Higgs AI · SPARTAN · Evidence Capsule v0.1

Sample Capsule v0.1 — Demo Bundle

A working, locally-verifiable demonstration of the SPARTAN Evidence Capsule v0.1 loop. See what spartan capsule build / verify / view actually produce — without installing SPARTAN, running a scanner, or trusting Higgs AI.

Files in this bundle

spartan-sample-capsule-v0.1.zip All eight demo files packaged as a single downloadable archive. Size and SHA-256 are recorded in MANIFEST.json under the wrapper_archive field so a recipient can verify the download before unzipping.
report.html Static HTML report rendered from the capsule by spartan capsule view. No JavaScript. No external assets. Light theme is intentional — this is the literal tool output.
evidence.tar.gz The capsule itself. A real, gzipped tar archive. Verify locally with spartan capsule verify evidence.tar.gz.
verify-output.txt Literal terminal output of spartan capsule verify against this capsule. Compare with what your own machine produces.
findings.sarif SARIF v2.1.0 export. Consumable by GitHub code scanning, VS Code SARIF Viewer, Microsoft's Sarif Multitool, or any JSON tool. Every result.level is "note"; risk and evidence tier are in result.properties.
README_VERIFY_IT_YOURSELF.md Full instructions for verifying the bundle yourself.
CLAIMS_AND_NON_CLAIMS.md Explicit claims and non-claims SPARTAN makes about Capsule v0.1.
MANIFEST.json Sizes and SHA-256 hashes for every file in this bundle.

What the demo capsule contains

A real SPARTAN validation run against examples/demo-repo — the intentionally-vulnerable benchmark in the SPARTAN source tree. 11 findings across multiple risk classes and evidence tiers:

Risk	Finding type	Count	Evidence tier
CRITICAL	`hardcoded_secrets`	1	EVIDENCE_BACKED
HIGH	`vulnerable_dependencies`	1	EVIDENCE_BACKED
HIGH	`missing_auth_on_declared_routes`	5	ANALYST_HYPOTHESIS
HIGH	`path_traversal_patterns`	2	ANALYST_HYPOTHESIS
HIGH	`sql_string_interpolation`	1	ANALYST_HYPOTHESIS
HIGH	`unsafe_deserialization_patterns`	1	ANALYST_HYPOTHESIS

Verification summary

Running spartan capsule verify evidence.tar.gz against this capsule reports:

Level	Outcome	What it proves
`STRUCTURE`	PASS	File integrity: every file declared in `manifest.json` exists with the declared size and SHA-256.
`REDACTION`	PASS	Two-pass residue scan over all JSON files finds nothing forbidden (no local paths, hostnames, usernames, git remotes, or suspected-secret patterns).
`AUDIT_DIGEST`	PASS	Audit digest is internally consistent; `digest_root_hash` recomputes from the sorted entries.
`SIGNATURE`	NOT_PRESENT	Capsule v0.1 is intentionally unsigned. Reserved as a verification level for a future schema.
`REPLAY`	NOT_PRESENT	Capsule does not carry runtime artifacts. Reserved for a future schema.

Verify it yourself

If you have a SPARTAN checkout on the same machine:

spartan capsule verify evidence.tar.gz
spartan capsule view evidence.tar.gz --format html --out my-report.html

Without a SPARTAN checkout, you can still:

Open report.html directly in a browser — no JavaScript, no external assets.
Read verify-output.txt for the literal terminal output of spartan capsule verify.
Inspect findings.sarif as JSON, open it in VS Code's SARIF Viewer, or upload it to GitHub code scanning.
Recompute file hashes against MANIFEST.json with any SHA-256 tool — for example, shasum -a 256 evidence.tar.gz on macOS or Linux.

What this demo is NOT

Not production customer evidence. The repository scanned is a synthetic demo.
Not signed. Evidence Capsule v0.1 is intentionally unsigned. SIGNATURE: NOT_PRESENT. It verifies consistency, not origin.
Not replay-bearing. The capsule does not carry runtime artifacts. REPLAY: NOT_PRESENT.
Not hermetic execution. SPARTAN's hermetic specifications are design-only.
Not compliance certification. SPARTAN packages evidence; compliance is a separate process.
Not a claim the demo repository is safe. The repository is intentionally vulnerable; the findings are real.
Not a vulnerability scanner replacement. SPARTAN is the evidence layer that sits next to scanners — not a scanner itself.