git.stella-ops.org/docs/schemas/binary-index/delta-sig-v1.schema.json

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://stella.dev/schemas/binary-index/delta-sig-v1.schema.json",
  "title": "Stella Ops Delta Signature Predicate v1",
  "description": "JSON Schema for delta-sig predicate used in binary patch verification. Enables offline CI gate validation per advisory requirements.",
  "type": "object",
  "required": [
    "predicateType",
    "subject",
    "original_hash",
    "patched_hash",
    "diff_method",
    "similarity_score",
    "confidence",
    "call_ngram_hash",
    "bom_ref",
    "architecture",
    "lifter",
    "computed_at"
  ],
  "properties": {
    "predicateType": {
      "type": "string",
      "const": "stella.dev/delta-sig/v1",
      "description": "Predicate type URI identifying this as a Stella delta signature"
    },
    "subject": {
      "type": "object",
      "description": "Subject function identification",
      "required": ["func_id"],
      "properties": {
        "func_id": {
          "$ref": "#/$defs/func_id",
          "description": "Function identifier in format: module:bom-ref:offset:canonical-IR-hash"
        },
        "name": {
          "type": "string",
          "description": "Human-readable function name (optional)"
        },
        "demangled": {
          "type": "string",
          "description": "Demangled C++/Rust symbol name (optional)"
        }
      }
    },
    "original_hash": {
      "$ref": "#/$defs/hash_value",
      "description": "Hash of the original (unpatched) function's canonical IR with algorithm prefix"
    },
    "patched_hash": {
      "$ref": "#/$defs/hash_value",
      "description": "Hash of the patched function's canonical IR with algorithm prefix"
    },
    "diff_method": {
      "type": "string",
      "description": "Method used to compute the semantic diff",
      "enum": [
        "semantic-ir",
        "cfg-structural",
        "call-ngram",
        "instruction-sequence",
        "composite"
      ]
    },
    "proof_ref": {
      "type": "string",
      "description": "Reference to the full diff proof (rekor entry ID, sha256, or blake3 digest)",
      "pattern": "^(rekor|sha256|blake3):[a-fA-F0-9]{64,128}$"
    },
    "similarity_score": {
      "type": "number",
      "description": "Similarity score between original and patched functions [0.0, 1.0]",
      "minimum": 0,
      "maximum": 1
    },
    "confidence": {
      "type": "number",
      "description": "Match confidence score [0.0, 1.0]",
      "minimum": 0,
      "maximum": 1
    },
    "call_ngram_hash": {
      "$ref": "#/$defs/hash_value",
      "description": "Call-ngram fingerprint for cross-compiler resilience"
    },
    "bom_ref": {
      "type": "string",
      "description": "CycloneDX/SPDX bom-ref linking to SBOM component"
    },
    "architecture": {
      "type": "string",
      "description": "Target architecture",
      "examples": ["x86-64", "arm64", "arm32", "riscv64", "mips64"]
    },
    "lifter": {
      "type": "string",
      "description": "IR lifter used for binary analysis",
      "examples": ["B2R2", "Ghidra", "BinaryNinja", "Iced", "Capstone", "angr"]
    },
    "ir_version": {
      "type": "string",
      "description": "IR representation version for cache invalidation",
      "default": "v1.0.0",
      "pattern": "^v[0-9]+\\.[0-9]+\\.[0-9]+$"
    },
    "computed_at": {
      "type": "string",
      "description": "ISO 8601 timestamp when signature was computed",
      "format": "date-time"
    }
  },
  "additionalProperties": false,
  "$defs": {
    "func_id": {
      "type": "string",
      "description": "Function identifier in format: module:bom-ref:offset:canonical-IR-hash",
      "pattern": "^[^:]+:[^:]+:0x[a-fA-F0-9]+:[a-f0-9]{64}$"
    },
    "hash_value": {
      "type": "string",
      "description": "Hash value with algorithm prefix",
      "pattern": "^(sha256|sha384|sha512|blake3):[a-f0-9]{64,128}$"
    }
  },
  "examples": [
    {
      "predicateType": "stella.dev/delta-sig/v1",
      "subject": {
        "func_id": "libssl.so.3:pkg:deb/openssl@3.0.2:0x12345:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
        "name": "SSL_read",
        "demangled": "SSL_read"
      },
      "original_hash": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
      "patched_hash": "sha256:2222222222222222222222222222222222222222222222222222222222222222",
      "diff_method": "semantic-ir",
      "proof_ref": "rekor:3333333333333333333333333333333333333333333333333333333333333333",
      "similarity_score": 0.95,
      "confidence": 0.98,
      "call_ngram_hash": "blake3:4444444444444444444444444444444444444444444444444444444444444444",
      "bom_ref": "pkg:deb/debian/openssl@3.0.2-0ubuntu1.10",
      "architecture": "x86-64",
      "lifter": "B2R2",
      "ir_version": "v1.0.0",
      "computed_at": "2026-01-18T12:00:00Z"
    }
  ]
}