{ "id": "urn:stellaops:proofbundle:sample-hello-1", "version": "1.0.0", "created_at": "2025-12-04T00:00:00Z", "created_by": "StellaOps QA Guild", "graph": { "hash": "blake3:74640754695e6e5cda4156a0ef1fd3a557d802ef118fef8afaed67089cd39cb1", "dsse": { "path": "tests/Vex/ProofBundles/cas/graph.json.dsse.json", "sha256": "sha256:3bb1dc6af5c974635ed387fdf938f5a983c370d77d01a032aa63f5407efcfc7f", "payload_sha256": "sha256:34d8051bb97bd3c034e6a2221474ce2faaaca59357721fa1b47df88a281d057b" } }, "openvex": { "path": "tests/Vex/ProofBundles/openvex-sample.json", "statement_id": "urn:stellaops:vex:statement:sample-hello-1", "canonical_sha256": "sha256:94063a78cc1b0ce363941467c8e67e368c11de4d82625c2cf05cedd773257a3e", "canonical_blake3": "blake3:03504f2b1c3b29870851baebc9e6658b76af2e92620767089cecb4c20072d84b", "serialization": "canonical-json" }, "justification": { "id": "VEX1.vulnerable_code_not_present", "dsse": { "path": "docs/benchmarks/vex-justifications.catalog.dsse.json", "sha256": "sha256:7df3cbd970bc851b51ce35ff1c61f927b62fe3514e5ff6313a5bad26d675b0c7" } }, "entrypoints": [ { "id": "app://api/GET-/healthz", "coverage_percent": 96.3, "negative_tests": true, "config_hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc", "flags_hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53" }, { "id": "app://worker/queue/default", "coverage_percent": 95.1, "negative_tests": true, "config_hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc", "flags_hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53" } ], "evidence": [ { "type": "graph", "cas_uri": "cas://graph.json", "hash": "blake3:74640754695e6e5cda4156a0ef1fd3a557d802ef118fef8afaed67089cd39cb1", "dsse": { "path": "tests/Vex/ProofBundles/cas/graph.json.dsse.json", "sha256": "sha256:3bb1dc6af5c974635ed387fdf938f5a983c370d77d01a032aa63f5407efcfc7f" }, "expires_at": "2026-12-31T00:00:00Z" }, { "type": "coverage", "cas_uri": "cas://coverage.json", "hash": "sha256:422f9840d6facaae093d6496eeac472e10b19519854953454107c1b14945f510", "dsse": { "path": "tests/Vex/ProofBundles/cas/coverage.json.dsse.json", "sha256": "sha256:606864d2165b9ddfea664dca36318616e5ea575e2e96e7fa2bc204cc3f79fe2f" }, "expires_at": "2026-06-30T00:00:00Z" }, { "type": "runtime_trace", "cas_uri": "cas://runtime-trace.ndjson", "hash": "sha256:c0a91f645b899e4572ec24603916cdfe982934f47ebdaec2ef67ee9303568a77", "expires_at": "2026-06-30T00:00:00Z" }, { "type": "negative_test", "cas_uri": "cas://negative-tests.ndjson", "hash": "sha256:09efda057796b8f0f0fa001505d9e684cf04e05ac8e3c6fe24476a367bb78aaa", "expires_at": "2026-06-30T00:00:00Z" }, { "type": "config", "cas_uri": "cas://config.lock", "hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc", "expires_at": "2026-03-31T00:00:00Z" }, { "type": "flags", "cas_uri": "cas://flags.json", "hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53", "expires_at": "2026-03-31T00:00:00Z" } ], "reevaluation": { "on_sbom_change": true, "on_graph_change": true, "on_runtime_change": true, "ttl_days": 30 }, "rbac": { "roles_allowed": [ "vex-author", "policy-admin" ], "approvals_required": 2, "enforcement": "policy+signer" }, "uncertainty": { "state": "U1-low", "entropy": 0.08, "notes": "Coverage >95% and negative tests clean; runtime probes match reachability graph." }, "policy": { "decision": "not_affected", "decision_reason": "vulnerable_code_not_present", "openvex_serialization": "canonical-json", "canonical_encoding": "JCS" }, "signatures": [ { "type": "dsse", "key_id": "demo-root", "sig": "C3miJFhDRdNTxnBJSXSKeiilqTaF44poXV3GHAjfVxQ=", "envelope_digest": "sha256:cacd00d318a3f0b3f579f57322619f99e772cced0c2a7bf14a684c6ce55da7b4", "rekor_log_id": "demo-log", "rekor_entry_uuid": "demo-entry-0001", "transparency_checkpoint": "checkpoint-demo" } ] }