stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
c49b03a254273f613530769916442daab6e13ed5
git.stella-ops.org/src/Api/StellaOps.Api.OpenApi/stella.yaml
StellaOps Bot aa70af062e save development progress
2025-12-25 23:10:09 +02:00

3304 lines
102 KiB
YAML
Raw Blame History

openapi: 3.1.0
info:
title: StellaOps Aggregate API
version: 0.0.1
description: Composed OpenAPI from per-service specs. This file is generated by
compose.mjs.
contact:
name: StellaOps API Guild
email: api@stella-ops.local
servers:
- url: https://authority.stellaops.local
description: Example Authority deployment
x-service: authority
- url: https://export.stellaops.local
description: Example Export Center endpoint
x-service: export-center
- url: https://graph.stellaops.local
description: Example Graph endpoint
x-service: graph
- url: https://orchestrator.stellaops.local
description: Example Orchestrator endpoint
x-service: orchestrator
- url: https://policy.stellaops.local
description: Example Policy Engine endpoint
x-service: policy
- url: https://scanner.stellaops.local/api/v1
description: Example Scanner endpoint
x-service: scanner
- url: https://scheduler.stellaops.local
description: Example Scheduler endpoint
x-service: scheduler
tags:
- name: Authentication
description: OAuth 2.1 token exchange, introspection, and revocation flows.
- name: Keys
description: JSON Web Key Set discovery.
- name: Health
description: Liveness endpoints
- name: Meta
description: Readiness/metadata endpoints
- name: Bundles
description: Export bundle access
- name: Graphs
description: Graph build status and traversal APIs
- name: Jobs
description: Job submission and status APIs
- name: Evaluation
description: Policy evaluation APIs
- name: Policies
description: Policy management APIs
- name: Queues
description: Queue metrics APIs
- name: Scans
description: Scan lifecycle management
- name: CallGraphs
description: Call graph ingestion
- name: RuntimeEvidence
description: Runtime evidence collection
- name: Reachability
description: Reachability analysis and queries
- name: Exports
description: Report exports
- name: ProofSpines
description: Verifiable audit trails
paths:
/authority/introspect:
post:
tags:
- Authentication
summary: Introspect token state
description: Returns the active status and claims for a given token. Requires a
privileged client.
operationId: authorityIntrospectToken
security:
- ClientSecretBasic: []
requestBody:
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: "#/components/schemas/authority.IntrospectionRequest"
examples:
introspectToken:
summary: Validate an access token issued to Orchestrator
value:
token: eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9...
token_type_hint: access_token
responses:
"200":
description: Token state evaluated.
content:
application/json:
schema:
$ref: "#/components/schemas/authority.IntrospectionResponse"
examples:
activeToken:
summary: Active token response
value:
active: true
scope: orch:operate orch:read
client_id: orch-control
sub: operator-7f12
username: ops.engineer@tenant.example
token_type: Bearer
exp: 1761628800
iat: 1761625200
nbf: 1761625200
iss: https://authority.stellaops.local
aud:
- https://orch.stellaops.local
jti: 01J8KYRAMG7FWBPRRV5XG20T7S
tenant: tenant-alpha
confirmation:
mtls_thumbprint: 079871b8c9a0f2e6
inactiveToken:
summary: Revoked token response
value:
active: false
"400":
description: Malformed request.
content:
application/json:
schema:
$ref: "#/components/schemas/authority.OAuthErrorResponse"
examples:
missingToken:
summary: Token missing
value:
error: invalid_request
error_description: token parameter is required.
"401":
description: Client authentication failed or client lacks introspection
permission.
content:
application/json:
schema:
$ref: "#/components/schemas/authority.OAuthErrorResponse"
examples:
unauthorizedClient:
summary: Client not allowed to introspect tokens
value:
error: invalid_client
error_description: Client authentication failed.
x-service: authority
x-original-path: /introspect
/authority/jwks:
get:
tags:
- Keys
summary: Retrieve signing keys
description: Returns the JSON Web Key Set used to validate Authority-issued tokens.
operationId: authorityGetJwks
responses:
"200":
description: JWKS document.
headers:
Cache-Control:
schema:
type: string
description: Standard caching headers apply; keys rotate infrequently.
content:
application/json:
schema:
$ref: "#/components/schemas/authority.JwksDocument"
examples:
ecKeySet:
summary: EC signing keys
value:
keys:
- kid: auth-tokens-es384-202510
kty: EC
use: sig
alg: ES384
crv: P-384
x: 7UchU5R77LtChrJx6uWg9mYjFvV6RIpSgZPDIj7d1q0
y: v98nHe8a7mGZ9Fn1t4Jp9PTJv1ma35QPmhUrE4pH7H0
status: active
- kid: auth-tokens-es384-202409
kty: EC
use: sig
alg: ES384
crv: P-384
x: hjdKc0r8jvVHJ7S9mP0y0mU9bqN7v5PxS21SwclTzfc
y: yk6J3pz4TUpymN4mG-6th3dYvJ5N1lQvDK0PLuFv3Pg
status: retiring
x-service: authority
x-original-path: /jwks
/authority/revoke:
post:
tags:
- Authentication
summary: Revoke an access or refresh token
description: Revokes an access or refresh token; idempotent.
operationId: authorityRevokeToken
security:
- ClientSecretBasic: []
requestBody:
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: "#/components/schemas/authority.RevocationRequest"
examples:
revokeRefreshToken:
summary: Revoke refresh token after logout
value:
token: 0.rg9pVlsGzXE8Q
token_type_hint: refresh_token
responses:
"200":
description: Token revoked or already invalid. The response body is
intentionally blank.
"400":
description: Malformed request.
content:
application/json:
schema:
$ref: "#/components/schemas/authority.OAuthErrorResponse"
examples:
missingToken:
summary: Token parameter omitted
value:
error: invalid_request
error_description: The revocation request is missing the token parameter.
"401":
description: Client authentication failed.
content:
application/json:
schema:
$ref: "#/components/schemas/authority.OAuthErrorResponse"
examples:
badClientSecret:
summary: Invalid client credentials
value:
error: invalid_client
error_description: Client authentication failed.
x-service: authority
x-original-path: /revoke
/authority/token:
post:
tags:
- Authentication
summary: Exchange credentials for tokens
description: >
Issues OAuth 2.1 bearer tokens for StellaOps clients. Supports password,
client credentials,
authorization-code, device, and refresh token grants. Confidential
clients must authenticate using
HTTP Basic auth or `client_secret` form fields.
operationId: authorityTokenExchange
security:
- ClientSecretBasic: []
- {}
requestBody:
required: true
content:
application/x-www-form-urlencoded:
schema:
oneOf:
- $ref: "#/components/schemas/authority.PasswordGrantRequest"
- $ref: "#/components/schemas/authority.ClientCredentialsGrantRequest"
- $ref: "#/components/schemas/authority.RefreshTokenGrantRequest"
- $ref: "#/components/schemas/authority.AuthorizationCodeGrantRequest"
encoding:
authority_provider:
style: form
explode: false
examples:
passwordGrant:
summary: Password grant for tenant-scoped ingestion bot
value:
grant_type: password
client_id: ingest-cli
client_secret: s3cr3t
username: ingest-bot
password: pa55w0rd!
scope: advisory:ingest vex:ingest
authority_provider: primary-directory
authorizationCode:
summary: Authorization code exchange for Console UI session
value:
grant_type: authorization_code
client_id: console-ui
code: 2Lba1WtwPLfZ2b0Z9uPrsQ
redirect_uri: https://console.stellaops.local/auth/callback
code_verifier: g3ZnL91QJ6i4zO_86oI4CDnZ7gS0bSeK
clientCredentials:
summary: Client credentials exchange for Policy Engine
value:
grant_type: client_credentials
client_id: policy-engine
client_secret: 9c39f602-2f2b-4f29
scope: effective:write findings:read
operator_reason: Deploying policy change 1234
operator_ticket: CHG-004211
refreshToken:
summary: Refresh token rotation for console session
value:
grant_type: refresh_token
client_id: console-ui
refresh_token: 0.rg9pVlsGzXE8Q
responses:
"200":
description: Token exchange succeeded.
content:
application/json:
schema:
$ref: "#/components/schemas/authority.TokenResponse"
examples:
passwordGrant:
summary: Password grant success response
value:
access_token: eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9...
token_type: Bearer
expires_in: 3600
refresh_token: OxGdVtZJ-mk49cFd38uRUw
scope: advisory:ingest vex:ingest
clientCredentials:
summary: Client credentials success response
value:
access_token: eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9...
token_type: Bearer
expires_in: 900
scope: effective:write findings:read
authorizationCode:
summary: Authorization code success response
value:
access_token: eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9...
token_type: Bearer
expires_in: 900
refresh_token: VxKpc9Vj9QjYV6gLrhQHTw
scope: ui.read authority:tenants.read
id_token: eyJhbGciOiJFUzM4NCIsImtpZCI6ImNvbnNvbGUifQ...
"400":
description: Malformed request, unsupported grant type, or invalid credentials.
content:
application/json:
schema:
$ref: "#/components/schemas/authority.OAuthErrorResponse"
examples:
invalidProvider:
summary: Unknown identity provider hint
value:
error: invalid_request
error_description: Unknown identity provider 'legacy-directory'.
invalidScope:
summary: Scope not permitted for client
value:
error: invalid_scope
error_description: Scope 'effective:write' is not permitted for this client.
"401":
description: Client authentication failed.
content:
application/json:
schema:
$ref: "#/components/schemas/authority.OAuthErrorResponse"
examples:
badClientSecret:
summary: Invalid client secret
value:
error: invalid_client
error_description: Client authentication failed.
x-service: authority
x-original-path: /token
/export-center/bundles:
get:
tags:
- Bundles
summary: List export bundles
operationId: exportListBundles
description: Returns paginated export bundles for the tenant.
parameters:
- $ref: "#/components/parameters/TenantParam"
- $ref: "#/components/parameters/LimitParam"
- $ref: "#/components/parameters/CursorParam"
security:
- OAuthClientCredentials: []
- BearerAuth: []
responses:
"200":
description: Bundle page
content:
application/json:
schema:
type: object
properties:
items:
type: array
items:
$ref: "#/components/schemas/export-center.BundleSummary"
metadata:
$ref: "#/components/schemas/PageMetadata"
examples:
page:
summary: First page of bundles
value:
items:
- bundleId: bundle-2025-11-18-001
createdAt: 2025-11-18T12:00:00Z
status: ready
sizeBytes: 1048576
sha256: sha256:abc123
- bundleId: bundle-2025-11-18-000
createdAt: 2025-11-18T10:00:00Z
status: ready
sizeBytes: 2048
sha256: sha256:def456
metadata:
hasMore: true
nextCursor: eyJyIjoiMjAyNS0xMS0xOC0wMDIifQ
"400":
description: Invalid request
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorEnvelope"
examples:
invalidTenant:
summary: Tenant missing
value:
code: export.invalid_tenant
message: tenant query parameter is required.
traceId: 01JF04ERR3
x-service: export-center
x-original-path: /bundles
/export-center/bundles/{bundleId}:
get:
tags:
- Bundles
summary: Download export bundle by id
operationId: exportGetBundle
description: Streams an export bundle archive.
parameters:
- name: bundleId
in: path
required: true
schema:
type: string
example: bundle-2025-11-18-001
security:
- OAuthClientCredentials: []
- BearerAuth: []
responses:
"200":
description: Bundle stream
content:
application/zip:
examples:
download:
summary: Zip payload
value: binary data
checksumMismatch:
summary: Expected sha256 mismatch example
value: binary data
"404":
description: Bundle not found
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorEnvelope"
examples:
notFound:
summary: Bundle missing
value:
code: export.bundle_not_found
message: Bundle bundle-2025-11-18-001 not found.
traceId: 01JF04NF
x-service: export-center
x-original-path: /bundles/{bundleId}
/export-center/bundles/{bundleId}/manifest:
get:
tags:
- Bundles
summary: Fetch bundle manifest metadata
description: Returns manifest metadata for a bundle id.
operationId: exportGetBundleManifest
parameters:
- name: bundleId
in: path
required: true
schema:
type: string
security:
- OAuthClientCredentials: []
- BearerAuth: []
responses:
"200":
description: Manifest metadata
content:
application/json:
schema:
$ref: "#/components/schemas/export-center.BundleManifest"
examples:
manifest:
value:
bundleId: bundle-2025-11-18-001
contents:
- type: advisory
digest: sha256:abc123
- type: vex
digest: sha256:def456
sizeBytes: 1048576
sha256: sha256:fedcba
createdAt: 2025-11-18T12:00:00Z
"404":
description: Bundle not found
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorEnvelope"
x-service: export-center
x-original-path: /bundles/{bundleId}/manifest
/export-center/health:
get:
tags:
- Health
summary: Liveness probe
description: Returns OK when Export Center is reachable.
operationId: exportHealth
responses:
"200":
description: Service is up
content:
application/json:
examples:
ok:
value:
status: ok
service: export-center
timestamp: 2025-11-18T00:00:00Z
"503":
description: Service unhealthy or dependencies unavailable.
content:
application/json:
examples:
unhealthy:
value:
status: degraded
service: export-center
reason: object store unreachable
timestamp: 2025-11-18T00:00:00Z
x-service: export-center
x-original-path: /health
/export-center/healthz:
get:
summary: Service health
tags:
- Meta
description: Readiness probe for Export Center dependencies.
operationId: exportHealthz
responses:
"200":
description: Service healthy
content:
application/json:
schema:
$ref: "#/components/schemas/export-center.HealthResponse"
examples:
ok:
summary: Healthy response
value:
status: ok
service: export-center
"503":
description: Service unavailable
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorEnvelope"
examples:
unavailable:
summary: Unhealthy response
value:
code: service_unavailable
message: mirror bundle backlog exceeds SLA
traceId: "3"
x-service: export-center
x-original-path: /healthz
/graph/graphs/{graphId}/nodes:
get:
summary: List graph nodes
tags:
- Graphs
operationId: graphListNodes
description: Lists nodes for a graph with paging.
parameters:
- name: graphId
in: path
required: true
schema:
type: string
- $ref: "#/components/parameters/LimitParam"
- $ref: "#/components/parameters/CursorParam"
responses:
"200":
description: Graph nodes page
content:
application/json:
schema:
$ref: "#/components/schemas/graph.GraphNodePage"
examples:
sample:
value:
nodes:
- id: node-1
kind: artifact
label: registry.stella-ops.local/runtime/api
tenant: tenant-alpha
- id: node-2
kind: policy
label: policy:baseline
tenant: tenant-alpha
metadata:
hasMore: true
nextCursor: eyJuIjoiMjAyNS0xMS0xOCJ9
filtered:
summary: Policy nodes only
value:
nodes:
- id: node-99
kind: policy
label: policy:runtime-allowlist
tenant: tenant-beta
metadata:
hasMore: false
nextCursor: ""
"404":
description: Graph not found
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorEnvelope"
x-service: graph
x-original-path: /graphs/{graphId}/nodes
/graph/graphs/{graphId}/status:
get:
summary: Get graph build status
tags:
- Graphs
operationId: graphGetStatus
description: Returns build status for a graph id.
parameters:
- name: graphId
in: path
required: true
schema:
type: string
- $ref: "#/components/parameters/TenantParam"
responses:
"200":
description: Graph status
content:
application/json:
schema:
$ref: "#/components/schemas/graph.GraphStatus"
examples:
ready:
value:
graphId: graph-01JF0XYZ
status: ready
builtAt: 2025-11-18T12:00:00Z
tenant: tenant-alpha
building:
value:
graphId: graph-01JF0BUILD
status: building
builtAt: 2025-11-18T12:05:00Z
tenant: tenant-alpha
"404":
description: Graph not found
content:
application/json:
schema:
$ref: "#/components/schemas/graph.ErrorEnvelope"
x-service: graph
x-original-path: /graphs/{graphId}/status
/graph/healthz:
get:
summary: Service health
tags:
- Meta
description: Readiness probe for Graph API.
operationId: graphHealthz
responses:
"200":
description: Service healthy
content:
application/json:
schema:
$ref: "#/components/schemas/graph.HealthEnvelope"
examples:
ok:
summary: Healthy response
value:
status: ok
service: graph
"503":
description: Service unavailable
content:
application/json:
schema:
$ref: "#/components/schemas/graph.ErrorEnvelope"
examples:
unavailable:
summary: Unhealthy response
value:
code: service_unavailable
message: indexer lag exceeds threshold
traceId: "5"
x-service: graph
x-original-path: /healthz
/orchestrator/health:
get:
tags:
- Health
summary: Liveness probe
description: Returns OK when Orchestrator is reachable.
operationId: orchestratorHealth
responses:
"200":
description: Service is up
content:
application/json:
examples:
ok:
value:
status: ok
service: orchestrator
timestamp: 2025-11-18T00:00:00Z
"503":
description: Service unhealthy or dependencies unavailable.
content:
application/json:
examples:
unhealthy:
value:
status: degraded
service: orchestrator
reason: scheduler queue unreachable
timestamp: 2025-11-18T00:00:00Z
x-service: orchestrator
x-original-path: /health
/orchestrator/healthz:
get:
summary: Service health
tags:
- Meta
description: Readiness probe for orchestrator dependencies.
operationId: orchestratorHealthz
responses:
"200":
description: Service healthy
content:
application/json:
schema:
$ref: "#/components/schemas/HealthEnvelope"
examples:
ok:
summary: Healthy response
value:
status: ok
service: orchestrator
"503":
description: Service unavailable
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorEnvelope"
examples:
unavailable:
summary: Unhealthy response
value:
code: service_unavailable
message: outbound queue lag exceeds threshold
traceId: "1"
x-service: orchestrator
x-original-path: /healthz
/orchestrator/jobs:
get:
tags:
- Jobs
summary: List jobs
operationId: orchestratorListJobs
description: Returns jobs for the tenant with optional status filter.
parameters:
- in: query
name: status
schema:
type: string
enum:
- queued
- running
- failed
- completed
description: Optional status filter
- $ref: "#/components/parameters/LimitParam"
- $ref: "#/components/parameters/CursorParam"
- $ref: "#/components/parameters/TenantParam"
responses:
"200":
description: Jobs page
content:
application/json:
schema:
type: array
items:
$ref: "#/components/schemas/orchestrator.JobSummary"
examples:
default:
summary: Mixed queues
value:
- jobId: job_01JF04ABCD
status: queued
queue: scan
tenant: tenant-alpha
enqueuedAt: 2025-11-18T12:00:00Z
- jobId: job_01JF04EFGH
status: running
queue: policy-eval
tenant: tenant-alpha
enqueuedAt: 2025-11-18T11:55:00Z
startedAt: 2025-11-18T11:56:10Z
queuedOnly:
summary: Filtered by status=queued with page limit
value:
- jobId: job_01JF0500QUE
status: queued
queue: export
tenant: tenant-beta
enqueuedAt: 2025-11-18T12:05:00Z
- jobId: job_01JF0501QUE
status: queued
queue: scan
tenant: tenant-beta
enqueuedAt: 2025-11-18T12:04:10Z
"400":
description: Invalid request
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorEnvelope"
examples:
invalidStatus:
summary: Bad status filter
value:
code: orch.invalid_request
message: status must be one of queued,running,failed,completed.
traceId: 01JF04ERR1
x-service: orchestrator
x-original-path: /jobs
post:
tags:
- Jobs
summary: Submit a job to the orchestrator queue
operationId: orchestratorSubmitJob
description: Enqueue a job for asynchronous execution.
parameters:
- in: header
name: Idempotency-Key
description: Optional idempotency key to safely retry job submissions.
required: false
schema:
type: string
maxLength: 128
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/orchestrator.JobCreateRequest"
examples:
scanJob:
summary: Submit scan job
value:
kind: scan
payload:
artifactId: registry.stella-ops.local/runtime/api
policyVersion: 2025.10.1
priority: high
tenant: tenant-alpha
security:
- OAuthClientCredentials: []
- BearerAuth: []
responses:
"202":
description: Job accepted
content:
application/json:
schema:
$ref: "#/components/schemas/orchestrator.JobCreateResponse"
examples:
accepted:
summary: Job enqueued
value:
jobId: job_01JF04ABCD
status: queued
queue: scan
enqueuedAt: 2025-11-18T12:00:00Z
"400":
description: Invalid request
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorEnvelope"
examples:
missingType:
summary: Missing jobType
value:
code: orch.invalid_request
message: jobType is required.
traceId: 01JF04ERR1
x-service: orchestrator
x-original-path: /jobs
/orchestrator/jobs/{jobId}:
get:
tags:
- Jobs
summary: Get job status
operationId: orchestratorGetJob
description: Fetch the current status of a job by id.
parameters:
- name: jobId
in: path
required: true
schema:
type: string
responses:
"200":
description: Job status
content:
application/json:
schema:
$ref: "#/components/schemas/orchestrator.JobSummary"
examples:
sample:
value:
jobId: job_01JF04ABCD
status: queued
queue: scan
enqueuedAt: 2025-11-18T12:00:00Z
"404":
description: Job not found
content:
application/json:
schema:
$ref: "#/components/schemas/orchestrator.ErrorEnvelope"
x-service: orchestrator
x-original-path: /jobs/{jobId}
/policy/evaluate:
post:
tags:
- Evaluation
summary: Evaluate policy for an artifact
description: Evaluate the active policy version for an artifact and return
allow/deny decision.
operationId: policyEvaluate
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/policy.EvaluationRequest"
examples:
default:
summary: Evaluate current policy for an artifact
value:
artifactId: registry.stella-ops.local/runtime/api
policyVersion: 2025.10.1
inputs:
tenant: acme
branch: main
environment: prod
responses:
"200":
description: Evaluation succeeded
content:
application/json:
examples:
allow:
summary: Allow decision with reasons
value:
decision: allow
policyVersion: 2025.10.1
traceId: 01JF040XYZ
reasons:
- signed
- within SLO
metadata:
latencyMs: 42
obligations:
- record: evidence
deny:
summary: Deny decision with obligations
value:
decision: deny
policyVersion: 2025.10.1
traceId: 01JF040DENY
reasons:
- missing attestation
- vulnerable runtime package
metadata:
latencyMs: 55
obligations:
- quarantine: true
- notify: security-team
schema:
$ref: "#/components/schemas/policy.EvaluationResponse"
"400":
description: Invalid request
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorEnvelope"
examples:
missingArtifact:
summary: Missing artifactId
value:
code: policy.invalid_request
message: artifactId is required.
traceId: 01JF041ERR
security:
- OAuthClientCredentials: []
- BearerAuth: []
x-service: policy
x-original-path: /evaluate
/policy/health:
get:
tags:
- Health
summary: Liveness probe
description: Returns OK when the Policy Engine is reachable.
operationId: policyHealth
responses:
"200":
description: Service is up
content:
application/json:
examples:
ok:
value:
status: ok
service: policy
timestamp: 2025-11-18T00:00:00Z
"503":
description: Service unhealthy or dependencies unavailable.
content:
application/json:
examples:
unhealthy:
value:
status: degraded
service: policy
reason: database unavailable
timestamp: 2025-11-18T00:00:00Z
x-service: policy
x-original-path: /health
/policy/healthz:
get:
summary: Service health
tags:
- Meta
description: Readiness probe for orchestrators.
operationId: policyHealthz
responses:
"200":
description: Service healthy
content:
application/json:
schema:
$ref: "#/components/schemas/HealthEnvelope"
examples:
ok:
summary: Healthy response
value:
status: ok
service: policy
"503":
description: Service unavailable
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorEnvelope"
examples:
unavailable:
summary: Unhealthy response
value:
code: service_unavailable
message: projector backlog exceeds SLA
traceId: "2"
x-service: policy
x-original-path: /healthz
/policy/policies:
get:
tags:
- Policies
summary: List policies
description: Returns a paginated list of policy documents filtered by tenant and
status.
operationId: policyList
parameters:
- $ref: "#/components/parameters/TenantParam"
- $ref: "#/components/parameters/LimitParam"
- $ref: "#/components/parameters/CursorParam"
- in: query
name: status
description: Optional status filter (draft, active, retired)
schema:
type: string
enum:
- draft
- active
- retired
responses:
"200":
description: Policy list page
content:
application/json:
schema:
$ref: "#/components/schemas/policy.PolicyListResponse"
examples:
default:
summary: First page of active policies
value:
items:
- id: pol-1234
name: Critical CVE blocker
status: active
version: 5
tenant: tenant-alpha
updatedAt: 2025-11-20T12:00:00Z
- id: pol-5678
name: Runtime Allowlist
status: active
version: 2
tenant: tenant-alpha
updatedAt: 2025-11-18T09:14:00Z
pageSize: 50
nextPageToken: eyJvZmZzZXQiOiIxMDAifQ==
"400":
$ref: "#/components/responses/ErrorResponse"
"401":
$ref: "#/components/responses/ErrorResponse"
x-service: policy
x-original-path: /policies
/scanner/scans:
post:
tags:
- Scans
operationId: createScan
summary: Create a new scan
description: |
Initiates a new scan context. Returns a scanId for subsequent
call graph and evidence submissions.
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.CreateScanRequest"
responses:
"201":
description: Scan created
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.CreateScanResponse"
"400":
$ref: "#/components/responses/BadRequest"
x-service: scanner
x-original-path: /scans
/scanner/scans/{scanId}:
get:
tags:
- Scans
operationId: getScan
summary: Get scan status
parameters:
- $ref: "#/components/parameters/ScanIdPath"
responses:
"200":
description: Scan details
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.ScanDetails"
"404":
$ref: "#/components/responses/NotFound"
x-service: scanner
x-original-path: /scans/{scanId}
/scanner/scans/{scanId}/callgraphs:
post:
tags:
- CallGraphs
operationId: submitCallGraph
summary: Submit a call graph
description: |
Submits a language-specific call graph for reachability analysis.
Idempotent: duplicate submissions with same Content-Digest are ignored.
parameters:
- $ref: "#/components/parameters/ScanIdPath"
- name: Content-Digest
in: header
required: true
description: SHA-256 digest for idempotency (RFC 9530)
schema:
type: string
example: "sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:"
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.CallGraphV1"
application/x-ndjson:
schema:
type: string
description: Streaming NDJSON for large graphs
responses:
"202":
description: Call graph accepted
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.CallGraphAcceptedResponse"
"400":
$ref: "#/components/responses/BadRequest"
"409":
description: Duplicate submission (idempotent success)
"413":
description: Call graph too large
x-service: scanner
x-original-path: /scans/{scanId}/callgraphs
/scanner/scans/{scanId}/compute-reachability:
post:
tags:
- Reachability
operationId: computeReachability
summary: Trigger reachability computation
description: |
Triggers reachability analysis for the scan. Idempotent.
Computation is asynchronous; poll scan status for completion.
parameters:
- $ref: "#/components/parameters/ScanIdPath"
requestBody:
required: false
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.ComputeReachabilityRequest"
responses:
"202":
description: Computation started
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.ComputeReachabilityResponse"
"400":
$ref: "#/components/responses/BadRequest"
"409":
description: Computation already in progress
x-service: scanner
x-original-path: /scans/{scanId}/compute-reachability
/scanner/scans/{scanId}/exports/cdxr:
get:
tags:
- Exports
operationId: exportCycloneDxReachability
summary: Export as CycloneDX with reachability extension
parameters:
- $ref: "#/components/parameters/ScanIdPath"
responses:
"200":
description: CycloneDX with reachability
content:
application/vnd.cyclonedx+json:
schema:
type: object
x-service: scanner
x-original-path: /scans/{scanId}/exports/cdxr
/scanner/scans/{scanId}/exports/openvex:
get:
tags:
- Exports
operationId: exportOpenVex
summary: Export as OpenVEX
parameters:
- $ref: "#/components/parameters/ScanIdPath"
responses:
"200":
description: OpenVEX document
content:
application/json:
schema:
type: object
x-service: scanner
x-original-path: /scans/{scanId}/exports/openvex
/scanner/scans/{scanId}/exports/sarif:
get:
tags:
- Exports
operationId: exportSarif
summary: Export findings as SARIF
parameters:
- $ref: "#/components/parameters/ScanIdPath"
responses:
"200":
description: SARIF report
content:
application/sarif+json:
schema:
type: object
x-service: scanner
x-original-path: /scans/{scanId}/exports/sarif
/scanner/scans/{scanId}/reachability/components:
get:
tags:
- Reachability
operationId: getReachabilityByComponent
summary: Get reachability status by component
parameters:
- $ref: "#/components/parameters/ScanIdPath"
- name: purl
in: query
description: Filter by Package URL
schema:
type: string
- name: status
in: query
description: Filter by reachability status
schema:
type: string
enum:
- reachable
- unreachable
- possibly_reachable
- unknown
responses:
"200":
description: Component reachability results
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.ComponentReachabilityList"
x-service: scanner
x-original-path: /scans/{scanId}/reachability/components
/scanner/scans/{scanId}/reachability/explain:
get:
tags:
- Reachability
operationId: explainReachability
summary: Explain reachability for CVE/component
description: |
Returns detailed explanation of why a CVE affects a component,
including path witness, evidence chain, and contributing factors.
parameters:
- $ref: "#/components/parameters/ScanIdPath"
- name: cve
in: query
required: true
schema:
type: string
- name: purl
in: query
required: true
schema:
type: string
responses:
"200":
description: Reachability explanation
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.ReachabilityExplanation"
"404":
description: CVE/component combination not found
x-service: scanner
x-original-path: /scans/{scanId}/reachability/explain
/scanner/scans/{scanId}/reachability/findings:
get:
tags:
- Reachability
operationId: getReachabilityFindings
summary: Get vulnerability findings with reachability
parameters:
- $ref: "#/components/parameters/ScanIdPath"
- name: cve
in: query
description: Filter by CVE ID
schema:
type: string
- name: status
in: query
description: Filter by reachability status
schema:
type: string
enum:
- reachable
- unreachable
- possibly_reachable
- unknown
responses:
"200":
description: Vulnerability findings with reachability
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.ReachabilityFindingList"
x-service: scanner
x-original-path: /scans/{scanId}/reachability/findings
/scanner/scans/{scanId}/runtimeevidence:
post:
tags:
- RuntimeEvidence
operationId: submitRuntimeEvidence
summary: Submit runtime evidence
description: |
Submits runtime execution evidence (stack traces, loaded modules).
Merges with existing evidence for the scan.
parameters:
- $ref: "#/components/parameters/ScanIdPath"
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.RuntimeEvidenceV1"
responses:
"202":
description: Evidence accepted
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.RuntimeEvidenceAcceptedResponse"
"400":
$ref: "#/components/responses/BadRequest"
x-service: scanner
x-original-path: /scans/{scanId}/runtimeevidence
/scanner/scans/{scanId}/sbom:
post:
tags:
- Scans
operationId: submitSbom
summary: Submit SBOM for scan
description: |
Associates an SBOM (CycloneDX or SPDX) with the scan.
Required before reachability computation.
parameters:
- $ref: "#/components/parameters/ScanIdPath"
requestBody:
required: true
content:
application/vnd.cyclonedx+json:
schema:
type: object
application/spdx+json:
schema:
type: object
responses:
"202":
description: SBOM accepted
"400":
$ref: "#/components/responses/BadRequest"
x-service: scanner
x-original-path: /scans/{scanId}/sbom
/scanner/scans/{scanId}/spines:
get:
tags:
- ProofSpines
operationId: getSpinesByScan
summary: List proof spines for a scan
parameters:
- $ref: "#/components/parameters/ScanIdPath"
responses:
"200":
description: Proof spines for scan
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.ProofSpineList"
x-service: scanner
x-original-path: /scans/{scanId}/spines
/scanner/spines/{spineId}:
get:
tags:
- ProofSpines
operationId: getSpine
summary: Get a proof spine
description: Returns full spine with all segments and verification status.
parameters:
- name: spineId
in: path
required: true
schema:
type: string
responses:
"200":
description: Proof spine details
content:
application/json:
schema:
$ref: "#/components/schemas/scanner.ProofSpine"
"404":
$ref: "#/components/responses/NotFound"
x-service: scanner
x-original-path: /spines/{spineId}
/scheduler/health:
get:
tags:
- Health
summary: Liveness probe
description: Returns OK when Scheduler is reachable.
operationId: schedulerHealth
responses:
"200":
description: Service is up
content:
application/json:
examples:
ok:
value:
status: ok
service: scheduler
timestamp: 2025-11-18T00:00:00Z
"503":
description: Service unhealthy or dependencies unavailable.
content:
application/json:
examples:
unhealthy:
value:
status: degraded
service: scheduler
reason: queue not reachable
timestamp: 2025-11-18T00:00:00Z
x-service: scheduler
x-original-path: /health
/scheduler/healthz:
get:
summary: Service health
tags:
- Meta
description: Readiness probe for queue connectivity.
operationId: schedulerHealthz
responses:
"200":
description: Service healthy
content:
application/json:
schema:
$ref: "#/components/schemas/scheduler.HealthEnvelope"
examples:
ok:
summary: Healthy response
value:
status: ok
service: scheduler
"503":
description: Service unavailable
content:
application/json:
schema:
$ref: "#/components/schemas/scheduler.ErrorEnvelope"
examples:
unavailable:
summary: Unhealthy response
value:
code: service_unavailable
message: queue backlog exceeds threshold
traceId: "4"
x-service: scheduler
x-original-path: /healthz
/scheduler/queues/{name}:
get:
tags:
- Queues
summary: Get queue status
description: Returns depth, inflight, and age metrics for a queue.
operationId: schedulerGetQueueStatus
parameters:
- name: name
in: path
required: true
schema:
type: string
example: default
responses:
"200":
description: Queue status
content:
application/json:
schema:
$ref: "#/components/schemas/scheduler.QueueStatus"
examples:
status:
summary: Queue depth snapshot
value:
name: default
depth: 12
inflight: 2
oldestAgeSeconds: 45
updatedAt: 2025-11-18T12:00:00Z
empty:
summary: Empty queue
value:
name: export
depth: 0
inflight: 0
oldestAgeSeconds: 0
updatedAt: 2025-11-18T12:05:00Z
"404":
description: Queue not found
content:
application/json:
schema:
$ref: "#/components/schemas/scheduler.ErrorEnvelope"
examples:
notFound:
summary: Queue missing
value:
code: scheduler.queue_not_found
message: Queue default not found.
traceId: 01JF04NF2
x-service: scheduler
x-original-path: /queues/{name}
components:
schemas:
BreakingChange:
type: object
description: Description of a breaking change between deprecated and successor
endpoints.
required:
- type
- description
properties:
type:
type: string
enum:
- parameter-removed
- parameter-renamed
- parameter-type-changed
- response-schema-changed
- header-removed
- header-renamed
- status-code-changed
- content-type-changed
- authentication-changed
description: Category of the breaking change.
path:
type: string
description: JSON path to the affected element.
example: $.parameters[0].name
description:
type: string
description: Human-readable description of the change.
example: Parameter 'page' renamed to 'cursor'
migrationAction:
type: string
description: Recommended action for consumers.
example: Replace 'page' parameter with 'cursor' using the nextCursor value from
previous response.
DeprecationMetadata:
type: object
description: >
Deprecation metadata for API endpoints. Applied as x-deprecation
extension
on operation objects. Used by Spectral rules, changelog generation, and
notification templates.
required:
- deprecatedAt
- sunsetAt
- successorPath
- reason
properties:
deprecatedAt:
type: string
format: date-time
description: ISO 8601 timestamp when the endpoint was marked deprecated.
example: 2025-01-15T00:00:00Z
sunsetAt:
type: string
format: date-time
description: ISO 8601 timestamp when the endpoint will be removed.
example: 2025-07-15T00:00:00Z
successorPath:
type: string
description: Path to the replacement endpoint (if available).
example: /v2/resources
successorOperationId:
type: string
description: Operation ID of the replacement endpoint.
example: getResourcesV2
reason:
type: string
description: Human-readable explanation for the deprecation.
example: Replaced by paginated v2 endpoint with cursor-based pagination.
migrationGuide:
type: string
format: uri
description: URL to migration documentation.
example: https://docs.stella-ops.org/migration/resources-v2
notificationChannels:
type: array
description: Notification channels for deprecation announcements.
items:
type: string
enum:
- slack
- teams
- email
- webhook
default:
- email
affectedConsumerHints:
type: array
description: Hints about affected consumers (e.g., SDK names, client IDs).
items:
type: string
breakingChanges:
type: array
description: List of breaking changes in the successor endpoint.
items:
$ref: "#/schemas/BreakingChange"
DeprecationNotificationEvent:
type: object
description: Event payload for deprecation notifications sent to Notify service.
required:
- eventId
- eventType
- timestamp
- tenantId
- deprecation
properties:
eventId:
type: string
format: uuid
description: Unique identifier for this notification event.
eventType:
type: string
const: api.deprecation.announced
description: Event type for routing in Notify service.
timestamp:
type: string
format: date-time
description: ISO 8601 timestamp when the event was generated.
tenantId:
type: string
description: Tenant scope for the notification.
deprecation:
$ref: "#/schemas/DeprecationSummary"
DeprecationReport:
type: object
description: Aggregated report of all deprecations for changelog/SDK publishing.
required:
- generatedAt
- schemaVersion
- deprecations
properties:
generatedAt:
type: string
format: date-time
description: When this report was generated.
schemaVersion:
type: string
const: api.deprecation.report@1
totalCount:
type: integer
description: Total number of deprecated endpoints.
upcomingSunsets:
type: integer
description: Number of endpoints with sunset within 90 days.
deprecations:
type: array
items:
$ref: "#/schemas/DeprecationSummary"
DeprecationSummary:
type: object
description: Summary of a deprecated endpoint for notification purposes.
required:
- service
- path
- method
- deprecatedAt
- sunsetAt
properties:
service:
type: string
description: Service name owning the deprecated endpoint.
example: authority
path:
type: string
description: API path of the deprecated endpoint.
example: /v1/tokens
method:
type: string
enum:
- GET
- POST
- PUT
- PATCH
- DELETE
- HEAD
- OPTIONS
description: HTTP method of the deprecated endpoint.
operationId:
type: string
description: OpenAPI operation ID.
example: createToken
deprecatedAt:
type: string
format: date-time
sunsetAt:
type: string
format: date-time
daysUntilSunset:
type: integer
description: Computed days remaining until sunset.
example: 180
successorPath:
type: string
description: Path to the replacement endpoint.
reason:
type: string
description: Deprecation reason.
migrationGuide:
type: string
format: uri
changelogUrl:
type: string
format: uri
description: URL to the API changelog entry for this deprecation.
ErrorEnvelope:
type: object
required:
- code
- message
properties:
code:
type: string
example: service_unavailable
message:
type: string
traceId:
type: string
description: Correlation identifier for troubleshooting
HealthEnvelope:
type: object
required:
- status
- service
properties:
status:
type: string
example: ok
service:
type: string
example: any-service
PageMetadata:
type: object
required:
- hasMore
properties:
hasMore:
type: boolean
description: Indicates if additional pages are available.
nextCursor:
type: string
description: Cursor to fetch the next page.
previousCursor:
type: string
description: Cursor to fetch the previous page.
authority.AuthorizationCodeGrantRequest:
type: object
description: Form-encoded payload for authorization code exchange.
required:
- grant_type
- code
- redirect_uri
- code_verifier
properties:
grant_type:
type: string
const: authorization_code
client_id:
type: string
client_secret:
type: string
description: Optional when HTTP Basic auth is used.
code:
type: string
redirect_uri:
type: string
format: uri
code_verifier:
type: string
authority.ClientCredentialsGrantRequest:
type: object
required:
- grant_type
- client_id
properties:
grant_type:
type: string
const: client_credentials
client_id:
type: string
description: Registered client identifier. May also be supplied via HTTP Basic
auth.
client_secret:
type: string
description: Client secret. Required for confidential clients when not using
HTTP Basic auth.
scope:
type: string
description: Space-delimited scopes being requested.
authority_provider:
type: string
description: Optional identity provider hint for plugin-backed clients.
operator_reason:
type: string
description: Required when requesting `orch:operate`; explains the operator
action.
maxLength: 256
operator_ticket:
type: string
description: Required when requesting `orch:operate`; tracks the external change
ticket or incident.
maxLength: 128
description: Form-encoded payload for client credentials exchange.
authority.IntrospectionRequest:
type: object
required:
- token
properties:
token:
type: string
description: Token value whose state should be introspected.
token_type_hint:
type: string
description: Optional token type hint (`access_token` or `refresh_token`).
description: Form-encoded payload for token introspection.
authority.IntrospectionResponse:
type: object
description: Active token descriptor compliant with RFC 7662.
properties:
active:
type: boolean
description: Indicates whether the token is currently active.
scope:
type: string
description: Space-delimited list of scopes granted to the token.
client_id:
type: string
description: Client identifier associated with the token.
sub:
type: string
description: Subject identifier when the token represents an end-user.
username:
type: string
description: Preferred username associated with the subject.
token_type:
type: string
description: Type of the token (e.g., `Bearer`).
exp:
type: integer
description: Expiration timestamp (seconds since UNIX epoch).
iat:
type: integer
description: Issued-at timestamp (seconds since UNIX epoch).
nbf:
type: integer
description: Not-before timestamp (seconds since UNIX epoch).
aud:
type: array
description: Audience values associated with the token.
items:
type: string
iss:
type: string
description: Issuer identifier.
jti:
type: string
description: JWT identifier corresponding to the token.
tenant:
type: string
description: Tenant associated with the token, when assigned.
confirmation:
type: object
description: Sender-constrained confirmation data (e.g., mTLS thumbprint, DPoP
JWK thumbprint).
required:
- active
authority.Jwk:
type: object
description: Public key material for token signature validation.
properties:
kid:
type: string
description: Key identifier.
kty:
type: string
description: Key type (e.g., `EC`, `RSA`).
use:
type: string
description: Intended key use (`sig`).
alg:
type: string
description: Signing algorithm (e.g., `ES384`).
crv:
type: string
description: Elliptic curve identifier when applicable.
x:
type: string
description: X coordinate for EC keys.
y:
type: string
description: Y coordinate for EC keys.
status:
type: string
description: Operational status metadata for the key (e.g., `active`, `retiring`).
authority.JwksDocument:
type: object
description: JSON Web Key Set published by the Authority.
properties:
keys:
type: array
items:
$ref: "#/components/schemas/authority.Jwk"
required:
- keys
authority.OAuthErrorResponse:
type: object
description: RFC 6749 compliant error envelope.
properties:
error:
type: string
description: Machine-readable error code.
error_description:
type: string
description: Human-readable error description.
error_uri:
type: string
format: uri
description: Link to documentation about the error.
required:
- error
authority.PasswordGrantRequest:
type: object
required:
- grant_type
- client_id
- username
- password
properties:
grant_type:
type: string
const: password
client_id:
type: string
description: Registered client identifier. May also be supplied via HTTP Basic
auth.
client_secret:
type: string
description: Client secret. Required for confidential clients when not using
HTTP Basic auth.
scope:
type: string
description: Space-delimited scopes being requested.
username:
type: string
description: Resource owner username.
password:
type: string
description: Resource owner password.
authority_provider:
type: string
description: Optional identity provider hint. Required when multiple
password-capable providers are registered.
description: Form-encoded payload for password grant exchange.
authority.RefreshTokenGrantRequest:
type: object
required:
- grant_type
- refresh_token
properties:
grant_type:
type: string
const: refresh_token
client_id:
type: string
description: Registered client identifier. May also be supplied via HTTP Basic
auth.
client_secret:
type: string
description: Client secret. Required for confidential clients when not using
HTTP Basic auth.
refresh_token:
type: string
description: Previously issued refresh token.
scope:
type: string
description: Optional scope list to narrow the requested access.
description: Form-encoded payload for refresh token exchange.
authority.RevocationRequest:
type: object
required:
- token
properties:
token:
type: string
description: Token value or token identifier to revoke.
token_type_hint:
type: string
description: Optional token type hint (`access_token` or `refresh_token`).
description: Form-encoded payload for token revocation.
authority.TokenResponse:
type: object
description: OAuth 2.1 bearer token response.
properties:
access_token:
type: string
description: Access token encoded as JWT.
token_type:
type: string
description: Token type indicator. Always `Bearer`.
expires_in:
type: integer
description: Lifetime of the access token, in seconds.
minimum: 1
refresh_token:
type: string
description: Refresh token issued when the grant allows offline access.
scope:
type: string
description: Space-delimited scopes granted in the response.
id_token:
type: string
description: ID token issued for authorization-code flows.
required:
- access_token
- token_type
- expires_in
export-center.BundleManifest:
type: object
required:
- bundleId
- contents
properties:
bundleId:
type: string
contents:
type: array
items:
type: object
required:
- type
- digest
properties:
type:
type: string
example: advisory
digest:
type: string
example: sha256:abc123
createdAt:
type: string
format: date-time
export-center.BundleSummary:
type: object
required:
- bundleId
- createdAt
- status
properties:
bundleId:
type: string
createdAt:
type: string
format: date-time
status:
type: string
enum:
- ready
- building
- failed
sizeBytes:
type: integer
export-center.HealthResponse:
$ref: "#/components/schemas/HealthEnvelope"
graph.ErrorEnvelope:
type: object
properties:
code:
type: string
message:
type: string
traceId:
type: string
required:
- code
- message
graph.GraphNodePage:
type: object
required:
- nodes
- metadata
properties:
nodes:
type: array
items:
type: object
required:
- id
- kind
- label
properties:
id:
type: string
kind:
type: string
label:
type: string
metadata:
$ref: "#/components/schemas/PageMetadata"
graph.GraphStatus:
type: object
required:
- graphId
- status
properties:
graphId:
type: string
status:
type: string
enum:
- building
- ready
- failed
builtAt:
type: string
format: date-time
graph.HealthEnvelope:
type: object
properties:
status:
type: string
service:
type: string
required:
- status
- service
orchestrator.ErrorEnvelope:
type: object
properties:
code:
type: string
message:
type: string
traceId:
type: string
required:
- code
- message
orchestrator.JobCreateRequest:
type: object
required:
- kind
- payload
properties:
kind:
type: string
description: Job kind identifier.
payload:
type: object
description: Job payload (kind-specific fields).
priority:
type: string
enum:
- low
- normal
- high
tenant:
type: string
orchestrator.JobCreateResponse:
type: object
required:
- jobId
- status
properties:
jobId:
type: string
status:
type: string
queue:
type: string
enqueuedAt:
type: string
format: date-time
orchestrator.JobSummary:
type: object
required:
- jobId
- status
- queue
- enqueuedAt
properties:
jobId:
type: string
status:
type: string
enum:
- queued
- running
- failed
- completed
queue:
type: string
enqueuedAt:
type: string
format: date-time
startedAt:
type: string
format: date-time
completedAt:
type: string
format: date-time
tenant:
type: string
policy.EvaluationRequest:
type: object
required:
- artifactId
properties:
artifactId:
type: string
example: registry.stella-ops.local/runtime/api
policyVersion:
type: string
example: 2025.10.1
inputs:
type: object
policy.EvaluationResponse:
type: object
required:
- decision
properties:
decision:
type: string
enum:
- allow
- deny
policyVersion:
type: string
traceId:
type: string
reasons:
type: array
items:
type: string
obligations:
type: array
items:
type: object
cacheHit:
type: boolean
description: Whether the decision was served from cache.
cacheSource:
type: string
enum:
- none
- inMemory
- redis
description: Source of cached data (none for fresh computation, inMemory for L1 cache, redis for Provcache L2).
executionTimeMs:
type: integer
description: Time taken to evaluate the policy in milliseconds.
provcache.TrustScoreComponent:
type: object
required:
- score
- weight
properties:
score:
type: integer
minimum: 0
maximum: 100
description: Component score (0-100).
weight:
type: number
format: float
minimum: 0
maximum: 1
description: Weight of this component in the total score (0.0-1.0).
provcache.TrustScoreBreakdown:
type: object
required:
- reachability
- sbomCompleteness
- vexCoverage
- policyFreshness
- signerTrust
properties:
reachability:
$ref: '#/components/schemas/provcache.TrustScoreComponent'
description: Reachability evidence contribution (weight 25%).
sbomCompleteness:
$ref: '#/components/schemas/provcache.TrustScoreComponent'
description: SBOM completeness contribution (weight 20%).
vexCoverage:
$ref: '#/components/schemas/provcache.TrustScoreComponent'
description: VEX statement coverage contribution (weight 20%).
policyFreshness:
$ref: '#/components/schemas/provcache.TrustScoreComponent'
description: Policy freshness contribution (weight 15%).
signerTrust:
$ref: '#/components/schemas/provcache.TrustScoreComponent'
description: Signer trust contribution (weight 20%).
provcache.ReplaySeed:
type: object
required:
- feedIds
- ruleIds
properties:
feedIds:
type: array
items:
type: string
description: Advisory feed identifiers used in evaluation.
ruleIds:
type: array
items:
type: string
description: Policy rule identifiers used in evaluation.
frozenEpoch:
type: string
format: date-time
description: Optional frozen epoch timestamp for deterministic replay.
provcache.DecisionDigest:
type: object
required:
- digestVersion
- veriKey
- verdictHash
- proofRoot
- replaySeed
- createdAt
- expiresAt
- trustScore
properties:
digestVersion:
type: string
description: Schema version of this digest format.
example: v1
veriKey:
type: string
description: Composite cache key that uniquely identifies the provenance decision context.
example: sha256:abc123...
verdictHash:
type: string
description: Hash of sorted dispositions from the evaluation result.
proofRoot:
type: string
description: Merkle root of all evidence chunks used in this decision.
replaySeed:
$ref: '#/components/schemas/provcache.ReplaySeed'
createdAt:
type: string
format: date-time
description: UTC timestamp when this digest was created.
expiresAt:
type: string
format: date-time
description: UTC timestamp when this digest expires.
trustScore:
type: integer
minimum: 0
maximum: 100
description: Composite trust score (0-100) indicating decision confidence.
trustScoreBreakdown:
$ref: '#/components/schemas/provcache.TrustScoreBreakdown'
description: Breakdown of trust score by component.
policy.PolicyListResponse:
type: object
required:
- items
properties:
items:
type: array
items:
type: object
properties:
id:
type: string
name:
type: string
status:
type: string
version:
type: integer
tenant:
type: string
updatedAt:
type: string
format: date-time
pageSize:
type: integer
nextPageToken:
type: string
scanner.CallGraphAcceptedResponse:
type: object
properties:
callgraphId:
type: string
nodeCount:
type: integer
edgeCount:
type: integer
digest:
type: string
scanner.CallGraphArtifact:
type: object
properties:
artifactKey:
type: string
kind:
type: string
enum:
- assembly
- jar
- module
- binary
sha256:
type: string
purl:
type: string
scanner.CallGraphEdge:
type: object
required:
- from
- to
properties:
from:
type: string
description: Source node ID
to:
type: string
description: Target node ID
kind:
type: string
enum:
- static
- heuristic
default: static
reason:
type: string
enum:
- direct_call
- virtual_call
- reflection_string
- di_binding
- dynamic_import
- unknown
weight:
type: number
default: 1
scanner.CallGraphEntrypoint:
type: object
required:
- nodeId
- kind
properties:
nodeId:
type: string
kind:
type: string
enum:
- http
- grpc
- cli
- job
- event
- unknown
route:
type: string
description: HTTP route pattern (e.g., /api/orders/{id})
framework:
type: string
enum:
- aspnetcore
- minimalapi
- spring
- express
- fastapi
- unknown
scanner.CallGraphNode:
type: object
required:
- nodeId
- symbolKey
properties:
nodeId:
type: string
artifactKey:
type: string
symbolKey:
type: string
description: Canonical symbol key (Namespace.Type::Method(signature))
visibility:
type: string
enum:
- public
- internal
- private
- unknown
isEntrypointCandidate:
type: boolean
default: false
scanner.CallGraphV1:
type: object
required:
- schema
- scanKey
- language
- nodes
- edges
properties:
schema:
type: string
const: stella.callgraph.v1
scanKey:
type: string
format: uuid
language:
type: string
enum:
- dotnet
- java
- node
- python
- go
- rust
- binary
- ruby
- php
artifacts:
type: array
items:
$ref: "#/components/schemas/scanner.CallGraphArtifact"
nodes:
type: array
items:
$ref: "#/components/schemas/scanner.CallGraphNode"
edges:
type: array
items:
$ref: "#/components/schemas/scanner.CallGraphEdge"
entrypoints:
type: array
items:
$ref: "#/components/schemas/scanner.CallGraphEntrypoint"
scanner.ComponentReachability:
type: object
properties:
purl:
type: string
status:
type: string
enum:
- reachable
- unreachable
- possibly_reachable
- unknown
confidence:
type: number
latticeState:
type: string
why:
type: array
items:
type: string
scanner.ComponentReachabilityList:
type: object
properties:
items:
type: array
items:
$ref: "#/components/schemas/scanner.ComponentReachability"
total:
type: integer
scanner.ComputeReachabilityRequest:
type: object
properties:
forceRecompute:
type: boolean
default: false
entrypoints:
type: array
items:
type: string
description: Override auto-detected entrypoints
targets:
type: array
items:
type: string
description: Specific symbols to analyze
scanner.ComputeReachabilityResponse:
type: object
properties:
jobId:
type: string
status:
type: string
enum:
- queued
- processing
estimatedDuration:
type: string
description: ISO-8601 duration estimate
scanner.CreateScanRequest:
type: object
required:
- artifactDigest
properties:
artifactDigest:
type: string
description: Image or artifact digest (sha256:...)
repoUri:
type: string
commitSha:
type: string
policyProfileId:
type: string
metadata:
type: object
additionalProperties: true
scanner.CreateScanResponse:
type: object
properties:
scanId:
type: string
format: uuid
status:
type: string
enum:
- created
- pending
- processing
- completed
- failed
createdAt:
type: string
format: date-time
scanner.ErrorResponse:
type: object
properties:
error:
type: string
message:
type: string
details:
type: object
scanner.EvidenceChain:
type: object
properties:
staticAnalysis:
type: object
properties:
callgraphDigest:
type: string
pathLength:
type: integer
edgeTypes:
type: array
items:
type: string
runtimeEvidence:
type: object
properties:
observed:
type: boolean
hitCount:
type: integer
lastObserved:
type: string
format: date-time
policyEvaluation:
type: object
properties:
policyDigest:
type: string
verdict:
type: string
verdictReason:
type: string
scanner.ExplanationReason:
type: object
properties:
code:
type: string
description:
type: string
impact:
type: number
scanner.LoadedArtifact:
type: object
properties:
artifactKey:
type: string
evidence:
type: string
enum:
- loaded_module
- mapped_file
- jar_loaded
scanner.ProofSegment:
type: object
properties:
segmentId:
type: string
segmentType:
type: string
enum:
- SBOM_SLICE
- MATCH
- REACHABILITY
- GUARD_ANALYSIS
- RUNTIME_OBSERVATION
- POLICY_EVAL
index:
type: integer
inputHash:
type: string
resultHash:
type: string
prevSegmentHash:
type: string
toolId:
type: string
toolVersion:
type: string
status:
type: string
enum:
- pending
- verified
- partial
- invalid
- untrusted
createdAt:
type: string
format: date-time
scanner.ProofSpine:
type: object
properties:
spineId:
type: string
artifactId:
type: string
vulnerabilityId:
type: string
policyProfileId:
type: string
verdict:
type: string
verdictReason:
type: string
rootHash:
type: string
scanRunId:
type: string
segments:
type: array
items:
$ref: "#/components/schemas/scanner.ProofSegment"
createdAt:
type: string
format: date-time
supersededBySpineId:
type: string
scanner.ProofSpineList:
type: object
properties:
items:
type: array
items:
$ref: "#/components/schemas/scanner.ProofSpineSummary"
total:
type: integer
scanner.ProofSpineSummary:
type: object
properties:
spineId:
type: string
artifactId:
type: string
vulnerabilityId:
type: string
verdict:
type: string
segmentCount:
type: integer
createdAt:
type: string
format: date-time
scanner.ReachabilityExplanation:
type: object
properties:
cveId:
type: string
purl:
type: string
status:
type: string
confidence:
type: number
latticeState:
type: string
pathWitness:
type: array
items:
type: string
description: Symbol path from entrypoint to vulnerable code
why:
type: array
items:
$ref: "#/components/schemas/scanner.ExplanationReason"
evidence:
$ref: "#/components/schemas/scanner.EvidenceChain"
spineId:
type: string
description: Reference to ProofSpine for full audit trail
scanner.ReachabilityFinding:
type: object
properties:
cveId:
type: string
purl:
type: string
status:
type: string
confidence:
type: number
latticeState:
type: string
severity:
type: string
affectedVersions:
type: string
scanner.ReachabilityFindingList:
type: object
properties:
items:
type: array
items:
$ref: "#/components/schemas/scanner.ReachabilityFinding"
total:
type: integer
scanner.RuntimeEnvironment:
type: object
properties:
os:
type: string
k8s:
type: object
properties:
namespace:
type: string
pod:
type: string
container:
type: string
imageDigest:
type: string
buildId:
type: string
scanner.RuntimeEvidenceAcceptedResponse:
type: object
properties:
evidenceId:
type: string
sampleCount:
type: integer
loadedArtifactCount:
type: integer
scanner.RuntimeEvidenceV1:
type: object
required:
- schema
- scanKey
- collectedAt
properties:
schema:
type: string
const: stella.runtimeevidence.v1
scanKey:
type: string
format: uuid
collectedAt:
type: string
format: date-time
environment:
$ref: "#/components/schemas/scanner.RuntimeEnvironment"
samples:
type: array
items:
$ref: "#/components/schemas/scanner.RuntimeSample"
loadedArtifacts:
type: array
items:
$ref: "#/components/schemas/scanner.LoadedArtifact"
scanner.RuntimeSample:
type: object
properties:
timestamp:
type: string
format: date-time
pid:
type: integer
threadId:
type: integer
frames:
type: array
items:
type: string
description: Array of node IDs representing call stack
sampleWeight:
type: number
default: 1
scanner.ScanDetails:
type: object
properties:
scanId:
type: string
status:
type: string
artifactDigest:
type: string
callGraphCount:
type: integer
runtimeEvidenceCount:
type: integer
reachabilityStatus:
type: string
enum:
- pending
- computing
- completed
- failed
createdAt:
type: string
format: date-time
completedAt:
type: string
format: date-time
scheduler.ErrorEnvelope:
type: object
properties:
code:
type: string
message:
type: string
traceId:
type: string
required:
- code
- message
scheduler.HealthEnvelope:
type: object
properties:
status:
type: string
service:
type: string
required:
- status
- service
scheduler.QueueStatus:
type: object
required:
- name
- depth
- inflight
- updatedAt
properties:
name:
type: string
depth:
type: integer
inflight:
type: integer
oldestAgeSeconds:
type: integer
updatedAt:
type: string
format: date-time
parameters:
CursorParam:
name: cursor
in: query
required: false
schema:
type: string
example: eyJyIjoiMjAyNS0xMS0xOC0wMDIifQ
LimitParam:
name: limit
in: query
required: false
schema:
type: integer
minimum: 1
maximum: 200
example: 50
TenantParam:
name: tenant
in: query
required: false
schema:
type: string
description: Filter results to a specific tenant identifier.
example: acme
securitySchemes:
BearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
ClientSecretBasic:
type: http
scheme: basic
description: HTTP Basic authentication with `client_id` and `client_secret`.
OAuthClientCredentials:
type: oauth2
description: OAuth 2.1 client credentials flow scoped per service.
flows:
clientCredentials:
tokenUrl: /token
scopes: {}
OAuthPassword:
type: oauth2
description: Resource owner password exchange for Authority-managed identities.
flows:
password:
tokenUrl: /token
refreshUrl: /token
scopes:
attestor.write: Submit attestation bundles and Rekor entries.
attestor.verify: Invoke attestation verification APIs.
attestor.read: Fetch attestation entries and proofs.
advisory:ingest: Submit advisory ingestion payloads.
advisory:read: Read advisory ingestion data.
advisory-ai:view: View Advisory AI artefacts and cached outputs.
advisory-ai:operate: Submit Advisory AI inference and remediation requests.
advisory-ai:admin: Administer Advisory AI configuration, profiles, and remote
execution.
aoc:verify: Execute Aggregation-Only Contract verification workflows.
airgap:seal: Seal or unseal an air-gapped installation.
airgap:import: Import offline bundles and mirror artifacts while air-gapped.
airgap:status:read: Read air-gap sealing status and staleness indicators.
obs:read: Read observability dashboards, SLO digests, and incident overlays.
timeline:read: Read incident timeline entries and annotations.
timeline:write: Append deterministic incident timeline events and annotations.
evidence:create: Create evidence items, upload artefacts, and link attestations.
evidence:read: Read evidence items, artefacts, and linkage metadata.
evidence:hold: Apply or release legal holds on evidence items.
attest:read: Read attestation records, DSSE bundles, and verification proofs.
obs:incident: Toggle incident mode, extend retention, enable emergency telemetry.
authority.audit.read: Read Authority audit logs.
authority.clients.manage: Manage Authority client registrations.
authority.users.manage: Manage Authority users.
authority:tenants.read: Read the Authority tenant catalog.
concelier.jobs.trigger: Trigger Concelier aggregation jobs.
concelier.merge: Manage Concelier merge operations.
effective:write: Write effective findings (Policy Engine service identity only).
email: Access email claim data.
exceptions:approve: Approve exception workflows.
findings:read: Read effective findings emitted by Policy Engine.
graph:export: Export graph artefacts.
graph:read: Read graph explorer data.
graph:simulate: Run graph what-if simulations.
graph:write: Enqueue or mutate graph build jobs.
offline_access: Request refresh tokens for offline access.
openid: Request OpenID Connect identity tokens.
orch:operate: Execute privileged Orchestrator control actions.
orch:read: Read Orchestrator job state.
packs.read: Read Task Pack definitions and execution history.
packs.write: Publish or update Task Packs in the registry.
packs.run: Execute Task Packs via Task Runner workflows.
packs.approve: Approve Task Pack gates and resume pending runs.
policy:author: Author Policy Studio drafts and workspaces.
policy:activate: Activate policy revisions.
policy:approve: Approve or reject policy drafts.
policy:audit: Inspect Policy Studio audit history.
policy:edit: Edit policy definitions.
policy:operate: Operate Policy Studio promotions and runs.
policy:read: Read policy definitions and metadata.
policy:run: Trigger policy executions.
policy:submit: Submit policy drafts for review.
policy:review: Review Policy Studio drafts and leave feedback.
policy:simulate: Execute Policy Studio simulations.
policy:write: Create or update policy drafts.
profile: Access profile claim data.
signals:admin: Administer Signals ingestion and routing settings.
signals:read: Read Signals events and state.
signals:write: Publish Signals events or mutate state.
stellaops.bypass: Bypass trust boundary protections (restricted identities only).
ui.read: Read Console UX resources.
vex:ingest: Submit VEX ingestion payloads.
vex:read: Read VEX ingestion data.
vuln:view: Read vulnerability overlays and issue permalinks.
vuln:investigate: Perform vulnerability triage actions (assign, comment, annotate).
vuln:operate: Execute vulnerability workflow transitions and remediation tasks.
vuln:audit: Access vulnerability audit ledgers and exports.
vuln:read: Read vulnerability permalinks and overlays. (legacy compatibility;
prefer vuln:view)
authorizationCode:
authorizationUrl: /authorize
tokenUrl: /token
refreshUrl: /token
scopes:
attestor.write: Submit attestation bundles and Rekor entries.
attestor.verify: Invoke attestation verification APIs.
attestor.read: Fetch attestation entries and proofs.
advisory:ingest: Submit advisory ingestion payloads.
advisory:read: Read advisory ingestion data.
advisory-ai:view: View Advisory AI artefacts and cached outputs.
advisory-ai:operate: Submit Advisory AI inference and remediation requests.
advisory-ai:admin: Administer Advisory AI configuration, profiles, and remote
execution.
aoc:verify: Execute Aggregation-Only Contract verification workflows.
airgap:seal: Seal or unseal an air-gapped installation.
airgap:import: Import offline bundles and mirror artifacts while air-gapped.
airgap:status:read: Read air-gap sealing status and staleness indicators.
obs:read: Read observability dashboards, SLO digests, and incident overlays.
timeline:read: Read incident timeline entries and annotations.
timeline:write: Append deterministic incident timeline events and annotations.
evidence:create: Create evidence items, upload artefacts, and link attestations.
evidence:read: Read evidence items, artefacts, and linkage metadata.
evidence:hold: Apply or release legal holds on evidence items.
attest:read: Read attestation records, DSSE bundles, and verification proofs.
obs:incident: Toggle incident mode, extend retention, enable emergency telemetry.
authority.audit.read: Read Authority audit logs.
authority.clients.manage: Manage Authority client registrations.
authority.users.manage: Manage Authority users.
authority:tenants.read: Read the Authority tenant catalog.
concelier.jobs.trigger: Trigger Concelier aggregation jobs.
concelier.merge: Manage Concelier merge operations.
effective:write: Write effective findings (Policy Engine service identity only).
email: Access email claim data.
exceptions:approve: Approve exception workflows.
findings:read: Read effective findings emitted by Policy Engine.
graph:export: Export graph artefacts.
graph:read: Read graph explorer data.
graph:simulate: Run graph what-if simulations.
graph:write: Enqueue or mutate graph build jobs.
offline_access: Request refresh tokens for offline access.
openid: Request OpenID Connect identity tokens.
orch:operate: Execute privileged Orchestrator control actions.
orch:read: Read Orchestrator job state.
policy:author: Author Policy Studio drafts and workspaces.
policy:activate: Activate policy revisions.
policy:approve: Approve or reject policy drafts.
policy:audit: Inspect Policy Studio audit history.
policy:edit: Edit policy definitions.
policy:operate: Operate Policy Studio promotions and runs.
policy:read: Read policy definitions and metadata.
policy:run: Trigger policy executions.
policy:submit: Submit policy drafts for review.
policy:review: Review Policy Studio drafts and leave feedback.
policy:simulate: Execute Policy Studio simulations.
policy:write: Create or update policy drafts.
profile: Access profile claim data.
signals:admin: Administer Signals ingestion and routing settings.
signals:read: Read Signals events and state.
signals:write: Publish Signals events or mutate state.
stellaops.bypass: Bypass trust boundary protections (restricted identities only).
ui.read: Read Console UX resources.
vex:ingest: Submit VEX ingestion payloads.
vex:read: Read VEX ingestion data.
vuln:view: Read vulnerability overlays and issue permalinks.
vuln:investigate: Perform vulnerability triage actions (assign, comment, annotate).
vuln:operate: Execute vulnerability workflow transitions and remediation tasks.
vuln:audit: Access vulnerability audit ledgers and exports.
vuln:read: Read vulnerability permalinks and overlays. (legacy compatibility;
prefer vuln:view)
responses:
ErrorResponse:
description: Error envelope
content:
application/json:
schema:
type: object
required:
- code
- message
properties:
code:
type: string
message:
type: string
traceId:
type: string
Reference in New Issue View Git Blame Copy Permalink