# Supply-Chain Hardening Suite

Deterministic, offline-safe hardening lanes for canonicalization, mutation fuzzing, Rekor negative paths, and large DSSE/referrer rejection behavior.

## Lanes

- `01-jcs-property`: canonicalization idempotence/permutation checks + duplicate-key rejection.
- `02-schema-fuzz`: bounded mutation lane with deterministic seed and crash artifact emission.
- `03-rekor-neg`: deterministic Rekor fault classification + diagnostic blob generation.
- `04-big-dsse-referrers`: oversized DSSE + malformed referrer graceful reject tests.
- `05-corpus`: deterministic fixture corpus and archive manifest builder.

## Run

- Linux/macOS:
  - `bash tests/supply-chain/run.sh smoke`
- PowerShell:
  - `pwsh tests/supply-chain/run.ps1 -Profile smoke`
- Direct:
  - `python tests/supply-chain/run_suite.py --profile smoke --seed 20260226`

## Profiles

- `smoke`: CI PR gate (`02-schema-fuzz` limit=1000, time=60s).
- `nightly`: scheduled lane (`02-schema-fuzz` limit=5000, time=300s).

## Pass/Fail Gates

- JCS lane: zero invariant failures.
- Fuzz lane: zero `crash` classifications.
- Rekor negative lane: all cases return expected deterministic error classes.
- Big DSSE/referrers lane: malformed/oversized cases are rejected with `unknown_state` and `reprocessToken`.

## Failure Artifacts

Each lane writes machine-readable artifacts under `out/supply-chain//`.

- `junit.xml`: CI-visible test result summary.
- `report.json` / `summary.json`: deterministic counters and classifications.
- `failures//diagnostic_blob.json`: replay-ready diagnostics.
- `hypothesis_seed.txt`: deterministic seed (name retained for familiarity).

## Replay

To replay a failing smoke run:

`python tests/supply-chain/run_suite.py --profile smoke --seed 20260226 --output out/supply-chain-replay`
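The three invariants the `01-jcs-property` lane gates on (idempotence, key-order permutation invariance, duplicate-key rejection) can be illustrated with a small standalone check. This is an added example, not code from the suite; it assumes a simplified JCS-style serialization (sorted keys, no whitespace, non-ASCII left unescaped) and does not reproduce RFC 8785 number formatting. The DSSE-like fixtures are constructed for the example.

```python
import json
from typing import Any


def _reject_duplicates(pairs):
    """object_pairs_hook: fail closed when any object repeats a key.
    Plain json.loads silently keeps the last value, which is exactly the
    ambiguity a canonicalization lane must refuse (two parsers may disagree
    on which value is signed)."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj


def parse_strict(text: str) -> Any:
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def canonicalize(value: Any) -> str:
    # Assumption: simplified JCS form (sorted keys, compact, raw non-ASCII).
    return json.dumps(value, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def check_idempotent(text: str) -> bool:
    """canonicalize(parse(canonicalize(x))) must equal canonicalize(x)."""
    once = canonicalize(parse_strict(text))
    return canonicalize(parse_strict(once)) == once


def check_permutation(text_a: str, text_b: str) -> bool:
    """Documents differing only in key order must canonicalize identically."""
    return canonicalize(parse_strict(text_a)) == canonicalize(parse_strict(text_b))


def classify(text: str) -> str:
    """Lane-style verdict for one fixture: 'ok', 'duplicate_key' or 'invalid_json'."""
    try:
        parse_strict(text)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return "duplicate_key" if "duplicate key" in str(exc) else "invalid_json"
    return "ok"


# Constructed DSSE-like fixtures (not from the suite's corpus).
FIXTURE_A = '{"signatures": [{"sig": "c2ln", "keyid": "k1"}], "payloadType": "application/vnd.dsse.test", "payload": "e30="}'
FIXTURE_B = '{"payload": "e30=", "payloadType": "application/vnd.dsse.test", "signatures": [{"keyid": "k1", "sig": "c2ln"}]}'
FIXTURE_DUP = '{"payload": "e30=", "payload": "e30x"}'

if __name__ == "__main__":
    print(check_idempotent(FIXTURE_A), check_permutation(FIXTURE_A, FIXTURE_B), classify(FIXTURE_DUP))
```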