{ "$id": "https://stella.ops/schema/provenance-feed.json", "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "ProvenanceFeed", "description": "SGSI0101 provenance feed contract for runtime facts and signal ingestion with attestation support", "type": "object", "required": [ "schemaVersion", "feedId", "feedType", "generatedAt", "records" ], "properties": { "schemaVersion": { "type": "integer", "const": 1, "description": "Schema version for compatibility checks (fixed at 1 for this contract)" }, "feedId": { "type": "string", "format": "uuid", "description": "Unique feed generation identifier" }, "feedType": { "type": "string", "enum": [ "RUNTIME_FACTS", "SIGNAL_ENRICHMENT", "CAS_PROMOTION", "SCORING_OUTPUT", "AUTHORITY_SCOPES" ], "description": "Type of provenance feed" }, "generatedAt": { "type": "string", "format": "date-time", "description": "ISO-8601 timestamp of feed generation" }, "sourceService": { "type": "string", "description": "Service that generated this feed", "examples": ["scanner-worker", "signal-aggregator", "cas-promoter"] }, "tenantId": { "type": "string", "description": "Tenant scope for multi-tenant isolation" }, "correlationId": { "type": "string", "description": "Correlation ID for tracing across services" }, "records": { "type": "array", "items": { "$ref": "#/$defs/ProvenanceRecord" }, "description": "Provenance records in this feed" }, "metadata": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional feed metadata as string key/value pairs" }, "attestation": { "$ref": "#/$defs/FeedAttestation", "description": "Attestation covering this feed" } }, "$defs": { "ProvenanceRecord": { "type": "object", "required": ["recordId", "recordType", "subject", "occurredAt"], "properties": { "recordId": { "type": "string", "format": "uuid", "description": "Unique record identifier" }, "recordType": { "type": "string", "description": "Type of provenance record", "examples": [ "runtime.process.observed", "runtime.network.connection", "runtime.file.access", 
"signal.cache.available", "signal.enrichment.applied", "cas.promotion.completed", "scoring.output.generated" ] }, "subject": { "$ref": "#/$defs/ProvenanceSubject", "description": "Subject of this provenance record" }, "occurredAt": { "type": "string", "format": "date-time", "description": "When this event occurred" }, "observedBy": { "type": "string", "description": "Agent or sensor that observed this event" }, "confidence": { "type": "number", "minimum": 0, "maximum": 1, "description": "Confidence score (0.0 - 1.0)" }, "facts": { "type": "object", "additionalProperties": true, "description": "Free-form facts specific to the recordType; any properties are allowed" }, "evidence": { "$ref": "#/$defs/RecordEvidence", "description": "Evidence supporting this record" } } }, "ProvenanceSubject": { "type": "object", "required": ["type", "identifier"], "properties": { "type": { "type": "string", "enum": ["CONTAINER", "PROCESS", "PACKAGE", "FILE", "NETWORK", "IMAGE"], "description": "Type of subject" }, "identifier": { "type": "string", "description": "Subject identifier (image ref, package PURL, etc.)" }, "digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "sha256 content digest of the subject, when applicable" }, "namespace": { "type": "string", "description": "Namespace context (k8s namespace, etc.)" } } }, "RecordEvidence": { "type": "object", "properties": { "sourceDigest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "sha256 digest of the evidence source" }, "captureMethod": { "type": "string", "enum": ["eBPF", "PROC_SCAN", "API_CALL", "LOG_ANALYSIS", "STATIC_ANALYSIS"], "description": "How evidence was captured" }, "rawDataRef": { "type": "string", "format": "uri", "description": "URI referencing the raw evidence data" } } }, "FeedAttestation": { "type": "object", "required": ["predicateType", "signedAt"], "properties": { "predicateType": { "type": "string", "format": "uri", "description": "in-toto predicate type URI", "examples": ["https://stella.ops/attestation/provenance-feed/v1"] }, 
"signedAt": { "type": "string", "format": "date-time", "description": "When the attestation was signed" }, "keyId": { "type": "string", "description": "Identifier of the key that signed this attestation" }, "envelopeDigest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "sha256 digest of the DSSE envelope" }, "transparencyLog": { "type": "string", "format": "uri", "description": "URI of the transparency log entry (e.g. Rekor)" } } } }, "examples": [ { "schemaVersion": 1, "feedId": "550e8400-e29b-41d4-a716-446655440000", "feedType": "RUNTIME_FACTS", "generatedAt": "2025-11-21T10:00:00Z", "sourceService": "scanner-worker", "tenantId": "acme-corp", "correlationId": "scan-job-12345", "records": [ { "recordId": "660e8400-e29b-41d4-a716-446655440001", "recordType": "runtime.process.observed", "subject": { "type": "CONTAINER", "identifier": "registry.example.com/app:v1.2.3", "digest": "sha256:7d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aee" }, "occurredAt": "2025-11-21T09:55:00Z", "observedBy": "ebpf-agent", "confidence": 0.95, "facts": { "processName": "python3", "execPath": "/usr/bin/python3", "loadedLibraries": ["libssl.so.1.1", "libcrypto.so.1.1"] }, "evidence": { "captureMethod": "eBPF", "rawDataRef": "s3://evidence-bucket/runtime/12345.json" } } ], "attestation": { "predicateType": "https://stella.ops/attestation/provenance-feed/v1", "signedAt": "2025-11-21T10:00:01Z", "keyId": "scanner-signing-key-001" } } ] }