# Replay Payload Contract (Prep for PREP-EVID-REPLAY-187-001)

Status: **Ready for implementation** (2025-12-04 refresh for EB5)

Owners: Evidence Locker Guild · Scanner Guild

Scope: Define the deterministic scanner record payload shape required to ingest replay bundles (Sprint 0187) and to link replay provenance into bundle manifests and attestations (EB5).

## Payload shape

- NDJSON, one record per line; sorted by `recordedAtUtc` then `scanId` (stable ordering required by `docs/replay/DETERMINISTIC_REPLAY.md`).
- Fields:
  - `scanId` (GUID), `tenantId`, `subjectDigest` (`sha256:...`), `scanKind` (`sbom|vuln|policy`),
  - `startedAtUtc`, `completedAtUtc`, `recordedAtUtc` (ISO-8601, UTC),
  - `artifacts`: array of `{ type: sbom|vex|log, digest, uri }`,
  - `provenance`: `{ dsseEnvelope, transparencyLog? }` (base64 DSSE; optional Rekor entry),
  - `summary`: `{ findings: int, advisories: int, policies: int }`.
- Replay provenance (new, EB5):
  - Evidence Locker records `replayProvenance` in the bundle manifest with `recordDigest`, optional `sequence`, `ledgerUri`, `dsseEnvelope`, and optional `transparencyLog { rekorUuid, logIndex, inclusionProof }`.
  - The `recordDigest` is the sha256 of the canonical NDJSON content (as ingested) and becomes part of `hashSummary` in the manifest and the DSSE predicate.
- Determinism: no wall-clock values other than the recorded timestamps above; the DSSE envelope is copied verbatim from scanner output; NDJSON must be UTF-8 with LF line endings and canonical key ordering per record.

## Acceptance criteria

- Scanner Guild provides sample NDJSON (10 records); the DSSE envelope may be redacted in the samples.
- Evidence Locker can ingest and store a bundle with deterministic ordering and hash (SHA256) across runs, and recomputes `recordDigest` to bind `replayProvenance`.
- Contract published here and referenced in Sprint 0187 P1/P2/P3 and in manifests/attestations per EB5.
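The payload-shape and determinism rules above are what make `recordDigest` reproducible across runs, so the ingest side has to check them rather than trust them. The following is an added example, not code from the Evidence Locker or Scanner projects: it builds the canonical NDJSON for a set of constructed records, computes the digest, and runs the checks an ingest step would apply before binding `replayProvenance`. It assumes that "canonical key ordering" means keys sorted lexicographically at every nesting level with compact separators, that `scanId` is compared as its lowercase canonical string, and that the digest is written with a `sha256:` prefix like `subjectDigest`; the contract does not pin these down, so treat them as placeholders for the project's own canonicalization rules.

```python
import hashlib
import json

# Field set taken from the "Payload shape" section of the contract.
REQUIRED_FIELDS = {
    "scanId", "tenantId", "subjectDigest", "scanKind",
    "startedAtUtc", "completedAtUtc", "recordedAtUtc",
    "artifacts", "provenance", "summary",
}


def make_record(scan_id: str, recorded_at: str, kind: str = "sbom") -> dict:
    """Constructed sample record (not project data); DSSE envelope redacted."""
    return {
        "scanId": scan_id,
        "tenantId": "tenant-a",
        "subjectDigest": "sha256:" + "a" * 64,
        "scanKind": kind,
        "startedAtUtc": "2025-12-04T09:59:00Z",
        "completedAtUtc": "2025-12-04T09:59:30Z",
        "recordedAtUtc": recorded_at,
        "artifacts": [{"type": "sbom", "digest": "sha256:" + "b" * 64,
                       "uri": "oci://registry.example/sbom"}],
        "provenance": {"dsseEnvelope": "REDACTED"},
        "summary": {"findings": 0, "advisories": 0, "policies": 1},
    }


# Deliberately out of order, with two records sharing a recordedAtUtc so the
# scanId tie-break is exercised.
SAMPLE_RECORDS = [
    make_record("9b000000-0000-4000-8000-000000000003", "2025-12-04T10:00:06Z", "vuln"),
    make_record("1a000000-0000-4000-8000-000000000001", "2025-12-04T10:00:06Z", "policy"),
    make_record("5c000000-0000-4000-8000-000000000002", "2025-12-04T10:00:01Z"),
]


def canonical_record(record: dict) -> str:
    # Assumption: canonical form = lexicographically sorted keys at every level,
    # compact separators, non-ASCII left unescaped (UTF-8 on the wire).
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def sort_records(records: list) -> list:
    # Ordering required by the contract: recordedAtUtc, then scanId.
    return sorted(records, key=lambda r: (r["recordedAtUtc"], r["scanId"]))


def canonical_ndjson(records: list) -> bytes:
    # UTF-8, LF line endings, one canonical record per line.
    return ("\n".join(canonical_record(r) for r in sort_records(records)) + "\n").encode("utf-8")


def record_digest(payload: bytes) -> str:
    # Assumption: same "sha256:<hex>" notation the contract uses for subjectDigest.
    return "sha256:" + hashlib.sha256(payload).hexdigest()


def validate_ndjson(payload: bytes, claimed_digest: str) -> list:
    """Ingest-side checks; returns a list of violations (empty means accept)."""
    problems = []
    if b"\r" in payload:
        problems.append("CR byte present: LF line endings required")
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["payload is not valid UTF-8"]
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # trailing LF is expected
    prev_key = None
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            problems.append(f"line {n}: not valid JSON")
            continue
        missing = REQUIRED_FIELDS - set(record)
        if missing:
            problems.append(f"line {n}: missing fields {sorted(missing)}")
            continue
        if canonical_record(record) != line:
            problems.append(f"line {n}: not in canonical form")
        key = (record["recordedAtUtc"], record["scanId"])
        if prev_key is not None and key < prev_key:
            problems.append(f"line {n}: out of order (recordedAtUtc, scanId)")
        prev_key = key
    if record_digest(payload) != claimed_digest:
        problems.append("recordDigest mismatch: refusing to bind replayProvenance")
    return problems


if __name__ == "__main__":
    bundle = canonical_ndjson(SAMPLE_RECORDS)
    digest = record_digest(bundle)
    print(digest)
    print("violations:", validate_ndjson(bundle, digest))
    # A CRLF re-encoding of the same records must be rejected.
    print("violations (CRLF):", validate_ndjson(bundle.replace(b"\n", b"\r\n"), digest))
```

Feeding the same records in any input order yields the same bytes and therefore the same `recordDigest`; the CRLF variant fails both the line-ending check and the digest comparison, which is the property the acceptance criteria rely on.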