Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.

docs2/observability-aggregation.md

@@ -0,0 +1,34 @@
+# Aggregation observability
+
+Purpose
+- Track Link-Not-Merge aggregation and overlay pipelines.
+
+Metrics
+- aggregation_ingest_latency_seconds{tenant,source,status}
+- aggregation_conflict_total{tenant,advisory,product,reason}
+- aggregation_overlay_cache_hits_total, aggregation_overlay_cache_misses_total
+- aggregation_vex_gate_total{tenant,status}
+- aggregation_queue_depth{tenant}
+
+Traces
+- Span: aggregation.process
+- Attributes: tenant, advisory, product, vex_status, source_kind, overlay_version, cache_hit
+
+Logs
+- tenant, advisory, product, vex_status
+- decision (merged, suppressed, dropped)
+- reason, duration_ms, trace_id
+
+SLOs
+- Ingest latency p95 < 500ms per statement.
+- Overlay cache hit rate > 80%.
+- Error rate < 0.1% over 10 minutes.
+
+Alerts
+- HighConflictRate: aggregation_conflict_total delta > 100 per minute.
+- QueueBacklog: aggregation_queue_depth > 10k for 5 minutes.
+- LowCacheHit: cache hit rate < 60% for 10 minutes.
+
+Offline posture
+- Export metrics to local Prometheus scrape.
+- Deterministic ordering preserved; cache warmers seeded from bundled fixtures.