consolidate the tests locations

src/__Tests/__Benchmarks/AGENTS.md

@@ -0,0 +1,20 @@
+# src/__Tests/__Benchmarks/AGENTS.md
+
+## Purpose & Scope
+- Working directory: `src/__Tests/__Benchmarks/` (benchmarks, golden corpus, determinism fixtures).
+- Roles: QA engineer, performance/bench engineer, docs contributor.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/19_TEST_SUITE_OVERVIEW.md`
+- `src/__Tests/__Benchmarks/README.md`
+- Sprint-specific guidance for corpus/bench artifacts.
+
+## Working Agreements
+- Deterministic artifacts: stable ordering, fixed seeds, UTC timestamps.
+- Offline-friendly: no network dependencies in benchmarks unless explicitly required.
+- Keep fixtures and manifests ASCII and reproducible; avoid oversized binaries when possible.
+
+## Validation
+- Validate manifests/fixtures with local scripts when available.
+- Document any new fixtures in `src/__Tests/__Benchmarks/README.md` or sprint notes.

src/__Tests/__Benchmarks/README.md

@@ -0,0 +1,132 @@
+# Stella Ops Bench Repository
+
+> **Status:** Active · Last updated: 2025-12-13
+> **Purpose:** Host reproducible VEX decisions, reachability evidence, and comparison data proving Stella Ops' signal quality vs. baseline scanners.
+
+## Layout
+
+```
+bench/
+  README.md                 # this file
+  findings/                 # per CVE/product bundles
+    CVE-YYYY-NNNNN/
+      evidence/
+        reachability.json   # richgraph-v1 excerpt
+        sbom.cdx.json       # CycloneDX SBOM
+      decision.openvex.json # OpenVEX decision
+      decision.dsse.json    # DSSE envelope
+      rekor.txt             # Rekor log index + inclusion proof
+      metadata.json         # finding metadata (purl, CVE, version)
+  tools/
+    verify.sh               # DSSE + Rekor verifier (online)
+    verify.py               # offline verifier
+    compare.py              # baseline comparison script
+    replay.sh               # runs reachability replay manifests
+  results/
+    summary.csv             # aggregated metrics
+    runs/<date>/...         # raw outputs + replay manifests
+  reachability-benchmark/   # reachability benchmark with JDK fixtures
+```
+
+## Related Documentation
+
+| Document | Purpose |
+|----------|---------|
+| [VEX Evidence Playbook](../docs/benchmarks/vex-evidence-playbook.md) | Proof bundle schema, justification catalog, verification workflow |
+| [Hybrid Attestation](../docs/reachability/hybrid-attestation.md) | Graph-level and edge-bundle DSSE decisions |
+| [Function-Level Evidence](../docs/reachability/function-level-evidence.md) | Cross-module evidence chain guide |
+| [Deterministic Replay](../docs/replay/DETERMINISTIC_REPLAY.md) | Replay manifest specification |
+
+## Verification Workflows
+
+### Quick Verification (Online)
+
+```bash
+# Verify a VEX proof bundle with DSSE and Rekor
+./tools/verify.sh findings/CVE-2021-44228/decision.dsse.json
+
+# Output:
+# ✓ DSSE signature valid
+# ✓ Rekor inclusion verified (log index: 12345678)
+# ✓ Evidence hashes match
+# ✓ Justification catalog membership confirmed
+```
+
+### Offline Verification
+
+```bash
+# Verify without network access
+python tools/verify.py \
+  --bundle findings/CVE-2021-44228/decision.dsse.json \
+  --cas-root ./findings/CVE-2021-44228/evidence/ \
+  --catalog ../docs/benchmarks/vex-justifications.catalog.json
+
+# Or use the VEX proof bundle verifier
+python ../scripts/vex/verify_proof_bundle.py \
+  --bundle ../tests/Vex/ProofBundles/sample-proof-bundle.json \
+  --cas-root ../tests/Vex/ProofBundles/cas/
+```
+
+### Reachability Graph Verification
+
+```bash
+# Verify graph DSSE
+stella graph verify --hash blake3:a1b2c3d4...
+
+# Verify with edge bundles
+stella graph verify --hash blake3:a1b2c3d4... --include-bundles
+
+# Offline with local CAS
+stella graph verify --hash blake3:a1b2c3d4... --cas-root ./offline-cas/
+```
+
+### Baseline Comparison
+
+```bash
+# Compare Stella Ops findings against baseline scanners
+python tools/compare.py \
+  --stellaops results/runs/2025-12-13/findings.json \
+  --baseline results/baselines/trivy-latest.json \
+  --output results/comparison-2025-12-13.csv
+
+# Metrics generated:
+# - True positives (reachability-confirmed)
+# - False positives (unreachable code paths)
+# - MTTD (mean time to detect)
+# - Reproducibility score
+```
+
+## Artifact Contracts
+
+All bench artifacts must comply with:
+
+1. **VEX Proof Bundle Schema** (`docs/benchmarks/vex-evidence-playbook.schema.json`)
+   - BLAKE3-256 primary hash, SHA-256 secondary
+   - Canonical JSON with sorted keys
+   - DSSE envelope with Rekor-ready digest
+
+2. **Justification Catalog** (`docs/benchmarks/vex-justifications.catalog.json`)
+   - VEX1-VEX10 justification codes
+   - Required evidence types per justification
+   - Expiry and re-evaluation rules
+
+3. **Reachability Graph** (`docs/contracts/richgraph-v1.md`)
+   - BLAKE3 graph_hash for content addressing
+   - Deterministic node/edge ordering
+   - SymbolID/EdgeID format compliance
+
+## CI Integration
+
+The bench directory is validated by:
+
+- `.gitea/workflows/vex-proof-bundles.yml` - Verifies all proof bundles
+- `.gitea/workflows/bench-determinism.yml` - Runs determinism benchmarks
+- `.gitea/workflows/hybrid-attestation.yml` - Verifies graph/edge-bundle fixtures
+
+## Contributing
+
+1. Add new findings under `findings/CVE-YYYY-NNNNN/`
+2. Include all required evidence artifacts
+3. Generate DSSE envelope and Rekor proof
+4. Update `results/summary.csv`
+5. Run verification: `./tools/verify.sh findings/CVE-YYYY-NNNNN/decision.dsse.json`

src/__Tests/__Benchmarks/baselines/performance-baselines.json

@@ -0,0 +1,22 @@
+{
+  "schema_version": "stellaops.perf.baselines/v1",
+  "updated_at": "2025-01-15T00:00:00Z",
+  "environment": {
+    "runtime": ".NET 10",
+    "os": "ubuntu-22.04",
+    "cpu": "8 cores",
+    "memory_gb": 16
+  },
+  "baselines": {
+    "score_computation_ms": 100,
+    "score_computation_large_ms": 500,
+    "proof_bundle_generation_ms": 200,
+    "proof_signing_ms": 50,
+    "dotnet_callgraph_extraction_ms": 500,
+    "reachability_computation_ms": 100,
+    "reachability_large_graph_ms": 500,
+    "reachability_deep_path_ms": 200
+  },
+  "threshold_percent": 20,
+  "notes": "Initial baselines established on CI runner. Update after algorithm changes."
+}

src/__Tests/__Benchmarks/baselines/ttfs-baseline.json

@@ -0,0 +1,56 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema#",
+  "title": "TTFS Baseline",
+  "description": "Time-to-First-Signal baseline metrics for regression detection",
+  "version": "1.0.0",
+  "created_at": "2025-12-16T00:00:00Z",
+  "updated_at": "2025-12-16T00:00:00Z",
+  "metrics": {
+    "ttfs_ms": {
+      "p50": 1500,
+      "p95": 4000,
+      "p99": 6000,
+      "min": 500,
+      "max": 10000,
+      "mean": 2000,
+      "sample_count": 500
+    },
+    "by_scan_type": {
+      "image_scan": {
+        "p50": 2500,
+        "p95": 5000,
+        "p99": 7500,
+        "description": "Container image scanning TTFS baseline"
+      },
+      "filesystem_scan": {
+        "p50": 1000,
+        "p95": 2000,
+        "p99": 3000,
+        "description": "Filesystem/directory scanning TTFS baseline"
+      },
+      "sbom_scan": {
+        "p50": 400,
+        "p95": 800,
+        "p99": 1200,
+        "description": "SBOM-only scanning TTFS baseline"
+      }
+    }
+  },
+  "thresholds": {
+    "p50_max_ms": 2000,
+    "p95_max_ms": 5000,
+    "p99_max_ms": 8000,
+    "max_regression_pct": 10,
+    "description": "Thresholds that will trigger CI gate failures"
+  },
+  "collection_info": {
+    "test_environment": "ci-standard-runner",
+    "runner_specs": {
+      "cpu_cores": 4,
+      "memory_gb": 8,
+      "storage_type": "ssd"
+    },
+    "sample_corpus": "tests/reachability/corpus",
+    "collection_window_days": 30
+  }
+}

src/__Tests/__Benchmarks/competitors/corpus/corpus-manifest.json

@@ -0,0 +1,50 @@
+{
+  "version": "1.0.0",
+  "lastUpdated": "2025-12-22T00:00:00Z",
+  "images": [
+    {
+      "digest": "sha256:placeholder-alpine-3.18",
+      "imageRef": "alpine:3.18",
+      "truePositives": [],
+      "falsePositives": [],
+      "categories": ["alpine", "base"],
+      "notes": {}
+    },
+    {
+      "digest": "sha256:placeholder-debian-bookworm",
+      "imageRef": "debian:bookworm-slim",
+      "truePositives": [],
+      "falsePositives": [],
+      "categories": ["debian", "base"],
+      "notes": {}
+    },
+    {
+      "digest": "sha256:placeholder-node-20",
+      "imageRef": "node:20-alpine",
+      "truePositives": [],
+      "falsePositives": [],
+      "categories": ["alpine", "nodejs"],
+      "notes": {}
+    },
+    {
+      "digest": "sha256:placeholder-python-3.12",
+      "imageRef": "python:3.12-slim",
+      "truePositives": [],
+      "falsePositives": [],
+      "categories": ["debian", "python"],
+      "notes": {}
+    }
+  ],
+  "stats": {
+    "totalImages": 4,
+    "byCategory": {
+      "alpine": 2,
+      "debian": 2,
+      "base": 2,
+      "nodejs": 1,
+      "python": 1
+    },
+    "totalTruePositives": 0,
+    "totalFalsePositives": 0
+  }
+}

src/__Tests/__Benchmarks/determinism/README.md

@@ -0,0 +1,129 @@
+# Determinism Benchmark Suite
+
+> **Purpose:** Verify that StellaOps produces bit-identical results across replays.
+> **Status:** Active
+> **Sprint:** SPRINT_3850_0001_0001 (Competitive Gap Closure)
+
+## Overview
+
+Determinism is a core differentiator for StellaOps:
+- Same inputs → same outputs (bit-identical)
+- Replay manifests enable audit verification
+- No hidden state or environment leakage
+
+## What Gets Tested
+
+### Canonical JSON
+- Object key ordering (alphabetical)
+- Number formatting consistency
+- UTF-8 encoding without BOM
+- No whitespace variation
+
+### Scan Manifests
+- Same artifact + same feeds → same manifest hash
+- Seed values propagate correctly
+- Timestamp handling (fixed UTC)
+
+### Proof Bundles
+- Root hash computation
+- DSSE envelope determinism
+- ProofLedger node ordering
+
+### Score Computation
+- Same manifest → same score
+- Lattice merge is associative/commutative
+- Policy rule ordering doesn't affect outcome
+
+## Test Cases
+
+### TC-001: Canonical JSON Determinism
+
+```bash
+# Run same object through CanonJson 100 times
+# All hashes must match
+```
+
+### TC-002: Manifest Hash Stability
+
+```bash
+# Create manifest with identical inputs
+# Verify ComputeHash() returns same value
+```
+
+### TC-003: Cross-Platform Determinism
+
+```bash
+# Run on Linux, Windows, macOS
+# Compare output hashes
+```
+
+### TC-004: Feed Snapshot Determinism
+
+```bash
+# Same feed snapshot hash → same scan results
+```
+
+## Fixtures
+
+```
+fixtures/
+├── sample-manifest.json
+├── sample-ledger.json
+├── expected-hashes.json
+└── cross-platform/
+    ├── linux-x64.hashes.json
+    ├── windows-x64.hashes.json
+    └── macos-arm64.hashes.json
+```
+
+## Running the Suite
+
+```bash
+# Run determinism tests
+dotnet test tests/StellaOps.Determinism.Tests
+
+# Run replay verification
+./run-replay.sh --manifest fixtures/sample-manifest.json --runs 10
+
+# Cross-platform verification (requires CI matrix)
+./verify-cross-platform.sh
+```
+
+## Metrics
+
+| Metric | Target | Description |
+|--------|--------|-------------|
+| Hash stability | 100% | All runs produce identical hash |
+| Replay success | 100% | All replays match original |
+| Cross-platform parity | 100% | Same hash across OS/arch |
+
+## Integration with CI
+
+```yaml
+# .gitea/workflows/bench-determinism.yaml
+name: Determinism Benchmark
+on:
+  push:
+    paths:
+      - 'src/__Libraries/StellaOps.Canonical.Json/**'
+      - 'src/Scanner/__Libraries/StellaOps.Scanner.Core/**'
+      - 'bench/determinism/**'
+
+jobs:
+  determinism:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Determinism Tests
+        run: dotnet test tests/StellaOps.Determinism.Tests
+      - name: Capture Hashes
+        run: ./bench/determinism/capture-hashes.sh
+      - name: Upload Hashes
+        uses: actions/upload-artifact@v4
+        with:
+          name: hashes-${{ matrix.os }}
+          path: bench/determinism/results/
+```

src/__Tests/__Benchmarks/determinism/run-replay.sh

@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+# run-replay.sh
+# Deterministic Replay Benchmark
+# Sprint: SPRINT_3850_0001_0001
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+RESULTS_DIR="$SCRIPT_DIR/results/$(date -u +%Y%m%d_%H%M%S)"
+
+# Parse arguments
+MANIFEST_FILE=""
+RUNS=5
+VERBOSE=false
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --manifest)
+            MANIFEST_FILE="$2"
+            shift 2
+            ;;
+        --runs)
+            RUNS="$2"
+            shift 2
+            ;;
+        --verbose|-v)
+            VERBOSE=true
+            shift
+            ;;
+        *)
+            echo "Unknown option: $1"
+            exit 1
+            ;;
+    esac
+done
+
+echo "╔════════════════════════════════════════════════╗"
+echo "║       Deterministic Replay Benchmark           ║"
+echo "╚════════════════════════════════════════════════╝"
+echo ""
+echo "Configuration:"
+echo "  Manifest:    ${MANIFEST_FILE:-<default sample>}"
+echo "  Runs:        $RUNS"
+echo "  Results dir: $RESULTS_DIR"
+echo ""
+
+mkdir -p "$RESULTS_DIR"
+
+# Use sample manifest if none provided
+if [ -z "$MANIFEST_FILE" ] && [ -f "$SCRIPT_DIR/fixtures/sample-manifest.json" ]; then
+    MANIFEST_FILE="$SCRIPT_DIR/fixtures/sample-manifest.json"
+fi
+
+declare -a HASHES
+
+echo "Running $RUNS iterations..."
+echo ""
+
+for i in $(seq 1 $RUNS); do
+    echo -n "  Run $i: "
+    
+    OUTPUT_FILE="$RESULTS_DIR/run_$i.json"
+    
+    if command -v dotnet &> /dev/null; then
+        # Run the replay service
+        dotnet run --project "$SCRIPT_DIR/../../src/Scanner/StellaOps.Scanner.WebService" -- \
+            replay \
+            --manifest "$MANIFEST_FILE" \
+            --output "$OUTPUT_FILE" \
+            --format json 2>/dev/null || {
+                echo "⊘ Skipped (replay command not available)"
+                continue
+            }
+        
+        if [ -f "$OUTPUT_FILE" ]; then
+            HASH=$(sha256sum "$OUTPUT_FILE" | cut -d' ' -f1)
+            HASHES+=("$HASH")
+            echo "sha256:${HASH:0:16}..."
+        else
+            echo "⊘ No output generated"
+        fi
+    else
+        echo "⊘ Skipped (dotnet not available)"
+    fi
+done
+
+echo ""
+
+# Verify all hashes match
+if [ ${#HASHES[@]} -gt 1 ]; then
+    FIRST_HASH="${HASHES[0]}"
+    ALL_MATCH=true
+    
+    for hash in "${HASHES[@]}"; do
+        if [ "$hash" != "$FIRST_HASH" ]; then
+            ALL_MATCH=false
+            break
+        fi
+    done
+    
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "Results"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    
+    if $ALL_MATCH; then
+        echo "✓ PASS: All $RUNS runs produced identical output"
+        echo "  Hash: sha256:$FIRST_HASH"
+    else
+        echo "✗ FAIL: Outputs differ between runs"
+        echo ""
+        echo "Hashes:"
+        for i in "${!HASHES[@]}"; do
+            echo "  Run $((i+1)): ${HASHES[$i]}"
+        done
+    fi
+else
+    echo "ℹ️  Insufficient runs to verify determinism"
+fi
+
+# Create summary JSON
+cat > "$RESULTS_DIR/summary.json" <<EOF
+{
+  "benchmark": "determinism-replay",
+  "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+  "manifest": "$MANIFEST_FILE",
+  "runs": $RUNS,
+  "hashes": [$(printf '"%s",' "${HASHES[@]}" | sed 's/,$//')],
+  "deterministic": ${ALL_MATCH:-null}
+}
+EOF
+
+echo ""
+echo "Results saved to: $RESULTS_DIR"

src/__Tests/__Benchmarks/findings/CVE-2015-7547-reachable/decision.dsse.json

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpiZTMwNDMzZTE4OGEyNTg4NTY0NDYzMzZkYmIxMDk1OWJmYjRhYjM5NzQzODBhOGVhMTI2NDZiZjI2ODdiZjlhIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2dsaWJjLUNWRS0yMDIzLTQ5MTEtbG9vbmV5LXR1bmFibGVzQDEuMC4wIn1dLCJzdGF0dXMiOiJhZmZlY3RlZCIsInZ1bG5lcmFiaWxpdHkiOnsiQGlkIjoiaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLTIwMTUtNzU0NyIsIm5hbWUiOiJDVkUtMjAxNS03NTQ3In19XSwidGltZXN0YW1wIjoiMjAyNS0xMi0xNFQwMjoxMzozOFoiLCJ0b29saW5nIjoiU3RlbGxhT3BzL2JlbmNoLWF1dG9AMS4wLjAiLCJ2ZXJzaW9uIjoxfQ==",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}

src/__Tests/__Benchmarks/findings/CVE-2015-7547-reachable/decision.openvex.json

@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "action_statement": "Upgrade to patched version or apply mitigation.",
+      "impact_statement": "Evidence hash: sha256:be30433e188a258856446336dbb10959bfb4ab3974380a8ea12646bf2687bf9a",
+      "products": [
+        {
+          "@id": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0"
+        }
+      ],
+      "status": "affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2015-7547",
+        "name": "CVE-2015-7547"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2015-7547-reachable/evidence/reachability.json

@@ -0,0 +1,25 @@
+{
+  "case_id": "glibc-CVE-2023-4911-looney-tunables",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "glibc-CVE-2023-4911-looney-tunables",
+    "paths": [
+      [
+        "sym://net:handler#read",
+        "sym://glibc:glibc.c#entry",
+        "sym://glibc:glibc.c#sink"
+      ]
+    ],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "reachable"
+  },
+  "paths": [
+    [
+      "sym://net:handler#read",
+      "sym://glibc:glibc.c#entry",
+      "sym://glibc:glibc.c#sink"
+    ]
+  ],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "reachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2015-7547-reachable/evidence/sbom.cdx.json

@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "glibc-CVE-2023-4911-looney-tunables",
+      "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2015-7547-reachable/metadata.json

@@ -0,0 +1,11 @@
+{
+  "case_id": "glibc-CVE-2023-4911-looney-tunables",
+  "cve_id": "CVE-2015-7547",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
+  "reachability_status": "reachable",
+  "variant": "reachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2015-7547-reachable/rekor.txt

@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z

src/__Tests/__Benchmarks/findings/CVE-2015-7547-unreachable/decision.dsse.json

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpjNDJlYzAxNGE0MmQwZTNmYjQzZWQ0ZGRhZDg5NTM4MjFlNDQ0NTcxMTlkYTY2ZGRiNDFhMzVhODAxYTNiNzI3IiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9nbGliYy1DVkUtMjAyMy00OTExLWxvb25leS10dW5hYmxlc0AxLjAuMCJ9XSwic3RhdHVzIjoibm90X2FmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAxNS03NTQ3IiwibmFtZSI6IkNWRS0yMDE1LTc1NDcifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}

src/__Tests/__Benchmarks/findings/CVE-2015-7547-unreachable/decision.openvex.json

@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "impact_statement": "Evidence hash: sha256:c42ec014a42d0e3fb43ed4ddad8953821e44457119da66ddb41a35a801a3b727",
+      "justification": "vulnerable_code_not_present",
+      "products": [
+        {
+          "@id": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2015-7547",
+        "name": "CVE-2015-7547"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2015-7547-unreachable/evidence/reachability.json

@@ -0,0 +1,13 @@
+{
+  "case_id": "glibc-CVE-2023-4911-looney-tunables",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "glibc-CVE-2023-4911-looney-tunables",
+    "paths": [],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "unreachable"
+  },
+  "paths": [],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "unreachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2015-7547-unreachable/evidence/sbom.cdx.json

@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "glibc-CVE-2023-4911-looney-tunables",
+      "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2015-7547-unreachable/metadata.json

@@ -0,0 +1,11 @@
+{
+  "case_id": "glibc-CVE-2023-4911-looney-tunables",
+  "cve_id": "CVE-2015-7547",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
+  "reachability_status": "unreachable",
+  "variant": "unreachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2015-7547-unreachable/rekor.txt

@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z

src/__Tests/__Benchmarks/findings/CVE-2022-3602-reachable/decision.dsse.json

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjowMTQzMWZmMWVlZTc5OWM2ZmFkZDU5M2E3ZWMxOGVlMDk0Zjk4MzE0MDk2M2RhNmNiZmQ0YjdmMDZiYTBmOTcwIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL29wZW5zc2wtQ1ZFLTIwMjItMzYwMi14NTA5LW5hbWUtY29uc3RyYWludHNAMS4wLjAifV0sInN0YXR1cyI6ImFmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMi0zNjAyIiwibmFtZSI6IkNWRS0yMDIyLTM2MDIifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}

src/__Tests/__Benchmarks/findings/CVE-2022-3602-reachable/decision.openvex.json

@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "action_statement": "Upgrade to patched version or apply mitigation.",
+      "impact_statement": "Evidence hash: sha256:01431ff1eee799c6fadd593a7ec18ee094f983140963da6cbfd4b7f06ba0f970",
+      "products": [
+        {
+          "@id": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0"
+        }
+      ],
+      "status": "affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602",
+        "name": "CVE-2022-3602"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2022-3602-reachable/evidence/reachability.json

@@ -0,0 +1,25 @@
+{
+  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+    "paths": [
+      [
+        "sym://net:handler#read",
+        "sym://openssl:openssl.c#entry",
+        "sym://openssl:openssl.c#sink"
+      ]
+    ],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "reachable"
+  },
+  "paths": [
+    [
+      "sym://net:handler#read",
+      "sym://openssl:openssl.c#entry",
+      "sym://openssl:openssl.c#sink"
+    ]
+  ],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "reachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2022-3602-reachable/evidence/sbom.cdx.json

@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "openssl-CVE-2022-3602-x509-name-constraints",
+      "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2022-3602-reachable/metadata.json

@@ -0,0 +1,11 @@
+{
+  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+  "cve_id": "CVE-2022-3602",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
+  "reachability_status": "reachable",
+  "variant": "reachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2022-3602-reachable/rekor.txt

@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z

src/__Tests/__Benchmarks/findings/CVE-2022-3602-unreachable/decision.dsse.json

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpkOWJhZjRjNjQ3NDE4Nzc4NTUxYWZjNDM3NTJkZWY0NmQ0YWYyN2Q1MzEyMmU2YzQzNzVjMzUxMzU1YjEwYTMzIiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9vcGVuc3NsLUNWRS0yMDIyLTM2MDIteDUwOS1uYW1lLWNvbnN0cmFpbnRzQDEuMC4wIn1dLCJzdGF0dXMiOiJub3RfYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIyLTM2MDIiLCJuYW1lIjoiQ1ZFLTIwMjItMzYwMiJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}

src/__Tests/__Benchmarks/findings/CVE-2022-3602-unreachable/decision.openvex.json

@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "impact_statement": "Evidence hash: sha256:d9baf4c647418778551afc43752def46d4af27d53122e6c4375c351355b10a33",
+      "justification": "vulnerable_code_not_present",
+      "products": [
+        {
+          "@id": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602",
+        "name": "CVE-2022-3602"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2022-3602-unreachable/evidence/reachability.json

@@ -0,0 +1,13 @@
+{
+  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+    "paths": [],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "unreachable"
+  },
+  "paths": [],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "unreachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2022-3602-unreachable/evidence/sbom.cdx.json

@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "openssl-CVE-2022-3602-x509-name-constraints",
+      "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2022-3602-unreachable/metadata.json

@@ -0,0 +1,11 @@
+{
+  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+  "cve_id": "CVE-2022-3602",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
+  "reachability_status": "unreachable",
+  "variant": "unreachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2022-3602-unreachable/rekor.txt

@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z

src/__Tests/__Benchmarks/findings/CVE-2023-38545-reachable/decision.dsse.json

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpmMWMxZmRiZTk1YjMyNTNiMTNjYTZjNzMzZWMwM2FkYTNlYTg3MWU2NmI1ZGRlZGJiNmMxNGI5ZGM2N2IwNzQ4IiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2N1cmwtQ1ZFLTIwMjMtMzg1NDUtc29ja3M1LWhlYXBAMS4wLjAifV0sInN0YXR1cyI6ImFmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMy0zODU0NSIsIm5hbWUiOiJDVkUtMjAyMy0zODU0NSJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}

src/__Tests/__Benchmarks/findings/CVE-2023-38545-reachable/decision.openvex.json

@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "action_statement": "Upgrade to patched version or apply mitigation.",
+      "impact_statement": "Evidence hash: sha256:f1c1fdbe95b3253b13ca6c733ec03ada3ea871e66b5ddedbb6c14b9dc67b0748",
+      "products": [
+        {
+          "@id": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0"
+        }
+      ],
+      "status": "affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-38545",
+        "name": "CVE-2023-38545"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2023-38545-reachable/evidence/reachability.json

@@ -0,0 +1,25 @@
+{
+  "case_id": "curl-CVE-2023-38545-socks5-heap",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "curl-CVE-2023-38545-socks5-heap",
+    "paths": [
+      [
+        "sym://net:handler#read",
+        "sym://curl:curl.c#entry",
+        "sym://curl:curl.c#sink"
+      ]
+    ],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "reachable"
+  },
+  "paths": [
+    [
+      "sym://net:handler#read",
+      "sym://curl:curl.c#entry",
+      "sym://curl:curl.c#sink"
+    ]
+  ],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "reachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2023-38545-reachable/evidence/sbom.cdx.json

@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "curl-CVE-2023-38545-socks5-heap",
+      "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2023-38545-reachable/metadata.json

@@ -0,0 +1,11 @@
+{
+  "case_id": "curl-CVE-2023-38545-socks5-heap",
+  "cve_id": "CVE-2023-38545",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
+  "reachability_status": "reachable",
+  "variant": "reachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2023-38545-reachable/rekor.txt

@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z

src/__Tests/__Benchmarks/findings/CVE-2023-38545-unreachable/decision.dsse.json

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjplNGIxOTk0ZTU5NDEwNTYyZjQwYWI0YTVmZTIzNjM4YzExZTU4MTdiYjcwMDM5M2VkOTlmMjBkM2M5ZWY5ZmEwIiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9jdXJsLUNWRS0yMDIzLTM4NTQ1LXNvY2tzNS1oZWFwQDEuMC4wIn1dLCJzdGF0dXMiOiJub3RfYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIzLTM4NTQ1IiwibmFtZSI6IkNWRS0yMDIzLTM4NTQ1In19XSwidGltZXN0YW1wIjoiMjAyNS0xMi0xNFQwMjoxMzozOFoiLCJ0b29saW5nIjoiU3RlbGxhT3BzL2JlbmNoLWF1dG9AMS4wLjAiLCJ2ZXJzaW9uIjoxfQ==",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}

src/__Tests/__Benchmarks/findings/CVE-2023-38545-unreachable/decision.openvex.json

@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "impact_statement": "Evidence hash: sha256:e4b1994e59410562f40ab4a5fe23638c11e5817bb700393ed99f20d3c9ef9fa0",
+      "justification": "vulnerable_code_not_present",
+      "products": [
+        {
+          "@id": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-38545",
+        "name": "CVE-2023-38545"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2023-38545-unreachable/evidence/reachability.json

@@ -0,0 +1,13 @@
+{
+  "case_id": "curl-CVE-2023-38545-socks5-heap",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "curl-CVE-2023-38545-socks5-heap",
+    "paths": [],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "unreachable"
+  },
+  "paths": [],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "unreachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2023-38545-unreachable/evidence/sbom.cdx.json

@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "curl-CVE-2023-38545-socks5-heap",
+      "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-2023-38545-unreachable/metadata.json

@@ -0,0 +1,11 @@
+{
+  "case_id": "curl-CVE-2023-38545-socks5-heap",
+  "cve_id": "CVE-2023-38545",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
+  "reachability_status": "unreachable",
+  "variant": "unreachable"
+}

src/__Tests/__Benchmarks/findings/CVE-2023-38545-unreachable/rekor.txt

@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-reachable/decision.dsse.json

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjoxNTRiYTZlMzU5YzA5NTQ1NzhhOTU2MDM2N2YxY2JhYzFjMTUzZTVkNWRmOTNjMmI5MjljZDM4NzkyYTIxN2JiIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2xpbnV4LWNncm91cHMtQ1ZFLTIwMjItMDQ5Mi1yZWxlYXNlX2FnZW50QDEuMC4wIn1dLCJzdGF0dXMiOiJhZmZlY3RlZCIsInZ1bG5lcmFiaWxpdHkiOnsiQGlkIjoiaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLUJFTkNILUxJTlVYLUNHIiwibmFtZSI6IkNWRS1CRU5DSC1MSU5VWC1DRyJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-reachable/decision.openvex.json

@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "action_statement": "Upgrade to patched version or apply mitigation.",
+      "impact_statement": "Evidence hash: sha256:154ba6e359c0954578a9560367f1cbac1c153e5d5df93c2b929cd38792a217bb",
+      "products": [
+        {
+          "@id": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0"
+        }
+      ],
+      "status": "affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-LINUX-CG",
+        "name": "CVE-BENCH-LINUX-CG"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-reachable/evidence/reachability.json

@@ -0,0 +1,25 @@
+{
+  "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+    "paths": [
+      [
+        "sym://net:handler#read",
+        "sym://linux:linux.c#entry",
+        "sym://linux:linux.c#sink"
+      ]
+    ],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "reachable"
+  },
+  "paths": [
+    [
+      "sym://net:handler#read",
+      "sym://linux:linux.c#entry",
+      "sym://linux:linux.c#sink"
+    ]
+  ],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "reachable"
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-reachable/evidence/sbom.cdx.json

@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "linux-cgroups-CVE-2022-0492-release_agent",
+      "purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-reachable/metadata.json

@@ -0,0 +1,11 @@
+{
+  "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+  "cve_id": "CVE-BENCH-LINUX-CG",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
+  "reachability_status": "reachable",
+  "variant": "reachable"
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-reachable/rekor.txt

@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-unreachable/decision.dsse.json

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpjOTUwNmRhMjc0YTdkNmJmZGJiZmE0NmVjMjZkZWNmNWQ2YjcxZmFhNDA0MjY5MzZkM2NjYmFlNjQxNjJkMWE2IiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9saW51eC1jZ3JvdXBzLUNWRS0yMDIyLTA0OTItcmVsZWFzZV9hZ2VudEAxLjAuMCJ9XSwic3RhdHVzIjoibm90X2FmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtQkVOQ0gtTElOVVgtQ0ciLCJuYW1lIjoiQ1ZFLUJFTkNILUxJTlVYLUNHIn19XSwidGltZXN0YW1wIjoiMjAyNS0xMi0xNFQwMjoxMzozOFoiLCJ0b29saW5nIjoiU3RlbGxhT3BzL2JlbmNoLWF1dG9AMS4wLjAiLCJ2ZXJzaW9uIjoxfQ==",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-unreachable/decision.openvex.json

@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "impact_statement": "Evidence hash: sha256:c9506da274a7d6bfdbbfa46ec26decf5d6b71faa40426936d3ccbae64162d1a6",
+      "justification": "vulnerable_code_not_present",
+      "products": [
+        {
+          "@id": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-LINUX-CG",
+        "name": "CVE-BENCH-LINUX-CG"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-unreachable/evidence/reachability.json

@@ -0,0 +1,13 @@
+{
+  "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+    "paths": [],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "unreachable"
+  },
+  "paths": [],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "unreachable"
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-unreachable/evidence/sbom.cdx.json

@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "linux-cgroups-CVE-2022-0492-release_agent",
+      "purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-unreachable/metadata.json

@@ -0,0 +1,11 @@
+{
+  "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+  "cve_id": "CVE-BENCH-LINUX-CG",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
+  "reachability_status": "unreachable",
+  "variant": "unreachable"
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-LINUX-CG-unreachable/rekor.txt

@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-reachable/decision.dsse.json

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpjNDRmYjJlMmVmYjc5Yzc4YmJhYTZhOGUyYzZiYjM4MzE3ODJhMmQ1MzU4ZGU4N2ZjN2QxNzEwMmU4YzJlMzA1IiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL3J1bmMtQ1ZFLTIwMjQtMjE2MjYtc3ltbGluay1icmVha291dEAxLjAuMCJ9XSwic3RhdHVzIjoiYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS1CRU5DSC1SVU5DLUNWRSIsIm5hbWUiOiJDVkUtQkVOQ0gtUlVOQy1DVkUifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-reachable/decision.openvex.json

@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "action_statement": "Upgrade to patched version or apply mitigation.",
+      "impact_statement": "Evidence hash: sha256:c44fb2e2efb79c78bbaa6a8e2c6bb3831782a2d5358de87fc7d17102e8c2e305",
+      "products": [
+        {
+          "@id": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0"
+        }
+      ],
+      "status": "affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-RUNC-CVE",
+        "name": "CVE-BENCH-RUNC-CVE"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-reachable/evidence/reachability.json

@@ -0,0 +1,25 @@
+{
+  "case_id": "runc-CVE-2024-21626-symlink-breakout",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "runc-CVE-2024-21626-symlink-breakout",
+    "paths": [
+      [
+        "sym://net:handler#read",
+        "sym://runc:runc.c#entry",
+        "sym://runc:runc.c#sink"
+      ]
+    ],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "reachable"
+  },
+  "paths": [
+    [
+      "sym://net:handler#read",
+      "sym://runc:runc.c#entry",
+      "sym://runc:runc.c#sink"
+    ]
+  ],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "reachable"
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-reachable/evidence/sbom.cdx.json

@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "runc-CVE-2024-21626-symlink-breakout",
+      "purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-reachable/metadata.json

@@ -0,0 +1,11 @@
+{
+  "case_id": "runc-CVE-2024-21626-symlink-breakout",
+  "cve_id": "CVE-BENCH-RUNC-CVE",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
+  "reachability_status": "reachable",
+  "variant": "reachable"
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-reachable/rekor.txt

@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-unreachable/decision.dsse.json

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1Njo5ZmU0MDUxMTlmYWY4MDFmYjZkYzFhZDA0Nzk2MWE3OTBjOGQwZWY1NDQ5ZTQ4MTJiYzhkYzU5YTY2MTFiNjljIiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9ydW5jLUNWRS0yMDI0LTIxNjI2LXN5bWxpbmstYnJlYWtvdXRAMS4wLjAifV0sInN0YXR1cyI6Im5vdF9hZmZlY3RlZCIsInZ1bG5lcmFiaWxpdHkiOnsiQGlkIjoiaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLUJFTkNILVJVTkMtQ1ZFIiwibmFtZSI6IkNWRS1CRU5DSC1SVU5DLUNWRSJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-unreachable/decision.openvex.json

@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "impact_statement": "Evidence hash: sha256:9fe405119faf801fb6dc1ad047961a790c8d0ef5449e4812bc8dc59a6611b69c",
+      "justification": "vulnerable_code_not_present",
+      "products": [
+        {
+          "@id": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-RUNC-CVE",
+        "name": "CVE-BENCH-RUNC-CVE"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-unreachable/evidence/reachability.json

@@ -0,0 +1,13 @@
+{
+  "case_id": "runc-CVE-2024-21626-symlink-breakout",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "runc-CVE-2024-21626-symlink-breakout",
+    "paths": [],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "unreachable"
+  },
+  "paths": [],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "unreachable"
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-unreachable/evidence/sbom.cdx.json

@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "runc-CVE-2024-21626-symlink-breakout",
+      "purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-unreachable/metadata.json

@@ -0,0 +1,11 @@
+{
+  "case_id": "runc-CVE-2024-21626-symlink-breakout",
+  "cve_id": "CVE-BENCH-RUNC-CVE",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
+  "reachability_status": "unreachable",
+  "variant": "unreachable"
+}

src/__Tests/__Benchmarks/findings/CVE-BENCH-RUNC-CVE-unreachable/rekor.txt

@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z

src/__Tests/__Benchmarks/golden-corpus/README.md

@@ -0,0 +1,72 @@
+# Golden Test Corpus
+
+This directory contains the golden test corpus for StellaOps validation.
+Each test case is a complete, reproducible scenario with known-good inputs and expected outputs.
+
+## Schema Version
+
+**Corpus Version**: `1.0.0`
+**Run Manifest Schema**: `1.0.0`
+**Evidence Index Schema**: `1.0.0`
+**OpenVEX Schema**: `0.2.0`
+**SPDX Version**: `3.0.1`
+**CycloneDX Version**: `1.6`
+
+## Directory Structure
+
+```
+bench/golden-corpus/
+├── README.md
+├── corpus-manifest.json
+├── corpus-version.json
+├── categories/
+│   ├── severity/
+│   ├── vex/
+│   ├── reachability/
+│   ├── unknowns/
+│   ├── scale/
+│   ├── distro/
+│   ├── interop/
+│   ├── negative/
+│   └── composite/
+└── shared/
+    ├── policies/
+    ├── feeds/
+    └── keys/
+```
+
+## Test Case Format
+
+Each test case directory contains:
+
+| Path | Description |
+|------|-------------|
+| `case-manifest.json` | Case metadata |
+| `run-manifest.json` | Run manifest for replay |
+| `input/sbom-cyclonedx.json` | CycloneDX SBOM input |
+| `input/sbom-spdx.json` | SPDX SBOM input |
+| `input/image.tar.gz` | Image tarball (fixture) |
+| `expected/verdict.json` | Expected verdict output |
+| `expected/evidence-index.json` | Expected evidence index |
+| `expected/unknowns.json` | Expected unknowns output |
+| `expected/delta-verdict.json` | Expected delta verdict |
+
+## Running Corpus Scripts
+
+```bash
+python3 scripts/corpus/validate-corpus.py
+python3 scripts/corpus/generate-manifest.py
+python3 scripts/corpus/check-determinism.py
+python3 scripts/corpus/add-case.py --category severity --name SEV-009
+```
+
+## Versioning Policy
+
+- **Patch** (1.0.x): Add new cases, fix existing case data
+- **Minor** (1.x.0): Algorithm tuning that preserves relative ordering
+- **Major** (x.0.0): Algorithm changes that alter expected outputs
+
+When algorithms change:
+1. Increment corpus version
+2. Regenerate case outputs
+3. Update `corpus-manifest.json`

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-001/case-manifest.json

@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-001",
+    "description":  "Placeholder corpus case EXTRA-001",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-001/expected/delta-verdict.json

@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-001-delta"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-001/expected/evidence-index.json

@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-001-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.8027150Z"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-001/expected/unknowns.json

@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-001/expected/verdict.json

@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-001",
+    "verdictId":  "EXTRA-001"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-001/input/sbom-cyclonedx.json

@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.8027150Z"
+                 }
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-001/input/sbom-spdx.json

@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.8027150Z",
+    "name":  "EXTRA-001",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-001/run-manifest.json

@@ -0,0 +1,44 @@
+{
+    "runId":  "EXTRA-001-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.8037246Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.8037246Z"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-002/case-manifest.json

@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-002",
+    "description":  "Placeholder corpus case EXTRA-002",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-002/expected/delta-verdict.json

@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-002-delta"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-002/expected/evidence-index.json

@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-002-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.8181543Z"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-002/expected/unknowns.json

@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-002/expected/verdict.json

@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-002",
+    "verdictId":  "EXTRA-002"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-002/input/sbom-cyclonedx.json

@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.8181543Z"
+                 }
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-002/input/sbom-spdx.json

@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.8181543Z",
+    "name":  "EXTRA-002",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-002/run-manifest.json

@@ -0,0 +1,44 @@
+{
+    "runId":  "EXTRA-002-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.8191542Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.8191542Z"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-003/case-manifest.json

@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-003",
+    "description":  "Placeholder corpus case EXTRA-003",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-003/expected/delta-verdict.json

@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-003-delta"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-003/expected/evidence-index.json

@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-003-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.8360597Z"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-003/expected/unknowns.json

@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-003/expected/verdict.json

@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-003",
+    "verdictId":  "EXTRA-003"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-003/input/sbom-cyclonedx.json

@@ -0,0 +1,11 @@
+{
+    "bomFormat":  "CycloneDX",
+    "components":  [
+
+                   ],
+    "specVersion":  "1.6",
+    "version":  1,
+    "metadata":  {
+                     "timestamp":  "2025-12-22T13:57:24.8360597Z"
+                 }
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-003/input/sbom-spdx.json

@@ -0,0 +1,8 @@
+{
+    "created":  "2025-12-22T13:57:24.8360597Z",
+    "name":  "EXTRA-003",
+    "elements":  [
+
+                 ],
+    "spdxVersion":  "SPDX-3.0.1"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-003/run-manifest.json

@@ -0,0 +1,44 @@
+{
+    "runId":  "EXTRA-003-run",
+    "environmentProfile":  {
+                               "valkeyEnabled":  false,
+                               "name":  "postgres-only"
+                           },
+    "feedSnapshot":  {
+                         "feedId":  "nvd",
+                         "snapshotAt":  "2025-12-22T13:57:24.8370133Z",
+                         "version":  "v1",
+                         "digest":  "sha256:stub"
+                     },
+    "cryptoProfile":  {
+                          "trustRootIds":  [
+
+                                           ],
+                          "allowedAlgorithms":  [
+
+                                                ],
+                          "profileName":  "default"
+                      },
+    "canonicalizationVersion":  "1.0.0",
+    "toolVersions":  {
+                         "reachabilityEngineVersion":  "0.0.0",
+                         "additionalTools":  {
+
+                                             },
+                         "sbomGeneratorVersion":  "0.0.0",
+                         "attestorVersion":  "0.0.0",
+                         "scannerVersion":  "0.0.0"
+                     },
+    "policySnapshot":  {
+                           "enabledRules":  [
+
+                                            ],
+                           "latticeRulesDigest":  "sha256:stub",
+                           "policyVersion":  "1.0.0"
+                       },
+    "artifactDigests":  [
+
+                        ],
+    "schemaVersion":  "1.0.0",
+    "initiatedAt":  "2025-12-22T13:57:24.8370133Z"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-004/case-manifest.json

@@ -0,0 +1,17 @@
+{
+    "id":  "EXTRA-004",
+    "description":  "Placeholder corpus case EXTRA-004",
+    "createdAt":  "2025-12-22T13:57:24Z",
+    "inputs":  [
+                   "sbom-cyclonedx.json",
+                   "sbom-spdx.json",
+                   "image.tar.gz"
+               ],
+    "expected":  [
+                     "verdict.json",
+                     "evidence-index.json",
+                     "unknowns.json",
+                     "delta-verdict.json"
+                 ],
+    "category":  "composite"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-004/expected/delta-verdict.json

@@ -0,0 +1,4 @@
+{
+    "changes":  0,
+    "deltaId":  "EXTRA-004-delta"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-004/expected/evidence-index.json

@@ -0,0 +1,10 @@
+{
+    "sboms":  [
+
+              ],
+    "indexId":  "EXTRA-004-index",
+    "attestations":  [
+
+                     ],
+    "createdAt":  "2025-12-22T13:57:24.8588914Z"
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-004/expected/unknowns.json

@@ -0,0 +1,5 @@
+{
+    "unknowns":  [
+
+                 ]
+}

src/__Tests/__Benchmarks/golden-corpus/categories/composite/extra-004/expected/verdict.json

@@ -0,0 +1,5 @@
+{
+    "status":  "pass",
+    "digest":  "sha256:extra-004",
+    "verdictId":  "EXTRA-004"
+}