{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://mazevault.com/schemas/governance-report-v1.json",
  "title": "MazeVault Governance Report",
  "description": "Schema for importing governance/security requirements into MazeVault. Reports that conform to this schema are parsed without ambiguity. For other audit-tool formats (Nessus, CIS-CAT, Prowler, etc.), MazeVault normalizes field names to the ones defined here through alias mapping.",
  "type": "object",
  "properties": {
    "password_policy": {
      "type": "object",
      "description": "Password complexity and rotation requirements",
      "properties": {
        "min_length": {
          "type": "integer",
          "minimum": 1,
          "description": "Minimum password length",
          "examples": [14]
        },
        "max_length": {
          "type": "integer",
          "minimum": 1,
          "description": "Maximum password length",
          "examples": [128]
        },
        "require_uppercase": {
          "type": "boolean",
          "description": "Require at least one uppercase letter"
        },
        "require_lowercase": {
          "type": "boolean",
          "description": "Require at least one lowercase letter"
        },
        "require_numbers": {
          "type": "boolean",
          "description": "Require at least one digit"
        },
        "require_special": {
          "type": "boolean",
          "description": "Require at least one special character"
        },
        "max_age_days": {
          "type": "integer",
          "minimum": 1,
          "description": "Maximum password age in days before forced rotation",
          "examples": [90]
        },
        "history_count": {
          "type": "integer",
          "minimum": 0,
          "description": "Number of previous passwords that cannot be reused",
          "examples": [12]
        }
      },
      "additionalProperties": false
    },
    "certificate_policy": {
      "type": "object",
      "description": "Certificate issuance and lifecycle requirements",
      "properties": {
        "min_key_size_rsa": {
          "type": "integer",
          "description": "Minimum RSA key size in bits",
          "enum": [2048, 3072, 4096],
          "examples": [2048]
        },
        "min_key_size_ecdsa": {
          "type": "integer",
          "description": "Minimum ECDSA key size in bits",
          "enum": [256, 384, 521],
          "examples": [256]
        },
        "allowed_algorithms": {
          "type": "array",
          "items": { "type": "string", "enum": ["RSA", "ECDSA", "Ed25519"] },
          "description": "Allowed key algorithms"
        },
        "max_validity_days": {
          "type": "integer",
          "minimum": 1,
          "description": "Maximum certificate validity period in days",
          "examples": [397]
        },
        "min_validity_days": {
          "type": "integer",
          "minimum": 1,
          "description": "Minimum certificate validity period in days",
          "examples": [30]
        },
        "require_auto_renewal": {
          "type": "boolean",
          "description": "Whether auto-renewal must be enabled"
        }
      },
      "additionalProperties": false
    },
    "rotation_policy": {
      "type": "object",
      "description": "Secret and certificate rotation requirements",
      "properties": {
        "max_secret_rotation_days": {
          "type": "integer",
          "minimum": 1,
          "description": "Maximum number of days between secret rotations",
          "examples": [90]
        },
        "max_cert_rotation_days": {
          "type": "integer",
          "minimum": 1,
          "description": "Maximum number of days between certificate rotations"
        },
        "require_rotation_enabled": {
          "type": "boolean",
          "description": "Whether rotation must be enabled for all secrets"
        }
      },
      "additionalProperties": false
    },
    "naming_policy": {
      "type": "object",
      "description": "Naming convention requirements",
      "properties": {
        "required_patterns": {
          "type": "array",
          "items": { "type": "string" },
          "description": "Regular-expression patterns that a name must match"
        },
        "forbidden_patterns": {
          "type": "array",
          "items": { "type": "string" },
          "description": "Regular-expression patterns that a name must NOT match"
        }
      },
      "additionalProperties": false
    },
    "mfa_policy": {
      "type": "object",
      "description": "Multi-factor authentication requirements",
      "properties": {
        "min_enforcement_level": {
          "type": "string",
          "enum": ["disabled", "optional", "conditional", "required"],
          "description": "Minimum MFA enforcement level",
          "examples": ["required"]
        },
        "required_methods": {
          "type": "array",
          "items": { "type": "string" },
          "description": "MFA methods that must be available"
        }
      },
      "additionalProperties": false
    },
    "session_policy": {
      "type": "object",
      "description": "Session management requirements",
      "properties": {
        "max_idle_timeout_minutes": {
          "type": "integer",
          "minimum": 1,
          "description": "Maximum session idle timeout in minutes",
          "examples": [15]
        }
      },
      "additionalProperties": false
    },
    "encryption_policy": {
      "type": "object",
      "description": "Encryption and transport security requirements",
      "properties": {
        "min_tls_version": {
          "type": "string",
          "enum": ["1.0", "1.1", "1.2", "1.3"],
          "description": "Minimum required TLS version",
          "examples": ["1.2"]
        },
        "required_cipher_suites": {
          "type": "array",
          "items": { "type": "string" },
          "description": "Cipher suites that must be supported"
        }
      },
      "additionalProperties": false
    }
  },
  "additionalProperties": false
}