package api

// CaringProfileCaring040RC2 is the executable profile identifier for the
// CARING 0.4.0-RC2 standard pinned by flex-auth.
//
// The value is a wire string (presumably what a descriptor's Profile field is
// compared against during validation — confirm against the validator), so
// editing it invalidates every persisted descriptor that carries the old value.
const CaringProfileCaring040RC2 = "caring-0.4.0-rc2"

// SubjectType is the CARING subject dimension: the kind of principal that holds
// an access assignment. Every serialized value is the constant name without the
// SubjectType prefix and is case-sensitive on the wire.
type SubjectType string

const (
	// Identified principals.
	SubjectTypeHuman        SubjectType = "Human"
	SubjectTypeGroup        SubjectType = "Group"
	SubjectTypeOrganization SubjectType = "Organization"

	// Non-human principals. NOTE(review): several of these overlap by name
	// (Service vs System, Automation vs Agent vs Process); the rule that tells
	// them apart is not defined in this file.
	SubjectTypeService    SubjectType = "Service"
	SubjectTypeAutomation SubjectType = "Automation"
	SubjectTypeAgent      SubjectType = "Agent"
	SubjectTypeSystem     SubjectType = "System"
	SubjectTypeDevice     SubjectType = "Device"
	SubjectTypeProcess    SubjectType = "Process"

	// Unidentified principals (by name: Anonymous is unauthenticated, Unknown
	// is undetermined — the semantics are not defined here).
	SubjectTypeAnonymous SubjectType = "Anonymous"
	SubjectTypeUnknown   SubjectType = "Unknown"
)

// OrganizationRelation is the CARING organization-relation dimension: how the
// subject's organization relates to the party whose resources are accessed.
// Serialized values are the constant name without the OrganizationRelation
// prefix.
type OrganizationRelation string

const (
	OrganizationRelationVendor          OrganizationRelation = "Vendor"
	OrganizationRelationServiceProvider OrganizationRelation = "ServiceProvider"
	OrganizationRelationDistributor     OrganizationRelation = "Distributor"
	OrganizationRelationConsultant      OrganizationRelation = "Consultant"
	OrganizationRelationCustomer        OrganizationRelation = "Customer"
	OrganizationRelationCommunity       OrganizationRelation = "Community"
	OrganizationRelationAuthority       OrganizationRelation = "Authority"
	// Unknown is the catch-all when the relation has not been established.
	OrganizationRelationUnknown OrganizationRelation = "Unknown"
)

// CanonicalRole is the CARING lifecycle responsibility posture: the kind of
// responsibility the subject carries toward the thing it accesses, independent
// of the concrete capabilities granted. Serialized values are the constant name
// without the CanonicalRole prefix.
type CanonicalRole string

const (
	CanonicalRoleCreator    CanonicalRole = "Creator"
	CanonicalRoleBuilder    CanonicalRole = "Builder"
	CanonicalRoleVerifier   CanonicalRole = "Verifier"
	CanonicalRoleMaintainer CanonicalRole = "Maintainer"
	CanonicalRoleIntegrator CanonicalRole = "Integrator"
	CanonicalRoleOperator   CanonicalRole = "Operator"
	CanonicalRoleManager    CanonicalRole = "Manager"
	CanonicalRoleCoach      CanonicalRole = "Coach"
	CanonicalRoleDoer       CanonicalRole = "Doer"
)

// ScopeLevel is the CARING scope ladder.
type ScopeLevel string

const (
	// The levels are listed from broadest to narrowest (by name, in the order
	// the standard gives them). The type itself carries no ordering, so any
	// "is wider than" comparison must be implemented explicitly rather than
	// derived from string comparison.
	ScopeLevelEcosystem   ScopeLevel = "Ecosystem"
	ScopeLevelProduct     ScopeLevel = "Product"
	ScopeLevelPlatform    ScopeLevel = "Platform"
	ScopeLevelCluster     ScopeLevel = "Cluster"
	ScopeLevelEnvironment ScopeLevel = "Environment"
	ScopeLevelTenant      ScopeLevel = "Tenant"
	ScopeLevelNamespace   ScopeLevel = "Namespace"
	ScopeLevelDomain      ScopeLevel = "Domain"
	ScopeLevelWorkspace   ScopeLevel = "Workspace"
	ScopeLevelProject     ScopeLevel = "Project"
	ScopeLevelProcess     ScopeLevel = "Process"
	ScopeLevelDataset     ScopeLevel = "Dataset"
	ScopeLevelResource    ScopeLevel = "Resource"
	ScopeLevelSubresource ScopeLevel = "Subresource"
	ScopeLevelRecord      ScopeLevel = "Record"
	ScopeLevelField       ScopeLevel = "Field"
	ScopeLevelAction      ScopeLevel = "Action"
)

// Plane is the CARING access-surface dimension: which face of the system an
// assignment touches. Descriptors carry a list of planes (see
// CaringAccessDescriptor.Planes). Serialized values are the constant name
// without the Plane prefix.
type Plane string

const (
	PlaneIntent        Plane = "Intent"
	PlaneBuild         Plane = "Build"
	PlaneRuntime       Plane = "Runtime"
	PlaneExecution     Plane = "Execution"
	PlaneConfiguration Plane = "Configuration"
	PlaneData          Plane = "Data"

	// Identity, Policy, Secret and Audit name the control surfaces of an
	// authorization system itself; by name, access on them changes who can
	// reach what, the secrets that protect it, or the record of what happened.
	// NOTE(review): whether descriptive/prescriptive validation treats these
	// planes as sensitive is not established in this file.
	PlaneIdentity Plane = "Identity"
	PlanePolicy   Plane = "Policy"
	PlaneSecret   Plane = "Secret"
	PlaneAudit    Plane = "Audit"

	PlaneCommercial Plane = "Commercial"
	PlaneCommunity  Plane = "Community"
)

// Capability is a CARING capability verb.
type Capability string

// The verbs are grouped below by what their names suggest. Only the string
// values are defined here; which verbs imply others, and which are considered
// privileged, is decided by the validator and policy layers, not by this type.
const (
	// Read-only observation.
	CapabilityView           Capability = "View"
	CapabilityViewCollection Capability = "ViewCollection"
	CapabilityObserve        Capability = "Observe"

	// Creation and mutation. The Own/Assigned/Any suffixes narrow the set of
	// objects the verb applies to (by name; the ownership model is not defined
	// here).
	CapabilityCreate       Capability = "Create"
	CapabilityEditOwn      Capability = "EditOwn"
	CapabilityEditAssigned Capability = "EditAssigned"
	CapabilityEditAny      Capability = "EditAny"
	CapabilityDeleteOwn    Capability = "DeleteOwn"
	CapabilityDeleteAny    Capability = "DeleteAny"
	CapabilityBulkDelete   Capability = "BulkDelete"

	// Workflow and content lifecycle.
	CapabilitySubmit  Capability = "Submit"
	CapabilityComment Capability = "Comment"
	CapabilityReview  Capability = "Review"
	CapabilityApprove Capability = "Approve"
	CapabilityReject  Capability = "Reject"
	CapabilityPublish Capability = "Publish"
	CapabilityArchive Capability = "Archive"
	CapabilityRestore Capability = "Restore"

	// Operational verbs.
	CapabilityExecute   Capability = "Execute"
	CapabilityConfigure Capability = "Configure"
	CapabilityOperate   Capability = "Operate"
	CapabilityDeploy    Capability = "Deploy"
	CapabilityIntegrate Capability = "Integrate"

	// Authority-changing verbs: by name these alter who holds access rather
	// than what is done with it. NOTE(review): Impersonate in particular lets
	// one subject act as another; the Restriction type has a matching
	// ImpersonationBlocked value, but the enforcement link is made elsewhere.
	CapabilityGrant       Capability = "Grant"
	CapabilityRevoke      Capability = "Revoke"
	CapabilityDelegate    Capability = "Delegate"
	CapabilityImpersonate Capability = "Impersonate"

	// Data movement.
	CapabilityExport    Capability = "Export"
	CapabilityImport    Capability = "Import"
	CapabilityReplicate Capability = "Replicate"

	// Cryptographic and masking operations.
	CapabilityEncrypt Capability = "Encrypt"
	CapabilityDecrypt Capability = "Decrypt"
	CapabilityMask    Capability = "Mask"

	// Oversight.
	CapabilityInspect Capability = "Inspect"
	CapabilityAudit   Capability = "Audit"

	// Exceptional verbs that, by name, step outside normal policy.
	CapabilityOverride Capability = "Override"
	CapabilityEscalate Capability = "Escalate"

	// Binding and consumption.
	CapabilityBind Capability = "Bind"
	CapabilityUse  Capability = "Use"
)

// ExposureMode describes how much information becomes visible or extractable.
type ExposureMode string

const (
	// Listed roughly from least to most exposing by name. No ordering is
	// enforced by the type; a policy that needs "at most Masked" has to
	// encode the ranking itself.
	ExposureModeNone         ExposureMode = "None"
	ExposureModeMetadata     ExposureMode = "Metadata"
	ExposureModeMasked       ExposureMode = "Masked"
	ExposureModeAggregated   ExposureMode = "Aggregated"
	ExposureModeSynthetic    ExposureMode = "Synthetic"
	ExposureModePseudonymous ExposureMode = "Pseudonymous"
	ExposureModeEncrypted    ExposureMode = "Encrypted"
	ExposureModePlaintext    ExposureMode = "Plaintext"
	// SecretMaterial, Exportable and CrossTenantAggregate are the modes whose
	// names describe data leaving its protection boundary (key material,
	// bulk extraction, data spanning tenants).
	ExposureModeSecretMaterial       ExposureMode = "SecretMaterial"
	ExposureModeExportable           ExposureMode = "Exportable"
	ExposureModeCrossTenantAggregate ExposureMode = "CrossTenantAggregate"
)

// Condition is a CARING runtime or governance condition: a prerequisite or
// constraint attached to an assignment (see CaringAccessDescriptor.Conditions).
// Only the labels are defined here; nothing in this file evaluates them.
type Condition string

const (
	// Authentication and posture of the requesting subject.
	ConditionMFARequired    Condition = "MFARequired"
	ConditionDeviceTrusted  Condition = "DeviceTrusted"
	ConditionNetworkTrusted Condition = "NetworkTrusted"

	// Approvals that must exist before access is exercised.
	ConditionTicketRequired           Condition = "TicketRequired"
	ConditionTenantConsentRequired    Condition = "TenantConsentRequired"
	ConditionCustomerApprovalRequired Condition = "CustomerApprovalRequired"
	ConditionDualApprovalRequired     Condition = "DualApprovalRequired"

	// Temporal limits.
	ConditionTimeLimited       Condition = "TimeLimited"
	ConditionBusinessHoursOnly Condition = "BusinessHoursOnly"
	ConditionEmergencyOnly     Condition = "EmergencyOnly"

	// Contractual or competence prerequisites.
	ConditionTrainingRequired Condition = "TrainingRequired"
	ConditionContractRequired Condition = "ContractRequired"
	ConditionNDARequired      Condition = "NDARequired"

	// Binding: access is tied to a specific purpose, case, environment,
	// namespace, pipeline or change window (by name).
	ConditionPurposeBound      Condition = "PurposeBound"
	ConditionCaseBound         Condition = "CaseBound"
	ConditionEnvironmentBound  Condition = "EnvironmentBound"
	ConditionNamespaceBound    Condition = "NamespaceBound"
	ConditionPipelineBound     Condition = "PipelineBound"
	ConditionChangeWindowBound Condition = "ChangeWindowBound"

	// Accountability: access is permitted but must be logged, recorded,
	// announced or reviewed.
	ConditionLogged               Condition = "Logged"
	ConditionRecorded             Condition = "Recorded"
	ConditionNotificationRequired Condition = "NotificationRequired"
	ConditionPostReviewRequired   Condition = "PostReviewRequired"
	ConditionHumanReviewRequired  Condition = "HumanReviewRequired"
	ConditionPolicyReviewRequired Condition = "PolicyReviewRequired"

	// Non-human subjects must present a workload identity (by name).
	ConditionWorkloadIdentityRequired Condition = "WorkloadIdentityRequired"
)

// LifecycleState describes why access exists now: the phase of the subject's
// or resource's lifecycle that justifies the assignment. Serialized values are
// the constant name without the LifecycleState prefix.
type LifecycleState string

const (
	LifecycleStateDesign    LifecycleState = "Design"
	LifecycleStateBuild     LifecycleState = "Build"
	LifecycleStateTest      LifecycleState = "Test"
	LifecycleStateReview    LifecycleState = "Review"
	LifecycleStateRelease   LifecycleState = "Release"
	LifecycleStateOnboard   LifecycleState = "Onboard"
	LifecycleStateIntegrate LifecycleState = "Integrate"
	LifecycleStateMigrate   LifecycleState = "Migrate"
	LifecycleStateOperate   LifecycleState = "Operate"
	LifecycleStateSupport   LifecycleState = "Support"
	LifecycleStateImprove   LifecycleState = "Improve"
	LifecycleStateDeprecate LifecycleState = "Deprecate"
	LifecycleStateArchive   LifecycleState = "Archive"
	// Incident, Legal and Terminate are exceptional phases by name; the
	// ExposureEventType values X-Incident and X-LegalDemand cover the
	// corresponding irregular access.
	LifecycleStateIncident  LifecycleState = "Incident"
	LifecycleStateLegal     LifecycleState = "Legal"
	LifecycleStateTerminate LifecycleState = "Terminate"
)

// Restriction is an overriding CARING deny or limiting policy effect.
type Restriction string

// Restrictions are deny-side effects: per the type's doc comment they override
// whatever the capabilities would otherwise allow. Several values pair with a
// capability of the opposite sense (ExportBlocked/Export,
// ImpersonationBlocked/Impersonate, SecretAccessBlocked/PlaneSecret,
// PrivilegeEscalationBlocked/Escalate); the precedence is applied by the
// validator, not here.
const (
	// Blanket denials on the subject.
	RestrictionNoAccess    Restriction = "NoAccess"
	RestrictionSuspended   Restriction = "Suspended"
	RestrictionTerminated  Restriction = "Terminated"
	RestrictionQuarantined Restriction = "Quarantined"

	// Denials scoped to particular data or scopes.
	RestrictionScopeExcluded       Restriction = "ScopeExcluded"
	RestrictionDataClassRestricted Restriction = "DataClassRestricted"
	RestrictionLegalHold           Restriction = "LegalHold"

	// Denials of specific high-risk operations.
	RestrictionExportBlocked              Restriction = "ExportBlocked"
	RestrictionImpersonationBlocked       Restriction = "ImpersonationBlocked"
	RestrictionCrossTenantBlocked         Restriction = "CrossTenantBlocked"
	RestrictionSecretAccessBlocked        Restriction = "SecretAccessBlocked"
	RestrictionPolicyFrozen               Restriction = "PolicyFrozen"
	RestrictionEmergencyLocked            Restriction = "EmergencyLocked"
	RestrictionRiskDenied                 Restriction = "RiskDenied"
	RestrictionExecutionBlocked           Restriction = "ExecutionBlocked"
	RestrictionWorkloadCreationBlocked    Restriction = "WorkloadCreationBlocked"
	RestrictionPrivilegeEscalationBlocked Restriction = "PrivilegeEscalationBlocked"
)

// ExposureEventType is a CARING exceptional or irregular access class.
//
// Unlike the other enumerations in this file, the wire values carry an "X-"
// prefix and the constant names drop the "Type" suffix (ExposureEventSupport,
// not ExposureEventTypeSupport). Compare against the constants, never against
// the bare class name.
type ExposureEventType string

const (
	// Sanctioned but irregular access.
	ExposureEventSupport         ExposureEventType = "X-Support"
	ExposureEventBreakGlass      ExposureEventType = "X-BreakGlass"
	ExposureEventSecurityTest    ExposureEventType = "X-SecurityTest"
	ExposureEventIncident        ExposureEventType = "X-Incident"
	ExposureEventLegalDemand     ExposureEventType = "X-LegalDemand"
	ExposureEventComplianceAudit ExposureEventType = "X-ComplianceAudit"
	ExposureEventMigration       ExposureEventType = "X-Migration"
	ExposureEventRecovery        ExposureEventType = "X-Recovery"

	// Unsanctioned or unintended exposure, recorded for detection and
	// post-review. InducedAccess pairs with AccessPathInduced below.
	ExposureEventAdversarial         ExposureEventType = "X-Adversarial"
	ExposureEventMisconfiguration    ExposureEventType = "X-Misconfiguration"
	ExposureEventInducedAccess       ExposureEventType = "X-InducedAccess"
	ExposureEventPrivilegeEscalation ExposureEventType = "X-PrivilegeEscalation"
)

// AccessPath describes how access is exercised.
type AccessPath string

// NOTE: these wire values are lowercase, unlike every other enumeration in this
// file. Code that normalizes case for the other types must not assume the same
// convention here.
const (
	AccessPathDirect    AccessPath = "direct"
	AccessPathDelegated AccessPath = "delegated"
	AccessPathMediated  AccessPath = "mediated"
	// Induced access is exercised through another party's grant; it is the
	// path that ExposureEventInducedAccess records.
	AccessPathInduced AccessPath = "induced"
)

// CaringScope identifies where a CARING descriptor applies.
//
// Level and ID are always serialized; the remaining fields are omitted when
// empty. The meaning of Parent, Tenant and Resource relative to ID (for
// instance whether Parent is the ID of the enclosing scope) is not defined in
// this file — confirm against the validator before relying on it.
type CaringScope struct {
	// Level is the rung on the scope ladder that ID names.
	Level ScopeLevel `json:"level" yaml:"level"`
	// ID identifies the scope at Level.
	ID string `json:"id" yaml:"id"`
	// Parent is an optional reference to an enclosing scope (presumably its ID).
	Parent string `json:"parent,omitempty" yaml:"parent,omitempty"`
	// Tenant is an optional tenant identifier.
	Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"`
	// Resource is an optional resource identifier.
	Resource string `json:"resource,omitempty" yaml:"resource,omitempty"`
	// Attributes carries free-form, schema-less extra data. Nothing in this
	// file validates its keys or values.
	Attributes map[string]any `json:"attributes,omitempty" yaml:"attributes,omitempty"`
}

// CaringAccessDescriptor is the executable flex-auth representation of a
// CARING access assignment.
//
// Fields without omitempty (Profile, SubjectType, OrganizationRelation,
// CanonicalRole, Scope, Planes, Capabilities) are always serialized. Because
// Planes and Capabilities lack omitempty, a nil slice encodes as JSON null
// rather than []; consumers should treat null and an empty list alike.
type CaringAccessDescriptor struct {
	// ID is an optional identifier for the descriptor itself.
	ID string `json:"id,omitempty" yaml:"id,omitempty"`
	// Profile names the CARING profile the descriptor conforms to
	// (presumably CaringProfileCaring040RC2 — confirm against the validator).
	Profile string `json:"profile" yaml:"profile"`
	// SubjectType, OrganizationRelation and CanonicalRole are the three
	// subject-side dimensions of the assignment.
	SubjectType          SubjectType          `json:"subject_type" yaml:"subject_type"`
	OrganizationRelation OrganizationRelation `json:"organization_relation" yaml:"organization_relation"`
	CanonicalRole        CanonicalRole        `json:"canonical_role" yaml:"canonical_role"`
	// Scope is where the assignment applies.
	Scope CaringScope `json:"scope" yaml:"scope"`
	// Planes and Capabilities are the access surfaces and verbs granted.
	Planes       []Plane      `json:"planes" yaml:"planes"`
	Capabilities []Capability `json:"capabilities" yaml:"capabilities"`
	// ExposureModes bounds how much information the grant can reveal.
	ExposureModes []ExposureMode `json:"exposure_modes,omitempty" yaml:"exposure_modes,omitempty"`
	// Conditions are the prerequisites and constraints attached to the grant.
	Conditions []Condition `json:"conditions,omitempty" yaml:"conditions,omitempty"`
	// LifecycleState records why the access exists now.
	LifecycleState LifecycleState `json:"lifecycle_state,omitempty" yaml:"lifecycle_state,omitempty"`
	// Restrictions are overriding deny effects that take precedence over
	// Capabilities (per the Restriction doc comment).
	Restrictions []Restriction `json:"restrictions,omitempty" yaml:"restrictions,omitempty"`
	// ExposureEvent classifies the grant as exceptional/irregular when set.
	ExposureEvent ExposureEventType `json:"exposure_event,omitempty" yaml:"exposure_event,omitempty"`
	// DerivedCapabilities lists effective authority this grant creates beyond
	// Capabilities (see CaringDerivedCapability).
	DerivedCapabilities []CaringDerivedCapability `json:"derived_capabilities,omitempty" yaml:"derived_capabilities,omitempty"`
	// AccessPath is how the access is exercised (direct, delegated, ...).
	AccessPath AccessPath `json:"access_path,omitempty" yaml:"access_path,omitempty"`
	// Metadata carries free-form, schema-less extra data that is not validated
	// here.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}

// CaringDerivedCapability records effective authority created by another grant.
// It is the place to make transitive power explicit — for example, what a
// Grant or Delegate verb lets the holder obtain — so that reviewers see the
// whole reach of an assignment, not only its literal Capabilities.
type CaringDerivedCapability struct {
	// Capability is the verb that becomes effectively available.
	Capability Capability `json:"capability" yaml:"capability"`
	// Reason explains why the derivation holds; always serialized.
	Reason string `json:"reason" yaml:"reason"`
	// Source optionally names the grant the capability derives from.
	Source string `json:"source,omitempty" yaml:"source,omitempty"`
	// Planes and ExposureModes optionally narrow where, and how exposing, the
	// derived capability is.
	Planes        []Plane        `json:"planes,omitempty" yaml:"planes,omitempty"`
	ExposureModes []ExposureMode `json:"exposure_modes,omitempty" yaml:"exposure_modes,omitempty"`
}

// CaringConformanceFinding is a diagnostic emitted by descriptive or
// prescriptive CARING validation.
//
// Severity is a free-form string; no enumeration of allowed severities is
// defined in this file, so consumers should not assume a fixed set.
type CaringConformanceFinding struct {
	// Code is a stable, machine-readable identifier for the finding.
	Code string `json:"code" yaml:"code"`
	// Severity is the finding's severity label (free-form here).
	Severity string `json:"severity" yaml:"severity"`
	// Message is the human-readable explanation.
	Message string `json:"message" yaml:"message"`
	// Fields optionally names the descriptor fields the finding concerns.
	Fields []string `json:"fields,omitempty" yaml:"fields,omitempty"`
	// Descriptor optionally identifies the descriptor the finding is about
	// (presumably its ID).
	Descriptor string `json:"descriptor,omitempty" yaml:"descriptor,omitempty"`
	// Metadata carries free-form, schema-less extra data.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}

// CaringExposureEvent records exceptional or irregular information exposure.
type CaringExposureEvent struct {
	// ID, Type, Actor, Subject and Reason are always serialized; they are the
	// minimum needed to answer who did what, to whom, and why.
	ID      string            `json:"id" yaml:"id"`
	Type    ExposureEventType `json:"type" yaml:"type"`
	Actor   string            `json:"actor" yaml:"actor"`
	Subject string            `json:"subject" yaml:"subject"`
	// Descriptor is the assignment under which the exposure happened, if any.
	// It is a pointer so an event can be recorded without a descriptor (for
	// instance for X-Misconfiguration or X-Adversarial); the struct is copied
	// by reference, so callers that mutate it after recording change the event.
	Descriptor *CaringAccessDescriptor `json:"descriptor,omitempty" yaml:"descriptor,omitempty"`
	// Scope optionally narrows where the exposure occurred.
	Scope *CaringScope `json:"scope,omitempty" yaml:"scope,omitempty"`
	// Planes, CapabilitiesUsed, DerivedCapabilities and ExposureModes describe
	// what was actually exercised, which may differ from what Descriptor grants.
	Planes              []Plane                   `json:"planes,omitempty" yaml:"planes,omitempty"`
	CapabilitiesUsed    []Capability              `json:"capabilities_used,omitempty" yaml:"capabilities_used,omitempty"`
	DerivedCapabilities []CaringDerivedCapability `json:"derived_capabilities,omitempty" yaml:"derived_capabilities,omitempty"`
	ExposureModes       []ExposureMode            `json:"exposure_modes,omitempty" yaml:"exposure_modes,omitempty"`
	// Reason is the justification given for the access; always serialized.
	Reason string `json:"reason" yaml:"reason"`
	// AuthoritySource and Approval optionally record who authorized the access
	// and the approval reference.
	AuthoritySource string `json:"authority_source,omitempty" yaml:"authority_source,omitempty"`
	Approval        string `json:"approval,omitempty" yaml:"approval,omitempty"`
	// StartTime and EndTime are plain strings; no timestamp format is fixed
	// by this file (presumably RFC 3339 — confirm with producers before
	// comparing or sorting on them).
	StartTime string `json:"start_time,omitempty" yaml:"start_time,omitempty"`
	EndTime   string `json:"end_time,omitempty" yaml:"end_time,omitempty"`
	// ResourcesAccessed and Evidence are free-form references supporting
	// post-review.
	ResourcesAccessed []string `json:"resources_accessed,omitempty" yaml:"resources_accessed,omitempty"`
	Evidence          []string `json:"evidence,omitempty" yaml:"evidence,omitempty"`
	// NotificationStatus and PostReview track the accountability follow-up
	// (cf. ConditionNotificationRequired and ConditionPostReviewRequired).
	// Both are free-form strings; no state enumeration is defined here.
	NotificationStatus string `json:"notification_status,omitempty" yaml:"notification_status,omitempty"`
	PostReview         string `json:"post_review,omitempty" yaml:"post_review,omitempty"`
	// ConformanceFindings holds validation diagnostics attached to the event.
	ConformanceFindings []CaringConformanceFinding `json:"conformance_findings,omitempty" yaml:"conformance_findings,omitempty"`
	// Metadata carries free-form, schema-less extra data.
	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
}