git.stella-ops.org/docs/schemas/predicates/boundary.v1.schema.json


{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella.ops/predicates/boundary@v1",
"title": "StellaOps Boundary Attestation Predicate",
"description": "Predicate for attack surface boundary detection.",
"type": "object",
"required": ["surface", "exposure", "observedAt"],
"properties": {
"surface": {
"type": "string",
"enum": ["http", "grpc", "tcp", "udp", "mqtt", "kafka", "cli", "internal"],
"description": "Type of attack surface."
},
"exposure": {
"type": "string",
"enum": ["public", "private", "internal", "localhost"],
"description": "Exposure level of the surface."
},
"observedAt": {
"type": "string",
"format": "date-time",
"description": "Timestamp at which the boundary was observed."
},
"endpoints": {
"type": "array",
"items": {
"$ref": "#/$defs/endpoint"
},
"description": "Detected endpoints on this surface."
},
"auth": {
"type": "object",
"properties": {
"mechanism": {
"type": "string",
"enum": ["none", "apikey", "jwt", "oauth2", "mtls", "basic"],
"description": "Authentication mechanism."
},
"required_scopes": {
"type": "array",
"items": { "type": "string" },
"description": "Required authorization scopes."
}
},
"description": "Authentication configuration."
},
"controls": {
"type": "array",
"items": { "type": "string" },
"description": "Security controls in place (e.g., rate-limit, WAF)."
},
"expiresAt": {
"type": "string",
"format": "date-time",
"description": "Timestamp after which this boundary observation is no longer considered valid (TTL: 72h)."
}
},
"$defs": {
"endpoint": {
"type": "object",
"required": ["route", "method"],
"properties": {
"route": {
"type": "string",
"description": "Route pattern (e.g., /api/users/:id)."
},
"method": {
"type": "string",
"enum": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"],
"description": "HTTP method."
},
"auth": {
"type": "string",
"description": "Authentication requirement that applies to this specific endpoint."
}
}
}
},
"additionalProperties": false
}