{ "$id": "https://stella.ops/schema/mirror-bundle.json", "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "MirrorBundle", "description": "Air-gap mirror bundle format for offline operation with DSSE signature support", "type": "object", "required": [ "schemaVersion", "generatedAt", "domainId", "exports" ], "properties": { "schemaVersion": { "type": "integer", "minimum": 1, "description": "Bundle schema version for compatibility" }, "generatedAt": { "type": "string", "format": "date-time", "description": "ISO-8601 timestamp of when the bundle was generated" }, "targetRepository": { "type": "string", "description": "Target OCI repository for this bundle (optional)" }, "domainId": { "type": "string", "description": "Domain identifier for bundle categorization", "examples": ["vex-advisories", "vulnerability-feeds", "policy-packs"] }, "displayName": { "type": "string", "description": "Human-readable domain display name" }, "exports": { "type": "array", "items": { "$ref": "#/$defs/BundleExport" }, "minItems": 1, "description": "Exported data sets in this bundle" } }, "$defs": { "BundleExport": { "type": "object", "required": [ "key", "format", "exportId", "createdAt", "artifactDigest" ], "properties": { "key": { "type": "string", "description": "Export identifier key", "examples": ["vex-openvex-all", "vuln-critical-cve"] }, "format": { "type": "string", "enum": ["openvex", "csaf", "cyclonedx", "spdx", "ndjson", "json"], "description": "Export data format" }, "exportId": { "type": "string", "format": "uuid", "description": "Unique export execution identifier" }, "querySignature": { "type": "string", "description": "Hash of the query parameters used for this export" }, "createdAt": { "type": "string", "format": "date-time", "description": "When this export was created" }, "artifactSizeBytes": { "type": "integer", "minimum": 0, "description": "Size of the exported artifact in bytes" }, "artifactDigest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", 
"description": "SHA-256 digest of the artifact" }, "consensusRevision": { "type": "string", "description": "Consensus revision for VEX exports" }, "policyRevisionId": { "type": "string", "description": "Policy revision ID, if a policy was applied" }, "policyDigest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "Policy content digest" }, "consensusDigest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "Consensus document digest" }, "scoreDigest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "Score document digest" }, "sourceProviders": { "type": "array", "items": { "type": "string" }, "description": "VEX providers included in this export" }, "attestation": { "$ref": "#/$defs/AttestationDescriptor", "description": "Attestation for this export, present only if the export was signed" } } }, "AttestationDescriptor": { "type": "object", "required": ["predicateType"], "properties": { "predicateType": { "type": "string", "format": "uri", "description": "in-toto predicate type URI" }, "rekorLocation": { "type": "string", "format": "uri", "description": "URI of the Sigstore Rekor transparency log entry" }, "envelopeDigest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "DSSE envelope digest" }, "signedAt": { "type": "string", "format": "date-time", "description": "When the attestation was signed" } } }, "BundleSignature": { "type": "object", "required": ["algorithm", "keyId", "signedAt"], "properties": { "path": { "type": "string", "description": "Relative path to the signature file" }, "algorithm": { "type": "string", "description": "Signing algorithm used", "examples": ["ES256", "RS256", "EdDSA"] }, "keyId": { "type": "string", "description": "Key identifier used for signing" }, "provider": { "type": "string", "description": "Crypto provider name" }, "signedAt": { "type": "string", "format": "date-time", "description": "When the bundle was signed" } } }, "BundleManifest": { "type": "object", "required": 
["schemaVersion", "generatedAt", "domainId", "bundle"], "description": "Domain manifest pointing to bundle and exports", "properties": { "schemaVersion": { "type": "integer" }, "generatedAt": { "type": "string", "format": "date-time" }, "domainId": { "type": "string" }, "displayName": { "type": "string" }, "targetRepository": { "type": "string" }, "bundle": { "$ref": "#/$defs/FileDescriptor" }, "exports": { "type": "array", "items": { "$ref": "#/$defs/ManifestExportEntry" } } } }, "FileDescriptor": { "type": "object", "required": ["path", "sizeBytes", "digest"], "properties": { "path": { "type": "string", "description": "Relative file path" }, "sizeBytes": { "type": "integer", "minimum": 0 }, "digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }, "signature": { "$ref": "#/$defs/BundleSignature" } } }, "ManifestExportEntry": { "type": "object", "required": ["key", "format", "exportId", "createdAt", "artifactDigest"], "properties": { "key": { "type": "string" }, "format": { "type": "string" }, "exportId": { "type": "string" }, "querySignature": { "type": "string" }, "createdAt": { "type": "string", "format": "date-time" }, "artifactDigest": { "type": "string" }, "artifactSizeBytes": { "type": "integer" }, "consensusRevision": { "type": "string" }, "policyRevisionId": { "type": "string" }, "policyDigest": { "type": "string" }, "consensusDigest": { "type": "string" }, "scoreDigest": { "type": "string" }, "sourceProviders": { "type": "array", "items": { "type": "string" } }, "attestation": { "$ref": "#/$defs/AttestationDescriptor" } } } }, "examples": [ { "schemaVersion": 1, "generatedAt": "2025-11-21T10:00:00Z", "targetRepository": "oci://registry.internal/stella/mirrors", "domainId": "vex-advisories", "displayName": "VEX Advisories", "exports": [ { "key": "vex-openvex-all", "format": "openvex", "exportId": "550e8400-e29b-41d4-a716-446655440000", "querySignature": "abc123def456", "createdAt": "2025-11-21T10:00:00Z", "artifactSizeBytes": 1048576, 
"artifactDigest": "sha256:7d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aee", "sourceProviders": ["anchore", "github", "redhat"], "attestation": { "predicateType": "https://stella.ops/attestation/vex-export/v1", "signedAt": "2025-11-21T10:00:01Z", "envelopeDigest": "sha256:8d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aef" } } ] } ] }