{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json",
  "title": "CaringAccessDescriptor",
  "description": "Executable flex-auth representation of a CARING access descriptor pinned to CARING 0.4.0-RC2.",
  "type": "object",
  "additionalProperties": false,
  "required": [
    "profile",
    "subject_type",
    "organization_relation",
    "canonical_role",
    "scope",
    "planes",
    "capabilities"
  ],
  "properties": {
    "id": {"type": "string", "minLength": 1},
    "profile": {"const": "caring-0.4.0-rc2"},
    "subject_type": {"$ref": "#/$defs/subject_type"},
    "organization_relation": {"$ref": "#/$defs/organization_relation"},
    "canonical_role": {"$ref": "#/$defs/canonical_role"},
    "scope": {"$ref": "#/$defs/scope"},
    "planes": {
      "type": "array",
      "items": {"$ref": "#/$defs/plane"},
      "minItems": 1,
      "uniqueItems": true
    },
    "capabilities": {
      "type": "array",
      "items": {"$ref": "#/$defs/capability"},
      "minItems": 1,
      "uniqueItems": true
    },
    "exposure_modes": {
      "type": "array",
      "items": {"$ref": "#/$defs/exposure_mode"},
      "uniqueItems": true
    },
    "conditions": {
      "type": "array",
      "items": {"$ref": "#/$defs/condition"},
      "uniqueItems": true
    },
    "lifecycle_state": {"$ref": "#/$defs/lifecycle_state"},
    "restrictions": {
      "type": "array",
      "items": {"$ref": "#/$defs/restriction"},
      "uniqueItems": true
    },
    "exposure_event": {"$ref": "#/$defs/exposure_event_type"},
    "derived_capabilities": {
      "type": "array",
      "items": {"$ref": "#/$defs/derived_capability"}
    },
    "access_path": {"enum": ["direct", "delegated", "mediated", "induced"]},
    "metadata": {"type": "object", "additionalProperties": true}
  },
  "$defs": {
    "subject_type": {
      "enum": [
        "Human",
        "Group",
        "Organization",
        "Service",
        "Automation",
        "Agent",
        "System",
        "Device",
        "Process",
        "Anonymous",
        "Unknown"
      ]
    },
    "organization_relation": {
      "enum": [
        "Vendor",
        "ServiceProvider",
        "Distributor",
        "Consultant",
        "Customer",
        "Community",
        "Authority",
        "Unknown"
      ]
    },
    "canonical_role": {
      "enum": [
        "Creator",
        "Builder",
        "Verifier",
        "Maintainer",
        "Integrator",
        "Operator",
        "Manager",
        "Coach",
        "Doer"
      ]
    },
    "scope_level": {
      "enum": [
        "Ecosystem",
        "Product",
        "Platform",
        "Cluster",
        "Environment",
        "Tenant",
        "Namespace",
        "Domain",
        "Workspace",
        "Project",
        "Process",
        "Dataset",
        "Resource",
        "Subresource",
        "Record",
        "Field",
        "Action"
      ]
    },
    "scope": {
      "type": "object",
      "additionalProperties": false,
      "required": ["level", "id"],
      "properties": {
        "level": {"$ref": "#/$defs/scope_level"},
        "id": {"type": "string", "minLength": 1},
        "parent": {"type": "string", "minLength": 1},
        "tenant": {"type": "string", "minLength": 1},
        "resource": {"type": "string", "minLength": 1},
        "attributes": {"type": "object", "additionalProperties": true}
      }
    },
    "plane": {
      "enum": [
        "Intent",
        "Build",
        "Runtime",
        "Execution",
        "Configuration",
        "Data",
        "Identity",
        "Policy",
        "Secret",
        "Audit",
        "Commercial",
        "Community"
      ]
    },
    "capability": {
      "enum": [
        "View",
        "ViewCollection",
        "Observe",
        "Create",
        "EditOwn",
        "EditAssigned",
        "EditAny",
        "DeleteOwn",
        "DeleteAny",
        "BulkDelete",
        "Submit",
        "Comment",
        "Review",
        "Approve",
        "Reject",
        "Publish",
        "Archive",
        "Restore",
        "Execute",
        "Configure",
        "Operate",
        "Deploy",
        "Integrate",
        "Grant",
        "Revoke",
        "Delegate",
        "Impersonate",
        "Export",
        "Import",
        "Replicate",
        "Encrypt",
        "Decrypt",
        "Mask",
        "Inspect",
        "Audit",
        "Override",
        "Escalate",
        "Bind",
        "Use"
      ]
    },
    "exposure_mode": {
      "enum": [
        "None",
        "Metadata",
        "Masked",
        "Aggregated",
        "Synthetic",
        "Pseudonymous",
        "Encrypted",
        "Plaintext",
        "SecretMaterial",
        "Exportable",
        "CrossTenantAggregate"
      ]
    },
    "condition": {
      "enum": [
        "MFARequired",
        "DeviceTrusted",
        "NetworkTrusted",
        "TicketRequired",
        "TenantConsentRequired",
        "CustomerApprovalRequired",
        "DualApprovalRequired",
        "TimeLimited",
        "BusinessHoursOnly",
        "EmergencyOnly",
        "TrainingRequired",
        "ContractRequired",
        "NDARequired",
        "PurposeBound",
        "CaseBound",
        "EnvironmentBound",
        "NamespaceBound",
        "PipelineBound",
        "ChangeWindowBound",
        "Logged",
        "Recorded",
        "NotificationRequired",
        "PostReviewRequired",
        "HumanReviewRequired",
        "PolicyReviewRequired",
        "WorkloadIdentityRequired"
      ]
    },
    "lifecycle_state": {
      "enum": [
        "Design",
        "Build",
        "Test",
        "Review",
        "Release",
        "Onboard",
        "Integrate",
        "Migrate",
        "Operate",
        "Support",
        "Improve",
        "Deprecate",
        "Archive",
        "Incident",
        "Legal",
        "Terminate"
      ]
    },
    "restriction": {
      "enum": [
        "NoAccess",
        "Suspended",
        "Terminated",
        "Quarantined",
        "ScopeExcluded",
        "DataClassRestricted",
        "LegalHold",
        "ExportBlocked",
        "ImpersonationBlocked",
        "CrossTenantBlocked",
        "SecretAccessBlocked",
        "PolicyFrozen",
        "EmergencyLocked",
        "RiskDenied",
        "ExecutionBlocked",
        "WorkloadCreationBlocked",
        "PrivilegeEscalationBlocked"
      ]
    },
    "exposure_event_type": {
      "enum": [
        "X-Support",
        "X-BreakGlass",
        "X-SecurityTest",
        "X-Incident",
        "X-LegalDemand",
        "X-ComplianceAudit",
        "X-Migration",
        "X-Recovery",
        "X-Adversarial",
        "X-Misconfiguration",
        "X-InducedAccess",
        "X-PrivilegeEscalation"
      ]
    },
    "derived_capability": {
      "type": "object",
      "additionalProperties": false,
      "required": ["capability", "reason"],
      "properties": {
        "capability": {"$ref": "#/$defs/capability"},
        "reason": {"type": "string", "minLength": 1},
        "source": {"type": "string", "minLength": 1},
        "planes": {
          "type": "array",
          "items": {"$ref": "#/$defs/plane"},
          "uniqueItems": true
        },
        "exposure_modes": {
          "type": "array",
          "items": {"$ref": "#/$defs/exposure_mode"},
          "uniqueItems": true
        }
      }
    },
    "conformance_finding": {
      "type": "object",
      "additionalProperties": false,
      "required": ["code", "severity", "message"],
      "properties": {
        "code": {"type": "string", "minLength": 1},
        "severity": {"enum": ["info", "warning", "violation", "blocked"]},
        "message": {"type": "string", "minLength": 1},
        "fields": {"type": "array", "items": {"type": "string", "minLength": 1}},
        "descriptor": {"type": "string", "minLength": 1},
        "metadata": {"type": "object", "additionalProperties": true}
      }
    },
    "exposure_event": {
      "type": "object",
      "additionalProperties": false,
      "required": ["id", "type", "actor", "subject", "reason"],
      "properties": {
        "id": {"type": "string", "minLength": 1},
        "type": {"$ref": "#/$defs/exposure_event_type"},
        "actor": {"type": "string", "minLength": 1},
        "subject": {"type": "string", "minLength": 1},
        "descriptor": {"$ref": "#"},
        "scope": {"$ref": "#/$defs/scope"},
        "planes": {"type": "array", "items": {"$ref": "#/$defs/plane"}},
        "capabilities_used": {"type": "array", "items": {"$ref": "#/$defs/capability"}},
        "derived_capabilities": {"type": "array", "items": {"$ref": "#/$defs/derived_capability"}},
        "exposure_modes": {"type": "array", "items": {"$ref": "#/$defs/exposure_mode"}},
        "reason": {"type": "string", "minLength": 1},
        "authority_source": {"type": "string", "minLength": 1},
        "approval": {"type": "string", "minLength": 1},
        "start_time": {"type": "string", "minLength": 1},
        "end_time": {"type": "string", "minLength": 1},
        "resources_accessed": {"type": "array", "items": {"type": "string", "minLength": 1}},
        "evidence": {"type": "array", "items": {"type": "string", "minLength": 1}},
        "notification_status": {"type": "string", "minLength": 1},
        "post_review": {"type": "string", "minLength": 1},
        "conformance_findings": {"type": "array", "items": {"$ref": "#/$defs/conformance_finding"}},
        "metadata": {"type": "object", "additionalProperties": true}
      }
    }
  }
}