{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stellaops.local/schemas/evidence/bundle.manifest.schema.json", "title": "StellaOps Evidence Bundle Manifest (EB1)", "description": "Canonical manifest for deterministic evidence bundles; aligns with EvidenceLocker build models and EB1–EB10 advisory gaps.", "type": "object", "additionalProperties": false, "required": [ "bundleId", "tenantId", "kind", "createdAt", "metadata", "entries" ], "properties": { "bundleId": { "type": "string", "description": "Bundle identifier in UUID v4 N-format (32 hex digits, no dashes). The pattern checks only length and hex characters: it accepts either letter case and does not check the UUID version or variant bits.", "pattern": "^[0-9a-fA-F]{32}$" }, "tenantId": { "type": "string", "description": "Tenant identifier in UUID v4 N-format (32 hex digits, no dashes). The pattern checks only length and hex characters: it accepts either letter case and does not check the UUID version or variant bits.", "pattern": "^[0-9a-fA-F]{32}$" }, "kind": { "description": "Bundle category, given either as a string name or as an integer; numeric values mirror the EvidenceBundleKind enum.", "oneOf": [ { "type": "string", "enum": ["evaluation", "job", "export"] }, { "type": "integer", "enum": [1, 2, 3] } ] }, "createdAt": { "type": "string", "format": "date-time", "description": "Bundle creation timestamp (UTC, RFC 3339). The date-time format alone does not require a UTC offset, and draft 2020-12 validators treat format as an annotation unless format assertion is enabled."
}, "metadata": { "type": "object", "description": "Arbitrary key/value metadata captured at bundle creation.", "additionalProperties": { "type": "string" } }, "entries": { "type": "array", "description": "Canonical file inventory used to derive checksums and Merkle root.", "minItems": 1, "items": { "$ref": "#/$defs/manifestEntry" } }, "hashSummary": { "type": "object", "description": "Optional Merkle root summary that binds the manifest to checksums.txt.", "additionalProperties": false, "required": ["algorithm", "merkleRoot"], "properties": { "algorithm": { "type": "string", "enum": ["sha256"] }, "merkleRoot": { "type": "string", "pattern": "^[0-9a-f]{64}$" }, "checksumsPath": { "type": "string", "description": "Relative path to the canonical checksums file inside the bundle. No pattern constrains this value, so consumers must confirm that it resolves inside the bundle before reading it.", "default": "checksums.txt" } } }, "replayProvenance": { "type": "object", "description": "Optional replay linkage proving how the bundle was produced for deterministic re-run.", "additionalProperties": false, "required": ["recordDigest"], "properties": { "recordDigest": { "type": "string", "pattern": "^sha256:[0-9a-f]{64}$" }, "sequence": { "type": "integer", "minimum": 0 }, "ledgerUri": { "type": "string", "format": "uri" }, "dsseEnvelope": { "type": "string", "description": "Base64-encoded DSSE envelope for replay record provenance. contentEncoding is an annotation only: validation neither decodes the value nor verifies the envelope signature.", "contentEncoding": "base64" }, "transparencyLog": { "type": "object", "additionalProperties": false, "properties": { "rekorUuid": { "type": "string" }, "logIndex": { "type": "integer", "minimum": 0 }, "inclusionProof": { "type": "string" } } } } }, "incident": { "type": "object", "description": "Incident-mode activation/exit records captured at bundle time.", "additionalProperties": false, "properties": { "activatedAt": { "type": "string", "format": "date-time" }, "activatedBy": { "type": "string" }, "reason": { "type": "string" }, "deactivatedAt": { "type": "string", "format": "date-time" }, "deactivatedBy": { "type": "string" } } }, "redaction": { "type": 
"object", "description": "Portable-bundle redaction details to prove tenant isolation.", "additionalProperties": false, "properties": { "portable": { "type": "boolean", "default": false }, "maskedFields": { "type": "array", "items": { "type": "string" } }, "tenantToken": { "type": "string", "description": "Opaque token that stands in for tenantId in portable bundles. tenantId is still listed as required at the top level of this schema, so a portable manifest must still carry a value matching its pattern." } } } }, "$defs": { "manifestEntry": { "type": "object", "additionalProperties": false, "required": ["section", "canonicalPath", "sha256", "sizeBytes", "mediaType"], "properties": { "section": { "type": "string", "minLength": 1 }, "canonicalPath": { "type": "string", "description": "Deterministic relative path within the bundle using '/' separators. The pattern rejects a leading '/', empty segments and backslashes, but '.' and '..' segments still match, so consumers must reject them before resolving the path.", "pattern": "^(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+$" }, "sha256": { "type": "string", "pattern": "^[0-9a-f]{64}$" }, "sizeBytes": { "type": "integer", "minimum": 0 }, "mediaType": { "type": "string" }, "attributes": { "type": "object", "description": "Section-specific attributes (e.g., SBOM format, DSSE predicate).", "additionalProperties": { "type": "string" } } } } } }