# Supply-Chain Hardening Suite

Deterministic, offline-safe hardening lanes for canonicalization, mutation fuzzing, Rekor negative paths, and large DSSE/referrer rejection behavior.

## Lanes

- `01-jcs-property`: canonicalization idempotence/permutation checks + duplicate-key rejection.
- `02-schema-fuzz`: bounded mutation lane with deterministic seed and crash artifact emission.
- `03-rekor-neg`: deterministic Rekor fault classification + diagnostic blob generation.
- `04-big-dsse-referrers`: oversized DSSE + malformed referrer graceful reject tests.
- `05-corpus`: deterministic fixture corpus and archive manifest builder.

## Run

- Linux/macOS:
  - `bash tests/supply-chain/run.sh smoke`
- PowerShell:
  - `pwsh tests/supply-chain/run.ps1 -Profile smoke`
- Direct:
  - `python tests/supply-chain/run_suite.py --profile smoke --seed 20260226`

## Profiles

- `smoke`: CI PR gate (`02-schema-fuzz` limit=1000, time=60s).
- `nightly`: scheduled lane (`02-schema-fuzz` limit=5000, time=300s).

## Pass/Fail Gates

- JCS lane: zero invariant failures.
- Fuzz lane: zero `crash` classifications.
- Rekor negative lane: all cases return expected deterministic error classes.
- Big DSSE/referrers lane: malformed/oversized cases are rejected with `unknown_state` and `reprocessToken`.
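
The three `01-jcs-property` invariants (idempotence, member-order permutation, duplicate-key rejection) and the "zero invariant failures" gate, as an added illustration rather than the suite's own lane code. It assumes a JCS-like canonical form built from `json.dumps` (sorted keys, no whitespace, raw UTF-8) and restricts numbers to integers, since RFC 8785 number formatting is not reproduced here; the seed `20260226` is the one the run commands use.

```python
import json
import random

class DuplicateKeyError(ValueError):
    """A JSON object carried the same member name twice."""

def _reject_duplicates(pairs):
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate member name: {key!r}")
        obj[key] = value
    return obj

def parse_strict(text):
    """json.loads that refuses duplicate keys instead of silently keeping the last."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)

def rejects_duplicates(text):
    try:
        parse_strict(text)
    except DuplicateKeyError:
        return True
    return False

def canonicalize(value):
    """JCS-like form: sorted keys, no whitespace, raw UTF-8 (ints only, not floats)."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"), ensure_ascii=False)

def _shuffle_keys(value, rng):
    """Rebuild objects with randomly permuted member order; arrays keep their order."""
    if isinstance(value, dict):
        items = list(value.items())
        rng.shuffle(items)
        return {k: _shuffle_keys(v, rng) for k, v in items}
    if isinstance(value, list):
        return [_shuffle_keys(v, rng) for v in value]
    return value

def check_invariants(doc, seed=20260226, rounds=50):
    """Return the violated invariants; an empty list is the lane's pass condition."""
    rng = random.Random(seed)  # deterministic seed, like the suite's --seed
    canon, failures = canonicalize(doc), []
    # Idempotence: re-parsing the canonical text and canonicalizing again must round-trip.
    if canonicalize(parse_strict(canon)) != canon:
        failures.append("idempotence")
    # Permutation: member order in the input must not leak into the output.
    if any(canonicalize(_shuffle_keys(doc, rng)) != canon for _ in range(rounds)):
        failures.append("permutation")
    return failures
```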

## Failure Artifacts

Each lane writes machine-readable artifacts under `out/supply-chain/<lane>/`.

- `junit.xml`: CI-visible test result summary.
- `report.json` / `summary.json`: deterministic counters and classifications.
- `failures/<case>/diagnostic_blob.json`: replay-ready diagnostics.
- `hypothesis_seed.txt`: deterministic seed (name retained for familiarity).

## Replay

To replay a failing smoke run:

`python tests/supply-chain/run_suite.py --profile smoke --seed 20260226 --output out/supply-chain-replay`