{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://stellaops.local/schemas/evidence/checksums.schema.json",
  "title": "StellaOps Evidence Bundle Checksums (EB2)",
  "description": "Canonical checksum map used to derive the Merkle root and DSSE subject for evidence bundles.",
  "type": "object",
  "additionalProperties": false,
  "required": ["algorithm", "root", "entries"],
  "properties": {
    "algorithm": { "type": "string", "enum": ["sha256"] },
    "root": { "type": "string", "pattern": "^[0-9a-f]{64}$" },
    "generatedAt": { "type": "string", "format": "date-time" },
    "bundleId": { "type": "string", "pattern": "^[0-9a-fA-F]{32}$" },
    "tenantId": { "type": "string", "pattern": "^[0-9a-fA-F]{32}$" },
    "entries": {
      "type": "array",
      "minItems": 1,
      "description": "Sorted list of entry hashes; order must be lexicographic on canonicalPath.",
      "items": { "$ref": "#/$defs/checksumEntry" }
    },
    "chunking": {
      "type": "object",
      "description": "Optional chunked/CAS hashing strategy for large payloads.",
      "additionalProperties": false,
      "properties": {
        "strategy": { "type": "string", "enum": ["none", "fixed", "buzhash"] },
        "chunkSizeBytes": { "type": "integer", "minimum": 1024 },
        "casDigestAlgorithm": { "type": "string", "enum": ["sha256"] }
      }
    }
  },
  "$defs": {
    "checksumEntry": {
      "type": "object",
      "additionalProperties": false,
      "required": ["canonicalPath", "sha256", "sizeBytes"],
      "properties": {
        "canonicalPath": {
          "type": "string",
          "pattern": "^(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+$"
        },
        "sha256": { "type": "string", "pattern": "^[0-9a-f]{64}$" },
        "sizeBytes": { "type": "integer", "minimum": 0 }
      }
    }
  }
}