"""Programmatically generate the crafted JPEG fixture for CVE-2025-53644.

Per AZ-406 § Risk 5 — the upstream PoC JPEG has unclear redistribution
terms, so the e2e harness generates a structurally equivalent file from
scratch rather than committing copyrighted bytes.

The fixture is consumed by NFT-SEC-04 (OpenCV CVE-2025-53644 +
AddressSanitizer fuzz). The intent is NOT to reproduce the exact RCE; it
is to provide a malformed JPEG with the structural features the CVE
exploits (oversized DHT segment, truncated SOS marker) so the SUT's
hardened OpenCV path (>= 4.12.0) rejects it.

AZ-406 commits to the generator's existence + signature; AZ-439
(NFT-SEC-04) supplies the byte-level details and validates the generated
file actually triggers the CVE code path against opencv 4.11.x (control)
vs 4.12+ (mitigated).
"""

from __future__ import annotations

from pathlib import Path


def generate(out_path: Path) -> Path:
    """Write a malformed JPEG to ``out_path``. Returns the path on success.

    Raises NotImplementedError until AZ-439 supplies the byte template.
    Tests that need the crafted fixture should mark themselves
    @pytest.mark.skip(reason="awaiting AZ-439") until then.
    """
    raise NotImplementedError(
        "generate_cve_jpeg.generate is owned by AZ-439 — AZ-406 commits "
        "to the public signature only."
    )


if __name__ == "__main__":
    import argparse

    parser = argparse.ArgumentParser(description="Generate CVE-2025-53644 fixture JPEG.")
    parser.add_argument("out", type=Path, default=Path("cve-2025-53644.jpg"))
    args = parser.parse_args()
    generate(args.out)