{
  "$defs": {
    "ControlCategory": {
      "description": "Control category.",
      "oneOf": [
        {
          "enum": [
            "organizational",
            "people",
            "physical",
            "technological"
          ],
          "type": "string"
        },
        {
          "const": "process",
          "description": "Process / procedural.",
          "type": "string"
        }
      ]
    },
    "ControlFrameworkMapping": {
      "description": "External framework mapping.",
      "properties": {
        "clause": {
          "description": "Clause / control identifier (e.g. \"A.5.18\", \"CC6.2\", \"PR.AC-1\",\n\"AC-3\", \"8.3.1\", \"164.312(a)(1)\", \"5.1\").",
          "type": "string"
        },
        "framework": {
          "description": "Framework name (e.g. \"ISO 27001:2022 Annex A\", \"SOC 2 TSC\n2017\", \"NIST CSF 2.0\", \"NIST SP 800-53 Rev.5\", \"PCI DSS v4.0\",\n\"HIPAA Security Rule\", \"CIS v8\", \"COBIT 2019\").",
          "type": "string"
        }
      },
      "required": [
        "framework",
        "clause"
      ],
      "type": "object"
    },
    "ControlMaturity": {
      "description": "Maturity (CMMI-style 1–5).",
      "oneOf": [
        {
          "const": "initial",
          "description": "Initial / ad-hoc.",
          "type": "string"
        },
        {
          "const": "managed",
          "description": "Managed / repeatable.",
          "type": "string"
        },
        {
          "const": "defined",
          "description": "Defined / documented.",
          "type": "string"
        },
        {
          "const": "quantitatively_managed",
          "description": "Quantitatively managed.",
          "type": "string"
        },
        {
          "const": "optimising",
          "description": "Optimising / continuously improved.",
          "type": "string"
        }
      ]
    },
    "ImplementationStatus": {
      "description": "Implementation status.",
      "oneOf": [
        {
          "const": "not_applicable",
          "description": "Not in scope for this entity.",
          "type": "string"
        },
        {
          "const": "not_implemented",
          "description": "Recognised but not yet started.",
          "type": "string"
        },
        {
          "const": "partially_implemented",
          "description": "In-flight (partial coverage).",
          "type": "string"
        },
        {
          "const": "implemented",
          "description": "In place + operating.",
          "type": "string"
        },
        {
          "const": "implemented_monitored",
          "description": "Implemented + continuous-monitoring evidence.",
          "type": "string"
        }
      ]
    },
    "IsoDate": {
      "description": "ISO 8601 date (YYYY-MM-DD).",
      "format": "date",
      "type": "string"
    },
    "PathRef": {
      "description": "Path-based cross-reference relative to .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`",
      "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$",
      "type": "string"
    },
    "SecurityControlType": {
          "description": "Control type (preventive / detective / corrective / deterrent / recovery, or compensating).",
      "oneOf": [
        {
          "enum": [
            "preventive",
            "detective",
            "corrective",
            "deterrent",
            "recovery"
          ],
          "type": "string"
        },
        {
          "const": "compensating",
          "description": "Compensating (substitute).",
          "type": "string"
        }
      ]
    }
  },
  "$id": "https://corpospec.com/schemas/v0.16.0/security-control.schema.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "additionalProperties": false,
  "description": "Security control record.",
  "properties": {
    "category": {
      "$ref": "#/$defs/ControlCategory"
    },
    "control_type": {
      "$ref": "#/$defs/SecurityControlType"
    },
    "description": {
      "type": "string"
    },
    "entity": {
      "$ref": "#/$defs/PathRef"
    },
    "evidence_refs": {
      "description": "PathRefs to evidence collected for this control.",
      "items": {
        "$ref": "#/$defs/PathRef"
      },
      "type": "array"
    },
    "framework_mappings": {
      "items": {
        "$ref": "#/$defs/ControlFrameworkMapping"
      },
      "type": "array"
    },
    "id": {
      "$ref": "#/$defs/PathRef"
    },
    "last_tested": {
      "$ref": "#/$defs/IsoDate"
    },
    "maturity": {
      "$ref": "#/$defs/ControlMaturity"
    },
    "name": {
      "type": "string"
    },
    "next_test_due": {
      "$ref": "#/$defs/IsoDate"
    },
    "owner": {
      "$ref": "#/$defs/PathRef",
      "description": "PathRef into the owning team / role."
    },
    "procedure_refs": {
      "description": "PathRefs into SOPs / runbooks that operationalise this control.",
      "items": {
        "$ref": "#/$defs/PathRef"
      },
      "type": "array"
    },
    "risk_refs": {
      "description": "Risks treated by this control (PathRefs to risk register entries, if a risk register is used).",
      "items": {
        "$ref": "#/$defs/PathRef"
      },
      "type": "array"
    },
    "short_id": {
      "description": "Short identifier (e.g. \"AC-1\", \"IR-1\") for internal reference.",
      "type": "string"
    },
    "status": {
      "$ref": "#/$defs/ImplementationStatus"
    },
    "test_cadence": {
      "description": "Test cadence as an ISO 8601 duration (e.g. \"P3M\" — quarterly).",
      "type": "string"
    }
  },
  "required": [
    "id",
    "entity",
    "short_id",
    "name",
    "description",
    "category",
    "control_type",
    "status",
    "maturity",
    "framework_mappings",
    "owner",
    "test_cadence",
    "last_tested",
    "next_test_due"
  ],
  "title": "SecurityControlRecord",
  "type": "object",
  "x-corpospec-pillar": "legal"
}