# Evidence Locker Golden Fixtures (EB10)

Purpose: reference bundles and replay records used by CI to prove deterministic packaging, DSSE subject stability, and portable redaction behaviour.

## Layout

- `sealed/` – sealed `bundle.tgz` artifacts with matching `manifest.json`, `checksums.txt`, and expected Merkle root in `expected.json`.
- `portable/` – redacted `portable-bundle-v1.tgz` paired with `expected.json` noting masked fields.
- `replay/` – `replay.ndjson` records aligned to the bundle fixtures; ordering is canonical (recordedAtUtc, scanId).

## Expectations

- Gzip timestamp pinned to `2025-01-01T00:00:00Z`; tar entries use `0644` perms and fixed mtime.
- `checksums.txt` sorted lexicographically by `canonicalPath`; Merkle root equals `sha256sum checksums.txt`.
- DSSE subject ties to the Merkle root; manifest validates against `schemas/bundle.manifest.schema.json`.
- Portable bundles must exclude tenant identifiers and include redaction metadata in the manifest.

## How to (re)generate

1. Set `TZ=UTC` and ensure deterministic tool versions.
2. Run EvidenceLocker pipeline to produce sealed bundle; copy outputs here with expected hash values.
3. Produce portable bundle and replay records using the same input set; write `expected.json` capturing root hashes and replay digests.
4. Update xUnit tests in `StellaOps.EvidenceLocker.Tests` to consume these fixtures without network calls.
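
The packaging checks listed under Expectations can also be run outside the xUnit suite. The Python below is an added example, not code from StellaOps: it assumes `checksums.txt` uses `sha256sum`-style `<hex>  <canonicalPath>` lines and that the caller passes in the expected root from `expected.json`; the function names and sample files are constructed for illustration.

```python
import gzip, hashlib, io, tarfile
from datetime import datetime, timezone

# Pinned gzip timestamp stated in this README, as epoch seconds.
PINNED = int(datetime(2025, 1, 1, tzinfo=timezone.utc).timestamp())

def make_bundle(files, gz_mtime=PINNED, mode=0o644, entry_mtime=PINNED):
    """Constructed sample input: pack {path: bytes} into an in-memory .tgz."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=gz_mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path in sorted(files):
                info = tarfile.TarInfo(path)
                info.size, info.mode, info.mtime = len(files[path]), mode, entry_mtime
                tar.addfile(info, io.BytesIO(files[path]))
    return buf.getvalue()

def make_checksums(files):
    """Assumed layout: '<sha256-hex>  <canonicalPath>' lines, sorted by path."""
    return "".join(f"{hashlib.sha256(files[p]).hexdigest()}  {p}\n" for p in sorted(files))

def merkle_root(checksums):
    """Per the README, the root is the SHA-256 of checksums.txt itself."""
    return hashlib.sha256(checksums.encode()).hexdigest()

def verify(bundle, checksums, expected_root):
    """Return the list of violated expectations (empty means the fixture passes)."""
    problems = []
    # Gzip header bytes 4..7 hold MTIME as a little-endian uint32 (RFC 1952).
    if int.from_bytes(bundle[4:8], "little") != PINNED:
        problems.append("gzip timestamp not pinned")
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
    if any(m.mode != 0o644 for m in members):
        problems.append("tar entry mode is not 0644")
    # The README does not state the fixed mtime value, so only uniformity is checked.
    if len({m.mtime for m in members}) > 1:
        problems.append("tar entry mtimes differ")
    paths = [line.split("  ", 1)[1] for line in checksums.splitlines()]
    if paths != sorted(paths):
        problems.append("checksums.txt not sorted by canonicalPath")
    if merkle_root(checksums) != expected_root:
        problems.append("Merkle root mismatch")
    return problems

if __name__ == "__main__":
    files = {"manifest.json": b"{}", "evidence/a.json": b"[1]"}  # constructed sample
    text = make_checksums(files)
    print(verify(make_bundle(files), text, merkle_root(text)))
```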