Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.

docs/ui/vulnerability-explorer.md

@@ -1,51 +1,5 @@
-# Vulnerability Explorer
+# Archived: Vulnerability Explorer (UI)
 
-> **Imposed rule:** Any exported or shared view must include the data sources and overlays applied (VEX, policy, reachability) to avoid out-of-context remediation decisions.
+This page was consolidated during docs cleanup.
 
-The Vulnerability Explorer provides deterministic tables and grouping to triage, explain, and act on vulns across SBOM graph data and VEX claims.
-
-## Table anatomy
-- Default columns: CVE/alias, package (PURL), version, severity, exploitability (EPSS/KEV), reachability, VEX status, fix version, policy verdict, last seen.
-- Sorting: primary by severity (desc), secondary by exploitability score, tertiary by PURL; ties broken by CVE.
-- Pagination: server-driven with stable cursors; page size defaults to 50, override via `?limit=`.
-
-## Grouping & pivots
-- Group by **package**, **CVE**, **image**, or **tenant**. Each group shows counts by severity and VEX disposition.
-- “Why am I seeing this?” drawer explains grouping rules and shows upstream data sources for the group.
-- Export follows the active grouping; NDJSON includes `group_key`, `items[]`, and overlay metadata.
-
-## Filters
-- **Severity**: critical/high/medium/low/none.
-- **Exploitability**: KEV flag, EPSS bucket, exploit maturity.
-- **Reachability**: reachable, conditionally reachable, unreachable, unknown.
-- **VEX**: affected, not_affected, under_investigation, disputed, contested.
-- **Fix availability**: has fix, no fix, downgrade available.
-- **Policy verdict**: allow, review, deny, staged verdicts (simulator).
-- **Staleness**: SBOM age, advisory feed age, VEX claim age.
-
-## Why drawer
-- Provides a structured explanation showing: data sources (SBOM digest, overlay epochs), policy inputs, VEX claims contributing to the verdict, and reachability evidence. Includes correlation IDs for API traces.
-- Always shows tenant and `graph_cache_epoch` to keep exports/audits reproducible.
-
-## Fix suggestions
-- Per-row “Fix” chip suggests the nearest patched version and source (vendor vs upstream), plus link to remediation doc if provided by advisory.
-- Bulk fix export produces an actions file: `{purl, vuln, recommended_version, source, rationale}` with SHA-256 manifest.
-- UI warns when fixes rely on contested VEX claims or stale advisories.
-
-## Actions & triage
-- Multi-select with bulk actions: create ticket, generate VEX waiver request, export SBOM diff, or open policy simulator with selected rows.
-- Policy simulator opens with current overlays and generates a simulated verdict for the selection; results can be saved as a “staged policy” view.
-
-## Accessibility
-- Keyboard shortcuts: `g` to toggle grouping, `f` to focus filters, `w` to open Why drawer on selected row, `/` to focus search.
-- Screen reader labels announce VEX and reachability state; focus order matches visual order; table rows support row headers.
-
-## Air-gap posture
-- All exports include overlays and cache epochs; offline bundles can be loaded via `Import view` to replay triage without network.
-- No live CVE enrichment calls from the UI; it relies solely on backend-provided overlays.
-
-## Related docs
-- `docs/ui/sbom-graph-explorer.md`
-- `docs/api/graph.md`
-- `docs/api/vuln.md`
-- `docs/modules/graph/architecture-index.md`
+- Vulnerability Explorer guide: `docs/20_VULNERABILITY_EXPLORER_GUIDE.md`