EVIDE
← Back to Signals
Schema Reference
Public Edition

EVIDE Minimum Intake JSON

Evidentiary Intake Structure and Interoperability Model
Schema v2.0 · Public Specification v2.0 · May 2026
This public edition describes the EVIDE evidentiary intake structure and interoperability model. Operational access details are available to certified API partners only.
⬇ Download Technical PDF Live Schema ↗ EVIDE Overview ↗
Contents
What EVIDE Is

EVIDE (External Evidentiary Deposit) is a structured evidentiary intake layer designed to anchor AI-assisted or human decisions to an independent, cryptographically verifiable record. Each intake transforms a closed decision into a portable evidentiary object that can be validated outside the originating system, without requiring operational access to the source system, its logs, or its infrastructure.

"EVIDE does not standardise how a decision is made.
It standardises the minimum evidentiary object that can survive outside the source system."

EVIDE does not:

  • verify whether the declared authority was legitimate
  • validate the correctness of the decision
  • introduce admissibility logic
  • replace governance frameworks
  • operate inside the decision pipeline
Boundary Semantics

EVIDE operates at a specific and bounded layer. Understanding what it does and does not do prevents misuse and misinterpretation.

  • EVIDE records closure state, not runtime execution
  • EVIDE anchors the externally visible responsibility state at the moment a decision becomes final
  • EVIDE preserves admissibility visibility without enforcing admissibility
  • EVIDE is evidentiary, not supervisory
  • EVIDE does not replay decisions — it anchors closure objects
  • EVIDE does not verify declared oversight — it makes the declaration persistent, portable, and independently verifiable

Behavioral completion vs. Responsibility closure

A finalized decision without a bound authority represents behavioral completion only — the system produced an outcome, but no accountable actor is formally attached to it.

A finalized decision with a bound authority and declared human oversight represents responsibility closure — the outcome is not only produced, but explicitly attributable.

The Layer 2 → Layer 3 boundary requires responsibility closure, not behavioral completion.

Identity-Bound Access Model

EVIDE access provisioning requires DAPI identity verification. This requirement exists because EVIDE operates as an evidentiary responsibility layer. The intake infrastructure must be able to attribute API activity to a verifiable identity source, even when deposited payloads contain declared or non-verified authority states.

DAPI therefore functions as the identity-bound access layer of the EVIDE intake infrastructure, separating:

  • infrastructure access attribution
  • payload-declared authority
  • evidentiary responsibility visibility
Access provisioning details are confidential and available to certified API partners only. Contact info@informaticainazienda.it to request access.
Section 1
1. Schema Structure

The EVIDE intake payload is a JSON object submitted via POST. It is canonicalized and hashed deterministically before storage. The current schema version is "2.0". Versions "1.8" and "1.9" remain supported for compatibility.

Required fields
  • evide_schema — must be "2.0" for current intake. "1.8" supported for compatibility (no handoff). "1.9" supported with handoff as string.
  • source_system — name of the originating system
  • source_reference — unique decision identifier in the source system
  • source_timestamp_utc — ISO 8601 UTC timestamp of decision production
  • decision.type — decision category (e.g. candidate_evaluation, risk_classification)
  • decision.status — must be "finalized"
  • decision.closure_timestamp_utc — UTC timestamp of closure
  • decision.summary — natural-language description of the decision
  • authority.id — authority identifier in the source system
  • authority.role — role of the authority
Notable optional fields
  • authority.verification — DAPI reference code linking the authority to a verified identity. Without it, authority_verification_status returns "declared" instead of "claimed".
  • intervention.type — override / approval / rejection / escalation
  • intervention.classification_context — upstream governance structure visibility (v1.7). Required for evide_schema 2.0.
  • human_oversight.is_declared + declared_level — L1 / L2 / L3
  • fedis_requested — triggers FEDIS forensic certification workflow
  • chain.parent_evide_id — links to a previous intake in a verifiable evidence chain
  • handoff — boundary state declaration for L3 intake. Required when evide_schema = "1.9" or "2.0". In v2.0, boundary_readiness is a structured object with four canonical states. See Section 3.
Minimal payload example (v2.0)
"evide_schema": "2.0", "source_system": "AquariuOS", "source_reference": "CDR-2026-00421", "source_timestamp_utc": "2026-04-07T09:15:00Z", "decision": { "type": "candidate_evaluation", "status": "finalized", "closure_timestamp_utc": "2026-04-07T09:15:00Z", "summary": "AI recommendation overridden by human authority" }, "authority": { "id": "user_87421", "role": "HR Reviewer" }, "intervention": { "type": "override", "classification_context": { // required for v2.0 "taxonomy_reference": "https://example.org/taxonomies/rationale-types-v1.0", "threshold_reference": "https://example.org/rules/hr-review-threshold-v1", "threshold_status": "met" } }, "handoff": { "boundary_readiness": { // structured object in v2.0 "status": "candidate", "readiness_gate": null, "visibility_surface": null, "unresolved_signals": [] }, "reconstruction_independence": "declared", "submission_status": "not_submitted", "acceptance_status": "not_claimed" }

Full schema reference: app.certifywebcontent.com/json

Section 2
2. classification_context (v1.7 + v1.8)

The classification_context object exposes whether the classification act was supported by an upstream taxonomy and threshold structure at the moment of recording. It does not validate the threshold — it makes the presence or absence of such a structure externally visible. Required when evide_schema = "2.0".

threshold_status values
  • met — threshold was defined and the decision satisfied it
  • not_met — threshold was defined but not satisfied
  • unknown — threshold may exist but state is not verifiable at deposit time
  • not_defined — no threshold was formally defined for this classification
Governance gap signal: threshold_status: "not_defined" does not indicate an operational error. It signals that at the moment of decision, no formally defined governance structure existed — a governance gap made externally visible, not a system failure.
threshold_authority (v1.8)

Exposes whether the threshold had a structurally attributable source of authority at closure. attribution_status is required when threshold_authority is present.

  • attributed — single identifiable authority defined at closure
  • fragmented — threshold defined across multiple sources, no single attributable authority
  • implicit — threshold present in practice but not formally defined or attributable
  • unknown — threshold authority not verifiable at the moment of closure
Section 3
3. handoff (v2.0)

The handoff object defines the boundary state of a closure object before EVIDE accepts it for external anchoring. Required when evide_schema is "1.9" or "2.0". In v2.0, boundary_readiness is promoted from a string to a structured object with four canonical states.

v1.9 made the boundary explicit. v2.0 makes the evidentiary quality of the boundary explicit.
boundary_readiness object (v2.0)
  • status — required. One of: candidate, verified, verified_partial, unverifiable.
  • readiness_gate.identifier — required when status ≠ candidate. Name or ID of the gate system that performed the assessment.
  • readiness_gate.scope_reference — required when status ≠ candidate. URL or hash of the gate policy document. Makes verified non-self-referential.
  • visibility_surface — categorical declaration of the gate's observational coverage: null (candidate), partial, declared_complete, insufficient.
  • unresolved_signals — string array of signal identifiers the gate could not resolve. Empty for candidate and verified. Minimum one element for verified_partial and unverifiable.
Canonical state combinations
  • candidate — readiness_gate: null, visibility_surface: null, unresolved_signals: []. No gate has operated. Upstream declaration only.
  • verified — readiness_gate: present, visibility_surface: declared_complete, unresolved_signals: []. Gate confirmed stability across complete visibility.
  • verified_partial — readiness_gate: present, visibility_surface: partial, unresolved_signals: [min. 1]. Gate confirmed what it could see. Gaps declared explicitly.
  • unverifiable — readiness_gate: present, visibility_surface: insufficient, unresolved_signals: [min. 1]. Gate operated but surface was below minimum threshold. Proves diligence, not failure.
Other handoff fields (unchanged from v1.9)
  • reconstruction_independence — must be declared for EVIDE intake.
  • submission_status — must be not_submitted when sent by the upstream system.
  • acceptance_status — must be not_claimed when sent by the upstream system.
Boundary rule: no downstream step should require reconstruction of intent from audit logs, human memory, or system-specific context. The object must be self-contained and independently verifiable before submission.

After a successful intake, EVIDE returns the updated handoff state with submission_status: "submitted" and acceptance_status: "accepted". In v2.0, boundary_readiness is returned as a structured object. The original submitted payload is stored and hashed without modification.

boundary_readiness and runtime conditions - architectural note (v2.0)

EVIDE anchors closure states, not runtime states. It does not monitor conditions after anchoring and does not introduce runtime governance.

"They come from anchoring something that was already drifting at the moment it was externalized."

In v2.0, this failure mode is addressed more precisely. The gate's own observational capacity becomes part of the evidentiary record. What the gate could not see is declared explicitly in unresolved_signals — it is no longer a hidden assumption but a documented variable.

A system cannot self-certify boundary_readiness.status = "verified". That evaluation must come from an independent gate declared in readiness_gate.identifier. If the gate's visibility was incomplete, the honest state is verified_partial with declared gaps — not verified.

unverifiable is not a failure state. It is the most forensically honest state when an independent gate operated but the source system was too opaque to confirm boundary stability.

Gate independence is a governance qualification, not a self-declared payload field in v2.0. Formal gate qualification is deferred to the v2.x Gate Qualification Framework.

Section 4
4. Canonicalization and Hashing

Before computing the SHA-256 hash, the system canonicalizes the JSON: keys are sorted alphabetically at all levels and the result is minified. This guarantees that two semantically identical payloads always produce the same hash regardless of key submission order. The content_hash field is excluded before hashing.

Algorithm
  • Remove the content_hash node if present
  • Recursively sort all keys alphabetically at every nesting level
  • Serialize to minified JSON (UTF-8, no escaped slashes)
  • Compute SHA-256 of the resulting string
Key ordering inside classification_context: taxonomy_referencethreshold_authoritythreshold_referencethreshold_status.

Key ordering inside handoff.boundary_readiness (v2.0): readiness_gatestatusunresolved_signalsvisibility_surface.

These orderings are enforced by recursive ksort and must be respected when computing content_hash on the source side.
Integrity guarantee: the intake hash returned in the API response is the authoritative fingerprint. The source-declared content_hash is an optional client-side reference — it extends the integrity chain to cover the pre-intake transit as well.
Section 5
5. Schema Evolution

EVIDE follows a strict backward-compatible evolution model. Each version adds optional fields or response attributes without breaking existing integrations.

VersionAddition
1.0Base schema — decision, authority, intervention, human_oversight, chain
1.1created_at_utc, object_class, content_hash
1.2intervention.rationale_type
1.3intervention.taxonomy_version — enables classification replay in audit
1.4fedis_requested — triggers FEDIS forensic certification workflow
1.5authority_verification_status (response) — claimed vs declared
1.6intervention.classification_status — stable / provisional / contested
1.7intervention.classification_context — upstream governance structure visibility
1.8classification_context.threshold_authority — threshold ownership attributability
1.9handoff — boundary-ready schema, universal handoff contract for L3 intake. boundary_readiness as string: candidate | verified.
2.0handoff.boundary_readiness promoted from string to structured object. Four canonical states: candidate, verified, verified_partial, unverifiable. Adds readiness_gate (identifier + scope_reference), visibility_surface, unresolved_signals. intervention.classification_context required. decision.status must be "finalized". v1.8 and v1.9 remain supported.

Full architectural backlog: app.certifywebcontent.com/docs/evide-v2-roadmap/

Section 6
6. Interoperability

EVIDE is designed to receive structured closure objects from any system — AI pipelines, workflow engines, governance platforms, runtime agent systems — without requiring integration inside the decision pipeline.

The minimal boundary requirements for the source system are:

  • an explicit closure state (not only behavioral completion)
  • an identified authority bound to that closure
  • an explicit responsibility declaration
  • a stable reference to the upstream trace
  • a coherent classification context (even if initially internal)
Source identity field mapping
  • evidence_idsource_reference (primary object identity)
  • event_idintervention.trace.reference (runtime event identity)
  • trace_referenceintervention.trace.reference (upstream trace continuity)

Reference implementation: RANKIGI × EVIDE Interface Mapping (v0.3)

Section 7
7. FEDIS Compatibility

FEDIS (Forensic Evidence Declaration & Integrity Statement) transforms an EVIDE intake record into a legally presentable forensic artifact. It is not a default system artifact but a formal evidentiary output generated through a certification process, triggered by setting fedis_requested: true in the intake payload.

Reference: certifywebcontent.com — FEDIS

A FEDIS-ready EVIDE record must include:

  • cryptographically fixed closure state (SHA-256 intake hash)
  • independent UTC intake timestamp
  • declared authority bound to the closure
  • classification context sufficient for external interpretation
  • stable upstream trace reference

FEDIS extends the EVIDE record with a qualified eIDAS digital signature, RFC 3161 timestamping, SHA-256 and SHA-512 fingerprints, formal chain of custody declaration, and sworn statement — making the same record usable in audit, regulatory, and judicial contexts without reprocessing.

Architecture in three layers
  • Source system — produces the decision and surfaces the closure object
  • EVIDE — anchors the closure object externally with integrity and timestamp
  • FEDIS — transforms the anchored record into a legally presentable artifact
One closure.
Three layers.
One independent record.
For operational access, contact info@informaticainazienda.it