Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.

docs2/risk/overview.md

@@ -0,0 +1,36 @@
+# Risk overview
+
+Purpose
+- Explain risk scoring concepts, lifecycle, and artifacts.
+- Preserve deterministic, provenance-backed outputs.
+
+Core concepts
+- Signals become evidence after validation and normalization.
+- Profiles define weights, thresholds, overrides, and severity mapping.
+- Formulas aggregate normalized factors into a 0-1 score.
+- Provenance carries source hashes and attestation references.
+
+Lifecycle
+1. Submit a risk job with tenant, context, profile, and findings.
+2. Ingest evidence from scanners, reachability, VEX, runtime signals, and KEV.
+3. Normalize and dedupe by provenance hash.
+4. Evaluate profile rules, gates, and overrides.
+5. Assign severity band and emit explainability output.
+6. Export bundles with profile hash and evidence references.
+
+Artifacts
+- Profile schema: id, version, signals, weights, overrides, metadata, provenance.
+- Job and result fields: job_id, profile_hash, normalized_score, severity.
+- Explainability envelope: signal_values, signal_contributions, gates_triggered.
+
+Determinism and offline posture
+- Stable ordering for factors and contributions.
+- Fixed precision math with UTC timestamps only.
+- Fixtures and hashes live under docs/risk/samples/.
+
+Related references
+- risk/factors.md
+- risk/formulas.md
+- risk/profiles.md
+- risk/explainability.md
+- risk/api.md