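//
// SPDX-License-Identifier: AGPL-3.0-or-later
// Sprint: SPRINT_20260112_014_CLI_witness_commands (CLI-WIT-001)
//

using System.Text.Json.Serialization;

namespace StellaOps.Cli.Services.Models;

/// <summary>
/// Request for listing witnesses.
/// </summary>
/// <remarks>
/// Every filter is optional. No property carries a JSON name attribute, so how these values
/// reach the service is decided by the calling code, not by this type.
/// </remarks>
public sealed record WitnessListRequest
{
    /// <summary>
    /// Filter by scan ID.
    /// </summary>
    public string? ScanId { get; init; }

    /// <summary>
    /// Filter by vulnerability ID (e.g., CVE-2024-1234).
    /// </summary>
    public string? VulnerabilityId { get; init; }

    /// <summary>
    /// Filter by component PURL.
    /// </summary>
    public string? ComponentPurl { get; init; }

    /// <summary>
    /// Filter by predicate type.
    /// </summary>
    public string? PredicateType { get; init; }

    /// <summary>
    /// Maximum number of results.
    /// </summary>
    /// <remarks>
    /// Not range-checked here; zero or negative values pass through unchanged.
    /// </remarks>
    public int? Limit { get; init; }

    /// <summary>
    /// Continuation token for pagination.
    /// </summary>
    /// <remarks>
    /// NOTE(review): presumably the <see cref="WitnessListResponse.ContinuationToken"/> of a
    /// previous page, passed back unchanged - confirm.
    /// </remarks>
    public string? ContinuationToken { get; init; }

    /// <summary>
    /// Tenant ID.
    /// </summary>
    /// <remarks>
    /// Caller-supplied selector only. NOTE(review): tenant isolation presumably has to be
    /// enforced by the service from the authenticated identity rather than from this value -
    /// confirm.
    /// </remarks>
    public string? TenantId { get; init; }
}

/// <summary>
/// Response for listing witnesses.
/// </summary>
public sealed record WitnessListResponse
{
    /// <summary>
    /// List of witness summaries.
    /// </summary>
    /// <remarks>
    /// Defaults to an empty list, so the property is non-null when the field is absent.
    /// </remarks>
    [JsonPropertyName("witnesses")]
    public IReadOnlyList<WitnessSummary> Witnesses { get; init; } = [];

    /// <summary>
    /// Continuation token for next page.
    /// </summary>
    [JsonPropertyName("continuation_token")]
    public string? ContinuationToken { get; init; }

    /// <summary>
    /// Total count of matching witnesses.
    /// </summary>
    [JsonPropertyName("total_count")]
    public int TotalCount { get; init; }
}

/// <summary>
/// Summary of a witness for list views.
/// </summary>
public sealed record WitnessSummary
{
    /// <summary>
    /// Content-addressed witness ID.
    /// </summary>
    [JsonPropertyName("witness_id")]
    public required string WitnessId { get; init; }

    /// <summary>
    /// Vulnerability ID.
    /// </summary>
    [JsonPropertyName("vulnerability_id")]
    public string? VulnerabilityId { get; init; }

    /// <summary>
    /// Component PURL.
    /// </summary>
    [JsonPropertyName("component_purl")]
    public string? ComponentPurl { get; init; }

    /// <summary>
    /// Entrypoint name.
    /// </summary>
    [JsonPropertyName("entrypoint")]
    public string? Entrypoint { get; init; }

    /// <summary>
    /// Sink symbol.
    /// </summary>
    [JsonPropertyName("sink")]
    public string? Sink { get; init; }

    /// <summary>
    /// Path length.
    /// </summary>
    [JsonPropertyName("path_length")]
    public int PathLength { get; init; }

    /// <summary>
    /// Predicate type URI.
    /// </summary>
    [JsonPropertyName("predicate_type")]
    public string? PredicateType { get; init; }

    /// <summary>
    /// Whether the witness has a valid DSSE signature.
    /// </summary>
    /// <remarks>
    /// The value is whatever the list response reports; nothing in this model checks a
    /// signature. NOTE(review): for a trust decision, presumably
    /// <see cref="WitnessVerifyResponse"/> is the result to rely on - confirm.
    /// </remarks>
    [JsonPropertyName("is_signed")]
    public bool IsSigned { get; init; }

    /// <summary>
    /// When the witness was created.
    /// </summary>
    [JsonPropertyName("created_at")]
    public DateTimeOffset CreatedAt { get; init; }
}

/// <summary>
/// Detailed witness response.
/// </summary>
/// <remarks>
/// Plain data carrier: the type does not recompute <see cref="WitnessId"/> or
/// <see cref="PathHash"/> from the content and does not verify <see cref="DsseEnvelope"/>.
/// </remarks>
public sealed record WitnessDetailResponse
{
    /// <summary>
    /// Schema version.
    /// </summary>
    [JsonPropertyName("witness_schema")]
    public string? WitnessSchema { get; init; }

    /// <summary>
    /// Content-addressed witness ID.
    /// </summary>
    [JsonPropertyName("witness_id")]
    public required string WitnessId { get; init; }

    /// <summary>
    /// Artifact information.
    /// </summary>
    [JsonPropertyName("artifact")]
    public WitnessArtifactInfo? Artifact { get; init; }

    /// <summary>
    /// Vulnerability information.
    /// </summary>
    [JsonPropertyName("vuln")]
    public WitnessVulnInfo? Vuln { get; init; }

    /// <summary>
    /// Entrypoint information.
    /// </summary>
    [JsonPropertyName("entrypoint")]
    public WitnessEntrypointInfo? Entrypoint { get; init; }

    /// <summary>
    /// Call path from entrypoint to sink.
    /// </summary>
    [JsonPropertyName("path")]
    public IReadOnlyList<WitnessPathStep>? Path { get; init; }

    /// <summary>
    /// Sink information.
    /// </summary>
    [JsonPropertyName("sink")]
    public WitnessSinkInfo? Sink { get; init; }

    /// <summary>
    /// Detected gates along the path.
    /// </summary>
    [JsonPropertyName("gates")]
    public IReadOnlyList<WitnessGateInfo>? Gates { get; init; }

    /// <summary>
    /// Evidence digests.
    /// </summary>
    [JsonPropertyName("evidence")]
    public WitnessEvidenceInfo? Evidence { get; init; }

    /// <summary>
    /// When the witness was observed.
    /// </summary>
    [JsonPropertyName("observed_at")]
    public DateTimeOffset ObservedAt { get; init; }

    /// <summary>
    /// Path hash for deterministic joining.
    /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash
    /// </summary>
    [JsonPropertyName("path_hash")]
    public string? PathHash { get; init; }

    /// <summary>
    /// Top-K node hashes along the path.
    /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash
    /// </summary>
    /// <remarks>
    /// NOTE(review): element type taken to be string, like <see cref="PathHash"/> - confirm
    /// against the service schema.
    /// </remarks>
    [JsonPropertyName("node_hashes")]
    public IReadOnlyList<string>? NodeHashes { get; init; }

    /// <summary>
    /// Evidence URIs for traceability.
    /// </summary>
    /// <remarks>
    /// Held as plain strings; no URI parsing or scheme check happens in this type.
    /// NOTE(review): element type taken to be string - confirm against the service schema.
    /// </remarks>
    [JsonPropertyName("evidence_uris")]
    public IReadOnlyList<string>? EvidenceUris { get; init; }

    /// <summary>
    /// Predicate type URI.
    /// </summary>
    [JsonPropertyName("predicate_type")]
    public string? PredicateType { get; init; }

    /// <summary>
    /// DSSE envelope if signed.
    /// </summary>
    /// <remarks>
    /// A non-null envelope only shows that one was returned, not that its signatures verify.
    /// </remarks>
    [JsonPropertyName("dsse_envelope")]
    public WitnessDsseEnvelope? DsseEnvelope { get; init; }
}

/// <summary>
/// Artifact information in a witness.
/// </summary>
public sealed record WitnessArtifactInfo
{
    /// <summary>SBOM digest (JSON <c>sbom_digest</c>).</summary>
    [JsonPropertyName("sbom_digest")]
    public string? SbomDigest { get; init; }

    /// <summary>Component PURL (JSON <c>component_purl</c>).</summary>
    [JsonPropertyName("component_purl")]
    public string? ComponentPurl { get; init; }
}

/// <summary>
/// Vulnerability information in a witness.
/// </summary>
public sealed record WitnessVulnInfo
{
    /// <summary>Vulnerability ID (JSON <c>id</c>).</summary>
    [JsonPropertyName("id")]
    public string? Id { get; init; }

    /// <summary>Source of the vulnerability record (JSON <c>source</c>).</summary>
    [JsonPropertyName("source")]
    public string? Source { get; init; }

    /// <summary>Affected range (JSON <c>affected_range</c>).</summary>
    [JsonPropertyName("affected_range")]
    public string? AffectedRange { get; init; }
}

/// <summary>
/// Entrypoint information in a witness.
/// </summary>
public sealed record WitnessEntrypointInfo
{
    /// <summary>Entrypoint kind (JSON <c>kind</c>).</summary>
    [JsonPropertyName("kind")]
    public string? Kind { get; init; }

    /// <summary>Entrypoint name (JSON <c>name</c>).</summary>
    [JsonPropertyName("name")]
    public string? Name { get; init; }

    /// <summary>Symbol ID of the entrypoint (JSON <c>symbol_id</c>).</summary>
    [JsonPropertyName("symbol_id")]
    public string? SymbolId { get; init; }
}

/// <summary>
/// A step in the call path.
/// </summary>
public sealed record WitnessPathStep
{
    /// <summary>Symbol at this step (JSON <c>symbol</c>).</summary>
    [JsonPropertyName("symbol")]
    public string? Symbol { get; init; }

    /// <summary>Symbol ID at this step (JSON <c>symbol_id</c>).</summary>
    [JsonPropertyName("symbol_id")]
    public string? SymbolId { get; init; }

    /// <summary>File reported for this step (JSON <c>file</c>).</summary>
    [JsonPropertyName("file")]
    public string? File { get; init; }

    /// <summary>Line reported for this step (JSON <c>line</c>); null when absent.</summary>
    [JsonPropertyName("line")]
    public int? Line { get; init; }
}

/// <summary>
/// Sink information in a witness.
/// </summary>
public sealed record WitnessSinkInfo
{
    /// <summary>Sink symbol (JSON <c>symbol</c>).</summary>
    [JsonPropertyName("symbol")]
    public string? Symbol { get; init; }

    /// <summary>Sink symbol ID (JSON <c>symbol_id</c>).</summary>
    [JsonPropertyName("symbol_id")]
    public string? SymbolId { get; init; }

    /// <summary>Sink type (JSON <c>sink_type</c>).</summary>
    [JsonPropertyName("sink_type")]
    public string? SinkType { get; init; }
}

/// <summary>
/// Gate (guard/control) information in a witness.
/// </summary>
public sealed record WitnessGateInfo
{
    /// <summary>Gate type (JSON <c>type</c>).</summary>
    [JsonPropertyName("type")]
    public string? Type { get; init; }

    /// <summary>Guard symbol (JSON <c>guard_symbol</c>).</summary>
    [JsonPropertyName("guard_symbol")]
    public string? GuardSymbol { get; init; }

    /// <summary>Confidence reported for the gate (JSON <c>confidence</c>).</summary>
    /// <remarks>
    /// NOTE(review): the value range is not fixed by this type (presumably 0 to 1) - confirm.
    /// Defaults to 0 when the field is absent, which cannot be told apart from a reported 0.
    /// </remarks>
    [JsonPropertyName("confidence")]
    public double Confidence { get; init; }

    /// <summary>Free-form detail (JSON <c>detail</c>).</summary>
    [JsonPropertyName("detail")]
    public string? Detail { get; init; }
}

/// <summary>
/// Evidence information in a witness.
/// </summary>
public sealed record WitnessEvidenceInfo
{
    /// <summary>Call graph digest (JSON <c>callgraph_digest</c>).</summary>
    [JsonPropertyName("callgraph_digest")]
    public string? CallgraphDigest { get; init; }

    /// <summary>Surface digest (JSON <c>surface_digest</c>).</summary>
    [JsonPropertyName("surface_digest")]
    public string? SurfaceDigest { get; init; }

    /// <summary>Analysis configuration digest (JSON <c>analysis_config_digest</c>).</summary>
    [JsonPropertyName("analysis_config_digest")]
    public string? AnalysisConfigDigest { get; init; }

    /// <summary>Build ID (JSON <c>build_id</c>).</summary>
    [JsonPropertyName("build_id")]
    public string? BuildId { get; init; }
}

/// <summary>
/// DSSE envelope information.
/// </summary>
/// <remarks>
/// NOTE(review): the DSSE specification spells the envelope field <c>payloadType</c>, while
/// this model reads <c>payload_type</c>. The JSON is therefore presumably the service's own
/// projection rather than a byte-for-byte DSSE envelope - confirm before handing it to an
/// external DSSE verifier.
/// </remarks>
public sealed record WitnessDsseEnvelope
{
    /// <summary>Payload type (JSON <c>payload_type</c>).</summary>
    /// <remarks>
    /// In DSSE the signature covers the payload type together with the payload, so a consumer
    /// that verifies the envelope should also compare this value with the type it expects.
    /// </remarks>
    [JsonPropertyName("payload_type")]
    public string? PayloadType { get; init; }

    /// <summary>Payload (JSON <c>payload</c>).</summary>
    /// <remarks>
    /// NOTE(review): presumably base64-encoded as in DSSE - confirm. Not decoded here.
    /// </remarks>
    [JsonPropertyName("payload")]
    public string? Payload { get; init; }

    /// <summary>Signatures attached to the envelope (JSON <c>signatures</c>).</summary>
    [JsonPropertyName("signatures")]
    public IReadOnlyList<WitnessDsseSignature>? Signatures { get; init; }
}

/// <summary>
/// DSSE signature information.
/// </summary>
public sealed record WitnessDsseSignature
{
    /// <summary>Key ID (JSON <c>keyid</c>).</summary>
    /// <remarks>
    /// In DSSE the key ID is an unauthenticated lookup hint that the signature does not cover,
    /// so it identifies a candidate key and says nothing about who signed.
    /// </remarks>
    [JsonPropertyName("keyid")]
    public string? KeyId { get; init; }

    /// <summary>Signature value (JSON <c>sig</c>).</summary>
    [JsonPropertyName("sig")]
    public string? Signature { get; init; }
}

/// <summary>
/// Response for witness verification.
/// </summary>
public sealed record WitnessVerifyResponse
{
    /// <summary>
    /// Whether verification succeeded.
    /// </summary>
    /// <remarks>
    /// The criteria behind this flag are applied by the service and are not visible in this
    /// model; <see cref="Dsse"/> and <see cref="ContentHash"/> carry the breakdown. Defaults to
    /// <c>false</c> when the field is absent.
    /// </remarks>
    [JsonPropertyName("verified")]
    public bool Verified { get; init; }

    /// <summary>
    /// Verification status code.
    /// </summary>
    [JsonPropertyName("status")]
    public string? Status { get; init; }

    /// <summary>
    /// Detailed verification message.
    /// </summary>
    [JsonPropertyName("message")]
    public string? Message { get; init; }

    /// <summary>
    /// DSSE verification details.
    /// </summary>
    [JsonPropertyName("dsse")]
    public WitnessDsseVerifyInfo? Dsse { get; init; }

    /// <summary>
    /// Content hash verification.
    /// </summary>
    [JsonPropertyName("content_hash")]
    public WitnessContentHashInfo? ContentHash { get; init; }

    /// <summary>
    /// Verification timestamp.
    /// </summary>
    [JsonPropertyName("verified_at")]
    public DateTimeOffset VerifiedAt { get; init; }
}

/// <summary>
/// DSSE verification details.
/// </summary>
public sealed record WitnessDsseVerifyInfo
{
    /// <summary>Whether the envelope was reported valid (JSON <c>envelope_valid</c>).</summary>
    [JsonPropertyName("envelope_valid")]
    public bool EnvelopeValid { get; init; }

    /// <summary>Number of signatures reported (JSON <c>signature_count</c>).</summary>
    [JsonPropertyName("signature_count")]
    public int SignatureCount { get; init; }

    /// <summary>Number of signatures reported valid (JSON <c>valid_signatures</c>).</summary>
    /// <remarks>
    /// NOTE(review): presumably never above <see cref="SignatureCount"/>, and zero presumably
    /// means that no signature verified even when <see cref="EnvelopeValid"/> is true - confirm.
    /// </remarks>
    [JsonPropertyName("valid_signatures")]
    public int ValidSignatures { get; init; }

    /// <summary>Signer identities reported (JSON <c>signer_identities</c>).</summary>
    /// <remarks>
    /// NOTE(review): element type taken to be string - confirm against the service schema.
    /// </remarks>
    [JsonPropertyName("signer_identities")]
    public IReadOnlyList<string>? SignerIdentities { get; init; }

    /// <summary>Predicate type reported (JSON <c>predicate_type</c>).</summary>
    [JsonPropertyName("predicate_type")]
    public string? PredicateType { get; init; }
}

/// <summary>
/// Content hash verification details.
/// </summary>
public sealed record WitnessContentHashInfo
{
    /// <summary>Expected hash (JSON <c>expected</c>).</summary>
    [JsonPropertyName("expected")]
    public string? Expected { get; init; }

    /// <summary>Actual hash (JSON <c>actual</c>).</summary>
    [JsonPropertyName("actual")]
    public string? Actual { get; init; }

    /// <summary>Whether the hashes were reported as matching (JSON <c>match</c>).</summary>
    /// <remarks>
    /// Taken from the response as-is; this type does not compare <see cref="Expected"/> with
    /// <see cref="Actual"/>.
    /// </remarks>
    [JsonPropertyName("match")]
    public bool Match { get; init; }
}

/// <summary>
/// Export format for witnesses.
/// </summary>
/// <remarks>
/// Only <see cref="Dsse"/> is described as signed. NOTE(review): presumably the other formats
/// carry no signature of their own - confirm.
/// </remarks>
public enum WitnessExportFormat
{
    /// <summary>
    /// Raw JSON witness payload.
    /// </summary>
    Json,

    /// <summary>
    /// DSSE-signed envelope.
    /// </summary>
    Dsse,

    /// <summary>
    /// SARIF format.
    /// </summary>
    Sarif
}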