Add determinism tests for verdict artifact generation and update SHA256 sums script

- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.

docs/roadmap/README.md

@@ -0,0 +1,15 @@
+# Roadmap (detailed)
+
+This folder expands `docs/05_ROADMAP.md` into evidence-oriented guidance that stays valid even when timelines shift.
+
+Scheduling and staffing live outside the documentation layer; this roadmap stays date-free on purpose.
+
+## Documents
+- `docs/roadmap/maturity-model.md` — Capability maturity levels and the evidence expected at each level.
+
+## Canonical references by area
+- Architecture overview: `docs/40_ARCHITECTURE_OVERVIEW.md`
+- High-level architecture: `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- Offline posture and workflows: `docs/24_OFFLINE_KIT.md`, `docs/airgap/overview.md`
+- Determinism principles: `docs/key-features.md`, `docs/testing/connector-fixture-discipline.md`
+- Security boundaries and roles: `docs/security/scopes-and-roles.md`, `docs/security/tenancy-overview.md`

docs/roadmap/maturity-model.md

@@ -0,0 +1,66 @@
+# Capability maturity model
+
+This document defines what “shipped” means for StellaOps capabilities. Each area progresses through the same maturity levels; the concrete evidence differs by domain.
+
+## Maturity levels
+
+| Level | Meaning | Evidence posture |
+| --- | --- | --- |
+| **Foundation** | Works end-to-end with deterministic outputs. | Golden fixtures, stable ordering, replay-friendly artifacts. |
+| **Hardened** | Safe for regulated environments. | Isolation boundaries, audit trail, reproducible upgrades, operational runbooks. |
+| **Sovereign** | Crypto + operations are independent by default. | Bring-your-own trust roots, offline bundles, configurable crypto profiles. |
+| **Ecosystem** | Extensible and integrable without losing determinism. | Stable plugin/SDK contracts, compatibility suites, offline distribution story. |
+
+## Scanning & SBOM
+
+| Level | What exists | Minimum evidence |
+| --- | --- | --- |
+| Foundation | Deterministic SBOM generation and stable identifiers. | Fixture-backed scans producing byte-stable SBOMs and normalized findings. |
+| Hardened | Deterministic “replay” of scans and decisions. | Replay test vectors and a documented, versioned artifact layout. |
+| Sovereign | Offline-ready feeds and trust roots. | Fully air-gapped scan runbook and importer/controller workflows. |
+| Ecosystem | Extensible analyzers and outputs. | Compatibility tests for plugins and exporters; no network required. |
+
+## Advisory ingestion
+
+| Level | What exists | Minimum evidence |
+| --- | --- | --- |
+| Foundation | Normalizers and deterministic merges into canonical stores. | Repeatable ingestion runs with stable IDs and ordering. |
+| Hardened | Schema validation and drift controls. | Locked schemas, test fixtures, and failure modes documented. |
+| Sovereign | Mirror-first and offline bundle imports. | Offline bundle format documented; import determinism verified. |
+| Ecosystem | Connector library growth without regressions. | Connector conformance suite and fixture discipline. |
+
+## VEX & verdicts
+
+| Level | What exists | Minimum evidence |
+| --- | --- | --- |
+| Foundation | OpenVEX ingestion and stable verdict outcomes. | Deterministic merges, explainable reasoning, stable verdict IDs. |
+| Hardened | Trust model and audit trail. | Trust lattice rules documented; replay tests for merges/verdicts. |
+| Sovereign | Bring-your-own trust roots and issuer governance. | Offline trust root provisioning and rotation procedures. |
+| Ecosystem | Multiple issuer ecosystems and integrations. | Compatibility tests and validated importer adapters. |
+
+## Policy engine
+
+| Level | What exists | Minimum evidence |
+| --- | --- | --- |
+| Foundation | Deterministic policy evaluation with consistent precedence. | Policy packs + golden decisions with stable ordering. |
+| Hardened | Audit-grade policy traces. | Decision trace artifacts and replay tests for policy outputs. |
+| Sovereign | Operator-controlled policy distribution. | Offline pack distribution and verification story. |
+| Ecosystem | Policy contracts for third parties. | Compatibility suite and safe upgrade policy guarantees. |
+
+## Offline kit & air-gap workflows
+
+| Level | What exists | Minimum evidence |
+| --- | --- | --- |
+| Foundation | Documented offline concepts and supported workflows. | `docs/24_OFFLINE_KIT.md` plus importer/controller docs and examples. |
+| Hardened | Deterministic imports and verified indexes. | Byte-stable indexes with reproducible hash outputs across machines. |
+| Sovereign | Independent trust anchors and mirrors. | Trust-root provisioning docs and an air-gapped “day-2 ops” runbook. |
+| Ecosystem | Third-party bundles and toolchain integrations. | Conformance tests and offline bundle validation tooling. |
+
+## Operations, observability, and security
+
+| Level | What exists | Minimum evidence |
+| --- | --- | --- |
+| Foundation | Clear service boundaries and deployment profiles. | Compose profiles and documented defaults. |
+| Hardened | Runbooks, dashboards, and incident workflows. | Offline-importable dashboards and operational checklists. |
+| Sovereign | Crypto agility and least-privilege by default. | Configurable crypto profiles and role/scopes documentation. |
+| Ecosystem | Stable operator and SDK surfaces. | Versioned APIs and compatibility guarantees. |