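# Authorization decision fixtures for the markitect-tool system.
# Each entry pairs a `request` (subject, action, resource, optional context
# and caring_context) with the decision the policy engine is expected to
# return (`expect`) and harness-side expectations (`metadata`).
#
# NOTE(review): the block structure below was restored from a listing whose
# line breaks and indentation had been lost. Three placements are inferred
# and should be confirmed against the fixture schema: `trust_zone` under
# `resource.attributes`, `tenant` under `caring_context.scope`, and
# `caring_context` under `request`.
#
# NOTE(review): every fixture visible here uses tenant:alpha for both the
# subject and the resource. If no cross-tenant deny case exists elsewhere in
# the suite, add one.

# Public document read by an unauthenticated-style visitor: allowed.
- id: fixture:markitect-public-document-allow
  request:
    id: check:markitect-public-document
    subject:
      id: user:visitor
      type: Human
      tenant: tenant:alpha
    action: read
    resource:
      id: document:public-note
      type: document
      system: markitect-tool
      tenant: tenant:alpha
      attributes:
        labels:
          - public
        trust_zone: public
    caring_context:
      id: descriptor:public-document-reader
      profile: caring-0.4.0-rc2
      subject_type: Human
      organization_relation: Customer
      canonical_role: Doer
      scope:
        level: Resource
        id: document:public-note
        tenant: tenant:alpha
      planes:
        - Data
      capabilities:
        - View
      exposure_modes:
        - Plaintext
      conditions:
        - Logged
  expect:
    effect: allow
    reason: public_document
  metadata:
    expected_caring_descriptor: descriptor:public-document-reader
    expected_conformance_findings: []
    expected_exposure_modes:
      - Plaintext
    expected_audit_behavior: sampled_allow

# Same visitor, internal document, no group membership: denied.
# The reason `no_matching_rule` indicates the deny comes from the absence of
# any allow rule rather than from an explicit deny rule.
- id: fixture:markitect-internal-document-deny
  request:
    id: check:markitect-internal-document-deny
    subject:
      id: user:visitor
      type: Human
      tenant: tenant:alpha
      attributes:
        groups: []
    action: read
    resource:
      id: document:internal-note
      type: document
      system: markitect-tool
      tenant: tenant:alpha
      attributes:
        labels:
          - internal
        trust_zone: internal
  expect:
    effect: deny
    reason: no_matching_rule
  metadata:
    # No descriptor is expected on a deny.
    expected_caring_descriptor: null
    expected_conformance_findings: []
    expected_exposure_modes:
      # Quoted so it is read as the literal string, not mistaken for null.
      - 'None'
    # Denies are always audited, unlike the sampled allows above and below.
    expected_audit_behavior: always_record

# Member of group:platform-architecture reads the same internal document:
# allowed, with export blocked by the descriptor's restrictions.
- id: fixture:markitect-internal-document-reader-allow
  request:
    id: check:markitect-internal-document-reader
    subject:
      id: user:alice
      type: Human
      tenant: tenant:alpha
      attributes:
        groups:
          - group:platform-architecture
    action: read
    resource:
      id: document:internal-note
      type: document
      system: markitect-tool
      tenant: tenant:alpha
      attributes:
        labels:
          - internal
        trust_zone: internal
    caring_context:
      id: descriptor:internal-document-reader
      profile: caring-0.4.0-rc2
      subject_type: Human
      organization_relation: Customer
      canonical_role: Doer
      scope:
        level: Resource
        id: document:internal-note
        tenant: tenant:alpha
      planes:
        - Data
      capabilities:
        - View
      exposure_modes:
        - Masked
        - Plaintext
      conditions:
        - Logged
      restrictions:
        - ExportBlocked
  expect:
    effect: allow
    reason: reader_group
  metadata:
    expected_caring_descriptor: descriptor:internal-document-reader
    expected_conformance_findings: []
    expected_exposure_modes:
      - Masked
      - Plaintext
    expected_audit_behavior: sampled_allow

# Steward exports a review bundle to an external trust zone with MFA: allowed
# and always audited.
# NOTE(review): only the positive case is visible in this listing. The finding
# message says export requires steward role, MFA, and logging; if not covered
# elsewhere, add deny fixtures for `mfa: false`, for a missing `mfa` key, and
# for a subject without the steward role, so each condition is proven
# necessary.
- id: fixture:markitect-restricted-export-steward-mfa
  request:
    id: check:markitect-restricted-export
    subject:
      id: user:steward
      type: Human
      tenant: tenant:alpha
      attributes:
        roles:
          - steward
    action: export
    resource:
      id: export:internal-note-review-bundle
      type: export
      system: markitect-tool
      tenant: tenant:alpha
      attributes:
        labels:
          - export
        trust_zone: external
    context:
      # NOTE(review): `mfa` arrives as a request-context value here; confirm
      # the gateway populates it from the authentication layer and does not
      # accept it from the caller.
      mfa: true
      reason: customer-approved export
    caring_context:
      id: descriptor:restricted-export-steward
      profile: caring-0.4.0-rc2
      subject_type: Human
      organization_relation: Customer
      canonical_role: Maintainer
      scope:
        level: Record
        id: export:internal-note-review-bundle
        tenant: tenant:alpha
      planes:
        - Data
        - Audit
      capabilities:
        - Export
      exposure_modes:
        - Exportable
        - Plaintext
      conditions:
        - MFARequired
        - Logged
  expect:
    effect: allow
    reason: steward_export_mfa
    conformance_findings:
      - code: MARKITECT-EXPORT-MFA-LOGGED
        severity: info
        message: Export is allowed only with steward role, MFA, and logging.
  metadata:
    expected_caring_descriptor: descriptor:restricted-export-steward
    expected_exposure_modes:
      - Exportable
      - Plaintext
    expected_audit_behavior: always_record

# Activation of a generated context package: allowed, with an obligation that
# echoes the request's freshness_seconds value.
# NOTE(review): no stale, missing-freshness, or unexpected policy_version case
# is visible in this listing; add negative fixtures if the suite lacks them.
- id: fixture:markitect-context-package-activation
  request:
    id: check:markitect-context-package-activation
    subject:
      id: user:alice
      type: Human
      tenant: tenant:alpha
    action: activate_context
    resource:
      id: context-package:internal-note-review
      type: context_package
      system: markitect-tool
      tenant: tenant:alpha
      attributes:
        labels:
          - internal
          - generated
    context:
      freshness_seconds: 600
      policy_version: markitect-gateway-v1
    caring_context:
      id: descriptor:context-package-activation
      profile: caring-0.4.0-rc2
      subject_type: Human
      organization_relation: Customer
      canonical_role: Verifier
      scope:
        level: Dataset
        id: context-package:internal-note-review
        tenant: tenant:alpha
      planes:
        - Intent
        - Policy
      capabilities:
        - Use
        - Execute
      exposure_modes:
        - Metadata
        - Masked
      conditions:
        - PurposeBound
        - Logged
  expect:
    effect: allow
    reason: fresh_context_package
    obligations:
      - type: record_context_activation
        parameters:
          freshness_seconds: 600
    conformance_findings:
      - code: MARKITECT-CONTEXT-FRESHNESS
        severity: info
        message: Context package activation includes policy version and freshness metadata.
  metadata:
    expected_caring_descriptor: descriptor:context-package-activation
    expected_exposure_modes:
      - Metadata
      - Masked
    expected_audit_behavior: always_record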