{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://flex-auth.netkingdom/schemas/decision_envelope.schema.json",
  "title": "DecisionEnvelope",
  "type": "object",
  "additionalProperties": false,
  "required": ["id", "effect", "resource", "subject", "provenance"],
  "properties": {
    "id": {"type": "string", "minLength": 1},
    "request_id": {"type": "string", "minLength": 1},
    "effect": {"enum": ["allow", "deny", "redact", "audit_only", "not_applicable"]},
    "reason": {"type": "string"},
    "matched_policy_version": {"type": "string", "minLength": 1},
    "matched_rule": {"type": "string", "minLength": 1},
    "resource": {"$ref": "https://flex-auth.netkingdom/schemas/check_request.schema.json#/$defs/resource_ref"},
    "subject": {"$ref": "https://flex-auth.netkingdom/schemas/check_request.schema.json#/$defs/subject_ref"},
    "obligations": {"type": "array", "items": {"$ref": "#/$defs/obligation"}},
    "diagnostics": {"type": "object", "additionalProperties": true},
    "provenance": {"$ref": "#/$defs/provenance"},
    "caring": {"$ref": "#/$defs/caring_decision_metadata"}
  },
  "$defs": {
    "obligation": {
      "type": "object",
      "additionalProperties": false,
      "required": ["type"],
      "properties": {
        "type": {"type": "string", "minLength": 1},
        "parameters": {"type": "object", "additionalProperties": true}
      }
    },
    "provenance": {
      "type": "object",
      "additionalProperties": false,
      "required": ["evaluator", "mode"],
      "properties": {
        "evaluator": {"type": "string", "minLength": 1},
        "mode": {"type": "string", "minLength": 1},
        "policy_package": {"type": "string", "minLength": 1},
        "policy_version": {"type": "string", "minLength": 1},
        "directory_etag": {"type": "string", "minLength": 1},
        "decision_time": {"type": "string", "minLength": 1}
      }
    },
    "caring_decision_metadata": {
      "type": "object",
      "additionalProperties": false,
      "required": ["profile"],
      "properties": {
        "profile": {"const": "caring-0.4.0-rc2"},
        "descriptor": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json"},
        "restrictions_evaluated": {
          "type": "array",
          "items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/restriction"},
          "uniqueItems": true
        },
        "exposure_modes": {
          "type": "array",
          "items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/exposure_mode"},
          "uniqueItems": true
        },
        "derived_capabilities": {
          "type": "array",
          "items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/derived_capability"}
        },
        "conformance_findings": {
          "type": "array",
          "items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/conformance_finding"}
        },
        "exposure_event": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/exposure_event"}
      }
    }
  }
}