
Schemas — DefenseClaw

Overview

The schema reference below is generated from JSON Schema files under schemas/. These files cover audit events, scan events, scan findings, activity events, gateway event envelopes, network egress events, scan results, and OpenTelemetry-facing event contracts.

Runtime shapes

The gateway handlers in internal/gateway/api.go and internal/gateway/proxy.go also return small JSON responses that are defined in Go rather than JSON Schema files.

| Shape | Source | Where it appears |
|---|---|---|
| Sidecar status map | internal/gateway/api.go::handleStatus | GET /status |
| Guardrail runtime config map | internal/gateway/api.go::handleGuardrailConfig | GET and PATCH /v1/guardrail/config |
| Provider list response | internal/gateway/providers_endpoint.go::providersListResponse | GET /v1/config/providers on the proxy |
| Egress ingestion payload | schemas/network-egress-event.json plus internal/gateway/egress.go validation | POST /v1/events/egress on the proxy |

Autogenerated reference

The tables below are rebuilt by make docs-gen from the JSON Schemas under schemas/. Do not edit between the BEGIN AUTOGEN / END AUTOGEN sentinels.

Audit event

DefenseClaw Audit Event

Row persisted in audit_events (SQLite) and forwarded to Splunk/HTTP sinks. v7 adds provenance (SchemaVersion=7) + three-tier agent identity. Consumers MUST treat every field marked optional as nullable — not every action emits every field.

| Field | Type | Required | Description |
|---|---|---|---|
| id | string (uuid) | yes | |
| timestamp | string (date-time) | yes | |
| action | enum (init, stop, ready, scan, scan-start, rescan, rescan-start, block, allow, warn, quarantine, restore, disable, enable, deploy, drift, network-egress-blocked, network-egress-allowed, guardrail-block, guardrail-warn, guardrail-allow, approval-request, approval-granted, approval-denied, tool-call, tool-result, config-update, policy-update, policy-reload, action, acknowledge-alerts, dismiss-alerts, webhook-delivered, webhook-failed, sink-failure, sink-restored, alert) | yes | Curated action — see internal/audit/actions.go (Go) and cli/defenseclaw/audit_actions.py (Python). Extending this enum is a minor schema bump. |
| target | string \| null | no | Target of the action (skill id, mcp server id, policy id, etc). Nullable — lifecycle events like 'init' and 'ready' have no target. |
| actor | string | yes | Who caused the action. Format: '<subsystem>:<principal>' (e.g. 'cli:alice', 'scanner:skill', 'system'). |
| details | string \| null | no | Redacted free-form detail blob. JSON-encoded payload after sanitizer. Treat as opaque. |
| severity | enum (CRITICAL, HIGH, MEDIUM, LOW, INFO, WARN) | no | |
| run_id | string \| null | no | |
| session_id | string \| null | no | |
| trace_id | string \| null | no | |
| span_id | string \| null | no | |
| agent_id | string \| null | no | Stable agent identity across process restarts. |
| agent_name | string \| null | no | Human-readable agent name. |
| agent_instance_id | string \| null | no | Per-session agent identity — rotates on new session. |
| sidecar_instance_id | string \| null | no | Per-process sidecar identity — rotates on every defenseclaw gateway start. |
| destination_app | string \| null | no | Tool provider / downstream app. Optional. |
| tool_name | string \| null | no | |
| tool_id | string \| null | no | |
| policy_id | string \| null | no | |
| schema_version | integer | yes | Audit row format version. v7 = provenance + three-tier agent identity. Downstream MUST reject unrecognized versions. |
| content_hash | string \| null | no | SHA-256 hex of the canonical JSON serialization of the emitting config / policy at emit time. Optional; present when the event describes a configurable surface. |
| generation | integer \| null | no | Monotonic counter incremented on every Save of the governing config/policy. Optional. |
| binary_version | string \| null | no | Semver of the DefenseClaw binary that produced the event. |
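The two consumer rules the audit event table states (every optional field is nullable; an unrecognized schema_version is rejected, not best-effort parsed) are easy to get wrong in a sink. The following is an added example, not DefenseClaw code: a small consumer that enforces the required fields, the action and severity enums and the version check from the table above, and normalizes each accepted row so every optional field is present (as null when absent). The actor regex is an assumption derived from the documented '<subsystem>:<principal>' format, and the JSONL sample lines are constructed.

```python
"""Consumer-side validation of DefenseClaw audit event rows (added example, not project code)."""
import json
import re

SUPPORTED_SCHEMA_VERSIONS = {7}
REQUIRED = ("id", "timestamp", "action", "actor", "schema_version")
OPTIONAL = (
    "target", "details", "severity", "run_id", "session_id", "trace_id", "span_id",
    "agent_id", "agent_name", "agent_instance_id", "sidecar_instance_id",
    "destination_app", "tool_name", "tool_id", "policy_id", "content_hash",
    "generation", "binary_version",
)
ACTIONS = {
    "init", "stop", "ready", "scan", "scan-start", "rescan", "rescan-start", "block",
    "allow", "warn", "quarantine", "restore", "disable", "enable", "deploy", "drift",
    "network-egress-blocked", "network-egress-allowed", "guardrail-block",
    "guardrail-warn", "guardrail-allow", "approval-request", "approval-granted",
    "approval-denied", "tool-call", "tool-result", "config-update", "policy-update",
    "policy-reload", "action", "acknowledge-alerts", "dismiss-alerts",
    "webhook-delivered", "webhook-failed", "sink-failure", "sink-restored", "alert",
}
SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "WARN"}
# Assumption: subsystem is a short token and the principal part is optional (the table lists a bare 'system').
ACTOR_RE = re.compile(r"^[A-Za-z0-9_-]+(?::\S+)?$")


class AuditRowError(ValueError):
    """Raised for a row the consumer must drop rather than best-effort parse."""


def check_audit_row(row):
    """Validate one decoded row; return a copy in which every optional field is present (None if absent)."""
    missing = [f for f in REQUIRED if row.get(f) is None]
    if missing:
        raise AuditRowError(f"missing required field(s): {missing}")
    if row["schema_version"] not in SUPPORTED_SCHEMA_VERSIONS:
        raise AuditRowError(f"unsupported schema_version {row['schema_version']!r}")
    if row["action"] not in ACTIONS:
        raise AuditRowError(f"unknown action {row['action']!r}")
    if not ACTOR_RE.match(str(row["actor"])):
        raise AuditRowError(f"malformed actor {row['actor']!r}")
    if row.get("severity") is not None and row["severity"] not in SEVERITIES:
        raise AuditRowError(f"unknown severity {row['severity']!r}")
    # 'details' is an opaque, already-redacted blob: carried through unchanged, never parsed here.
    normalized = {f: row[f] for f in REQUIRED}
    normalized.update({f: row.get(f) for f in OPTIONAL})
    return normalized


def consume_jsonl(lines):
    """Split a JSONL feed into accepted (normalized) rows and (line_no, reason) rejections."""
    accepted, rejected = [], []
    for line_no, line in enumerate(lines, 1):
        try:
            row = json.loads(line)
            if not isinstance(row, dict):
                raise AuditRowError("row is not a JSON object")
            accepted.append(check_audit_row(row))
        except (ValueError, TypeError) as exc:  # json.JSONDecodeError is a ValueError
            rejected.append((line_no, str(exc)))
    return accepted, rejected


# Constructed sample feed (not real DefenseClaw output): one good v7 row, one v6 row,
# one row with an action outside the enum, one line that is not JSON.
SAMPLE_LINES = [
    '{"id": "11111111-1111-4111-8111-111111111111", "timestamp": "2025-01-01T00:00:00Z", '
    '"action": "init", "actor": "system", "schema_version": 7}',
    '{"id": "22222222-2222-4222-8222-222222222222", "timestamp": "2025-01-01T00:00:01Z", '
    '"action": "block", "target": "skill:demo", "actor": "cli:alice", "schema_version": 6}',
    '{"id": "33333333-3333-4333-8333-333333333333", "timestamp": "2025-01-01T00:00:02Z", '
    '"action": "teleport", "actor": "cli:alice", "schema_version": 7}',
    "not json at all",
]

if __name__ == "__main__":
    ok, bad = consume_jsonl(SAMPLE_LINES)
    print(f"accepted={len(ok)} rejected={len(bad)}")
    for line_no, reason in bad:
        print(f"  line {line_no}: {reason}")
```

Rejections are returned alongside the line number rather than logged and dropped, so a sink can surface a version mismatch (for example after a gateway upgrade) instead of silently losing rows.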

Scan event

DefenseClaw Scan Event Payload (v7)

Populates the scan sub-object on a gateway-event-envelope when event_type="scan". Summarises one scanner invocation — findings are fanned out as sibling EventScanFinding events sharing the same scan_id.

Definitions

ScanPayload

| Field | Type | Required | Description |
|---|---|---|---|
| scan_id | string | yes | Correlation id shared by the roll-up EventScan and all child EventScanFinding events. |
| scanner | enum (skill, mcp, plugin, aibom, codeguard) | yes | |
| target | string | yes | File path \| skill name \| server URL. Redacted when scanner contract requires. |
| target_type | enum (file, skill, mcp, plugin, aibom, None) | no | |
| verdict | enum (clean, warn, block, None) | no | |
| duration_ms | integer \| null | no | |
| severity_max | enum (CRITICAL, HIGH, MEDIUM, LOW, INFO, None) | no | |
| counts | object \| null | no | Severity -> count. Keys are a subset of severity_max enum. |
| total_count | integer \| null | no | |
| exit_code | integer \| null | no | |
| error | string \| null | no | Scanner execution error. Present only when the wrapper failed (timeout, non-zero exit). |

Scan finding event

DefenseClaw Scan Finding Event Payload (v7)

Populates the scan_finding sub-object on a gateway-event-envelope when event_type="scan_finding". One emission per scanner finding; downstream SIEM can alert on a single critical finding without joining against the parent EventScan summary.

Definitions

ScanFindingPayload

| Field | Type | Required | Description |
|---|---|---|---|
| scan_id | string | yes | |
| scanner | enum (skill, mcp, plugin, aibom, codeguard) | yes | |
| target | string | yes | |
| finding_id | string \| null | no | |
| rule_id | string \| null | no | Stable detection rule identifier. Preferred group-by for SIEM; never display-string. |
| category | string \| null | no | |
| title | string \| null | no | |
| description | string \| null | no | Always redacted. |
| severity | enum (CRITICAL, HIGH, MEDIUM, LOW, INFO, None) | no | |
| location | string \| null | no | Redacted path + line. |
| line_number | integer \| null | no | |
| remediation | string \| null | no | |
| tags | array \| null | no | |

Activity event

DefenseClaw Activity Event Payload (v7)

Populates the activity sub-object on a gateway-event-envelope when event_type="activity". Records operator-facing mutations: config save, policy reload, block/allow list update, skill approval, sink reconfiguration. Carries before/after snapshots plus a structured diff so compliance auditors can reconstruct every change without scraping CLI output.

Definitions

ActivityPayload

| Field | Type | Required | Description |
|---|---|---|---|
| actor | string | yes | Principal who made the change. Format: '<subsystem>:<principal>'. |
| action | enum (config-update, policy-update, policy-reload, block, allow, quarantine, restore, disable, enable, action, acknowledge-alerts, dismiss-alerts, deploy, stop) | yes | Mirrors audit.Action. Subset applicable to operator mutations. |
| target_type | enum (policy, skill, mcp, config, action, sink, alert, plugin) | yes | |
| target_id | string | yes | |
| reason | string \| null | no | Operator-supplied free text. |
| before | object \| null | no | Compact snapshot of resource before change. null on create. |
| after | object \| null | no | Compact snapshot of resource after change. null on delete. |
| diff | array \| null | no | |
| version_from | string \| null | no | Content hash / semver of resource before change. |
| version_to | string \| null | no | Content hash / semver of resource after change. |

DiffEntry

| Field | Type | Required | Description |
|---|---|---|---|
| path | string | yes | JSON pointer / dotted path. Array indices rendered as 'field[n]'. |
| op | enum (add, remove, replace) | yes | |
| before | | no | Present for replace + remove. Redacted if sensitive. |
| after | | no | Present for add + replace. Redacted if sensitive. |
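The ActivityPayload and DiffEntry tables above describe the shape of the structured diff but not how it is produced. The following is an added example, not DefenseClaw code: a producer that walks a before/after snapshot pair, emits DiffEntry records with dotted paths and 'field[n]' array indices, and assembles the ActivityPayload with null before/after on create/delete. The list of sensitive key markers, the decision to redact the stored snapshots with the same rule as the diff entries, and the use of SHA-256 over canonical JSON (sorted keys, no whitespace) for version_from/version_to are this example's assumptions. The policy snapshots are constructed.

```python
"""Build an ActivityPayload with DiffEntry records from before/after snapshots (added example, not project code)."""
import hashlib
import json

SENSITIVE_MARKERS = ("token", "secret", "password", "api_key")  # assumption: which path segments count as sensitive
REDACTED = "[REDACTED]"


def _redact(path, value):
    """Replace a scalar when any segment of its path looks like a credential."""
    return REDACTED if any(m in path.lower() for m in SENSITIVE_MARKERS) else value


def redact_tree(value, prefix=""):
    """Apply _redact to every leaf of a nested value, tracking the dotted/indexed path."""
    if isinstance(value, dict):
        return {k: redact_tree(v, f"{prefix}.{k}" if prefix else k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_tree(v, f"{prefix}[{i}]") for i, v in enumerate(value)]
    return _redact(prefix, value)


def diff_snapshots(before, after, prefix=""):
    """Recursive structural diff producing DiffEntry dicts in deterministic (sorted-key) order."""
    entries = []
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            path = f"{prefix}.{key}" if prefix else key
            if key not in before:
                entries.append({"path": path, "op": "add", "after": redact_tree(after[key], path)})
            elif key not in after:
                entries.append({"path": path, "op": "remove", "before": redact_tree(before[key], path)})
            else:
                entries.extend(diff_snapshots(before[key], after[key], path))
    elif isinstance(before, list) and isinstance(after, list):
        for i in range(max(len(before), len(after))):
            path = f"{prefix}[{i}]"  # array indices rendered as field[n], per the DiffEntry table
            if i >= len(before):
                entries.append({"path": path, "op": "add", "after": redact_tree(after[i], path)})
            elif i >= len(after):
                entries.append({"path": path, "op": "remove", "before": redact_tree(before[i], path)})
            else:
                entries.extend(diff_snapshots(before[i], after[i], path))
    elif before != after:
        # Scalars, or a type change (e.g. list -> dict), collapse to a single replace.
        entries.append({"path": prefix, "op": "replace",
                        "before": redact_tree(before, prefix), "after": redact_tree(after, prefix)})
    return entries


def content_hash(snapshot):
    """SHA-256 hex of the canonical JSON form; computed on the unredacted snapshot so it matches the stored resource."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def activity_payload(actor, action, target_type, target_id, before, after, reason=None):
    """Assemble the ActivityPayload; before is null on create, after is null on delete."""
    return {
        "actor": actor,
        "action": action,
        "target_type": target_type,
        "target_id": target_id,
        "reason": reason,
        "before": redact_tree(before) if before is not None else None,
        "after": redact_tree(after) if after is not None else None,
        "diff": diff_snapshots(before if before is not None else {}, after if after is not None else {}),
        "version_from": content_hash(before) if before is not None else None,
        "version_to": content_hash(after) if after is not None else None,
    }


# Constructed sample snapshots (not real DefenseClaw policy objects).
BEFORE = {"name": "default", "mode": "warn", "allow": ["api.example.com"],
          "webhook": {"token": "old-token"}}
AFTER = {"name": "default", "mode": "block", "allow": ["api.example.com", "cdn.example.net"],
         "webhook": {"token": "new-token"}, "note": "tightened"}

if __name__ == "__main__":
    payload = activity_payload("cli:alice", "policy-update", "policy", "default", BEFORE, AFTER,
                               reason="tighten egress")
    print(json.dumps(payload, indent=2))
```

Sorting keys makes the diff order stable across runs, which matters when diffs are hashed or compared by a compliance pipeline; the version hashes are taken over the raw snapshots so they line up with the content_hash an emitting config reports elsewhere.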

Gateway event envelope

DefenseClaw Gateway Event Envelope (v7)

One JSONL line emitted by the DefenseClaw gateway sidecar to gateway.jsonl / stderr / HTTP sinks. The envelope carries correlation + provenance; exactly one of the type-specific payload sub-objects (verdict, judge, lifecycle, error, diagnostic, scan, scan_finding, activity) is populated and selected by event_type.

| Field | Type | Required | Description |
|---|---|---|---|
| ts | string (date-time) | yes | |
| event_type | enum (verdict, judge, lifecycle, error, diagnostic, scan, scan_finding, activity, egress) | yes | |
| severity | enum (INFO, LOW, MEDIUM, HIGH, CRITICAL, WARN) | yes | |
| schema_version | integer | yes | |
| content_hash | string \| null | no | |
| generation | integer \| null | no | |
| binary_version | string \| null | no | |
| run_id | string \| null | no | |
| request_id | string \| null | no | |
| session_id | string \| null | no | |
| trace_id | string \| null | no | |
| provider | string \| null | no | |
| model | string \| null | no | |
| direction | enum (prompt, completion, tool_call, None) | no | |
| agent_id | string \| null | no | |
| agent_name | string \| null | no | |
| agent_instance_id | string \| null | no | |
| sidecar_instance_id | string \| null | no | |
| policy_id | string \| null | no | |
| destination_app | string \| null | no | |
| tool_name | string \| null | no | |
| tool_id | string \| null | no | |
| tenant_id | string \| null | no | RESERVED (v7): logical tenancy boundary for hosted/SaaS deployments. Unpopulated until a matching producer ships. |
| workspace_id | string \| null | no | RESERVED (v7): sub-tenant workspace/organization/team scope. Unpopulated until a matching producer ships. |
| environment | string \| null | no | RESERVED (v7): deployment environment (dev\|staging\|prod\|sandbox). Unpopulated until a matching producer ships. |
| deployment_mode | string \| null | no | RESERVED (v7): sidecar deployment mode (standalone\|managed\|edge\|ci). Unpopulated until a matching producer ships. |
| discovery_source | string \| null | no | RESERVED (v7): how the monitored agent/tool was discovered (registry\|manual\|scan\|import). Unpopulated until a matching producer ships. |
| verdict | #/$defs/VerdictPayload | no | |
| judge | #/$defs/JudgePayload | no | |
| lifecycle | #/$defs/LifecyclePayload | no | |
| error | #/$defs/ErrorPayload | no | |
| diagnostic | #/$defs/DiagnosticPayload | no | |
| scan | https://defenseclaw.io/schemas/scan-event.json#/$defs/ScanPayload | no | |
| scan_finding | https://defenseclaw.io/schemas/scan-finding-event.json#/$defs/ScanFindingPayload | no | |
| activity | https://defenseclaw.io/schemas/activity-event.json#/$defs/ActivityPayload | no | |
| egress | #/$defs/EgressPayload | no | |
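The envelope contract above says exactly one payload sub-object is populated and that event_type selects it; the scan finding section earlier says a SIEM should be able to alert on a single critical finding without joining against the parent EventScan. The following is an added example, not DefenseClaw code, covering both: a router that rejects any envelope whose populated payload does not match event_type, groups findings by rule_id (the stable key, never the display strings) and collects critical-finding alerts straight from the finding events. The alert dict shape, the rule_id value and the JSONL sample lines are constructed.

```python
"""Route gateway-event-envelope lines to their payload and alert on single critical findings (added example, not project code)."""
import json
from collections import Counter

PAYLOAD_KEYS = ("verdict", "judge", "lifecycle", "error", "diagnostic",
                "scan", "scan_finding", "activity", "egress")
REQUIRED = ("ts", "event_type", "severity", "schema_version")


class EnvelopeError(ValueError):
    """The envelope violates the contract and must not be routed."""


def select_payload(envelope):
    """Return (event_type, payload) after checking exactly one sub-object is set and it matches event_type."""
    missing = [f for f in REQUIRED if f not in envelope]
    if missing:
        raise EnvelopeError(f"missing required field(s): {missing}")
    event_type = envelope["event_type"]
    if event_type not in PAYLOAD_KEYS:
        raise EnvelopeError(f"unknown event_type {event_type!r}")
    populated = [k for k in PAYLOAD_KEYS if envelope.get(k) is not None]
    if populated != [event_type]:
        raise EnvelopeError(f"event_type {event_type!r} but populated payload(s): {populated}")
    return event_type, envelope[event_type]


def is_valid_envelope(envelope):
    """Boolean form of select_payload for callers that only want to filter."""
    try:
        select_payload(envelope)
        return True
    except EnvelopeError:
        return False


def route(lines):
    """Consume a JSONL feed: count events per type, group findings by rule_id, collect critical-finding alerts."""
    per_type = Counter()
    by_rule = Counter()
    alerts = []
    for line in lines:
        envelope = json.loads(line)
        event_type, payload = select_payload(envelope)
        per_type[event_type] += 1
        if event_type != "scan_finding":
            continue
        # rule_id is the stable group-by key; title/description are display strings and may be redacted.
        by_rule[payload.get("rule_id") or "<no-rule_id>"] += 1
        if payload.get("severity") == "CRITICAL":
            alerts.append({
                "ts": envelope["ts"],
                "scan_id": payload["scan_id"],
                "rule_id": payload.get("rule_id"),
                "target": payload["target"],
                "trace_id": envelope.get("trace_id"),
            })
    return per_type, by_rule, alerts


# Constructed sample feed (not real gateway output): a scan roll-up, two findings, one verdict.
SAMPLE_LINES = [json.dumps(e) for e in (
    {"ts": "2025-01-01T00:00:00Z", "event_type": "scan", "severity": "HIGH", "schema_version": 7,
     "scan": {"scan_id": "scan-1", "scanner": "skill", "target": "skills/demo", "verdict": "block", "total_count": 2}},
    {"ts": "2025-01-01T00:00:01Z", "event_type": "scan_finding", "severity": "CRITICAL", "schema_version": 7,
     "trace_id": "trace-1",
     "scan_finding": {"scan_id": "scan-1", "scanner": "skill", "target": "skills/demo",
                      "rule_id": "EXAMPLE-RULE-001", "severity": "CRITICAL"}},
    {"ts": "2025-01-01T00:00:02Z", "event_type": "scan_finding", "severity": "LOW", "schema_version": 7,
     "scan_finding": {"scan_id": "scan-1", "scanner": "skill", "target": "skills/demo",
                      "rule_id": "EXAMPLE-RULE-002", "severity": "LOW"}},
    {"ts": "2025-01-01T00:00:03Z", "event_type": "verdict", "severity": "INFO", "schema_version": 7,
     "verdict": {"stage": "regex", "action": "allow"}},
)]

# Constructed malformed envelope: two payloads populated for a single event_type.
BAD_ENVELOPE = {"ts": "2025-01-01T00:00:04Z", "event_type": "scan", "severity": "INFO", "schema_version": 7,
                "scan": {"scan_id": "scan-2", "scanner": "mcp", "target": "srv"},
                "verdict": {"stage": "final", "action": "allow"}}

if __name__ == "__main__":
    per_type, by_rule, alerts = route(SAMPLE_LINES)
    print(dict(per_type), dict(by_rule))
    for alert in alerts:
        print("ALERT", alert)
```

Because each finding carries its own scan_id, target and rule_id, the alert is raised from the single scan_finding line; the scan roll-up is only needed later for counts and the aggregate verdict.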

Variants (oneOf)

  • Variant 1:
  • Variant 2:
  • Variant 3:
  • Variant 4:
  • Variant 5:
  • Variant 6:
  • Variant 7:
  • Variant 8:
  • Variant 9:

Definitions

VerdictPayload

| Field | Type | Required | Description |
|---|---|---|---|
| stage | enum (regex, judge, cisco_ai_defense, opa, final, session_message, multi_turn, block_list, approval) | yes | |
| action | enum (allow, warn, block) | yes | |
| reason | string \| null | no | |
| categories | array \| null | no | |
| latency_ms | integer \| null | no | |

JudgePayload

| Field | Type | Required | Description |
|---|---|---|---|
| kind | string | yes | |
| model | string | yes | |
| input_bytes | integer | yes | |
| latency_ms | integer | yes | |
| action | string \| null | no | |
| severity | string \| null | no | |
| findings | array \| null | no | |
| raw_response | string \| null | no | |
| parse_error | string \| null | no | |

LifecyclePayload

| Field | Type | Required | Description |
|---|---|---|---|
| subsystem | string | yes | |
| transition | enum (start, stop, ready, degraded, restored, alert, completed) | yes | |
| details | object \| null | no | |

ErrorPayload

| Field | Type | Required | Description |
|---|---|---|---|
| subsystem | string | yes | |
| code | string \| null | no | |
| message | string | yes | |
| cause | string \| null | no | |

DiagnosticPayload

| Field | Type | Required | Description |
|---|---|---|---|
| component | string | yes | |
| message | string | yes | |
| fields | object \| null | no | |

EgressPayload

| Field | Type | Required | Description |
|---|---|---|---|
| target_host | string \| null | no | |
| target_path | string \| null | no | |
| body_shape | enum (``, none, messages, prompt, input, contents, unknown, None) | no | |
| looks_like_llm | boolean \| null | no | |
| branch | enum (known, shape, passthrough) | yes | |
| decision | enum (allow, block) | yes | |
| reason | string \| null | no | |
| source | enum (go, ts) | yes | |

Network egress event

NetworkEgressEvent

A single outbound network call observed by the agent runtime, with policy decision fields stored as first-class structured data.

| Field | Type | Required | Description |
|---|---|---|---|
| timestamp | string (date-time) | no | When the call was observed (RFC3339). Defaults to the ingestion time when omitted. |
| session_id | string | no | Agent session identifier. Correlates this event with tool_call/tool_result rows for the same session. |
| hostname | string | yes | Destination hostname without port (e.g. 'api.example.com'). |
| url | string | no | Full destination URL. Stored at most 512 characters. |
| http_method | enum (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS) | no | HTTP verb (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS). |
| protocol | enum (http, https) | no | Transport protocol. |
| policy_outcome | string | yes | Human-readable summary of the policy decision. |
| decision_code | string | no | Machine-readable outcome token for programmatic filtering. |
| blocked | boolean | no | true when the call was actively prevented by policy. |
| severity | enum (INFO, LOW, MEDIUM, HIGH, CRITICAL) | no | Event severity. Defaults to HIGH for blocked calls and INFO for allowed calls. |
| details | string | no | Additional context such as the matched policy pattern. |
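The NetworkEgressEvent table carries several ingestion-time rules (timestamp defaults to ingestion time, url is stored at most 512 characters, severity defaults to HIGH for blocked and INFO for allowed calls) that a receiver of POST /v1/events/egress has to apply before persisting the row. The following is an added example, not the internal/gateway/egress.go validation: a normalizer that applies those defaults, enforces the required fields and the three enums, and rejects a hostname that carries a port or path. The port/path check, the error type and the sample payloads are this example's assumptions.

```python
"""Normalize an egress ingestion payload per the NetworkEgressEvent table (added example, not project code)."""
from datetime import datetime, timezone

HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"}
PROTOCOLS = {"http", "https"}
SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
URL_MAX_CHARS = 512


class EgressEventError(ValueError):
    """Payload rejected at ingestion."""


def _utc_rfc3339(moment):
    """Render an aware datetime as RFC3339 with a Z suffix and second precision."""
    return moment.astimezone(timezone.utc).replace(microsecond=0).isoformat().replace("+00:00", "Z")


def normalize_egress_event(payload, now=None):
    """Return a copy with the documented defaults applied; raise EgressEventError for schema violations."""
    if not isinstance(payload, dict):
        raise EgressEventError("payload must be a JSON object")
    event = dict(payload)

    for field in ("hostname", "policy_outcome"):  # the only required fields in the table
        if not isinstance(event.get(field), str) or not event[field]:
            raise EgressEventError(f"{field} is required")
    # Assumption: 'hostname without port' also excludes a path component.
    if ":" in event["hostname"] or "/" in event["hostname"]:
        raise EgressEventError("hostname must be a bare host without port or path")

    for field, allowed in (("http_method", HTTP_METHODS), ("protocol", PROTOCOLS), ("severity", SEVERITIES)):
        if event.get(field) is not None and event[field] not in allowed:
            raise EgressEventError(f"{field} {event[field]!r} not in {sorted(allowed)}")

    if event.get("timestamp") is None:
        event["timestamp"] = _utc_rfc3339(now or datetime.now(timezone.utc))
    if isinstance(event.get("url"), str) and len(event["url"]) > URL_MAX_CHARS:
        event["url"] = event["url"][:URL_MAX_CHARS]
    event["blocked"] = bool(event.get("blocked", False))
    if event.get("severity") is None:
        event["severity"] = "HIGH" if event["blocked"] else "INFO"
    return event


def is_accepted(payload):
    """Boolean form of normalize_egress_event for quick filtering."""
    try:
        normalize_egress_event(payload)
        return True
    except EgressEventError:
        return False


# Constructed sample payloads and a fixed clock (not real agent traffic).
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
BLOCKED_SAMPLE = {
    "hostname": "blocked-host.example.net",
    "url": "https://blocked-host.example.net/" + "a" * 600,
    "http_method": "POST",
    "protocol": "https",
    "policy_outcome": "blocked by deny-list",
    "decision_code": "DENY_LIST_MATCH",
    "blocked": True,
}
ALLOWED_SAMPLE = {"hostname": "api.example.com", "policy_outcome": "allowed", "session_id": "sess-1"}

if __name__ == "__main__":
    for sample in (BLOCKED_SAMPLE, ALLOWED_SAMPLE):
        row = normalize_egress_event(sample, now=FIXED_NOW)
        print(row["hostname"], row["severity"], row["timestamp"], len(row.get("url", "")))
```

Defaults are filled only when a field is absent or null, so a producer that sends an explicit severity keeps it; enum violations are rejected rather than coerced so that a mis-cased or unknown value cannot silently land in the store as a new category.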

Scan result

DefenseClaw Scan Result

Canonical scanner output — what skill-scanner / mcp-scanner / plugin-scanner / aibom / codeguard serialize as the CLI --output json payload and what gets persisted to audit.scan_results.raw_output. v7 extends the Finding shape with rule_id + line_number for SIEM-safe grouping, and extends the envelope with the provenance quartet.

| Field | Type | Required | Description |
|---|---|---|---|
| scanner | enum (skill, mcp, plugin, aibom, codeguard, skill-scanner, mcp-scanner, plugin-scanner) | yes | |
| target | string | yes | |
| timestamp | string (date-time) | yes | |
| duration | string \| null | no | |
| scan_id | string \| null | no | v7 correlation id shared with gateway-event-envelope EventScan + child EventScanFinding events. |
| schema_version | integer \| null | no | |
| content_hash | string \| null | no | |
| generation | integer \| null | no | |
| binary_version | string \| null | no | |
| agent_id | string \| null | no | |
| agent_instance_id | string \| null | no | |
| sidecar_instance_id | string \| null | no | |
| findings | array | yes | |
