feat: Add UI benchmark driver and scenarios for graph interactions

- Introduced `ui_bench_driver.mjs` to read scenarios and fixture manifest, generating a deterministic run plan.
- Created `ui_bench_plan.md` outlining the purpose, scope, and next steps for the benchmark.
- Added `ui_bench_scenarios.json` containing various scenarios for graph UI interactions.
- Implemented tests for CLI commands, ensuring bundle verification and telemetry defaults.
- Developed schemas for orchestrator components, including replay manifests and event envelopes.
- Added mock API for risk management, including listing and statistics functionalities.
- Implemented models for risk profiles and query options to support the new API.

docs/modules/cli/contracts/cli-spec-v1.yaml

@@ -0,0 +1,63 @@
+version: 1
+generated: 2025-12-01T00:00:00Z
+compatibility:
+  policy: "SemVer-like: commands/flags/exitCodes are backwards compatible within major version."
+  deprecation:
+    noticeMinimumDays: 90
+    channels:
+      - release-notes
+      - --compat-report
+commands:
+  - name: advise
+    subcommands:
+      - name: summarize
+        formats: [json, markdown, table]
+        exitCodes:
+          0: success
+          2: validation-error
+          3: backend-unavailable
+      - name: explain
+        formats: [json, markdown, table]
+        exitCodes:
+          0: success
+          2: validation-error
+          3: backend-unavailable
+      - name: remediate
+        flags:
+          - name: strategy
+            required: false
+            values: [minimal, defense-in-depth, fast-track]
+        exitCodes:
+          0: success
+          2: validation-error
+          3: backend-unavailable
+  - name: auth
+    subcommands:
+      - name: doctor
+        exitCodes:
+          0: success
+          4: auth-misconfigured
+          5: token-invalid
+telemetry:
+  defaultEnabled: false
+  envVars:
+    optIn: STELLAOPS_TELEMETRY=1
+    optOut: STELLAOPS_TELEMETRY=0
+  persistField: telemetryEnabled
+install:
+  checksumRequired: true
+  cosignVerifyDefault: true
+  exitCodes:
+    21: checksum-file-missing
+    22: checksum-mismatch
+buildxPlugin:
+  imageDigest: "sha256:0000000000000000000000000000000000000000000000000000000000000000"
+  rollbackCommand: "stella tool buildx rollback --to <digest>"
+determinism:
+  locale: "en-US"
+  timezone: "UTC"
+  jsonFormatting: "stable-sort-keys"
+  tableWidth: 80
+tests:
+  - name: cli-compatibility-regression
+    description: "Ensure commands/flags/exit codes match spec and telemetry defaults are enforced."

docs/modules/cli/contracts/install-integrity.md

@@ -0,0 +1,15 @@
+# CLI Install & Update Integrity (v1) — 2025-12-01
+
+Requirements
+- Checksums: Every release publishes `stellaops-cli-$version.tar.zst` with `SHA256SUMS` + detached `.sig`.
+- Verification: `stella install` and `stella self-update` run `cosign verify` by default against pinned public key fingerprint; `--skip-verify` prohibited.
+- Offline: Provide `install-offline.sh` that reads from kit directory with checksum + signature checks only; no network fetches.
+- Buildx plugin: pin image digest (see `cli-spec-v1.yaml`); rollback command included in help.
+
+Failure modes
+- Missing checksum/signature → command fails with exit code 21 and structured error.
+- Digest mismatch → command fails with exit code 22; log path to offending file.
+
+Artifacts
+- Public key fingerprints recorded in `cli-spec-v1.yaml`.
+- Example verify script to be bundled in release kit: `scripts/cli/verify-install.sh`.

docs/modules/cli/contracts/output-determinism.md

@@ -0,0 +1,19 @@
+# CLI Output Determinism Policy (v1) — 2025-12-01
+
+Scope: `StellaOps.Cli` JSON/table/markdown outputs for advisory verbs and auth doctor.
+
+Rules
+- Time: All timestamps UTC; no local timezone conversion.
+- Locale: `en-US`, `InvariantCulture` for number/date formatting.
+- Ordering: Sort collections by stable key (id/name) before rendering; JSON keys stable-sorted.
+- Width: Table renderer clamps to width 80; no ANSI when `--output json` or non-TTY.
+- Seeds: Randomness forbidden; no wall-clock in hashes; use provided deterministic IDs.
+
+Tests
+- Golden fixtures stored under `src/Cli/__Tests/StellaOps.Cli.Tests/Fixtures/output-determinism/`.
+- Hash check: two consecutive runs of the same command with identical inputs must produce identical SHA256 of stdout.
+- Locale guard: integration test forces `CultureInfo("fr-FR")` and asserts output matches fixtures.
+
+Failure handling
+- Any drift fails CI; diff is printed with unified format.
+- Add new fields behind explicit versioned spec entry in `cli-spec-v1.yaml`.