Appendices
Appendix A: Evidence Artifact Catalogue
Working draft
This page renders the current AWOSS working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.
This appendix gives first-pass evidence examples. It is not exhaustive.

| Artifact | Supports | Expected owner | Minimum metadata | Redaction guidance |
|---|---|---|---|---|
| Scope record | AWOSS-SCP, AWOSS-GOV | Organization or governance | system name, boundary, owners, exclusions, date | avoid exporting unrelated system contents |
| Runtime and tool inventory | AWOSS-SCP, AWOSS-RUN, AWOSS-SRC | Runtime platform | runtime, tools, connectors, skills, versions, owners | avoid secrets in configuration details |
| Connected resource inventory | AWOSS-SCP, AWOSS-WSB, AWOSS-SEC | Workspace or endpoint | repositories, files, SaaS systems, shells, networks, data categories | list categories and scopes, not confidential payloads |
| Owner matrix | AWOSS-SCP, AWOSS-DEL, AWOSS-GOV | Organization or governance | owner roles, responsibilities, review dates | minimize personal data where role data is enough |
| Authority model | AWOSS-DEL, AWOSS-RUN | Organization or governance | user roles, service accounts, delegated authority, approval roles | do not expose credentials or private identity tokens |
| Runtime policy export | AWOSS-RUN, AWOSS-CTX, AWOSS-SEC | Runtime platform | policy version, action classes, allow/deny/approval rules | redact live tokens, prompts, and sensitive examples |
| Approval policy | AWOSS-DEL, AWOSS-RUN, AWOSS-GOV | Organization or governance | approver roles, triggers, expiry, escalation | summarize approver roles when names are unnecessary |
| Workspace boundary configuration | AWOSS-WSB, AWOSS-SEC | Workspace or endpoint | sandbox, filesystem, repository, network, connector scopes | redact sensitive paths only when review remains possible |
| Source register | AWOSS-SRC, AWOSS-GOV | Skill or skill-set source | source, maintainer, version, commit, checksum, approval state | share identifiers and hashes before private source code |
| Source-trust profile record | AWOSS-SRC, AWOSS-LOG, AWOSS-GOV, AWOSS-VAL | Skill or skill-set source, runtime platform, or evidence owner | action-unit ID, registry or source signal, publisher or namespace status, manifest/hash/signature if available, declared permissions, local review state, drift, rollback or retirement path | preserve identifiers, hashes, metadata, and review decisions; avoid proprietary connector internals, tokens, and raw sensitive payloads |
| Dependency or lockfile record | AWOSS-SRC, AWOSS-VAL | Skill or skill-set source | package names, versions, hashes, resolution date | avoid embedding private registry credentials |
| Installation or update receipt | AWOSS-SRC, AWOSS-LOG | Runtime platform | source, version, actor, timestamp, approval state | remove credentials and unrelated payloads |
| High-impact action receipt | AWOSS-RUN, AWOSS-LOG, AWOSS-VAL | Evidence or audit | event ID, timestamp, actor, action class, scope, policy outcome | record metadata and stable references, not raw secrets |
| Denied-action record | AWOSS-RUN, AWOSS-LOG, AWOSS-VAL | Evidence or audit | policy rule, attempted action class, timestamp, actor or runtime | redact attempted payloads that contain sensitive data |
| Sensitive-data handling record | AWOSS-SEC, AWOSS-LOG, AWOSS-VAL | Workspace or endpoint | data category, access rule, redaction state, export outcome | avoid raw personal data or secrets |
| Context-source inventory | AWOSS-CTX, AWOSS-SCP | Runtime platform | instruction sources, memory sources, retrieval sources, trust order | do not export confidential corpus contents unnecessarily |
| Context-boundary test | AWOSS-CTX, AWOSS-VAL | Evidence or audit | scenario, expected policy, result, finding, remediation | summarize exploit details when disclosure would increase risk |
| Validation report | AWOSS-VAL, all families | Evidence or audit | scope, controls reviewed, method, findings, date, reviewer | publish findings and status before raw test data |
| Exception register | AWOSS-GOV, AWOSS-VAL | Organization or governance | exception, owner, rationale, expiry, remediation plan | avoid unnecessary personnel and business-sensitive detail |
| Claim-limit record | AWOSS-GOV, mapping evidence | Organization or governance | statement, scope, control subset, evidence basis, prohibited claims | keep external-facing wording bounded and reviewable |