# Supply-Chain Fuzz Corpus

This corpus is the deterministic seed set for `tests/supply-chain`.

## Layout

- `fixtures/sboms/`: CycloneDX-like SBOM samples used for JCS and mutation lanes.
- `fixtures/attestations/`: DSSE envelope examples.
- `fixtures/vex/`: OpenVEX-like samples.
- `fixtures/malformed/`: intentionally malformed JSON payloads.

## Update Procedure (Deterministic)

1. Add new fixture files under the correct `fixtures/*` directory.
2. Keep file names stable and monotonic (`*-001`, `*-002`, ...).
3. Regenerate archive manifest with:
   - `python tests/supply-chain/05-corpus/build_corpus_archive.py --output out/supply-chain/05-corpus`
4. Run suite smoke profile:
   - `python tests/supply-chain/run_suite.py --profile smoke --seed 20260226`
5. If a crash is fixed, add the minimized repro fixture before merge.

## Notes

- No network I/O is required to consume this corpus.
- All lane scripts use fixed seed defaults to keep replay deterministic.
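
A pre-merge check for steps 2 and 3 of the update procedure, as an added example that is not this repository's code and does not reproduce `build_corpus_archive.py`: it flags fixture names that break the numbered series and builds a manifest whose bytes depend only on paths and contents. The function names, the `<stem>-NNN.<ext>` pattern, and the manifest layout are assumptions made for illustration.

```python
import hashlib
import json
import re
from pathlib import Path

# Assumed reading of step 2: "<stem>-NNN.<ext>" inside each fixtures/* directory.
NAME_RE = re.compile(r"^(?P<stem>.+)-(?P<seq>\d{3,})\.[^.]+$")


def load_fixtures(root):
    """Map POSIX-style relative path -> bytes for every file under root."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in Path(root).rglob("*") if p.is_file()}


def naming_problems(paths):
    """Report names that break the pattern or leave gaps in a numbered series."""
    problems, series = [], {}
    for path in sorted(paths):
        directory, _, name = path.rpartition("/")
        m = NAME_RE.match(name)
        if m is None:
            problems.append(f"{path}: expected <stem>-NNN.<ext>")
        else:
            series.setdefault((directory, m["stem"]), []).append(int(m["seq"]))
    for (directory, stem), seqs in sorted(series.items()):
        seqs.sort()
        if seqs != list(range(1, len(seqs) + 1)):
            problems.append(f"{directory}/{stem}: sequence {seqs} is not 1..{len(seqs)}")
    return problems


def build_manifest(files):
    """Byte-stable manifest: sorted paths, SHA-256 per file, no timestamps."""
    entries = [{"path": p, "sha256": hashlib.sha256(files[p]).hexdigest(),
                "size": len(files[p])} for p in sorted(files)]
    return json.dumps({"entries": entries}, sort_keys=True,
                      separators=(",", ":")).encode()


# Constructed sample corpus (not the repository's real fixtures).
SAMPLE = {
    "fixtures/sboms/sbom-001.json": b'{"bomFormat":"CycloneDX"}',
    "fixtures/sboms/sbom-002.json": b'{"bomFormat":"CycloneDX","components":[]}',
    "fixtures/malformed/truncated-001.json": b'{"bomFormat":',
}

if __name__ == "__main__":
    print(naming_problems(SAMPLE), hashlib.sha256(build_manifest(SAMPLE)).hexdigest())
```

Comparing the manifest digest from two independent checkouts is a quick way to confirm that nothing outside the fixture bytes and paths leaks into the archive.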