{
  "feature": "fine-grained-authorization",
  "version": "1.0.0",
  "description": "Resource-based and policy-based authorization",
  "category": "access",
  "tags": [
    "authorization",
    "rbac"
  ],
  "fields": [
    {
      "name": "resource_id",
      "type": "text",
      "required": true,
      "label": "Resource ID",
      "validation": [
        {
          "type": "required",
          "message": "Resource ID required"
        }
      ]
    },
    {
      "name": "scope_name",
      "type": "text",
      "required": true,
      "label": "Scope",
      "validation": [
        {
          "type": "required",
          "message": "Scope required"
        }
      ]
    }
  ],
  "rules": {
    "core": "Authorization policy evaluation"
  },
  "outcomes": {
    "access_granted": {
      "priority": 5,
      "given": [
        {
          "field": "resource_id",
          "operator": "exists",
          "value": null
        }
      ],
      "then": [
        {
          "action": "emit_event",
          "event": "authz.granted",
          "payload": [
            "resource_id"
          ]
        }
      ],
      "result": "Access granted"
    }
  },
  "errors": [
    {
      "code": "ACCESS_DENIED",
      "status": 403,
      "message": "Access denied"
    }
  ],
  "events": [
    {
      "name": "authz.granted",
      "description": "Authorization granted",
      "payload": [
        "resource_id"
      ]
    }
  ],
  "related": [],
  "agi": {
    "goals": [
      {
        "id": "reliable_fine_grained_authorization",
        "description": "Resource-based and policy-based authorization",
        "success_metrics": [
          {
            "metric": "unauthorized_access_rate",
            "target": "0%",
            "measurement": "Failed authorization attempts that succeed"
          },
          {
            "metric": "response_time_p95",
            "target": "< 500ms",
            "measurement": "95th percentile response time"
          }
        ],
        "constraints": [
          {
            "type": "security",
            "description": "Follow OWASP security recommendations",
            "negotiable": false
          }
        ]
      }
    ],
    "autonomy": {
      "level": "supervised",
      "human_checkpoints": [
        "before making irreversible changes"
      ],
      "escalation_triggers": [
        "error_rate > 5",
        "consecutive_failures > 3"
      ]
    },
    "safety": {
      "action_permissions": [
        {
          "action": "access_granted",
          "permission": "autonomous"
        }
      ]
    },
    "tradeoffs": [
      {
        "prefer": "security",
        "over": "usability",
        "reason": "access control must enforce least-privilege principle"
      }
    ],
    "verification": {
      "invariants": [
        "error messages never expose internal system details"
      ]
    }
  },
  "extensions": {
    "source": {
      "repo": "https://github.com/keycloak/keycloak",
      "project": "Keycloak",
      "tech_stack": "Java"
    }
  }
}