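# Authority Profile Bundle Schema — v2 PCv2 Authorization Axes
# KNO Schema Version: 0.1.0
#
# An authority-profile-bundle defines a named set of authority profiles. Each
# profile resolves to a flat set of pspace:* scopes. Profiles compose via
# extends + additional_scopes (linear, no diamonds).
#
# Used by:
# - X1.2 (#1718): resolveAuthorityProfile() resolver
# - X1.3 (#1719): verifyRelationshipScope() verifier
# - DD-COL2-06: authority profiles compose existing pspace:* scopes
#
# DESIGN PRINCIPLE: Profile bundles are DATA, not code. The resolver
# loads this schema at module init and validates every scope against the
# in-process scope vocabulary (ALL_MCP_SCOPES). Unknown profile, unknown
# scope, or extends cycle → fail-closed (throw).
#
# REVIEW NOTE: the per-profile schema now enforces the "leaf XOR node" rule
# that the descriptions already state (exactly one of `scopes` / `extends`)
# and rejects unknown keys, so a mistyped key can no longer be silently
# ignored and yield a profile with fewer or no scopes than intended.

# =============================================================================
# SCHEMA DECLARATION
# =============================================================================
$schema: kno@0.0.9

# =============================================================================
# IDENTITY
# =============================================================================
id: "01KQA4XZNF8EBHXKPVR2D7SAJW"
slug: authority-profile-bundle-schema
type: spec
version: "0.1.0"

# =============================================================================
# STANDARD TIER
# =============================================================================
title: "Authority Profile Bundle Schema"
purpose: |
  Define the schema for authority-profile-bundle entities — named collections
  of authority profiles drawn from the existing pspace:* scope vocabulary per
  DD-COL2-06.

  **What is an Authority Profile?**
  An authority profile is a preset bundle of pspace:* scopes that an organizer
  of a parent Possibility may grant to an Envoy/Liaison helper at edge-consent
  time. The profile caps what the helper may request when acting across the
  consented edge.

  **Composition (extends + additional_scopes):**
  Profiles compose via a single-parent `extends` field plus a list of
  `additional_scopes`. Resolution is linear (no diamonds, no multiple
  inheritance). The resolver fails closed on cycles.

  **Validation:**
  Every scope listed in any profile MUST exist in the in-process scope
  vocabulary (ALL_MCP_SCOPES from services/pspace-api/src/mcp/types.ts). When
  the /v0.1/servers HTTP route ships (#1746), validation will additionally
  cross-check the published vocabulary.

  **Why a bundle (not one profile per file)?**
  All four DD-COL2-06 profiles are defined together so that:
  - The resolver can validate the extends chain at load time.
  - Reviewers see the full lattice in one file.
  - A future versioned bundle can replace the current one atomically.

# =============================================================================
# RICH TIER — Taxonomy
# =============================================================================
provenance:
  origin:
    id: "01KQA4XZNF8EBHXKPVR2D7SAJW"
    timestamp: "2026-04-23T00:00:00Z"
    tool: ai-assisted-authoring

taxonomy:
  topics:
    - authorization
    - scopes
    - cross-possibility
    - pcv2
  keywords:
    - authority-profile
    - profile-bundle
    - relationship-axis
    - dd-col2-06

# =============================================================================
# RICH TIER — Relationships
# =============================================================================
relationships:
  extends:
    - xri: "kno://specs/document-schema"
      reason: "Layer 2 base type"
  depends_on:
    - xri: "kno://specs/kno-spec"
      reason: "Defines kno@0.0.9 schema structure"
  related_to:
    - xri: "pspace://issue:1717"
      reason: "X1.1 — knowledge-base entry that documents the 4-axis model this bundle is consumed by"
    - xri: "pspace://issue:1718"
      reason: "X1.2 — resolveAuthorityProfile() consumes bundles defined by this schema"
    - xri: "pspace://issue:1719"
      reason: "X1.3 — verifyRelationshipScope() consumes the resolver"
    - xri: "pspace://knowledge-base:authorization-axes"
      reason: "Companion human-readable explainer for the 4-axis model and DD-COL2-06"

quality:
  completeness: 0.85
  last_reviewed: "2026-04-23"
  review_status: draft

# =============================================================================
# HISTORY
# =============================================================================
_history:
  version: 1
  created: "2026-04-23T00:00:00Z"
  created_by: "pspace-core-team"
  modified: "2026-04-23T00:00:00Z"
  modified_by: "claude"

# =============================================================================
# SPECIFICATION
# =============================================================================
spec:
  status: Draft
  changelog:
    - version: "0.1.0"
      date: "2026-04-23"
      changes:
        - "Initial creation for X1.2 (#1718) — DD-COL2-06 authority profile bundles"
        - "Linear extends chain (no diamonds) per resolver contract"
        - "Scope validation against in-process ALL_MCP_SCOPES; future /v0.1/servers cross-check"
        - "Profile entries: exactly one of `scopes` / `extends` enforced (oneOf); unknown keys rejected"

  schema:
    type: object
    required:
      - $schema
      - id
      - type
      - name
      - version
      - profiles
    properties:
      # -----------------------------------------------------------------------
      # BASIC TIER
      # -----------------------------------------------------------------------
      $schema:
        type: string
        const: "authority-profile-bundle@0.1.0"
        description: "Schema declaration"

      id:
        type: string
        # Crockford base32, 26 chars (ULID); I, L, O and U are excluded.
        pattern: "^[0-9A-HJKMNP-TV-Z]{26}$"
        description: |
          ULID identifier for this bundle.
        examples:
          - "01KQA4XZNF8EBHXKPVR2D7SAJW" # pragma: allowlist secret

      type:
        type: string
        const: "authority-profile-bundle"
        description: "Entity type marker"

      name:
        type: string
        description: "Human-readable bundle name (used as the stable lookup key for the resolver)"
        examples:
          - "pcv2-authority-profiles"

      version:
        type: string
        # Kept as a string so "1.10" is never read as the float 1.1.
        pattern: "^[0-9]+\\.[0-9]+\\.[0-9]+$"
        description: "SemVer of this bundle"
        examples:
          - "0.1.0"

      # -----------------------------------------------------------------------
      # PROFILES
      # -----------------------------------------------------------------------
      profiles:
        type: object
        description: |
          Map of profile name → definition. Profile names are arbitrary strings
          (chosen by the bundle author) but must be stable — consumers reference
          them by name. The four DD-COL2-06 names (none, audit_only,
          provisioning, full_organizer) are recommended for the canonical
          pcv2-authority-profiles bundle.
        # NOTE(review): profile names are consumed as object keys by the TS
        # resolver; if the resolver indexes a plain object rather than a Map,
        # consider constraining keys here (e.g. a `propertyNames` pattern) so
        # that prototype-affecting key names cannot appear — confirm against
        # the resolver implementation.
        additionalProperties:
          type: object
          # A profile is exactly one of:
          #   - a leaf: `scopes` present, no `extends` / `additional_scopes`
          #   - a node: `extends` present (optionally `additional_scopes`)
          # Both, neither, or `additional_scopes` alone is rejected, matching
          # the mutual-exclusion stated in the `scopes` description below.
          oneOf:
            - required:
                - scopes
              not:
                anyOf:
                  - required:
                      - extends
                  - required:
                      - additional_scopes
            - required:
                - extends
              not:
                required:
                  - scopes
          # Fail closed on unknown keys: a typo such as a misspelled `extends`
          # must be a validation error, not a silently narrower profile.
          additionalProperties: false
          properties:
            scopes:
              type: array
              description: |
                Flat list of pspace:* scopes the profile resolves to.
                Mutually exclusive with `extends` + `additional_scopes` (a
                profile is either a leaf with `scopes`, or a node with
                `extends`).
              items:
                type: string
                # Shape check only; membership in ALL_MCP_SCOPES is enforced
                # by the resolver at load time (see header).
                pattern: "^pspace:[a-z][a-z0-9-]*(:[a-z][a-z0-9-]*)+$"
              examples:
                - ["pspace:project:read", "pspace:catalog:read"]

            extends:
              type: string
              description: |
                Name of another profile in the same bundle to extend. Linear
                chain only — no multiple inheritance, no cycles. The resolver
                rejects cycles at load time.
              examples:
                - "audit_only"

            additional_scopes:
              type: array
              description: |
                Scopes added on top of the `extends` parent. Resolved scope
                set = parent.scopes ∪ additional_scopes (deduplicated).
              # Only meaningful alongside `extends` (enforced by oneOf above).
              # An `extends` without `additional_scopes` is an alias profile;
              # NOTE(review): confirm the resolver treats a missing list as [].
              items:
                type: string
                pattern: "^pspace:[a-z][a-z0-9-]*(:[a-z][a-z0-9-]*)+$"
              examples:
                - ["pspace:project:write"]

# =============================================================================
# EXAMPLES
# =============================================================================
examples:
  - title: "Canonical PCv2 authority profiles (DD-COL2-06)"
    description: "The four DD-COL2-06 profiles forming the canonical bundle."
    content: |
      $schema: authority-profile-bundle@0.1.0
      id: 01KQA4ZK5JPZNRRZP4TS2VCXA0 # pragma: allowlist secret
      type: authority-profile-bundle
      name: pcv2-authority-profiles
      version: 0.1.0
      profiles:
        # Leaf: grants nothing; the safe default for an unconsented helper.
        none:
          scopes: []
        # Leaf: read-only.
        audit_only:
          scopes:
            - pspace:project:read
            - pspace:catalog:read
        # Node: audit_only + project write.
        provisioning:
          extends: audit_only
          additional_scopes:
            - pspace:project:write
        # Node: provisioning + secrets access (the broadest profile).
        full_organizer:
          extends: provisioning
          additional_scopes:
            - pspace:secrets:read
            - pspace:secrets:write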