{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "StellaOps Task Pack Offline Bundle", "description": "Canonical offline bundle manifest for Task Packs; used by verify_offline_bundle.py and TaskRunner evidence checks.", "type": "object", "additionalProperties": false, "required": [ "schemaVersion", "pack", "plan", "evidence", "security", "hashes", "slo", "tenant", "environment", "created" ], "properties": { "schemaVersion": { "type": "string", "const": "stellaops.pack.offline-bundle.v1" }, "pack": { "type": "object", "additionalProperties": false, "required": ["name", "version", "bundle", "digest", "sbom"], "properties": { "name": { "type": "string", "minLength": 1 }, "version": { "type": "string", "minLength": 1 }, "bundle": { "type": "string", "description": "Relative path to the pack bundle tarball or OCI layout." }, "digest": { "type": "string", "pattern": "^sha256:[0-9a-f]{64}$" }, "registry": { "type": "string", "description": "Logical registry identifier or OCI reference." }, "sbom": { "type": "string", "description": "Relative path to CycloneDX/SBOM document for the pack bundle." } } }, "plan": { "type": "object", "additionalProperties": false, "required": ["hashAlgorithm", "hash", "canonicalPlanPath", "inputsLock"], "properties": { "hashAlgorithm": { "type": "string", "enum": ["sha256"] }, "hash": { "type": "string", "pattern": "^sha256:[0-9a-f]{64}$" }, "canonicalPlanPath": { "type": "string", "description": "Path to the normalized (canonical) JSON plan from which the plan hash is computed." }, "inputsLock": { "type": "string", "description": "Deterministic lock of the resolved inputs and secrets (values recorded in hashed, redacted form)." }, "rngSeed": { "type": "string", "description": "Seed derived from the plan hash, used for deterministic RNG." }, "timestampSource": { "type": "string", "enum": ["utc-iso8601"], "description": "Required time source for timestamps; only utc-iso8601 is accepted." 
} } }, "evidence": { "type": "object", "additionalProperties": false, "required": ["attestation", "approvalsLedger"], "properties": { "attestation": { "type": "string", "description": "DSSE payload binding the run to the plan hash." }, "approvalsLedger": { "type": "string", "description": "DSSE-signed approvals ledger with Authority claims." }, "timeline": { "type": "string", "description": "Optional NDJSON timeline of step and policy events." } } }, "security": { "type": "object", "additionalProperties": false, "required": ["sandbox", "revocations", "signatures", "secretsRedactionPolicy"], "properties": { "sandbox": { "type": "object", "additionalProperties": false, "required": ["mode", "egressAllowlist", "cpuLimitMillicores", "memoryLimitMiB", "quotaSeconds"], "properties": { "mode": { "type": "string", "enum": ["sealed", "restricted"] }, "egressAllowlist": { "type": "array", "items": { "type": "string" } }, "cpuLimitMillicores": { "type": "integer", "minimum": 1 }, "memoryLimitMiB": { "type": "integer", "minimum": 1 }, "quotaSeconds": { "type": "integer", "minimum": 1 } } }, "revocations": { "type": "string", "description": "Revocation list for pack versions/digests." }, "signatures": { "type": "object", "additionalProperties": false, "required": ["bundleDsse", "attestationDsse"], "properties": { "bundleDsse": { "type": "string" }, "attestationDsse": { "type": "string" }, "registryCertChain": { "type": "string" } } }, "secretsRedactionPolicy": { "type": "string", "description": "Policy document describing how secrets are hashed and redacted." 
} } }, "hashes": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "required": ["path", "algorithm", "digest"], "properties": { "path": { "type": "string" }, "algorithm": { "type": "string", "enum": ["sha256"] }, "digest": { "type": "string", "pattern": "^sha256:[0-9a-f]{64}$" } } } }, "slo": { "type": "object", "additionalProperties": false, "required": ["runP95Seconds", "approvalP95Seconds", "maxQueueDepth"], "properties": { "runP95Seconds": { "type": "integer", "minimum": 1 }, "approvalP95Seconds": { "type": "integer", "minimum": 1 }, "maxQueueDepth": { "type": "integer", "minimum": 1 }, "alertRules": { "type": "string", "description": "Path to alert rule definitions." } } }, "tenant": { "type": "string", "minLength": 1 }, "environment": { "type": "string", "minLength": 1 }, "created": { "type": "string", "format": "date-time" }, "expires": { "type": "string", "format": "date-time" }, "verifyScriptVersion": { "type": "string", "description": "Version of verify_offline_bundle.py used to validate this bundle." } } }