GitHub: mizcausevic-dev/evidence-bundle-spec
# evidence-bundle-spec
**Evidence Bundle v0.1 draft.** A portable format for shipping evidence packets between systems — RAG citation packs, audit excerpts, signed compliance disclosures, incident-response artifacts, regulatory submissions.
Part of the [Kinetic Gain Protocol Suite](https://suite.kineticgain.com).
## Why
When an LLM cites three sources for an answer, an auditor asks for "the evidence behind that decision", or a vendor responds to a SOC2 control request — the artifact that gets handed over is always a directory of files plus some notes about provenance. Today every team invents that directory shape locally. Different fields, different hashing rules, different sign-off conventions, different file layouts.
This spec pins it down: one directory, one `manifest.json`, every file hashed, optional cross-references, optional signature. Anyone can read it without our code.
## Shape
```
my-bundle/
  manifest.json        <- conforms to evidence-bundle.schema.json
  content/
    source-a.pdf
    source-b.json
    summary.md
```

```json
{
  "evidence_bundle_version": "0.1",
  "bundle": { "id": "…", "subject": "…", "purpose": "…", "created_at": "…", "creator": "…" },
  "items": [ { "id": "…", "path": "content/x.pdf", "sha256": "…", "size_bytes": 123 } ],
  "relationships": [ { "subject": "…", "predicate": "cites", "object": "…" } ],
  "provenance": { "agent_card_uri": "…", "prompt_provenance_uri": "…", "otel_trace_id": "…" },
  "signature": { "algorithm": "ed25519", "signer": "…", "value": "…", "signed_at": "…" }
}
```
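An added example, not part of this repository: a minimal Python check that recomputes each item's `sha256` and `size_bytes` from the manifest and rejects `path` values that resolve outside the bundle directory. The function names and the sample bundle are constructed for illustration, hex-encoded digests are assumed, and signature verification is left out because the canonical manifest form is not defined on this page.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def verify_bundle(bundle_dir):
    """Return a list of problems; an empty list means every item checks out."""
    root = Path(bundle_dir).resolve()
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    problems = []
    for item in manifest.get("items", []):
        item_id, rel = item.get("id"), item.get("path", "")
        target = (root / rel).resolve()
        # Reject paths that leave the bundle (absolute paths, "..", symlinks).
        if not target.is_relative_to(root):
            problems.append(f"{item_id}: path escapes bundle: {rel}")
            continue
        if not target.is_file():
            problems.append(f"{item_id}: missing file: {rel}")
            continue
        data = target.read_bytes()
        if len(data) != item.get("size_bytes"):
            problems.append(f"{item_id}: size mismatch")
        # Assumption: sha256 is stored as a hex string.
        if hashlib.sha256(data).hexdigest() != str(item.get("sha256", "")).lower():
            problems.append(f"{item_id}: sha256 mismatch")
    return problems


def build_sample_bundle(root):
    """Write a constructed two-file bundle under root and return its path."""
    bundle = Path(root) / "my-bundle"
    (bundle / "content").mkdir(parents=True)
    items = []
    for name, body in [("summary.md", b"# Summary\n"), ("source-b.json", b"{}\n")]:
        (bundle / "content" / name).write_bytes(body)
        items.append({"id": name, "path": f"content/{name}",
                      "sha256": hashlib.sha256(body).hexdigest(), "size_bytes": len(body)})
    # Constructed manifest: only the fields this check reads, not schema-complete.
    manifest = {"evidence_bundle_version": "0.1", "items": items}
    (bundle / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return bundle


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_bundle(tmp)
        print(verify_bundle(sample))  # untouched bundle
        (sample / "content" / "summary.md").write_bytes(b"# Edited\n")
        print(verify_bundle(sample))  # after tampering with one file
```

Run this kind of check before trusting any `relationships` or `provenance` entries, since those only mean something if the items they point to are the bytes the creator hashed.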
## Composes with
| Spec | Reference |
|---|---|
| [`prompt-provenance-spec`](https://github.com/mizcausevic-dev/prompt-provenance-spec) | `provenance.prompt_provenance_uri` |
| [`agent-cards-spec`](https://github.com/mizcausevic-dev/agent-cards-spec) | `provenance.agent_card_uri` |
| [`mcp-tool-card-spec`](https://github.com/mizcausevic-dev/mcp-tool-card-spec) | `provenance.tool_card_uri` |
| [`hash-attestation-rs`](https://github.com/mizcausevic-dev/hash-attestation-rs) | ed25519 signature over the canonical manifest |
| [`bls-attestation-broker`](https://github.com/mizcausevic-dev/bls-attestation-broker) | multi-signer BLS aggregate signature |
## CI
GitHub Actions validates every `examples/**/manifest.json` against the schema on each push using AJV with the JSON Schema 2020-12 dialect.
```bash
# Validate locally
npx ajv -s evidence-bundle.schema.json -d "examples/**/manifest.json" --strict=false --spec=draft2020
```
## License
[AGPL-3.0-or-later](./LICENSE)