Add receipt input JSON and SHA256 hash for CVSS policy scoring tests

- Introduced a new JSON fixture `receipt-input.json` containing base, environmental, and threat metrics for CVSS scoring.
- Added corresponding SHA256 hash file `receipt-input.sha256` to ensure integrity of the JSON fixture.

docs/modules/scanner/design/README.md

@@ -16,6 +16,8 @@ This directory contains deep technical designs for current and upcoming analyzer
 ## OS ecosystem designs
 - `macos-analyzer.md` — Homebrew, pkgutil, `.app` bundle plan.
 - `windows-analyzer.md` — MSI, WinSxS, Chocolatey, registry collectors.
+- `cdx17-cbom-contract.md` — deterministic CycloneDX 1.7 + CBOM export profile (ordering, hashes, downgrade rules).
+- `slsa-source-track.md` — deterministic SLSA Source Track capture (repo/ref/commit, tree hash, invocation hash, provenance DSSE, CAS paths).
 
 ## Demand & dashboards
 - `../../benchmarks/scanner/windows-macos-demand.md` — demand tracker.