{
  "schema": "spartan.sample_capsule_demo.v0.1",
  "bundle_name": "SPARTAN Sample Capsule Demo v0.1",
  "generated_at": "2026-05-04T04:36:01Z",
  "source_benchmark": "examples/demo-repo (intentionally-vulnerable demo repository in the SPARTAN source tree)",
  "spartan_command_surface_used": [
    "spartan capsule build latest --redact --out evidence.tar.gz",
    "spartan capsule verify evidence.tar.gz",
    "spartan capsule view evidence.tar.gz --format html --out report.html",
    "spartan capsule sarif evidence.tar.gz --out findings.sarif"
  ],
  "capsule_id": "6409463f0c788d8c5602b280bd7405fd1ee0080a8233c26caa72bfa6e7dbd4e7",
  "capsule_content_root_hash": "29ff4ddc279883bf17c5cfdc278aebf60a6abb83d6a2d0ee22d4c55baf5a7ba1",
  "source_run_id": "run_2026-05-04T04-36-01.158Z_60156b4c",
  "verification_levels": {
    "STRUCTURE": "PASS",
    "REDACTION": "PASS",
    "AUDIT_DIGEST": "PASS",
    "SIGNATURE": "NOT_PRESENT",
    "REPLAY": "NOT_PRESENT"
  },
  "finding_summary": {
    "total": 11,
    "by_evidence_tier": {
      "EVIDENCE_BACKED": 2,
      "ANALYST_HYPOTHESIS": 9
    },
    "by_finding_type": {
      "hardcoded_secrets": 1,
      "vulnerable_dependencies": 1,
      "missing_auth_on_declared_routes": 5,
      "path_traversal_patterns": 2,
      "sql_string_interpolation": 1,
      "unsafe_deserialization_patterns": 1
    }
  },
  "wrapper_archive": {
    "name": "spartan-sample-capsule-v0.1.zip",
    "size_bytes": 24102,
    "sha256": "cf53aad4b2693fbb86d2a0d26a02607b79a492ffe62ab3a15aa376bab5d352c1",
    "contained_file_count": 8,
    "compression": "DEFLATE",
    "note": "Single-file download of this bundle. The archive contains exactly eight files: `index.html`, `report.html`, `evidence.tar.gz`, `findings.sarif`, `verify-output.txt`, `README_VERIFY_IT_YOURSELF.md`, `CLAIMS_AND_NON_CLAIMS.md`, and `MANIFEST.json`. The seven non-MANIFEST files appear in `files[]` above with their size and SHA-256; the in-zip `MANIFEST.json` is the eighth file. The in-zip MANIFEST does not hash itself and does not carry a `wrapper_archive` block \u2014 recording the zip's hash inside a MANIFEST that is itself inside the zip is self-referential and cannot be made byte-identical. The on-disk MANIFEST.json (this file) is therefore one revision ahead of the in-zip copy. Recipients verify the zip by downloading the on-disk MANIFEST.json (e.g., from the source tree at `dist/spartan-sample-capsule-v0.1/MANIFEST.json`) and checking the zip's SHA-256 against `wrapper_archive.sha256` here. After unzipping, the seven sibling files verify against the in-zip MANIFEST's `files[]` array."
  },
  "wrapper_artifact_substitutions": {
    "reason": "The producer's absolute filesystem path appeared in `capsule_path` fields emitted by `spartan capsule view` and `spartan capsule verify` because the CLI resolves the input path before passing it to the verifier. The capsule itself is unchanged and verifies clean (REDACTION: PASS); the substitution is applied only to the wrapper artifacts so this public sample bundle does not leak the producer's username or workspace path.",
    "from": "<producer absolute path>/dist/spartan-sample-capsule-v0.1/evidence.tar.gz",
    "to": "dist/spartan-sample-capsule-v0.1/evidence.tar.gz",
    "applied_to": [
      "report.html",
      "verify-output.txt"
    ],
    "applied_to_capsule_itself": false
  },
  "non_claims": [
    "not signed",
    "not replay-bearing",
    "not hermetic execution",
    "not compliance certification",
    "not production / deploy gating",
    "not universal DLP",
    "not a vulnerability scanner replacement"
  ],
  "files": [
    {
      "path": "evidence.tar.gz",
      "size_bytes": 5468,
      "sha256": "dad452d71b28e4ba638198ab059e6cb5dc8db19fc72bdb0f4fd34583b0f98962"
    },
    {
      "path": "report.html",
      "size_bytes": 15031,
      "sha256": "9b7ea11344d95124395c707e7b64d0762320ea3da5cd71e16916b5832298bbb0"
    },
    {
      "path": "verify-output.txt",
      "size_bytes": 771,
      "sha256": "1438fecb435db4aa4175fc81a47ea1d0521d4ab374bae2d7d816c3c67baa50e4"
    },
    {
      "path": "README_VERIFY_IT_YOURSELF.md",
      "size_bytes": 9127,
      "sha256": "26b930d1c07997b824f9605ff87b49956f01e3c5874f7fcb9d99ad0db5a2d619"
    },
    {
      "path": "CLAIMS_AND_NON_CLAIMS.md",
      "size_bytes": 5205,
      "sha256": "bb6dbfb9b66b983843a9eba47b12d81dbc6d9934df47072411be0b6cc7692eb1"
    },
    {
      "path": "index.html",
      "size_bytes": 8880,
      "sha256": "7ab8b854f7c9792e51ee015b94cb5c1b40dd1ae30e256f37b3dec88dd671faab"
    },
    {
      "path": "findings.sarif",
      "size_bytes": 17992,
      "sha256": "d2de2496c23c2f0b36faecabd4427021b070f1dfd107f4a2e7e7e9160c9eba08"
    }
  ]
}