Schema Reference

Complete JSON schemas for PolicyArtifact, Receipts, Evidence Bundles, and Chain structures. All schemas use JCS (RFC 8785) canonicalization for deterministic hashing and signing.

PolicyArtifact Receipt Evidence Bundle Chain Head

PolicyArtifact

The core governance object binding integrity policy, telemetry rules, and enforcement mapping.

JSON

{
  "policy_version": 1,
  "vault_id": "vault_01HXYZ...",
  "artifact_id": "art_01HXYZ...",
  "issued_at": "2025-01-15T00:00:00Z",
  "not_before": "2025-01-15T00:00:00Z",
  "not_after": "2026-01-15T00:00:00Z",
  "issuer": {
    "issuer_id": "iss_01HXYZ...",
    "issuer_public_key": "base64url...",
    "issuer_signature": "base64url..."
  },
  "integrity_policy": {
    "subject_type": "CONTAINER_IMAGE",
    "container_image_digest": "sha256:...",
    "config_digest": "sha256:...",
    "sbom_digest": "sha256:...",
    "drift_rule": "STRICT_EQUALITY"
  },
  "telemetry_policy": {
    "streams": [
      {
        "stream_id": "pressure_psi",
        "cadence_seconds": 60,
        "drift_rule": { "type": "RANGE", "min": 0, "max": 100 },
        "missing_data_tolerance_seconds": 120,
        "enforcement_mapping": {
          "on_drift": "ALERT",
          "on_missing": "ALERT"
        }
      }
    ]
  },
  "enforcement_policy": {
    "on_integrity_drift": "BLOCK_START",
    "on_telemetry_drift": "ALERT",
    "on_signature_invalid": "TERMINATE"
  },
  "key_schedule": {
    "stream_keys": [
      {
        "stream_id": "pressure_psi",
        "sender_public_key": "base64url...",
        "key_id": "36ee3280c62ed537"
      }
    ]
  },
  "policy_hash": "sha256:..."
}

Receipt

Signed event record emitted by the Local Governance Engine, hash-linked to form a chain.

JSON

{
  "receipt_version": 1,
  "receipt_id": "rcpt_01HXYZ...",
  "run_id": "run_01HXYZ...",
  "artifact_id": "art_01HXYZ...",
  "sequence_number": 3,
  "timestamp": "2025-01-15T12:34:56Z",
  "event_type": "DRIFT_DETECTED",
  "payload": {
    "stream_id": "pressure_psi",
    "expected": { "min": 0, "max": 100 },
    "observed": 105,
    "reason_code": "RANGE_EXCEEDED"
  },
  "enforcement": {
    "action": "ALERT",
    "executed_at": "2025-01-15T12:34:56Z"
  },
  "chain": {
    "prev_receipt_hash": "sha256:...",
    "this_receipt_hash": "sha256:..."
  },
  "signer": {
    "key_id": "36ee3280c62ed537",
    "signature": "base64url..."
  }
}

Evidence Bundle

Portable verification package containing all artifacts for offline audit.

Directory Structure + JSON

bundle.zip/
├── bundle_manifest.json
├── policy/
│   └── policy_artifact.json
├── receipts/
│   ├── 0001.json
│   ├── 0002.json
│   ├── 0003.json
│   └── chain_head.json
├── subject/
│   └── subject_manifest.json
├── verifier/
│   ├── verify.js
│   └── VERSION.txt
└── README.txt

bundle_manifest.json:
{
  "bundle_version": 1,
  "created_at": "2025-01-15T13:00:00Z",
  "policy_id": "art_01HXYZ...",
  "run_id": "run_01HXYZ...",
  "receipt_count": 3,
  "chain_head_hash": "sha256:...",
  "files": [
    { "path": "policy/policy_artifact.json", "sha256": "...", "size_bytes": 2048 },
    { "path": "receipts/0001.json", "sha256": "...", "size_bytes": 512 }
  ],
  "verifier": {
    "name": "aga-verifier",
    "version": "1.0.0",
    "entrypoint": "verify.js"
  }
}

Chain Head

Summary of receipt chain state for quick integrity verification.

JSON

{
  "chain_version": 1,
  "run_id": "run_01HXYZ...",
  "receipt_count": 5,
  "head_counter": 5,
  "head_receipt_hash": "sha256:...",
  "head_receipt_path": "receipts/0005.json",
  "genesis_hash": "sha256:...",
  "checkpoints": [
    {
      "counter": 5,
      "merkle_root": "sha256:...",
      "tsa_token": "base64url..."
    }
  ]
}

Implementation Notes

All hashes are SHA-256, encoded as lowercase hex or base64url depending on context
Signatures are Ed25519 (RFC 8032) over JCS-canonicalized bytes
Timestamps are ISO 8601 with mandatory UTC "Z" suffix
ZIP entries must be sorted lexicographically for deterministic bundles

Schema Reference

Contents

PolicyArtifact

Receipt

Evidence Bundle

Chain Head

Implementation Notes