Implement canonical schema foundation

examples/README.md

@@ -9,6 +9,8 @@ FLEX-WP-0005):
 examples/
   claims/                  # key-cape lightweight-mode and Keycloak heavy-mode
                            # claim envelopes (P5.5)
+  caring/                  # executable CARING descriptor, request,
+                           # decision, registry, and audit fixtures (P2.1)
   markitect/               # FlexAuthResourceManifest fixtures, decision
                            # fixtures, and Rego-in-Markdown policy packages
   topaz/                   # docker-compose + sample directory and policy

examples/caring/README.md

@@ -0,0 +1,8 @@
+# CARING examples
+
+Small fixtures for the executable CARING 0.4.0-RC2 profile used by
+`FLEX-WP-0002 P2.1`.
+
+These are intentionally compact. They are not policy-engine fixtures yet;
+they prove that the canonical descriptor, request, decision, registry, and
+audit shapes can round-trip through `pkg/api`.

examples/caring/access_descriptor.yaml

@@ -0,0 +1,26 @@
+id: descriptor:tenant-alpha-document-reader
+profile: caring-0.4.0-rc2
+subject_type: Human
+organization_relation: Customer
+canonical_role: Doer
+scope:
+  level: Resource
+  id: document:internal-note
+  tenant: tenant:alpha
+  resource: document:internal-note
+planes:
+  - Data
+capabilities:
+  - View
+exposure_modes:
+  - Masked
+  - Plaintext
+conditions:
+  - PurposeBound
+  - Logged
+lifecycle_state: Operate
+restrictions:
+  - ExportBlocked
+access_path: direct
+metadata:
+  source: examples/caring

examples/caring/audit_event.json

@@ -0,0 +1,22 @@
+{
+  "id": "audit:decision:tenant-alpha-internal-note",
+  "type": "decision",
+  "decision_id": "decision:tenant-alpha-internal-note",
+  "subject": {
+    "id": "user:alice",
+    "type": "Human",
+    "tenant": "tenant:alpha"
+  },
+  "resource": {
+    "id": "document:internal-note",
+    "type": "document",
+    "system": "markitect-tool",
+    "tenant": "tenant:alpha"
+  },
+  "action": "read",
+  "effect": "allow",
+  "timestamp": "2026-05-17T00:00:00Z",
+  "metadata": {
+    "profile": "caring-0.4.0-rc2"
+  }
+}

examples/caring/check_request.yaml

@@ -0,0 +1,41 @@
+id: check:tenant-alpha-internal-note
+subject:
+  id: user:alice
+  type: Human
+  tenant: tenant:alpha
+action: read
+resource:
+  id: document:internal-note
+  type: document
+  system: markitect-tool
+  tenant: tenant:alpha
+context:
+  purpose: knowledge-base-read
+  assurance:
+    mfa: true
+caring_context:
+  id: descriptor:tenant-alpha-document-reader
+  profile: caring-0.4.0-rc2
+  subject_type: Human
+  organization_relation: Customer
+  canonical_role: Doer
+  scope:
+    level: Resource
+    id: document:internal-note
+    tenant: tenant:alpha
+    resource: document:internal-note
+  planes:
+    - Data
+  capabilities:
+    - View
+  exposure_modes:
+    - Masked
+    - Plaintext
+  conditions:
+    - PurposeBound
+    - Logged
+  lifecycle_state: Operate
+  restrictions:
+    - ExportBlocked
+  access_path: direct
+policy_version: markitect.documents.v1

examples/caring/decision_envelope.json

@@ -0,0 +1,69 @@
+{
+  "id": "decision:tenant-alpha-internal-note",
+  "request_id": "check:tenant-alpha-internal-note",
+  "effect": "allow",
+  "reason": "reader_relation",
+  "matched_policy_version": "markitect.documents.v1",
+  "matched_rule": "allow_document_read",
+  "resource": {
+    "id": "document:internal-note",
+    "type": "document",
+    "system": "markitect-tool",
+    "tenant": "tenant:alpha"
+  },
+  "subject": {
+    "id": "user:alice",
+    "type": "Human",
+    "tenant": "tenant:alpha"
+  },
+  "obligations": [
+    {
+      "type": "log_access",
+      "parameters": {
+        "level": "standard"
+      }
+    }
+  ],
+  "diagnostics": {
+    "policy_package": "examples/caring"
+  },
+  "provenance": {
+    "evaluator": "flex-auth",
+    "mode": "standalone",
+    "policy_package": "markitect.documents",
+    "policy_version": "v1",
+    "decision_time": "2026-05-17T00:00:00Z"
+  },
+  "caring": {
+    "profile": "caring-0.4.0-rc2",
+    "descriptor": {
+      "id": "descriptor:tenant-alpha-document-reader",
+      "profile": "caring-0.4.0-rc2",
+      "subject_type": "Human",
+      "organization_relation": "Customer",
+      "canonical_role": "Doer",
+      "scope": {
+        "level": "Resource",
+        "id": "document:internal-note",
+        "tenant": "tenant:alpha",
+        "resource": "document:internal-note"
+      },
+      "planes": ["Data"],
+      "capabilities": ["View"],
+      "exposure_modes": ["Masked", "Plaintext"],
+      "conditions": ["PurposeBound", "Logged"],
+      "lifecycle_state": "Operate",
+      "restrictions": ["ExportBlocked"],
+      "access_path": "direct"
+    },
+    "restrictions_evaluated": ["ExportBlocked"],
+    "exposure_modes": ["Masked", "Plaintext"],
+    "conformance_findings": [
+      {
+        "code": "CARING-EXPORT-SEPARATION",
+        "severity": "info",
+        "message": "View is allowed, but Exportable exposure remains separately blocked."
+      }
+    ]
+  }
+}

examples/caring/policy_fixture.yaml

@@ -0,0 +1,45 @@
+id: fixture:markitect-internal-read-allow
+request:
+  id: check:tenant-alpha-internal-note
+  subject:
+    id: user:alice
+    type: Human
+    tenant: tenant:alpha
+  action: read
+  resource:
+    id: document:internal-note
+    type: document
+    system: markitect-tool
+    tenant: tenant:alpha
+  caring_context:
+    id: descriptor:tenant-alpha-document-reader
+    profile: caring-0.4.0-rc2
+    subject_type: Human
+    organization_relation: Customer
+    canonical_role: Doer
+    scope:
+      level: Resource
+      id: document:internal-note
+      tenant: tenant:alpha
+      resource: document:internal-note
+    planes:
+      - Data
+    capabilities:
+      - View
+    exposure_modes:
+      - Masked
+      - Plaintext
+    conditions:
+      - PurposeBound
+      - Logged
+    restrictions:
+      - ExportBlocked
+expect:
+  effect: allow
+  reason: reader_relation
+  conformance_findings:
+    - code: CARING-EXPORT-SEPARATION
+      severity: info
+      message: View is allowed, but Exportable exposure remains separately blocked.
+metadata:
+  source: examples/caring

examples/caring/policy_package.yaml

@@ -0,0 +1,29 @@
+id: markitect.documents.internal-read
+name: Markitect internal document read
+version: v1
+status: draft
+package: flexauth.markitect.documents
+caring:
+  profile: caring-0.4.0-rc2
+  canonical_roles:
+    - Doer
+  organization_relations:
+    - Customer
+  scopes:
+    - level: Resource
+      id: document:internal-note
+      tenant: tenant:alpha
+  planes:
+    - Data
+  capabilities:
+    - View
+  exposure_modes:
+    - Masked
+    - Plaintext
+  conditions:
+    - PurposeBound
+    - Logged
+  restrictions:
+    - ExportBlocked
+metadata:
+  source: examples/caring

examples/caring/relationship_fact.yaml

@@ -0,0 +1,32 @@
+id: rel:alice-reader-internal-note
+system: markitect-tool
+subject: group:platform-architecture
+relation: reader
+object: document:internal-note
+tenant: tenant:alpha
+conditions:
+  - Logged
+caring:
+  id: descriptor:tenant-alpha-document-reader
+  profile: caring-0.4.0-rc2
+  subject_type: Group
+  organization_relation: Customer
+  canonical_role: Doer
+  scope:
+    level: Resource
+    id: document:internal-note
+    tenant: tenant:alpha
+    resource: document:internal-note
+  planes:
+    - Data
+  capabilities:
+    - View
+  exposure_modes:
+    - Masked
+    - Plaintext
+  conditions:
+    - Logged
+  restrictions:
+    - ExportBlocked
+provenance:
+  source: examples/caring

examples/caring/subject_manifest.yaml

@@ -0,0 +1,22 @@
+id: subjects:tenant-alpha
+subjects:
+  - id: user:alice
+    type: Human
+    display_name: Alice Example
+    organization_relation: Customer
+    roles:
+      - Doer
+    groups:
+      - group:platform-architecture
+    tenant: tenant:alpha
+groups:
+  - id: group:platform-architecture
+    display_name: Platform Architecture
+    members:
+      - user:alice
+    tenant: tenant:alpha
+tenants:
+  - id: tenant:alpha
+    name: Tenant Alpha
+metadata:
+  source: examples/caring