// SPDX-License-Identifier: BUSL-1.1
// Copyright (c) 2025 StellaOps
// Sprint: SPRINT_20260122_039_Scanner_runtime_linkage_verification
// Task: RLV-001 - Define function_map Predicate Schema

using System.Text.Json.Serialization;

namespace StellaOps.Scanner.Reachability.FunctionMap;

// NOTE(review): the records in this file are plain data carriers. Nothing here checks a
// signature, compares a digest, or validates field contents, so an instance produced by
// deserialization is only as trustworthy as the verification done before it was parsed.
// Confirm that callers verify the signed envelope first and validate fields afterwards.

/// <summary>
/// Function map predicate that declares expected call-paths for a service.
/// Used for runtime→static linkage verification via eBPF observation.
///
/// This predicate serves as the "contract" that runtime observations will be verified against.
/// It is typically generated from SBOM + static analysis and signed for attestation.
/// </summary>
/// <remarks>
/// Predicate type: https://stella.ops/predicates/function-map/v1
///
/// Key concepts:
/// - Uses nodeHash recipe from witness-v1 for consistency (PURL + normalized symbol)
/// - expectedPaths defines call-paths from entrypoints to "hot functions"
/// - probeTypes specifies acceptable eBPF probe types for each function
/// - coverage.minObservationRate maps to "≥ 95% of calls witnessed" requirement
/// - optional flag handles conditional paths (feature flags, error handlers)
///
/// nodeHash, probeTypes and the optional flag belong to types that are not declared in this
/// listing; only expectedPaths and coverage are visible here.
/// </remarks>
public sealed record FunctionMapPredicate
{
    /// <summary>
    /// Predicate type URI. Defaults to FunctionMapSchema.PredicateType when not set.
    /// </summary>
    // NOTE(review): the initializer only supplies a default. Nothing in this record rejects
    // a different value, so a verifier should compare this field with the predicate type it
    // expects before acting on the payload.
    [JsonPropertyName("_type")]
    public string Type { get; init; } = FunctionMapSchema.PredicateType;

    /// <summary>
    /// Subject artifact that this function map applies to. Must be set by the initializer.
    /// </summary>
    [JsonPropertyName("subject")]
    public required FunctionMapSubject Subject { get; init; }

    /// <summary>
    /// The predicate payload containing the function map definition. Must be set by the initializer.
    /// </summary>
    [JsonPropertyName("predicate")]
    public required FunctionMapPredicatePayload Predicate { get; init; }
}

/// <summary>
/// Subject artifact for the function map.
/// </summary>
public sealed record FunctionMapSubject
{
    /// <summary>
    /// Package URL of the subject artifact.
    /// Example: "pkg:oci/myservice@sha256:abc123..."
    /// </summary>
    [JsonPropertyName("purl")]
    public required string Purl { get; init; }

    /// <summary>
    /// Digest(s) of the subject artifact.
    /// Key is algorithm (sha256, sha512), value is hex-encoded hash.
    /// </summary>
    // NOTE(review): the type is shown without generic arguments, which were probably lost when
    // the listing was rendered; the description implies string keys and string values.
    // Confirm against the original file.
    // NOTE(review): `required` only forces the property to be set. An empty map, an unknown
    // algorithm name or a malformed hex string is not rejected here, so whatever binds this
    // predicate to an artifact needs to check those before comparing digests.
    [JsonPropertyName("digest")]
    public required IReadOnlyDictionary Digest { get; init; }

    /// <summary>
    /// Optional artifact name.
    /// </summary>
    [JsonPropertyName("name")]
    public string? Name { get; init; }
}

/// <summary>
/// The main predicate payload containing function map definition.
/// </summary>
public sealed record FunctionMapPredicatePayload
{
    /// <summary>
    /// Schema version of this predicate. Defaults to FunctionMapSchema.SchemaVersion when not set.
    /// </summary>
    [JsonPropertyName("schemaVersion")]
    public string SchemaVersion { get; init; } = FunctionMapSchema.SchemaVersion;

    /// <summary>
    /// Service name that this function map applies to.
    /// </summary>
    [JsonPropertyName("service")]
    public required string Service { get; init; }

    /// <summary>
    /// Build ID or version of the service.
    /// Used to correlate with specific builds.
    /// </summary>
    [JsonPropertyName("buildId")]
    public string? BuildId { get; init; }

    /// <summary>
    /// References to source materials used to generate this function map.
    /// </summary>
    [JsonPropertyName("generatedFrom")]
    public FunctionMapGeneratedFrom? GeneratedFrom { get; init; }

    /// <summary>
    /// Expected call-paths that should be observed at runtime.
    /// </summary>
    // NOTE(review): the element type is not visible in this listing (generic argument missing,
    // presumably lost in rendering); confirm against the original file.
    // NOTE(review): an empty list satisfies `required`. Whether a map with no expected paths
    // can pass verification depends on the verifier, which is not shown here.
    [JsonPropertyName("expectedPaths")]
    public required IReadOnlyList ExpectedPaths { get; init; }

    /// <summary>
    /// Coverage thresholds for verification.
    /// </summary>
    [JsonPropertyName("coverage")]
    public required CoverageThresholds Coverage { get; init; }

    /// <summary>
    /// When this function map was generated.
    /// </summary>
    [JsonPropertyName("generatedAt")]
    public required DateTimeOffset GeneratedAt { get; init; }

    /// <summary>
    /// Optional generator tool information.
    /// </summary>
    [JsonPropertyName("generator")]
    public GeneratorInfo? Generator { get; init; }

    /// <summary>
    /// Optional metadata for extensions.
    /// </summary>
    // NOTE(review): key and value types are not visible in this listing (generic arguments
    // missing); confirm against the original file. The content is free-form, so treat values
    // read back from a received predicate as untrusted input.
    [JsonPropertyName("metadata")]
    public IReadOnlyDictionary? Metadata { get; init; }
}

/// <summary>
/// References to source materials used to generate the function map.
/// </summary>
// NOTE(review): the three *Ref properties are nullable strings. Their exact format (bare hex
// or algorithm-prefixed) is not specified in this listing, and nothing here checks that they
// are well-formed digests.
public sealed record FunctionMapGeneratedFrom
{
    /// <summary>
    /// SHA256 digest of the SBOM used.
    /// </summary>
    [JsonPropertyName("sbomRef")]
    public string? SbomRef { get; init; }

    /// <summary>
    /// SHA256 digest of the static analysis results used.
    /// </summary>
    [JsonPropertyName("staticAnalysisRef")]
    public string? StaticAnalysisRef { get; init; }

    /// <summary>
    /// SHA256 digest of the binary analysis results used.
    /// </summary>
    [JsonPropertyName("binaryAnalysisRef")]
    public string? BinaryAnalysisRef { get; init; }

    /// <summary>
    /// Hot function patterns used for filtering.
    /// </summary>
    // NOTE(review): the element type is not visible (generic argument missing), and the pattern
    // syntax (glob or regular expression) is not stated here. If consumers evaluate these as
    // regular expressions, they should bound matching time.
    [JsonPropertyName("hotFunctionPatterns")]
    public IReadOnlyList? HotFunctionPatterns { get; init; }
}

/// <summary>
/// Coverage thresholds for function map verification.
/// </summary>
public sealed record CoverageThresholds
{
    /// <summary>
    /// Minimum observation rate required for verification to pass.
    /// Value between 0.0 and 1.0 (e.g., 0.95 = 95% of expected calls must be observed).
    /// Defaults to FunctionMapSchema.DefaultMinObservationRate when not set.
    /// </summary>
    // NOTE(review): the documented 0.0-1.0 range is not enforced by this type. A value of 0,
    // a negative value or NaN would be accepted here and must be rejected by whatever
    // evaluates the threshold, or the check could pass vacuously.
    [JsonPropertyName("minObservationRate")]
    public double MinObservationRate { get; init; } = FunctionMapSchema.DefaultMinObservationRate;

    /// <summary>
    /// Observation window in seconds.
    /// Only observations within this window are considered for verification.
    /// Defaults to FunctionMapSchema.DefaultWindowSeconds when not set.
    /// </summary>
    // NOTE(review): zero and negative values are not rejected here.
    [JsonPropertyName("windowSeconds")]
    public int WindowSeconds { get; init; } = FunctionMapSchema.DefaultWindowSeconds;

    /// <summary>
    /// Minimum number of observations required before verification can succeed.
    /// Prevents false positives from low traffic periods.
    /// </summary>
    // NOTE(review): nullable with no default, so a map may omit it. How the verifier treats
    // null is not visible here; confirm that it does not mean "any count is enough".
    [JsonPropertyName("minObservationCount")]
    public int? MinObservationCount { get; init; }

    /// <summary>
    /// Whether to fail on unexpected symbols (not in the function map).
    /// When false (default), unexpected symbols are reported but don't fail verification.
    /// </summary>
    // There is no initializer, so an omitted field yields false: unexpected symbols are
    // report-only unless the map explicitly opts in to failing on them.
    [JsonPropertyName("failOnUnexpected")]
    public bool FailOnUnexpected { get; init; }
}

/// <summary>
/// Information about the tool that generated this function map.
/// All fields are optional strings and are not validated by this type.
/// </summary>
public sealed record GeneratorInfo
{
    /// <summary>
    /// Name of the generator tool.
    /// </summary>
    [JsonPropertyName("name")]
    public string? Name { get; init; }

    /// <summary>
    /// Version of the generator tool.
    /// </summary>
    [JsonPropertyName("version")]
    public string? Version { get; init; }

    /// <summary>
    /// Optional commit hash of the generator tool.
    /// </summary>
    [JsonPropertyName("commit")]
    public string? Commit { get; init; }
}