{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://github.com/aegisbpf/aegisbpf/blob/main/config/event-schema.json",
  "title": "AegisBPF Event Schema",
  "description": "JSON Schema for AegisBPF security events",
  "type": "object",
  "oneOf": [
    { "$ref": "#/$defs/ExecEvent" },
    { "$ref": "#/$defs/BlockEvent" }
  ],
  "$defs": {
    "ExecEvent": {
      "type": "object",
      "description": "Execution event, emitted when a process execution is observed",
      "required": ["type", "pid", "ppid", "start_time", "cgid", "cgroup_path", "comm"],
      "properties": {
        "type": {
          "type": "string",
          "const": "exec",
          "description": "Event type identifier"
        },
        "pid": {
          "type": "integer",
          "minimum": 0,
          "description": "Process ID of the executed process"
        },
        "ppid": {
          "type": "integer",
          "minimum": 0,
          "description": "Parent process ID"
        },
        "start_time": {
          "type": "integer",
          "minimum": 0,
          "description": "Process start time in kernel ticks or nanoseconds"
        },
        "exec_id": {
          "type": "string",
          "description": "Stable execution identifier (pid:start_time)"
        },
        "trace_id": {
          "type": "string",
          "description": "Correlation identifier for cross-signal tracing (matches exec_id)"
        },
        "cgid": {
          "type": "integer",
          "minimum": 0,
          "description": "Cgroup ID (inode number of cgroup directory)"
        },
        "cgroup_path": {
          "type": "string",
          "description": "Full path of the cgroup"
        },
        "comm": {
          "type": "string",
          "maxLength": 16,
          "description": "Command name (truncated to 16 characters)"
        }
      },
      "additionalProperties": false
    },
    "BlockEvent": {
      "type": "object",
      "description": "Block or audit event emitted for a file open attempt that is denied in enforce mode or only audited in audit mode",
      "required": [
        "type",
        "pid",
        "ppid",
        "start_time",
        "parent_start_time",
        "cgid",
        "cgroup_path",
        "ino",
        "dev",
        "action",
        "comm"
      ],
      "properties": {
        "type": {
          "type": "string",
          "const": "block",
          "description": "Event type identifier"
        },
        "pid": {
          "type": "integer",
          "minimum": 0,
          "description": "Process ID that attempted the access"
        },
        "ppid": {
          "type": "integer",
          "minimum": 0,
          "description": "Parent process ID"
        },
        "start_time": {
          "type": "integer",
          "minimum": 0,
          "description": "Process start time (combined with pid to form exec_id)"
        },
        "exec_id": {
          "type": "string",
          "description": "Stable execution identifier (pid:start_time)"
        },
        "trace_id": {
          "type": "string",
          "description": "Correlation identifier for cross-signal tracing (matches exec_id)"
        },
        "parent_start_time": {
          "type": "integer",
          "minimum": 0,
          "description": "Parent process start time (combined with ppid to form parent_exec_id)"
        },
        "parent_exec_id": {
          "type": "string",
          "description": "Stable parent execution identifier (ppid:parent_start_time)"
        },
        "parent_trace_id": {
          "type": "string",
          "description": "Parent correlation identifier (matches parent_exec_id)"
        },
        "cgid": {
          "type": "integer",
          "minimum": 0,
          "description": "Cgroup ID (inode number of cgroup directory)"
        },
        "cgroup_path": {
          "type": "string",
          "description": "Full path of the cgroup"
        },
        "ino": {
          "type": "integer",
          "minimum": 0,
          "description": "Inode number of the file"
        },
        "dev": {
          "type": "integer",
          "minimum": 0,
          "description": "Device number of the file"
        },
        "path": {
          "type": "string",
          "description": "Path of the file, when available"
        },
        "resolved_path": {
          "type": "string",
          "description": "Resolved canonical path (if different from path)"
        },
        "action": {
          "type": "string",
          "enum": ["AUDIT", "INT", "TERM", "KILL", "BLOCK"],
          "description": "Action taken: AUDIT in audit mode, otherwise the enforce action applied in enforce mode (INT, TERM, KILL or BLOCK)"
        },
        "comm": {
          "type": "string",
          "maxLength": 16,
          "description": "Command name (truncated to 16 characters)"
        }
      },
      "additionalProperties": false
    }
  },
  "examples": [
    {
      "type": "exec",
      "pid": 12345,
      "ppid": 1000,
      "start_time": 123456789,
      "exec_id": "12345:123456789",
      "trace_id": "12345:123456789",
      "cgid": 5678,
      "cgroup_path": "/sys/fs/cgroup/user.slice/user-1000.slice",
      "comm": "bash"
    },
    {
      "type": "block",
      "pid": 12346,
      "ppid": 12345,
      "start_time": 223456789,
      "exec_id": "12346:223456789",
      "trace_id": "12346:223456789",
      "parent_start_time": 123456789,
      "parent_exec_id": "12345:123456789",
      "parent_trace_id": "12345:123456789",
      "cgid": 5678,
      "cgroup_path": "/sys/fs/cgroup/user.slice/user-1000.slice",
      "ino": 123456,
      "dev": 259,
      "path": "/etc/shadow",
      "resolved_path": "/etc/shadow",
      "action": "KILL",
      "comm": "cat"
    }
  ]
}
