{
  "feature": "user-account-self-service",
  "version": "1.0.0",
  "description": "User self-service account and credential management",
  "category": "auth",
  "tags": [
    "account-management"
  ],
  "fields": [
    {
      "name": "email",
      "type": "email",
      "required": true,
      "label": "Email",
      "validation": [
        {
          "type": "required",
          "message": "Email required"
        },
        {
          "type": "email",
          "message": "Must be valid email"
        }
      ]
    },
    {
      "name": "current_password",
      "type": "password",
      "required": true,
      "label": "Current Password",
      "sensitive": true,
      "validation": [
        {
          "type": "required",
          "message": "Password required"
        }
      ]
    }
  ],
  "rules": {
    "core": "Account self-service operations"
  },
  "outcomes": {
    "profile_updated": {
      "priority": 5,
      "given": [
        {
          "field": "email",
          "operator": "exists",
          "value": null
        }
      ],
      "then": [
        {
          "action": "emit_event",
          "event": "account.updated",
          "payload": [
            "user_id"
          ]
        }
      ],
      "result": "Profile updated"
    }
  },
  "errors": [
    {
      "code": "INVALID_PASSWORD",
      "status": 401,
      "message": "Invalid password"
    }
  ],
  "events": [
    {
      "name": "account.updated",
      "description": "Account updated",
      "payload": [
        "user_id"
      ]
    }
  ],
  "related": [],
  "agi": {
    "goals": [
      {
        "id": "reliable_user_account_self_service",
        "description": "User self-service account and credential management",
        "success_metrics": [
          {
            "metric": "unauthorized_access_rate",
            "target": "0%",
            "measurement": "Share of requests that should have failed authorization but succeeded"
          },
          {
            "metric": "response_time_p95",
            "target": "< 500ms",
            "measurement": "95th percentile response time"
          }
        ],
        "constraints": [
          {
            "type": "security",
            "description": "Follow OWASP security recommendations",
            "negotiable": false
          },
          {
            "type": "security",
            "description": "Sensitive fields must be encrypted at rest and never logged in plaintext",
            "negotiable": false
          }
        ]
      }
    ],
    "autonomy": {
      "level": "supervised",
      "human_checkpoints": [
        "before modifying sensitive data fields"
      ],
      "escalation_triggers": [
        "error_rate > 5",
        "consecutive_failures > 3"
      ]
    },
    "safety": {
      "action_permissions": [
        {
          "action": "profile_updated",
          "permission": "supervised"
        }
      ]
    },
    "tradeoffs": [
      {
        "prefer": "security",
        "over": "performance",
        "reason": "authentication must prioritize preventing unauthorized access"
      }
    ],
    "verification": {
      "invariants": [
        "sensitive fields are never logged in plaintext",
        "all data access is authenticated and authorized",
        "error messages never expose internal system details"
      ]
    }
  },
  "extensions": {
    "source": {
      "repo": "https://github.com/keycloak/keycloak",
      "project": "Keycloak",
      "tech_stack": "Java"
    }
  }
}