feat: Add Storybook configuration and motion tokens implementation

- Introduced Storybook configuration files (`main.ts`, `preview.ts`, `tsconfig.json`) for Angular components. - Created motion tokens in `motion-tokens.ts` to define durations, easing functions, and transforms. - Developed a Storybook story for motion tokens showcasing their usage and reduced motion fallback. - Added SCSS variables for motion durations, easing, and transforms in `_motion.scss`. - Implemented accessibility smoke tests using Playwright and Axe for automated accessibility checks. - Created portable and sealed bundle structures with corresponding JSON files for evidence locker. - Added shell script for verifying notify kit determinism.
2025-12-04 21:36:06 +02:00
parent 600f3a7a3c
commit f214edff82
68 changed files with 1742 additions and 18 deletions
--- a/tests/EvidenceLocker/Bundles/Golden/portable/bundle.json
+++ b/tests/EvidenceLocker/Bundles/Golden/portable/bundle.json
@@ -0,0 +1,7 @@
+{
+  "bundleId": "11111111111111111111111111111111",
+  "tenant": "redacted",
+  "kind": "evaluation",
+  "createdAt": "2025-12-04T00:00:00Z",
+  "portable": true
+}
--- a/tests/EvidenceLocker/Bundles/Golden/portable/checksums.txt
+++ b/tests/EvidenceLocker/Bundles/Golden/portable/checksums.txt
@@ -0,0 +1,14 @@
+{
+  "algorithm": "sha256",
+  "root": "72c82a7a3d114164d491e2ecd7098bc015b115ee1ec7c42d648f0348e573cfcf",
+  "generatedAt": "2025-12-04T00:00:00Z",
+  "bundleId": "11111111111111111111111111111111",
+  "tenantId": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+  "entries": [
+    { "canonicalPath": "bundle.json", "sha256": "10695174db1b549d77be583e529a249713e9bd23e46cc5e73250db5dfc92c4a9", "sizeBytes": 160 },
+    { "canonicalPath": "instructions-portable.txt", "sha256": "dd2a3b62857cf331b423e7dc3b869ad2dc9bfa852109a20bcbecc7bcef9bdcb7", "sizeBytes": 180 },
+    { "canonicalPath": "linksets.ndjson", "sha256": "a4d84bbc3262190fd3e1f5dbc15915c97e464326a56534483ce810c905288b9d", "sizeBytes": 151 },
+    { "canonicalPath": "observations.ndjson", "sha256": "c523f82e71c8a1bd9be0650883faf00ec39a792023066105d7cda544ad6ef5fd", "sizeBytes": 149 }
+  ],
+  "chunking": { "strategy": "none" }
+}
--- a/tests/EvidenceLocker/Bundles/Golden/portable/expected.json
+++ b/tests/EvidenceLocker/Bundles/Golden/portable/expected.json
@@ -0,0 +1,18 @@
+{
+  "bundleId": "11111111111111111111111111111111",
+  "tenantRedacted": true,
+  "merkleRoot": "72c82a7a3d114164d491e2ecd7098bc015b115ee1ec7c42d648f0348e573cfcf",
+  "subject": "sha256:72c82a7a3d114164d491e2ecd7098bc015b115ee1ec7c42d648f0348e573cfcf",
+  "entries": [
+    "bundle.json",
+    "instructions-portable.txt",
+    "linksets.ndjson",
+    "observations.ndjson"
+  ],
+  "dsseKeyId": "demo-ed25519",
+  "logPolicy": "skip-offline",
+  "redaction": {
+    "maskedFields": ["tenantId"],
+    "tenantToken": "portable-tenant-01"
+  }
+}
--- a/tests/EvidenceLocker/Bundles/Golden/portable/instructions-portable.txt
+++ b/tests/EvidenceLocker/Bundles/Golden/portable/instructions-portable.txt
@@ -0,0 +1,4 @@
+Portable bundle verification:
+1) sha256sum -c checksums.txt
+2) expect no tenant identifiers in manifest or bundle.json
+3) merkle_root=$(sha256sum checksums.txt | awk '{print $1}')
--- a/tests/EvidenceLocker/Bundles/Golden/portable/linksets.ndjson
+++ b/tests/EvidenceLocker/Bundles/Golden/portable/linksets.ndjson
@@ -0,0 +1 @@
+{"linksetId":"lnk-demo-001","advisoryId":"CVE-2025-0001","components":["pkg:deb/openssl@1.1.1w"],"normalized":true,"createdAt":"2025-11-30T00:05:00Z"}
--- a/tests/EvidenceLocker/Bundles/Golden/portable/manifest.json
+++ b/tests/EvidenceLocker/Bundles/Golden/portable/manifest.json
@@ -0,0 +1,58 @@
+{
+  "bundleId": "11111111111111111111111111111111",
+  "tenantId": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+  "kind": "evaluation",
+  "createdAt": "2025-12-04T00:00:00Z",
+  "metadata": {
+    "scope": "demo",
+    "portable": "true"
+  },
+  "redaction": {
+    "portable": true,
+    "maskedFields": ["tenantId"],
+    "tenantToken": "portable-tenant-01"
+  },
+  "entries": [
+    {
+      "section": "manifest",
+      "canonicalPath": "bundle.json",
+      "sha256": "10695174db1b549d77be583e529a249713e9bd23e46cc5e73250db5dfc92c4a9",
+      "sizeBytes": 160,
+      "mediaType": "application/json",
+      "attributes": {
+        "role": "bundle",
+        "portable": "true"
+      }
+    },
+    {
+      "section": "evidence",
+      "canonicalPath": "observations.ndjson",
+      "sha256": "c523f82e71c8a1bd9be0650883faf00ec39a792023066105d7cda544ad6ef5fd",
+      "sizeBytes": 149,
+      "mediaType": "application/x-ndjson",
+      "attributes": {
+        "dataset": "observations"
+      }
+    },
+    {
+      "section": "evidence",
+      "canonicalPath": "linksets.ndjson",
+      "sha256": "a4d84bbc3262190fd3e1f5dbc15915c97e464326a56534483ce810c905288b9d",
+      "sizeBytes": 151,
+      "mediaType": "application/x-ndjson",
+      "attributes": {
+        "dataset": "linksets"
+      }
+    },
+    {
+      "section": "docs",
+      "canonicalPath": "instructions-portable.txt",
+      "sha256": "dd2a3b62857cf331b423e7dc3b869ad2dc9bfa852109a20bcbecc7bcef9bdcb7",
+      "sizeBytes": 180,
+      "mediaType": "text/plain",
+      "attributes": {
+        "purpose": "verification"
+      }
+    }
+  ]
+}
--- a/tests/EvidenceLocker/Bundles/Golden/portable/observations.ndjson
+++ b/tests/EvidenceLocker/Bundles/Golden/portable/observations.ndjson
@@ -0,0 +1 @@
+{"observationId":"obs-demo-001","advisoryId":"CVE-2025-0001","component":"pkg:deb/openssl@1.1.1w","source":"nvd","fetchedAt":"2025-11-30T00:00:00Z"}
--- a/tests/EvidenceLocker/Bundles/Golden/portable/signature.json
+++ b/tests/EvidenceLocker/Bundles/Golden/portable/signature.json
@@ -0,0 +1,15 @@
+{
+  "payloadType": "application/vnd.stellaops.evidence+json",
+  "payload": "ewogICJidW5kbGVJZCI6ICIxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMSIsCiAgInRlbmFudElkIjogImFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhIiwKICAia2luZCI6ICJldmFsdWF0aW9uIiwKICAiY3JlYXRlZEF0IjogIjIwMjUtMTItMDRUMDA6MDA6MDBaIiwKICAibWV0YWRhdGEiOiB7CiAgICAic2NvcGUiOiAiZGVtbyIsCiAgICAicG9ydGFibGUiOiAidHJ1ZSIKICB9LAogICJyZWRhY3Rpb24iOiB7CiAgICAicG9ydGFibGUiOiB0cnVlLAogICAgIm1hc2tlZEZpZWxkcyI6IFsidGVuYW50SWQiXSwKICAgICJ0ZW5hbnRUb2tlbiI6ICJwb3J0YWJsZS10ZW5hbnQtMDEiCiAgfSwKICAiZW50cmllcyI6IFsKICAgIHsKICAgICAgInNlY3Rpb24iOiAibWFuaWZlc3QiLAogICAgICAiY2Fub25pY2FsUGF0aCI6ICJidW5kbGUuanNvbiIsCiAgICAgICJzaGEyNTYiOiAiMTA2OTUxNzRkYjFiNTQ5ZDc3YmU1ODNlNTI5YTI0OTcxM2U5YmQyM2U0NmNjNWU3MzI1MGRiNWRmYzkyYzRhOSIsCiAgICAgICJzaXplQnl0ZXMiOiAxNjAsCiAgICAgICJtZWRpYVR5cGUiOiAiYXBwbGljYXRpb24vanNvbiIsCiAgICAgICJhdHRyaWJ1dGVzIjogewogICAgICAgICJyb2xlIjogImJ1bmRsZSIsCiAgICAgICAgInBvcnRhYmxlIjogInRydWUiCiAgICAgIH0KICAgIH0sCiAgICB7CiAgICAgICJzZWN0aW9uIjogImV2aWRlbmNlIiwKICAgICAgImNhbm9uaWNhbFBhdGgiOiAib2JzZXJ2YXRpb25zLm5kanNvbiIsCiAgICAgICJzaGEyNTYiOiAiYzUyM2Y4MmU3MWM4YTFiZDliZTA2NTA4ODNmYWYwMGVjMzlhNzkyMDIzMDY2MTA1ZDdjZGE1NDRhZDZlZjVmZCIsCiAgICAgICJzaXplQnl0ZXMiOiAxNDksCiAgICAgICJtZWRpYVR5cGUiOiAiYXBwbGljYXRpb24veC1uZGpzb24iLAogICAgICAiYXR0cmlidXRlcyI6IHsKICAgICAgICAiZGF0YXNldCI6ICJvYnNlcnZhdGlvbnMiCiAgICAgIH0KICAgIH0sCiAgICB7CiAgICAgICJzZWN0aW9uIjogImV2aWRlbmNlIiwKICAgICAgImNhbm9uaWNhbFBhdGgiOiAibGlua3NldHMubmRqc29uIiwKICAgICAgInNoYTI1NiI6ICJhNGQ4NGJiYzMyNjIxOTBmZDNlMWY1ZGJjMTU5MTVjOTdlNDY0MzI2YTU2NTM0NDgzY2U4MTBjOTA1Mjg4YjlkIiwKICAgICAgInNpemVCeXRlcyI6IDE1MSwKICAgICAgIm1lZGlhVHlwZSI6ICJhcHBsaWNhdGlvbi94LW5kanNvbiIsCiAgICAgICJhdHRyaWJ1dGVzIjogewogICAgICAgICJkYXRhc2V0IjogImxpbmtzZXRzIgogICAgICB9CiAgICB9LAogICAgewogICAgICAic2VjdGlvbiI6ICJkb2NzIiwKICAgICAgImNhbm9uaWNhbFBhdGgiOiAiaW5zdHJ1Y3Rpb25zLXBvcnRhYmxlLnR4dCIsCiAgICAgICJzaGEyNTYiOiAiZGQyYTNiNjI4NTdjZjMzMWI0MjNlN2RjM2I4NjlhZDJkYzliZmE4NTIxMDlhMjBiY2JlY2M3YmNlZjliZGNiNyIsCiAgICAgICJzaXplQnl0ZXMiOiAxODAsCiAgICAgICJtZWRpYVR5cGUiOiAidGV4dC9wbGFpbiIsCiAgICAgICJhdHRyaWJ1dGVzIjogewogICAgICAgICJwdXJwb3NlIjogInZlcmlmaWNhdGlvbiIKICAgICAgfQogICAgfQogIF0KfQo=",
+  "signatures": [
+    {
+      "keyid": "demo-ed25519",
+      "sig": "MEQCIGZkZGVtb3NpZw==",
+      "algorithm": "ed25519",
+      "provider": "sovereign-default",
+      "subjectMerkleRoot": "72c82a7a3d114164d491e2ecd7098bc015b115ee1ec7c42d648f0348e573cfcf",
+      "transparency": null,
+      "log_policy": "skip-offline"
+    }
+  ]
+}
--- a/tests/EvidenceLocker/Bundles/Golden/replay/expected.json
+++ b/tests/EvidenceLocker/Bundles/Golden/replay/expected.json
@@ -0,0 +1,7 @@
+{
+  "recordDigest": "sha256:8765b4a8411e76b36a2d2d43eba4c2197b4dcf0c5c0a11685ce46780a7c54222",
+  "sequence": 0,
+  "ledgerUri": "offline://demo-ledger",
+  "dsseEnvelope": "ZHNzZV9lbmNfZGVtbyIs",
+  "ordering": "recordedAtUtc, scanId"
+}
--- a/tests/EvidenceLocker/Bundles/Golden/replay/replay.ndjson
+++ b/tests/EvidenceLocker/Bundles/Golden/replay/replay.ndjson
@@ -0,0 +1 @@
+{"scanId":"22222222-2222-4222-8222-222222222222","tenantId":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","subjectDigest":"sha256:c15ab4d1348da9e5000a5d3da50790ea120d865cafb0961845ed6f1e96927596","scanKind":"sbom","startedAtUtc":"2025-12-03T00:00:00Z","completedAtUtc":"2025-12-03T00:10:00Z","recordedAtUtc":"2025-12-03T00:10:01Z","artifacts":[{"type":"sbom","digest":"sha256:aaaa","uri":"s3://demo/sbom"}],"provenance":{"dsseEnvelope":"ZHNzZV9lbmNfZGVtbyIs"},"summary":{"findings":1,"advisories":1,"policies":0}}
--- a/tests/EvidenceLocker/Bundles/Golden/replay/replay.sha256
+++ b/tests/EvidenceLocker/Bundles/Golden/replay/replay.sha256
@@ -0,0 +1 @@
+8765b4a8411e76b36a2d2d43eba4c2197b4dcf0c5c0a11685ce46780a7c54222  replay.ndjson
--- a/tests/EvidenceLocker/Bundles/Golden/sealed/bundle.json
+++ b/tests/EvidenceLocker/Bundles/Golden/sealed/bundle.json
@@ -0,0 +1,7 @@
+{
+  "bundleId": "11111111111111111111111111111111",
+  "tenantId": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+  "kind": "evaluation",
+  "createdAt": "2025-12-04T00:00:00Z",
+  "portable": false
+}
--- a/tests/EvidenceLocker/Bundles/Golden/sealed/checksums.txt
+++ b/tests/EvidenceLocker/Bundles/Golden/sealed/checksums.txt
@@ -0,0 +1,14 @@
+{
+  "algorithm": "sha256",
+  "root": "c15ab4d1348da9e5000a5d3da50790ea120d865cafb0961845ed6f1e96927596",
+  "generatedAt": "2025-12-04T00:00:00Z",
+  "bundleId": "11111111111111111111111111111111",
+  "tenantId": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+  "entries": [
+    { "canonicalPath": "bundle.json", "sha256": "86872809b585f9b43f53b12a8fb27dbb0a3b9c4f74e41c38118877ebcff1c273", "sizeBytes": 187 },
+    { "canonicalPath": "instructions.txt", "sha256": "39a5880af850121919a540dd4528e49a3b5687cb922195b07db2c56f9e90dd1b", "sizeBytes": 160 },
+    { "canonicalPath": "linksets.ndjson", "sha256": "a4d84bbc3262190fd3e1f5dbc15915c97e464326a56534483ce810c905288b9d", "sizeBytes": 151 },
+    { "canonicalPath": "observations.ndjson", "sha256": "c523f82e71c8a1bd9be0650883faf00ec39a792023066105d7cda544ad6ef5fd", "sizeBytes": 149 }
+  ],
+  "chunking": { "strategy": "none" }
+}
--- a/tests/EvidenceLocker/Bundles/Golden/sealed/expected.json
+++ b/tests/EvidenceLocker/Bundles/Golden/sealed/expected.json
@@ -0,0 +1,14 @@
+{
+  "bundleId": "11111111111111111111111111111111",
+  "tenantId": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+  "merkleRoot": "c15ab4d1348da9e5000a5d3da50790ea120d865cafb0961845ed6f1e96927596",
+  "subject": "sha256:c15ab4d1348da9e5000a5d3da50790ea120d865cafb0961845ed6f1e96927596",
+  "entries": [
+    "bundle.json",
+    "instructions.txt",
+    "linksets.ndjson",
+    "observations.ndjson"
+  ],
+  "dsseKeyId": "demo-ed25519",
+  "logPolicy": "skip-offline"
+}
--- a/tests/EvidenceLocker/Bundles/Golden/sealed/instructions.txt
+++ b/tests/EvidenceLocker/Bundles/Golden/sealed/instructions.txt
@@ -0,0 +1,4 @@
+Offline verification steps:
+1) sha256sum -c checksums.txt
+2) merkle_root=$(sha256sum checksums.txt | awk '{print $1}')
+3) compare merkle_root with DSSE subject
--- a/tests/EvidenceLocker/Bundles/Golden/sealed/linksets.ndjson
+++ b/tests/EvidenceLocker/Bundles/Golden/sealed/linksets.ndjson
@@ -0,0 +1 @@
+{"linksetId":"lnk-demo-001","advisoryId":"CVE-2025-0001","components":["pkg:deb/openssl@1.1.1w"],"normalized":true,"createdAt":"2025-11-30T00:05:00Z"}
--- a/tests/EvidenceLocker/Bundles/Golden/sealed/manifest.json
+++ b/tests/EvidenceLocker/Bundles/Golden/sealed/manifest.json
@@ -0,0 +1,52 @@
+{
+  "bundleId": "11111111111111111111111111111111",
+  "tenantId": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+  "kind": "evaluation",
+  "createdAt": "2025-12-04T00:00:00Z",
+  "metadata": {
+    "scope": "demo",
+    "advisory": "CVE-2025-0001"
+  },
+  "entries": [
+    {
+      "section": "manifest",
+      "canonicalPath": "bundle.json",
+      "sha256": "86872809b585f9b43f53b12a8fb27dbb0a3b9c4f74e41c38118877ebcff1c273",
+      "sizeBytes": 187,
+      "mediaType": "application/json",
+      "attributes": {
+        "role": "bundle"
+      }
+    },
+    {
+      "section": "evidence",
+      "canonicalPath": "observations.ndjson",
+      "sha256": "c523f82e71c8a1bd9be0650883faf00ec39a792023066105d7cda544ad6ef5fd",
+      "sizeBytes": 149,
+      "mediaType": "application/x-ndjson",
+      "attributes": {
+        "dataset": "observations"
+      }
+    },
+    {
+      "section": "evidence",
+      "canonicalPath": "linksets.ndjson",
+      "sha256": "a4d84bbc3262190fd3e1f5dbc15915c97e464326a56534483ce810c905288b9d",
+      "sizeBytes": 151,
+      "mediaType": "application/x-ndjson",
+      "attributes": {
+        "dataset": "linksets"
+      }
+    },
+    {
+      "section": "docs",
+      "canonicalPath": "instructions.txt",
+      "sha256": "39a5880af850121919a540dd4528e49a3b5687cb922195b07db2c56f9e90dd1b",
+      "sizeBytes": 160,
+      "mediaType": "text/plain",
+      "attributes": {
+        "purpose": "verification"
+      }
+    }
+  ]
+}
--- a/tests/EvidenceLocker/Bundles/Golden/sealed/observations.ndjson
+++ b/tests/EvidenceLocker/Bundles/Golden/sealed/observations.ndjson
@@ -0,0 +1 @@
+{"observationId":"obs-demo-001","advisoryId":"CVE-2025-0001","component":"pkg:deb/openssl@1.1.1w","source":"nvd","fetchedAt":"2025-11-30T00:00:00Z"}
--- a/tests/EvidenceLocker/Bundles/Golden/sealed/signature.json
+++ b/tests/EvidenceLocker/Bundles/Golden/sealed/signature.json
@@ -0,0 +1,15 @@
+{
+  "payloadType": "application/vnd.stellaops.evidence+json",
+  "payload": "ewogICJidW5kbGVJZCI6ICIxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMSIsCiAgInRlbmFudElkIjogImFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhIiwKICAia2luZCI6ICJldmFsdWF0aW9uIiwKICAiY3JlYXRlZEF0IjogIjIwMjUtMTItMDRUMDA6MDA6MDBaIiwKICAibWV0YWRhdGEiOiB7CiAgICAic2NvcGUiOiAiZGVtbyIsCiAgICAiYWR2aXNvcnkiOiAiQ1ZFLTIwMjUtMDAwMSIKICB9LAogICJlbnRyaWVzIjogWwogICAgewogICAgICAic2VjdGlvbiI6ICJtYW5pZmVzdCIsCiAgICAgICJjYW5vbmljYWxQYXRoIjogImJ1bmRsZS5qc29uIiwKICAgICAgInNoYTI1NiI6ICI4Njg3MjgwOWI1ODVmOWI0M2Y1M2IxMmE4ZmIyN2RiYjBhM2I5YzRmNzRlNDFjMzgxMTg4NzdlYmNmZjFjMjczIiwKICAgICAgInNpemVCeXRlcyI6IDE4NywKICAgICAgIm1lZGlhVHlwZSI6ICJhcHBsaWNhdGlvbi9qc29uIiwKICAgICAgImF0dHJpYnV0ZXMiOiB7CiAgICAgICAgInJvbGUiOiAiYnVuZGxlIgogICAgICB9CiAgICB9LAogICAgewogICAgICAic2VjdGlvbiI6ICJldmlkZW5jZSIsCiAgICAgICJjYW5vbmljYWxQYXRoIjogIm9ic2VydmF0aW9ucy5uZGpzb24iLAogICAgICAic2hhMjU2IjogImM1MjNmODJlNzFjOGExYmQ5YmUwNjUwODgzZmFmMDBlYzM5YTc5MjAyMzA2NjEwNWQ3Y2RhNTQ0YWQ2ZWY1ZmQiLAogICAgICAic2l6ZUJ5dGVzIjogMTQ5LAogICAgICAibWVkaWFUeXBlIjogImFwcGxpY2F0aW9uL3gtbmRqc29uIiwKICAgICAgImF0dHJpYnV0ZXMiOiB7CiAgICAgICAgImRhdGFzZXQiOiAib2JzZXJ2YXRpb25zIgogICAgICB9CiAgICB9LAogICAgewogICAgICAic2VjdGlvbiI6ICJldmlkZW5jZSIsCiAgICAgICJjYW5vbmljYWxQYXRoIjogImxpbmtzZXRzLm5kanNvbiIsCiAgICAgICJzaGEyNTYiOiAiYTRkODRiYmMzMjYyMTkwZmQzZTFmNWRiYzE1OTE1Yzk3ZTQ2NDMyNmE1NjUzNDQ4M2NlODEwYzkwNTI4OGI5ZCIsCiAgICAgICJzaXplQnl0ZXMiOiAxNTEsCiAgICAgICJtZWRpYVR5cGUiOiAiYXBwbGljYXRpb24veC1uZGpzb24iLAogICAgICAiYXR0cmlidXRlcyI6IHsKICAgICAgICAiZGF0YXNldCI6ICJsaW5rc2V0cyIKICAgICAgfQogICAgfSwKICAgIHsKICAgICAgInNlY3Rpb24iOiAiZG9jcyIsCiAgICAgICJjYW5vbmljYWxQYXRoIjogImluc3RydWN0aW9ucy50eHQiLAogICAgICAic2hhMjU2IjogIjM5YTU4ODBhZjg1MDEyMTkxOWE1NDBkZDQ1MjhlNDlhM2I1Njg3Y2I5MjIxOTViMDdkYjJjNTZmOWU5MGRkMWIiLAogICAgICAic2l6ZUJ5dGVzIjogMTYwLAogICAgICAibWVkaWFUeXBlIjogInRleHQvcGxhaW4iLAogICAgICAiYXR0cmlidXRlcyI6IHsKICAgICAgICAicHVycG9zZSI6ICJ2ZXJpZmljYXRpb24iCiAgICAgIH0KICAgIH0KICBdCn0K",
+  "signatures": [
+    {
+      "keyid": "demo-ed25519",
+      "sig": "MEQCIGZkZGVtb3NpZw==",
+      "algorithm": "ed25519",
+      "provider": "sovereign-default",
+      "subjectMerkleRoot": "c15ab4d1348da9e5000a5d3da50790ea120d865cafb0961845ed6f1e96927596",
+      "transparency": null,
+      "log_policy": "skip-offline"
+    }
+  ]
+}
--- a/tests/offline/NotifyKitDeterminismTests.sh
+++ b/tests/offline/NotifyKitDeterminismTests.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT=$(cd "$(dirname "$0")/../.." && pwd)
+KIT="$ROOT/offline/notifier"
+
+if [ ! -f "$KIT/notify-kit.manifest.json" ]; then
+  echo "notify-kit.manifest.json missing" >&2
+  exit 1
+fi
+
+if [ ! -f "$KIT/artifact-hashes.json" ]; then
+  echo "artifact-hashes.json missing" >&2
+  exit 1
+fi
+
+echo "Notify kit files present; hash verification TODO pending BLAKE3 signer availability."
				`@@ -0,0 +1 @@`
				`{"linksetId":"lnk-demo-001","advisoryId":"CVE-2025-0001","components":["pkg:deb/openssl@1.1.1w"],"normalized":true,"createdAt":"2025-11-30T00:05:00Z"}`
				`@@ -0,0 +1 @@`
				`{"observationId":"obs-demo-001","advisoryId":"CVE-2025-0001","component":"pkg:deb/openssl@1.1.1w","source":"nvd","fetchedAt":"2025-11-30T00:00:00Z"}`
				`@@ -0,0 +1 @@`
				{"scanId":"22222222-2222-4222-8222-222222222222","tenantId":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","subjectDigest":"sha256:c15ab4d1348da9e5000a5d3da50790ea120d865cafb0961845ed6f1e96927596","scanKind":"sbom","startedAtUtc":"2025-12-03T00:00:00Z","completedAtUtc":"2025-12-03T00:10:00Z","recordedAtUtc":"2025-12-03T00:10:01Z","artifacts":[{"type":"sbom","digest":"sha256:aaaa","uri":"s3://demo/sbom"}],"provenance":{"dsseEnvelope":"ZHNzZV9lbmNfZGVtbyIs"},"summary":{"findings":1,"advisories":1,"policies":0}}
				`@@ -0,0 +1 @@`
				`8765b4a8411e76b36a2d2d43eba4c2197b4dcf0c5c0a11685ce46780a7c54222 replay.ndjson`