feat: wrap AI agent config in evidence envelope

Use the standard custom schema structure for CHAINLOOP_AI_AGENT_CONFIG,
matching the pattern used by CHAINLOOP_PR_INFO. The payload is now
wrapped with chainloop.material.evidence.id, schema URL, and data fields.

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

Author: jiparis

internal/aiagentconfig/aiagentconfig.go

@@ -23,6 +23,11 @@ const (
 	ConfigFileKindConfiguration ConfigFileKind = "configuration"
 	// ConfigFileKindInstruction is for markdown instruction/rules files.
 	ConfigFileKindInstruction ConfigFileKind = "instruction"
+
+	// EvidenceID is the identifier for the AI agent config material type
+	EvidenceID = "CHAINLOOP_AI_AGENT_CONFIG"
+	// EvidenceSchemaURL is the URL to the JSON schema for AI agent config
+	EvidenceSchemaURL = "https://schemas.chainloop.dev/aiagentconfig/0.1/ai-agent-config.schema.json"
 )
 
 // DiscoveredFile represents a file found during discovery, before reading its content.
@@ -53,8 +58,8 @@ type ConfigFile struct {
 	Content string         `json:"content"`
 }
 
-// Evidence is the AI agent configuration payload
-type Evidence struct {
+// Data is the AI agent configuration payload
+type Data struct {
 	SchemaVersion string       `json:"schema_version"`
 	Agent         Agent        `json:"agent"`
 	ConfigHash    string       `json:"config_hash"`
@@ -66,3 +71,19 @@ type Evidence struct {
 	MCPServers  any `json:"mcp_servers,omitempty"`
 	Subagents   any `json:"subagents,omitempty"`
 }
+
+// Evidence represents the complete evidence structure for AI agent config
+type Evidence struct {
+	ID     string `json:"chainloop.material.evidence.id"`
+	Schema string `json:"schema"`
+	Data   Data   `json:"data"`
+}
+
+// NewEvidence creates a new Evidence instance
+func NewEvidence(data Data) *Evidence {
+	return &Evidence{
+		ID:     EvidenceID,
+		Schema: EvidenceSchemaURL,
+		Data:   data,
+	}
+}

internal/aiagentconfig/builder.go

@@ -33,7 +33,7 @@ import (
 // basePath is the base directory, discovered contains files relative to basePath with their kinds.
 // agentName identifies the AI agent (e.g. "claude", "cursor").
 // gitCtx may be nil if not in a git repository.
-func Build(basePath string, discovered []DiscoveredFile, agentName string, gitCtx *GitContext) (*Evidence, error) {
+func Build(basePath string, discovered []DiscoveredFile, agentName string, gitCtx *GitContext) (*Data, error) {
 	// Resolve basePath to its real path so symlink comparisons are reliable
 	realRoot, err := filepath.EvalSymlinks(basePath)
 	if err != nil {
@@ -81,7 +81,7 @@ func Build(basePath string, discovered []DiscoveredFile, agentName string, gitCt
 		})
 	}
 
-	data := Evidence{
+	data := Data{
 		SchemaVersion: string(schemavalidators.AIAgentConfigVersion0_1),
 		Agent:         Agent{Name: agentName},
 		ConfigHash:    computeCombinedHash(hashes),

pkg/attestation/crafter/collector_aiagentconfig.go

@@ -88,11 +88,12 @@ func (c *AIAgentConfigCollector) uploadAgentConfig(
 	ctx context.Context, cr *Crafter, attestationID string,
 	casBackend *casclient.CASBackend, agentName string, files []aiagentconfig.DiscoveredFile, gitCtx *aiagentconfig.GitContext,
 ) error {
-	evidence, err := aiagentconfig.Build(cr.WorkingDir(), files, agentName, gitCtx)
+	data, err := aiagentconfig.Build(cr.WorkingDir(), files, agentName, gitCtx)
 	if err != nil {
 		return fmt.Errorf("building AI agent config for %s: %w", agentName, err)
 	}
 
+	evidence := aiagentconfig.NewEvidence(*data)
 	jsonData, err := json.Marshal(evidence)
 	if err != nil {
 		return fmt.Errorf("marshaling AI agent config for %s: %w", agentName, err)

pkg/attestation/crafter/materials/chainloop_ai_agent_config.go

@@ -22,6 +22,7 @@ import (
 	"os"
 
 	schemaapi "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
+	"github.com/chainloop-dev/chainloop/internal/aiagentconfig"
 	"github.com/chainloop-dev/chainloop/internal/schemavalidators"
 	api "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/api/attestation/v1"
 	"github.com/chainloop-dev/chainloop/pkg/casclient"
@@ -55,12 +56,28 @@ func (c *ChainloopAIAgentConfigCrafter) Craft(ctx context.Context, artifactPath
 		return nil, fmt.Errorf("can't open the file: %w", err)
 	}
 
-	var rawData any
-	if err := json.Unmarshal(f, &rawData); err != nil {
+	// Unmarshal envelope, keeping data as raw JSON for schema validation
+	var envelope struct {
+		Data json.RawMessage `json:"data"`
+	}
+	if err := json.Unmarshal(f, &envelope); err != nil {
 		c.logger.Debug().Err(err).Msg("error decoding file")
 		return nil, fmt.Errorf("invalid JSON format: %w", err)
 	}
 
+	// Unmarshal data into typed struct for agent name extraction
+	var data aiagentconfig.Data
+	if err := json.Unmarshal(envelope.Data, &data); err != nil {
+		c.logger.Debug().Err(err).Msg("error decoding data field")
+		return nil, fmt.Errorf("failed to unmarshal data: %w", err)
+	}
+
+	// Validate using raw JSON to preserve unknown fields for strict schema validation
+	var rawData any
+	if err := json.Unmarshal(envelope.Data, &rawData); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal data for validation: %w", err)
+	}
+
 	if err := schemavalidators.ValidateAIAgentConfig(rawData, schemavalidators.AIAgentConfigVersion0_1); err != nil {
 		c.logger.Debug().Err(err).Msg("schema validation failed")
 		return nil, fmt.Errorf("AI agent config validation failed: %w", err)
@@ -71,14 +88,9 @@ func (c *ChainloopAIAgentConfigCrafter) Craft(ctx context.Context, artifactPath
 		return nil, err
 	}
 
-	// Extract agent name from the validated JSON and surface it as an annotation
-	var envelope struct {
-		Agent struct {
-			Name string `json:"name"`
-		} `json:"agent"`
-	}
-	if err := json.Unmarshal(f, &envelope); err == nil && envelope.Agent.Name != "" {
-		material.Annotations[annotationAIAgentName] = envelope.Agent.Name
+	// Surface agent name as an annotation
+	if data.Agent.Name != "" {
+		material.Annotations[annotationAIAgentName] = data.Agent.Name
 	}
 
 	return material, nil

pkg/attestation/crafter/materials/chainloop_ai_agent_config_test.go

@@ -59,12 +59,12 @@ func TestNewChainloopAIAgentConfigCrafter_CorrectType(t *testing.T) {
 func TestChainloopAIAgentConfigCrafter_Validation(t *testing.T) {
 	testCases := []struct {
 		name    string
-		data    *aiagentconfig.Evidence
+		data    *aiagentconfig.Data
 		wantErr bool
 	}{
 		{
 			name: "valid full config",
-			data: &aiagentconfig.Evidence{
+			data: &aiagentconfig.Data{
 				SchemaVersion: string(schemavalidators.AIAgentConfigVersion0_1),
 				Agent:         aiagentconfig.Agent{Name: "claude", Version: "4.0"},
 				ConfigHash:    "abc123",
@@ -88,7 +88,7 @@ func TestChainloopAIAgentConfigCrafter_Validation(t *testing.T) {
 		},
 		{
 			name: "valid minimal config",
-			data: &aiagentconfig.Evidence{
+			data: &aiagentconfig.Data{
 				SchemaVersion: string(schemavalidators.AIAgentConfigVersion0_1),
 				Agent:         aiagentconfig.Agent{Name: "claude"},
 				ConfigHash:    "abc123",
@@ -107,7 +107,7 @@ func TestChainloopAIAgentConfigCrafter_Validation(t *testing.T) {
 		},
 		{
 			name: "valid cursor config",
-			data: &aiagentconfig.Evidence{
+			data: &aiagentconfig.Data{
 				SchemaVersion: string(schemavalidators.AIAgentConfigVersion0_1),
 				Agent:         aiagentconfig.Agent{Name: "cursor"},
 				ConfigHash:    "def456",
@@ -126,7 +126,7 @@ func TestChainloopAIAgentConfigCrafter_Validation(t *testing.T) {
 		},
 		{
 			name: "valid cursor with multiple file types",
-			data: &aiagentconfig.Evidence{
+			data: &aiagentconfig.Data{
 				SchemaVersion: string(schemavalidators.AIAgentConfigVersion0_1),
 				Agent:         aiagentconfig.Agent{Name: "cursor"},
 				ConfigHash:    "ghi789",
@@ -159,12 +159,12 @@ func TestChainloopAIAgentConfigCrafter_Validation(t *testing.T) {
 		},
 		{
 			name:    "missing required fields",
-			data:    &aiagentconfig.Evidence{},
+			data:    &aiagentconfig.Data{},
 			wantErr: true,
 		},
 		{
 			name: "empty config files",
-			data: &aiagentconfig.Evidence{
+			data: &aiagentconfig.Data{
 				SchemaVersion: string(schemavalidators.AIAgentConfigVersion0_1),
 				Agent:         aiagentconfig.Agent{Name: "claude"},
 				ConfigHash:    "abc123",
@@ -220,9 +220,9 @@ func TestChainloopAIAgentConfigCrafter_InvalidSchema(t *testing.T) {
 	crafter, err := NewChainloopAIAgentConfigCrafter(schema, nil, &logger)
 	require.NoError(t, err)
 
-	// Valid JSON but missing required fields
+	// Valid envelope but data is missing required fields
 	tmpFile := filepath.Join(t.TempDir(), "bad-schema.json")
-	require.NoError(t, os.WriteFile(tmpFile, []byte(`{"foo": "bar"}`), 0o600))
+	require.NoError(t, os.WriteFile(tmpFile, []byte(`{"chainloop.material.evidence.id":"CHAINLOOP_AI_AGENT_CONFIG","schema":"test","data":{"foo":"bar"}}`), 0o600))
 
 	_, err = crafter.Craft(context.Background(), tmpFile)
 	require.Error(t, err)
@@ -253,12 +253,16 @@ func TestChainloopAIAgentConfigCrafter_RejectsExtraFields(t *testing.T) {
 	require.NoError(t, err)
 
 	payload := `{
-		"schema_version": "0.1",
-		"agent": {"name": "claude"},
-		"config_hash": "abc",
-		"captured_at": "2026-03-13T10:00:00Z",
-		"config_files": [{"path": "CLAUDE.md", "kind": "instruction", "sha256": "abc", "size": 1, "content": "Yg=="}],
-		"unknown_field": "should fail"
+		"chainloop.material.evidence.id": "CHAINLOOP_AI_AGENT_CONFIG",
+		"schema": "https://schemas.chainloop.dev/aiagentconfig/0.1/ai-agent-config.schema.json",
+		"data": {
+			"schema_version": "0.1",
+			"agent": {"name": "claude"},
+			"config_hash": "abc",
+			"captured_at": "2026-03-13T10:00:00Z",
+			"config_files": [{"path": "CLAUDE.md", "kind": "instruction", "sha256": "abc", "size": 1, "content": "Yg=="}],
+			"unknown_field": "should fail"
+		}
 	}`
 
 	tmpFile := filepath.Join(t.TempDir(), "extra-fields.json")

pkg/attestation/crafter/materials/testdata/ai-agent-config-claude.json

@@ -1,15 +1,19 @@
 {
-  "schema_version": "0.1",
-  "agent": {"name": "claude"},
-  "config_hash": "abc123",
-  "captured_at": "2026-03-13T10:00:00Z",
-  "config_files": [
-    {
-      "path": "CLAUDE.md",
-      "kind": "instruction",
-      "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
-      "size": 42,
-      "content": "IyBQcm9qZWN0IFJ1bGVz"
-    }
-  ]
+  "chainloop.material.evidence.id": "CHAINLOOP_AI_AGENT_CONFIG",
+  "schema": "https://schemas.chainloop.dev/aiagentconfig/0.1/ai-agent-config.schema.json",
+  "data": {
+    "schema_version": "0.1",
+    "agent": {"name": "claude"},
+    "config_hash": "abc123",
+    "captured_at": "2026-03-13T10:00:00Z",
+    "config_files": [
+      {
+        "path": "CLAUDE.md",
+        "kind": "instruction",
+        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+        "size": 42,
+        "content": "IyBQcm9qZWN0IFJ1bGVz"
+      }
+    ]
+  }
 }

pkg/attestation/crafter/materials/testdata/ai-agent-config-cursor.json

@@ -1,15 +1,19 @@
 {
-  "schema_version": "0.1",
-  "agent": {"name": "cursor"},
-  "config_hash": "def456",
-  "captured_at": "2026-03-13T10:00:00Z",
-  "config_files": [
-    {
-      "path": ".cursor/rules/coding.md",
-      "kind": "instruction",
-      "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
-      "size": 20,
-      "content": "IyBDb2RpbmcgUnVsZXM="
-    }
-  ]
+  "chainloop.material.evidence.id": "CHAINLOOP_AI_AGENT_CONFIG",
+  "schema": "https://schemas.chainloop.dev/aiagentconfig/0.1/ai-agent-config.schema.json",
+  "data": {
+    "schema_version": "0.1",
+    "agent": {"name": "cursor"},
+    "config_hash": "def456",
+    "captured_at": "2026-03-13T10:00:00Z",
+    "config_files": [
+      {
+        "path": ".cursor/rules/coding.md",
+        "kind": "instruction",
+        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+        "size": 20,
+        "content": "IyBDb2RpbmcgUnVsZXM="
+      }
+    ]
+  }
 }