{
    "$schema": "https://json-schema.org/draft/2020-12/schema",
    "$id": "https://schema.beltic.com/agent/v1/agent-credential-v1.schema.json",
    "title": "AgentCredential v1",
    "description": "Machine-readable schema for Beltic AgentCredential v1 (see docs/agent-credential-v1.md).",
    "type": "object",
    "additionalProperties": false,
    "required": [
        "schemaVersion",
        "agentId",
        "agentName",
        "agentVersion",
        "agentDescription",
        "firstReleaseDate",
        "currentStatus",
        "developerCredentialId",
        "developerCredentialVerified",
        "primaryModelProvider",
        "primaryModelFamily",
        "modelContextWindow",
        "modalitySupport",
        "languageCapabilities",
        "architectureType",
        "systemConfigFingerprint",
        "systemConfigLastUpdated",
        "deploymentEnvironment",
        "dataLocationProfile",
        "dataCategoriesProcessed",
        "dataRetentionMaxPeriod",
        "trainingDataUsage",
        "piiDetectionEnabled",
        "piiRedactionCapability",
        "dataEncryptionStandards",
        "harmfulContentRefusalScore",
        "harmfulContentBenchmarkName",
        "harmfulContentBenchmarkVersion",
        "harmfulContentEvaluationDate",
        "harmfulContentAssuranceSource",
        "promptInjectionRobustnessScore",
        "promptInjectionBenchmarkName",
        "promptInjectionBenchmarkVersion",
        "promptInjectionEvaluationDate",
        "promptInjectionAssuranceSource",
        "piiLeakageRobustnessScore",
        "piiLeakageBenchmarkName",
        "piiLeakageBenchmarkVersion",
        "piiLeakageEvaluationDate",
        "piiLeakageAssuranceSource",
        "incidentResponseContact",
        "incidentResponseSLO",
        "deprecationPolicy",
        "updateCadence",
        "humanOversightMode",
        "failSafeBehavior",
        "monitoringCoverage",
        "credentialIssuanceDate",
        "credentialExpirationDate",
        "overallSafetyRating",
        "ageRestrictions",
        "kybTierRequired",
        "verificationLevel",
        "credentialId",
        "issuerDid",
        "verificationMethod",
        "credentialStatus",
        "revocationListUrl",
        "proof"
    ],
    "$defs": {
        "uuid": {
            "type": "string",
            "format": "uuid"
        },
        "isoCountry": {
            "type": "string",
            "pattern": "^[A-Z]{2}$",
            "description": "ISO 3166-1 alpha-2 country code"
        },
        "isoLanguage": {
            "type": "string",
            "pattern": "^[a-z]{2}$",
            "description": "ISO 639-1 language code"
        },
        "isoDuration": {
            "type": "string",
            "pattern": "^P(?!$)(?:\\d+Y)?(?:\\d+M)?(?:\\d+W)?(?:\\d+D)?(?:T(?:\\d+H)?(?:\\d+M)?(?:\\d+S)?)?$",
            "description": "ISO 8601 duration"
        },
        "benchmarkName": {
            "type": "string",
            "maxLength": 200
        },
        "benchmarkVersion": {
            "type": "string",
            "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-[0-9A-Za-z.-]+)?$"
        },
        "assuranceSource": {
            "type": "string",
            "enum": ["self", "beltic", "third_party"]
        },
        "tool": {
            "type": "object",
            "required": [
                "toolId",
                "toolName",
                "toolDescription",
                "riskCategory",
                "riskSubcategory",
                "requiresAuth",
                "requiresHumanApproval"
            ],
            "additionalProperties": false,
            "properties": {
                "toolId": {
                    "type": "string",
                    "minLength": 1,
                    "maxLength": 100
                },
                "toolName": {
                    "type": "string",
                    "minLength": 2,
                    "maxLength": 200
                },
                "toolDescription": {
                    "type": "string",
                    "minLength": 10,
                    "maxLength": 1000
                },
                "riskCategory": {
                    "type": "string",
                    "enum": ["data", "compute", "financial", "external"]
                },
                "riskSubcategory": {
                    "type": "string",
                    "enum": [
                        "data_read_internal",
                        "data_read_external",
                        "data_write_internal",
                        "data_write_external",
                        "data_delete",
                        "data_export",
                        "compute_code_execution",
                        "compute_query_generation",
                        "compute_api_call",
                        "compute_transformation",
                        "compute_analysis",
                        "financial_read",
                        "financial_transaction",
                        "financial_account_access",
                        "financial_payment_initiation",
                        "external_internet_access",
                        "external_email",
                        "external_notification",
                        "external_authentication",
                        "external_file_access"
                    ]
                },
                "requiresAuth": { "type": "boolean" },
                "requiresHumanApproval": { "type": "boolean" },
                "mitigations": {
                    "type": "string",
                    "maxLength": 1000
                }
            }
        },
        "dataLocationProfile": {
            "type": "object",
            "required": ["storageRegions", "processingRegions"],
            "additionalProperties": false,
            "properties": {
                "storageRegions": {
                    "type": "array",
                    "items": { "$ref": "#/$defs/isoCountry" },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "processingRegions": {
                    "type": "array",
                    "items": { "$ref": "#/$defs/isoCountry" },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "backupRegions": {
                    "type": "array",
                    "items": { "$ref": "#/$defs/isoCountry" },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "notes": {
                    "type": "string",
                    "maxLength": 500
                }
            }
        },
        "safetyScore": {
            "type": "number",
            "minimum": 0,
            "maximum": 100
        },
        "benchmarkMetadata": {
            "type": "object",
            "required": ["benchmarkName", "benchmarkVersion", "evaluationDate", "assuranceSource"],
            "additionalProperties": false,
            "properties": {
                "benchmarkName": { "$ref": "#/$defs/benchmarkName" },
                "benchmarkVersion": { "$ref": "#/$defs/benchmarkVersion" },
                "evaluationDate": { "type": "string", "format": "date" },
                "assuranceSource": { "$ref": "#/$defs/assuranceSource" }
            }
        },
        "didIdentifier": {
            "type": "string",
            "pattern": "^did:(web|key|ion|pkh|ethr):[a-zA-Z0-9._%-]+",
            "minLength": 10,
            "maxLength": 500,
            "description": "Decentralized Identifier (DID)"
        },
        "verificationMethodRef": {
            "type": "string",
            "pattern": "^did:(web|key|ion|pkh|ethr):[a-zA-Z0-9._%-]+#[a-zA-Z0-9_-]+$",
            "minLength": 15,
            "maxLength": 600,
            "description": "DID verification method reference (DID#keyId format)"
        },
        "credentialStatusEnum": {
            "type": "string",
            "enum": ["active", "suspended", "revoked", "expired"]
        },
        "proofObject": {
            "type": "object",
            "description": "W3C VC Data Integrity Proof",
            "required": ["type", "created", "verificationMethod", "proofPurpose", "proofValue"],
            "additionalProperties": false,
            "properties": {
                "type": {
                    "type": "string",
                    "enum": ["Ed25519Signature2020", "JsonWebSignature2020", "EcdsaSecp256k1Signature2019"]
                },
                "created": {
                    "type": "string",
                    "format": "date-time"
                },
                "verificationMethod": { "$ref": "#/$defs/verificationMethodRef" },
                "proofPurpose": {
                    "type": "string",
                    "enum": ["assertionMethod", "authentication", "keyAgreement"]
                },
                "proofValue": {
                    "type": "string",
                    "minLength": 40,
                    "maxLength": 2000
                },
                "challenge": {
                    "type": "string",
                    "maxLength": 256
                },
                "domain": {
                    "type": "string",
                    "format": "uri"
                }
            }
        },
        "deploymentEnvironmentObject": {
            "type": "object",
            "description": "Deployment environment profile",
            "required": ["type", "cloudProvider"],
            "additionalProperties": false,
            "properties": {
                "type": {
                    "type": "string",
                    "enum": ["cloud_managed", "cloud_self_managed", "on_premises", "hybrid", "edge"]
                },
                "cloudProvider": {
                    "type": "string",
                    "enum": ["aws", "gcp", "azure", "oracle", "ibm", "alibaba", "other", "none"]
                },
                "primaryRegion": { "$ref": "#/$defs/isoCountry" },
                "complianceNotes": {
                    "type": "string",
                    "maxLength": 500
                }
            }
        },
        "jwkThumbprint": {
            "type": "string",
            "pattern": "^[A-Za-z0-9_-]{43}$",
            "description": "Base64url-encoded SHA-256 JWK thumbprint per RFC 7638 (43 characters)"
        }
    },
    "properties": {
        "$schema": {
            "type": "string",
            "description": "JSON Schema reference (optional)"
        },
        "schemaVersion": {
            "type": "string",
            "enum": ["1.0"]
        },
        "agentId": { "$ref": "#/$defs/uuid" },
        "agentName": {
            "type": "string",
            "minLength": 2,
            "maxLength": 200
        },
        "agentVersion": {
            "type": "string",
            "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?$"
        },
        "agentDescription": {
            "type": "string",
            "minLength": 50,
            "maxLength": 1000
        },
        "firstReleaseDate": { "type": "string", "format": "date" },
        "currentStatus": {
            "type": "string",
            "enum": ["production", "beta", "alpha", "internal", "deprecated", "retired"]
        },
        "developerCredentialId": { "$ref": "#/$defs/uuid" },
        "developerCredentialVerified": { "type": "boolean" },
        "primaryModelProvider": {
            "type": "string",
            "enum": ["anthropic", "openai", "google", "meta", "mistral", "cohere", "amazon", "microsoft", "huggingface", "self_hosted", "other"],
            "description": "Primary AI model provider"
        },
        "primaryModelFamily": {
            "type": "string",
            "enum": [
                "claude-3-opus", "claude-3-sonnet", "claude-3-haiku", "claude-3.5-sonnet", "claude-4",
                "gpt-4", "gpt-4-turbo", "gpt-4o", "gpt-4o-mini",
                "gemini-pro", "gemini-ultra", "gemini-1.5",
                "llama-3", "llama-3.1",
                "mistral-large", "mistral-medium",
                "command-r", "command-r-plus",
                "other"
            ],
            "description": "Primary model family/version"
        },
        "modelContextWindow": {
            "type": "integer",
            "minimum": 1
        },
        "modalitySupport": {
            "type": "array",
            "items": {
                "type": "string",
                "enum": ["text", "image", "audio", "video", "code", "structured_data"]
            },
            "minItems": 1,
            "uniqueItems": true
        },
        "languageCapabilities": {
            "type": "array",
            "items": { "$ref": "#/$defs/isoLanguage" },
            "minItems": 1,
            "uniqueItems": true
        },
        "architectureType": {
            "type": "string",
            "enum": [
                "single_agent",
                "rag",
                "tool_using",
                "multi_agent",
                "agentic_workflow",
                "fine_tuned",
                "hybrid"
            ]
        },
        "systemConfigFingerprint": {
            "type": "string",
            "pattern": "^[A-Fa-f0-9]{64}$"
        },
        "systemConfigLastUpdated": { "type": "string", "format": "date" },
        "deploymentEnvironment": {
            "$ref": "#/$defs/deploymentEnvironmentObject"
        },
        "complianceCertifications": {
            "type": "array",
            "items": {
                "type": "string",
                "enum": [
                    "soc2_type1",
                    "soc2_type2",
                    "iso27001",
                    "iso27017",
                    "iso27018",
                    "hipaa",
                    "pci_dss",
                    "fedramp",
                    "gdpr_compliant",
                    "ccpa_compliant"
                ]
            },
            "minItems": 1,
            "uniqueItems": true
        },
        "dataLocationProfile": { "$ref": "#/$defs/dataLocationProfile" },
        "toolsList": {
            "type": "array",
            "items": { "$ref": "#/$defs/tool" },
            "uniqueItems": true
        },
        "toolsLastAudited": { "type": "string", "format": "date" },
        "dataCategoriesProcessed": {
            "type": "array",
            "items": {
                "type": "string",
                "enum": [
                    "none",
                    "pii",
                    "phi",
                    "financial",
                    "biometric",
                    "behavioral",
                    "authentication",
                    "proprietary",
                    "government_id",
                    "children_data"
                ]
            },
            "minItems": 1,
            "uniqueItems": true
        },
        "dataRetentionMaxPeriod": {
            "type": "string",
            "pattern": "^P(?!$).*"
        },
        "dataRetentionByCategory": {
            "type": "object",
            "additionalProperties": {
                "type": "string",
                "pattern": "^P(?!$).*"
            }
        },
        "trainingDataUsage": {
            "type": "string",
            "enum": [
                "never",
                "anonymized_only",
                "aggregated_only",
                "with_explicit_consent",
                "opt_out_available",
                "not_applicable"
            ]
        },
        "piiDetectionEnabled": { "type": "boolean" },
        "piiRedactionCapability": {
            "type": "string",
            "enum": ["none", "basic", "advanced", "context_aware"]
        },
        "piiRedactionPipeline": {
            "type": "string",
            "maxLength": 1000
        },
        "dataEncryptionStandards": {
            "type": "array",
            "items": {
                "type": "string",
                "enum": [
                    "AES-128-at-rest", "AES-256-at-rest",
                    "AES-128-GCM", "AES-256-GCM",
                    "TLS-1.2-in-transit", "TLS-1.3-in-transit",
                    "ChaCha20-Poly1305",
                    "RSA-2048", "RSA-4096",
                    "ECDHE", "other"
                ]
            },
            "minItems": 1,
            "uniqueItems": true
        },
        "harmfulContentRefusalScore": { "$ref": "#/$defs/safetyScore" },
        "harmfulContentBenchmarkName": { "$ref": "#/$defs/benchmarkName" },
        "harmfulContentBenchmarkVersion": { "$ref": "#/$defs/benchmarkVersion" },
        "harmfulContentEvaluationDate": { "type": "string", "format": "date" },
        "harmfulContentAssuranceSource": { "$ref": "#/$defs/assuranceSource" },
        "promptInjectionRobustnessScore": { "$ref": "#/$defs/safetyScore" },
        "promptInjectionBenchmarkName": { "$ref": "#/$defs/benchmarkName" },
        "promptInjectionBenchmarkVersion": { "$ref": "#/$defs/benchmarkVersion" },
        "promptInjectionEvaluationDate": { "type": "string", "format": "date" },
        "promptInjectionAssuranceSource": { "$ref": "#/$defs/assuranceSource" },
        "toolAbuseRobustnessScore": { "$ref": "#/$defs/safetyScore" },
        "toolAbuseBenchmarkName": { "$ref": "#/$defs/benchmarkName" },
        "toolAbuseBenchmarkVersion": { "$ref": "#/$defs/benchmarkVersion" },
        "toolAbuseEvaluationDate": { "type": "string", "format": "date" },
        "toolAbuseAssuranceSource": { "$ref": "#/$defs/assuranceSource" },
        "piiLeakageRobustnessScore": { "$ref": "#/$defs/safetyScore" },
        "piiLeakageBenchmarkName": { "$ref": "#/$defs/benchmarkName" },
        "piiLeakageBenchmarkVersion": { "$ref": "#/$defs/benchmarkVersion" },
        "piiLeakageEvaluationDate": { "type": "string", "format": "date" },
        "piiLeakageAssuranceSource": { "$ref": "#/$defs/assuranceSource" },
        "incidentResponseContact": {
            "type": "string",
            "format": "email",
            "maxLength": 254
        },
        "incidentResponseSLO": { "$ref": "#/$defs/isoDuration" },
        "deprecationPolicy": {
            "type": "string",
            "maxLength": 1000
        },
        "updateCadence": {
            "type": "string",
            "enum": [
                "continuous",
                "weekly",
                "biweekly",
                "monthly",
                "quarterly",
                "as_needed",
                "no_updates"
            ]
        },
        "humanOversightMode": {
            "type": "string",
            "enum": [
                "autonomous_low_risk",
                "human_review_pre_action",
                "human_review_post_action",
                "human_initiated_only",
                "custom_handover"
            ]
        },
        "failSafeBehavior": {
            "type": "string",
            "minLength": 50,
            "maxLength": 800
        },
        "monitoringCoverage": {
            "type": "string",
            "minLength": 50,
            "maxLength": 800
        },
        "credentialIssuanceDate": { "type": "string", "format": "date-time" },
        "credentialExpirationDate": { "type": "string", "format": "date-time" },
        "overallSafetyRating": {
            "type": "string",
            "enum": [
                "minimal_risk",
                "low_risk",
                "moderate_risk",
                "high_risk",
                "evaluation_pending"
            ]
        },
        "approvedUseCases": {
            "type": "array",
            "items": { "type": "string", "maxLength": 200 },
            "minItems": 1
        },
        "prohibitedUseCases": {
            "type": "array",
            "items": { "type": "string", "maxLength": 200 },
            "minItems": 1
        },
        "ageRestrictions": {
            "type": "string",
            "enum": ["none", "13+", "16+", "18+", "21+"]
        },
        "regulatoryApprovals": {
            "type": "array",
            "items": { "type": "string", "maxLength": 200 },
            "minItems": 1
        },
        "kybTierRequired": {
            "type": "string",
            "enum": ["tier_0", "tier_1", "tier_2", "tier_3", "tier_4"]
        },
        "verificationLevel": {
            "type": "string",
            "enum": ["self_attested", "beltic_verified", "third_party_verified"]
        },
        "lastSecurityAuditDate": { "type": "string", "format": "date" },
        "credentialId": { "$ref": "#/$defs/uuid" },
        "issuerDid": {
            "$ref": "#/$defs/didIdentifier",
            "description": "DID of the credential issuer"
        },
        "verificationMethod": {
            "$ref": "#/$defs/verificationMethodRef",
            "description": "DID verification method reference for proof verification"
        },
        "credentialStatus": {
            "$ref": "#/$defs/credentialStatusEnum",
            "description": "Current status of the credential"
        },
        "revocationListUrl": {
            "type": "string",
            "format": "uri"
        },
        "proof": {
            "$ref": "#/$defs/proofObject"
        },
        "httpSigningKeyJwkThumbprint": {
            "$ref": "#/$defs/jwkThumbprint",
            "description": "RFC 7638 JWK thumbprint of the Ed25519 key used for HTTP request signing (Web Bot Auth). Must match the keyid used in Signature-Input headers."
        },
        "keyDirectoryUrl": {
            "type": "string",
            "format": "uri",
            "pattern": "^https://.*/.well-known/http-message-signatures-directory$",
            "description": "URL to the agent's HTTP Message Signatures key directory per draft-meunier-http-message-signatures-directory"
        }
    },
    "allOf": [
        {
            "if": {
                "properties": { "toolsList": { "type": "array", "minItems": 1 } },
                "required": ["toolsList"]
            },
            "then": {
                "required": [
                    "toolAbuseRobustnessScore",
                    "toolAbuseBenchmarkName",
                    "toolAbuseBenchmarkVersion",
                    "toolAbuseEvaluationDate",
                    "toolAbuseAssuranceSource",
                    "toolsLastAudited"
                ]
            },
            "else": {
                "properties": {
                    "toolAbuseRobustnessScore": { "type": "number", "minimum": 0, "maximum": 100 },
                    "toolAbuseBenchmarkName": { "$ref": "#/$defs/benchmarkName" },
                    "toolAbuseBenchmarkVersion": { "$ref": "#/$defs/benchmarkVersion" },
                    "toolAbuseEvaluationDate": { "type": "string", "format": "date" },
                    "toolAbuseAssuranceSource": { "$ref": "#/$defs/assuranceSource" }
                }
            }
        },
        {
            "$comment": "PHI data requires HIPAA compliance certification",
            "if": {
                "properties": {
                    "dataCategoriesProcessed": {
                        "contains": { "const": "phi" }
                    }
                },
                "required": ["dataCategoriesProcessed"]
            },
            "then": {
                "properties": {
                    "complianceCertifications": {
                        "contains": { "const": "hipaa" }
                    }
                },
                "required": ["complianceCertifications"]
            }
        },
        {
            "$comment": "Financial data requires PCI-DSS or SOC2 Type 2 compliance",
            "if": {
                "properties": {
                    "dataCategoriesProcessed": {
                        "contains": { "const": "financial" }
                    }
                },
                "required": ["dataCategoriesProcessed"]
            },
            "then": {
                "properties": {
                    "complianceCertifications": {
                        "anyOf": [
                            { "contains": { "const": "pci_dss" } },
                            { "contains": { "const": "soc2_type2" } }
                        ]
                    }
                },
                "required": ["complianceCertifications"]
            }
        },
        {
            "$comment": "Children data requires age restrictions and enhanced protections",
            "if": {
                "properties": {
                    "dataCategoriesProcessed": {
                        "contains": { "const": "children_data" }
                    }
                },
                "required": ["dataCategoriesProcessed"]
            },
            "then": {
                "properties": {
                    "ageRestrictions": {
                        "enum": ["13+", "16+", "18+", "21+"]
                    },
                    "piiDetectionEnabled": { "const": true },
                    "trainingDataUsage": {
                        "enum": ["never", "not_applicable"]
                    }
                },
                "required": ["ageRestrictions"]
            }
        },
        {
            "$comment": "Web Bot Auth: httpSigningKeyJwkThumbprint and keyDirectoryUrl must both be present if either is specified",
            "if": {
                "anyOf": [
                    { "required": ["httpSigningKeyJwkThumbprint"] },
                    { "required": ["keyDirectoryUrl"] }
                ]
            },
            "then": {
                "required": ["httpSigningKeyJwkThumbprint", "keyDirectoryUrl"]
            }
        }
    ]
}
