Evidence Bundle v0.1 draft. A portable format for shipping evidence packets between systems — RAG citation packs, audit excerpts, signed compliance disclosures, incident-response artifacts, regulatory submissions.
Part of the Kinetic Gain Protocol Suite.
Status: v0.1 draft. Spec at SPEC.md, schema at evidence-bundle.schema.json, examples at examples/.
When an LLM cites three sources for an answer, an auditor asks for "the evidence behind that decision", or a vendor responds to a SOC2 control request — the artifact that gets handed over is always a directory of files plus some notes about provenance. Today every team invents that directory shape locally. Different fields, different hashing rules, different sign-off conventions, different file layouts.
This spec pins it down: one directory, one manifest.json, every file hashed, optional cross-references, optional signature. Anyone can read it without our code.
```
my-bundle/
  manifest.json        <- conforms to evidence-bundle.schema.json
  content/
    source-a.pdf
    source-b.json
    summary.md
```
| Spec | Reference |
|---|---|
| prompt-provenance-spec | provenance.prompt_provenance_uri |
| agent-cards-spec | provenance.agent_card_uri |
| mcp-tool-card-spec | provenance.tool_card_uri |
| hash-attestation-rs | ed25519 signature over the canonical manifest |
| bls-attestation-broker | multi-signer BLS aggregate signature |
GitHub Actions validates every examples/**/manifest.json against the schema on each push using AJV with the JSON Schema 2020-12 dialect.
```bash
# Validate locally
npx ajv -s evidence-bundle.schema.json -d "examples/**/manifest.json" --strict=false --spec=draft2020
```
```json
{
  "evidence_bundle_version": "0.1",
  "bundle": { "id": "…", "subject": "…", "purpose": "…", "created_at": "…", "creator": "…" },
  "items": [
    { "id": "…", "path": "content/x.pdf", "sha256": "…", "size_bytes": 123 }
  ],
  "relationships": [
    { "subject": "…", "predicate": "cites", "object": "…" }
  ],
  "provenance": { "agent_card_uri": "…", "prompt_provenance_uri": "…", "otel_trace_id": "…" },
  "signature": { "algorithm": "ed25519", "signer": "…", "value": "…", "signed_at": "…" }
}
```
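A consumer-side check of the `items` array shown above, as an added example that is not part of the spec or the project's own code: it recomputes each file's size and SHA-256 and refuses any `path` that resolves outside the bundle directory. It assumes `sha256` is the hex digest of the raw file bytes and `path` is relative to the bundle root; `verify_bundle` and `build_sample` are hypothetical names, the sample bundle is constructed, and schema and signature checks are out of scope here.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def verify_bundle(bundle_dir):
    """Return a list of problems; an empty list means every item matched."""
    root = Path(bundle_dir).resolve()
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    problems = []
    for item in manifest.get("items", []):
        rel, target = item["path"], (root / item["path"]).resolve()
        # Refuse absolute paths, ../ escapes and symlinks that leave the bundle.
        if not target.is_relative_to(root):
            problems.append(f"{item['id']}: path escapes bundle: {rel}")
            continue
        if not target.is_file():
            problems.append(f"{item['id']}: missing file: {rel}")
            continue
        data = target.read_bytes()
        if len(data) != item["size_bytes"]:
            problems.append(f"{item['id']}: size mismatch: {rel}")
        # Assumption: sha256 is the hex digest of the raw file bytes.
        if hashlib.sha256(data).hexdigest() != item["sha256"].lower():
            problems.append(f"{item['id']}: sha256 mismatch: {rel}")
    return problems


def build_sample(root):
    """Write a constructed two-item bundle under root (sample data, not from the spec)."""
    root = Path(root)
    (root / "content").mkdir(parents=True, exist_ok=True)
    files = {"content/source-a.txt": b"constructed source A\n",
             "content/summary.md": b"# constructed summary\n"}
    items = []
    for n, (rel, data) in enumerate(files.items()):
        (root / rel).write_bytes(data)
        items.append({"id": f"item-{n}", "path": rel, "size_bytes": len(data),
                      "sha256": hashlib.sha256(data).hexdigest()})
    manifest = {"evidence_bundle_version": "0.1", "items": items}
    (root / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return manifest


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("clean:", verify_bundle(tmp))
        (Path(tmp) / "content/summary.md").write_bytes(b"# edited after hashing\n")
        print("tampered:", verify_bundle(tmp))
```

Per-file hashes only bind content to the manifest; a consumer that needs to know who produced the manifest still has to verify the optional `signature` separately.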