# Security Test Scenarios

## ST-ENC-01: Encryption produces different ciphertext each time (random IV)

- **Input**: Same 1024 bytes, same key, encrypt twice
- **Action**: Compare two ciphertexts
- **Expected**: Ciphertexts differ (random IV ensures non-deterministic output)
- **Traces**: AC: AES-256-CBC with random IV

## ST-ENC-02: Wrong key cannot recover plaintext

- **Input**: Encrypt with "key-a", attempt decrypt with "key-b"
- **Action**: `Security.decrypt_to(encrypted, "key-b")`
- **Expected**: Output != original plaintext
- **Traces**: AC: Key-dependent encryption

## ST-ENC-03: Model encryption key is deterministic

- **Input**: Call `Security.get_model_encryption_key()` twice
- **Action**: Compare results
- **Expected**: Identical strings
- **Traces**: AC: Static model encryption key

## ST-HSH-01: Hardware hash is deterministic for same input

- **Input**: Same hardware info string
- **Action**: `Security.get_hw_hash()` called twice
- **Expected**: Identical output
- **Traces**: AC: Hardware fingerprinting determinism

## ST-HSH-02: Different hardware produces different hash

- **Input**: Two different hardware info strings
- **Action**: `Security.get_hw_hash()` on each
- **Expected**: Different outputs
- **Traces**: AC: Hardware-bound uniqueness

## ST-HSH-03: API encryption key depends on credentials + hardware

- **Input**: Same credentials with different hardware hashes
- **Action**: `Security.get_api_encryption_key()` for each
- **Expected**: Different keys
- **Traces**: AC: Hardware-bound API encryption

## ST-HSH-04: API encryption key depends on credentials

- **Input**: Different credentials with same hardware hash
- **Action**: `Security.get_api_encryption_key()` for each
- **Expected**: Different keys
- **Traces**: AC: Credential-dependent API encryption
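
Scenarios ST-HSH-01 to ST-HSH-04 written as executable checks, as an added example that is not the project's own code; it goes beyond the scenarios by also running them against a deliberately defective variant to show which scenario catches a key that is not hardware-bound. `StandInSecurity`, `IgnoresHardware`, `run_hash_scenarios`, the SHA-256 derivations, the method parameters and the sample inputs are all assumptions, since the page does not show how `Security` is implemented.

```python
import hashlib


class StandInSecurity:
    """Hypothetical stand-in; the real Security class is not shown on the page."""

    @staticmethod
    def get_hw_hash(hw_info: str) -> str:
        # Assumed: plain SHA-256 over the hardware info string.
        return hashlib.sha256(hw_info.encode("utf-8")).hexdigest()

    @staticmethod
    def get_api_encryption_key(email: str, password: str, hw_hash: str) -> str:
        # Assumed derivation. Length-prefixing each field keeps the encoding
        # unambiguous, so ("ab", "c") and ("a", "bc") cannot collide.
        h = hashlib.sha256()
        for field in (email, password, hw_hash):
            data = field.encode("utf-8")
            h.update(len(data).to_bytes(4, "big") + data)
        return h.hexdigest()


class IgnoresHardware(StandInSecurity):
    """Deliberately defective variant: the key is not bound to the machine."""

    @staticmethod
    def get_api_encryption_key(email: str, password: str, hw_hash: str) -> str:
        return hashlib.sha256(f"{email}:{password}".encode("utf-8")).hexdigest()


def run_hash_scenarios(sec) -> dict:
    """Evaluate ST-HSH-01..04 against `sec`; True means the scenario passes."""
    # Constructed sample inputs.
    hw_a, hw_b = "CPU: X1; GPU: Y1; SN: 0001", "CPU: X2; GPU: Y2; SN: 0002"
    hash_a, hash_b = sec.get_hw_hash(hw_a), sec.get_hw_hash(hw_b)
    key = sec.get_api_encryption_key
    return {
        "ST-HSH-01": sec.get_hw_hash(hw_a) == hash_a,
        "ST-HSH-02": hash_a != hash_b,
        "ST-HSH-03": key("user@example.com", "pw-1", hash_a)
        != key("user@example.com", "pw-1", hash_b),
        "ST-HSH-04": key("user@example.com", "pw-1", hash_a)
        != key("other@example.com", "pw-2", hash_a),
    }


if __name__ == "__main__":
    for name, impl in (("stand-in", StandInSecurity), ("defective", IgnoresHardware)):
        print(name, run_hash_scenarios(impl))
```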