Polished docs and schema

Signed-off-by: Eddie Knight <[email protected]>

schema.cue

@@ -1,27 +1,33 @@
 //// Definitions ////
 
+import (
+  "time"
+)
+
 #URL: =~"^https?://[^\\s]+$"
 #Email: =~"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$"
+#Date: time.Format("2006-01-02")
 
 #Assessment: {
-  evidence?: #URL
-  date?:     string
   comment:   string
+  name?:     string
+  evidence?: #URL
+  date?:     #Date
 }
 
 #Attestation: {
   name:            string
-  "predicate-uri": #URL
   location:        #URL
-  comment:         string
+  "predicate-uri": string
+  comment?:         string
 }
 
 #Contact: {
   name:         string
+  primary:      bool
   affiliation?: string
   email?:       #Email
   social?:      string
-  primary:      bool
 }
 
 #License: {
@@ -37,12 +43,12 @@
 //// Schema ////
 
 header: {
-  "last-updated":      string
-  "last-reviewed":     string
-  "schema-version":    string
-  url:                 #URL
-  comment?:            string
-  "parent-si-source"?: #URL
+  "last-reviewed":      #Date
+  "last-updated":       #Date
+  "schema-version":     string
+  url:                  #URL
+  comment?:             string
+  "project-si-source"?: #URL
 }
 
 project?: {
@@ -55,75 +61,56 @@ project?: {
 
   repositories: [...{
     name:    string
-    url:     #URL
     comment: string
+    url:     #URL
   }]
 
   "vulnerability-reporting": {
     "reports-accepted":       bool
     "bug-bounty-available":   bool
     "bug-bounty-program"?:     #URL
+    contact?:                  #Contact
+    comment?:                  string
     "security-policy"?:        #URL
     "pgp-key"?:                string
-    contact:                  #Contact
-    comment?:                  string
 
     "in-scope"?:               [...string]
     "out-of-scope"?:           [...string]
   }
 
   documentation?: {
-    "quickstart-guide"?:       #URL
     "detailed-guide"?:        #URL
     "code-of-conduct"?:       #URL
+    "quickstart-guide"?:       #URL
     "release-process"?:       #URL
     "signature-verification"?: #URL
   }
 }
 
-repository?: {
+repository?: {  
+  status: "active" | "abandoned" | "concept" | "inactive" | "moved" | "suspended" | "unsupported" | "WIP"
+
   "accepts-change-request":           bool
   "accepts-automated-change-request": bool
   "bug-fixes-only":                   bool
   "no-third-party-packages":          bool
-  status:                             string
   url:                                #URL
 
-  license:                            #License
-
   "core-team": [...#Contact]
 
-  documentation?: {
-    "contributing-guide"?:           #URL
-    "dependency-management-policy"?: #URL
-    governance?:                     #URL
-    "review-policy"?:                #URL
-    "security-policy"?:              #URL
-  }
-
-  release?: {
-    "automated-pipeline": bool
-
-    "distribution-points": [...#Link]
-
-    changelog?:            #URL
-
-    license?: #License
-
-    attestations?: [...#Attestation]
-  }
+  license:                            #License
 
   security: {
     assessments: {
       self: #Assessment
-      "third-party": [...#Assessment]
+      "third-party"?: [...#Assessment]
     }
 
     champions?: [...#Contact]
 
     tools?: [...{
-      name: string
-      type:    string
+      name:     string
+      type: "fuzzing" | "container" | "secret" | "SCA" | "SAST" | "other"
       version?: string
       comment?: string
 
@@ -140,6 +127,27 @@ repository?: {
         ci?: #Attestation
         release?: #Attestation
       }
+
     }]
   }
-}
+
+  documentation?: {
+    "contributing-guide"?:           #URL
+    "dependency-management-policy"?: #URL
+    governance?:                     #URL
+    "review-policy"?:                #URL
+    "security-policy"?:              #URL
+  }
+
+  release?: {
+    "automated-pipeline": bool
+
+    "distribution-points": [...#Link]
+
+    changelog?: #URL
+
+    license?:   #License
+
+    attestations?: [...#Attestation]
+  }
+}

specification-details/aliases.md

@@ -0,0 +1,114 @@
+# Aliases
+
+The following aliases are used throughout the schema.
+
+## `assessment`
+
+### `assessment.name`
+
+- **Type**: `string`
+- **Description**: The name or identifier of the assessment artifact.
+
+### `assessment.evidence`
+
+- **Type**: [URL]
+- **Matches Pattern**: `^https?://[^\\s]+$`
+- **Description**: The URL where the assessment report or artifact is located.
+
+### `assessment.date`
+
+- **Type**: [Date]
+- **Description**: The date the assessment was published.
+
+### `assessment.comment`
+
+- **Type**: `string`
+- **Description**: Notes or commentary about the findings or purpose of the assessment.
+
+---
+
+## `attestation`
+
+A list of objects describing various release attestations or artifacts.
+
+### `attestation.name`
+
+- **Type**: `string`
+- **Description**: The name or identifier of the attestation.
+
+### `attestation.location`
+
+- **Type**: [URL]
+- **Description**: A web location where the attestation can be found.
+
+### `attestation.predicate-uri`
+
+- **Type**: `string`
+- **Description**: A URI to a resource describing the attestation’s predicate or specification.
+
+### `attestation.comment`
+
+- **Type**: `string`
+- **Description**: Additional context or instructions for using the attestation.
+
+---
+
+## `contact`
+
+- `contact.name`
+  - **Type**: `string`
+  - **Description**: The contact person's name.
+- `contact.primary`
+  - **Type**: `bool`
+  - **Description**: Indicates whether this admin is the first point of contact for inquiries. Only one entry should be marked as primary.
+- `contact.affiliation` (optional)
+  - **Type**: `string`
+  - **Description**: The entity with which the contact is affiliated, such as a school or employer.
+- `contact.email` (optional)
+  - **Type**: [Email]
+  - **Description**: A preferred email address to reach the contact.
+- `contact.social` (optional)
+  - **Type**: `string`
+  - **Description**: A social media handle or profile for the contact.
+
+---
+
+## `license`
+
+- `license.url`
+  - **Type**: [URL]
+  - **Description**: A web address where the license can be found.
+- `license.expression`
+  - **Type**: `string`
+  - **Description**: The SPDX license expression for the license.
+
+---
+
+## `link`
+
+- `link.uri`
+  - **Type**: `string`
+  - **Description**: A link to a resource, not restricted to http/s.
+- `link.comment`
+  - **Type**: `string`
+  - **Description**: Instructions or information about the link.
+
+---
+
+## Validation Types
+
+- `date`
+  - **Type**: `string`
+  - **Description**: A date in ISO 8601 format (`YYYY-MM-DD`).
+- `email`
+  - **Type**: `string`
+  - **Matches Pattern**: `^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$`
+- `url`
+  - **Type**: `string`
+  - **Matches Pattern**: `^https?://[^\\s]+$`
+
+---
+
+[URL]: #url
+[Email]: #email
+[Date]: #date

specification-details/header.md

@@ -1,53 +1,51 @@
-# Header
+# `header`
 
-The `header` object provides high-level information about the project schema.
+The `header` object captures high-level metadata about the schema.
 
-This section is **required**.
-
-```yaml
-header:
-  schema-version: 1.0.0 
-  last-updated: '2021-09-01'
-  last-reviewed: '2022-09-01'
-  repo-url: https://foo.bar
-  repo-status: active
-```
+---
 
+## `header.last-reviewed`
 
-## `header.schema-version`
-- **Type**: `string`
-- **Description**: *[Add description here]*
-- **Example**: *[Add example here]*
+- **Type**: [Date]
+- **Description**: The date when the document or data was last reviewed.
 
 ---
 
 ## `header.last-updated`
-- **Type**: `string`
-- **Description**: *[Add description here]*
-- **Example**: *[Add example here]*
+
+- **Type**: [Date]
+- **Description**: The date when this document or data was last updated.
 
 ---
 
-## `header.last-reviewed`
+## `header.schema-version`
+
 - **Type**: `string`
-- **Description**: *[Add description here]*
-- **Example**: *[Add example here]*
+- **Description**: Represents the version of this schema.
 
 ---
 
-## `header.repo-url`
-- **Type**: `string`
-- **Matches Pattern**: `^https?://[^\\s]+$`
-- **Description**: *[Add description here]*
-- **Example**: *[Add example here]*
+## `header.url`
+
+- **Type**: [URL]
+- **Description**: The primary reference URL for this schema’s origin or repository.
 
 ---
 
-## `header.repo-status`
+## `header.comment` (optional)
+
 - **Type**: `string`
-- **Description**: *[Add description here]*
-- **Example**: *[Add example here]*
+- **Description**: Additional information about the schema.
+
+---
+
+## `header.project-si-source` (optional)
+
+- **Type**: [URL]
+- **Description**: A URL to the security insights file that contains project information for this file to inherit.
 
 ---
 
-> **Note**: Each field should be assigned a value consistent with its specified data type and/or regular expression pattern. Fields not marked as optional are required.
+[URL]: #url
+[Email]: #email
+[Date]: #date