Implement canonical schema foundation

pkg/api/caring.go

@@ -0,0 +1,335 @@
+package api
+
+// CaringProfileCaring040RC2 is the executable profile identifier for the
+// CARING 0.4.0-RC2 standard pinned by flex-auth.
+const CaringProfileCaring040RC2 = "caring-0.4.0-rc2"
+
+// SubjectType is the CARING subject dimension.
+type SubjectType string
+
+const (
+	SubjectTypeHuman        SubjectType = "Human"
+	SubjectTypeGroup        SubjectType = "Group"
+	SubjectTypeOrganization SubjectType = "Organization"
+	SubjectTypeService      SubjectType = "Service"
+	SubjectTypeAutomation   SubjectType = "Automation"
+	SubjectTypeAgent        SubjectType = "Agent"
+	SubjectTypeSystem       SubjectType = "System"
+	SubjectTypeDevice       SubjectType = "Device"
+	SubjectTypeProcess      SubjectType = "Process"
+	SubjectTypeAnonymous    SubjectType = "Anonymous"
+	SubjectTypeUnknown      SubjectType = "Unknown"
+)
+
+// OrganizationRelation is the CARING organization-relation dimension.
+type OrganizationRelation string
+
+const (
+	OrganizationRelationVendor          OrganizationRelation = "Vendor"
+	OrganizationRelationServiceProvider OrganizationRelation = "ServiceProvider"
+	OrganizationRelationDistributor     OrganizationRelation = "Distributor"
+	OrganizationRelationConsultant      OrganizationRelation = "Consultant"
+	OrganizationRelationCustomer        OrganizationRelation = "Customer"
+	OrganizationRelationCommunity       OrganizationRelation = "Community"
+	OrganizationRelationAuthority       OrganizationRelation = "Authority"
+	OrganizationRelationUnknown         OrganizationRelation = "Unknown"
+)
+
+// CanonicalRole is the CARING lifecycle responsibility posture.
+type CanonicalRole string
+
+const (
+	CanonicalRoleCreator    CanonicalRole = "Creator"
+	CanonicalRoleBuilder    CanonicalRole = "Builder"
+	CanonicalRoleVerifier   CanonicalRole = "Verifier"
+	CanonicalRoleMaintainer CanonicalRole = "Maintainer"
+	CanonicalRoleIntegrator CanonicalRole = "Integrator"
+	CanonicalRoleOperator   CanonicalRole = "Operator"
+	CanonicalRoleManager    CanonicalRole = "Manager"
+	CanonicalRoleCoach      CanonicalRole = "Coach"
+	CanonicalRoleDoer       CanonicalRole = "Doer"
+)
+
+// ScopeLevel is the CARING scope ladder.
+type ScopeLevel string
+
+const (
+	ScopeLevelEcosystem   ScopeLevel = "Ecosystem"
+	ScopeLevelProduct     ScopeLevel = "Product"
+	ScopeLevelPlatform    ScopeLevel = "Platform"
+	ScopeLevelCluster     ScopeLevel = "Cluster"
+	ScopeLevelEnvironment ScopeLevel = "Environment"
+	ScopeLevelTenant      ScopeLevel = "Tenant"
+	ScopeLevelNamespace   ScopeLevel = "Namespace"
+	ScopeLevelDomain      ScopeLevel = "Domain"
+	ScopeLevelWorkspace   ScopeLevel = "Workspace"
+	ScopeLevelProject     ScopeLevel = "Project"
+	ScopeLevelProcess     ScopeLevel = "Process"
+	ScopeLevelDataset     ScopeLevel = "Dataset"
+	ScopeLevelResource    ScopeLevel = "Resource"
+	ScopeLevelSubresource ScopeLevel = "Subresource"
+	ScopeLevelRecord      ScopeLevel = "Record"
+	ScopeLevelField       ScopeLevel = "Field"
+	ScopeLevelAction      ScopeLevel = "Action"
+)
+
+// Plane is the CARING access-surface dimension.
+type Plane string
+
+const (
+	PlaneIntent        Plane = "Intent"
+	PlaneBuild         Plane = "Build"
+	PlaneRuntime       Plane = "Runtime"
+	PlaneExecution     Plane = "Execution"
+	PlaneConfiguration Plane = "Configuration"
+	PlaneData          Plane = "Data"
+	PlaneIdentity      Plane = "Identity"
+	PlanePolicy        Plane = "Policy"
+	PlaneSecret        Plane = "Secret"
+	PlaneAudit         Plane = "Audit"
+	PlaneCommercial    Plane = "Commercial"
+	PlaneCommunity     Plane = "Community"
+)
+
+// Capability is a CARING capability verb.
+type Capability string
+
+const (
+	CapabilityView           Capability = "View"
+	CapabilityViewCollection Capability = "ViewCollection"
+	CapabilityObserve        Capability = "Observe"
+	CapabilityCreate         Capability = "Create"
+	CapabilityEditOwn        Capability = "EditOwn"
+	CapabilityEditAssigned   Capability = "EditAssigned"
+	CapabilityEditAny        Capability = "EditAny"
+	CapabilityDeleteOwn      Capability = "DeleteOwn"
+	CapabilityDeleteAny      Capability = "DeleteAny"
+	CapabilityBulkDelete     Capability = "BulkDelete"
+	CapabilitySubmit         Capability = "Submit"
+	CapabilityComment        Capability = "Comment"
+	CapabilityReview         Capability = "Review"
+	CapabilityApprove        Capability = "Approve"
+	CapabilityReject         Capability = "Reject"
+	CapabilityPublish        Capability = "Publish"
+	CapabilityArchive        Capability = "Archive"
+	CapabilityRestore        Capability = "Restore"
+	CapabilityExecute        Capability = "Execute"
+	CapabilityConfigure      Capability = "Configure"
+	CapabilityOperate        Capability = "Operate"
+	CapabilityDeploy         Capability = "Deploy"
+	CapabilityIntegrate      Capability = "Integrate"
+	CapabilityGrant          Capability = "Grant"
+	CapabilityRevoke         Capability = "Revoke"
+	CapabilityDelegate       Capability = "Delegate"
+	CapabilityImpersonate    Capability = "Impersonate"
+	CapabilityExport         Capability = "Export"
+	CapabilityImport         Capability = "Import"
+	CapabilityReplicate      Capability = "Replicate"
+	CapabilityEncrypt        Capability = "Encrypt"
+	CapabilityDecrypt        Capability = "Decrypt"
+	CapabilityMask           Capability = "Mask"
+	CapabilityInspect        Capability = "Inspect"
+	CapabilityAudit          Capability = "Audit"
+	CapabilityOverride       Capability = "Override"
+	CapabilityEscalate       Capability = "Escalate"
+	CapabilityBind           Capability = "Bind"
+	CapabilityUse            Capability = "Use"
+)
+
+// ExposureMode describes how much information becomes visible or extractable.
+type ExposureMode string
+
+const (
+	ExposureModeNone                 ExposureMode = "None"
+	ExposureModeMetadata             ExposureMode = "Metadata"
+	ExposureModeMasked               ExposureMode = "Masked"
+	ExposureModeAggregated           ExposureMode = "Aggregated"
+	ExposureModeSynthetic            ExposureMode = "Synthetic"
+	ExposureModePseudonymous         ExposureMode = "Pseudonymous"
+	ExposureModeEncrypted            ExposureMode = "Encrypted"
+	ExposureModePlaintext            ExposureMode = "Plaintext"
+	ExposureModeSecretMaterial       ExposureMode = "SecretMaterial"
+	ExposureModeExportable           ExposureMode = "Exportable"
+	ExposureModeCrossTenantAggregate ExposureMode = "CrossTenantAggregate"
+)
+
+// Condition is a CARING runtime or governance condition.
+type Condition string
+
+const (
+	ConditionMFARequired              Condition = "MFARequired"
+	ConditionDeviceTrusted            Condition = "DeviceTrusted"
+	ConditionNetworkTrusted           Condition = "NetworkTrusted"
+	ConditionTicketRequired           Condition = "TicketRequired"
+	ConditionTenantConsentRequired    Condition = "TenantConsentRequired"
+	ConditionCustomerApprovalRequired Condition = "CustomerApprovalRequired"
+	ConditionDualApprovalRequired     Condition = "DualApprovalRequired"
+	ConditionTimeLimited              Condition = "TimeLimited"
+	ConditionBusinessHoursOnly        Condition = "BusinessHoursOnly"
+	ConditionEmergencyOnly            Condition = "EmergencyOnly"
+	ConditionTrainingRequired         Condition = "TrainingRequired"
+	ConditionContractRequired         Condition = "ContractRequired"
+	ConditionNDARequired              Condition = "NDARequired"
+	ConditionPurposeBound             Condition = "PurposeBound"
+	ConditionCaseBound                Condition = "CaseBound"
+	ConditionEnvironmentBound         Condition = "EnvironmentBound"
+	ConditionNamespaceBound           Condition = "NamespaceBound"
+	ConditionPipelineBound            Condition = "PipelineBound"
+	ConditionChangeWindowBound        Condition = "ChangeWindowBound"
+	ConditionLogged                   Condition = "Logged"
+	ConditionRecorded                 Condition = "Recorded"
+	ConditionNotificationRequired     Condition = "NotificationRequired"
+	ConditionPostReviewRequired       Condition = "PostReviewRequired"
+	ConditionHumanReviewRequired      Condition = "HumanReviewRequired"
+	ConditionPolicyReviewRequired     Condition = "PolicyReviewRequired"
+	ConditionWorkloadIdentityRequired Condition = "WorkloadIdentityRequired"
+)
+
+// LifecycleState describes why access exists now.
+type LifecycleState string
+
+const (
+	LifecycleStateDesign    LifecycleState = "Design"
+	LifecycleStateBuild     LifecycleState = "Build"
+	LifecycleStateTest      LifecycleState = "Test"
+	LifecycleStateReview    LifecycleState = "Review"
+	LifecycleStateRelease   LifecycleState = "Release"
+	LifecycleStateOnboard   LifecycleState = "Onboard"
+	LifecycleStateIntegrate LifecycleState = "Integrate"
+	LifecycleStateMigrate   LifecycleState = "Migrate"
+	LifecycleStateOperate   LifecycleState = "Operate"
+	LifecycleStateSupport   LifecycleState = "Support"
+	LifecycleStateImprove   LifecycleState = "Improve"
+	LifecycleStateDeprecate LifecycleState = "Deprecate"
+	LifecycleStateArchive   LifecycleState = "Archive"
+	LifecycleStateIncident  LifecycleState = "Incident"
+	LifecycleStateLegal     LifecycleState = "Legal"
+	LifecycleStateTerminate LifecycleState = "Terminate"
+)
+
+// Restriction is an overriding CARING deny or limiting policy effect.
+type Restriction string
+
+const (
+	RestrictionNoAccess                   Restriction = "NoAccess"
+	RestrictionSuspended                  Restriction = "Suspended"
+	RestrictionTerminated                 Restriction = "Terminated"
+	RestrictionQuarantined                Restriction = "Quarantined"
+	RestrictionScopeExcluded              Restriction = "ScopeExcluded"
+	RestrictionDataClassRestricted        Restriction = "DataClassRestricted"
+	RestrictionLegalHold                  Restriction = "LegalHold"
+	RestrictionExportBlocked              Restriction = "ExportBlocked"
+	RestrictionImpersonationBlocked       Restriction = "ImpersonationBlocked"
+	RestrictionCrossTenantBlocked         Restriction = "CrossTenantBlocked"
+	RestrictionSecretAccessBlocked        Restriction = "SecretAccessBlocked"
+	RestrictionPolicyFrozen               Restriction = "PolicyFrozen"
+	RestrictionEmergencyLocked            Restriction = "EmergencyLocked"
+	RestrictionRiskDenied                 Restriction = "RiskDenied"
+	RestrictionExecutionBlocked           Restriction = "ExecutionBlocked"
+	RestrictionWorkloadCreationBlocked    Restriction = "WorkloadCreationBlocked"
+	RestrictionPrivilegeEscalationBlocked Restriction = "PrivilegeEscalationBlocked"
+)
+
+// ExposureEventType is a CARING exceptional or irregular access class.
+type ExposureEventType string
+
+const (
+	ExposureEventSupport             ExposureEventType = "X-Support"
+	ExposureEventBreakGlass          ExposureEventType = "X-BreakGlass"
+	ExposureEventSecurityTest        ExposureEventType = "X-SecurityTest"
+	ExposureEventIncident            ExposureEventType = "X-Incident"
+	ExposureEventLegalDemand         ExposureEventType = "X-LegalDemand"
+	ExposureEventComplianceAudit     ExposureEventType = "X-ComplianceAudit"
+	ExposureEventMigration           ExposureEventType = "X-Migration"
+	ExposureEventRecovery            ExposureEventType = "X-Recovery"
+	ExposureEventAdversarial         ExposureEventType = "X-Adversarial"
+	ExposureEventMisconfiguration    ExposureEventType = "X-Misconfiguration"
+	ExposureEventInducedAccess       ExposureEventType = "X-InducedAccess"
+	ExposureEventPrivilegeEscalation ExposureEventType = "X-PrivilegeEscalation"
+)
+
+// AccessPath describes how access is exercised.
+type AccessPath string
+
+const (
+	AccessPathDirect    AccessPath = "direct"
+	AccessPathDelegated AccessPath = "delegated"
+	AccessPathMediated  AccessPath = "mediated"
+	AccessPathInduced   AccessPath = "induced"
+)
+
+// CaringScope identifies where a CARING descriptor applies.
+type CaringScope struct {
+	Level      ScopeLevel     `json:"level"                yaml:"level"`
+	ID         string         `json:"id"                   yaml:"id"`
+	Parent     string         `json:"parent,omitempty"     yaml:"parent,omitempty"`
+	Tenant     string         `json:"tenant,omitempty"     yaml:"tenant,omitempty"`
+	Resource   string         `json:"resource,omitempty"   yaml:"resource,omitempty"`
+	Attributes map[string]any `json:"attributes,omitempty" yaml:"attributes,omitempty"`
+}
+
+// CaringAccessDescriptor is the executable flex-auth representation of a
+// CARING access assignment.
+type CaringAccessDescriptor struct {
+	ID                   string                    `json:"id,omitempty"                    yaml:"id,omitempty"`
+	Profile              string                    `json:"profile"                         yaml:"profile"`
+	SubjectType          SubjectType               `json:"subject_type"                    yaml:"subject_type"`
+	OrganizationRelation OrganizationRelation      `json:"organization_relation"           yaml:"organization_relation"`
+	CanonicalRole        CanonicalRole             `json:"canonical_role"                  yaml:"canonical_role"`
+	Scope                CaringScope               `json:"scope"                           yaml:"scope"`
+	Planes               []Plane                   `json:"planes"                          yaml:"planes"`
+	Capabilities         []Capability              `json:"capabilities"                    yaml:"capabilities"`
+	ExposureModes        []ExposureMode            `json:"exposure_modes,omitempty"        yaml:"exposure_modes,omitempty"`
+	Conditions           []Condition               `json:"conditions,omitempty"            yaml:"conditions,omitempty"`
+	LifecycleState       LifecycleState            `json:"lifecycle_state,omitempty"       yaml:"lifecycle_state,omitempty"`
+	Restrictions         []Restriction             `json:"restrictions,omitempty"          yaml:"restrictions,omitempty"`
+	ExposureEvent        ExposureEventType         `json:"exposure_event,omitempty"        yaml:"exposure_event,omitempty"`
+	DerivedCapabilities  []CaringDerivedCapability `json:"derived_capabilities,omitempty" yaml:"derived_capabilities,omitempty"`
+	AccessPath           AccessPath                `json:"access_path,omitempty"           yaml:"access_path,omitempty"`
+	Metadata             map[string]any            `json:"metadata,omitempty"              yaml:"metadata,omitempty"`
+}
+
+// CaringDerivedCapability records effective authority created by another grant.
+type CaringDerivedCapability struct {
+	Capability    Capability     `json:"capability"               yaml:"capability"`
+	Reason        string         `json:"reason"                   yaml:"reason"`
+	Source        string         `json:"source,omitempty"         yaml:"source,omitempty"`
+	Planes        []Plane        `json:"planes,omitempty"         yaml:"planes,omitempty"`
+	ExposureModes []ExposureMode `json:"exposure_modes,omitempty" yaml:"exposure_modes,omitempty"`
+}
+
+// CaringConformanceFinding is a diagnostic emitted by descriptive or
+// prescriptive CARING validation.
+type CaringConformanceFinding struct {
+	Code       string         `json:"code"                 yaml:"code"`
+	Severity   string         `json:"severity"             yaml:"severity"`
+	Message    string         `json:"message"              yaml:"message"`
+	Fields     []string       `json:"fields,omitempty"     yaml:"fields,omitempty"`
+	Descriptor string         `json:"descriptor,omitempty" yaml:"descriptor,omitempty"`
+	Metadata   map[string]any `json:"metadata,omitempty"   yaml:"metadata,omitempty"`
+}
+
+// CaringExposureEvent records exceptional or irregular information exposure.
+type CaringExposureEvent struct {
+	ID                  string                     `json:"id"                                yaml:"id"`
+	Type                ExposureEventType          `json:"type"                              yaml:"type"`
+	Actor               string                     `json:"actor"                             yaml:"actor"`
+	Subject             string                     `json:"subject"                           yaml:"subject"`
+	Descriptor          *CaringAccessDescriptor    `json:"descriptor,omitempty"              yaml:"descriptor,omitempty"`
+	Scope               *CaringScope               `json:"scope,omitempty"                   yaml:"scope,omitempty"`
+	Planes              []Plane                    `json:"planes,omitempty"                  yaml:"planes,omitempty"`
+	CapabilitiesUsed    []Capability               `json:"capabilities_used,omitempty"       yaml:"capabilities_used,omitempty"`
+	DerivedCapabilities []CaringDerivedCapability  `json:"derived_capabilities,omitempty"    yaml:"derived_capabilities,omitempty"`
+	ExposureModes       []ExposureMode             `json:"exposure_modes,omitempty"          yaml:"exposure_modes,omitempty"`
+	Reason              string                     `json:"reason"                            yaml:"reason"`
+	AuthoritySource     string                     `json:"authority_source,omitempty"        yaml:"authority_source,omitempty"`
+	Approval            string                     `json:"approval,omitempty"                yaml:"approval,omitempty"`
+	StartTime           string                     `json:"start_time,omitempty"              yaml:"start_time,omitempty"`
+	EndTime             string                     `json:"end_time,omitempty"                yaml:"end_time,omitempty"`
+	ResourcesAccessed   []string                   `json:"resources_accessed,omitempty"      yaml:"resources_accessed,omitempty"`
+	Evidence            []string                   `json:"evidence,omitempty"                yaml:"evidence,omitempty"`
+	NotificationStatus  string                     `json:"notification_status,omitempty"     yaml:"notification_status,omitempty"`
+	PostReview          string                     `json:"post_review,omitempty"             yaml:"post_review,omitempty"`
+	ConformanceFindings []CaringConformanceFinding `json:"conformance_findings,omitempty" yaml:"conformance_findings,omitempty"`
+	Metadata            map[string]any             `json:"metadata,omitempty"                yaml:"metadata,omitempty"`
+}