Interoperability

Open Evidence Schema

Public JSON Schemas for every piece of structured evidence ResilienceChain produces. Partners, regulators, and third-party verifiers can implement conforming encoders and decoders without coordinating with us.

Version 1.0.0 · Licensed CC-BY-4.0

Test your implementation

Validate any JSON payload in your browser, or run the CLI in CI: npx @resiliencechain/conform. Passing integrations can apply for the rc-conformant badge.

Why publish this?

Cyber-incident tooling is locked to vendor formats by default — each SIEM, SOAR, and ticketing system publishes its own alert shape and expects integrators to conform. Evidence chains don’t survive the hops. ResilienceChain publishes its formats as a versioned open schema so a customer who exports to us, or a regulator who audits us, can do their own validation without asking for docs. An integration built against v1 stays valid forever; breaking changes ship as /schema/v2.

Published schemas

Evidence Analysis

GET /schema/v1/evidence-analysis

Structured output of AI-assisted analysis for a single piece of evidence (log, screenshot, forensic report, attestation). Defines the summary, suspected IoCs, MITRE tactics, suggested actions, and confidence signals.

Incident Triage

GET /schema/v1/incident-triage

Incident-level AI triage that joins multiple evidence analyses with response state to produce an overall assessment, next actions with role ownership, cross-evidence correlations, and escalation / regulator-report recommendations.

Outbound Webhook Envelope

GET /schema/v1/outbound-webhook-envelope

Wrapper applied to every outbound webhook delivery. Receivers verify X-RC-Signature: sha256=<hex> using HMAC-SHA256 over the raw body with their endpoint's signing secret.

Event Chain Proof

GET /schema/v1/event-chain-proof

Per-incident cryptographic chain verification report. Pre-chain events are counted but not cryptographically verifiable — the report is honest about the split.

Event Hash Canonicalization (spec, not schema)

GET /schema/v1/event-hash-canonicalization

Specification of the deterministic serialisation + SHA-256 chain algorithm, including a Python reference implementation. A third-party auditor can recompute the chain from stored events without running ResilienceChain code.

TSA Anchoring Protocol (spec, not schema)

GET /schema/v1/tsa-anchoring

How each chained event_hash is signed by an RFC 3161 Time-Stamp Authority (FreeTSA default) so an auditor can prove 'this event existed by wall-clock time T' using only the public TSA certificate. Upgrades the chain from tamper-evident to tamper-and-time-evident.

IoC Correlation

GET /schema/v1/ioc-correlation

Cross-tenant correlation of a single Indicator of Compromise, surfaced only at k-anonymity k ≥ 3. Individual tenant identities never cross the API boundary; opt-in is required to contribute AND to see. Feeds the /api/v1/ioc-correlations endpoint and the incident-level 'cross-tenant match' ribbon.

Discovery

The full list of schemas is reachable machine-first at /.well-known/openevidence.json, an RFC 8615 manifest crawlers can GET without prior coordination.

Verify an event chain in 30 lines of Python

This snippet recomputes an incident’s event hash chain from a JSON export, using only the Python standard library. No ResilienceChain dependencies.

import hashlib, json

GENESIS = "0" * 64

def canonical_json(v):
    if isinstance(v, dict):
        items = sorted(v.items(), key=lambda kv: kv[0])
        return "{" + ",".join(json.dumps(k) + ":" + canonical_json(vv) for k, vv in items) + "}"
    if isinstance(v, list):
        return "[" + ",".join(canonical_json(x) for x in v) + "]"
    return json.dumps(v, separators=(",", ":"))

def compute_event_hash(prev_hash, row):
    canonical = "|".join([
        row["event_id"], row["tenant_id"], row["entity_type"], row["entity_id"],
        row["event_type"], row["occurred_at"],
        row.get("actor_user_id") or "",
        row["source_channel"],
        row.get("related_order_id") or "",
        row.get("related_action_item_id") or "",
        canonical_json(row.get("payload", {})),
    ])
    return hashlib.sha256((prev_hash + "|" + canonical).encode()).hexdigest()

def verify_chain(events):
    prev = GENESIS
    for r in sorted(events, key=lambda e: e["chain_sequence_no"]):
        expected = compute_event_hash(r["prev_event_hash"] or GENESIS, r)
        if expected != r["event_hash"]:
            return False, r["chain_sequence_no"]
        prev = r["event_hash"]
    return True, None

# events = json.load(open("incident-events.json"))["data"]
# ok, first_broken = verify_chain(events)
# assert ok, f"chain broken at sequence {first_broken}"

Conformance for receivers

  • Outbound webhook receivers SHOULD verify X-RC-Signature: sha256=<hex> against the endpoint’s signing secret with HMAC-SHA256 over the raw (unmodified) body bytes.
  • Receivers MAY reject deliveries whose timestamp is older than 5 minutes to mitigate replay.
  • The delivery_id is also present in the X-RC-Delivery-Id header to help receivers correlate logs and detect retries.
  • Regulators requesting an evidence chain proof SHOULD accept any report that conforms to event-chain-proof; they do not need ResilienceChain credentials to interpret it.
  • Each chained event carries an RFC 3161 time-stamp token — see tsa-anchoring. A regulator can verify the token offline with openssl ts -verify against the TSA’s public certificate, proving the event existed by wall-clock time T without touching ResilienceChain infrastructure.