consolidation of some of the modules, localization fixes, product advisories work, qa work

tests/supply-chain/README.md

@@ -0,0 +1,47 @@
+# Supply-Chain Hardening Suite
+
+Deterministic, offline-safe hardening lanes for canonicalization, mutation fuzzing, Rekor negative paths, and large DSSE/referrer rejection behavior.
+
+## Lanes
+
+- `01-jcs-property`: canonicalization idempotence/permutation checks + duplicate-key rejection.
+- `02-schema-fuzz`: bounded mutation lane with deterministic seed and crash artifact emission.
+- `03-rekor-neg`: deterministic Rekor fault classification + diagnostic blob generation.
+- `04-big-dsse-referrers`: oversized DSSE + malformed referrer graceful reject tests.
+- `05-corpus`: deterministic fixture corpus and archive manifest builder.
+
+## Run
+
+- Linux/macOS:
+  - `bash tests/supply-chain/run.sh smoke`
+- PowerShell:
+  - `pwsh tests/supply-chain/run.ps1 -Profile smoke`
+- Direct:
+  - `python tests/supply-chain/run_suite.py --profile smoke --seed 20260226`
+
+## Profiles
+
+- `smoke`: CI PR gate (`02-schema-fuzz` limit=1000, time=60s).
+- `nightly`: scheduled lane (`02-schema-fuzz` limit=5000, time=300s).
+
+## Pass/Fail Gates
+
+- JCS lane: zero invariant failures.
+- Fuzz lane: zero `crash` classifications.
+- Rekor negative lane: all cases return expected deterministic error classes.
+- Big DSSE/referrers lane: malformed/oversized cases are rejected with `unknown_state` and `reprocessToken`.
+
+## Failure Artifacts
+
+Each lane writes machine-readable artifacts under `out/supply-chain/<lane>/`.
+
+- `junit.xml`: CI-visible test result summary.
+- `report.json` / `summary.json`: deterministic counters and classifications.
+- `failures/<case>/diagnostic_blob.json`: replay-ready diagnostics.
+- `hypothesis_seed.txt`: deterministic seed (name retained for familiarity).
+
+## Replay
+
+To replay a failing smoke run:
+
+`python tests/supply-chain/run_suite.py --profile smoke --seed 20260226 --output out/supply-chain-replay`