# Excititor Locker Manifest (OBS-53-001)

Defines the manifest for evidence snapshots stored in Evidence Locker / sealed-mode bundles.

## Manifest structure

```json
{
  "tenant": "default",
  "manifestId": "locker:excititor:2025-11-23:0001",
  "createdAt": "2025-11-23T23:10:00Z",
  "items": [
    {
      "observationId": "vex:obs:sha256:...",
      "providerId": "ubuntu-csaf",
      "contentHash": "sha256:...",
      "linksetId": "CVE-2024-0001:pkg:maven/org.demo/app@1.2.3",
      "dsseEnvelopeHash": "sha256:...",
      "provenance": {
        "source": "mirror|ingest",
        "mirrorGeneration": 12,
        "exportCenterManifest": "sha256:..."
      }
    }
  ],
  "merkleRoot": "sha256:...",  // over `items[*].contentHash`
  "signature": null,           // populated in OBS-54-001 (DSSE)
  "metadata": {"sealed": true}
}
```

## Rules

- `items` sorted by `observationId`, then `providerId`.
- `merkleRoot` uses SHA-256 over concatenated item hashes (stable order above).
- `signature` is a DSSE envelope (hash recorded in `dsseEnvelopeHash`) when OBS-54-001 is enabled; otherwise `null`.
- Manifests are immutable; version using `manifestId` suffix.

## Storage and replay

- Store manifests alongside payloads in object storage; key prefix: `locker/excititor//`.
- Replay tools must verify `merkleRoot` before loading payloads; reject if mismatched.
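
The replay-side check described above, sketched as an added example (not Excititor's own code). It assumes "concatenated item hashes" means the raw 32-byte digests decoded from each `contentHash`, and that `merkleRoot` is written as `sha256:` plus lowercase hex. The function names are hypothetical, and rejecting a manifest whose `items` are out of order is this example's choice.

```python
import hashlib
import hmac
import re

HASH_RE = re.compile(r"sha256:([0-9a-f]{64})")

class ManifestError(ValueError):
    """Raised when a locker manifest must be rejected before payloads load."""

def digest_bytes(value):
    # Accept only a complete lowercase SHA-256 digest; truncated values fail.
    m = HASH_RE.fullmatch(value) if isinstance(value, str) else None
    if m is None:
        raise ManifestError(f"malformed hash: {value!r}")
    return bytes.fromhex(m.group(1))

def compute_merkle_root(items):
    # Apply the documented stable order: observationId, then providerId.
    ordered = sorted(items, key=lambda i: (i["observationId"], i["providerId"]))
    h = hashlib.sha256()
    for item in ordered:
        h.update(digest_bytes(item["contentHash"]))  # assumption: raw digest bytes
    return "sha256:" + h.hexdigest()

def verify_manifest(manifest):
    # Returns the verified root, or raises ManifestError so the caller stops.
    items = manifest.get("items")
    if not isinstance(items, list):
        raise ManifestError("manifest has no items list")
    try:
        keys = [(i["observationId"], i["providerId"]) for i in items]
        if keys != sorted(keys):
            raise ManifestError("items are not in the documented sort order")
        expected = compute_merkle_root(items)
    except (KeyError, TypeError) as exc:
        raise ManifestError(f"malformed item: {exc!r}") from exc
    claimed = manifest.get("merkleRoot")
    if not isinstance(claimed, str) or not hmac.compare_digest(expected.encode(), claimed.encode()):
        raise ManifestError("merkleRoot mismatch")
    return expected

def build_sample_manifest():
    # Constructed sample data; IDs and payloads are illustrative only.
    items = [
        {"observationId": f"vex:obs:{n}", "providerId": "ubuntu-csaf",
         "contentHash": "sha256:" + hashlib.sha256(f"payload-{n}".encode()).hexdigest()}
        for n in (1, 2)
    ]
    return {"manifestId": "locker:excititor:sample", "items": items,
            "merkleRoot": compute_merkle_root(items)}
```

Until OBS-54-001 populates `signature`, a matching root only shows that the manifest is internally consistent, so the manifest itself must come from trusted storage.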