Pack 20 — Evidence & Audit consolidated around who needs what evidence, when (release/bundle/env‑centric; preserves all PoC screens)
Below you get:
- Evidence menu graph (Mermaid)
- For each screen:
  - Formerly (old name/location)
  - Why moved/reshaped
  - Screen navigation graph (Mermaid)
  - ASCII mock
This pack covers the PoC evidence screens you showed:
- Evidence Bundles (evidence bundles.png)
- Export Center (export.png)
- Replay/Verify (Verdict Replay) (reply verify.png)
- Packets / Proof Chains (present in the left menu in earlier screenshots; you referenced them)
- Trust & Signing (trust and signing .png)
…and makes them decision-connected for Release / Bundle / Env.
20.1 Evidence & Audit menu graph (Mermaid)
flowchart TD
EVID["Evidence & Audit (ROOT)"] --> HOME[Evidence Home]
EVID --> PACK[Evidence Packs]
EVID --> BUND[Evidence Bundles]
EVID --> EXP[Export Center]
EVID --> CHAIN[Proof Chains]
EVID --> VERIFY["Replay & Verify"]
EVID --> TRUST["Trust & Signing"]
EVID --> AUDIT[Audit Log]
%% Entry points from decision areas
REL[Releases] --> HOME
APPR[Approvals] --> HOME
RCENV[Env Detail] --> HOME
BVER[Bundle Version Detail] --> HOME
%% Cross-links
HOME --> EXP
BUND --> CHAIN
VERIFY --> CHAIN
TRUST --> CHAIN
EXP --> BUND
Design rule: Evidence is not “a folder of files.” It’s a pipeline artifact tied to:
- a Release/Hotfix,
- a Bundle Version,
- an Environment Promotion Run,
- and the policy decision that allowed/blocked it.
20.2 Evidence screen — Evidence Home (new “router” page)
Formerly
- Evidence was scattered under Evidence section items: Packets, Proof Chains, Replay/Verify, Export, Bundles.
- No single “I’m an auditor / I’m an approver / I’m an operator” entry point.
Why changed like this
Evidence Home is the entry router:
- “Give me evidence for Release X”
- “Give me evidence for Bundle Version digest”
- “Give me evidence for Env us-prod today”
- “Give me evidence for Approval request A”
This reduces bounce across Export/Bundles/Proof Chains.
Screen graph (Mermaid)
flowchart TD
A[Evidence Home] --> B[Search: Release / Bundle / Env / Approval / Digest]
A --> C[Quick tiles: Latest packs, latest bundles, failed verifies]
A --> D[Entry: Export Center]
A --> E[Entry: Evidence Bundles]
A --> F["Entry: Replay & Verify"]
A --> G[Entry: Proof Chains]
A --> H["Entry: Trust & Signing"]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ HOME │
│ Formerly: evidence functions scattered (Packets/Proof Chains/Export/Replay/Bundles) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Find evidence for: [ Release ▾ ] [ Bundle Version ▾ ] [ Environment ▾ ] [ Approval ▾ ] │
│ Or paste: digest / verdict-id / bundle-id │
│ [Search] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Quick views │
│ - Latest promotion evidence packs (24h) - Latest sealed bundles (7d) │
│ - Failed verification / replay (7d) - Expiring trust/certs (30d) │
│ │
│ Shortcuts: [Export Center] [Evidence Bundles] [Replay & Verify] [Proof Chains] [Trust & Signing]│
└──────────────────────────────────────────────────────────────────────────────────────────────┘
20.3 Evidence screen — Evidence Packs (formerly “Packets”)
Formerly
- Evidence → Packets (left nav in earlier screenshots)
- Not shown as a main content screenshot, but it exists as PoC menu item.
Why changed like this
“Pack” becomes the atomic evidence artifact tied to:
- a promotion run
- a policy decision
- a bundle version
- an environment snapshot
It should be the default evidence object used internally and optionally exported.
Screen graph (Mermaid)
flowchart TD
A[Evidence Packs] --> B[Pack Detail]
A --> C[Filter: Release / Env / Bundle Version / Time]
A --> D[Open linked Approval / Run]
A --> E[Export pack -> Export Center]
B --> F[Proof Chain refs]
B --> G["Verify signatures -> Replay & Verify"]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EVIDENCE PACKS │
│ Formerly: Evidence ▸ Packets │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾ Env ▾ Bundle Version ▾ Status ▾ Time window ▾ │
│ Actions: [Export selected packs] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Packs │
│ pack-9001 Feb 18 08:33 env us-prod bundle Hotfix 1.2.4 status: sealed ✓ [Open] │
│ pack-9002 Feb 18 07:30 env us-uat bundle web-frontend v2 status: sealed ✓ [Open] │
│ pack-9003 Feb 17 08:30 env us-prod bundle worker v3.1.0 status: sealed ✓ [Open] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
20.4 Evidence screen — Pack Detail (new “case file” for a pack)
Formerly
- Evidence details were spread across Export/Bundles/Replay.
Why changed like this
One place to answer:
- What decision was made?
- Which bundle manifest/digests?
- Which SBOM/finding snapshot?
- Which signatures / proof chain refs?
- What can I export?
Screen graph (Mermaid)
flowchart TD
A[Pack Detail] --> B["Decision summary (policy gates + approvals)"]
A --> C["Artifacts list (SBOM, findings, attestations, provenance)"]
A --> D[Proof chain refs]
A --> E[Verify / Replay]
A --> F[Export as bundle / attach to audit report]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE PACK DETAIL: pack-9001 │
│ Formerly: no unified pack “case file” │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Context │
│ Release: Hotfix 1.2.4 Env: us-prod Promotion Run: run-7712 │
│ Bundle manifest: sha256:beef... Created: Feb 18 08:33 by alice.johnson │
│ Decision: PASS policy gates 1/2 (Approval pending) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Included artifacts │
│ [✓] SBOM snapshot (SPDX) [✓] Findings snapshot (with reachability) │
│ [✓] Attestations (build) [✓] Provenance │
│ [✓] VEX statements [✓] Policy decision record │
│ [✓] Replay log / determinism result (if present) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrity │
│ DSSE envelope: present ✓ Rekor entry: present ✓ Proof chain: chain-9912 │
│ Actions: [Verify now] [Replay verdict] [Export as Audit Bundle] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
20.5 Evidence screen — Evidence Bundles
Formerly
- Evidence → Bundles (evidence bundles.png): “Download and verify sealed evidence bundles for audit and compliance.”
Why changed like this
Keep the screen, but make “bundle” explicitly:
- a compiled export artifact, usually for external auditors
- built from packs
- and searchable by Release/Env/Approval.
Screen graph (Mermaid)
flowchart TD
A[Evidence Bundles] --> B[Bundle Detail]
A --> C[Generate bundle -> Export Center]
A --> D["Verify bundle -> Replay & Verify"]
B --> E[Proof chain refs]
B --> F[Download]
ASCII mock (aligned to your current UI, but with better routing)
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EVIDENCE BUNDLES │
│ Formerly: Evidence ▸ Bundles (evidence bundles.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾ Env ▾ Approval ▾ Status ▾ Time window ▾ │
│ Note: Bundles are compiled exports (from packs) for auditors / compliance teams. │
│ [Go to Export Center] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Bundles │
│ (none found) │
│ Example rows: │
│ bundle-2026-02-18-us-prod.zip sealed ✓ contains packs: 3 [Open] [Download] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
20.6 Evidence screen — Bundle Detail (new)
Formerly
- Bundle list existed, but bundle “composition” was not surfaced as a primary view.
Why changed like this
Auditors ask “what exactly is inside” and “can I verify it independently.” Bundle Detail shows:
- included packs
- signatures (DSSE)
- transparency log references (Rekor)
- verification status
Screen graph (Mermaid)
flowchart TD
A[Bundle Detail] --> B[Included packs list]
A --> C[Included artifacts inventory]
A --> D[Signatures / DSSE / certificates]
A --> E[Transparency log refs]
A --> F[Verify / Replay]
A --> G[Download]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE BUNDLE DETAIL: bundle-2026-02-18-us-prod.zip │
│ Formerly: not first-class; users downloaded without seeing composition │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Contents │
│ Packs: pack-9001, pack-9002, pack-9003 │
│ Includes: SBOM, Findings, Attestations, Provenance, VEX, Policy Decisions, Logs │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrity │
│ DSSE: present ✓ Rekor entry: present ✓ Cert chain: valid ✓ │
│ Verification status: VERIFIED │
│ Actions: [Verify bundle] [Open Proof Chain] [Download] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
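The Pack Detail and Bundle Detail screens both promise that an auditor can check "what exactly is inside" and "can I verify it independently". The script below is an added example, not code from the PoC or this design pack: it builds pack records, a bundle that references packs by digest, and a proof chain over them, then re-verifies the whole bundle offline and reports every inconsistency it finds. The pack, bundle and chain identifiers are the ones from the mocks; the artifact bytes are constructed sample data, and the plain SHA-256 digests plus hash chain are an assumption standing in for the DSSE envelopes and Rekor entries the design names.

```python
import hashlib
import json

# Identifiers (pack-9001, bundle-2026-02-18-us-prod, chain-9912) come from the mocks;
# artifact contents are constructed, and the digest/hash-chain scheme is an assumed
# stand-in for DSSE + Rekor.


def canonical_json(obj) -> bytes:
    """Deterministic encoding so digests do not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_pack(pack_id: str, context: dict, artifacts: dict) -> dict:
    """A pack commits to its context (release/env/run) and to every artifact digest."""
    body = {
        "pack_id": pack_id,
        "context": context,
        "artifacts": {name: sha256_hex(blob) for name, blob in artifacts.items()},
    }
    return {**body, "pack_digest": sha256_hex(canonical_json(body))}


def build_bundle(bundle_id: str, packs: list) -> dict:
    """A bundle is a compiled export: it references packs by id and digest."""
    body = {
        "bundle_id": bundle_id,
        "packs": [{"pack_id": p["pack_id"], "pack_digest": p["pack_digest"]} for p in packs],
    }
    return {**body, "bundle_digest": sha256_hex(canonical_json(body))}


def build_proof_chain(chain_id: str, bundle: dict) -> dict:
    """Hash chain: each link commits to the previous link and one pack digest;
    the head additionally commits to the bundle digest."""
    prev = "sha256:" + "0" * 64
    links = []
    for ref in bundle["packs"]:
        prev = sha256_hex((prev + ref["pack_digest"]).encode())
        links.append({"pack_id": ref["pack_id"], "link": prev})
    head = sha256_hex((prev + bundle["bundle_digest"]).encode())
    return {"chain_id": chain_id, "links": links, "head": head}


def verify_bundle(bundle: dict, packs: dict, contents: dict, chain: dict):
    """Independent re-verification an auditor can run offline.
    packs: pack_id -> pack record; contents: pack_id -> {artifact name: bytes}.
    Returns ("VERIFIED", []) or ("FAILED", [problem, ...])."""
    problems = []
    for ref in bundle["packs"]:
        pack = packs.get(ref["pack_id"])
        if pack is None:
            problems.append(f"{ref['pack_id']}: referenced by bundle but not included")
            continue
        if pack["pack_digest"] != ref["pack_digest"]:
            problems.append(f"{ref['pack_id']}: bundle reference digest != pack digest")
        body = {k: pack[k] for k in ("pack_id", "context", "artifacts")}
        if sha256_hex(canonical_json(body)) != pack["pack_digest"]:
            problems.append(f"{ref['pack_id']}: pack digest does not match its own fields")
        for name, expected in pack["artifacts"].items():
            blob = contents.get(ref["pack_id"], {}).get(name)
            if blob is None:
                problems.append(f"{ref['pack_id']}: artifact {name} missing")
            elif sha256_hex(blob) != expected:
                problems.append(f"{ref['pack_id']}: artifact {name} digest mismatch")
    body = {"bundle_id": bundle["bundle_id"], "packs": bundle["packs"]}
    if sha256_hex(canonical_json(body)) != bundle["bundle_digest"]:
        problems.append("bundle digest does not match its pack list")
    if build_proof_chain(chain["chain_id"], bundle)["head"] != chain["head"]:
        problems.append(f"{chain['chain_id']}: proof chain head mismatch")
    return ("FAILED" if problems else "VERIFIED"), problems


def demo():
    """Builds the bundle from the mock, verifies it, then tampers with one SBOM and re-verifies."""
    contents = {  # constructed artifact bytes
        "pack-9001": {"sbom.spdx.json": b'{"spdxVersion":"SPDX-2.3"}',
                      "policy-decision.json": b'{"decision":"PASS"}'},
        "pack-9002": {"sbom.spdx.json": b'{"spdxVersion":"SPDX-2.3","name":"web-frontend"}'},
        "pack-9003": {"sbom.spdx.json": b'{"spdxVersion":"SPDX-2.3","name":"worker"}'},
    }
    ctx = {"pack-9001": {"release": "Hotfix 1.2.4", "env": "us-prod", "run": "run-7712"},
           "pack-9002": {"release": "web-frontend v2", "env": "us-uat", "run": "run-7710"},
           "pack-9003": {"release": "worker v3.1.0", "env": "us-prod", "run": "run-7701"}}
    packs = {pid: build_pack(pid, ctx[pid], blobs) for pid, blobs in contents.items()}
    bundle = build_bundle("bundle-2026-02-18-us-prod", list(packs.values()))
    chain = build_proof_chain("chain-9912", bundle)
    clean = verify_bundle(bundle, packs, contents, chain)
    tampered = {k: dict(v) for k, v in contents.items()}
    tampered["pack-9001"]["sbom.spdx.json"] = b'{"spdxVersion":"SPDX-2.3","edited":true}'
    return clean, verify_bundle(bundle, packs, tampered, chain)


if __name__ == "__main__":
    for status, problems in demo():
        print(status, problems)
```

The verifier deliberately reports every problem rather than stopping at the first one, which is what the "Integrity" section of Bundle Detail needs to render: a single VERIFIED/FAILED status plus the list of packs or artifacts that did not check out. Swapping the digest checks for DSSE signature verification and the chain head for a Rekor inclusion proof keeps the same shape.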
20.7 Evidence screen — Export Center
Formerly
- Evidence → Export (export.png): “Configure export profiles and monitor export runs.”
Why changed like this
Keep it intact, but:
- export profiles should be release/bundle/env aware
- add “Export Env Snapshot” and “Export Approval Decision Pack” as standard profiles
- export runs are auditable artifacts tied to proofs
Screen graph (Mermaid)
flowchart TD
A[Export Center] --> B[Profiles]
A --> C[Export Runs]
B --> D[Profile Editor]
D --> E[Scope: Release / Bundle / Env / Approval]
D --> F[Destinations: S3/OCI/ZIP]
A --> G[Generated bundle -> Evidence Bundles]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EXPORT CENTER │
│ Formerly: Evidence ▸ Export (export.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Profiles (standardized) │
│ - Approval Decision Pack (ZIP) scope: Approval ID → includes gates + findings + evidence │
│ - Env Snapshot Export (TAR.GZ) scope: Env + time → includes deploy+sbom+reachability+data │
│ - Audit Bundle (ZIP) scope: Release → full auditor bundle │
│ - Daily Compliance Export (TAR) scope: org-wide nightly report │
│ Actions: [Create Profile] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Export Runs │
│ run-8811 Feb 18 08:40 profile: Env Snapshot (us-prod) status: COMPLETED [Open bundle] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
20.8 Evidence screen — Proof Chains
Formerly
- Evidence → Proof Chains (menu exists; you referenced proof chains repeatedly)
Why changed like this
Proof chains must be:
- searchable by release/bundle/env/pack
- linked from every exported artifact and decision
- verifiable with a single click trail
Screen graph (Mermaid)
flowchart TD
A[Proof Chains] --> B[Chain Detail]
A --> C[Filter by pack/bundle/release/env]
B --> D[Linked artifacts]
B --> E["Transparency log (Rekor) refs"]
B --> F[Verify chain]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ PROOF CHAINS │
│ Formerly: Evidence ▸ Proof Chains (menu only in PoC) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾ Env ▾ Pack ▾ Bundle ▾ Status ▾ │
│ Chains │
│ chain-9912 linked: pack-9001 bundle-2026-02-18-us-prod status: VALID [Open] │
│ chain-9913 linked: pack-9002 status: VALID [Open] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
20.9 Evidence screen — Replay & Verify (Verdict Replay)
Formerly
- Evidence → Replay/Verify (reply verify.png): “Re-evaluate verdicts for determinism verification and audit trails.”
Why changed like this
Keep the screen, but integrate it into audit flows:
- every pack/bundle can be replayed/verified from within its detail page
- the replay results are stored back into a pack (audit trail)
Screen graph (Mermaid)
flowchart TD
A["Replay & Verify"] --> B["Request Replay (verdict id / image ref)"]
A --> C[Replay Requests list]
A --> D[Determinism overview]
A --> E["Open pack detail (source)"]
A --> F[Write result into proof chain]
ASCII mock (aligned to your current one, with clearer context)
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ REPLAY & VERIFY │
│ Formerly: Evidence ▸ Replay/Verify (reply verify.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Request Replay │
│ Verdict ID / Image Ref: [ verdict-123 or registry.example.com/app:v1.2.3 ] │
│ Reason: [ audit verification / policy change test / determinism check ] │
│ [Request Replay] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Replay Requests │
│ rr-001 api-service:v1.2.3 COMPLETED Feb 18 08:30 [Open Pack] │
│ rr-002 web-frontend:v2.0.0 RUNNING Feb 18 07:30 [Open Pack] │
├───────────────────────────────────────────────────────────────────────────────┬──────────────┤
│ Determinism Overview │ Notes │
│ total: 2 matching: 1 mismatches: 1 match rate: 50% │ mismatches │
│ │ block exports?│
└──────────────────────────────────────────────────────────────────────────────┴──────────────┘
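The Determinism Overview panel leaves an open question in its notes column ("mismatches block exports?"). The following is an added example, not code from the PoC or this pack, of how the replay results can be classified and turned into that export decision. A replay is only a determinism failure when the same findings snapshot and policy revision produce a different decision; a replay requested as a "policy change test" is expected to differ when the policy revision changed, so it should not block. The verdict ids and image refs echo the mock; the field values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data: verdict ids / image refs echo the mock, field values are invented.


@dataclass(frozen=True)
class Verdict:
    verdict_id: str
    image_ref: str
    decision: str         # PASS or BLOCK
    findings_digest: str  # digest of the findings snapshot the decision was computed from
    policy_rev: str       # policy revision evaluated


def classify(original: Verdict, replayed: Verdict) -> str:
    """MATCH: same inputs, same decision.
    INPUTS_CHANGED: findings or policy differ, so a different decision is legitimate.
    NONDETERMINISTIC: same inputs, different decision (the real audit problem)."""
    same_inputs = (original.findings_digest, original.policy_rev) == \
                  (replayed.findings_digest, replayed.policy_rev)
    if same_inputs:
        return "MATCH" if original.decision == replayed.decision else "NONDETERMINISTIC"
    return "INPUTS_CHANGED"


def determinism_overview(pairs: List[Tuple[Verdict, Verdict]]) -> dict:
    """Aggregates (original, replay) pairs into the numbers the overview panel shows."""
    mismatches: Dict[str, str] = {}
    for original, replayed in pairs:
        outcome = classify(original, replayed)
        if outcome != "MATCH":
            mismatches[original.verdict_id] = outcome
    total = len(pairs)
    matching = total - len(mismatches)
    return {
        "total": total,
        "matching": matching,
        "mismatches": mismatches,
        "match_rate": (100.0 * matching / total) if total else 100.0,
    }


def export_decision(overview: dict, pack_verdict_ids: List[str], reason: str) -> Tuple[bool, List[str]]:
    """Export gate for one pack: blocked if any verdict the pack depends on replayed
    non-deterministically, or replayed against changed inputs outside a policy change test."""
    blocking = []
    for vid in pack_verdict_ids:
        outcome = overview["mismatches"].get(vid)
        if outcome is None:
            continue
        if outcome == "INPUTS_CHANGED" and reason == "policy change test":
            continue
        blocking.append(vid)
    return (not blocking), blocking


def demo():
    """Reproduces the mock's overview (total 2, matching 1, 50%) and gates an export on it."""
    original_123 = Verdict("verdict-123", "api-service:v1.2.3", "PASS", "sha256:f1", "policy-rev-41")
    replay_123 = Verdict("verdict-123", "api-service:v1.2.3", "PASS", "sha256:f1", "policy-rev-41")
    original_124 = Verdict("verdict-124", "web-frontend:v2.0.0", "PASS", "sha256:f2", "policy-rev-41")
    replay_124 = Verdict("verdict-124", "web-frontend:v2.0.0", "BLOCK", "sha256:f2", "policy-rev-42")
    overview = determinism_overview([(original_123, replay_123), (original_124, replay_124)])
    return overview, export_decision(overview, ["verdict-124"], "audit verification")


if __name__ == "__main__":
    overview, (allowed, blocking) = demo()
    print(overview)
    print("export allowed:", allowed, "blocked by:", blocking)
```

Storing the classification (not just a match/mismatch flag) back into the pack, as the design proposes, is what makes the export gate explainable later: an auditor can see that a verdict changed because the policy changed, not because the evaluator is non-deterministic.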
20.10 Evidence screen — Trust & Signing
Formerly
- Settings → Trust & Signing (trust and signing .png). Contains: Signing Keys, Issuers, Certificates, Transparency Log, Trust Scoring, Audit Log.
Why changed like this
This is evidence infrastructure, not general “settings”. It should live under Evidence & Audit (root), with a pointer in Settings if needed, because:
- VEX verification depends on issuers/certs
- Rekor integration depends on transparency log configuration
- evidence packs/bundles must be verifiable independently
Screen graph (Mermaid)
flowchart TD
A["Trust & Signing"] --> B[Signing Keys]
A --> C[Issuers]
A --> D[Certificates]
A --> E["Transparency Log (Rekor)"]
A --> F[Trust Scoring]
A --> G["Audit Log (trust events)"]
A --> H[Link: VEX Hub issuer status]
ASCII mock (your card layout preserved)
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ TRUST & SIGNING │
│ Formerly: Settings ▸ Trust & Signing (trust and signing .png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Signing Keys Issuers Certificates │
│ [Manage Keys] [Manage Issuers] [Manage Certificates] │
│ │
│ Transparency Log Trust Scoring Audit Log │
│ [Configure Rekor] [Edit Score Config] [View Audit Log] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
20.11 Evidence screen — Audit Log (new consolidated view)
Formerly
- Trust & Signing had its own audit log tile.
- Other audit events were likely scattered.
Why changed like this
Auditors don’t want separate “trust audit” vs “export audit” vs “approval audit.” This creates a unified log with filters and links to artifacts.
Screen graph (Mermaid)
flowchart TD
A[Audit Log] --> B[Filter: release/env/approval/user/type]
A --> C[Event detail with links: pack/bundle/proof chain]
A --> D[Export audit log slice -> Evidence export]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ AUDIT LOG │
│ Formerly: scattered audit signals (Trust & Signing / Export Runs / Approvals) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Event type ▾ Release ▾ Env ▾ Approval ▾ User ▾ Time ▾ │
│ Events │
│ Feb 18 08:40 ExportRun created run-8811 profile Env Snapshot us-prod by admin [Open] │
│ Feb 18 08:33 Promotion decision PASS run-7712 pack-9001 by alice.johnson [Open] │
│ Feb 18 07:10 Trust: cert rotated issuer RegistryCA by admin [Open] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
What this pack accomplishes
- Evidence now has a clear chain: Promotion/Decision → Pack → Bundle → Proof Chain → Verify/Replay with exports available at each step.
- Trust & Signing is treated as evidence infrastructure and tied to VEX issuer trust and proof verification.
- Everything is searchable by Release / Bundle / Env / Approval, which is what auditors and release managers actually ask for.
If you want the next pack, Pack 21 can consolidate Settings into:
- Release Control (root already)
- Org & Access
- Integrations
- Notifications
- Usage & Limits
- System Admin
…and provide Mermaid+ASCII for each of those screens with “formerly/why” mapping.