{ "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://raw.githubusercontent.com/api-evangelist/zero-trust/main/json-schema/zero-trust-access-decision-schema.json", "title": "Zero Trust Access Decision", "description": "The result returned by a Zero Trust Policy Decision Point (PDP) for a single access request, capturing the verdict and the signals that produced it.", "type": "object", "required": ["request_id", "subject", "resource", "decision", "evaluated_at"], "properties": { "request_id": { "type": "string", "format": "uuid" }, "evaluated_at": { "type": "string", "format": "date-time" }, "decision": { "type": "string", "enum": ["allow", "deny", "step_up", "isolate", "monitor"] }, "ttl_seconds": { "type": "integer", "minimum": 0, "description": "Number of seconds this decision remains valid before it must be re-evaluated" }, "subject": { "type": "object", "required": ["id", "type"], "properties": { "id": { "type": "string" }, "type": { "type": "string", "enum": ["user", "service_account", "workload"] }, "identity_provider": { "type": "string" }, "groups": { "type": "array", "items": { "type": "string" } }, "mfa_method": { "type": "string" } } }, "device": { "type": "object", "properties": { "id": { "type": "string" }, "managed": { "type": "boolean" }, "posture": { "type": "string", "enum": ["compliant", "non_compliant", "unknown"] }, "edr": { "type": "string" } } }, "resource": { "type": "object", "required": ["id"], "properties": { "id": { "type": "string" }, "type": { "type": "string", "enum": ["application", "data", "host", "api", "saas"] }, "classification": { "type": "string" } } }, "context": { "type": "object", "properties": { "geo": { "type": "string" }, "ip": { "type": "string" }, "risk_score": { "type": "integer", "minimum": 0, "maximum": 100 }, "client_app": { "type": "string" } } }, "signals": { "type": "array", "description": "The individual signals consulted by the PDP", "items": { "type": "object", "properties": { "name": { "type": "string" }, "value": 
{}, "weight": { "type": "number" } } } }, "policy_id": { "type": "string", "description": "Identifier of the policy that produced the decision" }, "obligations": { "type": "array", "items": { "type": "object", "properties": { "type": { "type": "string", "description": "The kind of obligation that accompanies the decision, e.g. require_mfa, log, redact, isolate" }, "params": { "type": "object", "additionalProperties": true } } } } } }