation integration for timestamp assertions.
+
+## Evidence of completion
+- Attestor timestamping library changes under `src/Attestor/__Libraries/`.
+- Updated CLI command handlers and tests under `src/Cli/`.
+- Deterministic unit tests and fixtures in `src/Attestor/__Tests/`.
+- Documentation updates under `docs/modules/attestor/`.
+
+## Reference docs
+- `docs/modules/attestor/README.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/attestor/rekor-verification-design.md`
+- `docs/modules/platform/architecture-overview.md`

docs/modules/attestor/rekor-verification-design.md

@@ -432,25 +432,22 @@ In tile-based logs, the Merkle tree is stored in fixed-size chunks (tiles) of 25
 
 #### 3.4.2 Log Version Configuration
 
-StellaOps supports automatic version detection and explicit version selection:
+StellaOps supports automatic selection and explicit version selection:
 
 ```csharp
 public enum RekorLogVersion
 {
-    Auto = 0,   // Auto-detect based on endpoint availability
-    V1 = 1,     // Traditional Trillian-based Rekor (API proofs)
+    Auto = 0,   // Auto-selects v2 tiles
     V2 = 2      // Tile-based Sunlight format
 }
 ```
 
 **Version Selection Logic:**
 
-| Version | PreferTileProofs | Result |
-|---------|------------------|--------|
-| V2 | (any) | Always use tile proofs |
-| V1 | (any) | Always use API proofs |
-| Auto | true | Prefer tile proofs if available |
-| Auto | false | Use API proofs (default) |
+| Version | Result |
+|---------|--------|
+| V2 | Always use tile proofs |
+| Auto | Always use tile proofs |
 
 #### 3.4.3 Checkpoint Format
 
@@ -577,14 +574,12 @@ attestor:
   rekor:
     primary:
       url: https://rekor.sigstore.dev
-      # Version: Auto, V1, or V2
+      # Version: Auto or V2
       version: Auto
       # Custom tile base URL (optional, defaults to {url}/tile/)
       tile_base_url: ""
       # Log ID for multi-log environments (hex-encoded SHA-256)
       log_id: "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
-      # Prefer tile proofs when version is Auto
-      prefer_tile_proofs: false
 ```
 
 **Environment Variables:**
@@ -592,10 +587,9 @@ attestor:
 ```bash
 # Rekor v2 Configuration
 REKOR_SERVER_URL=https://rekor.sigstore.dev
-REKOR_VERSION=Auto           # Auto, V1, or V2
+REKOR_VERSION=Auto           # Auto or V2
 REKOR_TILE_BASE_URL=         # Optional custom tile endpoint
 REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
-REKOR_PREFER_TILE_PROOFS=false
 ```
 
 #### 3.4.8 Offline Verification Benefits