## Pack 20 — Evidence & Audit consolidated around **who needs what evidence, when** (release/bundle/env-centric; preserves all PoC screens)

Below you get:

1. **Evidence menu graph (Mermaid)**
2. For **each screen**:
   * **Formerly** (old name/location)
   * **Why moved/reshaped**
   * **Screen navigation graph (Mermaid)**
   * **ASCII mock**

This pack covers the PoC evidence screens you showed:

* **Evidence Bundles** (`evidence bundles.png`)
* **Export Center** (`export.png`)
* **Replay/Verify (Verdict Replay)** (`reply verify.png`)
* **Packets / Proof Chains** (present in the left menu in earlier screenshots; you referenced them)
* **Trust & Signing** (`trust and signing .png`)

…and makes them decision-connected for **Release / Bundle / Env**.

---

# 20.1 Evidence & Audit menu graph (Mermaid)

```mermaid
flowchart TD
  EVID["Evidence & Audit (ROOT)"] --> HOME["Evidence Home"]
  EVID --> PACK["Evidence Packs"]
  EVID --> BUND["Evidence Bundles"]
  EVID --> EXP["Export Center"]
  EVID --> CHAIN["Proof Chains"]
  EVID --> VERIFY["Replay & Verify"]
  EVID --> TRUST["Trust & Signing"]
  EVID --> AUDIT["Audit Log"]

  %% Entry points from decision areas
  REL["Releases"] --> HOME
  APPR["Approvals"] --> HOME
  RCENV["Env Detail"] --> HOME
  BVER["Bundle Version Detail"] --> HOME

  %% Cross-links
  HOME --> EXP
  BUND --> CHAIN
  VERIFY --> CHAIN
  TRUST --> CHAIN
  EXP --> BUND
```

**Design rule:** Evidence is not “a folder of files.” It’s **a pipeline artifact** tied to:

* a **Release/Hotfix**,
* a **Bundle Version**,
* an **Environment Promotion Run**,
* and the **policy decision** that allowed/blocked it.

---

# 20.2 Evidence screen — Evidence Home (new “router” page)

### Formerly

* Evidence was scattered under **Evidence** section items: Packets, Proof Chains, Replay/Verify, Export, Bundles.
* No single “I’m an auditor / I’m an approver / I’m an operator” entry point.
### Why changed like this

Evidence Home is the **entry router**:

* “Give me evidence for **Release X**”
* “Give me evidence for **Bundle Version digest**”
* “Give me evidence for **Env us-prod today**”
* “Give me evidence for **Approval request A**”

This reduces bounce across Export/Bundles/Proof Chains.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A["Evidence Home"] --> B["Search: Release / Bundle / Env / Approval / Digest"]
  A --> C["Quick tiles: latest packs, latest bundles, failed verifies"]
  A --> D["Entry: Export Center"]
  A --> E["Entry: Evidence Bundles"]
  A --> F["Entry: Replay & Verify"]
  A --> G["Entry: Proof Chains"]
  A --> H["Entry: Trust & Signing"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ HOME                                                                      │
│ Formerly: evidence functions scattered (Packets/Proof Chains/Export/Replay/Bundles)          │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Find evidence for: [ Release ▾ ] [ Bundle Version ▾ ] [ Environment ▾ ] [ Approval ▾ ]       │
│ Or paste: digest / verdict-id / bundle-id                                                    │
│ [Search]                                                                                     │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Quick views                                                                                  │
│ - Latest promotion evidence packs (24h)          - Latest sealed bundles (7d)                │
│ - Failed verification / replay (7d)              - Expiring trust/certs (30d)                │
│                                                                                              │
│ Shortcuts: [Export Center] [Evidence Bundles] [Replay & Verify]                              │
│            [Proof Chains] [Trust & Signing]                                                  │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 20.3 Evidence screen — Evidence Packs (formerly “Packets”)

### Formerly

* **Evidence → Packets** (left nav in earlier screenshots)
* Not shown as a main content screenshot, but it exists as a PoC menu item.
### Why changed like this

“Pack” becomes the atomic evidence artifact tied to:

* a **promotion run**
* a **policy decision**
* a **bundle version**
* an **environment snapshot**

It should be the default evidence object used internally and optionally exported.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A["Evidence Packs"] --> B["Pack Detail"]
  A --> C["Filter: Release / Env / Bundle Version / Time"]
  A --> D["Open linked Approval / Run"]
  A --> E["Export pack -> Export Center"]
  B --> F["Proof Chain refs"]
  B --> G["Verify signatures -> Replay & Verify"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EVIDENCE PACKS                                                            │
│ Formerly: Evidence ▸ Packets                                                                 │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾  Env ▾  Bundle Version ▾  Status ▾  Time window ▾                         │
│ Actions: [Export selected packs]                                                             │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Packs                                                                                        │
│ pack-9001  Feb 18 08:33  env us-prod  bundle Hotfix 1.2.4      status: sealed ✓  [Open]      │
│ pack-9002  Feb 18 07:30  env us-uat   bundle web-frontend v2   status: sealed ✓  [Open]      │
│ pack-9003  Feb 17 08:30  env us-prod  bundle worker v3.1.0     status: sealed ✓  [Open]      │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 20.4 Evidence screen — Pack Detail (new “case file” for a pack)

### Formerly

* Evidence details were spread across Export/Bundles/Replay.

### Why changed like this

One place to answer:

* What decision was made?
* Which bundle manifest/digests?
* Which SBOM/finding snapshot?
* Which signatures / proof chain refs?
* What can I export?
### Screen graph (Mermaid)

```mermaid
flowchart TD
  A["Pack Detail"] --> B["Decision summary (policy gates + approvals)"]
  A --> C["Artifacts list (SBOM, findings, attestations, provenance)"]
  A --> D["Proof chain refs"]
  A --> E["Verify / Replay"]
  A --> F["Export as bundle / attach to audit report"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE PACK DETAIL: pack-9001                                                              │
│ Formerly: no unified pack “case file”                                                        │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Context                                                                                      │
│ Release: Hotfix 1.2.4          Env: us-prod        Promotion Run: run-7712                   │
│ Bundle manifest: sha256:beef...    Created: Feb 18 08:33 by alice.johnson                    │
│ Decision: PASS policy gates 1/2 (Approval pending)                                           │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Included artifacts                                                                           │
│ [✓] SBOM snapshot (SPDX)               [✓] Findings snapshot (with reachability)             │
│ [✓] Attestations (build)               [✓] Provenance                                        │
│ [✓] VEX statements                     [✓] Policy decision record                            │
│ [✓] Replay log / determinism result (if present)                                             │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrity                                                                                    │
│ DSSE envelope: present ✓      Rekor entry: present ✓      Proof chain: chain-9912            │
│ Actions: [Verify now] [Replay verdict] [Export as Audit Bundle]                              │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 20.5 Evidence screen — Evidence Bundles

### Formerly

* **Evidence → Bundles** (`evidence bundles.png`) “Download and verify sealed evidence bundles for audit and compliance.”

### Why changed like this

Keep the screen, but make “bundle” explicitly:

* a **compiled export artifact**, usually for external auditors
* built from **packs**
* and searchable by Release/Env/Approval.
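The two properties above that matter to an auditor, a bundle is *built from packs* and the bundle detail (20.6) must be *verifiable independently*, can be shown in a few dozen lines. This is an added example, not code from the PoC or the product. It assumes a bundle manifest that pins every included pack by sha256 digest, a DSSE envelope around that manifest using the DSSE pre-authentication encoding (`DSSEv1 <len> <type> <len> <body>`), and an HMAC-SHA256 seal as a stand-in for the signature algorithm (DSSE does not fix one; a Sigstore/Rekor-backed signature would sit in the same `signatures` slot). The payload type, key id, key, and pack bodies are constructed; the pack and bundle ids match the mocks.

```python
"""Seal an evidence bundle from packs; verify it independently (added example)."""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.example.evidence-bundle+json"  # assumed media type
SEAL_KEY = b"constructed-seal-key-do-not-reuse"                 # constructed key
KEY_ID = "evidence-seal-2026"                                   # constructed key id

# Constructed pack bodies; in the product these would be the serialized packs.
PACKS = {
    "pack-9001": b'{"run":"run-7712","env":"us-prod","decision":"PASS"}',
    "pack-9002": b'{"run":"run-7700","env":"us-uat","decision":"PASS"}',
    "pack-9003": b'{"run":"run-7650","env":"us-prod","decision":"PASS"}',
}


def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_manifest(bundle_id: str, packs: dict) -> dict:
    """Bundle composition: every included pack, pinned by digest."""
    return {
        "bundle": bundle_id,
        "packs": [{"id": pid, "digest": sha256_hex(body)} for pid, body in sorted(packs.items())],
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that actually get signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def seal_bundle(bundle_id: str, packs: dict, key: bytes = SEAL_KEY) -> dict:
    """Return a DSSE-style envelope over the canonical (sorted, compact) manifest."""
    body = json.dumps(build_manifest(bundle_id, packs), sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, body), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(body).decode(),
        "signatures": [{"keyid": KEY_ID, "sig": base64.b64encode(sig).decode()}],
    }


def verify_bundle(envelope: dict, packs: dict, key: bytes = SEAL_KEY) -> dict:
    """Independent verification: check the seal first, then every pack digest.

    Returns {"status": "VERIFIED" | "FAILED", "problems": [...]} so the caller
    sees every reason for failure, not just the first one.
    """
    body = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], body), hashlib.sha256).digest()
    seal_ok = any(
        hmac.compare_digest(base64.b64decode(s["sig"]), expected) for s in envelope["signatures"]
    )
    if not seal_ok:
        # Nothing inside the manifest can be trusted if the seal does not verify.
        return {"status": "FAILED", "problems": ["envelope seal does not verify"]}
    manifest = json.loads(body)
    problems, listed = [], set()
    for entry in manifest["packs"]:
        listed.add(entry["id"])
        data = packs.get(entry["id"])
        if data is None:
            problems.append(f"{entry['id']}: listed in manifest but missing from bundle")
        elif sha256_hex(data) != entry["digest"]:
            problems.append(f"{entry['id']}: digest mismatch (pack altered after sealing)")
    for extra in sorted(set(packs) - listed):
        problems.append(f"{extra}: present in bundle but not in sealed manifest")
    return {"status": "FAILED" if problems else "VERIFIED", "problems": problems}


if __name__ == "__main__":
    env = seal_bundle("bundle-2026-02-18-us-prod", PACKS)
    print(verify_bundle(env, PACKS))
    tampered = dict(PACKS, **{"pack-9002": b'{"decision":"PASS","edited":true}'})
    print(verify_bundle(env, tampered))
```

The order inside `verify_bundle` is the point: the seal is checked before the manifest is parsed, so a pack list that was edited after sealing never drives the digest checks, and packs that were added to the archive without being in the sealed manifest are reported rather than silently accepted.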
### Screen graph (Mermaid)

```mermaid
flowchart TD
  A["Evidence Bundles"] --> B["Bundle Detail"]
  A --> C["Generate bundle -> Export Center"]
  A --> D["Verify bundle -> Replay & Verify"]
  B --> E["Proof chain refs"]
  B --> F["Download"]
```

### ASCII mock (aligned to your current UI, but with better routing)

```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EVIDENCE BUNDLES                                                          │
│ Formerly: Evidence ▸ Bundles (evidence bundles.png)                                          │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾  Env ▾  Approval ▾  Status ▾  Time window ▾                               │
│ Note: Bundles are compiled exports (from packs) for auditors / compliance teams.             │
│ [Go to Export Center]                                                                        │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Bundles                                                                                      │
│ (none found)                                                                                 │
│ Example rows:                                                                                │
│ bundle-2026-02-18-us-prod.zip   sealed ✓   contains packs: 3   [Open] [Download]             │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 20.6 Evidence screen — Bundle Detail (new)

### Formerly

* Bundle list existed, but bundle “composition” was not surfaced as a primary view.
### Why changed like this

Auditors ask “what exactly is inside” and “can I verify it independently.” Bundle Detail shows:

* included packs
* signatures (DSSE)
* transparency log references (Rekor)
* verification status

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A["Bundle Detail"] --> B["Included packs list"]
  A --> C["Included artifacts inventory"]
  A --> D["Signatures / DSSE / certificates"]
  A --> E["Transparency log refs"]
  A --> F["Verify / Replay"]
  A --> G["Download"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE BUNDLE DETAIL: bundle-2026-02-18-us-prod.zip                                        │
│ Formerly: not first-class; users downloaded without seeing composition                       │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Contents                                                                                     │
│ Packs: pack-9001, pack-9002, pack-9003                                                       │
│ Includes: SBOM, Findings, Attestations, Provenance, VEX, Policy Decisions, Logs              │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrity                                                                                    │
│ DSSE: present ✓      Rekor entry: present ✓      Cert chain: valid ✓                         │
│ Verification status: VERIFIED                                                                │
│ Actions: [Verify bundle] [Open Proof Chain] [Download]                                       │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 20.7 Evidence screen — Export Center

### Formerly

* **Evidence → Export** (`export.png`) “Configure export profiles and monitor export runs.”

### Why changed like this

Keep it intact, but:

* export profiles should be **release/bundle/env aware**
* add “Export Env Snapshot” and “Export Approval Decision Pack” as standard profiles
* export runs are auditable artifacts tied to proofs

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A["Export Center"] --> B["Profiles"]
  A --> C["Export Runs"]
  B --> D["Profile Editor"]
  D --> E["Scope: Release / Bundle / Env / Approval"]
  D --> F["Destinations: S3 / OCI / ZIP"]
  A --> G["Generated bundle -> Evidence Bundles"]
```

### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EXPORT CENTER                                                             │
│ Formerly: Evidence ▸ Export (export.png)                                                     │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Profiles (standardized)                                                                      │
│ - Approval Decision Pack (ZIP)     scope: Approval ID → includes gates + findings + evidence │
│ - Env Snapshot Export (TAR.GZ)     scope: Env + time → includes deploy+sbom+reachability+data│
│ - Audit Bundle (ZIP)               scope: Release → full auditor bundle                      │
│ - Daily Compliance Export (TAR)    scope: org-wide nightly report                            │
│ Actions: [Create Profile]                                                                    │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Export Runs                                                                                  │
│ run-8811  Feb 18 08:40  profile: Env Snapshot (us-prod)  status: COMPLETED  [Open bundle]    │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 20.8 Evidence screen — Proof Chains

### Formerly

* **Evidence → Proof Chains** (menu exists; you referenced proof chains repeatedly)

### Why changed like this

Proof chains must be:

* searchable by release/bundle/env/pack
* linked from every exported artifact and decision
* verifiable with a single click trail

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A["Proof Chains"] --> B["Chain Detail"]
  A --> C["Filter by pack / bundle / release / env"]
  B --> D["Linked artifacts"]
  B --> E["Transparency log (Rekor) refs"]
  B --> F["Verify chain"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ PROOF CHAINS                                                              │
│ Formerly: Evidence ▸ Proof Chains (menu only in PoC)                                         │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾  Env ▾  Pack ▾  Bundle ▾  Status ▾                                        │
│ Chains                                                                                       │
│ chain-9912  linked: pack-9001 bundle-2026-02-18-us-prod    status: VALID  [Open]             │
│ chain-9913  linked: pack-9002                              status: VALID  [Open]             │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 20.9 Evidence screen — Replay & Verify (Verdict Replay)

### Formerly

* **Evidence → Replay/Verify** (`reply verify.png`) “Re-evaluate verdicts for determinism verification and audit trails.”

### Why changed like this

Keep the screen, but integrate it into audit flows:

* every pack/bundle can be replayed/verified from within its detail page
* the replay results are stored back into a pack (audit trail)

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A["Replay & Verify"] --> B["Request Replay (verdict id / image ref)"]
  A --> C["Replay Requests list"]
  A --> D["Determinism overview"]
  A --> E["Open pack detail (source)"]
  A --> F["Write result into proof chain"]
```

### ASCII mock (aligned to your current one, with clearer context)

```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ REPLAY & VERIFY                                                           │
│ Formerly: Evidence ▸ Replay/Verify (reply verify.png)                                        │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Request Replay                                                                               │
│ Verdict ID / Image Ref: [ verdict-123 or registry.example.com/app:v1.2.3 ]                   │
│ Reason: [ audit verification / policy change test / determinism check ]                      │
│ [Request Replay]                                                                             │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Replay Requests                                                                              │
│ rr-001  api-service:v1.2.3   COMPLETED  Feb 18 08:30  [Open Pack]                            │
│ rr-002  web-frontend:v2.0.0  RUNNING    Feb 18 07:30  [Open Pack]                            │
├─────────────────────────────────────────────────────────────────────────────┬────────────────┤
│ Determinism Overview                                                        │ Notes          │
│ total: 2   matching: 1   mismatches: 1   match rate: 50%                    │ mismatches     │
│                                                                             │ block exports? │
└─────────────────────────────────────────────────────────────────────────────┴────────────────┘
```

---

# 20.10 Evidence screen — Trust & Signing

### Formerly

* **Settings → Trust & Signing**
(`trust and signing .png`) Contains: Signing Keys, Issuers, Certificates, Transparency Log, Trust Scoring, Audit Log.

### Why changed like this

This is **evidence infrastructure**, not general “settings”. It should live under Evidence & Audit (root), with a pointer in Settings if needed, because:

* VEX verification depends on issuers/certs
* Rekor integration depends on transparency log configuration
* evidence packs/bundles must be verifiable independently

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A["Trust & Signing"] --> B["Signing Keys"]
  A --> C["Issuers"]
  A --> D["Certificates"]
  A --> E["Transparency Log (Rekor)"]
  A --> F["Trust Scoring"]
  A --> G["Audit Log (trust events)"]
  A --> H["Link: VEX Hub issuer status"]
```

### ASCII mock (your card layout preserved)

```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ TRUST & SIGNING                                                           │
│ Formerly: Settings ▸ Trust & Signing (trust and signing .png)                                │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Signing Keys                  Issuers                       Certificates                     │
│ [Manage Keys]                 [Manage Issuers]              [Manage Certificates]            │
│                                                                                              │
│ Transparency Log              Trust Scoring                 Audit Log                        │
│ [Configure Rekor]             [Edit Score Config]           [View Audit Log]                 │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 20.11 Evidence screen — Audit Log (new consolidated view)

### Formerly

* Trust & Signing had its own audit log tile.
* Other audit events were likely scattered.

### Why changed like this

Auditors don’t want separate “trust audit” vs “export audit” vs “approval audit.” This creates a unified log with filters and links to artifacts.
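Two of the flows above, the determinism check behind the Replay & Verify overview (20.9) and the unified audit log with artifact links described here, fit in one short script. This is an added example, not code from the PoC or the product. It assumes that a verdict is a flat JSON object, that fields such as evaluation time and request id are volatile and excluded from the comparison (`VOLATILE_FIELDS` is an assumption), that a replay counts as deterministic when the canonical digest of the original and replayed verdict match, and that each audit event carries links (replay, pack, proof chain) so the log entry routes back to the artifact. The verdicts, ids and actor are constructed; ids follow the mocks.

```python
"""Verdict replay determinism check, recorded into a unified audit log (added example)."""
import hashlib
import json
from datetime import datetime, timezone

VOLATILE_FIELDS = {"evaluated_at", "request_id", "duration_ms"}  # assumed volatile fields


def canonical_digest(verdict: dict) -> str:
    """Digest over the stable part of a verdict, with key order normalized."""
    stable = {k: v for k, v in verdict.items() if k not in VOLATILE_FIELDS}
    body = json.dumps(stable, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(body).hexdigest()


def check_replay(original: dict, replayed: dict) -> dict:
    """Compare a stored verdict with its replay and report which fields differ."""
    o, r = canonical_digest(original), canonical_digest(replayed)
    diffs = sorted(
        k for k in set(original) | set(replayed)
        if k not in VOLATILE_FIELDS and original.get(k) != replayed.get(k)
    )
    return {"match": o == r, "original_digest": o, "replay_digest": r, "changed_fields": diffs}


def determinism_overview(results: list) -> dict:
    """The 'Determinism Overview' tile: totals and match rate."""
    total = len(results)
    matching = sum(1 for r in results if r["match"])
    return {
        "total": total,
        "matching": matching,
        "mismatches": total - matching,
        "match_rate": round(100.0 * matching / total, 1) if total else 0.0,
    }


def audit_event(replay_id: str, pack_id: str, chain_id: str, result: dict, actor: str) -> dict:
    """Unified audit-log entry that links the replay result back to its artifacts."""
    return {
        "type": "ReplayCompleted",
        "at": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "outcome": "MATCH" if result["match"] else "MISMATCH",
        "changed_fields": result["changed_fields"],
        "links": {"replay": replay_id, "pack": pack_id, "proof_chain": chain_id},
    }


def filter_events(events: list, **criteria) -> list:
    """Audit Log filters: each criterion matches a top-level field or a link value."""
    def matches(ev: dict) -> bool:
        return all(ev.get(k) == v or ev["links"].get(k) == v for k, v in criteria.items())
    return [ev for ev in events if matches(ev)]


# Constructed verdicts: rr-001 replays identically, rr-002 changes its outcome.
ORIGINALS = {
    "rr-001": {"image": "api-service:v1.2.3", "verdict": "PASS", "findings": 3,
               "policy_rev": 12, "evaluated_at": "2026-02-17T08:30:00Z", "request_id": "q-1"},
    "rr-002": {"image": "web-frontend:v2.0.0", "verdict": "PASS", "findings": 1,
               "policy_rev": 12, "evaluated_at": "2026-02-17T07:30:00Z", "request_id": "q-2"},
}
REPLAYS = {
    "rr-001": {"image": "api-service:v1.2.3", "verdict": "PASS", "findings": 3,
               "policy_rev": 12, "evaluated_at": "2026-02-18T08:30:00Z", "request_id": "q-9"},
    "rr-002": {"image": "web-frontend:v2.0.0", "verdict": "FAIL", "findings": 2,
               "policy_rev": 12, "evaluated_at": "2026-02-18T07:30:00Z", "request_id": "q-10"},
}
LINKS = {"rr-001": ("pack-9001", "chain-9912"), "rr-002": ("pack-9002", "chain-9913")}


def run_all() -> tuple:
    """Replay every request, then build the overview tile and the audit-log entries."""
    results, events = {}, []
    for rid, original in ORIGINALS.items():
        results[rid] = check_replay(original, REPLAYS[rid])
        pack, chain = LINKS[rid]
        events.append(audit_event(rid, pack, chain, results[rid], actor="auditor"))
    return determinism_overview(list(results.values())), results, events


if __name__ == "__main__":
    overview, results, events = run_all()
    print(overview)
    print(filter_events(events, pack="pack-9002"))
```

Excluding volatile fields before hashing is what makes the comparison meaningful: without it every replay would mismatch on its own timestamp. `changed_fields` is kept in the audit event so the unified log can answer "what changed" from the filter view, without opening the pack.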
### Screen graph (Mermaid)

```mermaid
flowchart TD
  A["Audit Log"] --> B["Filter: release / env / approval / user / type"]
  A --> C["Event detail with links: pack / bundle / proof chain"]
  A --> D["Export audit log slice -> Evidence export"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ AUDIT LOG                                                                 │
│ Formerly: scattered audit signals (Trust & Signing / Export Runs / Approvals)                │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Event type ▾  Release ▾  Env ▾  Approval ▾  User ▾  Time ▾                          │
│ Events                                                                                       │
│ Feb 18 08:40 ExportRun created run-8811 profile Env Snapshot us-prod  by admin         [Open]│
│ Feb 18 08:33 Promotion decision PASS run-7712 pack-9001               by alice.johnson [Open]│
│ Feb 18 07:10 Trust: cert rotated issuer RegistryCA                    by admin         [Open]│
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## What this pack accomplishes

* Evidence now has a **clear chain**: **Promotion/Decision → Pack → Bundle → Proof Chain → Verify/Replay**, with exports available at each step.
* **Trust & Signing** is treated as evidence infrastructure and tied to VEX issuer trust and proof verification.
* Everything is searchable by **Release / Bundle / Env / Approval**, which is what auditors and release managers actually ask for.

---

If you want the next pack, **Pack 21** can consolidate **Settings** into:

* **Release Control** (root already)
* **Org & Access**
* **Integrations**
* **Notifications**
* **Usage & Limits**
* **System Admin**

…and provide Mermaid+ASCII for each of those screens with “formerly/why” mapping.