{ "artifacts": { "artifact_hashes": { "path": "artifact-hashes.json", "sha256": "55f24bdc3d28a5596f4f8a36292820356de50aa2e9c5c2fb81397bfe2891ca4d" }, "bundle_dsse": { "path": "mirror-thin-v1.bundle.dsse.json", "sha256": null }, "bundle_meta": { "path": "mirror-thin-v1.bundle.json", "sha256": null }, "manifest": { "path": "mirror-thin-v1.manifest.json", "sha256": "1affb0b796ff037117b46aa1f1d8056a9c80755e925af058ea72132ba158becf" }, "manifest_dsse": { "path": "mirror-thin-v1.manifest.dsse.json", "sha256": null }, "mirror_policy": { "path": "mirror-policy.json", "sha256": "d7059d4b9e7e207f2420520bf73cf69b644eec0e866f039a1f7d0dc2b3bc1192" }, "oci_index": { "path": "oci/index.json", "sha256": "5daf8024f0f3b37c2077497c54ac3d7bda4aaed59b3c47c605c535662f7a53a5" }, "offline_policy": { "path": "offline-kit-policy.json", "sha256": "ae2513f9768f3f7c0b0994b54f539b2a933e1e851c25c26c8fe46fd963d90579" }, "rekor_policy": { "path": "rekor-policy.json", "sha256": "652df157628db73e9aa0110e7390f8773319c24530e00873afcfdf972644717e" }, "tarball": { "path": "mirror-thin-v1.tar.gz", "sha256": "fb1ce26388a1f1ab2eb90aae6d63ac05de326fbbd947fbf7a17b980232c9fc7d" }, "time_anchor": { "path": "time-anchor.json", "sha256": "c27a0fb0dfa8a9558aaabf8011040abcd4170cf62e36d16b5b1767368f7828ff" }, "transport_plan": { "path": "transport-plan.json", "sha256": "df82a56d9bacb00a1882f5d6d9f9ba469b62b89bd949899b7049e123c1e65914" } }, "bundle": "mirror-thin-v1", "chain_of_custody": [ { "sha256": "dd11c674629fe94bf37ac9a29d7ae32241f6a17815bb275532d9a78b3d851049", "step": "build", "tool": "make-thin-v1.sh" }, { "key_present": true, "keyid": "db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8", "step": "sign", "tool": "sign_thin_bundle.py" } ], "checkpoint_freshness_seconds": 86400, "chunk_size_bytes": 5242880, "created": "2025-12-02T18:08:34Z", "environment": "lab", "gaps": { "ms": [ "MS1 mirror schema versioned in mirror-policy.json", "MS2 DSSE/TUF rotation days recorded", "MS3 delta spec includes tombstones + base hash", "MS4 time-anchor freshness enforced", "MS5 tenant/env scoping captured", "MS6 distribution integrity rules documented", "MS7 chunking/size rules recorded", "MS8 verify script pinned", "MS9 metrics/alerts required", "MS10 semver/changelog noted" ], "ok": [ "OK1 key manifest + PQ co-sign recorded in offline-kit-policy.json", "OK2 tool hashing captured in bundle_meta.tooling", "OK3 DSSE top-level manifest planned via bundle.dsse", "OK4 checkpoint freshness enforced with checkpoint_freshness_seconds", "OK5 deterministic packaging flags recorded in offline-kit-policy.json", "OK6 scan/VEX/policy/graph hashes captured in artifact-hashes.json", "OK7 time anchor bundled as layers/time-anchor.json", "OK8 transport + chunking defined in transport-plan.json", "OK9 tenant/environment scoping recorded in bundle meta", "OK10 scripted verify path is scripts/mirror/verify_thin_bundle.py" ], "rk": [ "RK1 enforce dsse/hashedrekord policy in rekor-policy.json", "RK2 payload size preflight rk2_payloadMaxBytes", "RK3 routing policy for public/private recorded", "RK4 shard-aware checkpoints per-tenant-per-day", "RK5 idempotent submission keys enabled", "RK6 Sigstore bundle inclusion flagged true", "RK7 checkpoint freshness seconds recorded", "RK8 PQ dual-sign toggle matches pqDualSign", "RK9 error taxonomy enumerated", "RK10 policy/graph annotations required" ] }, "pq_cosign_required": false, "tenant": "tenant-demo", "tooling": { "make_thin_v1_sh": "dd11c674629fe94bf37ac9a29d7ae32241f6a17815bb275532d9a78b3d851049", "sign_script": "30268f3b6d11a1108a8cb5a5ebc9723c34a67cf1e12944b1014cc76965619b73", "verify_oci": "04b6b0424a725d2081275e67820c580b532646fd640ee9bf62bc75bc7554eb77", "verify_script": "0794f79851bd71c0e07425e6928f038286957f3babc95ca66660acb6c5d8c31b" }, "version": "1.0.0" }