{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://stella-ops.org/schemas/rekor-receipt.schema.json",
  "title": "StellaOps Rekor Receipt Schema",
  "description": "Schema for offline Rekor receipt payloads (rekor-receipt.json) used for air-gapped verification. See docs/modules/attestor/transparency.md and docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md (Section 1.4).",
  "type": "object",
  "additionalProperties": false,
  "required": ["uuid", "logIndex", "rootHash", "hashes", "checkpoint"],
  "properties": {
    "uuid": {
      "type": "string",
      "minLength": 1,
      "description": "Rekor entry UUID."
    },
    "logIndex": {
      "type": "integer",
      "minimum": 0,
      "description": "Rekor log index."
    },
    "rootHash": {
      "type": "string",
      "pattern": "^[a-f0-9]{64}$",
      "description": "Expected Merkle tree root hash as lowercase hex (32 bytes)."
    },
    "hashes": {
      "type": "array",
      "description": "Merkle inclusion path hashes ordered as provided by Rekor (each is lowercase hex, 32 bytes).",
      "items": {
        "type": "string",
        "pattern": "^[a-f0-9]{64}$"
      }
    },
    "checkpoint": {
      "type": "string",
      "minLength": 1,
      "description": "Signed checkpoint note (UTF-8) either inline (body lines: origin, tree size, base64 root, optional timestamp, and optional signature block(s)) or a path resolved relative to the receipt file (e.g., checkpoint.sig or tlog/checkpoint.sig)."
    }
  }
}