Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.

docs2/observability-logging.md

@@ -0,0 +1,39 @@
+# Logging standards
+
+Goals
+- Deterministic, structured logs for all services.
+- Safe for tenant isolation and offline review.
+
+Required fields
+- timestamp (UTC ISO-8601)
+- tenant, workload, env, region, version
+- level (debug, info, warn, error, fatal)
+- category and operation
+- trace_id, span_id, correlation_id when present
+- message (concise, no secrets)
+- status (ok, error, fault, throttle)
+- error.code, error.message (redacted), retryable when status is not ok
+
+Optional fields
+- resource, http.method, http.status_code, duration_ms
+- host, pid, thread
+
+Offline kit import fields
+- tenant_id, bundle_type, bundle_digest, bundle_path
+- manifest_version, manifest_created_at
+- force_activate, force_activate_reason
+- result, reason_code, reason_message
+- quarantine_id, quarantine_path
+
+Redaction rules
+- Never log auth headers, tokens, passwords, private keys, or full bodies.
+- Redact to "[redacted]" and add redaction.reason.
+- Hash low-cardinality identifiers and mark hashed=true.
+
+Determinism and offline posture
+- NDJSON with LF endings; UTC timestamps only.
+- No external enrichment; rely on bundled metadata.
+
+Sampling and rate limits
+- Info logs rate-limited per component; warn and error never sampled.
+- Audit logs are never sampled and include actor, action, target, result.