{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://tenantatlas.local/specs/120-secret-redaction-integrity/contracts/protected-snapshot.schema.json",
  "title": "Protected Snapshot Contract",
  "type": "object",
  "required": [
    "redaction_version",
    "snapshot",
    "secret_fingerprints"
  ],
  "properties": {
    "redaction_version": {
      "type": "integer",
      "const": 1,
      "description": "Classifier contract version for newly protected policy versions."
    },
    "snapshot": {
      "description": "Protected snapshot payload with safe configuration values preserved.",
      "$ref": "#/$defs/jsonValue"
    },
    "assignments": {
      "description": "Protected assignments payload under the same contract.",
      "$ref": "#/$defs/jsonValue"
    },
    "scope_tags": {
      "description": "Protected scope-tag payload under the same contract.",
      "$ref": "#/$defs/jsonValue"
    },
    "secret_fingerprints": {
      "type": "object",
      "required": ["snapshot", "assignments", "scope_tags"],
      "properties": {
        "snapshot": {
          "$ref": "#/$defs/fingerprintBucket"
        },
        "assignments": {
          "$ref": "#/$defs/fingerprintBucket"
        },
        "scope_tags": {
          "$ref": "#/$defs/fingerprintBucket"
        }
      },
      "additionalProperties": false
    }
  },
  "$defs": {
    "jsonValue": {
      "oneOf": [
        { "type": "object", "additionalProperties": { "$ref": "#/$defs/jsonValue" } },
        { "type": "array", "items": { "$ref": "#/$defs/jsonValue" } },
        { "type": "string" },
        { "type": "number" },
        { "type": "integer" },
        { "type": "boolean" },
        { "type": "null" }
      ]
    },
    "fingerprintBucket": {
      "type": "object",
      "description": "Map of RFC 6901 JSON Pointer paths to lowercase HMAC-SHA256 hex digests.",
      "propertyNames": {
        "type": "string",
        "pattern": "^/(|.*)$"
      },
      "additionalProperties": {
        "type": "string",
        "pattern": "^[a-f0-9]{64}$"
      }
    }
  },
  "examples": [
    {
      "redaction_version": 1,
      "snapshot": {
        "wifi": {
          "ssid": "Corp",
          "password": "[REDACTED]"
        },
        "passwordMinimumLength": 12
      },
      "assignments": [],
      "scope_tags": [],
      "secret_fingerprints": {
        "snapshot": {
          "/wifi/password": "2a1ec8cbf1ea9c0d5a9770b7eeed93ec651987369f9fbeb6f1df2dfeb5a86fd4"
        },
        "assignments": {},
        "scope_tags": {}
      }
    }
  ]
}