syntax = "proto3";

package substrate.attestation.v2;

// ─── Layer 2: Software Claim ────────────────────────────────────────
//
// Software provenance and capability declaration. Binds the running
// image to its build pipeline via QM-notarized build receipts.
//
// NOTE(review): this file fixes only the wire layout. Hash algorithm,
// digest lengths, signature/receipt verification and the byte-level
// input of each hash are not defined here — confirm against the
// attestation spec before relying on any field for a trust decision.
message SoftwareClaim {
  // Layer discriminator. An unset field decodes as 0 in proto3, so a
  // verifier can treat anything other than 2 as malformed.
  uint32 layer = 1;                    // MUST be 2

  // Identifier of the image. NOTE(review): a free-form string; only
  // image_hash below is a digest, so presumably this is a label and
  // not something to match policy on by itself — confirm.
  string image_id = 2;

  // Digest of the image. NOTE(review): algorithm and expected length
  // are not stated; a verifier should check the length it expects and
  // reject empty or truncated values — confirm the algorithm.
  bytes image_hash = 3;

  // NOTE(review): a hash over JSON is only reproducible if the JSON
  // byte form is fixed (canonicalization); that rule is not given here.
  bytes capability_manifest = 4;       // H(manifest JSON)

  // NOTE(review): marked informational, and nothing in this message
  // ties the list to the manifest digest in field 4. Presumably policy
  // should be evaluated on the manifest that hashes to
  // capability_manifest, not on this list — confirm.
  repeated string capabilities = 5;    // Informational

  // Build metadata for the image; see BuildProvenance.
  BuildProvenance build_provenance = 6;

  // Build receipt referenced in the section header as QM-notarized.
  // NOTE(review): encoding and verification procedure are not defined
  // in this file; an empty string is the proto3 default and is
  // indistinguishable from "no receipt".
  string qm_build_receipt = 7;

  // NOTE(review): presumably the claim_hash of the layer-1 platform
  // claim, which a verifier would compare against the L1 claim it has
  // itself validated — confirm.
  bytes platform_claim_hash = 8;       // L1 binding

  // NOTE(review): presumably a digest committing to the other fields
  // of this message; which fields are covered and how they are encoded
  // is not defined here. Protobuf serialization is not canonical
  // across implementations, so the hash input needs an explicit
  // byte-level definition — confirm.
  bytes claim_hash = 9;
}

// Describes where and how the image was built. Referenced from
// SoftwareClaim.build_provenance.
//
// NOTE(review): every field here is a plain value carried in the
// message; whether any of them is covered by the build receipt or by
// SoftwareClaim.claim_hash cannot be told from this file — confirm
// before treating them as verified rather than self-asserted.
message BuildProvenance {
  // Source repository the build was taken from. NOTE(review): format
  // (URL, slug, ...) is not specified.
  string source_repo = 1;

  // Source revision that was built. NOTE(review): presumably a full
  // VCS commit id rather than a branch or tag name — confirm, since a
  // mutable ref would not pin the source.
  string source_commit = 2;

  // NOTE(review): an OIDC "sub" is only unique within its issuer, and
  // no issuer field is carried in this message; the value also does
  // not say which of the two forms it is. Confirm how verifiers
  // disambiguate.
  string builder_identity = 3;         // SPIFFE ID or OIDC sub

  // NOTE(review): carried as text, so receivers have to parse and
  // validate it themselves; time zone handling is not specified.
  string build_timestamp = 4;          // ISO 8601

  // NOTE(review): false is also the proto3 default for an unset field,
  // so "not reproducible" and "not stated" look the same on the wire.
  bool build_reproducible = 5;

  // NOTE(review): presumably the number of builders that produced this
  // image (e.g. independent rebuilds) — confirm. 0 is the proto3
  // default and cannot be told apart from unset.
  uint32 builder_count = 6;
}