{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "urn:the-embassy:visa.schema:v0.3.0",
  "title": "Embassy Visa",
  "description": "A signed visa issued by The Embassy service",
  "type": "object",
  "required": [
    "visa_id",
    "issuer",
    "issued_at",
    "expires_at",
    "subject",
    "scope",
    "constraints",
    "signature",
    "sig_alg",
    "kid",
    "issuer_mode"
  ],
  "properties": {
    "visa_id": {
      "type": "string",
      "pattern": "^v_[a-f0-9]+$",
      "description": "Unique visa identifier"
    },
    "issuer": {
      "type": "string",
      "const": "The Embassy",
      "description": "Issuer identifier"
    },
    "issued_at": {
      "type": "string",
      "format": "date-time",
      "description": "ISO 8601 timestamp of issuance, in the RFC 3339 date-time form with an explicit UTC offset"
    },
    "expires_at": {
      "type": "string",
      "format": "date-time",
      "description": "ISO 8601 timestamp of expiration, in the RFC 3339 date-time form with an explicit UTC offset"
    },
    "subject": {
      "type": "string",
      "pattern": "^[a-f0-9]{64}$",
      "description": "Lowercase hex-encoded SHA-256 hash of the agent identity (LEDGER_SALT:agent_id)"
    },
    "scope": {
      "type": "array",
      "items": {
        "type": "string"
      },
      "description": "Array of granted permissions"
    },
    "constraints": {
      "type": "object",
      "required": ["no_persistence", "no_user_data", "no_external_calls"],
      "properties": {
        "no_persistence": {
          "type": "boolean",
          "description": "Agent must not persist data beyond visa duration"
        },
        "no_user_data": {
          "type": "boolean",
          "description": "Agent must not access or store user-identifiable data"
        },
        "no_external_calls": {
          "type": "boolean",
          "description": "Agent must not make external HTTP/API calls"
        }
      },
      "additionalProperties": false
    },
    "signature": {
      "type": "string",
      "description": "Base64-encoded Ed25519 signature (64 bytes before encoding)"
    },
    "sig_alg": {
      "type": "string",
      "const": "ed25519",
      "description": "Signature algorithm"
    },
    "kid": {
      "type": "string",
      "pattern": "^[a-f0-9]{12}$",
      "description": "Key identifier (first 12 hex chars of the SHA-256 of the public key); a key-lookup hint only, since 48 bits is too short to authenticate a key"
    },
    "issuer_mode": {
      "type": "string",
      "enum": ["reference", "authoritative"],
      "description": "Issuer mode: reference (reference implementation) or authoritative (production)"
    },
    "warning": {
      "type": "string",
      "enum": ["local_unsigned_fallback"],
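      "description": "Warning flag, present only on visas produced by the local-mode fallback; as the value name indicates, such a visa is not backed by an issuer signature, so verifiers should reject it wherever a signed visa is required"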
    }
  },
  "additionalProperties": false
}
