{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stella-ops.org/schemas/export-bundle-shapes.schema.json", "title": "StellaOps Export Bundle Shapes Schema", "description": "Schema for export bundle formats, hashing inputs, and airgap bundle structures. Unblocks DOCS-RISK-68-001, DOCS-RISK-68-002 (2+ tasks).", "type": "object", "definitions": { "ExportBundle": { "type": "object", "description": "Export bundle package", "required": ["bundle_id", "bundle_type", "version", "created_at", "contents"], "properties": { "bundle_id": { "type": "string", "format": "uuid" }, "bundle_type": { "type": "string", "enum": ["findings", "sbom", "vex", "risk", "compliance", "evidence", "full"], "description": "Type of export bundle" }, "version": { "type": "string", "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$" }, "format": { "type": "string", "enum": ["json", "ndjson", "csv", "xml", "cyclonedx", "spdx", "sarif"], "description": "Output format" }, "created_at": { "type": "string", "format": "date-time" }, "created_by": { "type": "string" }, "tenant_id": { "type": "string" }, "scope": { "$ref": "#/definitions/ExportScope" }, "contents": { "$ref": "#/definitions/BundleContents" }, "metadata": { "$ref": "#/definitions/BundleMetadata" }, "signatures": { "type": "array", "items": { "$ref": "#/definitions/BundleSignature" } }, "manifest_digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "SHA-256 digest of the bundle manifest, written as 'sha256:' followed by 64 lowercase hex characters" } } }, "ExportScope": { "type": "object", "description": "Scope of exported data", "properties": { "projects": { "type": "array", "items": { "type": "string" } }, "assets": { "type": "array", "items": { "type": "string" } }, "time_range": { "type": "object", "properties": { "start": { "type": "string", "format": "date-time" }, "end": { "type": "string", "format": "date-time" } } }, "severities": { "type": "array", "items": { "type": "string", "enum": ["critical", "high", "medium", "low", "info"] } }, "statuses": { "type": "array", 
"items": { "type": "string" } }, "filters": { "type": "object", "additionalProperties": true, "description": "Additional filter criteria" } } }, "BundleContents": { "type": "object", "description": "Bundle content inventory", "properties": { "files": { "type": "array", "items": { "$ref": "#/definitions/BundleFile" } }, "record_counts": { "type": "object", "additionalProperties": { "type": "integer" }, "description": "Count of records by type" }, "total_size_bytes": { "type": "integer" }, "compressed_size_bytes": { "type": "integer" }, "compression": { "type": "string", "enum": ["none", "gzip", "zstd", "lz4"] } } }, "BundleFile": { "type": "object", "description": "Individual file in bundle", "required": ["path", "digest", "size_bytes"], "properties": { "path": { "type": "string" }, "type": { "type": "string", "enum": ["data", "metadata", "schema", "signature", "index"] }, "format": { "type": "string" }, "digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }, "size_bytes": { "type": "integer" }, "record_count": { "type": "integer" }, "schema_ref": { "type": "string", "description": "Reference to schema for this file" } } }, "BundleMetadata": { "type": "object", "description": "Bundle metadata", "properties": { "export_job_id": { "type": "string" }, "source_system": { "type": "string" }, "source_version": { "type": "string" }, "export_profile": { "type": "string" }, "redaction_applied": { "type": "boolean", "default": false }, "redaction_policy": { "type": "string" }, "retention_policy": { "type": "string" }, "classification": { "type": "string", "enum": ["public", "internal", "confidential", "restricted"] }, "custom": { "type": "object", "additionalProperties": true } } }, "BundleSignature": { "type": "object", "description": "Digital signature on bundle", "required": ["signature_type", "signature"], "properties": { "signature_type": { "type": "string", "enum": ["dsse", "cosign", "gpg", "x509"] }, "signature": { "type": "string", "description": 
"Base64-encoded signature" }, "public_key": { "type": "string", "description": "Public key or key reference" }, "key_id": { "type": "string" }, "signed_at": { "type": "string", "format": "date-time" }, "signer": { "type": "string" }, "certificate_chain": { "type": "array", "items": { "type": "string" } } } }, "AirgapBundle": { "type": "object", "description": "Air-gapped export bundle for offline environments", "required": ["bundle_id", "created_at", "manifest"], "properties": { "bundle_id": { "type": "string", "format": "uuid" }, "bundle_type": { "type": "string", "const": "airgap" }, "created_at": { "type": "string", "format": "date-time" }, "valid_until": { "type": "string", "format": "date-time", "description": "Expiration for time-sensitive data" }, "manifest": { "$ref": "#/definitions/AirgapManifest" }, "advisory_data": { "$ref": "#/definitions/AdvisoryBundle" }, "risk_data": { "$ref": "#/definitions/RiskBundle" }, "policy_data": { "$ref": "#/definitions/PolicyBundle" }, "time_anchor": { "$ref": "#/definitions/TimeAnchor" }, "aggregate_digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" } } }, "AirgapManifest": { "type": "object", "description": "Manifest of airgap bundle contents", "required": ["version", "files"], "properties": { "version": { "type": "string" }, "format_version": { "type": "string", "const": "1.0" }, "files": { "type": "array", "items": { "$ref": "#/definitions/BundleFile" } }, "dependencies": { "type": "array", "items": { "type": "object", "properties": { "bundle_id": { "type": "string" }, "required": { "type": "boolean" } } } } } }, "AdvisoryBundle": { "type": "object", "description": "Advisory data for airgap bundle", "properties": { "sources": { "type": "array", "items": { "type": "string" }, "description": "Advisory sources included (NVD, OSV, etc.)" }, "advisory_count": { "type": "integer" }, "cve_count": { "type": "integer" }, "last_sync": { "type": "string", "format": "date-time" }, "file_ref": { "type": "string", 
"description": "Path to advisory data file" }, "digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" } } }, "RiskBundle": { "type": "object", "description": "Risk scoring data for airgap bundle", "properties": { "profiles": { "type": "array", "items": { "type": "string" }, "description": "Risk profiles included" }, "epss_data": { "type": "object", "properties": { "version": { "type": "string" }, "date": { "type": "string", "format": "date" }, "record_count": { "type": "integer" } } }, "kev_data": { "type": "object", "properties": { "version": { "type": "string" }, "date": { "type": "string", "format": "date" }, "record_count": { "type": "integer" } } }, "file_ref": { "type": "string" }, "digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" } } }, "PolicyBundle": { "type": "object", "description": "Policy data for airgap bundle", "properties": { "policy_packs": { "type": "array", "items": { "type": "object", "properties": { "pack_id": { "type": "string" }, "version": { "type": "string" }, "digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" } } } }, "file_ref": { "type": "string" }, "digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" } } }, "TimeAnchor": { "type": "object", "description": "Time anchor for bundle validity", "required": ["anchor_time", "source"], "properties": { "anchor_time": { "type": "string", "format": "date-time" }, "source": { "type": "string", "enum": ["ntp", "tsa", "rekor", "manual"] }, "tsa_response": { "type": "string", "description": "RFC 3161 timestamp response (base64)" }, "rekor_entry": { "type": "string", "description": "Rekor transparency log entry ID" }, "drift_tolerance": { "type": "string", "description": "Acceptable clock drift (e.g., 1h)" } } }, "HashingInputs": { "type": "object", "description": "Inputs used for deterministic hashing. Note: the computed_digest pattern accepts only 'sha256:' followed by 64 lowercase hex characters, so a digest produced with sha384 or sha512 does not validate in that field.", "required": ["algorithm", "inputs"], "properties": { "algorithm": { "type": "string", "enum": ["sha256", "sha384", "sha512"], "default": "sha256" }, 
"inputs": { "type": "array", "items": { "$ref": "#/definitions/HashInput" }, "description": "Ordered list of inputs for hash computation" }, "canonicalization": { "type": "string", "enum": ["none", "json-canonical", "xml-c14n"], "description": "Canonicalization method before hashing" }, "encoding": { "type": "string", "enum": ["utf8", "base64"], "default": "utf8" }, "computed_digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" } } }, "HashInput": { "type": "object", "description": "Single input for hash computation", "required": ["type", "value"], "properties": { "type": { "type": "string", "enum": ["file", "field", "literal", "nested_digest"] }, "path": { "type": "string", "description": "File path or JSON path" }, "value": { "type": "string", "description": "Literal value or computed digest" }, "order": { "type": "integer", "description": "Order in hash computation" } } }, "ExportProfile": { "type": "object", "description": "Export profile configuration", "required": ["profile_id", "name", "bundle_type"], "properties": { "profile_id": { "type": "string" }, "name": { "type": "string" }, "description": { "type": "string" }, "bundle_type": { "type": "string", "enum": ["findings", "sbom", "vex", "risk", "compliance", "evidence", "full"] }, "format": { "type": "string" }, "scope_defaults": { "$ref": "#/definitions/ExportScope" }, "include_signatures": { "type": "boolean", "default": true }, "compression": { "type": "string", "enum": ["none", "gzip", "zstd"] }, "redaction_policy": { "type": "string" }, "retention_days": { "type": "integer" }, "schedule": { "type": "object", "properties": { "enabled": { "type": "boolean" }, "cron": { "type": "string" }, "destination": { "type": "string" } } } } } }, "properties": { "export_profiles": { "type": "array", "items": { "$ref": "#/definitions/ExportProfile" } }, "bundle_schemas": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Schema references by bundle type" } }, "examples": [ { 
"export_profiles": [ { "profile_id": "findings-weekly", "name": "Weekly Findings Export", "description": "Weekly export of all findings for compliance reporting", "bundle_type": "findings", "format": "ndjson", "scope_defaults": { "time_range": { "start": "{{now-7d}}", "end": "{{now}}" }, "severities": ["critical", "high", "medium"] }, "include_signatures": true, "compression": "gzip", "redaction_policy": "pii-removal", "retention_days": 90, "schedule": { "enabled": true, "cron": "0 0 * * 0", "destination": "s3://exports/weekly/" } }, { "profile_id": "airgap-full", "name": "Air-Gap Full Bundle", "description": "Complete bundle for air-gapped environments", "bundle_type": "full", "format": "json", "include_signatures": true, "compression": "zstd" } ], "bundle_schemas": { "findings": "https://stella-ops.org/schemas/findings-bundle.schema.json", "sbom": "https://cyclonedx.org/schema/bom-1.6.schema.json", "vex": "https://stella-ops.org/schemas/vex-normalization.schema.json" } } ] }