{ "$schema": "https://stellaops.org/schemas/policy/determinism-fixture-v1.json", "version": "1.0.0", "description": "Determinism fixtures for Policy Engine scoring and decision APIs", "fixtures": [ { "fixture_id": "DET-001", "name": "Basic Scoring Determinism", "description": "Verify that scoring produces identical output for identical input", "input": { "finding_id": "CVE-2024-0001", "tenant_id": "default", "profile_id": "risk-profile-001", "signals": { "cvss_base": 7.5, "exploitability": 2.8, "impact": 5.9 } }, "expected_output": { "severity": "high", "raw_score": 7.5, "signal_order": ["cvss_base", "exploitability", "impact"], "assertions": [ "signal_contributions keys are alphabetically ordered", "scored_at is from context, not wall clock" ] } }, { "fixture_id": "DET-002", "name": "Multi-Finding Ordering", "description": "Verify that multiple findings are returned in a stable order", "input": { "findings": [ {"finding_id": "CVE-2024-0003", "cvss_base": 5.0}, {"finding_id": "CVE-2024-0001", "cvss_base": 9.8}, {"finding_id": "CVE-2024-0002", "cvss_base": 7.5} ] }, "expected_output": { "finding_order": ["CVE-2024-0001", "CVE-2024-0002", "CVE-2024-0003"], "assertions": [ "findings sorted alphabetically by finding_id", "order is stable across multiple runs" ] } }, { "fixture_id": "DET-003", "name": "Decision Summary Ordering", "description": "Verify severity counts are in canonical order", "input": { "decisions": [ {"severity": "low", "count": 5}, {"severity": "critical", "count": 1}, {"severity": "medium", "count": 3}, {"severity": "high", "count": 2} ] }, "expected_output": { "severity_order": ["critical", "high", "medium", "low", "info"], "assertions": [ "severity_counts keys follow canonical order", "missing severities are handled consistently: either always omitted or always zero-filled" ] } }, { "fixture_id": "DET-004", "name": "Deprecated Field Absence (v2.0)", "description": "Verify deprecated fields are not present in v2.0 output", "input": { "finding_id": "CVE-2024-0001", 
"cvss_base": 7.5, "version": "2.0" }, "expected_output": { "absent_fields": [ "normalized_score", "top_severity_sources", "source_rank" ], "present_fields": [ "severity", "raw_score", "trust_weights" ], "assertions": [ "normalized_score is not serialized", "trust_weights replaces top_severity_sources" ] } }, { "fixture_id": "DET-005", "name": "Legacy Compatibility Mode (v1.5)", "description": "Verify deprecated fields are present when legacy mode enabled", "input": { "finding_id": "CVE-2024-0001", "cvss_base": 7.5, "options": { "include_legacy_normalized_score": true } }, "expected_output": { "present_fields": [ "normalized_score", "severity", "raw_score" ], "assertions": [ "normalized_score is present for backwards compatibility", "severity is canonical (high, not HIGH)" ] } }, { "fixture_id": "DET-006", "name": "Signal Contribution Ordering", "description": "Verify signal contributions maintain stable key order", "input": { "signals": { "zeta_factor": 0.5, "alpha_score": 1.0, "beta_weight": 0.75 } }, "expected_output": { "contribution_order": ["alpha_score", "beta_weight", "zeta_factor"], "assertions": [ "signal_contributions keys are alphabetically sorted", "contribution values are deterministic decimals" ] } }, { "fixture_id": "DET-007", "name": "Timestamp Determinism", "description": "Verify timestamps come from context, not wall clock", "input": { "finding_id": "CVE-2024-0001", "context": { "evaluation_time": "2025-12-06T10:00:00Z" } }, "expected_output": { "scored_at": "2025-12-06T10:00:00Z", "assertions": [ "scored_at matches context.evaluation_time exactly", "no random GUIDs in output" ] } } ], "test_requirements": { "snapshot_equality": "Identical inputs must produce byte-for-byte identical JSON", "cross_environment": "Output must match across CI, local, and production", "ordering_stability": "Collection order must be deterministic and documented" }, "migration_notes": { "v1.5": "Enable legacy mode with include_legacy_normalized_score for backwards 
compatibility", "v2.0": "Remove all deprecated fields, trust_weights replaces source ranking" } }