From 66277f2446e2bd36e781dc928f5bcd9475ce33f0 Mon Sep 17 00:00:00 2001
From: Ricky Jones
Date: Wed, 4 Mar 2026 23:35:02 +0000
Subject: [PATCH 1/4] fixtures: add crypto posture conformance vector 01 (nominal approved)
---
.../vector_01_nominal_approved.json | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 tests/fixtures/crypto_posture/vector_01_nominal_approved.json
diff --git a/tests/fixtures/crypto_posture/vector_01_nominal_approved.json b/tests/fixtures/crypto_posture/vector_01_nominal_approved.json
new file mode 100644
index 0000000..9526566
--- /dev/null
+++ b/tests/fixtures/crypto_posture/vector_01_nominal_approved.json
@@ -0,0 +1,34 @@
+{
+ "_meta": {
+ "vector_id": "crypto_posture_01",
+ "description": "Nominal approved PQC posture — approved algorithm suite, valid key origin, matching policy",
+ "category": "nominal_approved",
+ "expected_verdict": "ALLOW",
+ "expected_reason_code": "crypto_posture_approved"
+ },
+ "input": {
+ "actor_id": "operator-alpha",
+ "action_class": "sensitive_command",
+ "context": {
+ "mission_phase": "transit",
+ "comms_mode": "DDIL"
+ },
+ "authority_scope": {
+ "level": "operational",
+ "delegation_chain": ["ground_authority", "vessel_commander"]
+ },
+ "invariant_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+ "crypto_posture": {
+ "alg_suite": "ML-KEM-768",
+ "key_origin": "onboard_kms",
+ "rotation_epoch": "2026-03-01T00:00:00Z",
+ "policy_hash": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
+ "toolchain_provenance": "genesis-aix-build-2026.03.r1"
+ }
+ },
+ "expected_output": {
+ "verdict": "ALLOW",
+ "reasons": ["crypto_posture_approved"],
+ "schema_version": "0.2.0"
+ }
+}
From 3dde20f7b5bb06f3757810a3d13b21a63f941fdf Mon Sep 17 00:00:00 2001
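Review bot: `invariant_hash` in this ALLOW vector is `e3b0c442…7852b855`, which is the SHA-256 digest of empty input, and the same value is reused in vectors 02, 03 and 04. If the evaluator checks this field, a positive vector pinned to the empty-input digest keeps passing even when the invariant set was never loaded or hashed, so the nominal case would not notice that regression. `policy_hash` is likewise a repeating `a1b2c3d4e5f6` pattern, while the description claims a "matching policy" that nothing in the fixture lets a reader check. JSON has no comments, so I would either use digests of committed reference artefacts or state the placeholder status in the description, e.g. append `(invariant_hash and policy_hash are placeholders, not verified digests)`.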
From: Ricky Jones
Date: Wed, 4 Mar 2026 23:36:09 +0000
Subject: [PATCH 2/4] fixtures: add crypto posture vector 02 (hybrid PQC approved)
---
.../vector_02_hybrid_pqc_approved.json | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 tests/fixtures/crypto_posture/vector_02_hybrid_pqc_approved.json
diff --git a/tests/fixtures/crypto_posture/vector_02_hybrid_pqc_approved.json b/tests/fixtures/crypto_posture/vector_02_hybrid_pqc_approved.json
new file mode 100644
index 0000000..db72c35
--- /dev/null
+++ b/tests/fixtures/crypto_posture/vector_02_hybrid_pqc_approved.json
@@ -0,0 +1,34 @@
+{
+ "_meta": {
+ "vector_id": "crypto_posture_02",
+ "description": "Hybrid classic+PQC posture approved by policy",
+ "category": "hybrid_pqc_approved",
+ "expected_verdict": "ALLOW",
+ "expected_reason_code": "crypto_posture_hybrid_approved"
+ },
+ "input": {
+ "actor_id": "operator-bravo",
+ "action_class": "sensitive_command",
+ "context": {
+ "mission_phase": "station_keeping",
+ "comms_mode": "SATCOM"
+ },
+ "authority_scope": {
+ "level": "operational",
+ "delegation_chain": ["ground_authority"]
+ },
+ "invariant_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+ "crypto_posture": {
+ "alg_suite": "ECDH-P384+ML-KEM-768",
+ "key_origin": "HSM",
+ "rotation_epoch": "2026-02-15T00:00:00Z",
+ "policy_hash": "b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3",
+ "toolchain_provenance": "genesis-aix-build-2026.02.r3"
+ }
+ },
+ "expected_output": {
+ "verdict": "ALLOW",
+ "reasons": ["crypto_posture_hybrid_approved"],
+ "schema_version": "0.2.0"
+ }
+}
From 0d8a2ace0da9b4718777173a31eddeb0acad71df Mon Sep 17 00:00:00 2001
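Review bot: `"key_origin": "HSM"` is the only upper-case value used for this field; vectors 01 and 04 use `onboard_kms` and vector 03 uses `external_ca`. If the evaluator compares key origins against an allowlist by exact string, which seems likely for a fail-closed check, the suite should pin one spelling, e.g. `"key_origin": "hsm"`, and cover case variants in a dedicated negative vector if case-sensitivity is part of the contract. Separately, `_meta.expected_verdict` and `_meta.expected_reason_code` repeat what `expected_output` already states, here and in the other three vectors, so the two copies can drift apart unless the harness asserts that they agree.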
From: Ricky Jones
Date: Wed, 4 Mar 2026 23:37:05 +0000
Subject: [PATCH 3/4] =?UTF-8?q?fixtures:=20add=20crypto=20posture=20vector?= =?UTF-8?q?=2003=20(unknown=20suite=20=E2=86=92=20REFUSE)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../vector_03_unknown_posture_refuse.json | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 tests/fixtures/crypto_posture/vector_03_unknown_posture_refuse.json
diff --git a/tests/fixtures/crypto_posture/vector_03_unknown_posture_refuse.json b/tests/fixtures/crypto_posture/vector_03_unknown_posture_refuse.json
new file mode 100644
index 0000000..5638e48
--- /dev/null
+++ b/tests/fixtures/crypto_posture/vector_03_unknown_posture_refuse.json
@@ -0,0 +1,34 @@
+{
+ "_meta": {
+ "vector_id": "crypto_posture_03",
+ "description": "Misconfigured/unknown algorithm suite — fail-closed to REFUSE",
+ "category": "unknown_posture_refuse",
+ "expected_verdict": "REFUSE",
+ "expected_reason_code": "crypto_posture_unknown_suite"
+ },
+ "input": {
+ "actor_id": "operator-charlie",
+ "action_class": "sensitive_command",
+ "context": {
+ "mission_phase": "transit",
+ "comms_mode": "EMCON"
+ },
+ "authority_scope": {
+ "level": "operational",
+ "delegation_chain": ["ground_authority", "vessel_commander"]
+ },
+ "invariant_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+ "crypto_posture": {
+ "alg_suite": "UNKNOWN-ALG-SUITE-999",
+ "key_origin": "external_ca",
+ "rotation_epoch": "2026-01-01T00:00:00Z",
+ "policy_hash": "c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
+ "toolchain_provenance": "vendor-x-build-unknown"
+ }
+ },
+ "expected_output": {
+ "verdict": "REFUSE",
+ "reasons": ["crypto_posture_unknown_suite"],
+ "schema_version": "0.2.0"
+ }
+}
From 972bbdb91ce0de338b1ca57e775b604b5b25b1f0 Mon Sep 17 00:00:00 2001
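Review bot: This negative vector changes three `crypto_posture` fields relative to vector 01, not one: `alg_suite` becomes `UNKNOWN-ALG-SUITE-999`, `key_origin` becomes `external_ca`, and `toolchain_provenance` becomes `vendor-x-build-unknown`. An evaluator that refuses on key origin or provenance and never inspects the suite would still return REFUSE, so only the exact reason code tells the cases apart, and that assumes the harness compares `reasons` and not just `verdict`. Keeping `"key_origin": "onboard_kms"` and `"toolchain_provenance": "genesis-aix-build-2026.03.r1"` from vector 01 would isolate the unknown-suite path. Whether `external_ca` is itself an acceptable origin is not pinned by any vector in this series.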
From: Ricky Jones
Date: Wed, 4 Mar 2026 23:38:13 +0000
Subject: [PATCH 4/4] =?UTF-8?q?fixtures:=20add=20crypto=20posture=20vector?= =?UTF-8?q?=2004=20(invalid=20signature=20=E2=86=92=20REFUSE)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../vector_04_invalid_signature_refuse.json | 39 +++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 tests/fixtures/crypto_posture/vector_04_invalid_signature_refuse.json
diff --git a/tests/fixtures/crypto_posture/vector_04_invalid_signature_refuse.json b/tests/fixtures/crypto_posture/vector_04_invalid_signature_refuse.json
new file mode 100644
index 0000000..beeda11
--- /dev/null
+++ b/tests/fixtures/crypto_posture/vector_04_invalid_signature_refuse.json
@@ -0,0 +1,39 @@
+{
+ "_meta": {
+ "vector_id": "crypto_posture_04",
+ "description": "Invalid signature or wrong algorithm — algorithm mismatch triggers REFUSE",
+ "category": "invalid_signature_refuse",
+ "expected_verdict": "REFUSE",
+ "expected_reason_code": "crypto_posture_invalid_signature"
+ },
+ "input": {
+ "actor_id": "operator-delta",
+ "action_class": "sensitive_command",
+ "context": {
+ "mission_phase": "return",
+ "comms_mode": "LOS"
+ },
+ "authority_scope": {
+ "level": "tactical",
+ "delegation_chain": ["ground_authority", "vessel_commander", "watch_officer"]
+ },
+ "invariant_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+ "crypto_posture": {
+ "alg_suite": "ML-DSA-65",
+ "key_origin": "onboard_kms",
+ "rotation_epoch": "2026-03-01T00:00:00Z",
+ "policy_hash": "d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5",
+ "toolchain_provenance": "genesis-aix-build-2026.03.r1"
+ },
+ "signature_verification": {
+ "declared_alg": "ML-DSA-65",
+ "actual_alg_used": "Ed25519",
+ "verification_result": "FAIL"
+ }
+ },
+ "expected_output": {
+ "verdict": "REFUSE",
+ "reasons": ["crypto_posture_invalid_signature"],
+ "schema_version": "0.2.0"
+ }
+}
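Review bot: The `signature_verification` object sits under `input` and already carries `"verification_result": "FAIL"`, so this vector can only show that the evaluator honours a caller-supplied result, not that it detects a bad signature; no signature, message or key material appears in the fixture. It also sets two failure conditions at once (`declared_alg` differs from `actual_alg_used`, and the result is FAIL), so an evaluator that ignores the algorithm mismatch still passes. I would split it into one vector with matching algorithms and `"verification_result": "FAIL"`, and one with the mismatch and a passing result that must still REFUSE. Vectors 01 and 02 expect ALLOW with no `signature_verification` block at all; if the block is meant to be mandatory for `sensitive_command`, a missing-block REFUSE vector is needed as well.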