license switch agpl -> busl1, sprints work, new product advisories

docs/modules/attestor/guides/offline-verification.md

@@ -0,0 +1,48 @@
+# Attestor Offline Verification Guide
+
+> **Audience:** Attestor operators, AirGap owners, CI/Release engineers
+>
+> **Purpose:** Explain how to verify attestations and timestamp evidence in fully offline environments.
+
+## 1. Offline Inputs
+
+Offline verification expects all evidence to be bundled locally:
+
+- DSSE envelopes + certificate chains.
+- Rekor inclusion proofs + a pinned checkpoint.
+- RFC3161 timestamp evidence with bundled TSA chain and revocation data:
+  - `tsa/chain/` (PEM certificates, leaf -> root)
+  - `tsa/ocsp/` (stapled OCSP responses)
+  - `tsa/crl/` (CRL snapshots when OCSP is unavailable)
+
+## 2. Bundle Layout Expectations
+
+Minimum paths for timestamp verification:
+
+- `manifest.json` with `timestamps[]` entries.
+- `tsa/chain/*.pem` for each RFC3161 timestamp.
+- `tsa/ocsp/*.der` or `tsa/crl/*.crl` (revocation evidence).
+
+## 3. CLI Workflow (Offline)
+
+Use the bundle verification flow aligned to domain operations:
+
+```bash
+stella bundle verify --bundle /path/to/bundle --offline --trust-root /path/to/tsa-root.pem --rekor-checkpoint /path/to/checkpoint.json
+```
+
+Notes:
+- Offline mode fails closed when revocation evidence is missing or invalid.
+- Trust roots must be provided locally; no network fetches are allowed.
+
+## 4. Verification Behavior
+
+- TSA chain is validated against the provided trust roots.
+- Revocation evidence is verified using bundled OCSP/CRL data.
+- Rekor proofs are verified against the pinned checkpoint when provided.
+
+## 5. References
+
+- `docs/modules/attestor/guides/timestamp-policy.md`
+- `docs/modules/attestor/airgap.md`
+- `docs/modules/airgap/guides/staleness-and-time.md`