{
    "$schema": "https://json-schema.org/draft/2020-12/schema",
    "$id": "https://schema.beltic.com/agent/v2/agent-credential-v2.schema.json",
    "title": "AgentCredential v2",
    "description": "W3C Verifiable Credential schema for Beltic AgentCredential v2. Aligned with VC Data Model 2.0.",
    "type": "object",
    "additionalProperties": false,
    "required": [
        "@context",
        "type",
        "id",
        "issuer",
        "validFrom",
        "validUntil",
        "credentialSubject",
        "credentialStatus",
        "proof"
    ],
    "$defs": {
        "uuid": {
            "type": "string",
            "format": "uuid"
        },
        "isoCountry": {
            "type": "string",
            "pattern": "^[A-Z]{2}$",
            "description": "ISO 3166-1 alpha-2 country code"
        },
        "isoLanguage": {
            "type": "string",
            "pattern": "^[a-z]{2}$",
            "description": "ISO 639-1 language code"
        },
        "isoDuration": {
            "type": "string",
            "pattern": "^P(?!$)(?:\\d+Y)?(?:\\d+M)?(?:\\d+W)?(?:\\d+D)?(?:T(?:\\d+H)?(?:\\d+M)?(?:\\d+S)?)?$",
            "description": "ISO 8601 duration"
        },
        "didIdentifier": {
            "type": "string",
            "pattern": "^did:(web|key|ion|pkh|ethr):[a-zA-Z0-9._%-]+",
            "minLength": 10,
            "maxLength": 500,
            "description": "Decentralized Identifier (DID)"
        },
        "verificationMethodRef": {
            "type": "string",
            "pattern": "^did:(web|key|ion|pkh|ethr):[a-zA-Z0-9._%-]+#[a-zA-Z0-9_-]+$",
            "minLength": 15,
            "maxLength": 600,
            "description": "DID verification method reference (DID#keyId format)"
        },
        "benchmarkName": {
            "type": "string",
            "maxLength": 200
        },
        "benchmarkVersion": {
            "type": "string",
            "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-[0-9A-Za-z.-]+)?$"
        },
        "assuranceSource": {
            "type": "string",
            "enum": ["self", "beltic", "third_party"]
        },
        "safetyScore": {
            "type": "number",
            "minimum": 0,
            "maximum": 100
        },
        "safetyBenchmark": {
            "type": "object",
            "description": "Optional safety benchmark evaluation results",
            "additionalProperties": false,
            "properties": {
                "score": { "$ref": "#/$defs/safetyScore" },
                "benchmarkName": { "$ref": "#/$defs/benchmarkName" },
                "benchmarkVersion": { "$ref": "#/$defs/benchmarkVersion" },
                "evaluationDate": { "type": "string", "format": "date" },
                "assuranceSource": { "$ref": "#/$defs/assuranceSource" }
            }
        },
        "tool": {
            "type": "object",
            "required": [
                "toolId",
                "toolName",
                "toolDescription",
                "riskCategory",
                "riskSubcategory",
                "requiresAuth",
                "requiresHumanApproval"
            ],
            "additionalProperties": false,
            "properties": {
                "toolId": {
                    "type": "string",
                    "minLength": 1,
                    "maxLength": 100
                },
                "toolName": {
                    "type": "string",
                    "minLength": 2,
                    "maxLength": 200
                },
                "toolDescription": {
                    "type": "string",
                    "minLength": 10,
                    "maxLength": 1000
                },
                "riskCategory": {
                    "type": "string",
                    "enum": ["data", "compute", "financial", "external"]
                },
                "riskSubcategory": {
                    "type": "string",
                    "enum": [
                        "data_read_internal",
                        "data_read_external",
                        "data_write_internal",
                        "data_write_external",
                        "data_delete",
                        "data_export",
                        "compute_code_execution",
                        "compute_query_generation",
                        "compute_api_call",
                        "compute_transformation",
                        "compute_analysis",
                        "financial_read",
                        "financial_transaction",
                        "financial_account_access",
                        "financial_payment_initiation",
                        "external_internet_access",
                        "external_email",
                        "external_notification",
                        "external_authentication",
                        "external_file_access"
                    ]
                },
                "requiresAuth": { "type": "boolean" },
                "requiresHumanApproval": { "type": "boolean" },
                "mitigations": {
                    "type": "string",
                    "maxLength": 1000
                }
            }
        },
        "dataLocationProfile": {
            "type": "object",
            "required": ["storageRegions", "processingRegions"],
            "additionalProperties": false,
            "properties": {
                "storageRegions": {
                    "type": "array",
                    "items": { "$ref": "#/$defs/isoCountry" },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "processingRegions": {
                    "type": "array",
                    "items": { "$ref": "#/$defs/isoCountry" },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "backupRegions": {
                    "type": "array",
                    "items": { "$ref": "#/$defs/isoCountry" },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "notes": {
                    "type": "string",
                    "maxLength": 500
                }
            }
        },
        "deploymentEnvironmentObject": {
            "type": "object",
            "description": "Deployment environment profile",
            "required": ["type", "cloudProvider"],
            "additionalProperties": false,
            "properties": {
                "type": {
                    "type": "string",
                    "enum": ["cloud_managed", "cloud_self_managed", "on_premises", "hybrid", "edge"]
                },
                "cloudProvider": {
                    "type": "string",
                    "enum": ["aws", "gcp", "azure", "oracle", "ibm", "alibaba", "other", "none"]
                },
                "primaryRegion": { "$ref": "#/$defs/isoCountry" },
                "complianceNotes": {
                    "type": "string",
                    "maxLength": 500
                }
            }
        },
        "proofObject": {
            "type": "object",
            "description": "W3C VC Data Integrity Proof",
            "required": ["type", "created", "verificationMethod", "proofPurpose", "proofValue"],
            "additionalProperties": false,
            "properties": {
                "type": {
                    "type": "string",
                    "enum": ["Ed25519Signature2020", "JsonWebSignature2020", "EcdsaSecp256k1Signature2019"]
                },
                "created": {
                    "type": "string",
                    "format": "date-time"
                },
                "verificationMethod": { "$ref": "#/$defs/verificationMethodRef" },
                "proofPurpose": {
                    "type": "string",
                    "enum": ["assertionMethod", "authentication", "keyAgreement"]
                },
                "proofValue": {
                    "type": "string",
                    "minLength": 40,
                    "maxLength": 2000
                },
                "challenge": {
                    "type": "string",
                    "maxLength": 256
                },
                "domain": {
                    "type": "string",
                    "format": "uri"
                }
            }
        },
        "bitstringStatusListEntry": {
            "type": "object",
            "description": "W3C Bitstring Status List Entry for credential revocation/suspension",
            "required": ["id", "type", "statusPurpose", "statusListIndex", "statusListCredential"],
            "additionalProperties": false,
            "properties": {
                "id": {
                    "type": "string",
                    "format": "uri",
                    "description": "URL to the specific status entry"
                },
                "type": {
                    "type": "string",
                    "const": "BitstringStatusListEntry"
                },
                "statusPurpose": {
                    "type": "string",
                    "enum": ["revocation", "suspension"],
                    "description": "Purpose of the status check"
                },
                "statusListIndex": {
                    "type": "string",
                    "pattern": "^[0-9]+$",
                    "description": "Index position in the status list bitstring"
                },
                "statusListCredential": {
                    "type": "string",
                    "format": "uri",
                    "description": "URL to the status list credential"
                }
            }
        },
        "jwkThumbprint": {
            "type": "string",
            "pattern": "^[A-Za-z0-9_-]{43}$",
            "description": "Base64url-encoded SHA-256 JWK thumbprint per RFC 7638 (43 characters)"
        }
    },
    "properties": {
        "@context": {
            "type": "array",
            "items": { "type": "string" },
            "minItems": 2,
            "description": "W3C VC context URIs. Must include base VC context and Beltic context.",
            "contains": {
                "const": "https://www.w3.org/ns/credentials/v2"
            }
        },
        "type": {
            "type": "array",
            "items": { "type": "string" },
            "minItems": 2,
            "allOf": [
                { "contains": { "const": "VerifiableCredential" } },
                { "contains": { "const": "AgentCredential" } }
            ],
            "description": "Credential types. Must include VerifiableCredential and AgentCredential."
        },
        "id": {
            "type": "string",
            "format": "uri",
            "description": "Unique identifier for the credential (URN or URL)"
        },
        "issuer": {
            "$ref": "#/$defs/didIdentifier",
            "description": "DID of the credential issuer"
        },
        "validFrom": {
            "type": "string",
            "format": "date-time",
            "description": "Date and time when the credential becomes valid"
        },
        "validUntil": {
            "type": "string",
            "format": "date-time",
            "description": "Date and time when the credential expires"
        },
        "credentialSubject": {
            "type": "object",
            "description": "Agent-specific claims",
            "additionalProperties": false,
            "required": [
                "id",
                "schemaVersion",
                "agentId",
                "agentName",
                "agentVersion",
                "agentDescription",
                "firstReleaseDate",
                "currentStatus",
                "developerCredentialId",
                "developerCredentialVerified",
                "primaryModelProvider",
                "primaryModelFamily",
                "modelContextWindow",
                "modalitySupport",
                "languageCapabilities",
                "architectureType",
                "systemConfigFingerprint",
                "systemConfigLastUpdated",
                "deploymentEnvironment",
                "dataLocationProfile",
                "dataCategoriesProcessed",
                "dataRetentionMaxPeriod",
                "trainingDataUsage",
                "piiDetectionEnabled",
                "piiRedactionCapability",
                "dataEncryptionStandards",
                "incidentResponseContact",
                "incidentResponseSLO",
                "deprecationPolicy",
                "updateCadence",
                "humanOversightMode",
                "failSafeBehavior",
                "monitoringCoverage",
                "overallSafetyRating",
                "ageRestrictions",
                "kybTierRequired",
                "verificationLevel"
            ],
            "properties": {
                "id": {
                    "$ref": "#/$defs/didIdentifier",
                    "description": "DID of the agent (credential subject)"
                },
                "schemaVersion": {
                    "type": "string",
                    "enum": ["2.0"]
                },
                "agentId": { "$ref": "#/$defs/uuid" },
                "agentName": {
                    "type": "string",
                    "minLength": 2,
                    "maxLength": 200
                },
                "agentVersion": {
                    "type": "string",
                    "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?$"
                },
                "agentDescription": {
                    "type": "string",
                    "minLength": 50,
                    "maxLength": 1000
                },
                "firstReleaseDate": { "type": "string", "format": "date" },
                "currentStatus": {
                    "type": "string",
                    "enum": ["production", "beta", "alpha", "internal", "deprecated", "retired"]
                },
                "developerCredentialId": { "$ref": "#/$defs/uuid" },
                "developerCredentialVerified": { "type": "boolean" },
                "primaryModelProvider": {
                    "type": "string",
                    "enum": ["anthropic", "openai", "google", "meta", "mistral", "cohere", "amazon", "microsoft", "huggingface", "self_hosted", "other"],
                    "description": "Primary AI model provider"
                },
                "primaryModelFamily": {
                    "type": "string",
                    "enum": [
                        "claude-3-opus", "claude-3-sonnet", "claude-3-haiku", "claude-3.5-sonnet", "claude-4",
                        "gpt-4", "gpt-4-turbo", "gpt-4o", "gpt-4o-mini",
                        "gemini-pro", "gemini-ultra", "gemini-1.5",
                        "llama-3", "llama-3.1",
                        "mistral-large", "mistral-medium",
                        "command-r", "command-r-plus",
                        "other"
                    ],
                    "description": "Primary model family/version"
                },
                "modelContextWindow": {
                    "type": "integer",
                    "minimum": 1
                },
                "modalitySupport": {
                    "type": "array",
                    "items": {
                        "type": "string",
                        "enum": ["text", "image", "audio", "video", "code", "structured_data"]
                    },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "languageCapabilities": {
                    "type": "array",
                    "items": { "$ref": "#/$defs/isoLanguage" },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "architectureType": {
                    "type": "string",
                    "enum": [
                        "single_agent",
                        "rag",
                        "tool_using",
                        "multi_agent",
                        "agentic_workflow",
                        "fine_tuned",
                        "hybrid"
                    ]
                },
                "systemConfigFingerprint": {
                    "type": "string",
                    "pattern": "^[A-Fa-f0-9]{64}$"
                },
                "systemConfigLastUpdated": { "type": "string", "format": "date" },
                "deploymentEnvironment": {
                    "$ref": "#/$defs/deploymentEnvironmentObject"
                },
                "complianceCertifications": {
                    "type": "array",
                    "items": {
                        "type": "string",
                        "enum": [
                            "soc2_type1",
                            "soc2_type2",
                            "iso27001",
                            "iso27017",
                            "iso27018",
                            "hipaa",
                            "pci_dss",
                            "fedramp",
                            "gdpr_compliant",
                            "ccpa_compliant"
                        ]
                    },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "dataLocationProfile": { "$ref": "#/$defs/dataLocationProfile" },
                "toolsList": {
                    "type": "array",
                    "items": { "$ref": "#/$defs/tool" },
                    "uniqueItems": true
                },
                "toolsLastAudited": { "type": "string", "format": "date" },
                "dataCategoriesProcessed": {
                    "type": "array",
                    "items": {
                        "type": "string",
                        "enum": [
                            "none",
                            "pii",
                            "phi",
                            "financial",
                            "biometric",
                            "behavioral",
                            "authentication",
                            "proprietary",
                            "government_id",
                            "children_data"
                        ]
                    },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "dataRetentionMaxPeriod": {
                    "type": "string",
                    "pattern": "^P(?!$).*"
                },
                "dataRetentionByCategory": {
                    "type": "object",
                    "additionalProperties": {
                        "type": "string",
                        "pattern": "^P(?!$).*"
                    }
                },
                "trainingDataUsage": {
                    "type": "string",
                    "enum": [
                        "never",
                        "anonymized_only",
                        "aggregated_only",
                        "with_explicit_consent",
                        "opt_out_available",
                        "not_applicable"
                    ]
                },
                "piiDetectionEnabled": { "type": "boolean" },
                "piiRedactionCapability": {
                    "type": "string",
                    "enum": ["none", "basic", "advanced", "context_aware"]
                },
                "piiRedactionPipeline": {
                    "type": "string",
                    "maxLength": 1000
                },
                "dataEncryptionStandards": {
                    "type": "array",
                    "items": {
                        "type": "string",
                        "enum": [
                            "AES-128-at-rest", "AES-256-at-rest",
                            "AES-128-GCM", "AES-256-GCM",
                            "TLS-1.2-in-transit", "TLS-1.3-in-transit",
                            "ChaCha20-Poly1305",
                            "RSA-2048", "RSA-4096",
                            "ECDHE", "other"
                        ]
                    },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "safetyBenchmarks": {
                    "type": "object",
                    "description": "Optional safety evaluation benchmarks. All sections are optional for early adoption.",
                    "additionalProperties": false,
                    "properties": {
                        "harmfulContent": { "$ref": "#/$defs/safetyBenchmark" },
                        "promptInjection": { "$ref": "#/$defs/safetyBenchmark" },
                        "toolAbuse": { "$ref": "#/$defs/safetyBenchmark" },
                        "piiLeakage": { "$ref": "#/$defs/safetyBenchmark" }
                    }
                },
                "incidentResponseContact": {
                    "type": "string",
                    "format": "email",
                    "maxLength": 254
                },
                "incidentResponseSLO": { "$ref": "#/$defs/isoDuration" },
                "deprecationPolicy": {
                    "type": "string",
                    "maxLength": 1000
                },
                "updateCadence": {
                    "type": "string",
                    "enum": [
                        "continuous",
                        "weekly",
                        "biweekly",
                        "monthly",
                        "quarterly",
                        "as_needed",
                        "no_updates"
                    ]
                },
                "humanOversightMode": {
                    "type": "string",
                    "enum": [
                        "autonomous_low_risk",
                        "human_review_pre_action",
                        "human_review_post_action",
                        "human_initiated_only",
                        "custom_handover"
                    ]
                },
                "failSafeBehavior": {
                    "type": "string",
                    "minLength": 50,
                    "maxLength": 800
                },
                "monitoringCoverage": {
                    "type": "string",
                    "minLength": 50,
                    "maxLength": 800
                },
                "overallSafetyRating": {
                    "type": "string",
                    "enum": [
                        "minimal_risk",
                        "low_risk",
                        "moderate_risk",
                        "high_risk",
                        "evaluation_pending"
                    ]
                },
                "approvedUseCases": {
                    "type": "array",
                    "items": { "type": "string", "maxLength": 200 },
                    "minItems": 1
                },
                "prohibitedUseCases": {
                    "type": "array",
                    "items": { "type": "string", "maxLength": 200 },
                    "minItems": 1
                },
                "ageRestrictions": {
                    "type": "string",
                    "enum": ["none", "13+", "16+", "18+", "21+"]
                },
                "regulatoryApprovals": {
                    "type": "array",
                    "items": { "type": "string", "maxLength": 200 },
                    "minItems": 1
                },
                "kybTierRequired": {
                    "type": "string",
                    "enum": ["tier_0", "tier_1", "tier_2", "tier_3", "tier_4"]
                },
                "verificationLevel": {
                    "type": "string",
                    "enum": ["self_attested", "beltic_verified", "third_party_verified"]
                },
                "lastSecurityAuditDate": { "type": "string", "format": "date" },
                "httpSigningKeyJwkThumbprint": {
                    "$ref": "#/$defs/jwkThumbprint",
                    "description": "RFC 7638 JWK thumbprint of the Ed25519 key used for HTTP request signing (Web Bot Auth). Must match the keyid used in Signature-Input headers."
                },
                "keyDirectoryUrl": {
                    "type": "string",
                    "format": "uri",
                    "pattern": "^https://.*/.well-known/http-message-signatures-directory$",
                    "description": "URL to the agent's HTTP Message Signatures key directory per draft-meunier-http-message-signatures-directory"
                }
            }
        },
        "credentialStatus": {
            "$ref": "#/$defs/bitstringStatusListEntry"
        },
        "proof": {
            "$ref": "#/$defs/proofObject"
        }
    },
    "allOf": [
        {
            "$comment": "PHI data requires HIPAA compliance certification",
            "if": {
                "properties": {
                    "credentialSubject": {
                        "properties": {
                            "dataCategoriesProcessed": {
                                "contains": { "const": "phi" }
                            }
                        },
                        "required": ["dataCategoriesProcessed"]
                    }
                }
            },
            "then": {
                "properties": {
                    "credentialSubject": {
                        "properties": {
                            "complianceCertifications": {
                                "contains": { "const": "hipaa" }
                            }
                        },
                        "required": ["complianceCertifications"]
                    }
                }
            }
        },
        {
            "$comment": "Financial data requires PCI-DSS or SOC2 Type 2 compliance",
            "if": {
                "properties": {
                    "credentialSubject": {
                        "properties": {
                            "dataCategoriesProcessed": {
                                "contains": { "const": "financial" }
                            }
                        },
                        "required": ["dataCategoriesProcessed"]
                    }
                }
            },
            "then": {
                "properties": {
                    "credentialSubject": {
                        "properties": {
                            "complianceCertifications": {
                                "anyOf": [
                                    { "contains": { "const": "pci_dss" } },
                                    { "contains": { "const": "soc2_type2" } }
                                ]
                            }
                        },
                        "required": ["complianceCertifications"]
                    }
                }
            }
        },
        {
            "$comment": "Children data requires age restrictions and enhanced protections",
            "if": {
                "properties": {
                    "credentialSubject": {
                        "properties": {
                            "dataCategoriesProcessed": {
                                "contains": { "const": "children_data" }
                            }
                        },
                        "required": ["dataCategoriesProcessed"]
                    }
                }
            },
            "then": {
                "properties": {
                    "credentialSubject": {
                        "properties": {
                            "ageRestrictions": {
                                "enum": ["13+", "16+", "18+", "21+"]
                            },
                            "piiDetectionEnabled": { "const": true },
                            "trainingDataUsage": {
                                "enum": ["never", "not_applicable"]
                            }
                        },
                        "required": ["ageRestrictions"]
                    }
                }
            }
        },
        {
            "$comment": "Web Bot Auth: httpSigningKeyJwkThumbprint and keyDirectoryUrl must both be present if either is specified",
            "if": {
                "properties": {
                    "credentialSubject": {
                        "anyOf": [
                            { "required": ["httpSigningKeyJwkThumbprint"] },
                            { "required": ["keyDirectoryUrl"] }
                        ]
                    }
                }
            },
            "then": {
                "properties": {
                    "credentialSubject": {
                        "required": ["httpSigningKeyJwkThumbprint", "keyDirectoryUrl"]
                    }
                }
            }
        }
    ]
}
