{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/resource_manifest.schema.json",
"title": "FlexAuthResourceManifest",
"description": "Manifest a protected system publishes to register its resources with flex-auth. Pinned against the Markitect-side emitter in markitect-tool/src/markitect_tool/policy/enterprise.py (MKTT-WP-0014).",
"type": "object",
"additionalProperties": false,
"required": ["id", "system", "resources"],
"properties": {
"id": {
"type": "string",
"description": "Stable identifier of this manifest (e.g. 'markitect-example-knowledge-base').",
"minLength": 1
},
"system": {
"type": "string",
"description": "Slug of the protected system publishing the manifest. Matches a registered protected-system manifest in flex-auth (e.g. 'markitect-tool').",
"minLength": 1
},
"resources": {
"type": "array",
"description": "Resources to register with flex-auth. Order is not significant; identity is by 'id'.",
"items": {"$ref": "#/$defs/resource"}
},
"actions": {
"type": "array",
"description": "Action vocabulary the manifest's resources expect. Validated against the protected system's declared actions on registration.",
"items": {"type": "string", "minLength": 1},
"uniqueItems": true
},
"caring_profile": {
"type": "string",
"description": "Optional CARING profile identifier used by resource-level descriptors. When present, the value must equal the pinned profile string given in 'const'.",
"const": "caring-0.4.0-rc2"
},
"metadata": {
"type": "object",
"description": "Free-form provenance and contract metadata. Conventions: 'source' (origin description), 'flex_auth_contract' (contract version string, currently 'resource-registration-v0').",
"additionalProperties": true
}
},
"$defs": {
"resource": {
"type": "object",
"additionalProperties": false,
"required": ["id", "type"],
"properties": {
"id": {
"type": "string",
"description": "Stable resource identifier, conventionally '<type>:<slug>' (e.g. 'document:architecture/adr-001').",
"minLength": 1
},
"type": {
"type": "string",
"description": "Resource type within the protected system's namespace (e.g. 'knowledge_base', 'repository', 'document', 'section', 'context_package', 'workflow_artifact', 'export'). Not enumerated — flex-auth validates against the protected system's declared namespace.",
"minLength": 1
},
"path": {
"type": "string",
"description": "Optional source path within the protected system (e.g. a filesystem path or repo-relative path).",
"minLength": 1
},
"parent": {
"type": "string",
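"description": "Optional resource id of the parent resource, used for hierarchy and inherited access. This schema only requires a non-empty string; it does not check that the id refers to an existing resource.",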
"minLength": 1
},
"labels": {
"type": "array",
"description": "Policy labels applied to the resource (e.g. 'public', 'internal', 'restricted').",
"items": {"type": "string", "minLength": 1},
"uniqueItems": true
},
"trust_zone": {
"type": "string",
"description": "Coarse trust classification (e.g. 'public', 'internal', 'restricted').",
"minLength": 1
},
"owner": {
"type": "string",
"description": "Owner identifier, conventionally 'team:<slug>' or 'user:<slug>'.",
"minLength": 1
},
"caring": {
"description": "Optional CARING descriptor for this resource. Policy packages may require this field for conformance checks.",
"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json"
},
"attributes": {
"type": "object",
"description": "Free-form attributes that policy packages may consult. Reserved keys may be defined by individual policy packages.",
"additionalProperties": true
}
}
}
}
}