{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://flex-auth.netkingdom/schemas/resource_manifest.schema.json", "title": "FlexAuthResourceManifest", "description": "Manifest a protected system publishes to register its resources with flex-auth. Pinned against the Markitect-side emitter in markitect-tool/src/markitect_tool/policy/enterprise.py (MKTT-WP-0014).", "type": "object", "additionalProperties": false, "required": ["id", "system", "resources"], "properties": { "id": { "type": "string", "description": "Stable identifier of this manifest (e.g. 'markitect-example-knowledge-base').", "minLength": 1 }, "system": { "type": "string", "description": "Slug of the protected system publishing the manifest. Matches a registered protected-system manifest in flex-auth (e.g. 'markitect-tool').", "minLength": 1 }, "resources": { "type": "array", "description": "Resources to register with flex-auth. Order is not significant; identity is by 'id'.", "items": {"$ref": "#/$defs/resource"} }, "actions": { "type": "array", "description": "Action vocabulary the manifest's resources expect. Validated against the protected system's declared actions on registration.", "items": {"type": "string", "minLength": 1}, "uniqueItems": true }, "caring_profile": { "type": "string", "description": "Optional CARING profile identifier used by resource-level descriptors.", "const": "caring-0.4.0-rc2" }, "metadata": { "type": "object", "description": "Free-form provenance and contract metadata. Conventions: 'source' (origin description), 'flex_auth_contract' (contract version string, currently 'resource-registration-v0').", "additionalProperties": true } }, "$defs": { "resource": { "type": "object", "additionalProperties": false, "required": ["id", "type"], "properties": { "id": { "type": "string", "description": "Stable resource identifier, conventionally '{type}:{local-id}' (e.g. 'document:architecture/adr-001').", "minLength": 1 }, "type": { "type": "string", "description": "Resource type within the protected system's namespace (e.g. 'knowledge_base', 'repository', 'document', 'section', 'context_package', 'workflow_artifact', 'export'). Not enumerated — flex-auth validates against the protected system's declared namespace.", "minLength": 1 }, "path": { "type": "string", "description": "Optional source path within the protected system (e.g. a filesystem path or repo-relative path).", "minLength": 1 }, "parent": { "type": "string", "description": "Optional resource id of the parent resource for hierarchy and inherited access.", "minLength": 1 }, "labels": { "type": "array", "description": "Policy labels applied to the resource (e.g. 'public', 'internal', 'restricted').", "items": {"type": "string", "minLength": 1}, "uniqueItems": true }, "trust_zone": { "type": "string", "description": "Coarse trust classification (e.g. 'public', 'internal', 'restricted').", "minLength": 1 }, "owner": { "type": "string", "description": "Owner identifier, conventionally 'team:{name}' or 'user:{name}'.", "minLength": 1 }, "caring": { "description": "Optional CARING descriptor for this resource. Policy packages may require this field for conformance checks.", "$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json" }, "attributes": { "type": "object", "description": "Free-form attributes that policy packages may consult. Reserved keys may be defined by individual policy packages.", "additionalProperties": true } } } } }