# Predicate Schema: stella.ops/federatedConsent@v1

## Overview

This predicate type represents a consent attestation for federated telemetry participation. A valid consent proof must exist before any telemetry data can be aggregated and shared with federation peers.

## Predicate Type

```
stella.ops/federatedConsent@v1
```

## Schema

```json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "required": ["tenantId", "grantedBy", "grantedAt", "type"],
  "properties": {
    "tenantId": {
      "type": "string",
      "description": "Identifier of the tenant granting consent"
    },
    "grantedBy": {
      "type": "string",
      "description": "Identity of the actor who granted consent (email or service account)"
    },
    "grantedAt": {
      "type": "string",
      "format": "date-time",
      "description": "UTC timestamp when consent was granted"
    },
    "expiresAt": {
      "type": ["string", "null"],
      "format": "date-time",
      "description": "Optional expiry timestamp; null means consent has no TTL"
    },
    "type": {
      "type": "string",
      "const": "stella.ops/federatedConsent@v1"
    }
  }
}
```

## Consent Lifecycle States

| State | Description | Transition |
|-------|-------------|------------|
| Not Granted | Default state; no federation data shared | -> Granted (via POST /consent/grant) |
| Granted | Active consent; federation data flows | -> Revoked (via POST /consent/revoke) or -> Expired (TTL) |
| Expired | TTL-based automatic revocation | -> Granted (re-grant) |
| Revoked | Explicit admin revocation | -> Granted (re-grant) |

## Validation Rules

1. `tenantId` must be non-empty and match the requesting tenant.
2. `grantedBy` must be a valid identity string.
3. `grantedAt` must be a valid UTC timestamp not in the future.
4. If `expiresAt` is set, it must be after `grantedAt`.
5. The consent proof is DSSE-signed; the digest is stored as `sha256:`.

## Example Payload

```json
{
  "tenantId": "org-acme-production",
  "grantedBy": "admin@acme.com",
  "grantedAt": "2026-02-20T10:00:00Z",
  "expiresAt": "2026-03-20T10:00:00Z",
  "type": "stella.ops/federatedConsent@v1"
}
```
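
Validation rules 1 to 4 above, applied to the example payload, as an added example that is not part of the Stella Ops code base. The names `validate_consent` and `parse_utc` are hypothetical, rule 2 is approximated as "non-blank string" because the page does not define a valid identity, and rule 5 (DSSE signature verification) is out of scope here.

```python
from datetime import datetime, timedelta, timezone

PREDICATE_TYPE = "stella.ops/federatedConsent@v1"
REQUIRED = ("tenantId", "grantedBy", "grantedAt", "type")


def parse_utc(value):
    """Parse an RFC 3339 timestamp; return None unless it is a UTC instant."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, TypeError, ValueError):  # non-string or malformed
        return None
    if parsed.utcoffset() != timedelta(0):  # naive or non-UTC offset
        return None
    return parsed


def validate_consent(predicate, requesting_tenant, now=None):
    """Return a list of rule violations; an empty list means the payload passes."""
    now = now or datetime.now(timezone.utc)
    errors = [f"missing required field: {k}" for k in REQUIRED if k not in predicate]
    if predicate.get("type") != PREDICATE_TYPE:
        errors.append("type must equal " + PREDICATE_TYPE)
    tenant = predicate.get("tenantId")
    if not isinstance(tenant, str) or not tenant or tenant != requesting_tenant:
        errors.append("rule 1: tenantId empty or not the requesting tenant")
    granted_by = predicate.get("grantedBy")
    # Assumption: the page does not define "valid identity"; require non-blank text.
    if not isinstance(granted_by, str) or not granted_by.strip():
        errors.append("rule 2: grantedBy is not a valid identity string")
    granted_at = parse_utc(predicate.get("grantedAt"))
    if granted_at is None or granted_at > now:
        errors.append("rule 3: grantedAt is not a UTC timestamp or is in the future")
    expires_raw = predicate.get("expiresAt")
    if expires_raw is not None:  # null or absent means consent has no TTL
        expires_at = parse_utc(expires_raw)
        if expires_at is None or granted_at is None or expires_at <= granted_at:
            errors.append("rule 4: expiresAt must be after grantedAt")
    return errors


# The page's example payload, checked against a constructed "now".
EXAMPLE = {
    "tenantId": "org-acme-production", "grantedBy": "admin@acme.com",
    "grantedAt": "2026-02-20T10:00:00Z", "expiresAt": "2026-03-20T10:00:00Z",
    "type": PREDICATE_TYPE,
}
NOW = datetime(2026, 2, 21, tzinfo=timezone.utc)
```

Passing the authenticated tenant as `requesting_tenant`, rather than trusting the `tenantId` in the payload, is what keeps one tenant from submitting consent on behalf of another.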