Evidence Report Schema

The JSON evidence report is the canonical machine-readable output of a validation run. All other outputs (PDF, signature) are derived from it.

Schema Version

Current schema version: 1.0

The schema_version field enables forward compatibility. Consumers should check this field and handle unknown versions gracefully.

Top-Level Structure

{
  "schema_version": "1.0",
  "report_id": "validation-9275b4aa-2aeb-4910-a3a6-9e4aa1dc016a",
  "generated_at": "2026-04-09T05:37:49.204+00:00",
  "tool": { },
  "backup": { },
  "restore": { },
  "validation": { },
  "integrity": { },
  "compliance_mappings": { },
  "triggered_by": "weekly-cron-job"
}

Field	Type	Description
`schema_version`	string	Schema version for compatibility (`"1.0"`)
`report_id`	string	Unique identifier for this validation run
`generated_at`	string	ISO-8601 timestamp of report generation
`tool`	object	Information about the tool that generated the report
`backup`	object	Backup metadata
`restore`	object	Restore details (nullable)
`validation`	object	Validation check results
`integrity`	object	Checksums and signature information
`compliance_mappings`	object	Regulatory framework mappings
`triggered_by`	string	Who/what triggered this run (nullable)

tool

{
  "tool": {
    "name": "kafka-backup",
    "version": "0.11.0"
  }
}

backup

{
  "backup": {
    "id": "production-daily-001",
    "source_cluster_id": "prod-kafka-01",
    "source_brokers": ["broker-1:9092", "broker-2:9092"],
    "storage_backend": "s3://my-kafka-backups/production/daily",
    "pitr_timestamp": 1711929600000,
    "created_at": 1711929600000,
    "total_topics": 3,
    "total_partitions": 9,
    "total_segments": 9,
    "total_records": 1000
  }
}

Field	Type	Description
`id`	string	Backup ID
`source_cluster_id`	string	Source cluster identifier (nullable)
`source_brokers`	array	Source bootstrap servers
`storage_backend`	string	Storage backend description
`pitr_timestamp`	int	PITR timestamp in epoch millis (nullable)
`created_at`	int	Backup creation timestamp in epoch millis
`total_topics`	int	Number of topics in the backup
`total_partitions`	int	Total partitions across all topics
`total_segments`	int	Total segment files
`total_records`	int	Total records across all segments

restore

Present when validation was run against a restored cluster.

{
  "restore": {
    "target_bootstrap_servers": ["restored-kafka:9092"],
    "start_time": "2026-04-09T02:00:00Z",
    "end_time": "2026-04-09T02:31:14Z",
    "duration_seconds": 1874
  }
}

validation

{
  "validation": {
    "checks_total": 3,
    "checks_passed": 3,
    "checks_failed": 0,
    "checks_skipped": 0,
    "checks_warned": 0,
    "overall_result": "PASSED",
    "results": [ ],
    "total_duration_ms": 18
  }
}

Field	Type	Description
`overall_result`	string	`PASSED`, `FAILED`, `WARNING`, or `SKIPPED`
`checks_total`	int	Total checks executed
`checks_passed`	int	Checks that passed
`checks_failed`	int	Checks that failed
`total_duration_ms`	int	Total validation duration in milliseconds
`results`	array	Individual check results (see below)

Check Result Object

{
  "check_name": "MessageCountCheck",
  "outcome": "PASSED",
  "detail": "3 topics; 1000 messages expected, 1000 restored; 0 discrepancies",
  "data": {
    "check": "MessageCountCheck",
    "topics_verified": 3,
    "total_messages_expected": 1000,
    "total_messages_restored": 1000,
    "discrepancies": [],
    "sha256_offset_summary": "e3b0c44298fc1c149afb..."
  },
  "duration_ms": 12
}

Field	Type	Description
`check_name`	string	Check identifier
`outcome`	string	`PASSED`, `FAILED`, `WARNING`, or `SKIPPED`
`detail`	string	Human-readable summary
`data`	object	Machine-readable data (varies by check type)
`duration_ms`	int	Check execution time in milliseconds

MessageCountCheck Data

Field	Type	Description
`topics_verified`	int	Number of topics checked
`total_messages_expected`	int	Expected record count from manifest
`total_messages_restored`	int	Actual record count on restored cluster
`discrepancies`	array	Per-partition discrepancies (empty when passed)
`sha256_offset_summary`	string	SHA-256 of the offset summary for evidence

OffsetRangeCheck Data

Field	Type	Description
`partitions_checked`	int	Total partitions verified
`partitions_passed`	int	Partitions with correct offset ranges
`issues`	array	Per-partition issues (empty when passed)

ConsumerGroupOffsetCheck Data

Field	Type	Description
`groups_checked`	int	Consumer groups verified
`total_offsets`	int	Total committed offsets checked
`issues`	array	Per-group issues (empty when passed)

integrity

{
  "integrity": {
    "backup_manifest_sha256": "a1b2c3d4e5f6...",
    "report_sha256": "2482bbdfa113146e...",
    "checksums_valid": true,
    "signature_algorithm": "ECDSA-P256-SHA256",
    "signed_by": "production-signing-key"
  }
}

Field	Type	Description
`backup_manifest_sha256`	string	SHA-256 of the backup manifest.json
`report_sha256`	string	SHA-256 of the canonical JSON report
`checksums_valid`	bool	Whether checksums are consistent
`signature_algorithm`	string	`ECDSA-P256-SHA256` or `none`
`signed_by`	string	Signing identity (nullable)

compliance_mappings

{
  "compliance_mappings": {
    "sox_itgc": {
      "control": "IT General Controls - Backup and Recovery",
      "satisfied_by": ["MessageCountCheck", "OffsetRangeCheck"],
      "evidence_retention_required_years": 7,
      "evidence_retention_configured_days": 2555
    },
    "cmmc_l2": {
      "control": "RE.3.139",
      "description": "Regularly perform and test data back-ups",
      "satisfied_by": ["MessageCountCheck", "OffsetRangeCheck", "ConsumerGroupOffsetCheck"]
    },
    "gdpr_art32": {
      "control": "Article 32 - Testing technical measures",
      "satisfied_by": ["MessageCountCheck", "OffsetRangeCheck"],
      "test_frequency": "on-demand",
      "rto_demonstrated_seconds": 1874
    }
  }
}

Each framework mapping identifies which validation checks satisfy which regulatory control, enabling auditors to trace evidence directly to compliance requirements.

PDF Report Layout

The PDF is generated from the JSON report and contains:

Page	Content
1	Cover — title, report ID, timestamp, overall result (PASSED/FAILED), tool version
2	Validation results — check summary table, per-check detail
3	Integrity & compliance — SHA-256 checksums, signature details, SOX/CMMC/GDPR mappings

The PDF includes the report_sha256 so auditors can independently verify the JSON report matches by computing its SHA-256.

Next Steps

Validation Config Reference — configuration options
Evidence Signing Guide — signing and verification
Backup Validation Guide — complete walkthrough

Schema Version​

Top-Level Structure​

tool​

backup​

restore​

validation​

Check Result Object​

MessageCountCheck Data​

OffsetRangeCheck Data​

ConsumerGroupOffsetCheck Data​

integrity​

compliance_mappings​

PDF Report Layout​

Next Steps​