# VEX Consensus JSON (Payload Reference)

This document describes the *shape* of consensus records returned by consensus APIs and exported in Offline Kit snapshots. Field names and structure may vary slightly by gateway serialization, but the semantic contract is stable.

## Consensus Record (Conceptual)

```json
{
  "artifact": "pkg:rpm/redhat/openssl@3.0.9",
  "advisory": "CVE-2025-13579",
  "status": "not_affected",
  "confidence": 0.92,
  "issued_at": "2025-08-30T12:05:00Z",
  "consensus_digest": "sha256:…",
  "derived_from": [
    {
      "source_digest": "sha256:…",
      "issuer": "vendor:redhat",
      "status": "not_affected",
      "timestamp": "2025-08-30T12:00:00Z",
      "trust": { "tier": "vendor", "weight": 1.0 },
      "verification": { "signature": "verified" }
    }
  ],
  "conflicts": [
    {
      "source_digest": "sha256:…",
      "issuer": "vendor:upstream",
      "status": "affected",
      "timestamp": "2025-08-29T00:00:00Z",
      "trust": { "tier": "vendor", "weight": 0.8 }
    }
  ]
}
```

## Determinism Rules

- Timestamps are UTC ISO-8601.
- Arrays (`derived_from`, `conflicts`) are in a stable order (typically the evaluation sort order).
- `consensus_digest` is computed over canonical, deterministic JSON bytes for the record (or over an equivalent canonical projection).

## Related Docs

- Algorithm overview: `docs/vex/consensus-algorithm.md`
- Endpoints: `docs/vex/consensus-api.md`
- Module details: `docs/modules/vex-lens/architecture.md`