feat: wrap AI agent config in evidence envelope (#2870)

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

Author: jiparis

internal/aiagentconfig/aiagentconfig.go

@@ -23,6 +23,11 @@ const (
 	ConfigFileKindConfiguration ConfigFileKind = "configuration"
 	// ConfigFileKindInstruction is for markdown instruction/rules files.
 	ConfigFileKindInstruction ConfigFileKind = "instruction"
+
+	// EvidenceID is the identifier for the AI agent config material type
+	EvidenceID = "CHAINLOOP_AI_AGENT_CONFIG"
+	// EvidenceSchemaURL is the URL to the JSON schema for AI agent config
+	EvidenceSchemaURL = "https://schemas.chainloop.dev/aiagentconfig/0.1/ai-agent-config.schema.json"
 )
 
 // DiscoveredFile represents a file found during discovery, before reading its content.
@@ -53,16 +58,31 @@ type ConfigFile struct {
 	Content string         `json:"content"`
 }
 
-// Evidence is the AI agent configuration payload
-type Evidence struct {
-	SchemaVersion string       `json:"schema_version"`
-	Agent         Agent        `json:"agent"`
-	ConfigHash    string       `json:"config_hash"`
-	CapturedAt    string       `json:"captured_at"`
-	GitContext    *GitContext  `json:"git_context,omitempty"`
-	ConfigFiles   []ConfigFile `json:"config_files"`
+// Data is the AI agent configuration payload
+type Data struct {
+	Agent       Agent        `json:"agent"`
+	ConfigHash  string       `json:"config_hash"`
+	CapturedAt  string       `json:"captured_at"`
+	GitContext  *GitContext  `json:"git_context,omitempty"`
+	ConfigFiles []ConfigFile `json:"config_files"`
 	// Future fields for richer analysis
 	Permissions any `json:"permissions,omitempty"`
 	MCPServers  any `json:"mcp_servers,omitempty"`
 	Subagents   any `json:"subagents,omitempty"`
 }
+
+// Evidence represents the complete evidence structure for AI agent config
+type Evidence struct {
+	ID     string `json:"chainloop.material.evidence.id"`
+	Schema string `json:"schema"`
+	Data   Data   `json:"data"`
+}
+
+// NewEvidence creates a new Evidence instance
+func NewEvidence(data Data) *Evidence {
+	return &Evidence{
+		ID:     EvidenceID,
+		Schema: EvidenceSchemaURL,
+		Data:   data,
+	}
+}

internal/aiagentconfig/builder.go

@@ -25,15 +25,13 @@ import (
 	"sort"
 	"strings"
 	"time"
-
-	"github.com/chainloop-dev/chainloop/internal/schemavalidators"
 )
 
 // Build reads discovered files and constructs the AI agent config payload.
 // basePath is the base directory, discovered contains files relative to basePath with their kinds.
 // agentName identifies the AI agent (e.g. "claude", "cursor").
 // gitCtx may be nil if not in a git repository.
-func Build(basePath string, discovered []DiscoveredFile, agentName string, gitCtx *GitContext) (*Evidence, error) {
+func Build(basePath string, discovered []DiscoveredFile, agentName string, gitCtx *GitContext) (*Data, error) {
 	// Resolve basePath to its real path so symlink comparisons are reliable
 	realRoot, err := filepath.EvalSymlinks(basePath)
 	if err != nil {
@@ -81,13 +79,12 @@ func Build(basePath string, discovered []DiscoveredFile, agentName string, gitCt
 		})
 	}
 
-	data := Evidence{
-		SchemaVersion: string(schemavalidators.AIAgentConfigVersion0_1),
-		Agent:         Agent{Name: agentName},
-		ConfigHash:    computeCombinedHash(hashes),
-		CapturedAt:    time.Now().UTC().Format(time.RFC3339),
-		GitContext:    gitCtx,
-		ConfigFiles:   configFiles,
+	data := Data{
+		Agent:       Agent{Name: agentName},
+		ConfigHash:  computeCombinedHash(hashes),
+		CapturedAt:  time.Now().UTC().Format(time.RFC3339),
+		GitContext:  gitCtx,
+		ConfigFiles: configFiles,
 	}
 
 	return &data, nil

internal/aiagentconfig/builder_test.go

@@ -53,7 +53,6 @@ func TestBuild(t *testing.T) {
 	}, "claude", gitCtx)
 	require.NoError(t, err)
 
-	assert.Equal(t, "0.1", data.SchemaVersion)
 	assert.Equal(t, "claude", data.Agent.Name)
 	assert.NotEmpty(t, data.CapturedAt)
 	assert.NotEmpty(t, data.ConfigHash)
@@ -136,7 +135,6 @@ func TestBuildJSONFormat(t *testing.T) {
 	var raw map[string]any
 	require.NoError(t, json.Unmarshal(jsonData, &raw))
 
-	assert.NotNil(t, raw["schema_version"])
 	assert.NotNil(t, raw["agent"])
 	assert.NotNil(t, raw["config_hash"])
 	assert.NotNil(t, raw["captured_at"])

internal/schemavalidators/internal_schemas/aiagentconfig/ai-agent-config-0.1.schema.json

@@ -5,17 +5,12 @@
   "title": "AI Agent Configuration",
   "description": "Schema for AI agent configuration data collected during attestation",
   "required": [
-    "schema_version",
     "agent",
     "config_hash",
     "captured_at",
     "config_files"
   ],
   "properties": {
-    "schema_version": {
-      "type": "string",
-      "description": "Schema version identifier"
-    },
     "agent": {
       "type": "object",
       "description": "AI agent provider information",

internal/schemavalidators/testdata/ai_agent_config_empty_config_files.json

@@ -1,5 +1,4 @@
 {
-  "schema_version": "0.1",
   "agent": {
     "name": "claude"
   },

internal/schemavalidators/testdata/ai_agent_config_extra_fields.json

@@ -1,5 +1,4 @@
 {
-  "schema_version": "0.1",
   "agent": {
     "name": "claude"
   },

internal/schemavalidators/testdata/ai_agent_config_minimal.json

@@ -1,5 +1,4 @@
 {
-  "schema_version": "0.1",
   "agent": {
     "name": "claude"
   },

internal/schemavalidators/testdata/ai_agent_config_valid.json

@@ -1,5 +1,4 @@
 {
-  "schema_version": "0.1",
   "agent": {
     "name": "claude",
     "version": "4.0"

pkg/attestation/crafter/collector_aiagentconfig.go

@@ -88,11 +88,12 @@ func (c *AIAgentConfigCollector) uploadAgentConfig(
 	ctx context.Context, cr *Crafter, attestationID string,
 	casBackend *casclient.CASBackend, agentName string, files []aiagentconfig.DiscoveredFile, gitCtx *aiagentconfig.GitContext,
 ) error {
-	evidence, err := aiagentconfig.Build(cr.WorkingDir(), files, agentName, gitCtx)
+	data, err := aiagentconfig.Build(cr.WorkingDir(), files, agentName, gitCtx)
 	if err != nil {
 		return fmt.Errorf("building AI agent config for %s: %w", agentName, err)
 	}
 
+	evidence := aiagentconfig.NewEvidence(*data)
 	jsonData, err := json.Marshal(evidence)
 	if err != nil {
 		return fmt.Errorf("marshaling AI agent config for %s: %w", agentName, err)

pkg/attestation/crafter/materials/chainloop_ai_agent_config.go

@@ -22,6 +22,7 @@ import (
 	"os"
 
 	schemaapi "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
+	"github.com/chainloop-dev/chainloop/internal/aiagentconfig"
 	"github.com/chainloop-dev/chainloop/internal/schemavalidators"
 	api "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/api/attestation/v1"
 	"github.com/chainloop-dev/chainloop/pkg/casclient"
@@ -55,12 +56,28 @@ func (c *ChainloopAIAgentConfigCrafter) Craft(ctx context.Context, artifactPath
 		return nil, fmt.Errorf("can't open the file: %w", err)
 	}
 
-	var rawData any
-	if err := json.Unmarshal(f, &rawData); err != nil {
+	// Unmarshal envelope, keeping data as raw JSON for schema validation
+	var envelope struct {
+		Data json.RawMessage `json:"data"`
+	}
+	if err := json.Unmarshal(f, &envelope); err != nil {
 		c.logger.Debug().Err(err).Msg("error decoding file")
 		return nil, fmt.Errorf("invalid JSON format: %w", err)
 	}
 
+	// Unmarshal data into typed struct for agent name extraction
+	var data aiagentconfig.Data
+	if err := json.Unmarshal(envelope.Data, &data); err != nil {
+		c.logger.Debug().Err(err).Msg("error decoding data field")
+		return nil, fmt.Errorf("failed to unmarshal data: %w", err)
+	}
+
+	// Validate using raw JSON to preserve unknown fields for strict schema validation
+	var rawData any
+	if err := json.Unmarshal(envelope.Data, &rawData); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal data for validation: %w", err)
+	}
+
 	if err := schemavalidators.ValidateAIAgentConfig(rawData, schemavalidators.AIAgentConfigVersion0_1); err != nil {
 		c.logger.Debug().Err(err).Msg("schema validation failed")
 		return nil, fmt.Errorf("AI agent config validation failed: %w", err)
@@ -71,14 +88,9 @@ func (c *ChainloopAIAgentConfigCrafter) Craft(ctx context.Context, artifactPath
 		return nil, err
 	}
 
-	// Extract agent name from the validated JSON and surface it as an annotation
-	var envelope struct {
-		Agent struct {
-			Name string `json:"name"`
-		} `json:"agent"`
-	}
-	if err := json.Unmarshal(f, &envelope); err == nil && envelope.Agent.Name != "" {
-		material.Annotations[annotationAIAgentName] = envelope.Agent.Name
+	// Surface agent name as an annotation
+	if data.Agent.Name != "" {
+		material.Annotations[annotationAIAgentName] = data.Agent.Name
 	}
 
 	return material, nil