{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://stellaops.dev/schemas/excititor/connector-signer-metadata.schema.json",
  "title": "Excititor Connector Signer Metadata",
  "type": "object",
  "additionalProperties": false,
  "required": ["schemaVersion", "generatedAt", "connectors"],
  "properties": {
    "schemaVersion": {
      "type": "string",
      "pattern": "^1\\.0\\.0$"
    },
    "generatedAt": {
      "type": "string",
      "format": "date-time"
    },
    "connectors": {
      "type": "array",
      "minItems": 1,
      "items": {
        "$ref": "#/$defs/connector"
      }
    }
  },
  "$defs": {
    "connector": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "connectorId",
        "provider",
        "issuerTier",
        "signers"
      ],
      "properties": {
        "connectorId": {
          "type": "string",
          "pattern": "^[a-z0-9:-\\.]+$"
        },
        "provider": {
          "type": "object",
          "additionalProperties": false,
          "required": ["name", "slug"],
          "properties": {
            "name": { "type": "string", "minLength": 3 },
            "slug": { "type": "string", "pattern": "^[a-z0-9-]+$" }
          }
        },
        "issuerTier": {
          "type": "string",
          "enum": ["tier-0", "tier-1", "tier-2", "untrusted"]
        },
        "signers": {
          "type": "array",
          "minItems": 1,
          "items": { "$ref": "#/$defs/signer" }
        },
        "bundle": { "$ref": "#/$defs/bundleRef" },
        "validFrom": { "type": "string", "format": "date" },
        "validTo": { "type": "string", "format": "date" },
        "revoked": { "type": "boolean", "default": false },
        "notes": { "type": "string", "maxLength": 2000 }
      }
    },
    "signer": {
      "type": "object",
      "additionalProperties": false,
      "required": ["usage", "fingerprints"],
      "properties": {
        "usage": {
          "type": "string",
          "enum": ["csaf", "oval", "openvex", "bulk-meta", "attestation"]
        },
        "fingerprints": {
          "type": "array",
          "minItems": 1,
          "items": { "$ref": "#/$defs/fingerprint" }
        },
        "keyLocator": {
          "type": "string",
          "description": "Path or URL (mirror/OCI/TUF) where the signing key or certificate chain can be retrieved in offline kits."
        },
        "certificateChain": {
          "type": "array",
          "items": { "type": "string" },
          "description": "Optional PEM-encoded certificates for x509/cosign keys."
        }
      }
    },
    "fingerprint": {
      "type": "object",
      "additionalProperties": false,
      "required": ["alg", "value"],
      "properties": {
        "alg": {
          "type": "string",
          "enum": ["sha256", "sha512", "sha1"]
        },
        "format": {
          "type": "string",
          "enum": ["pgp", "x509-spki", "x509-ski", "cosign", "pem"]
        },
        "value": {
          "type": "string",
          "minLength": 16,
          "maxLength": 128
        }
      }
    },
    "bundleRef": {
      "type": "object",
      "additionalProperties": false,
      "required": ["kind", "uri"],
      "properties": {
        "kind": {
          "type": "string",
          "enum": ["oci-referrer", "oci-tag", "file", "tuf"]
        },
        "uri": { "type": "string", "minLength": 8 },
        "digest": { "type": "string", "minLength": 32 },
        "publishedAt": { "type": "string", "format": "date-time" }
      }
    }
  }
}