{
  "schema": "ssx360.evidence-pack.v1",
  "issued_at": "2026-06-01T12:00:00.000Z",
  "account": {
    "email": "redacted@example.com",
    "entitlement_state": "sample",
    "plan": "provenance-pilot",
    "license_id": "DR-SAMPLE-0001"
  },
  "summary": {
    "repos": 2,
    "events": 4,
    "signed": 3,
    "unsigned": 1,
    "blocked": 1,
    "review": 1,
    "trustedActors": 3
  },
  "controls": {
    "maps_to": [
      "DORA ICT change-management evidence",
      "PCI DSS v4.0.1 Req 6.5.1 change control",
      "FS AI RMF traceability",
      "NIST SSDF provenance practices"
    ],
    "language": "aligned to and produces evidence for; no regulation is claimed to require commit signing today"
  },
  "compliance_mappings": [
    {
      "id": "dora-2025",
      "standard": "DORA",
      "effective": "Jan 2025",
      "claim": "Produces immutable change evidence for ICT third-party and internal software change review.",
      "evidence": [
        "Signed actor/tool/scope envelope per commit",
        "Protected-branch policy result",
        "Exportable audit ledger with offline verification"
      ]
    },
    {
      "id": "pci-dss-v4-0-1-req-6-5-1",
      "standard": "PCI DSS v4.0.1 Req 6.5.1",
      "effective": "Jun 2024",
      "claim": "Produces change-control evidence for custom software and agent-assisted modifications.",
      "evidence": [
        "Commit provenance envelope before merge",
        "Unsigned protected-branch block result",
        "Assessor-readable JSON export"
      ]
    },
    {
      "id": "fs-ai-rmf-2026",
      "standard": "FS AI RMF",
      "effective": "Feb 2026",
      "claim": "Produces traceability evidence aligned to voluntary FS AI RMF control objectives for agent actions affecting financial software systems.",
      "evidence": [
        "Approved-agent registry snapshot",
        "Signed commit trail with declared tool metadata",
        "Policy enforcement ledger"
      ]
    },
    {
      "id": "nist-ssdf",
      "standard": "NIST SSDF",
      "effective": "Current",
      "claim": "Produces evidence for provenance, change authorization, and release gate review.",
      "evidence": [
        "Commit provenance envelope",
        "Protected-branch enforcement result",
        "Signed JSON compliance ledger"
      ]
    },
    {
      "id": "eu-ai-act-art12-readiness",
      "standard": "EU AI Act Article 12",
      "effective": "Record-keeping readiness (high-risk obligations Dec 2027)",
      "claim": "Produces record-keeping evidence for high-risk system change review — readiness, not a live mandate claim.",
      "evidence": [
        "Signed actor/tool/scope envelope per commit",
        "Exportable ledger for human review",
        "Offline-verifiable signature trail"
      ]
    },
    {
      "id": "five-eyes-agentic-ai-2026",
      "standard": "Five Eyes Agentic AI guidance",
      "effective": "Apr 2026",
      "claim": "Maps to and produces evidence for secure agentic AI development practices.",
      "evidence": [
        "Approved-agent registry snapshot",
        "Unsigned/untrusted activity ledger",
        "Agentic AI controls crosswalk"
      ]
    }
  ],
  "policy_templates": [
    {
      "id": "financial-infra",
      "name": "Financial infrastructure guard",
      "status": "active",
      "maps_to": [
        "DORA ICT evidence",
        "PCI DSS v4.0.1 Req 6.5.1",
        "SOC 2 CC8 evidence"
      ],
      "rules": [
        "Block unsigned commits to protected branches",
        "Require trusted actor for payments/** and ledger/**",
        "Require human co-sign for release manifests"
      ]
    }
  ],
  "events": [
    {
      "id": "evt_sample_001",
      "timestamp": "2026-05-28T14:24:00.000Z",
      "repo": "payments-core",
      "branch": "main",
      "commit": "a3ef6c8",
      "actor": "cursor-agent",
      "actorType": "agent",
      "tool": "cursor",
      "scope": "src/payments/**",
      "signed": true,
      "trusted": true,
      "policy": "pass",
      "control": "Financial infrastructure guard"
    },
    {
      "id": "evt_sample_002",
      "timestamp": "2026-05-27T16:11:00.000Z",
      "repo": "payments-core",
      "branch": "main",
      "commit": "3c91d0a",
      "actor": "ci-bot",
      "actorType": "ci",
      "tool": "github-actions",
      "scope": ".github/workflows/**",
      "signed": false,
      "trusted": true,
      "policy": "blocked",
      "control": "Unsigned protected branch block"
    }
  ],
  "disclaimer": "Redacted sample export for procurement review. Not a live customer account.",
  "integrity": {
    "algorithm": "sha256",
    "digest": "20d99a5d34c88d200ebcf7023abd8674581e1cb2ba8666e0551489565577e55a"
  },
  "signature": {
    "schema": "ssx360.evidence-pack.signature.v1",
    "algorithm": "ed25519",
    "signed_at": "2026-06-01T12:00:01.000Z",
    "signer": "ssx360-sample-export",
    "public_key": "c8KILpMeopL6XXUFm83OUmfnvK+2cGh4l2vY8t8rYWo=",
    "value": "MeJMoNkwBQo1mJYTNIquyqZBKQQ+cy5mtOl7tUz+BKtwLbLxyevsw2JfoUzKQFz3Eb0rvDjXtFpDWzvVM8qIAw=="
  }
}
