Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.

docs2/risk/profiles.md

@@ -0,0 +1,37 @@
+# Risk profiles
+
+Purpose
+- Define profile schema, lifecycle, and governance for risk scoring.
+
+Schema essentials
+- id, version, description, signals[], weights, metadata.
+- signals[] fields: name, source, type (numeric, boolean, categorical), path, transform, unit.
+- overrides: severity rules and decision rules.
+- Optional: extends, rollout flags, valid_from, valid_until.
+
+Severity levels
+- critical, high, medium, low, informational.
+
+Lifecycle
+1. Author profiles in Policy Studio.
+2. Simulate against deterministic fixtures.
+3. Review and approve with DSSE signatures.
+4. Promote and activate in Policy Engine.
+5. Roll back by activating a previous version.
+
+Governance and determinism
+- Profiles are immutable after promotion.
+- Each version carries a profile_hash and signed manifest entry.
+- Simulation and production share the same evaluation codepath.
+- Offline bundles include profiles and fixtures with hashes.
+
+Explainability and observability
+- Emit per-factor contributions with stable ordering.
+- Track evaluation latency, factor coverage, profile hit rate, and override usage.
+
+Related references
+- risk/overview.md
+- risk/factors.md
+- risk/formulas.md
+- risk/explainability.md
+- risk/api.md