refactor(ocsf): replace redundant id+label pairs with typed enums

Store typed enum values (ActionId, DispositionId, SeverityId, etc.)
directly in event structs instead of separate _id: u8 + label: String
pairs. Labels are derived at serialization time via custom Serialize
impls, eliminating the drift risk between ID and label fields.

- Add OcsfEnum trait implemented by all 11 enum types
- Add HttpMethod enum (9 OCSF-defined variants + Other) for HttpRequest
- Refactor BaseEventData: severity and status use typed enums
- Refactor all 6 event structs: 18 id+label pairs consolidated to
  single typed fields with derive(Deserialize) + custom Serialize
- 2 custom-label fields (auth_type, state) use separate _custom_label
  field for the Other variant override
- Simplify OcsfEvent Serialize to delegate directly to inner structs
- Simplify all 8 builders: remove manual .as_u8()/.label() expansion
- Add serde_helpers module with insert_enum_pair! macros

Author: johntmyers

crates/openshell-ocsf/src/builders/config.rs

@@ -106,12 +106,10 @@ impl<'a> ConfigStateChangeBuilder<'a> {
 
         OcsfEvent::DeviceConfigStateChange(DeviceConfigStateChangeEvent {
             base,
-            state_id: self.state_id.map(StateId::as_u8),
-            state: self.state_label,
-            security_level_id: self.security_level.map(SecurityLevelId::as_u8),
-            security_level: self.security_level.map(|s| s.label().to_string()),
-            prev_security_level_id: self.prev_security_level.map(SecurityLevelId::as_u8),
-            prev_security_level: self.prev_security_level.map(|s| s.label().to_string()),
+            state: self.state_id,
+            state_custom_label: self.state_label,
+            security_level: self.security_level,
+            prev_security_level: self.prev_security_level,
         })
     }
 }

crates/openshell-ocsf/src/builders/finding.rs

@@ -170,14 +170,10 @@ impl<'a> DetectionFindingBuilder<'a> {
             },
             remediation: self.remediation,
             is_alert: self.is_alert,
-            confidence_id: self.confidence.map(ConfidenceId::as_u8),
-            confidence: self.confidence.map(|c| c.label().to_string()),
-            risk_level_id: self.risk_level.map(RiskLevelId::as_u8),
-            risk_level: self.risk_level.map(|r| r.label().to_string()),
-            action_id: self.action.map(ActionId::as_u8),
-            action: self.action.map(|a| a.label().to_string()),
-            disposition_id: self.disposition.map(DispositionId::as_u8),
-            disposition: self.disposition.map(|d| d.label().to_string()),
+            confidence: self.confidence,
+            risk_level: self.risk_level,
+            action: self.action,
+            disposition: self.disposition,
         })
     }
 }

crates/openshell-ocsf/src/builders/http.rs

@@ -139,10 +139,8 @@ impl<'a> HttpActivityBuilder<'a> {
             proxy_endpoint: Some(self.ctx.proxy_endpoint()),
             actor: self.actor,
             firewall_rule: self.firewall_rule,
-            action_id: self.action.map(ActionId::as_u8),
-            action: self.action.map(|a| a.label().to_string()),
-            disposition_id: self.disposition.map(DispositionId::as_u8),
-            disposition: self.disposition.map(|d| d.label().to_string()),
+            action: self.action,
+            disposition: self.disposition,
             observation_point_id: Some(2),
             is_src_dst_assignment_known: Some(true),
         })

crates/openshell-ocsf/src/builders/network.rs

@@ -189,10 +189,8 @@ impl<'a> NetworkActivityBuilder<'a> {
             actor: self.actor,
             firewall_rule: self.firewall_rule,
             connection_info: self.connection_info,
-            action_id: self.action.map(ActionId::as_u8),
-            action: self.action.map(|a| a.label().to_string()),
-            disposition_id: self.disposition.map(DispositionId::as_u8),
-            disposition: self.disposition.map(|d| d.label().to_string()),
+            action: self.action,
+            disposition: self.disposition,
             observation_point_id: self.observation_point_id,
             is_src_dst_assignment_known: Some(true),
         })

crates/openshell-ocsf/src/builders/process.rs

@@ -120,13 +120,10 @@ impl<'a> ProcessActivityBuilder<'a> {
             base,
             process: self.process.unwrap_or_else(|| Process::new("unknown", 0)),
             actor: self.actor,
-            launch_type_id: self.launch_type.map(LaunchTypeId::as_u8),
-            launch_type: self.launch_type.map(|lt| lt.label().to_string()),
+            launch_type: self.launch_type,
             exit_code: self.exit_code,
-            action_id: self.action.map(ActionId::as_u8),
-            action: self.action.map(|a| a.label().to_string()),
-            disposition_id: self.disposition.map(DispositionId::as_u8),
-            disposition: self.disposition.map(|d| d.label().to_string()),
+            action: self.action,
+            disposition: self.disposition,
         })
     }
 }

crates/openshell-ocsf/src/builders/ssh.rs

@@ -136,13 +136,11 @@ impl<'a> SshActivityBuilder<'a> {
             src_endpoint: self.src_endpoint,
             dst_endpoint: self.dst_endpoint,
             actor: self.actor,
-            auth_type_id: self.auth_type_id.map(AuthTypeId::as_u8),
-            auth_type: self.auth_type_label,
+            auth_type: self.auth_type_id,
+            auth_type_custom_label: self.auth_type_label,
             protocol_ver: self.protocol_ver,
-            action_id: self.action.map(ActionId::as_u8),
-            action: self.action.map(|a| a.label().to_string()),
-            disposition_id: self.disposition.map(DispositionId::as_u8),
-            disposition: self.disposition.map(|d| d.label().to_string()),
+            action: self.action,
+            disposition: self.disposition,
         })
     }
 }

crates/openshell-ocsf/src/enums/http_method.rs

@@ -0,0 +1,137 @@
+// SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+//! OCSF `http_method` enum — the 9 OCSF-defined HTTP methods.
+
+use serde::{Deserialize, Serialize};
+
+/// HTTP method as defined in the OCSF v1.7.0 `http_request` object schema.
+///
+/// The 9 standard methods are typed variants. Non-standard methods use
+/// `Other(String)`.
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+pub enum HttpMethod {
+    /// OPTIONS
+    Options,
+    /// GET
+    Get,
+    /// HEAD
+    Head,
+    /// POST
+    Post,
+    /// PUT
+    Put,
+    /// DELETE
+    Delete,
+    /// TRACE
+    Trace,
+    /// CONNECT
+    Connect,
+    /// PATCH
+    Patch,
+    /// Non-standard method.
+    Other(String),
+}
+
+impl HttpMethod {
+    /// Return the canonical uppercase string representation.
+    #[must_use]
+    pub fn as_str(&self) -> &str {
+        match self {
+            Self::Options => "OPTIONS",
+            Self::Get => "GET",
+            Self::Head => "HEAD",
+            Self::Post => "POST",
+            Self::Put => "PUT",
+            Self::Delete => "DELETE",
+            Self::Trace => "TRACE",
+            Self::Connect => "CONNECT",
+            Self::Patch => "PATCH",
+            Self::Other(s) => s,
+        }
+    }
+}
+
+impl std::str::FromStr for HttpMethod {
+    type Err = std::convert::Infallible;
+
+    /// Parse a method string into a typed variant (case-insensitive).
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(match s.to_uppercase().as_str() {
+            "OPTIONS" => Self::Options,
+            "GET" => Self::Get,
+            "HEAD" => Self::Head,
+            "POST" => Self::Post,
+            "PUT" => Self::Put,
+            "DELETE" => Self::Delete,
+            "TRACE" => Self::Trace,
+            "CONNECT" => Self::Connect,
+            "PATCH" => Self::Patch,
+            _ => Self::Other(s.to_string()),
+        })
+    }
+}
+
+impl Serialize for HttpMethod {
+    fn serialize<S: serde::Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        serializer.serialize_str(self.as_str())
+    }
+}
+
+impl<'de> Deserialize<'de> for HttpMethod {
+    fn deserialize<D: serde::Deserializer<'de>>(deserializer: D) -> Result<Self, D::Error> {
+        let s = String::deserialize(deserializer)?;
+        Ok(s.parse().unwrap())
+    }
+}
+
+impl std::fmt::Display for HttpMethod {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(self.as_str())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_from_str_standard_methods() {
+        assert_eq!("GET".parse::<HttpMethod>().unwrap(), HttpMethod::Get);
+        assert_eq!("get".parse::<HttpMethod>().unwrap(), HttpMethod::Get);
+        assert_eq!("Post".parse::<HttpMethod>().unwrap(), HttpMethod::Post);
+        assert_eq!("DELETE".parse::<HttpMethod>().unwrap(), HttpMethod::Delete);
+        assert_eq!(
+            "CONNECT".parse::<HttpMethod>().unwrap(),
+            HttpMethod::Connect
+        );
+        assert_eq!("PATCH".parse::<HttpMethod>().unwrap(), HttpMethod::Patch);
+    }
+
+    #[test]
+    fn test_from_str_non_standard() {
+        let method: HttpMethod = "PROPFIND".parse().unwrap();
+        assert_eq!(method, HttpMethod::Other("PROPFIND".to_string()));
+        assert_eq!(method.as_str(), "PROPFIND");
+    }
+
+    #[test]
+    fn test_json_roundtrip() {
+        let method = HttpMethod::Get;
+        let json = serde_json::to_value(&method).unwrap();
+        assert_eq!(json, serde_json::json!("GET"));
+
+        let deserialized: HttpMethod = serde_json::from_value(json).unwrap();
+        assert_eq!(deserialized, HttpMethod::Get);
+    }
+
+    #[test]
+    fn test_json_roundtrip_other() {
+        let method = HttpMethod::Other("PROPFIND".to_string());
+        let json = serde_json::to_value(&method).unwrap();
+        assert_eq!(json, serde_json::json!("PROPFIND"));
+
+        let deserialized: HttpMethod = serde_json::from_value(json).unwrap();
+        assert_eq!(deserialized, HttpMethod::Other("PROPFIND".to_string()));
+    }
+}

crates/openshell-ocsf/src/enums/mod.rs

@@ -7,6 +7,7 @@ mod action;
 mod activity;
 mod auth;
 mod disposition;
+mod http_method;
 mod launch;
 mod security;
 mod severity;
@@ -16,7 +17,45 @@ pub use action::ActionId;
 pub use activity::ActivityId;
 pub use auth::AuthTypeId;
 pub use disposition::DispositionId;
+pub use http_method::HttpMethod;
 pub use launch::LaunchTypeId;
 pub use security::{ConfidenceId, RiskLevelId, SecurityLevelId};
 pub use severity::SeverityId;
 pub use status::{StateId, StatusId};
+
+/// Trait for OCSF enum types that have an integer ID and a string label.
+///
+/// All OCSF "sibling pair" enums implement this trait, enabling generic
+/// serialization of `_id` + label field pairs.
+pub trait OcsfEnum: Copy + Clone + PartialEq + Eq + std::fmt::Debug {
+    /// Return the integer representation for JSON serialization.
+    fn as_u8(self) -> u8;
+
+    /// Return the OCSF string label for this value.
+    fn label(self) -> &'static str;
+}
+
+/// Implement [`OcsfEnum`] for a type that already has `as_u8()` and `label()` methods.
+macro_rules! impl_ocsf_enum {
+    ($($ty:ty),+ $(,)?) => {
+        $(
+            impl OcsfEnum for $ty {
+                fn as_u8(self) -> u8 { self.as_u8() }
+                fn label(self) -> &'static str { self.label() }
+            }
+        )+
+    };
+}
+
+impl_ocsf_enum!(
+    ActionId,
+    AuthTypeId,
+    ConfidenceId,
+    DispositionId,
+    LaunchTypeId,
+    RiskLevelId,
+    SecurityLevelId,
+    SeverityId,
+    StateId,
+    StatusId,
+);