Skip to content

Add per-file digest provenance to run_manifest #84

Description

@stacknil

run_manifest.json currently records aggregate input_digest and config_digest values. That is enough to detect that a synthetic-local run's input set changed, but it does not identify which specific input or config file changed when a demo has multiple source files.

This matters most for the multi-input demos, for example:

  • config-change combines config changes, policy denials, and follow-on events.
  • window runs combine event input plus rule/config files.
  • future contract checks may need to explain which committed fixture changed without re-running manual diff inspection first.

A possible vNext direction is to add per-file digest maps while preserving the existing aggregate fields, for example:

{
  "input_digest": "sha256:...",
  "config_digest": "sha256:...",
  "input_file_digests": {
    "data/raw/config_changes.jsonl": "sha256:..."
  },
  "config_file_digests": {
    "config/investigation.yaml": "sha256:..."
  }
}

Acceptance criteria for a future PR:

  • Keep the current aggregate input_digest and config_digest fields for compatibility.
  • Add deterministic per-file digest maps to build_run_manifest and schemas/run_manifest.schema.json.
  • Regenerate committed run_manifest.json artifacts for all five demos and both window sample outputs.
  • Add tests for deterministic ordering, line-ending normalization, and multi-file digest sensitivity.
  • Update the schema compatibility matrix to mark the change as additive.

Boundaries:

  • Synthetic local artifacts only.
  • No new demo.
  • No live telemetry or external account integration.
  • No production SIEM, alert routing, or incident-verdict claim.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesttestingTest coverage and edge-case behavior

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions