# Predicate Schema Registry

## Status

- Status: DRAFT (2026-02-19)
- Owner: Attestor Guild
- Sprint: SPRINT_20260219_010

## Purpose

Replace hardcoded predicate type URIs scattered across the codebase with a discoverable, versioned, PostgreSQL-backed registry. External tooling (cosign, policy-as-code engines, audit exporters) can query the registry to discover and validate predicate schemas.

## Design

### Storage

- Schema: `proofchain` (alongside existing proof chain tables)
- Table: `proofchain.predicate_type_registry`
### Data Model

Each registry entry:

| Column | Type | Description |
|---|---|---|
| registry_id | UUID | Primary key |
| predicate_type_uri | TEXT UNIQUE | The canonical predicate type URI |
| display_name | TEXT | Human-readable name |
| version | TEXT | Semver string (e.g., "1.0.0") |
| category | TEXT | Category: stella-core, stella-proof, ecosystem, intoto |
| json_schema | JSONB | JSON Schema document for payload validation (nullable) |
| description | TEXT | Purpose description |
| is_active | BOOLEAN | Whether this type accepts new submissions |
| validation_mode | TEXT | log-only / warn / reject (default: log-only) |
| created_at | TIMESTAMPTZ | Created timestamp |
| updated_at | TIMESTAMPTZ | Last update timestamp |
### Immutability Rule
Once a (predicate_type_uri, version) pair is published, its json_schema MUST NOT change. New versions get new semver.
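The data model and the immutability rule above, expressed as PostgreSQL DDL with a trigger that enforces the rule at the database layer. This is an added example, not the project's own migration; constraint, function and trigger names are assumed, and the category CHECK includes `stella-delta` because the seed list below uses it.

```sql
-- Added example (not the project's migration): registry table plus a trigger
-- that refuses schema edits to an already-published (uri, version) pair.
CREATE SCHEMA IF NOT EXISTS proofchain;

CREATE TABLE IF NOT EXISTS proofchain.predicate_type_registry (
    registry_id         UUID        PRIMARY KEY DEFAULT gen_random_uuid(),
    predicate_type_uri  TEXT        NOT NULL UNIQUE,
    display_name        TEXT        NOT NULL,
    version             TEXT        NOT NULL,               -- semver string
    category            TEXT        NOT NULL
        CHECK (category IN ('stella-core', 'stella-proof', 'stella-delta',
                            'ecosystem', 'intoto')),        -- assumed CHECK
    json_schema         JSONB,                              -- nullable
    description         TEXT,
    is_active           BOOLEAN     NOT NULL DEFAULT TRUE,
    validation_mode     TEXT        NOT NULL DEFAULT 'log-only'
        CHECK (validation_mode IN ('log-only', 'warn', 'reject')),
    created_at          TIMESTAMPTZ NOT NULL DEFAULT now(),
    updated_at          TIMESTAMPTZ NOT NULL DEFAULT now()
);

-- Immutability rule: a published json_schema may only change together with a
-- new version string. Same version + different schema is rejected outright.
CREATE OR REPLACE FUNCTION proofchain.enforce_schema_immutability()
RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    IF NEW.json_schema IS DISTINCT FROM OLD.json_schema
       AND NEW.version IS NOT DISTINCT FROM OLD.version THEN
        RAISE EXCEPTION
            'json_schema of % version % is immutable; publish a new version',
            OLD.predicate_type_uri, OLD.version
            USING ERRCODE = 'integrity_constraint_violation';
    END IF;
    NEW.updated_at := now();   -- keep the audit column honest on every update
    RETURN NEW;
END;
$$;

CREATE TRIGGER predicate_type_registry_immutable_schema
    BEFORE UPDATE ON proofchain.predicate_type_registry
    FOR EACH ROW EXECUTE FUNCTION proofchain.enforce_schema_immutability();
```

Note that with `predicate_type_uri` declared UNIQUE, a new semver of the same URI must be represented either by a new URI (as the seeded `@v1`/`@v2` style shows) or by the version column of the existing row; the trigger allows the latter only when the version string changes along with the schema.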
### API Endpoints

- `GET /api/v1/attestor/predicates` — List all registered predicate types (paged, filterable by category and is_active)
- `GET /api/v1/attestor/predicates/{uri}` — Get schema and metadata for a specific predicate type URI (URI is URL-encoded)
- `POST /api/v1/attestor/predicates` — Register a new predicate type (admin-only, OpTok-gated with `attestor:admin` scope)

### Submission Validation

When a DSSE envelope is submitted via `POST /api/v1/rekor/entries`:

- Look up `predicate_type` in the registry
- If found and `validation_mode = "log-only"`: validate payload against `json_schema`, log result (pass/mismatch), proceed
- If found and `validation_mode = "warn"`: validate, emit warning metric, proceed
- If found and `validation_mode = "reject"`: validate, reject on mismatch (400 Bad Request)
- If not found: log unknown predicate type, proceed (don't block unregistered types during rollout)
### Seeded Predicate Types (from codebase analysis)

stella-core (Attestor native):

1. https://stella-ops.org/predicates/sbom-linkage/v1
2. https://stella-ops.org/predicates/vex-verdict/v1
3. https://stella-ops.org/predicates/evidence/v1
4. https://stella-ops.org/predicates/reasoning/v1
5. https://stella-ops.org/predicates/proof-spine/v1
6. https://stella-ops.org/predicates/reachability-drift/v1
7. https://stella-ops.org/predicates/reachability-subgraph/v1
8. https://stella-ops.org/predicates/delta-verdict/v1
9. https://stella-ops.org/predicates/policy-decision/v1
10. https://stella-ops.org/predicates/unknowns-budget/v1
11. https://stella-ops.org/predicates/ai-code-guard/v1
12. https://stella-ops.org/predicates/fix-chain/v1
13. https://stella-ops.org/attestation/graph-root/v1

stella-proof (ProofChain predicates):

14. https://stella.ops/predicates/path-witness/v1
15. https://stella.ops/predicates/runtime-witness/v1
16. https://stella.ops/predicates/policy-decision@v2
17. https://stellaops.dev/predicates/binary-micro-witness@v1
18. https://stellaops.dev/predicates/binary-fingerprint-evidence@v1
19. https://stellaops.io/attestation/budget-check/v1
20. https://stellaops.dev/attestation/vex/v1
21. https://stellaops.dev/attestations/vex-override/v1
22. https://stellaops.dev/predicates/trust-verdict@v1
23. https://stellaops.io/attestation/v1/signed-exception
24. https://stellaops.dev/attestation/verification-report/v1

stella-delta (Delta predicates):

25. stella.ops/changetrace@v1
26. stella.ops/vex-delta@v1
27. stella.ops/sbom-delta@v1
28. stella.ops/verdict-delta@v1
29. stellaops.binarydiff.v1

ecosystem (Standard predicates):

30. https://spdx.dev/Document
31. https://cyclonedx.org/bom
32. https://slsa.dev/provenance

intoto (In-Toto standard):

33. https://in-toto.io/Statement/v1
34. https://in-toto.io/Link/v1
35. https://in-toto.io/Layout/v1