coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement canonical schema foundation
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Bernd Worsch
2026-05-17 04:59:18 +02:00
parent dd0b9663c4
commit 7fdf6d63d5
29 changed files with 1905 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

358
schemas/caring_access_descriptor.schema.json Normal file
View File

@@ -0,0 +1,358 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json",
"title": "CaringAccessDescriptor",
"description": "Executable flex-auth representation of a CARING access descriptor pinned to CARING 0.4.0-RC2.",
"type": "object",
"additionalProperties": false,
"required": [
"profile",
"subject_type",
"organization_relation",
"canonical_role",
"scope",
"planes",
"capabilities"
],
"properties": {
"id": {"type": "string", "minLength": 1},
"profile": {"const": "caring-0.4.0-rc2"},
"subject_type": {"$ref": "#/$defs/subject_type"},
"organization_relation": {"$ref": "#/$defs/organization_relation"},
"canonical_role": {"$ref": "#/$defs/canonical_role"},
"scope": {"$ref": "#/$defs/scope"},
"planes": {
"type": "array",
"items": {"$ref": "#/$defs/plane"},
"minItems": 1,
"uniqueItems": true
},
"capabilities": {
"type": "array",
"items": {"$ref": "#/$defs/capability"},
"minItems": 1,
"uniqueItems": true
},
"exposure_modes": {
"type": "array",
"items": {"$ref": "#/$defs/exposure_mode"},
"uniqueItems": true
},
"conditions": {
"type": "array",
"items": {"$ref": "#/$defs/condition"},
"uniqueItems": true
},
"lifecycle_state": {"$ref": "#/$defs/lifecycle_state"},
"restrictions": {
"type": "array",
"items": {"$ref": "#/$defs/restriction"},
"uniqueItems": true
},
"exposure_event": {"$ref": "#/$defs/exposure_event_type"},
"derived_capabilities": {
"type": "array",
"items": {"$ref": "#/$defs/derived_capability"}
},
"access_path": {"enum": ["direct", "delegated", "mediated", "induced"]},
"metadata": {"type": "object", "additionalProperties": true}
},
"$defs": {
"subject_type": {
"enum": [
"Human",
"Group",
"Organization",
"Service",
"Automation",
"Agent",
"System",
"Device",
"Process",
"Anonymous",
"Unknown"
]
},
"organization_relation": {
"enum": [
"Vendor",
"ServiceProvider",
"Distributor",
"Consultant",
"Customer",
"Community",
"Authority",
"Unknown"
]
},
"canonical_role": {
"enum": [
"Creator",
"Builder",
"Verifier",
"Maintainer",
"Integrator",
"Operator",
"Manager",
"Coach",
"Doer"
]
},
"scope_level": {
"enum": [
"Ecosystem",
"Product",
"Platform",
"Cluster",
"Environment",
"Tenant",
"Namespace",
"Domain",
"Workspace",
"Project",
"Process",
"Dataset",
"Resource",
"Subresource",
"Record",
"Field",
"Action"
]
},
"scope": {
"type": "object",
"additionalProperties": false,
"required": ["level", "id"],
"properties": {
"level": {"$ref": "#/$defs/scope_level"},
"id": {"type": "string", "minLength": 1},
"parent": {"type": "string", "minLength": 1},
"tenant": {"type": "string", "minLength": 1},
"resource": {"type": "string", "minLength": 1},
"attributes": {"type": "object", "additionalProperties": true}
}
},
"plane": {
"enum": [
"Intent",
"Build",
"Runtime",
"Execution",
"Configuration",
"Data",
"Identity",
"Policy",
"Secret",
"Audit",
"Commercial",
"Community"
]
},
"capability": {
"enum": [
"View",
"ViewCollection",
"Observe",
"Create",
"EditOwn",
"EditAssigned",
"EditAny",
"DeleteOwn",
"DeleteAny",
"BulkDelete",
"Submit",
"Comment",
"Review",
"Approve",
"Reject",
"Publish",
"Archive",
"Restore",
"Execute",
"Configure",
"Operate",
"Deploy",
"Integrate",
"Grant",
"Revoke",
"Delegate",
"Impersonate",
"Export",
"Import",
"Replicate",
"Encrypt",
"Decrypt",
"Mask",
"Inspect",
"Audit",
"Override",
"Escalate",
"Bind",
"Use"
]
},
"exposure_mode": {
"enum": [
"None",
"Metadata",
"Masked",
"Aggregated",
"Synthetic",
"Pseudonymous",
"Encrypted",
"Plaintext",
"SecretMaterial",
"Exportable",
"CrossTenantAggregate"
]
},
"condition": {
"enum": [
"MFARequired",
"DeviceTrusted",
"NetworkTrusted",
"TicketRequired",
"TenantConsentRequired",
"CustomerApprovalRequired",
"DualApprovalRequired",
"TimeLimited",
"BusinessHoursOnly",
"EmergencyOnly",
"TrainingRequired",
"ContractRequired",
"NDARequired",
"PurposeBound",
"CaseBound",
"EnvironmentBound",
"NamespaceBound",
"PipelineBound",
"ChangeWindowBound",
"Logged",
"Recorded",
"NotificationRequired",
"PostReviewRequired",
"HumanReviewRequired",
"PolicyReviewRequired",
"WorkloadIdentityRequired"
]
},
"lifecycle_state": {
"enum": [
"Design",
"Build",
"Test",
"Review",
"Release",
"Onboard",
"Integrate",
"Migrate",
"Operate",
"Support",
"Improve",
"Deprecate",
"Archive",
"Incident",
"Legal",
"Terminate"
]
},
"restriction": {
"enum": [
"NoAccess",
"Suspended",
"Terminated",
"Quarantined",
"ScopeExcluded",
"DataClassRestricted",
"LegalHold",
"ExportBlocked",
"ImpersonationBlocked",
"CrossTenantBlocked",
"SecretAccessBlocked",
"PolicyFrozen",
"EmergencyLocked",
"RiskDenied",
"ExecutionBlocked",
"WorkloadCreationBlocked",
"PrivilegeEscalationBlocked"
]
},
"exposure_event_type": {
"enum": [
"X-Support",
"X-BreakGlass",
"X-SecurityTest",
"X-Incident",
"X-LegalDemand",
"X-ComplianceAudit",
"X-Migration",
"X-Recovery",
"X-Adversarial",
"X-Misconfiguration",
"X-InducedAccess",
"X-PrivilegeEscalation"
]
},
"derived_capability": {
"type": "object",
"additionalProperties": false,
"required": ["capability", "reason"],
"properties": {
"capability": {"$ref": "#/$defs/capability"},
"reason": {"type": "string", "minLength": 1},
"source": {"type": "string", "minLength": 1},
"planes": {
"type": "array",
"items": {"$ref": "#/$defs/plane"},
"uniqueItems": true
},
"exposure_modes": {
"type": "array",
"items": {"$ref": "#/$defs/exposure_mode"},
"uniqueItems": true
}
}
},
"conformance_finding": {
"type": "object",
"additionalProperties": false,
"required": ["code", "severity", "message"],
"properties": {
"code": {"type": "string", "minLength": 1},
"severity": {"enum": ["info", "warning", "violation", "blocked"]},
"message": {"type": "string", "minLength": 1},
"fields": {"type": "array", "items": {"type": "string", "minLength": 1}},
"descriptor": {"type": "string", "minLength": 1},
"metadata": {"type": "object", "additionalProperties": true}
}
},
"exposure_event": {
"type": "object",
"additionalProperties": false,
"required": ["id", "type", "actor", "subject", "reason"],
"properties": {
"id": {"type": "string", "minLength": 1},
"type": {"$ref": "#/$defs/exposure_event_type"},
"actor": {"type": "string", "minLength": 1},
"subject": {"type": "string", "minLength": 1},
"descriptor": {"$ref": "#"},
"scope": {"$ref": "#/$defs/scope"},
"planes": {"type": "array", "items": {"$ref": "#/$defs/plane"}},
"capabilities_used": {"type": "array", "items": {"$ref": "#/$defs/capability"}},
"derived_capabilities": {"type": "array", "items": {"$ref": "#/$defs/derived_capability"}},
"exposure_modes": {"type": "array", "items": {"$ref": "#/$defs/exposure_mode"}},
"reason": {"type": "string", "minLength": 1},
"authority_source": {"type": "string", "minLength": 1},
"approval": {"type": "string", "minLength": 1},
"start_time": {"type": "string", "minLength": 1},
"end_time": {"type": "string", "minLength": 1},
"resources_accessed": {"type": "array", "items": {"type": "string", "minLength": 1}},
"evidence": {"type": "array", "items": {"type": "string", "minLength": 1}},
"notification_status": {"type": "string", "minLength": 1},
"post_review": {"type": "string", "minLength": 1},
"conformance_findings": {"type": "array", "items": {"$ref": "#/$defs/conformance_finding"}},
"metadata": {"type": "object", "additionalProperties": true}
}
}
}
}