STUDIO evidence emitter¶

scpn_mif_core.evidence maps MIF's result artifacts onto the SCPN STUDIO v1 studio.*.v1 evidence bundle — the provenance-first result envelope shared across the SCPN ecosystem (PROV-O graph, RO-Crate profile, evidence-kind/level axes, formal certificates, the claim-boundary lattice, recompute provenance, an in-toto-style attestation, and content-addressed cross-studio derivation edges).

It is a forward-compatibility surface, not a studio user interface and not a fork of the shared platform: it emits the locked-schema JSON shape so MIF's evidence is provenance-grade today and its eventual studio vertical adopts the contract with no rework. Once scpn-studio-platform is extracted, the hand-built envelope here is replaced by that SDK's signing emit API — the attestation.signature is deliberately left for the platform signer, and the field shapes do not change because the v1 contract is additive-only.

What maps where¶

MIF artifact	Verb	Bundle schema	Distinctive fields
Merge-trigger decision (`MergeTriggerReport`)	`evaluate`	`studio.merge-trigger.v1`	`claim_boundary.admission` from fire/abort/hold; `numeric_provenance.exactness = tolerance-aware`
MIF-010 formal proof (`formal_manifest` entry)	`prove`	`studio.formal-proof.v1`	`evidence_kind = formally-proven`; `formal_certificate` with `checker = symbiyosys`, the `.sby` as `proof_digest`, the `hdl/src` RTL as `subject_digest`

A formal proof renders as a distinct evidence kind (formally-proven), not a higher empirical level — the two axes are orthogonal. The subject_digest is the hash of the synthesisable RTL that was proven: the Hub voids the proof the moment that subject drifts, exactly as MIF's formal-manifest drift gate already does.

`evidence` ¶

Emit MIF artifacts as SCPN STUDIO studio.*.v1 evidence bundles.

This maps MIF's existing result artifacts onto the locked SCPN STUDIO v1 schema-B evidence bundle (the provenance-first result envelope: PROV-O graph, RO-Crate profile, evidence-kind/level axes, formal certificates, claim-boundary lattice, recompute provenance, in-toto-style attestation, and content-addressed cross-studio derivation edges).

It is a forward-compatibility surface, not a studio UI and not a fork of the shared platform: it produces the locked-schema JSON shape so MIF's evidence is provenance-grade today and its eventual studio vertical adopts the contract with no rework. Once scpn-studio-platform is extracted, the hand-built envelope here is replaced by that SDK's signing emit API (the attestation.signature is deliberately left for the platform signer); the field shapes do not change because the v1 contract is additive-only.

The two emitters cover MIF's most distinctive evidence: the merge-trigger decision (evaluate) and the MIF-010 formal proof (prove, the formally-proven kind).

`content_digest(payload)` ¶

Return the content-addressed sha256: digest of a JSON-serialisable payload.

The payload is serialised canonically (sorted keys, compact separators) so the digest is reproducible across runs and hosts — the basis for both the PROV-O entity digest and the durable content-addressed derived_from edges.

`build_evidence_bundle(*, schema, verb, result, started, ended, regenerated_by, host, studio_version, evidence_kind, scpn_evidence_level, claim_boundary, operator='opaque-id:local', numeric_provenance=None, formal_certificate=None, derived_from=None, verified_citations=None, hmac_key=None)` ¶

Assemble a schema-B studio.*.v1 evidence bundle from its parts.

result is the raw MIF result payload; it is embedded as the bundle result and content-addressed — its digest becomes the PROV-O entity digest and the attestation hash chain, so the embedded summary cannot drift from its own attestation. Optional blocks (numeric_provenance, formal_certificate, verified_citations) are included only when supplied, matching the contract's additive-field model.

`merge_trigger_evidence(report, *, started, ended, host, studio_version, regenerated_by='scpn-mif run scenario.json', operator='opaque-id:local', derived_from=None, hmac_key=None)` ¶

Emit a merge-trigger decision as a studio.merge-trigger.v1 bundle.

The fire/abort/hold outcome maps to the claim-boundary admission; the decision runs the float kinematic/physics path, so the exactness is tolerance-aware with the Rust backend active when its extension is importable.

`formal_proof_evidence(task, *, started, ended, host, studio_version, checker_version, regenerated_by='python tools/run_formal.py --suite all', operator='opaque-id:local', hmac_key=None)` ¶

Emit a MIF-010 formal proof task (a formal_manifest entry) as studio.formal-proof.v1.

The proof is a distinct evidence kind (formally-proven), not a higher empirical level. The .sby script is the proof artifact (proof_digest) and the synthesisable RTL under hdl/src/ is the proven subject (subject_digest) — the Hub voids the proof if that subject drifts, exactly as MIF's formal-manifest drift gate already does.

`cosim_evidence(*, harness, bit_true, mismatch_count, started, ended, host, studio_version, regenerated_by='make cosim', operator='opaque-id:local', hmac_key=None)` ¶

Emit a bit-true cosimulation result as a studio.cosim.v1 bundle.

A cosimulation checks the Python golden reference against the Verilator RTL for exact (bit-exact) equality, so the parity tolerance is zero. A bit-true run is reference-validated and admitted; any mismatch is a validation gap and rejected, with the mismatch count recorded as the parity error.

`benchmark_evidence(*, name, metrics, active_backend, regenerated_by, host, started, ended, studio_version, exactness='tolerance-aware', status='reference-validated', operator='opaque-id:local', hmac_key=None)` ¶

Emit a benchmark artifact as a studio.benchmark.v1 bundle.

The recompute provenance is the point: regenerated_by (the command) and host make the number reproducible, not merely attested. status lets the caller declare the honest claim boundary — e.g. bounded-model for a budget whose tiers are modelled rather than measured — defaulting to a fully measured, recomputable reference-validated number.

`validate_studio_bundle(bundle)` ¶

Fail closed unless bundle conforms to the locked v1 schema-B contract.

This is MIF's consumer-driven contract check (v1 contract §7): it verifies the required PROV-O envelope, the enumerated axes (evidence kind/level, claim-boundary status, exactness), and the conditional rule that a formally-proven bundle carries a well-formed formal_certificate. It raises a single ValueError listing every violation, so a malformed bundle can never be silently admitted.

STUDIO evidence emitter¶

What maps where¶

evidence ¶

content_digest(payload) ¶

build_evidence_bundle(*, schema, verb, result, started, ended, regenerated_by, host, studio_version, evidence_kind, scpn_evidence_level, claim_boundary, operator='opaque-id:local', numeric_provenance=None, formal_certificate=None, derived_from=None, verified_citations=None, hmac_key=None) ¶

merge_trigger_evidence(report, *, started, ended, host, studio_version, regenerated_by='scpn-mif run scenario.json', operator='opaque-id:local', derived_from=None, hmac_key=None) ¶

formal_proof_evidence(task, *, started, ended, host, studio_version, checker_version, regenerated_by='python tools/run_formal.py --suite all', operator='opaque-id:local', hmac_key=None) ¶

cosim_evidence(*, harness, bit_true, mismatch_count, started, ended, host, studio_version, regenerated_by='make cosim', operator='opaque-id:local', hmac_key=None) ¶

benchmark_evidence(*, name, metrics, active_backend, regenerated_by, host, started, ended, studio_version, exactness='tolerance-aware', status='reference-validated', operator='opaque-id:local', hmac_key=None) ¶

validate_studio_bundle(bundle) ¶