Add sample proof bundle configurations and verification script

- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`.
- Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs.
- Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details.
- Enhanced evidence entries with expiration dates and hashes for better integrity checks.
- Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.

tests/EvidenceLocker/Bundles/Golden/README.md

@@ -0,0 +1,20 @@
+# Evidence Locker Golden Fixtures (EB10)
+
+Purpose: reference bundles and replay records used by CI to prove deterministic packaging, DSSE subject stability, and portable redaction behaviour.
+
+## Layout
+- `sealed/` – sealed `bundle.tgz` artifacts with matching `manifest.json`, `checksums.txt`, and expected Merkle root in `expected.json`.
+- `portable/` – redacted `portable-bundle-v1.tgz` paired with `expected.json` noting masked fields.
+- `replay/` – `replay.ndjson` records aligned to the bundle fixtures; ordering is canonical (recordedAtUtc, scanId).
+
+## Expectations
+- Gzip timestamp pinned to `2025-01-01T00:00:00Z`; tar entries use `0644` perms and fixed mtime.
+- `checksums.txt` sorted lexicographically by `canonicalPath`; Merkle root equals `sha256sum checksums.txt`.
+- DSSE subject ties to the Merkle root; manifest validates against `schemas/bundle.manifest.schema.json`.
+- Portable bundles must exclude tenant identifiers and include redaction metadata in the manifest.
+
+## How to (re)generate
+1. Set `TZ=UTC` and ensure deterministic tool versions.
+2. Run EvidenceLocker pipeline to produce sealed bundle; copy outputs here with expected hash values.
+3. Produce portable bundle and replay records using the same input set; write `expected.json` capturing root hashes and replay digests.
+4. Update xUnit tests in `StellaOps.EvidenceLocker.Tests` to consume these fixtures without network calls.

tests/Vex/ProofBundles/cas/config.lock

@@ -0,0 +1,2 @@
+FEATURE_X=false
+MODE=prod

tests/Vex/ProofBundles/cas/coverage.json

@@ -0,0 +1,16 @@
+{
+  "tool": "reach-cov",
+  "entrypoints": [
+    {
+      "id": "app://api/GET-/healthz",
+      "coverage_percent": 96.3,
+      "negative_tests": true
+    },
+    {
+      "id": "app://worker/queue/default",
+      "coverage_percent": 95.1,
+      "negative_tests": true
+    }
+  ],
+  "timestamp": "2025-12-03T23:50:00Z"
+}

tests/Vex/ProofBundles/cas/coverage.json.dsse.json

@@ -0,0 +1,19 @@
+{
+  "payloadType": "application/vnd.stellaops+json",
+  "payload": "ewogICJ0b29sIjogInJlYWNoLWNvdiIsCiAgImVudHJ5cG9pbnRzIjogWwogICAgewogICAgICAiaWQiOiAiYXBwOi8vYXBpL0dFVC0vaGVhbHRoeiIsCiAgICAgICJjb3ZlcmFnZV9wZXJjZW50IjogOTYuMywKICAgICAgIm5lZ2F0aXZlX3Rlc3RzIjogdHJ1ZQogICAgfSwKICAgIHsKICAgICAgImlkIjogImFwcDovL3dvcmtlci9xdWV1ZS9kZWZhdWx0IiwKICAgICAgImNvdmVyYWdlX3BlcmNlbnQiOiA5NS4xLAogICAgICAibmVnYXRpdmVfdGVzdHMiOiB0cnVlCiAgICB9CiAgXSwKICAidGltZXN0YW1wIjogIjIwMjUtMTItMDNUMjM6NTA6MDBaIgp9Cg==",
+  "signatures": [
+    {
+      "keyid": "demo-root",
+      "sig": "9MRq4VDHrDJFAkshof/MS6XAPI2U/ivwmuHnQFuaDrM="
+    }
+  ],
+  "subject": [
+    {
+      "name": "coverage.json",
+      "hashes": {
+        "sha256": "422f9840d6facaae093d6496eeac472e10b19519854953454107c1b14945f510",
+        "blake3": "43bdea3c8b0bc1e0c52d317c5b03d08deb75c5017b6f52a9d703a60efbd87e29"
+      }
+    }
+  ]
+}

tests/Vex/ProofBundles/cas/flags.json

@@ -0,0 +1 @@
+{"feature_gates":{"allow_unknown":false,"strict_vex":true},"release":"2025.12.0"}

tests/Vex/ProofBundles/cas/graph.json

@@ -0,0 +1,18 @@
+{
+  "graph_version": "richgraph-v1",
+  "root": "pkg:demo/app@1.0.0",
+  "nodes": 3,
+  "edges": 2,
+  "hashing": "blake3-256",
+  "generated_at": "2025-12-03T23:45:00Z",
+  "paths": [
+    {
+      "from": "pkg:demo/app@1.0.0#main",
+      "to": "pkg:demo/lib@1.0.0#render"
+    },
+    {
+      "from": "pkg:demo/lib@1.0.0#render",
+      "to": "pkg:demo/lib@1.0.0#helper"
+    }
+  ]
+}

tests/Vex/ProofBundles/cas/graph.json.dsse.json

@@ -0,0 +1,19 @@
+{
+  "payloadType": "application/vnd.stellaops+json",
+  "payload": "ewogICJncmFwaF92ZXJzaW9uIjogInJpY2hncmFwaC12MSIsCiAgInJvb3QiOiAicGtnOmRlbW8vYXBwQDEuMC4wIiwKICAibm9kZXMiOiAzLAogICJlZGdlcyI6IDIsCiAgImhhc2hpbmciOiAiYmxha2UzLTI1NiIsCiAgImdlbmVyYXRlZF9hdCI6ICIyMDI1LTEyLTAzVDIzOjQ1OjAwWiIsCiAgInBhdGhzIjogWwogICAgewogICAgICAiZnJvbSI6ICJwa2c6ZGVtby9hcHBAMS4wLjAjbWFpbiIsCiAgICAgICJ0byI6ICJwa2c6ZGVtby9saWJAMS4wLjAjcmVuZGVyIgogICAgfSwKICAgIHsKICAgICAgImZyb20iOiAicGtnOmRlbW8vbGliQDEuMC4wI3JlbmRlciIsCiAgICAgICJ0byI6ICJwa2c6ZGVtby9saWJAMS4wLjAjaGVscGVyIgogICAgfQogIF0KfQo=",
+  "signatures": [
+    {
+      "keyid": "demo-root",
+      "sig": "USa7UXD1aQyBm6v4gGSBsbQAnMd7IXG1Kw+HwQBXpnU="
+    }
+  ],
+  "subject": [
+    {
+      "name": "graph.json",
+      "hashes": {
+        "sha256": "34d8051bb97bd3c034e6a2221474ce2faaaca59357721fa1b47df88a281d057b",
+        "blake3": "74640754695e6e5cda4156a0ef1fd3a557d802ef118fef8afaed67089cd39cb1"
+      }
+    }
+  ]
+}

tests/Vex/ProofBundles/cas/negative-tests.ndjson

@@ -0,0 +1,2 @@
+{"name": "healthz-no-repro", "result": "pass", "seed": 42}
+{"name": "worker-queue-no-exec", "result": "pass", "seed": 84}

tests/Vex/ProofBundles/cas/runtime-trace.ndjson

@@ -0,0 +1,2 @@
+{"function": "pkg:demo/app@1.0.0#main", "probe": "eventpipe", "ts": "2025-12-03T23:46:00Z"}
+{"function": "pkg:demo/lib@1.0.0#render", "probe": "eventpipe", "ts": "2025-12-03T23:46:01Z"}

tests/Vex/ProofBundles/openvex-config.json

@@ -0,0 +1,28 @@
+{
+  "context": "https://openvex.dev/ns/v0.2.0",
+  "metadata": {
+    "id": "urn:stellaops:vex:config-guard-1",
+    "author": "StellaOps Excititor",
+    "timestamp": "2025-12-04T00:00:00Z"
+  },
+  "statements": [
+    {
+      "vulnerability": "CVE-2024-7777",
+      "products": [
+        "pkg:demo/app@1.0.1"
+      ],
+      "status": "not_affected",
+      "status_notes": "Feature flags disable vulnerable path; negative tests and runtime trace clean.",
+      "justification": "configuration_required",
+      "statementID": "urn:stellaops:vex:statement:config-guard-1",
+      "last_updated": "2025-12-04T00:00:00Z",
+      "known_exploited": false,
+      "references": [
+        {
+          "summary": "Proof bundle",
+          "url": "cas://proofbundles/sample-proof-bundle-config.json"
+        }
+      ]
+    }
+  ]
+}

tests/Vex/ProofBundles/openvex-sample.json

@@ -0,0 +1,35 @@
+{
+  "context": "https://openvex.dev/ns/v0.2.0",
+  "metadata": {
+    "id": "urn:stellaops:vex:sample-hello-1",
+    "author": "StellaOps Excititor",
+    "timestamp": "2025-12-04T00:00:00Z"
+  },
+  "statements": [
+    {
+      "vulnerability": "CVE-2024-9999",
+      "products": [
+        "pkg:demo/app@1.0.0"
+      ],
+      "status": "not_affected",
+      "status_notes": "Entry-point coverage 96% with negative tests; runtime probes clean.",
+      "justification": "vulnerable_code_not_present",
+      "statementID": "urn:stellaops:vex:statement:sample-hello-1",
+      "last_updated": "2025-12-04T00:00:00Z",
+      "known_exploited": false,
+      "references": [
+        {
+          "summary": "Proof bundle",
+          "url": "cas://proofbundles/sample-proof-bundle.json"
+        }
+      ],
+      "subcomponents": [
+        {
+          "product": "pkg:demo/lib@1.0.0",
+          "status": "not_affected",
+          "justification": "vulnerable_code_not_in_execute_path"
+        }
+      ]
+    }
+  ]
+}

tests/Vex/ProofBundles/sample-proof-bundle-config.dsse.json

@@ -0,0 +1,19 @@
+{
+  "payloadType": "application/vnd.stellaops.proofbundle+json",
+  "payload": "eyJjcmVhdGVkX2F0IjoiMjAyNS0xMi0wNFQwMDowMDowMFoiLCJjcmVhdGVkX2J5IjoiU3RlbGxhT3BzIFBvbGljeSBHdWlsZCIsImVudHJ5cG9pbnRzIjpbeyJjb25maWdfaGFzaCI6InNoYTI1NjpiYjQ5MGNlNGNkZTYwNzY4ZTJiNjE1NzFiYmU0NDgyOTBlNDI1NmQyZDkzMGFkZWEwZWUyNGMwN2U1YzYzZGJjIiwiY292ZXJhZ2VfcGVyY2VudCI6OTcuNCwiZmxhZ3NfaGFzaCI6InNoYTI1NjpkMDYwYWI4Y2RmNzVhZWRhNjM2M2JjYzZkZTQ5NWUyN2I1M2M5ZDU5MzhkOTdmNTQ5MmU4NjQ2ODFkOGNiZTUzIiwiaWQiOiJhcHA6Ly9hcGkvR0VULS9oZWFsdGh6IiwibmVnYXRpdmVfdGVzdHMiOnRydWV9LHsiY29uZmlnX2hhc2giOiJzaGEyNTY6YmI0OTBjZTRjZGU2MDc2OGUyYjYxNTcxYmJlNDQ4MjkwZTQyNTZkMmQ5MzBhZGVhMGVlMjRjMDdlNWM2M2RiYyIsImNvdmVyYWdlX3BlcmNlbnQiOjk3LjEsImZsYWdzX2hhc2giOiJzaGEyNTY6ZDA2MGFiOGNkZjc1YWVkYTYzNjNiY2M2ZGU0OTVlMjdiNTNjOWQ1OTM4ZDk3ZjU0OTJlODY0NjgxZDhjYmU1MyIsImlkIjoiYXBwOi8vd29ya2VyL3F1ZXVlL2RlZmF1bHQiLCJuZWdhdGl2ZV90ZXN0cyI6dHJ1ZX1dLCJldmlkZW5jZSI6W3siY2FzX3VyaSI6ImNhczovL2dyYXBoLmpzb24iLCJkc3NlIjp7InBhdGgiOiJ0ZXN0cy9WZXgvUHJvb2ZCdW5kbGVzL2Nhcy9ncmFwaC5qc29uLmRzc2UuanNvbiIsInNoYTI1NiI6InNoYTI1NjozYmIxZGM2YWY1Yzk3NDYzNWVkMzg3ZmRmOTM4ZjVhOTgzYzM3MGQ3N2QwMWEwMzJhYTYzZjU0MDdlZmNmYzdmIn0sImV4cGlyZXNfYXQiOiIyMDI2LTEyLTMxVDAwOjAwOjAwWiIsImhhc2giOiJibGFrZTM6NzQ2NDA3NTQ2OTVlNmU1Y2RhNDE1NmEwZWYxZmQzYTU1N2Q4MDJlZjExOGZlZjhhZmFlZDY3MDg5Y2QzOWNiMSIsInR5cGUiOiJncmFwaCJ9LHsiY2FzX3VyaSI6ImNhczovL2NvdmVyYWdlLmpzb24iLCJkc3NlIjp7InBhdGgiOiJ0ZXN0cy9WZXgvUHJvb2ZCdW5kbGVzL2Nhcy9jb3ZlcmFnZS5qc29uLmRzc2UuanNvbiIsInNoYTI1NiI6InNoYTI1Njo2MDY4NjRkMjE2NWI5ZGRmZWE2NjRkY2EzNjMxODYxNmU1ZWE1NzVlMmU5NmU3ZmEyYmMyMDRjYzNmNzlmZTJmIn0sImV4cGlyZXNfYXQiOiIyMDI2LTA2LTMwVDAwOjAwOjAwWiIsImhhc2giOiJzaGEyNTY6NDIyZjk4NDBkNmZhY2FhZTA5M2Q2NDk2ZWVhYzQ3MmUxMGIxOTUxOTg1NDk1MzQ1NDEwN2MxYjE0OTQ1ZjUxMCIsInR5cGUiOiJjb3ZlcmFnZSJ9LHsiY2FzX3VyaSI6ImNhczovL3J1bnRpbWUtdHJhY2UubmRqc29uIiwiZXhwaXJlc19hdCI6IjIwMjYtMDYtMzBUMDA6MDA6MDBaIiwiaGFzaCI6InNoYTI1NjpjMGE5MWY2NDViODk5ZTQ1NzJlYzI0NjAzOTE2Y2RmZTk4MjkzNGY0N2ViZGFlYzJlZjY3ZWU5MzAzNTY4YTc3IiwidHlwZSI6InJ1bnRpbWVfdHJhY2UifSx7ImNhc191cmkiOiJjYXM6Ly9uZWdhdGl2ZS10ZXN0cy5uZGpzb24iLCJleHBpcmVzX2F0IjoiMjAyNi0wNi0zMFQwMDowMDowMFoiLCJoYXNoIjoic2hhMjU2OjA5ZWZkYTA1Nzc5NmI4ZjBmMGZhMDAxNTA1ZDllNjg0Y2YwNGUwNWFjOGUzYzZmZTI0NDc2YTM2N2JiNzhhYWEiLCJ0eXBlIjoibmVnYXRpdmVfdGVzdCJ9LHsiY2FzX3VyaSI6ImNhczovL2NvbmZpZy5sb2NrIiwiZXhwaXJlc19hdCI6IjIwMjYtMDMtMzFUMDA6MDA6MDBaIiwiaGFzaCI6InNoYTI1NjpiYjQ5MGNlNGNkZTYwNzY4ZTJiNjE1NzFiYmU0NDgyOTBlNDI1NmQyZDkzMGFkZWEwZWUyNGMwN2U1YzYzZGJjIiwidHlwZSI6ImNvbmZpZyJ9LHsiY2FzX3VyaSI6ImNhczovL2ZsYWdzLmpzb24iLCJleHBpcmVzX2F0IjoiMjAyNi0wMy0zMVQwMDowMDowMFoiLCJoYXNoIjoic2hhMjU2OmQwNjBhYjhjZGY3NWFlZGE2MzYzYmNjNmRlNDk1ZTI3YjUzYzlkNTkzOGQ5N2Y1NDkyZTg2NDY4MWQ4Y2JlNTMiLCJ0eXBlIjoiZmxhZ3MifV0sImdyYXBoIjp7ImRzc2UiOnsicGF0aCI6InRlc3RzL1ZleC9Qcm9vZkJ1bmRsZXMvY2FzL2dyYXBoLmpzb24uZHNzZS5qc29uIiwicGF5bG9hZF9zaGEyNTYiOiJzaGEyNTY6MzRkODA1MWJiOTdiZDNjMDM0ZTZhMjIyMTQ3NGNlMmZhYWFjYTU5MzU3NzIxZmExYjQ3ZGY4OGEyODFkMDU3YiIsInNoYTI1NiI6InNoYTI1NjozYmIxZGM2YWY1Yzk3NDYzNWVkMzg3ZmRmOTM4ZjVhOTgzYzM3MGQ3N2QwMWEwMzJhYTYzZjU0MDdlZmNmYzdmIn0sImhhc2giOiJibGFrZTM6NzQ2NDA3NTQ2OTVlNmU1Y2RhNDE1NmEwZWYxZmQzYTU1N2Q4MDJlZjExOGZlZjhhZmFlZDY3MDg5Y2QzOWNiMSJ9LCJpZCI6InVybjpzdGVsbGFvcHM6cHJvb2ZidW5kbGU6Y29uZmlnLWd1YXJkLTEiLCJqdXN0aWZpY2F0aW9uIjp7ImRzc2UiOnsicGF0aCI6ImRvY3MvYmVuY2htYXJrcy92ZXgtanVzdGlmaWNhdGlvbnMuY2F0YWxvZy5kc3NlLmpzb24iLCJzaGEyNTYiOiJzaGEyNTY6N2RmM2NiZDk3MGJjODUxYjUxY2UzNWZmMWM2MWY5MjdiNjJmZTM1MTRlNWZmNjMxM2E1YmFkMjZkNjc1YjBjNyJ9LCJpZCI6IlZFWDMuY29uZmlnX25vdF92dWxuZXJhYmxlIn0sIm9wZW52ZXgiOnsiY2Fub25pY2FsX2JsYWtlMyI6ImJsYWtlMzo3MjA0OGU0ODk0Njg2NTYzMTJlY2FjNDk3ZGE4ZGFlYTczMTgwNGE1MzBmMDFkMTliYjM5M2ZlZjcyNzRjNzM2IiwiY2Fub25pY2FsX3NoYTI1NiI6InNoYTI1NjowYTNmYTY2ZmRkNTBlZjg4YTFiMzRhZTY3NzYwNDVhOGU5YTQzMTc3MjBkN2Q4NzU1MzVkOTE2ZmJiN2Y4MWI5IiwicGF0aCI6InRlc3RzL1ZleC9Qcm9vZkJ1bmRsZXMvb3BlbnZleC1jb25maWcuanNvbiIsInNlcmlhbGl6YXRpb24iOiJjYW5vbmljYWwtanNvbiIsInN0YXRlbWVudF9pZCI6InVybjpzdGVsbGFvcHM6dmV4OnN0YXRlbWVudDpjb25maWctZ3VhcmQtMSJ9LCJwb2xpY3kiOnsiY2Fub25pY2FsX2VuY29kaW5nIjoiSkNTIiwiZGVjaXNpb24iOiJub3RfYWZmZWN0ZWQiLCJkZWNpc2lvbl9yZWFzb24iOiJjb25maWdfbm90X3Z1bG5lcmFibGUiLCJvcGVudmV4X3NlcmlhbGl6YXRpb24iOiJjYW5vbmljYWwtanNvbiJ9LCJyYmFjIjp7ImFwcHJvdmFsc19yZXF1aXJlZCI6MiwiZW5mb3JjZW1lbnQiOiJwb2xpY3krc2lnbmVyIiwicm9sZXNfYWxsb3dlZCI6WyJ2ZXgtYXV0aG9yIiwicG9saWN5LWFkbWluIl19LCJyZWV2YWx1YXRpb24iOnsib25fZ3JhcGhfY2hhbmdlIjp0cnVlLCJvbl9ydW50aW1lX2NoYW5nZSI6dHJ1ZSwib25fc2JvbV9jaGFuZ2UiOnRydWUsInR0bF9kYXlzIjozMH0sInNpZ25hdHVyZXMiOlt7ImVudmVsb3BlX2RpZ2VzdCI6InNoYTI1Njo5YjFjYjUzNjYwMjhiZjY3OThjN2ZmY2QwNzUzOWM0ODM2NjM5YjEyMWY4Nzk4ZDI5NmEyNzNjMmI1ZTVjOTRiIiwia2V5X2lkIjoiZGVtby1yb290IiwicmVrb3JfZW50cnlfdXVpZCI6ImRlbW8tZW50cnktMDAwMiIsInJla29yX2xvZ19pZCI6ImRlbW8tbG9nIiwic2lnIjoiQzNtaUpGaERSZE5UeG5CSlNYU0tlaWlscVRhRjQ0cG9YVjNHSEFqZlZ4UT0iLCJ0cmFuc3BhcmVuY3lfY2hlY2twb2ludCI6ImNoZWNrcG9pbnQtY29uZmlnIiwidHlwZSI6ImRzc2UifV0sInVuY2VydGFpbnR5Ijp7ImVudHJvcHkiOjAuMTcsIm5vdGVzIjoiQ29uZmlnIGdhdGluZyArIG5lZ2F0aXZlIHRlc3RzOyBjb3ZlcmFnZSA+OTclLiIsInN0YXRlIjoiVTItbWVkaXVtIn0sInZlcnNpb24iOiIxLjAuMCJ9",
+  "signatures": [
+    {
+      "keyid": "demo-root",
+      "sig": "ZSKYZw7QR6rUIBOvz2JNcA9Zp3VEnzlbBg6Th5tQsOg="
+    }
+  ],
+  "subject": [
+    {
+      "name": "sample-proof-bundle-config.json",
+      "hashes": {
+        "sha256": "b0830491a68c272b2bb105d665455a7e32e87f087e112edd7b1e657775c87ef5",
+        "blake3": "9f6356dcdea1a2bfc52c82812db922d23ec4d30845bee0b9a951a96153cf24eb"
+      }
+    }
+  ]
+}

tests/Vex/ProofBundles/sample-proof-bundle-config.json

@@ -0,0 +1,126 @@
+{
+  "id": "urn:stellaops:proofbundle:config-guard-1",
+  "version": "1.0.0",
+  "created_at": "2025-12-04T00:00:00Z",
+  "created_by": "StellaOps Policy Guild",
+  "graph": {
+    "hash": "blake3:74640754695e6e5cda4156a0ef1fd3a557d802ef118fef8afaed67089cd39cb1",
+    "dsse": {
+      "path": "tests/Vex/ProofBundles/cas/graph.json.dsse.json",
+      "sha256": "sha256:3bb1dc6af5c974635ed387fdf938f5a983c370d77d01a032aa63f5407efcfc7f",
+      "payload_sha256": "sha256:34d8051bb97bd3c034e6a2221474ce2faaaca59357721fa1b47df88a281d057b"
+    }
+  },
+  "openvex": {
+    "path": "tests/Vex/ProofBundles/openvex-config.json",
+    "statement_id": "urn:stellaops:vex:statement:config-guard-1",
+    "canonical_sha256": "sha256:0a3fa66fdd50ef88a1b34ae6776045a8e9a4317720d7d875535d916fbb7f81b9",
+    "canonical_blake3": "blake3:72048e489468656312ecac497da8daea731804a530f01d19bb393fef7274c736",
+    "serialization": "canonical-json"
+  },
+  "justification": {
+    "id": "VEX3.config_not_vulnerable",
+    "dsse": {
+      "path": "docs/benchmarks/vex-justifications.catalog.dsse.json",
+      "sha256": "sha256:7df3cbd970bc851b51ce35ff1c61f927b62fe3514e5ff6313a5bad26d675b0c7"
+    }
+  },
+  "entrypoints": [
+    {
+      "id": "app://api/GET-/healthz",
+      "coverage_percent": 97.4,
+      "negative_tests": true,
+      "config_hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "flags_hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53"
+    },
+    {
+      "id": "app://worker/queue/default",
+      "coverage_percent": 97.1,
+      "negative_tests": true,
+      "config_hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "flags_hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53"
+    }
+  ],
+  "evidence": [
+    {
+      "type": "graph",
+      "cas_uri": "cas://graph.json",
+      "hash": "blake3:74640754695e6e5cda4156a0ef1fd3a557d802ef118fef8afaed67089cd39cb1",
+      "dsse": {
+        "path": "tests/Vex/ProofBundles/cas/graph.json.dsse.json",
+        "sha256": "sha256:3bb1dc6af5c974635ed387fdf938f5a983c370d77d01a032aa63f5407efcfc7f"
+      },
+      "expires_at": "2026-12-31T00:00:00Z"
+    },
+    {
+      "type": "coverage",
+      "cas_uri": "cas://coverage.json",
+      "hash": "sha256:422f9840d6facaae093d6496eeac472e10b19519854953454107c1b14945f510",
+      "dsse": {
+        "path": "tests/Vex/ProofBundles/cas/coverage.json.dsse.json",
+        "sha256": "sha256:606864d2165b9ddfea664dca36318616e5ea575e2e96e7fa2bc204cc3f79fe2f"
+      },
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "runtime_trace",
+      "cas_uri": "cas://runtime-trace.ndjson",
+      "hash": "sha256:c0a91f645b899e4572ec24603916cdfe982934f47ebdaec2ef67ee9303568a77",
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "negative_test",
+      "cas_uri": "cas://negative-tests.ndjson",
+      "hash": "sha256:09efda057796b8f0f0fa001505d9e684cf04e05ac8e3c6fe24476a367bb78aaa",
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "config",
+      "cas_uri": "cas://config.lock",
+      "hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "expires_at": "2026-03-31T00:00:00Z"
+    },
+    {
+      "type": "flags",
+      "cas_uri": "cas://flags.json",
+      "hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53",
+      "expires_at": "2026-03-31T00:00:00Z"
+    }
+  ],
+  "reevaluation": {
+    "on_sbom_change": true,
+    "on_graph_change": true,
+    "on_runtime_change": true,
+    "ttl_days": 30
+  },
+  "rbac": {
+    "roles_allowed": [
+      "vex-author",
+      "policy-admin"
+    ],
+    "approvals_required": 2,
+    "enforcement": "policy+signer"
+  },
+  "uncertainty": {
+    "state": "U2-medium",
+    "entropy": 0.17,
+    "notes": "Config gating + negative tests; coverage >97%."
+  },
+  "policy": {
+    "decision": "not_affected",
+    "decision_reason": "config_not_vulnerable",
+    "openvex_serialization": "canonical-json",
+    "canonical_encoding": "JCS"
+  },
+  "signatures": [
+    {
+      "type": "dsse",
+      "key_id": "demo-root",
+      "sig": "C3miJFhDRdNTxnBJSXSKeiilqTaF44poXV3GHAjfVxQ=",
+      "envelope_digest": "sha256:ea551c28a3b463f6e510e19674da9051e2e02d5dfd1507697750cc3def649667",
+      "rekor_log_id": "demo-log",
+      "rekor_entry_uuid": "demo-entry-0002",
+      "transparency_checkpoint": "checkpoint-config"
+    }
+  ]
+}

tests/Vex/ProofBundles/sample-proof-bundle.dsse.json

@@ -0,0 +1,19 @@
+{
+  "payloadType": "application/vnd.stellaops.proofbundle+json",
+  "payload": "eyJjcmVhdGVkX2F0IjoiMjAyNS0xMi0wNFQwMDowMDowMFoiLCJjcmVhdGVkX2J5IjoiU3RlbGxhT3BzIFFBIEd1aWxkIiwiZW50cnlwb2ludHMiOlt7ImNvbmZpZ19oYXNoIjoic2hhMjU2OmJiNDkwY2U0Y2RlNjA3NjhlMmI2MTU3MWJiZTQ0ODI5MGU0MjU2ZDJkOTMwYWRlYTBlZTI0YzA3ZTVjNjNkYmMiLCJjb3ZlcmFnZV9wZXJjZW50Ijo5Ni4zLCJmbGFnc19oYXNoIjoic2hhMjU2OmQwNjBhYjhjZGY3NWFlZGE2MzYzYmNjNmRlNDk1ZTI3YjUzYzlkNTkzOGQ5N2Y1NDkyZTg2NDY4MWQ4Y2JlNTMiLCJpZCI6ImFwcDovL2FwaS9HRVQtL2hlYWx0aHoiLCJuZWdhdGl2ZV90ZXN0cyI6dHJ1ZX0seyJjb25maWdfaGFzaCI6InNoYTI1NjpiYjQ5MGNlNGNkZTYwNzY4ZTJiNjE1NzFiYmU0NDgyOTBlNDI1NmQyZDkzMGFkZWEwZWUyNGMwN2U1YzYzZGJjIiwiY292ZXJhZ2VfcGVyY2VudCI6OTUuMSwiZmxhZ3NfaGFzaCI6InNoYTI1NjpkMDYwYWI4Y2RmNzVhZWRhNjM2M2JjYzZkZTQ5NWUyN2I1M2M5ZDU5MzhkOTdmNTQ5MmU4NjQ2ODFkOGNiZTUzIiwiaWQiOiJhcHA6Ly93b3JrZXIvcXVldWUvZGVmYXVsdCIsIm5lZ2F0aXZlX3Rlc3RzIjp0cnVlfV0sImV2aWRlbmNlIjpbeyJjYXNfdXJpIjoiY2FzOi8vZ3JhcGguanNvbiIsImRzc2UiOnsicGF0aCI6InRlc3RzL1ZleC9Qcm9vZkJ1bmRsZXMvY2FzL2dyYXBoLmpzb24uZHNzZS5qc29uIiwic2hhMjU2Ijoic2hhMjU2OjNiYjFkYzZhZjVjOTc0NjM1ZWQzODdmZGY5MzhmNWE5ODNjMzcwZDc3ZDAxYTAzMmFhNjNmNTQwN2VmY2ZjN2YifSwiZXhwaXJlc19hdCI6IjIwMjYtMTItMzFUMDA6MDA6MDBaIiwiaGFzaCI6ImJsYWtlMzo3NDY0MDc1NDY5NWU2ZTVjZGE0MTU2YTBlZjFmZDNhNTU3ZDgwMmVmMTE4ZmVmOGFmYWVkNjcwODljZDM5Y2IxIiwidHlwZSI6ImdyYXBoIn0seyJjYXNfdXJpIjoiY2FzOi8vY292ZXJhZ2UuanNvbiIsImRzc2UiOnsicGF0aCI6InRlc3RzL1ZleC9Qcm9vZkJ1bmRsZXMvY2FzL2NvdmVyYWdlLmpzb24uZHNzZS5qc29uIiwic2hhMjU2Ijoic2hhMjU2OjYwNjg2NGQyMTY1YjlkZGZlYTY2NGRjYTM2MzE4NjE2ZTVlYTU3NWUyZTk2ZTdmYTJiYzIwNGNjM2Y3OWZlMmYifSwiZXhwaXJlc19hdCI6IjIwMjYtMDYtMzBUMDA6MDA6MDBaIiwiaGFzaCI6InNoYTI1Njo0MjJmOTg0MGQ2ZmFjYWFlMDkzZDY0OTZlZWFjNDcyZTEwYjE5NTE5ODU0OTUzNDU0MTA3YzFiMTQ5NDVmNTEwIiwidHlwZSI6ImNvdmVyYWdlIn0seyJjYXNfdXJpIjoiY2FzOi8vcnVudGltZS10cmFjZS5uZGpzb24iLCJleHBpcmVzX2F0IjoiMjAyNi0wNi0zMFQwMDowMDowMFoiLCJoYXNoIjoic2hhMjU2OmMwYTkxZjY0NWI4OTllNDU3MmVjMjQ2MDM5MTZjZGZlOTgyOTM0ZjQ3ZWJkYWVjMmVmNjdlZTkzMDM1NjhhNzciLCJ0eXBlIjoicnVudGltZV90cmFjZSJ9LHsiY2FzX3VyaSI6ImNhczovL25lZ2F0aXZlLXRlc3RzLm5kanNvbiIsImV4cGlyZXNfYXQiOiIyMDI2LTA2LTMwVDAwOjAwOjAwWiIsImhhc2giOiJzaGEyNTY6MDllZmRhMDU3Nzk2YjhmMGYwZmEwMDE1MDVkOWU2ODRjZjA0ZTA1YWM4ZTNjNmZlMjQ0NzZhMzY3YmI3OGFhYSIsInR5cGUiOiJuZWdhdGl2ZV90ZXN0In0seyJjYXNfdXJpIjoiY2FzOi8vY29uZmlnLmxvY2siLCJleHBpcmVzX2F0IjoiMjAyNi0wMy0zMVQwMDowMDowMFoiLCJoYXNoIjoic2hhMjU2OmJiNDkwY2U0Y2RlNjA3NjhlMmI2MTU3MWJiZTQ0ODI5MGU0MjU2ZDJkOTMwYWRlYTBlZTI0YzA3ZTVjNjNkYmMiLCJ0eXBlIjoiY29uZmlnIn0seyJjYXNfdXJpIjoiY2FzOi8vZmxhZ3MuanNvbiIsImV4cGlyZXNfYXQiOiIyMDI2LTAzLTMxVDAwOjAwOjAwWiIsImhhc2giOiJzaGEyNTY6ZDA2MGFiOGNkZjc1YWVkYTYzNjNiY2M2ZGU0OTVlMjdiNTNjOWQ1OTM4ZDk3ZjU0OTJlODY0NjgxZDhjYmU1MyIsInR5cGUiOiJmbGFncyJ9XSwiZ3JhcGgiOnsiZHNzZSI6eyJwYXRoIjoidGVzdHMvVmV4L1Byb29mQnVuZGxlcy9jYXMvZ3JhcGguanNvbi5kc3NlLmpzb24iLCJwYXlsb2FkX3NoYTI1NiI6InNoYTI1NjozNGQ4MDUxYmI5N2JkM2MwMzRlNmEyMjIxNDc0Y2UyZmFhYWNhNTkzNTc3MjFmYTFiNDdkZjg4YTI4MWQwNTdiIiwic2hhMjU2Ijoic2hhMjU2OjNiYjFkYzZhZjVjOTc0NjM1ZWQzODdmZGY5MzhmNWE5ODNjMzcwZDc3ZDAxYTAzMmFhNjNmNTQwN2VmY2ZjN2YifSwiaGFzaCI6ImJsYWtlMzo3NDY0MDc1NDY5NWU2ZTVjZGE0MTU2YTBlZjFmZDNhNTU3ZDgwMmVmMTE4ZmVmOGFmYWVkNjcwODljZDM5Y2IxIn0sImlkIjoidXJuOnN0ZWxsYW9wczpwcm9vZmJ1bmRsZTpzYW1wbGUtaGVsbG8tMSIsImp1c3RpZmljYXRpb24iOnsiZHNzZSI6eyJwYXRoIjoiZG9jcy9iZW5jaG1hcmtzL3ZleC1qdXN0aWZpY2F0aW9ucy5jYXRhbG9nLmRzc2UuanNvbiIsInNoYTI1NiI6InNoYTI1Njo3ZGYzY2JkOTcwYmM4NTFiNTFjZTM1ZmYxYzYxZjkyN2I2MmZlMzUxNGU1ZmY2MzEzYTViYWQyNmQ2NzViMGM3In0sImlkIjoiVkVYMS52dWxuZXJhYmxlX2NvZGVfbm90X3ByZXNlbnQifSwib3BlbnZleCI6eyJjYW5vbmljYWxfYmxha2UzIjoiYmxha2UzOjAzNTA0ZjJiMWMzYjI5ODcwODUxYmFlYmM5ZTY2NThiNzZhZjJlOTI2MjA3NjcwODljZWNiNGMyMDA3MmQ4NGIiLCJjYW5vbmljYWxfc2hhMjU2Ijoic2hhMjU2Ojk0MDYzYTc4Y2MxYjBjZTM2Mzk0MTQ2N2M4ZTY3ZTM2OGMxMWRlNGQ4MjYyNWMyY2YwNWNlZGQ3NzMyNTdhM2UiLCJwYXRoIjoidGVzdHMvVmV4L1Byb29mQnVuZGxlcy9vcGVudmV4LXNhbXBsZS5qc29uIiwic2VyaWFsaXphdGlvbiI6ImNhbm9uaWNhbC1qc29uIiwic3RhdGVtZW50X2lkIjoidXJuOnN0ZWxsYW9wczp2ZXg6c3RhdGVtZW50OnNhbXBsZS1oZWxsby0xIn0sInBvbGljeSI6eyJjYW5vbmljYWxfZW5jb2RpbmciOiJKQ1MiLCJkZWNpc2lvbiI6Im5vdF9hZmZlY3RlZCIsImRlY2lzaW9uX3JlYXNvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsIm9wZW52ZXhfc2VyaWFsaXphdGlvbiI6ImNhbm9uaWNhbC1qc29uIn0sInJiYWMiOnsiYXBwcm92YWxzX3JlcXVpcmVkIjoyLCJlbmZvcmNlbWVudCI6InBvbGljeStzaWduZXIiLCJyb2xlc19hbGxvd2VkIjpbInZleC1hdXRob3IiLCJwb2xpY3ktYWRtaW4iXX0sInJlZXZhbHVhdGlvbiI6eyJvbl9ncmFwaF9jaGFuZ2UiOnRydWUsIm9uX3J1bnRpbWVfY2hhbmdlIjp0cnVlLCJvbl9zYm9tX2NoYW5nZSI6dHJ1ZSwidHRsX2RheXMiOjMwfSwic2lnbmF0dXJlcyI6W3siZW52ZWxvcGVfZGlnZXN0Ijoic2hhMjU2OmI3YmVhNjY1Mjk3M2IzZjY0MWM4MzAyMTU3OTI3NzJlZWQzMzdjMDdkZjkzYzc1ZjJjYTM3MjU1MDhiY2MwZjUiLCJrZXlfaWQiOiJkZW1vLXJvb3QiLCJyZWtvcl9lbnRyeV91dWlkIjoiZGVtby1lbnRyeS0wMDAxIiwicmVrb3JfbG9nX2lkIjoiZGVtby1sb2ciLCJzaWciOiJDM21pSkZoRFJkTlR4bkJKU1hTS2VpaWxxVGFGNDRwb1hWM0dIQWpmVnhRPSIsInRyYW5zcGFyZW5jeV9jaGVja3BvaW50IjoiY2hlY2twb2ludC1kZW1vIiwidHlwZSI6ImRzc2UifV0sInVuY2VydGFpbnR5Ijp7ImVudHJvcHkiOjAuMDgsIm5vdGVzIjoiQ292ZXJhZ2UgPjk1JSBhbmQgbmVnYXRpdmUgdGVzdHMgY2xlYW47IHJ1bnRpbWUgcHJvYmVzIG1hdGNoIHJlYWNoYWJpbGl0eSBncmFwaC4iLCJzdGF0ZSI6IlUxLWxvdyJ9LCJ2ZXJzaW9uIjoiMS4wLjAifQ==",
+  "signatures": [
+    {
+      "keyid": "demo-root",
+      "sig": "v9/Ny2xTMDg14BQjxtMinPM9ByL/9S5zH9JH8uRg6ww="
+    }
+  ],
+  "subject": [
+    {
+      "name": "sample-proof-bundle.json",
+      "hashes": {
+        "sha256": "a66c154c3452bf0445a3548ea96d2a60fa9454eb895283b322fbb29b3607bc51",
+        "blake3": "a578362df67b5d131e70ffa615553cf61cfbce736a60896c0c763d2e4964c1de"
+      }
+    }
+  ]
+}

tests/Vex/ProofBundles/sample-proof-bundle.json

@@ -0,0 +1,126 @@
+{
+  "id": "urn:stellaops:proofbundle:sample-hello-1",
+  "version": "1.0.0",
+  "created_at": "2025-12-04T00:00:00Z",
+  "created_by": "StellaOps QA Guild",
+  "graph": {
+    "hash": "blake3:74640754695e6e5cda4156a0ef1fd3a557d802ef118fef8afaed67089cd39cb1",
+    "dsse": {
+      "path": "tests/Vex/ProofBundles/cas/graph.json.dsse.json",
+      "sha256": "sha256:3bb1dc6af5c974635ed387fdf938f5a983c370d77d01a032aa63f5407efcfc7f",
+      "payload_sha256": "sha256:34d8051bb97bd3c034e6a2221474ce2faaaca59357721fa1b47df88a281d057b"
+    }
+  },
+  "openvex": {
+    "path": "tests/Vex/ProofBundles/openvex-sample.json",
+    "statement_id": "urn:stellaops:vex:statement:sample-hello-1",
+    "canonical_sha256": "sha256:94063a78cc1b0ce363941467c8e67e368c11de4d82625c2cf05cedd773257a3e",
+    "canonical_blake3": "blake3:03504f2b1c3b29870851baebc9e6658b76af2e92620767089cecb4c20072d84b",
+    "serialization": "canonical-json"
+  },
+  "justification": {
+    "id": "VEX1.vulnerable_code_not_present",
+    "dsse": {
+      "path": "docs/benchmarks/vex-justifications.catalog.dsse.json",
+      "sha256": "sha256:7df3cbd970bc851b51ce35ff1c61f927b62fe3514e5ff6313a5bad26d675b0c7"
+    }
+  },
+  "entrypoints": [
+    {
+      "id": "app://api/GET-/healthz",
+      "coverage_percent": 96.3,
+      "negative_tests": true,
+      "config_hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "flags_hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53"
+    },
+    {
+      "id": "app://worker/queue/default",
+      "coverage_percent": 95.1,
+      "negative_tests": true,
+      "config_hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "flags_hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53"
+    }
+  ],
+  "evidence": [
+    {
+      "type": "graph",
+      "cas_uri": "cas://graph.json",
+      "hash": "blake3:74640754695e6e5cda4156a0ef1fd3a557d802ef118fef8afaed67089cd39cb1",
+      "dsse": {
+        "path": "tests/Vex/ProofBundles/cas/graph.json.dsse.json",
+        "sha256": "sha256:3bb1dc6af5c974635ed387fdf938f5a983c370d77d01a032aa63f5407efcfc7f"
+      },
+      "expires_at": "2026-12-31T00:00:00Z"
+    },
+    {
+      "type": "coverage",
+      "cas_uri": "cas://coverage.json",
+      "hash": "sha256:422f9840d6facaae093d6496eeac472e10b19519854953454107c1b14945f510",
+      "dsse": {
+        "path": "tests/Vex/ProofBundles/cas/coverage.json.dsse.json",
+        "sha256": "sha256:606864d2165b9ddfea664dca36318616e5ea575e2e96e7fa2bc204cc3f79fe2f"
+      },
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "runtime_trace",
+      "cas_uri": "cas://runtime-trace.ndjson",
+      "hash": "sha256:c0a91f645b899e4572ec24603916cdfe982934f47ebdaec2ef67ee9303568a77",
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "negative_test",
+      "cas_uri": "cas://negative-tests.ndjson",
+      "hash": "sha256:09efda057796b8f0f0fa001505d9e684cf04e05ac8e3c6fe24476a367bb78aaa",
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "config",
+      "cas_uri": "cas://config.lock",
+      "hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "expires_at": "2026-03-31T00:00:00Z"
+    },
+    {
+      "type": "flags",
+      "cas_uri": "cas://flags.json",
+      "hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53",
+      "expires_at": "2026-03-31T00:00:00Z"
+    }
+  ],
+  "reevaluation": {
+    "on_sbom_change": true,
+    "on_graph_change": true,
+    "on_runtime_change": true,
+    "ttl_days": 30
+  },
+  "rbac": {
+    "roles_allowed": [
+      "vex-author",
+      "policy-admin"
+    ],
+    "approvals_required": 2,
+    "enforcement": "policy+signer"
+  },
+  "uncertainty": {
+    "state": "U1-low",
+    "entropy": 0.08,
+    "notes": "Coverage >95% and negative tests clean; runtime probes match reachability graph."
+  },
+  "policy": {
+    "decision": "not_affected",
+    "decision_reason": "vulnerable_code_not_present",
+    "openvex_serialization": "canonical-json",
+    "canonical_encoding": "JCS"
+  },
+  "signatures": [
+    {
+      "type": "dsse",
+      "key_id": "demo-root",
+      "sig": "C3miJFhDRdNTxnBJSXSKeiilqTaF44poXV3GHAjfVxQ=",
+      "envelope_digest": "sha256:cacd00d318a3f0b3f579f57322619f99e772cced0c2a7bf14a684c6ce55da7b4",
+      "rekor_log_id": "demo-log",
+      "rekor_entry_uuid": "demo-entry-0001",
+      "transparency_checkpoint": "checkpoint-demo"
+    }
+  ]
+}

tests/Vex/ProofBundles/test_verify_sample.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"
+
+schema="$repo_root/docs/benchmarks/vex-evidence-playbook.schema.json"
+catalog="$repo_root/docs/benchmarks/vex-justifications.catalog.json"
+cas_root="$repo_root/tests/Vex/ProofBundles/cas"
+
+for bundle in "$repo_root"/tests/Vex/ProofBundles/*proof-bundle*.json; do
+  [[ "$bundle" == *.dsse.json ]] && continue
+  python "$repo_root/scripts/vex/verify_proof_bundle.py" \
+    --bundle "$bundle" \
+    --schema "$schema" \
+    --catalog "$catalog" \
+    --cas-root "$cas_root"
+done