{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stella.ops/predicates/boundary@v1", "title": "StellaOps Boundary Attestation Predicate", "description": "Attestation predicate describing an observed attack-surface boundary: its surface type, exposure level and observation time, plus optional endpoints, authentication and security controls.", "type": "object", "required": ["surface", "exposure", "observedAt"], "properties": { "surface": { "type": "string", "enum": ["http", "grpc", "tcp", "udp", "mqtt", "kafka", "cli", "internal"], "description": "Type of attack surface." }, "exposure": { "type": "string", "enum": ["public", "private", "internal", "localhost"], "description": "Exposure level of the surface." }, "observedAt": { "type": "string", "format": "date-time", "description": "Timestamp at which the boundary was observed." }, "endpoints": { "type": "array", "items": { "$ref": "#/$defs/endpoint" }, "description": "Detected endpoints on this surface." }, "auth": { "type": "object", "properties": { "mechanism": { "type": "string", "enum": ["none", "apikey", "jwt", "oauth2", "mtls", "basic"], "description": "Authentication mechanism." }, "required_scopes": { "type": "array", "items": { "type": "string" }, "description": "Required authorization scopes." } }, "description": "Authentication configuration for this surface. Neither property is required, so consumers should handle a missing mechanism explicitly." }, "controls": { "type": "array", "items": { "type": "string" }, "description": "Security controls in place (e.g., rate-limit, WAF)." }, "expiresAt": { "type": "string", "format": "date-time", "description": "Timestamp at which this boundary observation expires (TTL: 72h)." } }, "$defs": { "endpoint": { "type": "object", "required": ["route", "method"], "properties": { "route": { "type": "string", "description": "Route pattern (e.g., /api/users/:id)." }, "method": { "type": "string", "enum": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"], "description": "HTTP method." }, "auth": { "type": "string", "description": "Authentication requirement for this endpoint (free-form string)." } } } }, "additionalProperties": false }