Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.

docs2/security/crypto-and-trust.md

@@ -32,3 +32,6 @@ Related references
 - docs/security/crypto-simulation-services.md
 - docs/security/crypto-compliance.md
 - docs/airgap/staleness-and-time.md
+- operations/key-rotation.md
+- provenance/rekor-policy.md
+- release/promotion-attestations.md

docs2/security/evidence-locker-publishing.md

@@ -0,0 +1,30 @@
+# Evidence locker publishing
+
+Purpose
+- Publish deterministic evidence bundles to the Evidence Locker.
+
+Required inputs
+- Evidence locker base URL (no trailing slash).
+- Bearer token with write scopes for required prefixes.
+- Signing key for final bundle signing (Cosign key or key file).
+
+Publishing flow
+- Build deterministic tar bundles for each producer (signals, runtime, evidence packs).
+- Verify bundle hashes and inner SHA256 lists before upload.
+- Upload bundles to the Evidence Locker using the configured token.
+- Re-sign bundles with production keys when required.
+
+Deterministic packaging rules
+- tar --sort=name
+- fixed mtime (UTC 1970-01-01)
+- owner and group set to 0
+- numeric-owner enabled
+
+Offline posture
+- Transparency log upload may be disabled in sealed mode.
+- Trust derives from local keys and recorded hashes.
+- Upload scripts must fail on hash mismatch.
+
+Related references
+- security/forensics-and-evidence-locker.md
+- provenance/attestation-workflow.md

docs2/security/forensics-and-evidence-locker.md

@@ -28,7 +28,8 @@ Minimum bundle layout
 - signatures/ for DSSE or sigstore bundles
 
 Related references
+- provenance/attestation-workflow.md
+- security/timeline.md
+- security/evidence-locker-publishing.md
 - docs/forensics/evidence-locker.md
-- docs/forensics/provenance-attestation.md
-- docs/forensics/timeline.md
 - docs/evidence-locker/evidence-pack-schema.md

docs2/security/multi-tenancy.md

@@ -0,0 +1,27 @@
+# Multi-tenancy
+
+Purpose
+- Ensure strict tenant isolation across APIs, storage, and observability.
+
+Tenant lifecycle
+- Create tenants with scoped roles and default policies.
+- Suspend or retire tenants with audit records.
+- Migrations and data retention follow governance policy.
+
+Isolation model
+- Tokens carry tenant identifiers and scopes.
+- APIs require tenant headers; cross-tenant actions are explicit.
+- Datastores enforce tenant_id and RLS where supported.
+
+Observability
+- Metrics, logs, and traces always include tenant.
+- Cross-tenant access attempts emit audit events.
+
+Offline posture
+- Offline bundles are tenant scoped.
+- Tenant list in offline mode is limited to snapshot contents.
+
+Related references
+- security/identity-tenancy-and-scopes.md
+- security/row-level-security.md
+- docs/operations/multi-tenancy.md

docs2/security/risk-model.md

@@ -40,3 +40,9 @@ Related references
 - docs/risk/profiles.md
 - docs/risk/api.md
 - docs/guides/epss-integration.md
+- risk/overview.md
+- risk/factors.md
+- risk/formulas.md
+- risk/profiles.md
+- risk/explainability.md
+- risk/api.md

docs2/security/row-level-security.md

@@ -0,0 +1,21 @@
+# Row-level security
+
+Purpose
+- Enforce tenant isolation at the database level with RLS policies.
+
+Strategy
+- Apply RLS to tenant-scoped tables and views.
+- Require app.tenant_id session setting on every connection.
+- Deny access when tenant context is missing.
+
+Policy evaluation
+- Policies filter rows by tenant_id and optional scope.
+- Admin bypass uses explicit roles with audited access.
+
+Validation
+- Run cross-tenant read and write tests in staging.
+- Include RLS checks in deterministic replay suites.
+
+Related references
+- data/postgresql-patterns.md
+- docs/operations/rls-and-data-isolation.md

docs2/security/timeline.md

@@ -0,0 +1,47 @@
+# Timeline forensics
+
+Purpose
+- Provide an append-only event ledger for audit, replay, and incident analysis.
+- Support deterministic exports for offline review.
+
+Event model
+- event_id (ULID)
+- tenant
+- timestamp (UTC ISO-8601)
+- category (scanner, policy, runtime, evidence, notify)
+- details (JSON payload)
+- trace_id for correlation
+
+Event kinds
+- scan.completed
+- policy.verdict
+- attestation.verified
+- evidence.ingested
+- notify.sent
+- runtime.alert
+- redaction_notice (compensating event)
+
+APIs
+- GET /api/v1/timeline/events with filters for tenant, category, time window, trace_id.
+- GET /api/v1/timeline/events/{id} for a single event.
+- GET /api/v1/timeline/export for NDJSON exports.
+- Headers: X-Stella-Tenant, optional X-Stella-TraceId, If-None-Match.
+
+Query guidance
+- Use category plus trace_id to track scan to policy to notify flow.
+- Use tenant and timestamp ranges for SLA audits.
+- CLI parity: stella timeline list mirrors the API.
+
+Retention and redaction
+- Append-only storage; no deletes.
+- Redactions use redaction_notice events that reference the superseded event.
+- Retention is tenant-configurable and exported weekly to cold storage.
+
+Offline posture
+- Offline kits include timeline exports for compliance review.
+- Exports include stable ordering and manifest hashes.
+
+Related references
+- security/forensics-and-evidence-locker.md
+- observability.md
+- docs/forensics/timeline.md