{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://tenantpilot.local/contracts/foundation-rbac-snapshot.schema.json",
  "title": "Foundation RBAC Snapshot",
  "type": "object",
  "additionalProperties": false,
  "required": ["type", "sourceId", "payload", "metadata"],
  "properties": {
    "type": {
      "type": "string",
      "enum": ["intuneRoleDefinition", "intuneRoleAssignment"]
    },
    "policyId": {
      "type": ["integer", "null"],
      "description": "Synthetic tenant-scoped policy anchor used when immutable RBAC history is linked into the shared policy-version surfaces."
    },
    "policyVersionId": {
      "type": ["integer", "null"],
      "description": "Immutable policy version identifier for RBAC foundation snapshots when version linkage is present."
    },
    "sourceId": {
      "type": "string",
      "minLength": 1
    },
    "displayName": {
      "type": ["string", "null"]
    },
    "payload": {
      "type": "object",
      "description": "Full immutable Graph payload captured for backup or version display."
    },
    "metadata": {
      "type": "object",
      "additionalProperties": true,
      "required": ["kind", "graph"],
      "properties": {
        "kind": {
          "type": "string",
          "enum": ["intuneRoleDefinition", "intuneRoleAssignment"]
        },
        "displayName": {
          "type": ["string", "null"]
        },
        "graph": {
          "type": "object",
          "additionalProperties": false,
          "required": ["resource", "apiVersion"],
          "properties": {
            "resource": {
              "type": "string",
              "enum": [
                "deviceManagement/roleDefinitions",
                "deviceManagement/roleAssignments"
              ]
            },
            "apiVersion": {
              "type": "string"
            }
          }
        },
        "warnings": {
          "type": "array",
          "items": {
            "type": "string"
          }
        }
      }
    }
  }
}