OSCAL export
Export a vendor's claims as a simplified NIST OSCAL Component Definition, so TrustMCP evidence drops into OSCAL-based GRC tooling.
GET /v1/vendors/{vid}/attestations/oscal?framework=soc2 (scope: attestations)
The vendor becomes a service component whose control-implementations are driven by TrustMCP claims mapped to the chosen framework (soc2, nist_800_53, iso_27001):
{
  "component-definition": {
    "metadata": { "title": "Acme Corp - TrustMCP export", "oscal-version": "1.1.2" },
    "components": [{
      "type": "service",
      "title": "Acme Corp",
      "control-implementations": [{
        "source": "https://www.aicpa.org/soc2",
        "implemented-requirements": [
          { "control-id": "CC6.1", "description": "Logical access controls: mfa.enforced=true",
            "props": [{ "name": "trustmcp-claim", "value": "mfa.enforced" }] }
        ]
      }]
    }]
  }
}
This is a pragmatic, interoperable export rather than a full OSCAL validation target - it carries enough to seed an OSCAL workflow with live, vendor-published evidence.
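A consumer-side check for the export above, as an added example that is not TrustMCP's own code: it flattens the document into control-to-claim rows and lists the fields a strict OSCAL validator would still expect. The `REQUIRED` table reflects the full OSCAL component-definition model, not anything stated on this page, and `review_export` is a hypothetical helper name.

```python
import json

# Constructed input: the simplified export shown on this page.
EXPORT = json.loads("""
{"component-definition": {
  "metadata": {"title": "Acme Corp - TrustMCP export", "oscal-version": "1.1.2"},
  "components": [{"type": "service", "title": "Acme Corp",
    "control-implementations": [{"source": "https://www.aicpa.org/soc2",
      "implemented-requirements": [
        {"control-id": "CC6.1",
         "description": "Logical access controls: mfa.enforced=true",
         "props": [{"name": "trustmcp-claim", "value": "mfa.enforced"}]}]}]}]}}
""")

# Fields the full OSCAL component-definition model requires at each level
# (taken from the OSCAL model, an assumption relative to this page).
REQUIRED = {
    "component-definition": ("uuid", "metadata"),
    "metadata": ("title", "last-modified", "version", "oscal-version"),
    "component": ("uuid", "type", "title", "description"),
    "control-implementation": ("uuid", "source", "description", "implemented-requirements"),
    "implemented-requirement": ("uuid", "control-id", "description"),
}

def _missing(kind, obj, path, gaps):
    gaps.extend(f"{path}.{f}" for f in REQUIRED[kind] if f not in obj)

def review_export(doc):
    """Return (rows, gaps): control-to-claim rows, and fields absent for strict OSCAL."""
    rows, gaps = [], []
    cd = doc["component-definition"]
    _missing("component-definition", cd, "component-definition", gaps)
    _missing("metadata", cd.get("metadata", {}), "metadata", gaps)
    for i, comp in enumerate(cd.get("components", [])):
        _missing("component", comp, f"components[{i}]", gaps)
        for j, ci in enumerate(comp.get("control-implementations", [])):
            cpath = f"components[{i}].control-implementations[{j}]"
            _missing("control-implementation", ci, cpath, gaps)
            for k, req in enumerate(ci.get("implemented-requirements", [])):
                _missing("implemented-requirement", req, f"{cpath}.implemented-requirements[{k}]", gaps)
                # Only props named trustmcp-claim tie the statement back to vendor evidence.
                claims = [p["value"] for p in req.get("props", []) if p.get("name") == "trustmcp-claim"]
                rows.append((comp.get("title"), ci.get("source"), req.get("control-id"), claims))
    return rows, gaps

if __name__ == "__main__":
    rows, gaps = review_export(EXPORT)
    print(rows)
    print("add before strict validation:", gaps)
```

A row whose claim list is empty is a control statement with no TrustMCP claim behind it, which is worth flagging before the export is imported as evidence.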