Add CARING examples and coverage

examples/caring/README.md

@@ -6,3 +6,7 @@ Small fixtures for the executable CARING 0.4.0-RC2 profile used by
 These are intentionally compact. They prove that the canonical descriptor,
 request, decision, registry, audit, and Rego-in-Markdown policy package
 shapes can round-trip through `pkg/api` and `internal/policy`.
+
+The set includes local subjects, groups, teams, project resources, inherited
+relationship facts, exposure events, allow/deny fixtures, and a
+redact-with-obligation policy package.

examples/caring/exposure_event.json

@@ -0,0 +1,20 @@
+{
+  "id": "exposure:tenant-alpha-support-001",
+  "type": "X-Support",
+  "actor": "user:alice",
+  "subject": "user:bob",
+  "scope": {
+    "level": "Resource",
+    "id": "document:alpha-plan",
+    "tenant": "tenant:alpha",
+    "resource": "document:alpha-plan"
+  },
+  "planes": ["Data"],
+  "exposure_modes": ["Masked"],
+  "reason": "Support review of masked project plan",
+  "decision_id": "decision:tenant-alpha-support-001",
+  "timestamp": "2026-05-17T00:00:00Z",
+  "metadata": {
+    "source": "examples/caring/exposure_event.json"
+  }
+}

examples/caring/inherited_relationships.yaml

@@ -0,0 +1,38 @@
+- id: rel:reviewers-project-reviewer
+  system: markitect-tool
+  subject: team:project-reviewers
+  relation: reviewer
+  object: project:alpha-redesign
+  tenant: tenant:alpha
+  conditions:
+    - Logged
+  caring:
+    id: descriptor:tenant-alpha-project-reviewer
+    profile: caring-0.4.0-rc2
+    subject_type: Group
+    organization_relation: Customer
+    canonical_role: Verifier
+    scope:
+      level: Project
+      id: project:alpha-redesign
+      tenant: tenant:alpha
+      resource: project:alpha-redesign
+    planes:
+      - Data
+    capabilities:
+      - Review
+    exposure_modes:
+      - Masked
+    conditions:
+      - Logged
+    restrictions:
+      - ExportBlocked
+- id: rel:alpha-plan-inherits-project-reviewer
+  system: markitect-tool
+  subject: document:alpha-plan
+  relation: inherits
+  object: project:alpha-redesign
+  tenant: tenant:alpha
+  metadata:
+    inheritance: parent
+    source: examples/caring/inherited_relationships.yaml

examples/caring/project_resource_manifest.yaml

@@ -0,0 +1,27 @@
+id: markitect-project-resources
+system: markitect-tool
+resources:
+  - id: project:alpha-redesign
+    type: project
+    path: /projects/alpha-redesign
+    labels:
+      - project
+    trust_zone: internal
+    owner: team:project-reviewers
+  - id: document:alpha-plan
+    type: document
+    path: /projects/alpha-redesign/plan
+    parent: project:alpha-redesign
+    labels:
+      - internal
+      - pii
+    trust_zone: internal
+    owner: team:project-reviewers
+actions:
+  - read
+  - review
+  - export
+caring_profile: caring-0.4.0-rc2
+metadata:
+  flex_auth_contract: resource-registration-v0
+  source: examples/caring/project_resource_manifest.yaml

examples/caring/redact_policy_package.md

@@ -0,0 +1,132 @@
+---
+id: markitect.documents.mask-pii
+name: Markitect masked PII read
+namespace: markitect:document
+version: v1
+status: draft
+package: flexauth.markitect.redact
+actions:
+  - read
+owner: team:project-reviewers
+caring:
+  profile: caring-0.4.0-rc2
+  enforce: false
+  canonical_roles:
+    - Verifier
+  organization_relations:
+    - Customer
+  scopes:
+    - level: Resource
+      id: document:alpha-plan
+      tenant: tenant:alpha
+  planes:
+    - Data
+  capabilities:
+    - View
+    - Mask
+  exposure_modes:
+    - Masked
+  conditions:
+    - Logged
+  restrictions:
+    - ExportBlocked
+metadata:
+  source: examples/caring/redact_policy_package.md
+---
+
+# Markitect Masked PII Read
+
+This package returns a redaction decision when a verifier may inspect a
+document only through masked fields.
+
+## Rules
+
+```rego
+import future.keywords.if
+import future.keywords.in
+
+default decision := {"effect": "deny", "reason": "no_matching_rule"}
+
+decision := {
+  "effect": "redact",
+  "reason": "masked_pii",
+  "obligations": [{
+    "type": "mask_fields",
+    "parameters": {"fields": ["email", "phone"]}
+  }]
+} if {
+  input.action == "read"
+  input.resource.id == "document:alpha-plan"
+  "Mask" in input.caring_context.capabilities
+  "Masked" in input.caring_context.exposure_modes
+}
+```
+
+## Tests
+
+```rego test
+package flexauth.markitect.redact_test
+
+import future.keywords.if
+import data.flexauth.markitect.redact
+
+test_masked_reader_gets_redaction if {
+  redact.decision.effect == "redact" with input as {
+    "action": "read",
+    "resource": {"id": "document:alpha-plan"},
+    "caring_context": {
+      "capabilities": ["View", "Mask"],
+      "exposure_modes": ["Masked"]
+    }
+  }
+}
+```
+
+## Fixtures
+
+```yaml fixture
+id: fixture:masked-pii-redact
+request:
+  id: check:masked-pii
+  subject:
+    id: user:bob
+    type: Human
+    tenant: tenant:alpha
+  action: read
+  resource:
+    id: document:alpha-plan
+    type: document
+    system: markitect-tool
+    tenant: tenant:alpha
+  caring_context:
+    id: descriptor:tenant-alpha-masked-pii-reviewer
+    profile: caring-0.4.0-rc2
+    subject_type: Human
+    organization_relation: Customer
+    canonical_role: Verifier
+    scope:
+      level: Resource
+      id: document:alpha-plan
+      tenant: tenant:alpha
+      resource: document:alpha-plan
+    planes:
+      - Data
+    capabilities:
+      - View
+      - Mask
+    exposure_modes:
+      - Masked
+    conditions:
+      - Logged
+    restrictions:
+      - ExportBlocked
+expect:
+  effect: redact
+  reason: masked_pii
+  obligations:
+    - type: mask_fields
+      parameters:
+        fields:
+          - email
+          - phone
+```

examples/caring/team_subject_manifest.yaml

@@ -0,0 +1,37 @@
+id: tenant-alpha-project-team
+tenants:
+  - id: tenant:alpha
+    name: Tenant Alpha
+subjects:
+  - id: user:alice
+    type: Human
+    display_name: Alice Example
+    organization_relation: Customer
+    roles:
+      - Doer
+    groups:
+      - group:platform-architecture
+    tenant: tenant:alpha
+  - id: user:bob
+    type: Human
+    display_name: Bob Example
+    organization_relation: Customer
+    roles:
+      - Verifier
+    groups:
+      - team:project-reviewers
+    tenant: tenant:alpha
+groups:
+  - id: group:platform-architecture
+    display_name: Platform Architecture
+    members:
+      - user:alice
+    tenant: tenant:alpha
+teams:
+  - id: team:project-reviewers
+    display_name: Project Reviewers
+    members:
+      - user:bob
+    tenant: tenant:alpha
+metadata:
+  source: examples/caring/team_subject_manifest.yaml