git.stella-ops.org/docs/schemas/tte-event.schema.json

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://stella-ops.org/schemas/tte-event.schema.json",
  "title": "Time-to-Evidence (TTE) Telemetry Event",
  "description": "Schema for tracking time-to-evidence metrics across triage workflows (TTE1-TTE10)",
  "type": "object",
  "required": [
    "schema_version",
    "event_type",
    "timestamp",
    "tenant_id",
    "correlation_id",
    "phase",
    "elapsed_ms"
  ],
  "properties": {
    "schema_version": {
      "type": "string",
      "pattern": "^v[0-9]+\\.[0-9]+$",
      "description": "Schema version (e.g., v1.0)",
      "examples": ["v1.0"]
    },
    "event_type": {
      "type": "string",
      "enum": [
        "tte.phase.started",
        "tte.phase.completed",
        "tte.phase.failed",
        "tte.phase.timeout",
        "tte.evidence.attached",
        "tte.evidence.verified",
        "tte.decision.made",
        "tte.slo.breach"
      ],
      "description": "Type of TTE event"
    },
    "timestamp": {
      "type": "string",
      "format": "date-time",
      "description": "ISO-8601 UTC timestamp when event occurred"
    },
    "tenant_id": {
      "type": "string",
      "minLength": 1,
      "description": "Tenant identifier for scoping"
    },
    "correlation_id": {
      "type": "string",
      "format": "uuid",
      "description": "Correlation ID linking all events in a triage workflow"
    },
    "phase": {
      "type": "string",
      "enum": [
        "scan_to_finding",
        "finding_to_evidence",
        "evidence_to_decision",
        "decision_to_attestation",
        "attestation_to_verification",
        "verification_to_policy",
        "end_to_end"
      ],
      "description": "Phase of the evidence chain being measured"
    },
    "elapsed_ms": {
      "type": "number",
      "minimum": 0,
      "description": "Elapsed time in milliseconds for this phase"
    },
    "finding_id": {
      "type": "string",
      "description": "Finding identifier if applicable"
    },
    "vulnerability_id": {
      "type": "string",
      "pattern": "^CVE-[0-9]{4}-[0-9]+$",
      "description": "CVE identifier if applicable"
    },
    "artifact_digest": {
      "type": "string",
      "pattern": "^sha256:[a-f0-9]{64}$",
      "description": "Artifact digest in OCI format"
    },
    "evidence_type": {
      "type": "string",
      "enum": ["attestation", "vex", "sbom", "policy_eval", "reachability", "fix_pr"],
      "description": "Type of evidence attached or verified"
    },
    "evidence_count": {
      "type": "integer",
      "minimum": 0,
      "description": "Number of evidence items attached in this event"
    },
    "decision_status": {
      "type": "string",
      "enum": ["not_affected", "affected", "fixed", "under_investigation"],
      "description": "VEX decision status if event is decision-related"
    },
    "verification_result": {
      "type": "string",
      "enum": ["verified", "failed", "pending", "expired", "revoked"],
      "description": "Result of attestation/signature verification"
    },
    "slo_target_ms": {
      "type": "number",
      "minimum": 0,
      "description": "SLO target in milliseconds for this phase"
    },
    "slo_breach": {
      "type": "boolean",
      "description": "True if this event represents an SLO breach"
    },
    "surface": {
      "type": "string",
      "enum": ["api", "ui", "cli", "webhook", "scheduler"],
      "description": "Surface where the event originated"
    },
    "user_agent": {
      "type": "string",
      "description": "User agent string (filtered for bots)"
    },
    "is_automated": {
      "type": "boolean",
      "description": "True if event triggered by automation (not human)"
    },
    "offline_mode": {
      "type": "boolean",
      "description": "True if event occurred in offline/airgap mode"
    },
    "error_code": {
      "type": ["string", "null"],
      "description": "Error code if event_type is failure/timeout"
    },
    "metadata": {
      "type": "object",
      "additionalProperties": true,
      "description": "Additional context-specific metadata"
    }
  },
  "additionalProperties": false,
  "examples": [
    {
      "schema_version": "v1.0",
      "event_type": "tte.phase.completed",
      "timestamp": "2025-12-13T14:30:00.000Z",
      "tenant_id": "tenant-123",
      "correlation_id": "550e8400-e29b-41d4-a716-446655440000",
      "phase": "finding_to_evidence",
      "elapsed_ms": 1250,
      "finding_id": "finding-abc-123",
      "vulnerability_id": "CVE-2024-1234",
      "evidence_type": "attestation",
      "evidence_count": 1,
      "surface": "ui",
      "is_automated": false,
      "slo_target_ms": 5000,
      "slo_breach": false
    },
    {
      "schema_version": "v1.0",
      "event_type": "tte.slo.breach",
      "timestamp": "2025-12-13T14:35:00.000Z",
      "tenant_id": "tenant-456",
      "correlation_id": "660e8400-e29b-41d4-a716-446655440001",
      "phase": "end_to_end",
      "elapsed_ms": 125000,
      "slo_target_ms": 60000,
      "slo_breach": true,
      "surface": "api",
      "is_automated": true,
      "error_code": "TTE_SLO_END_TO_END_BREACH"
    }
  ]
}