TRQP-TSPP

Assurance Hub ↔ TSPP Crosswalk

This document maps Assurance Hub evidence expectations to the concrete artifacts emitted by TRQP-TSPP.

What TSPP emits

TSPP produces two related outputs:

1) Conformance report JSON (from the harness test run)
2) Posture evidence bundle (a portable wrapper around the report with integrity metadata)

Posture evidence bundle

Created via scripts/create_evidence_bundle.py, the bundle includes:

| Artifact          | Path                     | artifact_kind                           |
|-------------------|--------------------------|-----------------------------------------|
| Posture report    | tspp_posture_report.json | tspp_posture_report                     |
| Bundle descriptor | bundle_descriptor.json   | tspp_posture_evidence_bundle_descriptor |
| Checksums         | checksums.json           | evidence_bundle_checksums               |
| Bundle zip        | bundle.zip               | tspp_posture_evidence_bundle_zip        |

AL alignment notes

TSPP uses TSPP_EXPECT_AL (e.g., AL1, AL2, AL3, AL4) to parameterize test expectations for the reference SUT and harness.

For canonical AL definitions and AL3/AL4 artifact expectations, treat the Hub guides as the source of truth:

This repo focuses on emitting the posture evidence bundle and making its evidence surface deterministic and machine-checkable.

Schema references

Assurance Level contract

This repo ships al-contract.json which references the canonical AL definitions in the Assurance Hub and includes the canonical doc SHA-256 (61c599c5fa06e0c9110f40ff71c0174db5502105b97f1391dbd9ae8548115f71).
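The two integrity checks a consumer of these artifacts ends up writing are (a) recomputing the digests recorded in checksums.json for every member of bundle.zip and (b) comparing a fetched copy of the canonical AL document against the SHA-256 pinned in al-contract.json. The Python below is an added example and is not scripts/create_evidence_bundle.py or any other TRQP-TSPP code: the JSON layout of checksums.json and bundle_descriptor.json, the sample posture report, the field name canonical_doc_sha256 and the pinned value it compares against are all constructed here for illustration; only the file names and artifact_kind strings come from the table above.

```python
"""Added example (not TRQP-TSPP project code): build a posture evidence bundle
with the four artifacts from the crosswalk table, verify it, and verify a
pinned canonical document hash.

Assumed for illustration: the JSON layout of checksums.json and
bundle_descriptor.json, the sample posture report, and the field name
"canonical_doc_sha256" in al-contract.json.
"""
import hashlib
import hmac
import json
import tempfile
import zipfile
from pathlib import Path

# File names from the crosswalk table.
POSTURE_REPORT = "tspp_posture_report.json"
DESCRIPTOR = "bundle_descriptor.json"
CHECKSUMS = "checksums.json"
BUNDLE_ZIP = "bundle.zip"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def dump_json(obj: dict) -> bytes:
    # Stable serialization so re-running over the same inputs yields the same digests.
    return json.dumps(obj, sort_keys=True, indent=2).encode() + b"\n"


def create_bundle(out_dir: Path, report: dict) -> Path:
    """Write report, descriptor and checksums, then zip them into bundle.zip."""
    out_dir.mkdir(parents=True, exist_ok=True)
    (out_dir / POSTURE_REPORT).write_bytes(dump_json(report))
    descriptor = {  # layout assumed; artifact_kind values are the table's
        "artifact_kind": "tspp_posture_evidence_bundle_descriptor",
        "artifacts": [
            {"path": POSTURE_REPORT, "artifact_kind": "tspp_posture_report"},
            {"path": CHECKSUMS, "artifact_kind": "evidence_bundle_checksums"},
        ],
    }
    (out_dir / DESCRIPTOR).write_bytes(dump_json(descriptor))
    covered = (POSTURE_REPORT, DESCRIPTOR)  # checksums.json cannot list its own digest
    checksums = {  # layout assumed
        "artifact_kind": "evidence_bundle_checksums",
        "algorithm": "sha256",
        "files": {name: sha256_hex((out_dir / name).read_bytes()) for name in covered},
    }
    (out_dir / CHECKSUMS).write_bytes(dump_json(checksums))
    zip_path = out_dir / BUNDLE_ZIP
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in (*covered, CHECKSUMS):
            zf.write(out_dir / name, arcname=name)
    return zip_path


def verify_bundle(zip_path: Path) -> list[str]:
    """Recompute every digest inside the zip; an empty list means it verifies."""
    problems: list[str] = []
    with zipfile.ZipFile(zip_path) as zf:
        members = set(zf.namelist())
        if CHECKSUMS not in members:
            return [f"missing {CHECKSUMS}"]
        checksums = json.loads(zf.read(CHECKSUMS))
        if checksums.get("algorithm") != "sha256":
            return [f"unsupported algorithm: {checksums.get('algorithm')!r}"]
        listed = checksums.get("files", {})
        for name, expected in listed.items():
            if name not in members:
                problems.append(f"listed but absent: {name}")
            elif not hmac.compare_digest(sha256_hex(zf.read(name)), expected):
                problems.append(f"digest mismatch: {name}")
        # Anything shipped in the zip but not covered by checksums.json is unverifiable evidence.
        for name in sorted(members - {CHECKSUMS} - set(listed)):
            problems.append(f"member not covered by checksums: {name}")
    return problems


def verify_pinned_doc(doc_bytes: bytes, contract: dict) -> bool:
    """Compare a fetched canonical AL document against the SHA-256 pinned in al-contract.json."""
    return hmac.compare_digest(sha256_hex(doc_bytes), contract["canonical_doc_sha256"])


def run_demo() -> dict:
    """Build a bundle from a constructed report, verify it, then verify a tampered copy."""
    report = {"artifact_kind": "tspp_posture_report", "expect_al": "AL3",
              "tests": [{"id": "constructed-1", "result": "pass"}]}  # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        clean = verify_bundle(create_bundle(out, report))
        # Tamper: flip a test result inside the zipped report without touching checksums.json.
        tampered_zip = out / "tampered.zip"
        with zipfile.ZipFile(out / BUNDLE_ZIP) as src, zipfile.ZipFile(tampered_zip, "w") as dst:
            for name in src.namelist():
                data = src.read(name)
                if name == POSTURE_REPORT:
                    data = data.replace(b'"pass"', b'"fail"')
                dst.writestr(name, data)
        tampered = verify_bundle(tampered_zip)
    doc = b"constructed canonical AL definitions document\n"
    contract = {"canonical_doc_sha256": sha256_hex(doc)}  # constructed pin, not the repo's real value
    return {"clean": clean, "tampered": tampered,
            "doc_pin_ok": verify_pinned_doc(doc, contract),
            "doc_pin_tampered": verify_pinned_doc(doc + b"x", contract)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it directly to see the clean bundle verify with no findings, the tampered copy report a digest mismatch on the posture report, and the pinned-document check pass only for the unmodified bytes. Two design points carry over to a real bundle: a member present in the zip but absent from checksums.json is flagged rather than ignored, since unlisted evidence cannot be attested to; and because checksums.json cannot cover itself, the bundle's overall integrity still depends on how that file is authenticated outside the zip (the example does not attempt that).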

Version pins

UNTP DIA alignment

Directory evaluations that rely on UNTP Digital Identity Anchor (DIA) SHOULD apply the SAD-1 identity anchoring extension requirements and capture DIA artifacts as evidence (context reference, resolver approach, and status lifecycle).

Supply chain integrity (OpenSSF-aligned) artifacts

TSPP supports optional inclusion of supply chain integrity evidence in the posture bundle to support TSPP-SCI controls:

| Artifact         | Example path   | artifact_kind            |
|------------------|----------------|--------------------------|
| SBOM             | sbom.spdx.json | software_sbom            |
| Build provenance | provenance.json| build_provenance         |
| Scorecard output | scorecard.json | openssf_scorecard_report |

These artifacts are optional, but recommended for AL3+ deployments.

Discovery surface

TSPP posture reports are intended to be bound into the Combined Assurance Manifest and then published through the Assurance Hub Trust Registry reference service together with the selected machine-readable assurance profile.