run_manifest.json currently records aggregate input_digest and config_digest values. That is enough to detect that a synthetic-local run's input set changed, but it does not identify which specific input or config file changed when a demo has multiple source files.
This matters most for the multi-input demos, for example:
config-change combines config changes, policy denials, and follow-on events.
window runs combine event input plus rule/config files.
- future contract checks may need to explain which committed fixture changed without re-running manual diff inspection first.
A possible vNext direction is to add per-file digest maps while preserving the existing aggregate fields, for example:
{
"input_digest": "sha256:...",
"config_digest": "sha256:...",
"input_file_digests": {
"data/raw/config_changes.jsonl": "sha256:..."
},
"config_file_digests": {
"config/investigation.yaml": "sha256:..."
}
}
Acceptance criteria for a future PR:
- Keep the current aggregate
input_digest and config_digest fields for compatibility.
- Add deterministic per-file digest maps to
build_run_manifest and schemas/run_manifest.schema.json.
- Regenerate committed
run_manifest.json artifacts for all five demos and both window sample outputs.
- Add tests for deterministic ordering, line-ending normalization, and multi-file digest sensitivity.
- Update the schema compatibility matrix to mark the change as additive.
Boundaries:
- Synthetic local artifacts only.
- No new demo.
- No live telemetry or external account integration.
- No production SIEM, alert routing, or incident-verdict claim.
run_manifest.jsoncurrently records aggregateinput_digestandconfig_digestvalues. That is enough to detect that a synthetic-local run's input set changed, but it does not identify which specific input or config file changed when a demo has multiple source files.This matters most for the multi-input demos, for example:
config-changecombines config changes, policy denials, and follow-on events.windowruns combine event input plus rule/config files.A possible vNext direction is to add per-file digest maps while preserving the existing aggregate fields, for example:
{ "input_digest": "sha256:...", "config_digest": "sha256:...", "input_file_digests": { "data/raw/config_changes.jsonl": "sha256:..." }, "config_file_digests": { "config/investigation.yaml": "sha256:..." } }Acceptance criteria for a future PR:
input_digestandconfig_digestfields for compatibility.build_run_manifestandschemas/run_manifest.schema.json.run_manifest.jsonartifacts for all five demos and both window sample outputs.Boundaries: