package api // ProtectedSystemManifest describes a system that delegates authorization to // flex-auth. type ProtectedSystemManifest struct { ID string `json:"id" yaml:"id"` Name string `json:"name,omitempty" yaml:"name,omitempty"` Description string `json:"description,omitempty" yaml:"description,omitempty"` ResourceTypes []ResourceType `json:"resource_types,omitempty" yaml:"resource_types,omitempty"` Actions []ActionDefinition `json:"actions,omitempty" yaml:"actions,omitempty"` CaringProfiles []string `json:"caring_profiles,omitempty" yaml:"caring_profiles,omitempty"` Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"` } // ResourceType describes a resource namespace entry owned by a protected system. type ResourceType struct { Name string `json:"name" yaml:"name"` ParentTypes []string `json:"parent_types,omitempty" yaml:"parent_types,omitempty"` ScopeLevel ScopeLevel `json:"scope_level,omitempty" yaml:"scope_level,omitempty"` Planes []Plane `json:"planes,omitempty" yaml:"planes,omitempty"` Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"` } // ActionDefinition maps a protected-system action to CARING capabilities. type ActionDefinition struct { Name string `json:"name" yaml:"name"` Capabilities []Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty"` Planes []Plane `json:"planes,omitempty" yaml:"planes,omitempty"` ExposureModes []ExposureMode `json:"exposure_modes,omitempty" yaml:"exposure_modes,omitempty"` Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"` } // SubjectManifest declares subjects, groups, teams, and tenants for local // registry loading. 
type SubjectManifest struct {
	// ID identifies the manifest.
	ID string `json:"id" yaml:"id"`

	// Subjects, Groups, Teams, and Tenants are the entries the registry loads.
	Subjects []Subject `json:"subjects,omitempty" yaml:"subjects,omitempty"`
	Groups   []Group   `json:"groups,omitempty" yaml:"groups,omitempty"`
	Teams    []Team    `json:"teams,omitempty" yaml:"teams,omitempty"`
	Tenants  []Tenant  `json:"tenants,omitempty" yaml:"tenants,omitempty"`

	// Metadata is free-form and opaque to this package's types.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}

// Subject is an acting identity: a human, service, automation, agent, or any
// other SubjectType. This is the registry-side record; the request-time
// reference is the separate SubjectRef.
type Subject struct {
	// ID and Type are required.
	ID   string      `json:"id" yaml:"id"`
	Type SubjectType `json:"type" yaml:"type"`

	// DisplayName is a human-readable label.
	DisplayName string `json:"display_name,omitempty" yaml:"display_name,omitempty"`

	// OrganizationRelation is the subject's OrganizationRelation.
	OrganizationRelation OrganizationRelation `json:"organization_relation,omitempty" yaml:"organization_relation,omitempty"`

	// Roles are the subject's canonical roles. Groups, by contrast, are only
	// an assignment convenience (see Group).
	Roles []CanonicalRole `json:"roles,omitempty" yaml:"roles,omitempty"`

	// Groups lists the groups the subject belongs to (presumably Group.ID
	// values).
	Groups []string `json:"groups,omitempty" yaml:"groups,omitempty"`

	// Tenant, if set, names the subject's tenant (presumably a Tenant.ID).
	Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"`

	// Claims are free-form key/value claims stored with the subject.
	// NOTE(review): how registry claims relate to attributes presented at
	// request time (SubjectRef.Attributes) is not fixed in this file; a
	// policy that grants on a claim should know which source it trusts.
	Claims map[string]any `json:"claims,omitempty" yaml:"claims,omitempty"`

	// CaringDescriptors are the CARING access descriptors declared for the
	// subject.
	CaringDescriptors []CaringAccessDescriptor `json:"caring_descriptors,omitempty" yaml:"caring_descriptors,omitempty"`

	// Metadata is free-form and opaque to this package's types.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}

// Group is an assignment convenience for collecting members. It is not a
// canonical role and must not be read as one.
type Group struct {
	// ID identifies the group; it is the only required field.
	ID string `json:"id" yaml:"id"`

	// DisplayName is a human-readable label.
	DisplayName string `json:"display_name,omitempty" yaml:"display_name,omitempty"`

	// Members lists member identifiers (presumably Subject.ID values).
	// Subject.Groups records the same relation from the subject's side; this
	// file does not say which one wins if they disagree.
	Members []string `json:"members,omitempty" yaml:"members,omitempty"`

	// Tenant, if set, names the group's tenant.
	Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"`

	// CaringDescriptors are the CARING access descriptors declared for the
	// group.
	CaringDescriptors []CaringAccessDescriptor `json:"caring_descriptors,omitempty" yaml:"caring_descriptors,omitempty"`

	// Metadata is free-form and opaque to this package's types.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}

// Team is a group-like ownership unit used by protected systems.
type Team struct {
	// ID identifies the team; it is the only required field.
	ID string `json:"id" yaml:"id"`

	// DisplayName is a human-readable label.
	DisplayName string `json:"display_name,omitempty" yaml:"display_name,omitempty"`

	// Members lists member identifiers (presumably Subject.ID values).
	Members []string `json:"members,omitempty" yaml:"members,omitempty"`

	// Tenant, if set, names the team's tenant.
	Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"`

	// CaringDescriptors are the CARING access descriptors declared for the
	// team.
	CaringDescriptors []CaringAccessDescriptor `json:"caring_descriptors,omitempty" yaml:"caring_descriptors,omitempty"`

	// Metadata is free-form and opaque to this package's types.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}

// Tenant is a structural isolation boundary. Subjects, groups, teams,
// relationship facts, and request references all carry an optional tenant
// string that is expected to name one of these.
type Tenant struct {
	// ID identifies the tenant; it is the only required field.
	ID string `json:"id" yaml:"id"`

	// Name is a human-readable label.
	Name string `json:"name,omitempty" yaml:"name,omitempty"`

	// Metadata is free-form and opaque to this package's types.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}

// RelationshipFact records one Subject–Relation–Object triple between
// subjects, groups, teams, tenants, and resources, optionally qualified by
// conditions and a CARING descriptor.
type RelationshipFact struct {
	// ID identifies the fact.
	ID string `json:"id" yaml:"id"`

	// System, if set, names the protected system the fact belongs to.
	System string `json:"system,omitempty" yaml:"system,omitempty"`

	// Subject, Relation, and Object form the triple; all three are required.
	// They are plain strings here, so the referenced entities are not typed.
	Subject  string `json:"subject" yaml:"subject"`
	Relation string `json:"relation" yaml:"relation"`
	Object   string `json:"object" yaml:"object"`

	// Tenant, if set, scopes the fact to a tenant.
	Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"`

	// Conditions attaches Condition values to the fact.
	Conditions []Condition `json:"conditions,omitempty" yaml:"conditions,omitempty"`

	// Caring is an optional CARING descriptor attached to the fact.
	Caring *CaringAccessDescriptor `json:"caring,omitempty" yaml:"caring,omitempty"`

	// Provenance records where the fact came from. It is free-form here;
	// NOTE(review): anything that relies on it for audit has to pin down its
	// keys elsewhere.
	Provenance map[string]any `json:"provenance,omitempty" yaml:"provenance,omitempty"`

	// Metadata is free-form and opaque to this package's types.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}

// PolicyPackageMetadata is the frontmatter contract for Rego-in-Markdown
// policy packages.
type PolicyPackageMetadata struct {
	// ID identifies the policy package.
	ID string `json:"id" yaml:"id"`

	// Name and Namespace are optional labels.
	Name      string `json:"name,omitempty" yaml:"name,omitempty"`
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`

	// Version is required; it is presumably the value CheckRequest.PolicyVersion
	// pins and DecisionProvenance.PolicyVersion reports.
	Version string `json:"version" yaml:"version"`

	// Status is an optional lifecycle label; its vocabulary is not fixed here.
	Status string `json:"status,omitempty" yaml:"status,omitempty"`

	// Package is the Rego package the markdown body defines; required.
	Package string `json:"package" yaml:"package"`

	// Actions lists the action names the package covers.
	Actions []string `json:"actions,omitempty" yaml:"actions,omitempty"`

	// Owner is an optional ownership label.
	Owner string `json:"owner,omitempty" yaml:"owner,omitempty"`

	// Fixtures references the PolicyFixture entries that test the package;
	// whether the strings are fixture IDs or paths is not fixed here.
	Fixtures []string `json:"fixtures,omitempty" yaml:"fixtures,omitempty"`

	// Caring is the CARING envelope the package governs; required.
	Caring CaringPolicyMetadata `json:"caring" yaml:"caring"`

	// Activation is free-form activation configuration.
	Activation map[string]any `json:"activation,omitempty" yaml:"activation,omitempty"`

	// Metadata is free-form and opaque to this package's types.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}

// CaringPolicyMetadata declares the CARING envelope a policy governs: the
// profile it follows and the roles, relations, scopes, planes, capabilities,
// exposure modes, conditions, and restrictions it speaks about.
type CaringPolicyMetadata struct {
	// Profile names the CARING profile; it is the only required field.
	Profile string `json:"profile" yaml:"profile"`

	// Enforce is false unless the frontmatter sets it: the zero value is
	// false and omitempty drops it on output, so a package that omits
	// `enforce` loads with Enforce == false.
	// NOTE(review): if false means advisory/non-blocking, that is a fail-open
	// default — confirm the loader intends it rather than inherits it from
	// the zero value.
	Enforce bool `json:"enforce,omitempty" yaml:"enforce,omitempty"`

	// CanonicalRoles and OrganizationRelations are the subject-side
	// vocabulary the policy covers.
	CanonicalRoles        []CanonicalRole        `json:"canonical_roles,omitempty" yaml:"canonical_roles,omitempty"`
	OrganizationRelations []OrganizationRelation `json:"organization_relations,omitempty" yaml:"organization_relations,omitempty"`

	// Scopes, Planes, Capabilities, and ExposureModes are the resource- and
	// action-side vocabulary the policy covers.
	Scopes        []CaringScope  `json:"scopes,omitempty" yaml:"scopes,omitempty"`
	Planes        []Plane        `json:"planes,omitempty" yaml:"planes,omitempty"`
	Capabilities  []Capability   `json:"capabilities,omitempty" yaml:"capabilities,omitempty"`
	ExposureModes []ExposureMode `json:"exposure_modes,omitempty" yaml:"exposure_modes,omitempty"`

	// Conditions and Restrictions further qualify the envelope.
	Conditions   []Condition   `json:"conditions,omitempty" yaml:"conditions,omitempty"`
	Restrictions []Restriction `json:"restrictions,omitempty" yaml:"restrictions,omitempty"`

	// Metadata is free-form and opaque to this package's types.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}

// PolicyFixture binds a check request to the decision a policy is expected to
// produce for it.
type PolicyFixture struct {
	// ID identifies the fixture.
	ID string `json:"id" yaml:"id"`

	// Request is the CheckRequest under test; required.
	Request CheckRequest `json:"request" yaml:"request"`

	// Expect is the decision the policy must produce for Request; required.
	Expect DecisionExpectation `json:"expect" yaml:"expect"`

	// Metadata is free-form and opaque to this package's types.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}

// DecisionExpectation is the compact form of a decision used by fixtures: the
// effect plus the optional reason, obligations, and conformance findings a
// test asserts on. It carries none of DecisionEnvelope's provenance or
// diagnostics.
type DecisionExpectation struct {
	// Effect is the expected outcome; required.
	Effect DecisionEffect `json:"effect" yaml:"effect"`

	// Reason is the expected reason string, when the fixture asserts on it.
	Reason string `json:"reason,omitempty" yaml:"reason,omitempty"`

	// Obligations are the expected obligations, when asserted.
	Obligations []Obligation `json:"obligations,omitempty" yaml:"obligations,omitempty"`

	// ConformanceFindings are the expected CARING conformance findings, when
	// asserted.
	ConformanceFindings []CaringConformanceFinding `json:"conformance_findings,omitempty" yaml:"conformance_findings,omitempty"`
}

// CheckRequest is the stable, protected-system-facing request for a single
// decision: may Subject perform Action on Resource. Every field in it is
// supplied by the caller.
type CheckRequest struct {
	// ID is an optional caller-chosen request identifier (presumably echoed
	// back as DecisionEnvelope.RequestID).
	ID string `json:"id,omitempty" yaml:"id,omitempty"`

	// Subject, Action, and Resource are required.
	Subject  SubjectRef  `json:"subject" yaml:"subject"`
	Action   string      `json:"action" yaml:"action"`
	Resource ResourceRef `json:"resource" yaml:"resource"`

	// Context is free-form, caller-supplied input to the policy.
	// NOTE(review): nothing in this file marks it as verified; a policy that
	// grants on a Context key is trusting whoever assembled the request.
	Context map[string]any `json:"context,omitempty" yaml:"context,omitempty"`

	// CaringContext is an optional caller-supplied CARING descriptor for the
	// request; the same trust caveat as Context applies.
	CaringContext *CaringAccessDescriptor `json:"caring_context,omitempty" yaml:"caring_context,omitempty"`

	// PolicyVersion optionally pins the policy version to evaluate against.
	// NOTE(review): the pin is chosen by the caller; confirm the evaluator
	// rejects versions that are no longer active instead of evaluating a
	// retired package.
	PolicyVersion string `json:"policy_version,omitempty" yaml:"policy_version,omitempty"`
}

// BatchCheckRequest asks the same subject/action question about several
// resources at once. It mirrors CheckRequest except that it has no
// caring_context field.
type BatchCheckRequest struct {
	// ID is an optional caller-chosen request identifier.
	ID string `json:"id,omitempty" yaml:"id,omitempty"`

	// Subject, Action, and Resources are required.
	Subject   SubjectRef    `json:"subject" yaml:"subject"`
	Action    string        `json:"action" yaml:"action"`
	Resources []ResourceRef `json:"resources" yaml:"resources"`

	// Context is free-form, caller-supplied input to the policy and is not
	// verified by anything in this file.
	Context map[string]any `json:"context,omitempty" yaml:"context,omitempty"`

	// PolicyVersion optionally pins the policy version; it is caller-chosen.
	PolicyVersion string `json:"policy_version,omitempty" yaml:"policy_version,omitempty"`
}

// SubjectRef is the normalized subject reference used in request and decision
// shapes.
type SubjectRef struct {
	// ID is the subject identifier; required.
	ID string `json:"id" yaml:"id"`

	// Type is the optional SubjectType.
	Type SubjectType `json:"type,omitempty" yaml:"type,omitempty"`

	// Tenant, if set, names the subject's tenant.
	// NOTE(review): Tenant is the isolation boundary, yet it is optional in
	// this wire shape; confirm what the evaluator does with an empty tenant —
	// it should not read as "any tenant".
	Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"`

	// Attributes are free-form, caller-supplied subject attributes; nothing
	// in this file marks them as verified.
	Attributes map[string]any `json:"attributes,omitempty" yaml:"attributes,omitempty"`
}

// ResourceRef is the normalized resource reference used in request and
// decision shapes.
type ResourceRef struct {
	// ID is the resource identifier; required.
	ID string `json:"id" yaml:"id"`

	// Type is the resource type name (compare ResourceType.Name).
	Type string `json:"type,omitempty" yaml:"type,omitempty"`

	// System, if set, names the protected system that owns the resource.
	System string `json:"system,omitempty" yaml:"system,omitempty"`

	// Tenant, if set, names the resource's tenant; as with SubjectRef, an
	// empty value is allowed here and its meaning is decided by the evaluator.
	Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"`

	// Attributes are free-form, caller-supplied resource attributes; nothing
	// in this file marks them as verified.
	Attributes map[string]any `json:"attributes,omitempty" yaml:"attributes,omitempty"`
}

// DecisionEffect is the stable vocabulary of decision outcomes.
//
// NOTE(review): consumers should fail closed — treat anything other than
// DecisionEffectAllow, including an empty or unrecognised string, as not
// permitting the action. What redact, audit_only, and not_applicable require
// of a protected system is not defined in this file.
type DecisionEffect string

const (
	DecisionEffectAllow         DecisionEffect = "allow"
	DecisionEffectDeny          DecisionEffect = "deny"
	DecisionEffectRedact        DecisionEffect = "redact"
	DecisionEffectAuditOnly     DecisionEffect = "audit_only"
	DecisionEffectNotApplicable DecisionEffect = "not_applicable"
)

// DecisionEnvelope is the stable response produced by standalone and delegated
// evaluators.
type DecisionEnvelope struct {
	// ID identifies the decision (presumably what AuditEvent.DecisionID
	// refers to).
	ID string `json:"id" yaml:"id"`

	// RequestID presumably echoes CheckRequest.ID when the caller set one.
	RequestID string `json:"request_id,omitempty" yaml:"request_id,omitempty"`

	// Effect is the outcome; required. Consumers should treat anything other
	// than DecisionEffectAllow as non-permissive.
	Effect DecisionEffect `json:"effect" yaml:"effect"`

	// Reason is an optional human-readable explanation.
	Reason string `json:"reason,omitempty" yaml:"reason,omitempty"`

	// MatchedPolicyVersion and MatchedRule identify what produced Effect.
	MatchedPolicyVersion string `json:"matched_policy_version,omitempty" yaml:"matched_policy_version,omitempty"`
	MatchedRule          string `json:"matched_rule,omitempty" yaml:"matched_rule,omitempty"`

	// Resource and Subject restate what was decided about; both required.
	Resource ResourceRef `json:"resource" yaml:"resource"`
	Subject  SubjectRef  `json:"subject" yaml:"subject"`

	// Obligations are follow-up behaviours the decision requires of the
	// protected system.
	Obligations []Obligation `json:"obligations,omitempty" yaml:"obligations,omitempty"`

	// Diagnostics is free-form evaluator output.
	// NOTE(review): free-form diagnostics can leak policy internals to the
	// caller; confirm what the evaluator puts here before passing the
	// envelope beyond the protected system.
	Diagnostics map[string]any `json:"diagnostics,omitempty" yaml:"diagnostics,omitempty"`

	// Provenance records which evaluator and policy produced the decision;
	// required.
	Provenance DecisionProvenance `json:"provenance" yaml:"provenance"`

	// Caring carries CARING descriptor and conformance details, if any.
	Caring *CaringDecisionMetadata `json:"caring,omitempty" yaml:"caring,omitempty"`
}

// Obligation is a follow-up behaviour a decision requires of the protected
// system, identified by Type with free-form Parameters.
type Obligation struct {
	// Type names the obligation; required. The vocabulary is not fixed here.
	Type string `json:"type" yaml:"type"`

	// Parameters are free-form and keyed per obligation type.
	Parameters map[string]any `json:"parameters,omitempty" yaml:"parameters,omitempty"`
}

// DecisionProvenance records which evaluator, in which mode, applied which
// policy to produce a decision.
type DecisionProvenance struct {
	// Evaluator and Mode are required; their vocabularies are not fixed here.
	Evaluator string `json:"evaluator" yaml:"evaluator"`
	Mode      string `json:"mode" yaml:"mode"`

	// PolicyPackage and PolicyVersion identify the policy that was applied
	// (compare PolicyPackageMetadata.Package and .Version).
	PolicyPackage string `json:"policy_package,omitempty" yaml:"policy_package,omitempty"`
	PolicyVersion string `json:"policy_version,omitempty" yaml:"policy_version,omitempty"`

	// DirectoryETag identifies the directory state the decision was made
	// against.
	DirectoryETag string `json:"directory_etag,omitempty" yaml:"directory_etag,omitempty"`

	// DecisionTime is the decision time as a string; this file does not fix
	// its format (RFC 3339 would be the usual choice — confirm).
	DecisionTime string `json:"decision_time,omitempty" yaml:"decision_time,omitempty"`
}

// CaringDecisionMetadata carries the CARING descriptor and conformance details
// that accompany a decision envelope.
type CaringDecisionMetadata struct {
	// Profile names the CARING profile the decision was evaluated under;
	// required.
	Profile string `json:"profile" yaml:"profile"`

	// Descriptor is the CARING access descriptor that applied, if any.
	Descriptor *CaringAccessDescriptor `json:"descriptor,omitempty" yaml:"descriptor,omitempty"`

	// RestrictionsEvaluated lists the restrictions the evaluator considered.
	RestrictionsEvaluated []Restriction `json:"restrictions_evaluated,omitempty" yaml:"restrictions_evaluated,omitempty"`

	// ExposureModes lists the exposure modes reported for the decision.
	ExposureModes []ExposureMode `json:"exposure_modes,omitempty" yaml:"exposure_modes,omitempty"`

	// DerivedCapabilities lists capabilities the evaluator derived.
	DerivedCapabilities []CaringDerivedCapability `json:"derived_capabilities,omitempty" yaml:"derived_capabilities,omitempty"`

	// ConformanceFindings lists CARING conformance findings.
	ConformanceFindings []CaringConformanceFinding `json:"conformance_findings,omitempty" yaml:"conformance_findings,omitempty"`

	// ExposureEvent is the exposure event raised by the decision, if any.
	ExposureEvent *CaringExposureEvent `json:"exposure_event,omitempty" yaml:"exposure_event,omitempty"`
}

// AuditEvent is the local log record for decisions and exposure events.
type AuditEvent struct {
	// ID identifies the event and Type names its kind; both are required.
	// The Type vocabulary is not fixed here.
	ID   string `json:"id" yaml:"id"`
	Type string `json:"type" yaml:"type"`

	// DecisionID links the event to a decision (presumably
	// DecisionEnvelope.ID) when it records one.
	DecisionID string `json:"decision_id,omitempty" yaml:"decision_id,omitempty"`

	// Subject is always present.
	Subject SubjectRef `json:"subject" yaml:"subject"`

	// Resource is the resource the event concerns. Note that encoding/json
	// ignores omitempty on a non-pointer struct value, so a zero ResourceRef
	// is still emitted as {"id":""} in JSON, whereas a YAML library that
	// honours omitempty on zero structs (yaml.v3 does) will drop it — the
	// two encodings differ here. Switching to *ResourceRef, or to omitzero
	// on Go 1.24+, would fix the JSON side but changes the field for
	// existing callers, so it is left as is.
	Resource ResourceRef `json:"resource,omitempty" yaml:"resource,omitempty"`

	// Action and Effect restate the decision, when present.
	Action string         `json:"action,omitempty" yaml:"action,omitempty"`
	Effect DecisionEffect `json:"effect,omitempty" yaml:"effect,omitempty"`

	// Timestamp is the event time as a string; this file does not fix its
	// format.
	Timestamp string `json:"timestamp,omitempty" yaml:"timestamp,omitempty"`

	// ExposureEvent is attached for exposure events.
	ExposureEvent *CaringExposureEvent `json:"exposure_event,omitempty" yaml:"exposure_event,omitempty"`

	// Metadata is free-form and opaque to this package's types.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}