Add sample proof bundle configurations and verification script

- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`.
- Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs.
- Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details.
- Enhanced evidence entries with expiration dates and hashes for better integrity checks.
- Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.

docs/modules/evidence-locker/schemas/bundle.manifest.schema.json

@@ -0,0 +1,142 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.local/schemas/evidence/bundle.manifest.schema.json",
+  "title": "StellaOps Evidence Bundle Manifest (EB1)",
+  "description": "Canonical manifest for deterministic evidence bundles; aligns with EvidenceLocker build models and EB1–EB10 advisory gaps.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "bundleId",
+    "tenantId",
+    "kind",
+    "createdAt",
+    "metadata",
+    "entries"
+  ],
+  "properties": {
+    "bundleId": {
+      "type": "string",
+      "description": "Bundle identifier in UUID v4 N-format (no dashes).",
+      "pattern": "^[0-9a-fA-F]{32}$"
+    },
+    "tenantId": {
+      "type": "string",
+      "description": "Tenant identifier in UUID v4 N-format (no dashes).",
+      "pattern": "^[0-9a-fA-F]{32}$"
+    },
+    "kind": {
+      "description": "Bundle category; numeric values mirror EvidenceBundleKind enum.",
+      "oneOf": [
+        { "type": "string", "enum": ["evaluation", "job", "export"] },
+        { "type": "integer", "enum": [1, 2, 3] }
+      ]
+    },
+    "createdAt": {
+      "type": "string",
+      "format": "date-time",
+      "description": "Bundle creation timestamp (UTC, RFC3339)."
+    },
+    "metadata": {
+      "type": "object",
+      "description": "Arbitrary key/value metadata captured at bundle creation.",
+      "additionalProperties": { "type": "string" }
+    },
+    "entries": {
+      "type": "array",
+      "description": "Canonical file inventory used to derive checksums and Merkle root.",
+      "minItems": 1,
+      "items": { "$ref": "#/$defs/manifestEntry" }
+    },
+    "hashSummary": {
+      "type": "object",
+      "description": "Optional Merkle root summary that binds the manifest to checksums.txt.",
+      "additionalProperties": false,
+      "required": ["algorithm", "merkleRoot"],
+      "properties": {
+        "algorithm": { "type": "string", "enum": ["sha256"] },
+        "merkleRoot": { "type": "string", "pattern": "^[0-9a-f]{64}$" },
+        "checksumsPath": {
+          "type": "string",
+          "description": "Relative path to canonical checksums file inside the bundle.",
+          "default": "checksums.txt"
+        }
+      }
+    },
+    "replayProvenance": {
+      "type": "object",
+      "description": "Optional replay linkage proving how the bundle was produced for deterministic re-run.",
+      "additionalProperties": false,
+      "required": ["recordDigest"],
+      "properties": {
+        "recordDigest": { "type": "string", "pattern": "^sha256:[0-9a-f]{64}$" },
+        "sequence": { "type": "integer", "minimum": 0 },
+        "ledgerUri": { "type": "string", "format": "uri" },
+        "dsseEnvelope": {
+          "type": "string",
+          "description": "Base64-encoded DSSE envelope for replay record provenance.",
+          "contentEncoding": "base64"
+        },
+        "transparencyLog": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "rekorUuid": { "type": "string" },
+            "logIndex": { "type": "integer", "minimum": 0 },
+            "inclusionProof": { "type": "string" }
+          }
+        }
+      }
+    },
+    "incident": {
+      "type": "object",
+      "description": "Incident-mode activation/exit records captured at bundle time.",
+      "additionalProperties": false,
+      "properties": {
+        "activatedAt": { "type": "string", "format": "date-time" },
+        "activatedBy": { "type": "string" },
+        "reason": { "type": "string" },
+        "deactivatedAt": { "type": "string", "format": "date-time" },
+        "deactivatedBy": { "type": "string" }
+      }
+    },
+    "redaction": {
+      "type": "object",
+      "description": "Portable-bundle redaction details to prove tenant isolation.",
+      "additionalProperties": false,
+      "properties": {
+        "portable": { "type": "boolean", "default": false },
+        "maskedFields": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "tenantToken": {
+          "type": "string",
+          "description": "Opaque token replacing tenantId in portable bundles."
+        }
+      }
+    }
+  },
+  "$defs": {
+    "manifestEntry": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["section", "canonicalPath", "sha256", "sizeBytes", "mediaType"],
+      "properties": {
+        "section": { "type": "string", "minLength": 1 },
+        "canonicalPath": {
+          "type": "string",
+          "description": "Deterministic path within the bundle using '/' separators.",
+          "pattern": "^(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+$"
+        },
+        "sha256": { "type": "string", "pattern": "^[0-9a-f]{64}$" },
+        "sizeBytes": { "type": "integer", "minimum": 0 },
+        "mediaType": { "type": "string" },
+        "attributes": {
+          "type": "object",
+          "description": "Section-specific attributes (e.g., sbom format, dsse predicate).",
+          "additionalProperties": { "type": "string" }
+        }
+      }
+    }
+  }
+}

docs/modules/evidence-locker/schemas/checksums.schema.json

@@ -0,0 +1,47 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.local/schemas/evidence/checksums.schema.json",
+  "title": "StellaOps Evidence Bundle Checksums (EB2)",
+  "description": "Canonical checksum map used to derive the Merkle root and DSSE subject for evidence bundles.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["algorithm", "root", "entries"],
+  "properties": {
+    "algorithm": { "type": "string", "enum": ["sha256"] },
+    "root": { "type": "string", "pattern": "^[0-9a-f]{64}$" },
+    "generatedAt": { "type": "string", "format": "date-time" },
+    "bundleId": { "type": "string", "pattern": "^[0-9a-fA-F]{32}$" },
+    "tenantId": { "type": "string", "pattern": "^[0-9a-fA-F]{32}$" },
+    "entries": {
+      "type": "array",
+      "minItems": 1,
+      "description": "Sorted list of entry hashes; order must be lexicographic on canonicalPath.",
+      "items": { "$ref": "#/$defs/checksumEntry" }
+    },
+    "chunking": {
+      "type": "object",
+      "description": "Optional chunked/CAS hashing strategy for large payloads.",
+      "additionalProperties": false,
+      "properties": {
+        "strategy": { "type": "string", "enum": ["none", "fixed", "buzhash"] },
+        "chunkSizeBytes": { "type": "integer", "minimum": 1024 },
+        "casDigestAlgorithm": { "type": "string", "enum": ["sha256"] }
+      }
+    }
+  },
+  "$defs": {
+    "checksumEntry": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["canonicalPath", "sha256", "sizeBytes"],
+      "properties": {
+        "canonicalPath": {
+          "type": "string",
+          "pattern": "^(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+$"
+        },
+        "sha256": { "type": "string", "pattern": "^[0-9a-f]{64}$" },
+        "sizeBytes": { "type": "integer", "minimum": 0 }
+      }
+    }
+  }
+}