{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stella-ops.io/schemas/evidence-pack-manifest/v1.0.0", "title": "Release Evidence Pack Manifest", "description": "Schema for Stella Ops Release Evidence Pack manifest.json files", "type": "object", "required": [ "bundleFormatVersion", "releaseVersion", "createdAt", "sourceCommit", "artifacts" ], "properties": { "bundleFormatVersion": { "type": "string", "description": "Version of the evidence pack format", "pattern": "^\\d+\\.\\d+\\.\\d+$", "examples": ["1.0.0"] }, "releaseVersion": { "type": "string", "description": "Version of the Stella Ops release", "examples": ["2.5.0", "1.2.3-beta.1"] }, "createdAt": { "type": "string", "format": "date-time", "description": "ISO 8601 timestamp when the evidence pack was created" }, "sourceCommit": { "type": "string", "description": "Git commit SHA of the source code", "pattern": "^[a-f0-9]{40}$" }, "sourceDateEpoch": { "type": "integer", "description": "Unix timestamp used for reproducible builds (SOURCE_DATE_EPOCH)", "minimum": 0 }, "artifacts": { "type": "array", "description": "List of release artifacts in this pack", "items": { "$ref": "#/$defs/artifactEntry" }, "minItems": 1 }, "checksums": { "type": "object", "description": "Checksum files included in the pack", "properties": { "sha256": { "$ref": "#/$defs/checksumEntry" }, "sha512": { "$ref": "#/$defs/checksumEntry" } } }, "sboms": { "type": "array", "description": "Software Bill of Materials files", "items": { "$ref": "#/$defs/sbomReference" } }, "provenanceStatements": { "type": "array", "description": "SLSA v1.0 provenance statements", "items": { "$ref": "#/$defs/provenanceReference" } }, "attestations": { "type": "array", "description": "DSSE attestation bundles", "items": { "$ref": "#/$defs/attestationReference" } }, "rekorProofs": { "type": "array", "description": "Rekor transparency log inclusion proofs", "items": { "$ref": "#/$defs/rekorProofEntry" } }, "signingKeyFingerprint": { "type": "string", "description": "SHA-256 fingerprint of the signing public key" }, "rekorLogId": { "type": "string", "description": "Rekor log ID (tree ID) for transparency log entries" } }, "$defs": { "artifactEntry": { "type": "object", "required": ["name", "path", "sha256"], "properties": { "name": { "type": "string", "description": "Display name of the artifact" }, "path": { "type": "string", "description": "Relative path within the evidence pack" }, "sha256": { "type": "string", "description": "SHA-256 hash of the artifact", "pattern": "^[a-f0-9]{64}$" }, "sha512": { "type": "string", "description": "SHA-512 hash of the artifact", "pattern": "^[a-f0-9]{128}$" }, "signaturePath": { "type": "string", "description": "Relative path to the detached signature file" }, "size": { "type": "integer", "description": "File size in bytes", "minimum": 0 }, "platform": { "type": "string", "description": "Target platform (e.g., linux-x64, macos-arm64, windows-x64)" }, "mediaType": { "type": "string", "description": "MIME type of the artifact" } } }, "checksumEntry": { "type": "object", "required": ["path"], "properties": { "path": { "type": "string", "description": "Relative path to the checksum file" }, "signaturePath": { "type": "string", "description": "Relative path to the signature of the checksum file" } } }, "sbomReference": { "type": "object", "required": ["path", "format"], "properties": { "path": { "type": "string", "description": "Relative path to the SBOM file" }, "format": { "type": "string", "description": "SBOM format", "enum": ["cyclonedx", "spdx"] }, "version": { "type": "string", "description": "SBOM format version (e.g., 1.5 for CycloneDX)" }, "signaturePath": { "type": "string", "description": "Relative path to the signature file" }, "component": { "type": "string", "description": "Component this SBOM describes" } } }, "provenanceReference": { "type": "object", "required": ["path", "predicateType"], "properties": { "path": { "type": "string", "description": "Relative path to the provenance file" }, "predicateType": { "type": "string", "description": "SLSA predicate type URI", "examples": ["https://slsa.dev/provenance/v1"] }, "signaturePath": { "type": "string", "description": "Relative path to the signature file" }, "builderId": { "type": "string", "description": "Builder ID from the provenance" }, "slsaLevel": { "type": "integer", "description": "SLSA level of this provenance (1-4)", "minimum": 1, "maximum": 4 } } }, "attestationReference": { "type": "object", "required": ["path", "type"], "properties": { "path": { "type": "string", "description": "Relative path to the attestation file" }, "type": { "type": "string", "description": "Attestation type", "enum": ["dsse", "sigstore-bundle", "in-toto"] }, "predicateType": { "type": "string", "description": "Predicate type URI for in-toto/DSSE attestations" } } }, "rekorProofEntry": { "type": "object", "required": ["uuid", "logIndex"], "properties": { "uuid": { "type": "string", "description": "Rekor entry UUID" }, "logIndex": { "type": "integer", "description": "Index in the Rekor log", "minimum": 0 }, "integratedTime": { "type": "integer", "description": "Unix timestamp when entry was added to log" }, "inclusionProofPath": { "type": "string", "description": "Relative path to the inclusion proof JSON file" }, "artifactName": { "type": "string", "description": "Name of the artifact this proof applies to" } } } } }