Refactor code structure for improved readability and maintainability; optimize performance in key functions.

2025-12-22 19:06:31 +02:00
parent dfaa2079aa
commit 0536a4f7d4
1443 changed files with 109671 additions and 7840 deletions
--- a/bench/AGENTS.md
+++ b/bench/AGENTS.md
@@ -0,0 +1,20 @@
+# bench/AGENTS.md
+
+## Purpose & Scope
+- Working directory: `bench/` (benchmarks, golden corpus, determinism fixtures).
+- Roles: QA engineer, performance/bench engineer, docs contributor.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/19_TEST_SUITE_OVERVIEW.md`
+- `bench/README.md`
+- Sprint-specific guidance for corpus/bench artifacts.
+
+## Working Agreements
+- Deterministic artifacts: stable ordering, fixed seeds, UTC timestamps.
+- Offline-friendly: no network dependencies in benchmarks unless explicitly required.
+- Keep fixtures and manifests ASCII and reproducible; avoid oversized binaries when possible.
+
+## Validation
+- Validate manifests/fixtures with local scripts when available.
+- Document any new fixtures in `bench/README.md` or sprint notes.
--- a/bench/golden-corpus/README.md
+++ b/bench/golden-corpus/README.md
@@ -1,12 +1,13 @@
-# Golden Test Corpus
+# Golden Test Corpus

-This directory contains the golden test corpus for StellaOps scoring validation.
+This directory contains the golden test corpus for StellaOps validation.
 Each test case is a complete, reproducible scenario with known-good inputs and expected outputs.

 ## Schema Version

 **Corpus Version**: `1.0.0`
-**Scoring Algorithm**: `v2.0` (See `docs/modules/scanner/scoring-algorithm.md`)
+**Run Manifest Schema**: `1.0.0`
+**Evidence Index Schema**: `1.0.0`
 **OpenVEX Schema**: `0.2.0`
 **SPDX Version**: `3.0.1`
 **CycloneDX Version**: `1.6`
@@ -14,94 +15,58 @@ Each test case is a complete, reproducible scenario with known-good inputs and e
 ## Directory Structure

 ```
-golden-corpus/
-├── README.md                    # This file
-├── corpus-manifest.json         # Index of all test cases with hashes
-├── corpus-version.json          # Versioning metadata
-│
-├── severity-levels/             # CVE severity coverage
-│   ├── critical/
-│   ├── high/
-│   ├── medium/
-│   └── low/
-│
-├── vex-scenarios/               # VEX override scenarios
-│   ├── not-affected/
-│   ├── affected/
-│   ├── fixed/
-│   └── under-investigation/
-│
-├── reachability/                # Reachability analysis scenarios
-│   ├── reachable/
-│   ├── unreachable/
-│   └── unknown/
-│
-└── composite/                   # Complex multi-factor scenarios
-    ├── reachable-with-vex/
-    └── unreachable-high-severity/
+bench/golden-corpus/
+├── README.md
+├── corpus-manifest.json
+├── corpus-version.json
+├── categories/
+│   ├── severity/
+│   ├── vex/
+│   ├── reachability/
+│   ├── unknowns/
+│   ├── scale/
+│   ├── distro/
+│   ├── interop/
+│   ├── negative/
+│   └── composite/
+└── shared/
+    ├── policies/
+    ├── feeds/
+    └── keys/
 ```

 ## Test Case Format

 Each test case directory contains:

-| File | Description |
+| Path | Description |
 |------|-------------|
-| `case.json` | Scenario metadata and description |
-| `sbom.spdx.json` | SPDX 3.0.1 SBOM |
-| `sbom.cdx.json` | CycloneDX 1.6 SBOM (optional) |
-| `manifest.json` | Scan manifest with digest bindings |
-| `vex.openvex.json` | OpenVEX document (if applicable) |
-| `callgraph.json` | Static call graph (if reachability applies) |
-| `proof-bundle.json` | Expected proof bundle structure |
-| `expected-score.json` | Expected scoring output |
+| `case-manifest.json` | Case metadata |
+| `run-manifest.json` | Run manifest for replay |
+| `input/sbom-cyclonedx.json` | CycloneDX SBOM input |
+| `input/sbom-spdx.json` | SPDX SBOM input |
+| `input/image.tar.gz` | Image tarball (fixture) |
+| `expected/verdict.json` | Expected verdict output |
+| `expected/evidence-index.json` | Expected evidence index |
+| `expected/unknowns.json` | Expected unknowns output |
+| `expected/delta-verdict.json` | Expected delta verdict |

-## Expected Score Format
-
-```json
-{
-  "schema_version": "stellaops.golden.expected/v1",
-  "score_hash": "sha256:...",
-  "stella_score": 7.5,
-  "base_cvss": 9.8,
-  "temporal_cvss": 8.5,
-  "environmental_cvss": 7.5,
-  "vex_impact": -1.0,
-  "reachability_impact": -1.3,
-  "kev_flag": false,
-  "exploit_maturity": "proof-of-concept",
-  "determinism_salt": "frozen-2025-01-15T00:00:00Z"
-}
-```
-
-## Running Golden Tests
+## Running Corpus Scripts

 ```bash
-# Run all golden tests
-dotnet test tests/integration/StellaOps.Integration.Determinism \
-  --filter "Category=GoldenCorpus"
-
-# Regenerate expected outputs (after algorithm changes)
-dotnet run --project bench/tools/corpus-regenerate -- \
-  --corpus-path bench/golden-corpus \
-  --algorithm-version v2.0
+python3 scripts/corpus/validate-corpus.py
+python3 scripts/corpus/generate-manifest.py
+python3 scripts/corpus/check-determinism.py
+python3 scripts/corpus/add-case.py --category severity --name SEV-009
 ```

-## Adding New Cases
-
-1. Create directory under appropriate category
-2. Add all required files (see Test Case Format)
-3. Run corpus validation: `dotnet run --project bench/tools/corpus-validate`
-4. Update `corpus-manifest.json` hash entries
-5. Commit with message: `corpus: add <case-id> for <scenario>`
-
 ## Versioning Policy

 - **Patch** (1.0.x): Add new cases, fix existing case data
 - **Minor** (1.x.0): Algorithm tuning that preserves relative ordering
- **Major** (x.0.0): Algorithm changes that alter expected scores
+- **Major** (x.0.0): Algorithm changes that alter expected outputs

-When scoring algorithm changes:
+When algorithms change:
 1. Increment corpus version
-2. Regenerate all expected scores
-3. Document changes in CHANGELOG.md
+2. Regenerate case outputs
+3. Update `corpus-manifest.json`
--- a/bench/golden-corpus/categories/composite/extra-001/case-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-001/case-manifest.json
@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-001",
+    "description":  "Placeholder corpus case EXTRA-001",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}
--- a/bench/golden-corpus/categories/composite/extra-001/expected/delta-verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-001/expected/delta-verdict.json
@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-001-delta"
+}
--- a/bench/golden-corpus/categories/composite/extra-001/expected/evidence-index.json
+++ b/bench/golden-corpus/categories/composite/extra-001/expected/evidence-index.json
@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-001-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.8027150Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-001/expected/unknowns.json
+++ b/bench/golden-corpus/categories/composite/extra-001/expected/unknowns.json
@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}
--- a/bench/golden-corpus/categories/composite/extra-001/expected/verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-001/expected/verdict.json
@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-001",
+    "verdictId":  "EXTRA-001"
+}
--- a/bench/golden-corpus/categories/composite/extra-001/input/image.tar.gz
+++ b/bench/golden-corpus/categories/composite/extra-001/input/image.tar.gz
--- a/bench/golden-corpus/categories/composite/extra-001/input/sbom-cyclonedx.json
+++ b/bench/golden-corpus/categories/composite/extra-001/input/sbom-cyclonedx.json
@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.8027150Z"
+                 }
+}
--- a/bench/golden-corpus/categories/composite/extra-001/input/sbom-spdx.json
+++ b/bench/golden-corpus/categories/composite/extra-001/input/sbom-spdx.json
@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.8027150Z",
+    "name":  "EXTRA-001",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}
--- a/bench/golden-corpus/categories/composite/extra-001/run-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-001/run-manifest.json
@@ -0,0 +1,44 @@
+{
+    "runId":  "EXTRA-001-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.8037246Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.8037246Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-002/case-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-002/case-manifest.json
@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-002",
+    "description":  "Placeholder corpus case EXTRA-002",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}
--- a/bench/golden-corpus/categories/composite/extra-002/expected/delta-verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-002/expected/delta-verdict.json
@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-002-delta"
+}
--- a/bench/golden-corpus/categories/composite/extra-002/expected/evidence-index.json
+++ b/bench/golden-corpus/categories/composite/extra-002/expected/evidence-index.json
@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-002-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.8181543Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-002/expected/unknowns.json
+++ b/bench/golden-corpus/categories/composite/extra-002/expected/unknowns.json
@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}
--- a/bench/golden-corpus/categories/composite/extra-002/expected/verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-002/expected/verdict.json
@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-002",
+    "verdictId":  "EXTRA-002"
+}
--- a/bench/golden-corpus/categories/composite/extra-002/input/image.tar.gz
+++ b/bench/golden-corpus/categories/composite/extra-002/input/image.tar.gz
--- a/bench/golden-corpus/categories/composite/extra-002/input/sbom-cyclonedx.json
+++ b/bench/golden-corpus/categories/composite/extra-002/input/sbom-cyclonedx.json
@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.8181543Z"
+                 }
+}
--- a/bench/golden-corpus/categories/composite/extra-002/input/sbom-spdx.json
+++ b/bench/golden-corpus/categories/composite/extra-002/input/sbom-spdx.json
@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.8181543Z",
+    "name":  "EXTRA-002",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}
--- a/bench/golden-corpus/categories/composite/extra-002/run-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-002/run-manifest.json
@@ -0,0 +1,44 @@
+{
+    "runId":  "EXTRA-002-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.8191542Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.8191542Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-003/case-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-003/case-manifest.json
@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-003",
+    "description":  "Placeholder corpus case EXTRA-003",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}
--- a/bench/golden-corpus/categories/composite/extra-003/expected/delta-verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-003/expected/delta-verdict.json
@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-003-delta"
+}
--- a/bench/golden-corpus/categories/composite/extra-003/expected/evidence-index.json
+++ b/bench/golden-corpus/categories/composite/extra-003/expected/evidence-index.json
@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-003-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.8360597Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-003/expected/unknowns.json
+++ b/bench/golden-corpus/categories/composite/extra-003/expected/unknowns.json
@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}
--- a/bench/golden-corpus/categories/composite/extra-003/expected/verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-003/expected/verdict.json
@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-003",
+    "verdictId":  "EXTRA-003"
+}
--- a/bench/golden-corpus/categories/composite/extra-003/input/image.tar.gz
+++ b/bench/golden-corpus/categories/composite/extra-003/input/image.tar.gz
--- a/bench/golden-corpus/categories/composite/extra-003/input/sbom-cyclonedx.json
+++ b/bench/golden-corpus/categories/composite/extra-003/input/sbom-cyclonedx.json
@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.8360597Z"
+                 }
+}
--- a/bench/golden-corpus/categories/composite/extra-003/input/sbom-spdx.json
+++ b/bench/golden-corpus/categories/composite/extra-003/input/sbom-spdx.json
@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.8360597Z",
+    "name":  "EXTRA-003",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}
--- a/bench/golden-corpus/categories/composite/extra-003/run-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-003/run-manifest.json
@@ -0,0 +1,44 @@
+{
+    "runId":  "EXTRA-003-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.8370133Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.8370133Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-004/case-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-004/case-manifest.json
@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-004",
+    "description":  "Placeholder corpus case EXTRA-004",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}
--- a/bench/golden-corpus/categories/composite/extra-004/expected/delta-verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-004/expected/delta-verdict.json
@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-004-delta"
+}
--- a/bench/golden-corpus/categories/composite/extra-004/expected/evidence-index.json
+++ b/bench/golden-corpus/categories/composite/extra-004/expected/evidence-index.json
@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-004-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.8588914Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-004/expected/unknowns.json
+++ b/bench/golden-corpus/categories/composite/extra-004/expected/unknowns.json
@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}
--- a/bench/golden-corpus/categories/composite/extra-004/expected/verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-004/expected/verdict.json
@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-004",
+    "verdictId":  "EXTRA-004"
+}
--- a/bench/golden-corpus/categories/composite/extra-004/input/image.tar.gz
+++ b/bench/golden-corpus/categories/composite/extra-004/input/image.tar.gz
--- a/bench/golden-corpus/categories/composite/extra-004/input/sbom-cyclonedx.json
+++ b/bench/golden-corpus/categories/composite/extra-004/input/sbom-cyclonedx.json
@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.8588914Z"
+                 }
+}
--- a/bench/golden-corpus/categories/composite/extra-004/input/sbom-spdx.json
+++ b/bench/golden-corpus/categories/composite/extra-004/input/sbom-spdx.json
@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.8588914Z",
+    "name":  "EXTRA-004",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}
--- a/bench/golden-corpus/categories/composite/extra-004/run-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-004/run-manifest.json
@@ -0,0 +1,44 @@
+{
+    "runId":  "EXTRA-004-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.8598906Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.8598906Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-005/case-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-005/case-manifest.json
@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-005",
+    "description":  "Placeholder corpus case EXTRA-005",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}
--- a/bench/golden-corpus/categories/composite/extra-005/expected/delta-verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-005/expected/delta-verdict.json
@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-005-delta"
+}
--- a/bench/golden-corpus/categories/composite/extra-005/expected/evidence-index.json
+++ b/bench/golden-corpus/categories/composite/extra-005/expected/evidence-index.json
@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-005-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.8751465Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-005/expected/unknowns.json
+++ b/bench/golden-corpus/categories/composite/extra-005/expected/unknowns.json
@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}
--- a/bench/golden-corpus/categories/composite/extra-005/expected/verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-005/expected/verdict.json
@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-005",
+    "verdictId":  "EXTRA-005"
+}
--- a/bench/golden-corpus/categories/composite/extra-005/input/image.tar.gz
+++ b/bench/golden-corpus/categories/composite/extra-005/input/image.tar.gz
--- a/bench/golden-corpus/categories/composite/extra-005/input/sbom-cyclonedx.json
+++ b/bench/golden-corpus/categories/composite/extra-005/input/sbom-cyclonedx.json
@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.8751465Z"
+                 }
+}
--- a/bench/golden-corpus/categories/composite/extra-005/input/sbom-spdx.json
+++ b/bench/golden-corpus/categories/composite/extra-005/input/sbom-spdx.json
@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.8751465Z",
+    "name":  "EXTRA-005",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}
--- a/bench/golden-corpus/categories/composite/extra-005/run-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-005/run-manifest.json
@@ -0,0 +1,44 @@
+{
+    "runId":  "EXTRA-005-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.8761542Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.8761542Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-006/case-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-006/case-manifest.json
@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-006",
+    "description":  "Placeholder corpus case EXTRA-006",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}
--- a/bench/golden-corpus/categories/composite/extra-006/expected/delta-verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-006/expected/delta-verdict.json
@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-006-delta"
+}
--- a/bench/golden-corpus/categories/composite/extra-006/expected/evidence-index.json
+++ b/bench/golden-corpus/categories/composite/extra-006/expected/evidence-index.json
@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-006-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.8951568Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-006/expected/unknowns.json
+++ b/bench/golden-corpus/categories/composite/extra-006/expected/unknowns.json
@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}
--- a/bench/golden-corpus/categories/composite/extra-006/expected/verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-006/expected/verdict.json
@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-006",
+    "verdictId":  "EXTRA-006"
+}
--- a/bench/golden-corpus/categories/composite/extra-006/input/image.tar.gz
+++ b/bench/golden-corpus/categories/composite/extra-006/input/image.tar.gz
--- a/bench/golden-corpus/categories/composite/extra-006/input/sbom-cyclonedx.json
+++ b/bench/golden-corpus/categories/composite/extra-006/input/sbom-cyclonedx.json
@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.8941475Z"
+                 }
+}
--- a/bench/golden-corpus/categories/composite/extra-006/input/sbom-spdx.json
+++ b/bench/golden-corpus/categories/composite/extra-006/input/sbom-spdx.json
@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.8941475Z",
+    "name":  "EXTRA-006",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}
--- a/bench/golden-corpus/categories/composite/extra-006/run-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-006/run-manifest.json
@@ -0,0 +1,44 @@
+{
+    "runId":  "EXTRA-006-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.8951568Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.8951568Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-007/case-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-007/case-manifest.json
@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-007",
+    "description":  "Placeholder corpus case EXTRA-007",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}
--- a/bench/golden-corpus/categories/composite/extra-007/expected/delta-verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-007/expected/delta-verdict.json
@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-007-delta"
+}
--- a/bench/golden-corpus/categories/composite/extra-007/expected/evidence-index.json
+++ b/bench/golden-corpus/categories/composite/extra-007/expected/evidence-index.json
@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-007-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.9253920Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-007/expected/unknowns.json
+++ b/bench/golden-corpus/categories/composite/extra-007/expected/unknowns.json
@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}
--- a/bench/golden-corpus/categories/composite/extra-007/expected/verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-007/expected/verdict.json
@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-007",
+    "verdictId":  "EXTRA-007"
+}
--- a/bench/golden-corpus/categories/composite/extra-007/input/image.tar.gz
+++ b/bench/golden-corpus/categories/composite/extra-007/input/image.tar.gz
--- a/bench/golden-corpus/categories/composite/extra-007/input/sbom-cyclonedx.json
+++ b/bench/golden-corpus/categories/composite/extra-007/input/sbom-cyclonedx.json
@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.9243922Z"
+                 }
+}
--- a/bench/golden-corpus/categories/composite/extra-007/input/sbom-spdx.json
+++ b/bench/golden-corpus/categories/composite/extra-007/input/sbom-spdx.json
@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.9243922Z",
+    "name":  "EXTRA-007",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}
--- a/bench/golden-corpus/categories/composite/extra-007/run-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-007/run-manifest.json
@@ -0,0 +1,44 @@
+{
+    "runId":  "EXTRA-007-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.9269031Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.9269031Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-008/case-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-008/case-manifest.json
@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-008",
+    "description":  "Placeholder corpus case EXTRA-008",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}
--- a/bench/golden-corpus/categories/composite/extra-008/expected/delta-verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-008/expected/delta-verdict.json
@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-008-delta"
+}
--- a/bench/golden-corpus/categories/composite/extra-008/expected/evidence-index.json
+++ b/bench/golden-corpus/categories/composite/extra-008/expected/evidence-index.json
@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-008-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.9436128Z"
+}
--- a/bench/golden-corpus/categories/composite/extra-008/expected/unknowns.json
+++ b/bench/golden-corpus/categories/composite/extra-008/expected/unknowns.json
@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}
--- a/bench/golden-corpus/categories/composite/extra-008/expected/verdict.json
+++ b/bench/golden-corpus/categories/composite/extra-008/expected/verdict.json
@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-008",
+    "verdictId":  "EXTRA-008"
+}
--- a/bench/golden-corpus/categories/composite/extra-008/input/image.tar.gz
+++ b/bench/golden-corpus/categories/composite/extra-008/input/image.tar.gz
--- a/bench/golden-corpus/categories/composite/extra-008/input/sbom-cyclonedx.json
+++ b/bench/golden-corpus/categories/composite/extra-008/input/sbom-cyclonedx.json
@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.9436128Z"
+                 }
+}
--- a/bench/golden-corpus/categories/composite/extra-008/input/sbom-spdx.json
+++ b/bench/golden-corpus/categories/composite/extra-008/input/sbom-spdx.json
@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.9436128Z",
+    "name":  "EXTRA-008",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}
--- a/bench/golden-corpus/categories/composite/extra-008/run-manifest.json
+++ b/bench/golden-corpus/categories/composite/extra-008/run-manifest.json
@@ -0,0 +1,44 @@
+{
+    "runId":  "EXTRA-008-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.9446123Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.9446123Z"
+}
--- a/bench/golden-corpus/categories/distro/distro-001/case-manifest.json
+++ b/bench/golden-corpus/categories/distro/distro-001/case-manifest.json
@@ -0,0 +1,17 @@
+{
+    "id":  "DISTRO-001",
+    "description":  "Placeholder corpus case DISTRO-001",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "distro"
+}
--- a/bench/golden-corpus/categories/distro/distro-001/expected/delta-verdict.json
+++ b/bench/golden-corpus/categories/distro/distro-001/expected/delta-verdict.json
@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "DISTRO-001-delta"
+}
--- a/bench/golden-corpus/categories/distro/distro-001/expected/evidence-index.json
+++ b/bench/golden-corpus/categories/distro/distro-001/expected/evidence-index.json
@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "DISTRO-001-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.5401402Z"
+}
--- a/bench/golden-corpus/categories/distro/distro-001/expected/unknowns.json
+++ b/bench/golden-corpus/categories/distro/distro-001/expected/unknowns.json
@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}
--- a/bench/golden-corpus/categories/distro/distro-001/expected/verdict.json
+++ b/bench/golden-corpus/categories/distro/distro-001/expected/verdict.json
@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:distro-001",
+    "verdictId":  "DISTRO-001"
+}
--- a/bench/golden-corpus/categories/distro/distro-001/input/image.tar.gz
+++ b/bench/golden-corpus/categories/distro/distro-001/input/image.tar.gz
--- a/bench/golden-corpus/categories/distro/distro-001/input/sbom-cyclonedx.json
+++ b/bench/golden-corpus/categories/distro/distro-001/input/sbom-cyclonedx.json
@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.5401402Z"
+                 }
+}
--- a/bench/golden-corpus/categories/distro/distro-001/input/sbom-spdx.json
+++ b/bench/golden-corpus/categories/distro/distro-001/input/sbom-spdx.json
@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.5401402Z",
+    "name":  "DISTRO-001",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}
--- a/bench/golden-corpus/categories/distro/distro-001/run-manifest.json
+++ b/bench/golden-corpus/categories/distro/distro-001/run-manifest.json
@@ -0,0 +1,44 @@
+{
+    "runId":  "DISTRO-001-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.5411477Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.5411477Z"
+}
--- a/bench/golden-corpus/categories/distro/distro-002/case-manifest.json
+++ b/bench/golden-corpus/categories/distro/distro-002/case-manifest.json
@@ -0,0 +1,17 @@
+{
+    "id":  "DISTRO-002",
+    "description":  "Placeholder corpus case DISTRO-002",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "distro"
+}
--- a/bench/golden-corpus/categories/distro/distro-002/expected/delta-verdict.json
+++ b/bench/golden-corpus/categories/distro/distro-002/expected/delta-verdict.json
@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "DISTRO-002-delta"
+}
--- a/bench/golden-corpus/categories/distro/distro-002/expected/evidence-index.json
+++ b/bench/golden-corpus/categories/distro/distro-002/expected/evidence-index.json
@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "DISTRO-002-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.5532520Z"
+}
--- a/bench/golden-corpus/categories/distro/distro-002/expected/unknowns.json
+++ b/bench/golden-corpus/categories/distro/distro-002/expected/unknowns.json
@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}
--- a/bench/golden-corpus/categories/distro/distro-002/expected/verdict.json
+++ b/bench/golden-corpus/categories/distro/distro-002/expected/verdict.json
@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:distro-002",
+    "verdictId":  "DISTRO-002"
+}
--- a/bench/golden-corpus/categories/distro/distro-002/input/image.tar.gz
+++ b/bench/golden-corpus/categories/distro/distro-002/input/image.tar.gz
--- a/bench/golden-corpus/categories/distro/distro-002/input/sbom-cyclonedx.json
+++ b/bench/golden-corpus/categories/distro/distro-002/input/sbom-cyclonedx.json
@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.5522524Z"
+                 }
+}
--- a/bench/golden-corpus/categories/distro/distro-002/input/sbom-spdx.json
+++ b/bench/golden-corpus/categories/distro/distro-002/input/sbom-spdx.json
@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.5522524Z",
+    "name":  "DISTRO-002",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}
--- a/bench/golden-corpus/categories/distro/distro-002/run-manifest.json
+++ b/bench/golden-corpus/categories/distro/distro-002/run-manifest.json
@@ -0,0 +1,44 @@
+{
+    "runId":  "DISTRO-002-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.5532520Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.5532520Z"
+}
--- a/bench/golden-corpus/categories/distro/distro-003/case-manifest.json
+++ b/bench/golden-corpus/categories/distro/distro-003/case-manifest.json
@@ -0,0 +1,17 @@
+{
+    "id":  "DISTRO-003",
+    "description":  "Placeholder corpus case DISTRO-003",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "distro"
+}
--- a/bench/golden-corpus/categories/distro/distro-003/expected/delta-verdict.json
+++ b/bench/golden-corpus/categories/distro/distro-003/expected/delta-verdict.json
@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "DISTRO-003-delta"
+}
--- a/bench/golden-corpus/categories/distro/distro-003/expected/evidence-index.json
+++ b/bench/golden-corpus/categories/distro/distro-003/expected/evidence-index.json
@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "DISTRO-003-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.5673518Z"
+}
--- a/bench/golden-corpus/categories/distro/distro-003/expected/unknowns.json
+++ b/bench/golden-corpus/categories/distro/distro-003/expected/unknowns.json
@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}
--- a/bench/golden-corpus/categories/distro/distro-003/expected/verdict.json
+++ b/bench/golden-corpus/categories/distro/distro-003/expected/verdict.json
@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:distro-003",
+    "verdictId":  "DISTRO-003"
+}
--- a/bench/golden-corpus/categories/distro/distro-003/input/image.tar.gz
+++ b/bench/golden-corpus/categories/distro/distro-003/input/image.tar.gz
--- a/bench/golden-corpus/categories/distro/distro-003/input/sbom-cyclonedx.json
+++ b/bench/golden-corpus/categories/distro/distro-003/input/sbom-cyclonedx.json
@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.5673518Z"
+                 }
+}
--- a/bench/golden-corpus/categories/distro/distro-003/input/sbom-spdx.json
+++ b/bench/golden-corpus/categories/distro/distro-003/input/sbom-spdx.json
@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.5673518Z",
+    "name":  "DISTRO-003",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}
--- a/Show More
+++ b/Show More