{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stella-ops.io/schemas/runtime-evidence/v1.json", "title": "Runtime Evidence Record", "description": "Unified schema for syscall-level and symbol-level runtime evidence collected via eBPF probes.", "type": "object", "required": ["ts_ns", "src", "pid", "comm", "event"], "properties": { "ts_ns": { "type": "integer", "description": "Timestamp in nanoseconds since boot (monotonic)", "minimum": 0 }, "src": { "type": "string", "description": "Event source identifier (probe name)", "examples": [ "sys_enter_openat", "sched_process_exec", "inet_sock_set_state", "uprobe:connect", "uprobe:SSL_read", "uprobe:function_entry" ] }, "pid": { "type": "integer", "description": "Process ID", "minimum": 1 }, "tid": { "type": "integer", "description": "Thread ID", "minimum": 1 }, "cgroup_id": { "type": "integer", "description": "Cgroup ID for container identification", "minimum": 0 }, "container_id": { "type": "string", "description": "Container ID with runtime prefix (enriched post-collection)", "pattern": "^(containerd|docker|cri-o|podman)://[a-f0-9]{64}$", "examples": ["containerd://abc123def456..."] }, "image_digest": { "type": "string", "description": "Image digest (enriched post-collection)", "pattern": "^sha256:[a-f0-9]{64}$" }, "comm": { "type": "string", "description": "Process command name (up to 16 chars)", "maxLength": 16 }, "event": { "description": "Event-specific data", "oneOf": [ { "$ref": "#/$defs/file_open" }, { "$ref": "#/$defs/process_exec" }, { "$ref": "#/$defs/tcp_state" }, { "$ref": "#/$defs/net_connect" }, { "$ref": "#/$defs/ssl_op" }, { "$ref": "#/$defs/function_call" } ] } }, "$defs": { "file_open": { "type": "object", "description": "File open event (sys_enter_openat tracepoint)", "required": ["type", "path"], "properties": { "type": { "const": "file_open" }, "path": { "type": "string", "description": "Path argument passed to openat, captured at syscall entry (a relative path resolves against dfd)" }, "flags": { "type": "integer", "description": "Open flags 
(O_RDONLY=0, O_WRONLY=1, O_RDWR=2, etc.)" }, "access": { "type": "string", "description": "Human-readable access mode", "enum": ["read", "write", "read_write", "unknown"] }, "dfd": { "type": "integer", "description": "Directory file descriptor (-100 = AT_FDCWD)" }, "mode": { "type": "integer", "description": "File mode for O_CREAT", "minimum": 0, "maximum": 4095 } } }, "process_exec": { "type": "object", "description": "Process execution event (sched_process_exec tracepoint)", "required": ["type", "filename"], "properties": { "type": { "const": "process_exec" }, "filename": { "type": "string", "description": "Executed file path" }, "ppid": { "type": "integer", "description": "Parent process ID", "minimum": 0 }, "argv0": { "type": "string", "description": "First argument (argv[0])" } } }, "tcp_state": { "type": "object", "description": "TCP state change event (inet_sock_set_state tracepoint)", "required": ["type", "oldstate", "newstate", "daddr", "dport"], "properties": { "type": { "const": "tcp_state" }, "oldstate": { "type": "string", "description": "Previous TCP state", "enum": [ "ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT", "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN", "CLOSING", "NEW_SYN_RECV" ] }, "newstate": { "type": "string", "description": "New TCP state" }, "daddr": { "type": "string", "description": "Destination IP address", "oneOf": [ { "format": "ipv4" }, { "format": "ipv6" } ] }, "dport": { "type": "integer", "description": "Destination port", "minimum": 0, "maximum": 65535 }, "saddr": { "type": "string", "description": "Source IP address" }, "sport": { "type": "integer", "description": "Source port", "minimum": 0, "maximum": 65535 }, "family": { "type": "string", "description": "Address family", "enum": ["inet", "inet6"] } } }, "net_connect": { "type": "object", "description": "Network connect/accept event (libc uprobes)", "required": ["type", "addr", "port"], "properties": { "type": { "const": "net_connect" }, "fd": { 
"type": "integer", "description": "Socket file descriptor" }, "addr": { "type": "string", "description": "Remote IP address" }, "port": { "type": "integer", "description": "Remote port", "minimum": 0, "maximum": 65535 }, "success": { "type": "boolean", "description": "Whether the operation succeeded" }, "error": { "type": "integer", "description": "Error code when the operation failed" } } }, "ssl_op": { "type": "object", "description": "SSL/TLS operation event (OpenSSL uprobes)", "required": ["type", "operation"], "properties": { "type": { "const": "ssl_op" }, "operation": { "type": "string", "description": "Operation type", "enum": ["read", "write"] }, "bytes": { "type": "integer", "description": "Bytes transferred", "minimum": 0 }, "ssl_ptr": { "type": "string", "description": "SSL session pointer (hex), used to correlate operations on the same session", "pattern": "^0x[a-fA-F0-9]+$" } } }, "function_call": { "type": "object", "description": "Function call event (generic uprobe)", "required": ["type", "addr"], "properties": { "type": { "const": "function_call" }, "addr": { "type": "string", "description": "Function address (hex)", "pattern": "^0x[a-fA-F0-9]+$" }, "symbol": { "type": "string", "description": "Resolved symbol name" }, "library": { "type": "string", "description": "Library containing the function" }, "runtime": { "type": "string", "description": "Detected runtime type", "enum": ["native", "jvm", "node", "python", "dotnet", "go", "ruby"] }, "stack": { "type": "array", "description": "Call stack addresses (hex)", "items": { "type": "string", "pattern": "^0x[a-fA-F0-9]+$" } }, "node_hash": { "type": "string", "description": "Canonical node hash used to join this event to reachability data", "pattern": "^sha256:[a-f0-9]{64}$" } } } }, "examples": [ { "ts_ns": 1737890000123456789, "src": "sys_enter_openat", "pid": 2311, "tid": 2311, "cgroup_id": 12345, "comm": "nginx", "event": { "type": "file_open", "path": "/etc/ssl/certs/ca-bundle.crt", "flags": 0, "access": "read" } }, { "ts_ns": 1737890001123456789, "src": 
"inet_sock_set_state", "pid": 2311, "tid": 2315, "cgroup_id": 12345, "comm": "nginx", "event": { "type": "tcp_state", "oldstate": "SYN_SENT", "newstate": "ESTABLISHED", "daddr": "93.184.216.34", "dport": 443, "family": "inet" } }, { "ts_ns": 1737890002123456789, "src": "uprobe:SSL_write", "pid": 2311, "tid": 2315, "cgroup_id": 12345, "comm": "nginx", "event": { "type": "ssl_op", "operation": "write", "bytes": 2048, "ssl_ptr": "0x7f1234560000" } } ] }