# PoE Golden Fixtures

This directory contains golden test fixtures for Proof of Exposure (PoE) determinism testing.

## Purpose

Golden fixtures serve as:

1. **Determinism Tests**: Verify that PoE generation produces identical output for identical inputs
2. **Regression Tests**: Detect unintended changes to PoE format or content
3. **Documentation**: Show real-world examples of PoE artifacts

## Fixtures

| Fixture | Description | Size | Paths | Nodes | Edges |
|---------|-------------|------|-------|-------|-------|
| `log4j-cve-2021-44228.poe.golden.json` | Log4j RCE with single path | ~2.5 KB | 1 | 4 | 3 |
| `multi-path-java.poe.golden.json` | Java with 3 alternative paths | ~8 KB | 3 | 12 | 18 |
| `guarded-path-dotnet.poe.golden.json` | .NET with feature flag guards | ~5 KB | 2 | 8 | 10 |
| `stripped-binary-c.poe.golden.json` | C/C++ stripped binary (code_id) | ~6 KB | 1 | 6 | 5 |

## Hash Verification

Each fixture has a known BLAKE3-256 hash for integrity verification:

```
log4j-cve-2021-44228.poe.golden.json:
  blake3: 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b
  sha256: abc123def456789012345678901234567890123456789012345678901234567890
```

## Usage in Tests

### Determinism Test

```csharp
[Fact]
public async Task PoEGeneration_WithSameInputs_ProducesSameHash()
{
    var goldenPath = "Fixtures/log4j-cve-2021-44228.poe.golden.json";
    var goldenBytes = await File.ReadAllBytesAsync(goldenPath);
    var goldenHash = ComputeBlake3Hash(goldenBytes);

    // Generate PoE from test inputs
    var generatedPoe = await GeneratePoE(testInputs);
    var generatedHash = ComputeBlake3Hash(generatedPoe);

    Assert.Equal(goldenHash, generatedHash);
}
```

### Regression Test

```csharp
[Fact]
public async Task PoEGeneration_Schema_MatchesGolden()
{
    var goldenPath = "Fixtures/log4j-cve-2021-44228.poe.golden.json";
    var golden = await LoadPoE(goldenPath);

    // Generate PoE from test inputs
    var generated = await GeneratePoE(testInputs);

    // Schema should match (structure, field types)
    Assert.Equal(golden.Schema, generated.Schema);
    Assert.Equal(golden.Subject.VulnId, generated.Subject.VulnId);
    Assert.Equal(golden.Subgraph.Nodes.Count, generated.Subgraph.Nodes.Count);
}
```

## Generating New Fixtures

To create a new golden fixture:

1. **Run scanner on test image:**

   ```bash
   stella scan --image test/log4j:vulnerable --emit-poe --output ./test-output/
   ```

2. **Extract PoE artifact:**

   ```bash
   cp ./test-output/poe.json ./Fixtures/new-fixture.poe.golden.json
   ```

3. **Verify determinism:**

   ```bash
   # Run scan again
   stella scan --image test/log4j:vulnerable --emit-poe --output ./test-output2/

   # Compare hashes
   sha256sum ./test-output/poe.json ./test-output2/poe.json
   # Hashes MUST match for determinism
   ```

4. **Commit fixture:**

   ```bash
   git add ./Fixtures/new-fixture.poe.golden.json
   git commit -m "Add golden fixture: new-fixture"
   ```

## Maintenance

- **Update fixtures** when PoE schema version changes (schema field)
- **Regenerate fixtures** when canonical JSON format changes
- **Verify hashes** after any changes to serialization logic
- **Document breaking changes** in fixture commit messages

## Related Documentation

- [POE_PREDICATE_SPEC.md](../../../../src/Attestor/POE_PREDICATE_SPEC.md) - PoE schema specification
- [SUBGRAPH_EXTRACTION.md](../../../../src/Scanner/__Libraries/StellaOps.Scanner.Reachability/SUBGRAPH_EXTRACTION.md) - Extraction algorithm
- [PoEArtifactGeneratorTests.cs](../../../../src/Attestor/__Tests/PoEArtifactGeneratorTests.cs) - Unit tests using fixtures
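
When the hash comparison in "Verify determinism" or the determinism test fails, the next question is whether serialization changed (regenerate the fixture) or the content itself drifted (investigate the generator). The following triage helper is an added example, not part of the project's code; the JSON field names, the `example-poe-v1` schema value and the sample documents are constructed for illustration, and SHA-256 is used as in the `sha256sum` step above.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_paths(a, b, path="$"):
    """Yield JSON paths at which two parsed documents differ."""
    if isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(set(a) | set(b)):
            if key not in a or key not in b:
                yield f"{path}.{key}"  # field added or removed
            else:
                yield from diff_paths(a[key], b[key], f"{path}.{key}")
    elif isinstance(a, list) and isinstance(b, list):
        if len(a) != len(b):
            yield f"{path}[length {len(a)} != {len(b)}]"
        else:
            # Array order is significant in JSON, so compare position by position.
            for i, (x, y) in enumerate(zip(a, b)):
                yield from diff_paths(x, y, f"{path}[{i}]")
    elif a != b or type(a) is not type(b):
        yield path

def triage(golden: bytes, generated: bytes) -> dict:
    """Classify a golden comparison: identical, serialization-drift or content-drift."""
    if sha256_hex(golden) == sha256_hex(generated):
        return {"status": "identical", "paths": []}
    paths = list(diff_paths(json.loads(golden), json.loads(generated)))
    # Same parsed content but different bytes: key order or whitespace changed.
    status = "content-drift" if paths else "serialization-drift"
    return {"status": status, "paths": paths}

# Constructed sample documents (field names are assumptions, not the PoE schema).
GOLDEN = (b'{"schema":"example-poe-v1","subject":{"vulnId":"CVE-2021-44228"},'
          b'"subgraph":{"nodes":["a","b","c","d"]}}')
REORDERED = (b'{"subject":{"vulnId":"CVE-2021-44228"},"schema":"example-poe-v1",'
             b'"subgraph":{"nodes":["a","b","c","d"]}}')
TIMESTAMPED = GOLDEN[:-1] + b',"generatedAt":"2024-01-01T00:00:00Z"}'
NODE_ORDER = GOLDEN.replace(b'["a","b","c","d"]', b'["a","c","b","d"]')

if __name__ == "__main__":
    for name, sample in [("reordered keys", REORDERED),
                         ("embedded timestamp", TIMESTAMPED),
                         ("unsorted nodes", NODE_ORDER)]:
        print(name, triage(GOLDEN, sample))
```

The three samples cover common sources of non-determinism: unordered map serialization, wall-clock values embedded in the artifact, and unsorted collections.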