{
  "sample_notice": "Synthetic demo-only software release evidence pack. No real repository, token, build secret or customer artifact.",
  "schema_version": "certisigma.sample.release-pack.v1",
  "id": "sample-software-release-evidence-pack",
  "title": "Software release evidence pack sample",
  "created_at": "2026-05-20T09:00:00Z",
  "positioning": "Release integrity support. This sample does not claim that the software is vulnerability-free or authorized for production.",
  "release": {
    "name": "example-component",
    "version": "0.0.0-demo",
    "build_reference": "synthetic-build-20260520"
  },
  "materials": [
    {
      "id": "artifact-digest",
      "label": "Release artifact digest",
      "hash_hex": "6dcd4ce23d88e2ee9568ba546c007c63d9131c1b7d33dfc525a9925bb1f4fae0",
      "evidence_level": "T1"
    },
    {
      "id": "sbom-digest",
      "label": "SBOM digest",
      "hash_hex": "c0535e4be2b79ffd93291305436bf889314e4a3faec05ecffcbb7df31ad9e51a",
      "evidence_level": "T0"
    },
    {
      "id": "provenance-digest",
      "label": "Provenance statement digest",
      "hash_hex": "2d711642b726b04401627ca9fbac32f5c8530fb1903cc4db02258717921a4881",
      "evidence_level": "T1"
    }
  ],
  "explicit_limits": [
    "No vulnerability-free claim.",
    "No guarantee that the build pipeline was correctly configured.",
    "No assertion that the signer was authorized outside the documented workflow."
  ]
}