stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
e2e404e705578c36a9d19a806405bd3051bc52ce
git.stella-ops.org/docs/schemas/export-bundle-shapes.schema.json
StellaOps Bot 9bd6a73926
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Implement incident mode management service and models 
- Added IPackRunIncidentModeService interface for managing incident mode activation, deactivation, and status retrieval.
- Created PackRunIncidentModeService class implementing the service interface with methods for activating, deactivating, and escalating incident modes.
- Introduced incident mode status model (PackRunIncidentModeStatus) and related enums for escalation levels and activation sources.
- Developed retention policy, telemetry settings, and debug capture settings models to manage incident mode configurations.
- Implemented SLO breach notification handling to activate incident mode based on severity.
- Added in-memory store (InMemoryPackRunIncidentModeStore) for testing purposes.
- Created comprehensive unit tests for incident mode service, covering activation, deactivation, status retrieval, and SLO breach handling.
2025-12-06 22:33:00 +02:00

629 lines
16 KiB
JSON
Raw Blame History

{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/export-bundle-shapes.schema.json",
"title": "StellaOps Export Bundle Shapes Schema",
"description": "Schema for export bundle formats, hashing inputs, and airgap bundle structures. Unblocks DOCS-RISK-68-001, DOCS-RISK-68-002 (2+ tasks).",
"type": "object",
"definitions": {
"ExportBundle": {
"type": "object",
"description": "Export bundle package",
"required": ["bundle_id", "bundle_type", "version", "created_at", "contents"],
"properties": {
"bundle_id": {
"type": "string",
"format": "uuid"
},
"bundle_type": {
"type": "string",
"enum": ["findings", "sbom", "vex", "risk", "compliance", "evidence", "full"],
"description": "Type of export bundle"
},
"version": {
"type": "string",
"pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
},
"format": {
"type": "string",
"enum": ["json", "ndjson", "csv", "xml", "cyclonedx", "spdx", "sarif"],
"description": "Output format"
},
"created_at": {
"type": "string",
"format": "date-time"
},
"created_by": {
"type": "string"
},
"tenant_id": {
"type": "string"
},
"scope": {
"$ref": "#/definitions/ExportScope"
},
"contents": {
"$ref": "#/definitions/BundleContents"
},
"metadata": {
"$ref": "#/definitions/BundleMetadata"
},
"signatures": {
"type": "array",
"items": {
"$ref": "#/definitions/BundleSignature"
}
},
"manifest_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Digest of bundle manifest"
}
}
},
"ExportScope": {
"type": "object",
"description": "Scope of exported data",
"properties": {
"projects": {
"type": "array",
"items": {
"type": "string"
}
},
"assets": {
"type": "array",
"items": {
"type": "string"
}
},
"time_range": {
"type": "object",
"properties": {
"start": {
"type": "string",
"format": "date-time"
},
"end": {
"type": "string",
"format": "date-time"
}
}
},
"severities": {
"type": "array",
"items": {
"type": "string",
"enum": ["critical", "high", "medium", "low", "info"]
}
},
"statuses": {
"type": "array",
"items": {
"type": "string"
}
},
"filters": {
"type": "object",
"additionalProperties": true,
"description": "Additional filter criteria"
}
}
},
"BundleContents": {
"type": "object",
"description": "Bundle content inventory",
"properties": {
"files": {
"type": "array",
"items": {
"$ref": "#/definitions/BundleFile"
}
},
"record_counts": {
"type": "object",
"additionalProperties": {
"type": "integer"
},
"description": "Count of records by type"
},
"total_size_bytes": {
"type": "integer"
},
"compressed_size_bytes": {
"type": "integer"
},
"compression": {
"type": "string",
"enum": ["none", "gzip", "zstd", "lz4"]
}
}
},
"BundleFile": {
"type": "object",
"description": "Individual file in bundle",
"required": ["path", "digest", "size_bytes"],
"properties": {
"path": {
"type": "string"
},
"type": {
"type": "string",
"enum": ["data", "metadata", "schema", "signature", "index"]
},
"format": {
"type": "string"
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"size_bytes": {
"type": "integer"
},
"record_count": {
"type": "integer"
},
"schema_ref": {
"type": "string",
"description": "Reference to schema for this file"
}
}
},
"BundleMetadata": {
"type": "object",
"description": "Bundle metadata",
"properties": {
"export_job_id": {
"type": "string"
},
"source_system": {
"type": "string"
},
"source_version": {
"type": "string"
},
"export_profile": {
"type": "string"
},
"redaction_applied": {
"type": "boolean",
"default": false
},
"redaction_policy": {
"type": "string"
},
"retention_policy": {
"type": "string"
},
"classification": {
"type": "string",
"enum": ["public", "internal", "confidential", "restricted"]
},
"custom": {
"type": "object",
"additionalProperties": true
}
}
},
"BundleSignature": {
"type": "object",
"description": "Digital signature on bundle",
"required": ["signature_type", "signature"],
"properties": {
"signature_type": {
"type": "string",
"enum": ["dsse", "cosign", "gpg", "x509"]
},
"signature": {
"type": "string",
"description": "Base64-encoded signature"
},
"public_key": {
"type": "string",
"description": "Public key or key reference"
},
"key_id": {
"type": "string"
},
"signed_at": {
"type": "string",
"format": "date-time"
},
"signer": {
"type": "string"
},
"certificate_chain": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"AirgapBundle": {
"type": "object",
"description": "Air-gapped export bundle for offline environments",
"required": ["bundle_id", "created_at", "manifest"],
"properties": {
"bundle_id": {
"type": "string",
"format": "uuid"
},
"bundle_type": {
"type": "string",
"const": "airgap"
},
"created_at": {
"type": "string",
"format": "date-time"
},
"valid_until": {
"type": "string",
"format": "date-time",
"description": "Expiration for time-sensitive data"
},
"manifest": {
"$ref": "#/definitions/AirgapManifest"
},
"advisory_data": {
"$ref": "#/definitions/AdvisoryBundle"
},
"risk_data": {
"$ref": "#/definitions/RiskBundle"
},
"policy_data": {
"$ref": "#/definitions/PolicyBundle"
},
"time_anchor": {
"$ref": "#/definitions/TimeAnchor"
},
"aggregate_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
}
}
},
"AirgapManifest": {
"type": "object",
"description": "Manifest of airgap bundle contents",
"required": ["version", "files"],
"properties": {
"version": {
"type": "string"
},
"format_version": {
"type": "string",
"const": "1.0"
},
"files": {
"type": "array",
"items": {
"$ref": "#/definitions/BundleFile"
}
},
"dependencies": {
"type": "array",
"items": {
"type": "object",
"properties": {
"bundle_id": {
"type": "string"
},
"required": {
"type": "boolean"
}
}
}
}
}
},
"AdvisoryBundle": {
"type": "object",
"description": "Advisory data for airgap bundle",
"properties": {
"sources": {
"type": "array",
"items": {
"type": "string"
},
"description": "Advisory sources included (NVD, OSV, etc.)"
},
"advisory_count": {
"type": "integer"
},
"cve_count": {
"type": "integer"
},
"last_sync": {
"type": "string",
"format": "date-time"
},
"file_ref": {
"type": "string",
"description": "Path to advisory data file"
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
}
}
},
"RiskBundle": {
"type": "object",
"description": "Risk scoring data for airgap bundle",
"properties": {
"profiles": {
"type": "array",
"items": {
"type": "string"
},
"description": "Risk profiles included"
},
"epss_data": {
"type": "object",
"properties": {
"version": {
"type": "string"
},
"date": {
"type": "string",
"format": "date"
},
"record_count": {
"type": "integer"
}
}
},
"kev_data": {
"type": "object",
"properties": {
"version": {
"type": "string"
},
"date": {
"type": "string",
"format": "date"
},
"record_count": {
"type": "integer"
}
}
},
"file_ref": {
"type": "string"
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
}
}
},
"PolicyBundle": {
"type": "object",
"description": "Policy data for airgap bundle",
"properties": {
"policy_packs": {
"type": "array",
"items": {
"type": "object",
"properties": {
"pack_id": {
"type": "string"
},
"version": {
"type": "string"
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
}
}
}
},
"file_ref": {
"type": "string"
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
}
}
},
"TimeAnchor": {
"type": "object",
"description": "Time anchor for bundle validity",
"required": ["anchor_time", "source"],
"properties": {
"anchor_time": {
"type": "string",
"format": "date-time"
},
"source": {
"type": "string",
"enum": ["ntp", "tsa", "rekor", "manual"]
},
"tsa_response": {
"type": "string",
"description": "RFC 3161 timestamp response (base64)"
},
"rekor_entry": {
"type": "string",
"description": "Rekor transparency log entry ID"
},
"drift_tolerance": {
"type": "string",
"description": "Acceptable clock drift (e.g., 1h)"
}
}
},
"HashingInputs": {
"type": "object",
"description": "Inputs used for deterministic hashing",
"required": ["algorithm", "inputs"],
"properties": {
"algorithm": {
"type": "string",
"enum": ["sha256", "sha384", "sha512"],
"default": "sha256"
},
"inputs": {
"type": "array",
"items": {
"$ref": "#/definitions/HashInput"
},
"description": "Ordered list of inputs for hash computation"
},
"canonicalization": {
"type": "string",
"enum": ["none", "json-canonical", "xml-c14n"],
"description": "Canonicalization method before hashing"
},
"encoding": {
"type": "string",
"enum": ["utf8", "base64"],
"default": "utf8"
},
"computed_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
}
}
},
"HashInput": {
"type": "object",
"description": "Single input for hash computation",
"required": ["type", "value"],
"properties": {
"type": {
"type": "string",
"enum": ["file", "field", "literal", "nested_digest"]
},
"path": {
"type": "string",
"description": "File path or JSON path"
},
"value": {
"type": "string",
"description": "Literal value or computed digest"
},
"order": {
"type": "integer",
"description": "Order in hash computation"
}
}
},
"ExportProfile": {
"type": "object",
"description": "Export profile configuration",
"required": ["profile_id", "name", "bundle_type"],
"properties": {
"profile_id": {
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string"
},
"bundle_type": {
"type": "string",
"enum": ["findings", "sbom", "vex", "risk", "compliance", "evidence", "full"]
},
"format": {
"type": "string"
},
"scope_defaults": {
"$ref": "#/definitions/ExportScope"
},
"include_signatures": {
"type": "boolean",
"default": true
},
"compression": {
"type": "string",
"enum": ["none", "gzip", "zstd"]
},
"redaction_policy": {
"type": "string"
},
"retention_days": {
"type": "integer"
},
"schedule": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"cron": {
"type": "string"
},
"destination": {
"type": "string"
}
}
}
}
}
},
"properties": {
"export_profiles": {
"type": "array",
"items": {
"$ref": "#/definitions/ExportProfile"
}
},
"bundle_schemas": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "Schema references by bundle type"
}
},
"examples": [
{
"export_profiles": [
{
"profile_id": "findings-weekly",
"name": "Weekly Findings Export",
"description": "Weekly export of all findings for compliance reporting",
"bundle_type": "findings",
"format": "ndjson",
"scope_defaults": {
"time_range": {
"start": "{{now-7d}}",
"end": "{{now}}"
},
"severities": ["critical", "high", "medium"]
},
"include_signatures": true,
"compression": "gzip",
"redaction_policy": "pii-removal",
"retention_days": 90,
"schedule": {
"enabled": true,
"cron": "0 0 * * 0",
"destination": "s3://exports/weekly/"
}
},
{
"profile_id": "airgap-full",
"name": "Air-Gap Full Bundle",
"description": "Complete bundle for air-gapped environments",
"bundle_type": "full",
"format": "json",
"include_signatures": true,
"compression": "zstd"
}
],
"bundle_schemas": {
"findings": "https://stella-ops.org/schemas/findings-bundle.schema.json",
"sbom": "https://cyclonedx.org/schema/bom-1.6.schema.json",
"vex": "https://stella-ops.org/schemas/vex-normalization.schema.json"
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink