Add determinism tests for verdict artifact generation and update SHA256 sums script

- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.

docs/23_FAQ_MATRIX.md

@@ -1,61 +1,25 @@
-# Stella Ops — Frequently Asked Questions (Matrix)
-
-## Quick glance
-
-| Question | Short answer |
-|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| What is Stella Ops? | A lightning‑fast, SBOM‑first container‑security scanner written in **.NET {{ dotnet }}** with an **Angular {{ angular }}** web UI. |
-| How fast is it? | Warm scans finish in **\< 5 s** on a 4‑vCPU runner; first scans stay **\< 30 s**. |
-| Is it free? | Yes – **{{ quota_anon }} scans / day** anonymously. Requesting a free JWT lifts the limit to **{{ quota_token }}**. A gentle reminder shows at 200; exceeding the cap throttles speed but never blocks. |
-| Does it run offline? | Yes — download the signed **Offline Update Kit**; see `/offline/`. |
-| Can I extend it? | Yes — restart‑time plug‑ins (`ISbomMutator`, `IVulnerabilityProvider`, `IResultSink`, OPA Rego). Marketplace GA in v1.0. |
-
----
-
-## Road‑map (authoritative link)
-
-The full, always‑up‑to‑date roadmap lives at <https://stella‑ops.org/roadmap/>.  
-Snapshot:
-
-| Version | Target date | Locked‑in scope (freeze at β) |
-|---------|-------------|--------------------------------|
-| **v0.1 α** | *Late 2025* | Δ‑SBOM engine, nightly re‑scan, Offline Kit v1, {{ quota_anon }}/ {{ quota_token }} quota |
-| **v0.2 β** | Q1 2026 | *Zastava* forbidden‑image scanner, registry sweeper, SDK β |
-| **v0.3 β** | Q2 2026 | YAML/Rego policy‑as‑code, SARIF output, OUK auto‑import |
-| **v0.4 RC** | Q3 2026 | AI remediation advisor, LDAP/AD SSO, pluggable TLS providers |
-| **v1.0 GA** | Q4 2026 | SLSA L3 provenance, signed plug‑in marketplace |
-
----
-
-## Technical matrix
-
-| Category | Detail |
-|----------|--------|
-| **Core runtime** | C# 14 on **.NET {{ dotnet }}** |
-| **UI stack** | **Angular {{ angular }}** + TailwindCSS |
-| **Container base** | Distroless glibc (x86‑64 & arm64) |
-| **Data stores** | PostgreSQL 7 (SBOM + findings), Redis 7 (LRU cache + quota) |
-| **Release integrity** | Cosign‑signed images & TGZ, reproducible build, SPDX 2.3 SBOM |
-| **Extensibility** | Plug‑ins in any .NET language (restart load); OPA Rego policies |
-| **Default quotas** | Anonymous **{{ quota_anon }} scans/day** · JWT **{{ quota_token }}** |
-
----
-
-## Quota enforcement (overview)
-
-* Counters live in Redis with 24 h keys: `quota:ip:<sha256>` or `quota:tid:<hash>`.
-* Soft reminder banner at 200 daily scans.
-* Past the limit: first 30 excess requests delayed 5 s; afterwards 60 s.
-* Behaviour is identical online and offline (validation local).
-
-For full flow see `docs/30_QUOTA_ENFORCEMENT_FLOW1.md`.
-
----
-
-## Further reading
-
-* **Install guide:** `/install/`  
-* **Offline mode:** `/offline/`  
-* **Security policy:** `/security/`  
-* **Governance:** `/governance/`  
-* **Community chat:** Matrix `#stellaops:libera.chat`  
+# FAQ (stakeholder matrix)
+
+## Quick answers
+
+| Question | Short answer |
+| --- | --- |
+| What is StellaOps? | A sovereign, offline-first container-security platform focused on deterministic, replayable evidence: SBOMs, advisories, VEX, policy decisions, and attestations bound to image digests. |
+| What makes it “deterministic”? | The same inputs produce the same outputs (stable ordering, stable IDs, replayable artifacts). Determinism is treated as a product feature and enforced by tests and fixtures. |
+| Does it run fully offline? | Yes. Offline operation is a first-class workflow (bundles, mirrors, importer/controller). See `docs/24_OFFLINE_KIT.md` and `docs/airgap/overview.md`. |
+| Which formats are supported? | SBOMs: SPDX 3.0.1 and CycloneDX 1.6. VEX: OpenVEX-first decisioning with issuer trust and consensus. Attestations: in-toto/DSSE where enabled. |
+| How do I deploy it? | Use deterministic bundles under `deploy/` (Compose/Helm) with digests sourced from `deploy/releases/`. Start with `docs/21_INSTALL_GUIDE.md`. |
+| How do policy gates work? | Policy combines VEX-first inputs with lattice/precedence rules so outcomes are stable and explainable. See `docs/policy/vex-trust-model.md`. |
+| Is multi-tenancy supported? | Yes; tenancy boundaries and roles/scopes are documented and designed to support regulated environments. See `docs/security/tenancy-overview.md` and `docs/security/scopes-and-roles.md`. |
+| Can I extend it? | Yes: connectors, plugins, and policy packs are designed to be composable without losing determinism. Start with module dossiers under `docs/modules/`. |
+| Where is the roadmap? | `docs/05_ROADMAP.md` (priority bands + definition of “done”). |
+| Where do I find deeper docs? | `docs/technical/README.md` is the detailed index; `docs/modules/` contains per-module dossiers. |
+
+## Further reading
+- Vision: `docs/03_VISION.md`
+- Feature matrix: `docs/04_FEATURE_MATRIX.md`
+- Architecture overview: `docs/40_ARCHITECTURE_OVERVIEW.md`
+- High-level architecture: `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- Offline kit: `docs/24_OFFLINE_KIT.md`
+- Install guide: `docs/21_INSTALL_GUIDE.md`
+- Quickstart: `docs/quickstart.md`