Add sample proof bundle configurations and verification script

- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`.
- Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs.
- Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details.
- Enhanced evidence entries with expiration dates and hashes for better integrity checks.
- Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.

docs/benchmarks/vex-evidence-playbook.schema.json

@@ -0,0 +1,225 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.local/docs/benchmarks/vex-evidence-playbook.schema.json",
+  "title": "StellaOps VEX Proof Bundle",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "version",
+    "created_at",
+    "created_by",
+    "graph",
+    "openvex",
+    "justification",
+    "entrypoints",
+    "evidence",
+    "rbac",
+    "reevaluation",
+    "uncertainty",
+    "signatures"
+  ],
+  "properties": {
+    "id": {
+      "type": "string",
+      "description": "Stable proof bundle identifier (URN recommended)."
+    },
+    "version": {
+      "type": "string",
+      "description": "Semantic version of the bundle payload schema."
+    },
+    "created_at": {
+      "type": "string",
+      "format": "date-time",
+      "description": "UTC timestamp when the bundle was produced."
+    },
+    "created_by": {
+      "type": "string",
+      "description": "Issuer of the bundle (service, user, or automation identity)."
+    },
+    "graph": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["hash"],
+      "properties": {
+        "hash": {
+          "$ref": "#/definitions/digest",
+          "description": "BLAKE3-256 (preferred) or SHA-256 hash of the reachability graph."
+        },
+        "dsse": { "$ref": "#/definitions/dsseRef" },
+        "revision_id": {
+          "type": "string",
+          "description": "Optional graph revision identifier or CAS key."
+        }
+      }
+    },
+    "openvex": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["path", "statement_id", "canonical_sha256", "canonical_blake3", "serialization"],
+      "properties": {
+        "path": { "type": "string" },
+        "statement_id": { "type": "string" },
+        "canonical_sha256": { "$ref": "#/definitions/sha256" },
+        "canonical_blake3": { "$ref": "#/definitions/blake3" },
+        "serialization": {
+          "type": "string",
+          "enum": ["canonical-json", "csaf", "cyclonedx"],
+          "description": "Serialization strategy for the OpenVEX payload."
+        }
+      }
+    },
+    "justification": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["id"],
+      "properties": {
+        "id": {
+          "type": "string",
+          "description": "Justification catalog identifier (e.g., VEX1.vulnerable_code_not_present)."
+        },
+        "dsse": { "$ref": "#/definitions/dsseRef" }
+      }
+    },
+    "entrypoints": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["id", "coverage_percent", "negative_tests", "config_hash", "flags_hash"],
+        "properties": {
+          "id": { "type": "string" },
+          "coverage_percent": {
+            "type": "number",
+            "minimum": 0,
+            "maximum": 100
+          },
+          "negative_tests": { "type": "boolean" },
+          "config_hash": { "$ref": "#/definitions/sha256" },
+          "flags_hash": { "$ref": "#/definitions/sha256" },
+          "evidence_links": {
+            "type": "array",
+            "items": { "type": "string" }
+          }
+        }
+      }
+    },
+    "evidence": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["type", "cas_uri", "hash", "expires_at"],
+        "properties": {
+          "type": {
+            "type": "string",
+            "enum": ["graph", "coverage", "runtime_trace", "negative_test", "config", "flags", "sbom", "scan", "policy"]
+          },
+          "cas_uri": { "type": "string" },
+          "hash": { "$ref": "#/definitions/digest" },
+          "dsse": { "$ref": "#/definitions/dsseRef" },
+          "expires_at": { "type": "string", "format": "date-time" }
+        }
+      }
+    },
+    "rbac": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["roles_allowed", "approvals_required"],
+      "properties": {
+        "roles_allowed": {
+          "type": "array",
+          "minItems": 1,
+          "items": { "type": "string" }
+        },
+        "approvals_required": {
+          "type": "integer",
+          "minimum": 1
+        },
+        "enforcement": {
+          "type": "string",
+          "description": "How RBAC is enforced (policy, signer, or both)."
+        }
+      }
+    },
+    "reevaluation": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["on_sbom_change", "on_graph_change", "on_runtime_change"],
+      "properties": {
+        "on_sbom_change": { "type": "boolean" },
+        "on_graph_change": { "type": "boolean" },
+        "on_runtime_change": { "type": "boolean" },
+        "ttl_days": {
+          "type": "integer",
+          "minimum": 1,
+          "description": "Maximum lifetime before forced reevaluation."
+        }
+      }
+    },
+    "uncertainty": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["state", "entropy"],
+      "properties": {
+        "state": { "type": "string", "enum": ["U0-none", "U1-low", "U2-medium", "U3-high"] },
+        "entropy": { "type": "number", "minimum": 0, "maximum": 1 },
+        "notes": { "type": "string" }
+      }
+    },
+    "policy": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "decision": { "type": "string" },
+        "decision_reason": { "type": "string" },
+        "openvex_serialization": { "type": "string" },
+        "canonical_encoding": { "type": "string" }
+      }
+    },
+    "signatures": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["type", "key_id", "envelope_digest"],
+        "properties": {
+          "type": { "type": "string", "enum": ["dsse", "jws"] },
+          "key_id": { "type": "string" },
+          "sig": { "type": "string" },
+          "envelope_digest": { "$ref": "#/definitions/sha256" },
+          "rekor_log_id": { "type": "string" },
+          "rekor_entry_uuid": { "type": "string" },
+          "transparency_checkpoint": { "type": "string" }
+        }
+      }
+    }
+  },
+  "definitions": {
+    "sha256": {
+      "type": "string",
+      "pattern": "^sha256:[A-Fa-f0-9]{64}$"
+    },
+    "blake3": {
+      "type": "string",
+      "pattern": "^blake3:[A-Fa-f0-9]{64}$"
+    },
+    "digest": {
+      "type": "string",
+      "pattern": "^(sha256|blake3):[A-Fa-f0-9]{64}$"
+    },
+    "dsseRef": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["path", "sha256"],
+      "properties": {
+        "path": { "type": "string" },
+        "sha256": { "$ref": "#/definitions/sha256" },
+        "payload_sha256": { "$ref": "#/definitions/sha256" }
+      }
+    }
+  }
+}