{ "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://stellaops.dev/evidence-pack@v1", "title": "StellaOps Evidence Pack Manifest", "description": "Manifest for replayable evidence packs containing complete policy evaluation context", "type": "object", "required": [ "_type", "packId", "generatedAt", "tenantId", "policyRunId", "policyId", "policyVersion", "manifestVersion", "contents", "statistics", "determinismHash" ], "properties": { "_type": { "type": "string", "const": "https://stellaops.dev/evidence-pack@v1", "description": "Evidence pack type identifier" }, "packId": { "type": "string", "description": "Unique evidence pack identifier (the pattern is anchored only at the start, so trailing characters are not rejected)", "pattern": "^pack:run:[^:]+:[0-9]{8}T[0-9]{6}Z:[a-z0-9]+" }, "generatedAt": { "type": "string", "format": "date-time", "description": "Timestamp when the pack was generated (UTC ISO-8601)" }, "tenantId": { "type": "string", "description": "Tenant identifier", "pattern": "^[a-z0-9_-]+$" }, "policyRunId": { "type": "string", "description": "Identifier of the policy run this pack captures (the pattern is anchored only at the start, so trailing characters are not rejected)", "pattern": "^run:[^:]+:[0-9]{8}T[0-9]{6}Z:[a-z0-9]+" }, "policyId": { "type": "string", "description": "Policy identifier", "pattern": "^P-[0-9]+$" }, "policyVersion": { "type": "integer", "description": "Policy version number", "minimum": 1 }, "manifestVersion": { "type": "string", "description": "Evidence pack manifest version", "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$" }, "contents": { "type": "object", "description": "Index of pack contents by category", "required": ["policy"], "properties": { "policy": { "type": "array", "description": "Policy artifacts", "minItems": 1, "items": { "$ref": "#/$defs/contentDescriptor" } }, "sbom": { "type": "array", "description": "SBOM artifacts", "items": { "$ref": "#/$defs/contentDescriptorWithId" } }, "advisories": { "type": "array", "description": "Advisory snapshots", "items": { "$ref": "#/$defs/advisoryDescriptor" } }, "vex": { "type": "array", "description": "VEX statements", "items": { "$ref": 
"#/$defs/vexDescriptor" } }, "verdicts": { "type": "array", "description": "Verdict attestations", "items": { "$ref": "#/$defs/verdictDescriptor" } }, "reachability": { "type": "array", "description": "Reachability analysis results", "items": { "$ref": "#/$defs/contentDescriptor" } } } }, "statistics": { "type": "object", "description": "Pack content statistics", "required": ["totalFiles", "totalSize"], "properties": { "totalFiles": { "type": "integer", "minimum": 0, "description": "Total number of files in pack" }, "totalSize": { "type": "integer", "minimum": 0, "description": "Total pack size in bytes" }, "componentCount": { "type": "integer", "minimum": 0, "description": "Number of SBOM components" }, "findingCount": { "type": "integer", "minimum": 0, "description": "Number of findings evaluated" }, "verdictCount": { "type": "integer", "minimum": 0, "description": "Number of verdicts issued" }, "advisoryCount": { "type": "integer", "minimum": 0, "description": "Number of advisory snapshots" }, "vexStatementCount": { "type": "integer", "minimum": 0, "description": "Number of VEX statements" } } }, "determinismHash": { "type": "string", "pattern": "^sha256:[a-f0-9]+$", "description": "Determinism hash computed from sorted content digests (sha256, lowercase hex; the pattern does not enforce the 64-character digest length)" }, "signatures": { "type": "array", "description": "Cryptographic signatures over the manifest. Optional: the property is not in the top-level required list, so an unsigned manifest also validates; consumers that rely on authenticity must require and verify a signature themselves", "items": { "type": "object", "required": ["keyId", "algorithm", "signature", "signedAt"], "properties": { "keyId": { "type": "string", "description": "Signing key identifier" }, "algorithm": { "type": "string", "enum": ["ed25519", "ecdsa-p256", "rsa-pss"], "description": "Signature algorithm" }, "signature": { "type": "string", "description": "Base64-encoded signature" }, "signedAt": { "type": "string", "format": "date-time", "description": "Signature timestamp (UTC ISO-8601)" } } } } }, "additionalProperties": false, "$defs": { "contentDescriptor": { "type": "object", "required": ["path", "digest", "size", "mediaType"], "properties": { 
"path": { "type": "string", "description": "Relative path within pack (not constrained by this schema; consumers should reject absolute paths and '..' segments before resolving it)" }, "digest": { "type": "string", "pattern": "^(sha256|sha384|sha512):[a-f0-9]+$", "description": "Content digest as algorithm:hex, lowercase (the pattern does not check the hex length against the algorithm)" }, "size": { "type": "integer", "minimum": 0, "description": "File size in bytes" }, "mediaType": { "type": "string", "description": "Content media type" } } }, "contentDescriptorWithId": { "allOf": [ { "$ref": "#/$defs/contentDescriptor" }, { "type": "object", "required": ["sbomId"], "properties": { "sbomId": { "type": "string", "description": "SBOM identifier" } } } ] }, "advisoryDescriptor": { "allOf": [ { "$ref": "#/$defs/contentDescriptor" }, { "type": "object", "required": ["cveId", "capturedAt"], "properties": { "cveId": { "type": "string", "description": "CVE identifier", "pattern": "^CVE-[0-9]{4}-[0-9]+$" }, "capturedAt": { "type": "string", "format": "date-time", "description": "Snapshot capture timestamp" } } } ] }, "vexDescriptor": { "allOf": [ { "$ref": "#/$defs/contentDescriptor" }, { "type": "object", "required": ["statementId"], "properties": { "statementId": { "type": "string", "description": "VEX statement identifier" } } } ] }, "verdictDescriptor": { "allOf": [ { "$ref": "#/$defs/contentDescriptor" }, { "type": "object", "required": ["findingId", "verdictStatus"], "properties": { "findingId": { "type": "string", "description": "Finding identifier" }, "verdictStatus": { "type": "string", "enum": ["passed", "warned", "blocked", "quieted", "ignored"], "description": "Verdict status" } } } ] } } }