test fixes and new product advisories work

docs/releases/RELEASE_ENGINEERING_PLAYBOOK.md

@@ -149,7 +149,25 @@ CI job fails if token expiry < 29 days (guard against stale caches).
 6. Verify SBOM attachment with `stella sbom verify stella/backend:X.Y.Z`.  
 7. Run the release verifier locally if CI isn’t available (mirrors the workflow step):  
    `python ops/devops/release/test_verify_release.py`  
-8. Mirror the release debug store into the Offline Kit staging tree and re-check the manifest:
+8. **Verify reproducibility** – rebuild and compare checksums:
+   ```bash
+   export SOURCE_DATE_EPOCH=$(git show -s --format=%ct HEAD)
+   make release
+   sha256sum dist/* | diff - out/release/SHA256SUMS
+   ```
+9. **Generate Release Evidence Pack** – trigger evidence pack workflow:
+   ```bash
+   gh workflow run release-evidence-pack.yml \
+     -f version=X.Y.Z \
+     -f release_tag=vX.Y.Z
+   ```
+10. **Self-verify evidence pack** – extract and run verify.sh:
+    ```bash
+    tar -xzf stella-release-X.Y.Z-evidence-pack.tgz
+    cd stella-release-X.Y.Z-evidence-pack
+    ./verify.sh --verbose
+    ```
+11. Mirror the release debug store into the Offline Kit staging tree and re-check the manifest:
    ```bash
    ./ops/offline-kit/mirror_debug_store.py \
      --release-dir out/release \
@@ -157,9 +175,9 @@ CI job fails if token expiry < 29 days (guard against stale caches).
    jq '.artifacts | length' out/offline-kit/debug/debug-manifest.json
    readelf -n /app/... | grep -i 'Build ID'
    ```
-   Validate that the hash from `readelf` matches the `.build-id/<aa>/<rest>.debug` path created by the script.  
-9. Smoke-test OUK tarball in offline lab.  
-10. Announce in `#stella-release` Mattermost channel.
+   Validate that the hash from `readelf` matches the `.build-id/<aa>/<rest>.debug` path created by the script.
+12. Smoke-test OUK tarball in offline lab.
+13. Announce in `#stella-release` Mattermost channel.
 
 ---
 
@@ -189,11 +207,11 @@ CI job fails if token expiry < 29 days (guard against stale caches).
 ## 9 📌 Non‑Commercial Usage Rules (English canonical)
 
 1. **Free for internal security assessments** (company or personal).  
-2. **SaaS resale / re-hosting prohibited** without prior written consent (policy requirement; not a license restriction).  
-3. If you distribute a fork with UI or backend modifications **you must**:  
-   * Include the LICENSE and NOTICE files.
-   * Mark modified files with prominent change notices.
-   * Retain the original Stella Ops attribution in UI footer and CLI `--version`.
+2. **SaaS resale / re-hosting prohibited** without prior written consent (policy requirement; not a license restriction).  
+3. If you distribute a fork with UI or backend modifications **you must**:  
+   * Include the LICENSE and NOTICE files.
+   * Mark modified files with prominent change notices.
+   * Retain the original Stella Ops attribution in UI footer and CLI `--version`.
 4. All third‑party dependencies remain under their respective licences (MIT, Apache‑2.0, ISC, BSD).  
 5. Deployments in state‑regulated or classified environments must obey**applicable local regulations** governing cryptography and software distribution.