{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://spec-first.dev/contracts/security/secret-deny-patterns.schema.json",
  "title": "spec-first secret deny patterns",
  "type": "object",
  "additionalProperties": false,
  "required": ["version", "patterns", "allowlist", "exclusions"],
  "properties": {
    "version": {
      "const": "secret-deny-patterns.v1"
    },
    "patterns": {
      "type": "array",
      "minItems": 1,
      "items": {
        "type": "object",
        "additionalProperties": false,
        "required": ["id", "reason_code", "match"],
        "properties": {
          "id": {
            "type": "string",
            "pattern": "^[a-z0-9]+(?:-[a-z0-9]+)*$"
          },
          "reason_code": {
            "type": "string",
            "pattern": "^[a-z0-9]+(?:-[a-z0-9]+)*$"
          },
          "match": {
            "type": "array",
            "minItems": 1,
            "items": {
              "type": "string",
              "minLength": 1
            }
          },
          "case_insensitive": {
            "type": "boolean"
          }
        }
      }
    },
    "allowlist": {
      "type": "array",
      "items": {
        "type": "string",
        "minLength": 1,
        "pattern": "^(?!/)(?!~)(?!.*:)(?!.*//)(?!.*(?:^|/)\\.(?:/|$))(?!.*(?:^|/)\\.\\.(?:/|$))(?!.*[\\\\*?\\[\\]{}]).+$",
        "description": "Exact repo-relative paths only, written with forward slashes; no globs or brace patterns, backslashes, empty (//) segments, absolute paths, drive/colon paths, dot segments, parent escapes, or home-dir expansion."
      }
    },
    "exclusions": {
      "type": "array",
      "items": {
        "type": "string"
      }
    }
  }
}
