SPARTAN Sample Capsule v0.1 — Demo Bundle

The capsule proves. The view explains.

This bundle is a working, locally-verifiable demonstration of the SPARTAN Evidence Capsule v0.1 product loop. It exists so you can see, on your own machine, what spartan capsule build / verify / view actually produce — without installing SPARTAN, running a scanner, or trusting Higgs AI.

What you can do with this bundle

spartan-sample-capsule-v0.1.zip — the eight demo files (this index page, report.html, evidence.tar.gz, findings.sarif, verify-output.txt, README_VERIFY_IT_YOURSELF.md, CLAIMS_AND_NON_CLAIMS.md, and MANIFEST.json) packaged as a single downloadable archive. The archive's size and SHA-256 are recorded in MANIFEST.json under the wrapper_archive field so a recipient can verify the download before unzipping.
report.html — the static HTML report rendered from the capsule. Open in any browser. No JavaScript, no external assets.
evidence.tar.gz — the capsule itself. A real, gzipped tar archive.
verify-output.txt — the literal terminal output of spartan capsule verify against the capsule. Compare with what your own machine produces.
findings.sarif — SARIF v2.1.0 export of the same finding set. Consumable by GitHub code scanning (uploaded via the code-scanning REST API or an Actions workflow), viewer-style tools like VS Code's SARIF Viewer or Microsoft's Sarif Multitool, or any JSON tool. Every result.level is "note"; risk and evidence-tier information is in result.properties.
README_VERIFY_IT_YOURSELF.md — full instructions for verifying the bundle yourself.
CLAIMS_AND_NON_CLAIMS.md — the explicit claims and non-claims SPARTAN makes about Capsule v0.1.
MANIFEST.json — sizes and SHA-256 hashes for every file in this bundle.

What the demo capsule contains

A real SPARTAN validation run against a small intentionally-vulnerable demo repository (examples/demo-repo in the SPARTAN source tree). The run produced 11 findings across multiple risk classes and evidence tiers:

Risk	Finding type	Count	Evidence tier
CRITICAL	`hardcoded_secrets`	1	EVIDENCE_BACKED
HIGH	`vulnerable_dependencies`	1	EVIDENCE_BACKED
HIGH	`missing_auth_on_declared_routes`	5	ANALYST_HYPOTHESIS
HIGH	`path_traversal_patterns`	2	ANALYST_HYPOTHESIS
HIGH	`sql_string_interpolation`	1	ANALYST_HYPOTHESIS
HIGH	`unsafe_deserialization_patterns`	1	ANALYST_HYPOTHESIS

Verification summary

Running spartan capsule verify evidence.tar.gz against this capsule reports:

Level	Outcome	What it proves
`STRUCTURE`	PASS	File integrity: every file declared in `manifest.json` exists with the declared size and SHA-256.
`REDACTION`	PASS	Two-pass residue scan over all five JSON files finds nothing forbidden (no local paths, hostnames, usernames, git remotes, or suspected-secret patterns).
`AUDIT_DIGEST`	PASS	Audit digest is internally consistent; `digest_root_hash` recomputes from the sorted entries.
`SIGNATURE`	NOT_PRESENT	Capsule v0.1 is unsigned. Reserved as a verification level for a future schema.
`REPLAY`	NOT_PRESENT	Capsule does not carry runtime artifacts. Reserved for a future schema.

Verify it yourself

If you have a SPARTAN checkout on the same machine, the two commands are:

spartan capsule verify evidence.tar.gz
spartan capsule view evidence.tar.gz --format html --out my-report.html

Without a SPARTAN checkout, you can still:

Open report.html directly in a browser.
Read verify-output.txt for the literal terminal output.
Inspect findings.sarif directly as JSON, open it in VS Code's SARIF Viewer or Microsoft's Sarif Multitool, or upload it to GitHub code scanning via the code-scanning REST API or an Actions workflow.
Recompute file hashes against MANIFEST.json with any standard SHA-256 tool (for example, shasum -a 256 evidence.tar.gz on macOS or Linux).

What this demo is NOT

Not production customer evidence. The repository scanned is a synthetic demo.
Not signed. Evidence Capsule v0.1 is unsigned. SIGNATURE: NOT_PRESENT.
Not replay-bearing. The capsule does not carry runtime artifacts. REPLAY: NOT_PRESENT.
Not hermetic execution. SPARTAN's hermetic specifications are design-only.
Not compliance certification. SPARTAN packages evidence; compliance is a separate process.
Not a claim that the demo repository is safe. The repository is intentionally vulnerable; the findings are real.
Not a vulnerability scanner replacement. SPARTAN is the evidence layer that sits next to scanners; it is not itself a scanner.

This bundle was generated by the SPARTAN Sample Capsule v0.1 packaging slice. The capsule, the report, and the verification output are all artifacts of spartan capsule build / verify / view against a real validation run on the date listed in MANIFEST.json. See the SPARTAN reviewer brief at docs/spartan/SPARTAN_CAPSULE_V0_1_REVIEWER_BRIEF.md for the full product reference.