Design Philosophy

Stave is designed around open standards from the first release so teams can adopt it without platform lock-in.

Core Principles

  1. Contract-first: data is exchanged through versioned, documented schemas.
  2. Vendor-neutral: extractors can be built in any language and for any platform.
  3. Deterministic by default: the same inputs and the same --now value produce the same output.
  4. Offline-capable: evaluation and validation work without cloud credentials.
  5. Composable CLI: commands fit CI/CD pipelines through stable flags, outputs, and exit codes.

Standardization Surface

  • Controls: ctrl.v1 YAML
  • Observations: obs.v0.1 JSON
  • Evaluation/verification output: out.v0.1 JSON
  • JSON Schema contracts under schemas/

Because these are open files and versioned contracts, teams can:

  • Generate observations from their own systems and tools
  • Validate data independently in other runtimes
  • Store, diff, and audit artifacts in any repository or data platform
  • Change cloud vendors or scanners without rewriting Stave core logic
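The following is an added example, not Stave's own code, showing what principles 3 and 5 above (deterministic output, stable exit codes) and the "teams can" list look like in a small offline evaluation step written in Python. The observation fields, the control's predicate shape, the sample timestamps and the exit-code mapping are all assumptions constructed for the example; the real obs.v0.1, ctrl.v1 and out.v0.1 schemas are not reproduced here, and the field check stands in for validation against the JSON Schema contracts under schemas/.

```python
"""Added example (not Stave's own code): validate a versioned observation
document against a contract stand-in, evaluate one control against it with
an injected clock, and return byte-stable JSON plus a CI-friendly exit code.
Every field name, rule and sample value below is constructed for illustration."""
import json
from datetime import datetime, timedelta, timezone

OBS_VERSION = "obs.v0.1"
OUT_VERSION = "out.v0.1"
EXIT_PASS, EXIT_FAIL, EXIT_INVALID = 0, 1, 2  # assumed mapping, not Stave's

# Constructed stand-in for the observation contract (required fields and types).
REQUIRED_OBS_FIELDS = {"version": str, "subject": str, "observed_at": str, "data": dict}

# Constructed sample observation, as an extractor in any language might emit it.
SAMPLE_OBS = {
    "version": OBS_VERSION,
    "subject": "example.internal",
    "observed_at": "2025-01-15T00:00:00+00:00",
    "data": {"cert_not_after": "2025-03-01T00:00:00+00:00"},
}

# Hypothetical control: the predicate shape is an assumption, not the ctrl.v1 DSL.
SAMPLE_CONTROL = {
    "id": "tls-cert-min-validity",
    "predicate": {"field": "cert_not_after", "min_days_after_now": 30},
}

# Two constructed values of what --now would supply on the command line.
NOW_A = datetime(2025, 1, 15, tzinfo=timezone.utc)
NOW_B = datetime(2025, 2, 15, tzinfo=timezone.utc)


def parse_ts(value):
    # Accept a trailing 'Z' as UTC and normalise everything to aware UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def validate_observation(obs):
    """Return a list of contract violations; an empty list means the input is valid."""
    errors = []
    for key, typ in REQUIRED_OBS_FIELDS.items():
        if key not in obs:
            errors.append(f"missing field: {key}")
        elif not isinstance(obs[key], typ):
            errors.append(f"wrong type for {key}: expected {typ.__name__}")
    if "version" in obs and obs["version"] != OBS_VERSION:
        errors.append(f"unsupported observation version: {obs['version']!r}")
    return errors


def evaluate(control, obs, now):
    """Apply the control's predicate; the clock is a parameter, never read from the host."""
    rule = control["predicate"]
    field = rule["field"]
    raw = obs["data"].get(field)
    if raw is None:
        status, reason = "fail", f"field {field} absent from observation"
    else:
        deadline = now + timedelta(days=rule["min_days_after_now"])
        status = "pass" if parse_ts(raw) >= deadline else "fail"
        reason = f"{field}={raw} must be at or after {deadline.isoformat()}"
    return {
        "version": OUT_VERSION,
        "control": control["id"],
        "subject": obs["subject"],
        "evaluated_at": now.isoformat(),
        "status": status,
        "reason": reason,
    }


def canonical_json(doc):
    # Sorted keys and fixed separators make the artifact byte-stable, so two runs
    # with the same inputs and the same --now diff clean in any repository.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")) + "\n"


def run(control, obs, now):
    """Return (exit_code, output_text): 0 pass, 1 control failed, 2 input off-contract."""
    errors = validate_observation(obs)
    if errors:
        return EXIT_INVALID, canonical_json({"version": OUT_VERSION, "errors": errors})
    result = evaluate(control, obs, now)
    return (EXIT_PASS if result["status"] == "pass" else EXIT_FAIL), canonical_json(result)


if __name__ == "__main__":
    import sys
    code, text = run(SAMPLE_CONTROL, SAMPLE_OBS, NOW_A)
    sys.stdout.write(text)
    sys.exit(code)
```

Because the clock and every input are parameters, a pipeline can pin `--now` and re-run the evaluation later to reproduce the exact artifact it stored; the distinct exit code for off-contract input lets CI tell "the control failed" apart from "the extractor emitted something the schema does not accept".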

What This Means in Practice

  • Stave runs as a standalone CLI — bring your own CI runner, laptop, or air-gapped host.
  • Controls are YAML with a standard predicate DSL — portable across teams and toolchains.
  • Artifacts remain portable across local development, CI runners, and audit workflows.

Stave is a standards-based safety layer designed for composability.