Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.

docs2/release/promotion-attestations.md

@@ -0,0 +1,41 @@
+# Promotion attestations
+
+Purpose
+- Capture promotion-time evidence in a DSSE predicate for offline audit.
+
+Predicate: stella.ops/promotion@v1
+- subject: image name and digest.
+- materials: SBOM and VEX digests with format and OCI uri.
+- promotion: from, to, actor, timestamp, pipeline, ticket, notes.
+- rekor: uuid, logIndex, inclusionProof, checkpoint.
+- attestation: bundle_sha256 and optional witness.
+
+Producer workflow
+1. Resolve and freeze image digest.
+2. Hash SBOM and VEX artifacts and publish to OCI if needed.
+3. Obtain Rekor inclusion proof and checkpoint.
+4. Build promotion predicate JSON.
+5. Sign with Signer to produce DSSE bundle.
+6. Store bundle in Evidence Locker and Export Center.
+
+Verification flow
+- Verify DSSE signature using trusted roots.
+- Verify Merkle inclusion using the embedded proof and checkpoint.
+- Hash SBOM and VEX artifacts and compare to materials digests.
+- Confirm promotion metadata and ticket evidence.
+
+Storage and APIs
+- Signer: /api/v1/signer/sign/dsse
+- Attestor: /api/v1/rekor/entries
+- Export Center: serves promotion bundles for offline kits
+- Evidence Locker: long-term retention of DSSE and proofs
+
+Security considerations
+- Promotion metadata is tenant scoped.
+- Rekor proofs must be embedded for air-gap verification.
+- Key rotation follows Signer and Authority policies.
+
+Related references
+- release/release-engineering.md
+- provenance/attestation-workflow.md
+- security/forensics-and-evidence-locker.md

docs2/release/release-engineering.md

@@ -23,6 +23,7 @@ Artifact signing
 - Cosign for containers and bundles
 - DSSE envelopes for attestations
 - Optional Rekor anchoring when available
+- Promotion attestations capture release evidence for offline audit
 
 Offline update kit (OUK)
 - Monthly bundle of feeds and tooling
@@ -41,3 +42,5 @@ Related references
 - docs/ci/*
 - docs/devops/*
 - docs/release/* and docs/releases/*
+- release/promotion-attestations.md
+- release/release-notes.md

docs2/release/release-notes.md

@@ -0,0 +1,22 @@
+# Release notes and templates
+
+Release notes
+- Historical release notes live under docs/releases/.
+- Use release notes for time-specific changes; refer to docs2 for current behavior.
+
+Determinism snippet template
+- Use a deterministic score summary in release notes when publishing scans.
+
+Template
+```
+- Determinism score: {{overall_score}} (threshold {{overall_min}})
+  - {{image_digest}} score {{score}} ({{identical}}/{{runs}} identical)
+- Inputs: policy {{policy_sha}}, feeds {{feeds_sha}}, scanner {{scanner_sha}}, platform {{platform}}
+- Evidence: determinism.json and artifact hashes (DSSE signed, offline ready)
+- Actions: rerun stella detscore run --bundle determinism.json if score < threshold
+```
+
+Related references
+- release/release-engineering.md
+- operations/replay-and-determinism.md
+- docs/release/templates/determinism-score.md