stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

finish off sprint advisories and sprints

Browse Source
This commit is contained in:
master
2026-01-24 00:12:43 +02:00
parent 726d70dc7f
commit c70e83719e
266 changed files with 46699 additions and 1328 deletions
Download Patch File Download Diff File Expand all files Collapse all files

285
docs/schemas/function-map-v1.schema.json Normal file
View File

@@ -0,0 +1,285 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://stellaops.org/schemas/function-map-v1.schema.json",
"title": "StellaOps Function Map v1",
"description": "Predicate schema for declaring expected call-paths for runtime→static linkage verification",
"type": "object",
"required": ["_type", "subject", "predicate"],
"properties": {
"_type": {
"type": "string",
"enum": [
"https://stella.ops/predicates/function-map/v1",
"stella.ops/functionMap@v1"
],
"description": "Predicate type URI"
},
"subject": {
"$ref": "#/definitions/subject",
"description": "Subject artifact that this function map applies to"
},
"predicate": {
"$ref": "#/definitions/predicatePayload",
"description": "The predicate payload containing the function map definition"
}
},
"additionalProperties": false,
"definitions": {
"subject": {
"type": "object",
"required": ["purl", "digest"],
"properties": {
"purl": {
"type": "string",
"description": "Package URL of the subject artifact",
"pattern": "^pkg:[a-z]+/.+"
},
"digest": {
"type": "object",
"description": "Digest(s) of the subject artifact",
"additionalProperties": { "type": "string" },
"minProperties": 1
},
"name": {
"type": ["string", "null"],
"description": "Optional artifact name"
}
},
"additionalProperties": false
},
"predicatePayload": {
"type": "object",
"required": ["schemaVersion", "service", "expectedPaths", "coverage", "generatedAt"],
"properties": {
"schemaVersion": {
"type": "string",
"const": "1.0.0",
"description": "Schema version of this predicate"
},
"service": {
"type": "string",
"description": "Service name that this function map applies to",
"minLength": 1
},
"buildId": {
"type": ["string", "null"],
"description": "Build ID or version of the service"
},
"generatedFrom": {
"$ref": "#/definitions/generatedFrom",
"description": "References to source materials used to generate this function map"
},
"expectedPaths": {
"type": "array",
"description": "Expected call-paths that should be observed at runtime",
"items": { "$ref": "#/definitions/expectedPath" },
"minItems": 1
},
"coverage": {
"$ref": "#/definitions/coverageThresholds",
"description": "Coverage thresholds for verification"
},
"generatedAt": {
"type": "string",
"format": "date-time",
"description": "When this function map was generated"
},
"generator": {
"$ref": "#/definitions/generatorInfo",
"description": "Optional generator tool information"
},
"metadata": {
"type": ["object", "null"],
"description": "Optional metadata for extensions",
"additionalProperties": true
}
},
"additionalProperties": false
},
"generatedFrom": {
"type": ["object", "null"],
"properties": {
"sbomRef": {
"type": ["string", "null"],
"description": "SHA256 digest of the SBOM used"
},
"staticAnalysisRef": {
"type": ["string", "null"],
"description": "SHA256 digest of the static analysis results used"
},
"binaryAnalysisRef": {
"type": ["string", "null"],
"description": "SHA256 digest of the binary analysis results used"
},
"hotFunctionPatterns": {
"type": ["array", "null"],
"description": "Hot function patterns used for filtering",
"items": { "type": "string" }
}
},
"additionalProperties": false
},
"expectedPath": {
"type": "object",
"required": ["pathId", "entrypoint", "expectedCalls", "pathHash"],
"properties": {
"pathId": {
"type": "string",
"description": "Unique identifier for this path within the function map",
"minLength": 1
},
"description": {
"type": ["string", "null"],
"description": "Human-readable description of this call path"
},
"entrypoint": {
"$ref": "#/definitions/pathEntrypoint",
"description": "Entrypoint function that initiates this call path"
},
"expectedCalls": {
"type": "array",
"description": "Expected function calls within this path",
"items": { "$ref": "#/definitions/expectedCall" },
"minItems": 1
},
"pathHash": {
"type": "string",
"description": "Hash of the canonical path representation",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"optional": {
"type": "boolean",
"default": false,
"description": "Whether this entire path is optional"
},
"strictOrdering": {
"type": "boolean",
"default": false,
"description": "Whether strict ordering of expected calls should be verified"
},
"tags": {
"type": ["array", "null"],
"description": "Optional tags for categorizing paths",
"items": { "type": "string" }
}
},
"additionalProperties": false
},
"pathEntrypoint": {
"type": "object",
"required": ["symbol", "nodeHash"],
"properties": {
"symbol": {
"type": "string",
"description": "Symbol name of the entrypoint function",
"minLength": 1
},
"nodeHash": {
"type": "string",
"description": "Node hash for this entrypoint (PURL + normalized symbol)",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"purl": {
"type": ["string", "null"],
"description": "Optional PURL of the component containing this entrypoint"
}
},
"additionalProperties": false
},
"expectedCall": {
"type": "object",
"required": ["symbol", "purl", "nodeHash", "probeTypes"],
"properties": {
"symbol": {
"type": "string",
"description": "Symbol name of the expected function call",
"minLength": 1
},
"purl": {
"type": "string",
"description": "Package URL (PURL) of the component containing this function",
"pattern": "^pkg:[a-z]+/.+"
},
"nodeHash": {
"type": "string",
"description": "Node hash for this function (PURL + normalized symbol)",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"probeTypes": {
"type": "array",
"description": "Acceptable probe types for observing this function",
"items": {
"type": "string",
"enum": ["kprobe", "kretprobe", "uprobe", "uretprobe", "tracepoint", "usdt"]
},
"minItems": 1
},
"optional": {
"type": "boolean",
"default": false,
"description": "Whether this function call is optional"
},
"description": {
"type": ["string", "null"],
"description": "Optional human-readable description"
},
"functionAddress": {
"type": ["integer", "null"],
"description": "Optional function address hint for performance optimization"
},
"binaryPath": {
"type": ["string", "null"],
"description": "Optional binary path where this function is located"
}
},
"additionalProperties": false
},
"coverageThresholds": {
"type": "object",
"properties": {
"minObservationRate": {
"type": "number",
"minimum": 0.0,
"maximum": 1.0,
"default": 0.95,
"description": "Minimum observation rate required for verification to pass"
},
"windowSeconds": {
"type": "integer",
"minimum": 1,
"default": 1800,
"description": "Observation window in seconds"
},
"minObservationCount": {
"type": ["integer", "null"],
"minimum": 1,
"description": "Minimum number of observations required before verification can succeed"
},
"failOnUnexpected": {
"type": "boolean",
"default": false,
"description": "Whether to fail on unexpected symbols (not in the function map)"
}
},
"additionalProperties": false
},
"generatorInfo": {
"type": ["object", "null"],
"properties": {
"name": {
"type": ["string", "null"],
"description": "Name of the generator tool"
},
"version": {
"type": ["string", "null"],
"description": "Version of the generator tool"
},
"commit": {
"type": ["string", "null"],
"description": "Optional commit hash of the generator tool"
}
},
"additionalProperties": false
}
}
}

273
docs/schemas/policy-pack-v2.schema.json Normal file
View File

@@ -0,0 +1,273 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/policy-pack-v2.schema.json",
"title": "Stella Ops PolicyPack v2",
"description": "Canonical policy pack format supporting bidirectional JSON/Rego interop with structured remediation hints.",
"type": "object",
"required": ["apiVersion", "kind", "metadata", "spec"],
"properties": {
"apiVersion": {
"type": "string",
"const": "policy.stellaops.io/v2",
"description": "Schema version identifier."
},
"kind": {
"type": "string",
"enum": ["PolicyPack", "PolicyOverride"],
"description": "Document kind."
},
"metadata": { "$ref": "#/$defs/PolicyPackMetadata" },
"spec": { "$ref": "#/$defs/PolicyPackSpec" }
},
"additionalProperties": false,
"$defs": {
"PolicyPackMetadata": {
"type": "object",
"required": ["name", "version"],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-z0-9][a-z0-9-]{0,62}$",
"description": "Unique name (DNS-label format)."
},
"version": {
"type": "string",
"pattern": "^\\d+\\.\\d+\\.\\d+",
"description": "Semantic version."
},
"description": {
"type": "string",
"maxLength": 500,
"description": "Human-readable description."
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "SHA-256 digest of canonical content."
},
"createdAt": {
"type": "string",
"format": "date-time",
"description": "Creation timestamp (ISO 8601 UTC)."
},
"exportedFrom": { "$ref": "#/$defs/PolicyExportProvenance" },
"parent": {
"type": "string",
"description": "Parent policy pack name (for PolicyOverride)."
},
"environment": {
"type": "string",
"description": "Target environment (for PolicyOverride)."
}
},
"additionalProperties": false
},
"PolicyExportProvenance": {
"type": "object",
"required": ["engine", "engineVersion"],
"properties": {
"engine": {
"type": "string",
"description": "Exporting engine name."
},
"engineVersion": {
"type": "string",
"description": "Engine version."
},
"exportedAt": {
"type": "string",
"format": "date-time",
"description": "Export timestamp."
}
},
"additionalProperties": false
},
"PolicyPackSpec": {
"type": "object",
"required": ["settings"],
"properties": {
"settings": { "$ref": "#/$defs/PolicyPackSettings" },
"gates": {
"type": "array",
"items": { "$ref": "#/$defs/PolicyGateDefinition" },
"description": "Gate definitions with typed configurations."
},
"rules": {
"type": "array",
"items": { "$ref": "#/$defs/PolicyRuleDefinition" },
"description": "Rule definitions with match conditions."
}
},
"additionalProperties": false
},
"PolicyPackSettings": {
"type": "object",
"required": ["defaultAction"],
"properties": {
"defaultAction": {
"type": "string",
"enum": ["allow", "warn", "block"],
"description": "Default action when no rule matches."
},
"unknownsThreshold": {
"type": "number",
"minimum": 0.0,
"maximum": 1.0,
"default": 0.6,
"description": "Threshold for unknowns budget."
},
"stopOnFirstFailure": {
"type": "boolean",
"default": true,
"description": "Stop evaluation on first failure."
},
"deterministicMode": {
"type": "boolean",
"default": true,
"description": "Enforce deterministic evaluation."
}
},
"additionalProperties": false
},
"PolicyGateDefinition": {
"type": "object",
"required": ["id", "type"],
"properties": {
"id": {
"type": "string",
"pattern": "^[a-z0-9][a-z0-9-]{0,62}$",
"description": "Unique gate identifier."
},
"type": {
"type": "string",
"description": "Gate type (C# gate class name)."
},
"enabled": {
"type": "boolean",
"default": true,
"description": "Whether this gate is active."
},
"config": {
"type": "object",
"description": "Gate-specific configuration.",
"additionalProperties": true
},
"environments": {
"type": "object",
"description": "Per-environment config overrides.",
"additionalProperties": {
"type": "object",
"additionalProperties": true
}
},
"remediation": { "$ref": "#/$defs/RemediationHint" }
},
"additionalProperties": false
},
"PolicyRuleDefinition": {
"type": "object",
"required": ["name", "action"],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-z0-9][a-z0-9-]{0,62}$",
"description": "Unique rule name."
},
"action": {
"type": "string",
"enum": ["allow", "warn", "block"],
"description": "Action when matched."
},
"priority": {
"type": "integer",
"minimum": 0,
"default": 0,
"description": "Evaluation priority (lower = first)."
},
"match": {
"type": "object",
"description": "Match conditions (dot-notation keys, typed values).",
"additionalProperties": true
},
"remediation": { "$ref": "#/$defs/RemediationHint" }
},
"additionalProperties": false
},
"RemediationHint": {
"type": "object",
"required": ["code", "title", "severity"],
"properties": {
"code": {
"type": "string",
"pattern": "^[A-Z][A-Z0-9_]{1,30}$",
"description": "Machine-readable remediation code."
},
"title": {
"type": "string",
"maxLength": 200,
"description": "Human-readable title."
},
"description": {
"type": "string",
"maxLength": 1000,
"description": "Detailed explanation."
},
"actions": {
"type": "array",
"items": { "$ref": "#/$defs/RemediationAction" },
"description": "Ordered remediation actions."
},
"references": {
"type": "array",
"items": { "$ref": "#/$defs/RemediationReference" },
"description": "External references."
},
"severity": {
"type": "string",
"enum": ["critical", "high", "medium", "low"],
"description": "Issue severity."
}
},
"additionalProperties": false
},
"RemediationAction": {
"type": "object",
"required": ["type", "description"],
"properties": {
"type": {
"type": "string",
"enum": ["upgrade", "patch", "vex", "sign", "anchor", "generate", "override", "investigate", "mitigate"],
"description": "Action type."
},
"description": {
"type": "string",
"maxLength": 500,
"description": "What this action does."
},
"command": {
"type": "string",
"maxLength": 500,
"description": "CLI command template with {placeholders}."
}
},
"additionalProperties": false
},
"RemediationReference": {
"type": "object",
"required": ["title", "url"],
"properties": {
"title": {
"type": "string",
"maxLength": 200,
"description": "Display title."
},
"url": {
"type": "string",
"format": "uri",
"description": "Reference URL."
}
},
"additionalProperties": false
}
}
}

35
docs/schemas/predicates/deltasig-v2.schema.json
View File

@@ -58,6 +58,16 @@
"type": "object",
"additionalProperties": true,
"description": "Additional metadata"
},
"sbomDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "SHA-256 digest of the associated SBOM document"
},
"largeBlobs": {
"type": "array",
"items": { "$ref": "#/$defs/largeBlobReference" },
"description": "References to large binary blobs stored out-of-band (by digest)"
}
},
"$defs": {
@@ -346,6 +356,31 @@
"description": "Total size of IR diffs stored in CAS"
}
}
},
"largeBlobReference": {
"type": "object",
"required": ["kind", "digest"],
"properties": {
"kind": {
"type": "string",
"enum": ["preBinary", "postBinary", "debugSymbols", "irDiff"],
"description": "Blob kind: preBinary, postBinary, debugSymbols, etc."
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Content-addressable digest (e.g., sha256:abc123...)"
},
"mediaType": {
"type": "string",
"description": "Media type of the blob"
},
"sizeBytes": {
"type": "integer",
"minimum": 0,
"description": "Size in bytes (for transfer planning)"
}
}
}
}
}