Supply-Chain Hardening Suite
Deterministic, offline-safe hardening lanes for canonicalization, mutation fuzzing, Rekor negative paths, and large DSSE/referrer rejection behavior.
Lanes
- 01-jcs-property: canonicalization idempotence/permutation checks + duplicate-key rejection.
- 02-schema-fuzz: bounded mutation lane with deterministic seed and crash artifact emission.
- 03-rekor-neg: deterministic Rekor fault classification + diagnostic blob generation.
- 04-big-dsse-referrers: oversized DSSE + malformed referrer graceful reject tests.
- 05-corpus: deterministic fixture corpus and archive manifest builder.
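The kind of invariants the 01-jcs-property lane describes, as an added example written for this README rather than the suite's own lane code: a minimal JCS-style canonicalizer with idempotence and key-permutation checks plus duplicate-key rejection. Function names (canonicalize, check_invariants, rejects_duplicates) are hypothetical, and the sample documents are constructed.

```python
# Added example for this README (not the suite's own lane code): a minimal
# JCS-style canonicalizer plus the invariants the 01-jcs-property lane names.
# Function names are hypothetical. Sorting uses Python code-point order and
# json.dumps number formatting, which match RFC 8785 for typical BMP keys and
# integers but not for every astral-plane key or float.
import json


class DuplicateKeyError(ValueError):
    """A JSON object repeated a member name."""


def _reject_duplicates(pairs):
    # json.loads keeps the last duplicate silently; refuse the ambiguity.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate member name: {key!r}")
        obj[key] = value
    return obj


def canonicalize(text: str) -> str:
    """Sorted keys, no insignificant whitespace, non-ASCII unescaped."""
    data = json.loads(text, object_pairs_hook=_reject_duplicates)
    return json.dumps(data, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)


def rejects_duplicates(text: str) -> bool:
    """True if canonicalize() refuses the document for a repeated name."""
    try:
        canonicalize(text)
    except DuplicateKeyError:
        return True
    return False


def check_invariants(text: str) -> dict:
    """Idempotence and member-permutation invariants for one document."""
    canon = canonicalize(text)
    # Idempotence: the canonical form is a fixed point of canonicalize().
    idempotent = canonicalize(canon) == canon
    # Permutation: reversing top-level member order must not change output.
    data = json.loads(text, object_pairs_hook=_reject_duplicates)
    reordered = (json.dumps(dict(reversed(list(data.items()))))
                 if isinstance(data, dict) else text)
    permutation_stable = canonicalize(reordered) == canon
    return {"idempotent": idempotent, "permutation_stable": permutation_stable}
```

A lane would count any False in check_invariants() or any unraised DuplicateKeyError as an invariant failure against the "zero invariant failures" gate.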
Run
- Linux/macOS:
bash tests/supply-chain/run.sh smoke
- PowerShell:
pwsh tests/supply-chain/run.ps1 -Profile smoke
- Direct:
python tests/supply-chain/run_suite.py --profile smoke --seed 20260226
Profiles
- smoke: CI PR gate (02-schema-fuzz limit=1000, time=60s).
- nightly: scheduled lane (02-schema-fuzz limit=5000, time=300s).
Pass/Fail Gates
- JCS lane: zero invariant failures.
- Fuzz lane: zero crash classifications.
- Rekor negative lane: all cases return expected deterministic error classes.
- Big DSSE/referrers lane: malformed/oversized cases are rejected with unknown_state and reprocessToken.
Failure Artifacts
Each lane writes machine-readable artifacts under out/supply-chain/<lane>/.
- junit.xml: CI-visible test result summary.
- report.json/summary.json: deterministic counters and classifications.
- failures/<case>/diagnostic_blob.json: replay-ready diagnostics.
- hypothesis_seed.txt: deterministic seed (name retained for familiarity).
Replay
To replay a failing smoke run:
python tests/supply-chain/run_suite.py --profile smoke --seed 20260226 --output out/supply-chain-replay