{
  "schema_version": "1.0",
  "baseline": "A-runtime-admin-phase-2a",
  "phase": "Phase 2a",
  "updated_at": "2026-04-19",
  "owner": "session_a",
  "honest_note": "Canonical decision vectors for the policy engine. Every example states the operation, request context, and expected decision shape. Verify with verify_examples.py. now_iso is pinned to 2026-04-19T06:00:00Z (the time_base_iso value in this file) so TTL math is deterministic.",

  "time_base_iso": "2026-04-19T06:00:00Z",

  "groups": {
    "access_check": "Access decisions against the real registry · covers deny/mask/allow paths",
    "mask_resolve": "Field-level mask resolution for different roles × field categories",
    "assist_validate": "Assist session validation · valid / invalid / forbidden-action",
    "viewas_validate": "View-as-tenant validation · always read-only",
    "sensitive_check": "Sensitive-surface approval gate"
  },

  "access_check": [
    {
      "id": "ac-01-unknown-role-denies",
      "name": "unknown actor_role → deny",
      "ctx": {
        "actor_role": "ghost_mode", "actor_user_id": "U-1",
        "field_category": "email", "requested_action": "read"
      },
      "expected": { "decision": "deny", "mask_level": "denied", "self_view": false }
    },
    {
      "id": "ac-02-end-user-self-view",
      "name": "end_user reading own email → allow unmasked (self-view)",
      "ctx": {
        "actor_role": "end_user", "actor_user_id": "U-42", "actor_tenant_id": "pty-zeroth",
        "target_tenant_id": "pty-zeroth", "target_user_id": "U-42",
        "field_category": "email", "requested_action": "read"
      },
      "expected": { "decision": "allow", "mask_level": "unmasked", "self_view": true }
    },
    {
      "id": "ac-03-tenant-admin-own-tenant-pii",
      "name": "tenant_admin reading PII on own tenant → unmasked",
      "ctx": {
        "actor_role": "tenant_admin", "actor_user_id": "U-TA-1", "actor_tenant_id": "pty-zeroth",
        "target_tenant_id": "pty-zeroth", "target_user_id": "U-42",
        "field_category": "email", "requested_action": "read"
      },
      "expected": { "decision": "allow", "mask_level": "unmasked", "tenant_relation": "own" }
    },
    {
      "id": "ac-04-sales-cross-tenant-no-context",
      "name": "sales_ae cross-tenant PII without assist/view-as → deny",
      "ctx": {
        "actor_role": "sales_ae", "actor_user_id": "U-SA-1", "actor_tenant_id": null,
        "target_tenant_id": "pty-zeroth", "target_user_id": "U-42",
        "field_category": "email", "requested_action": "read"
      },
      "expected": { "decision": "deny", "tenant_relation": "cross" }
    },
    {
      "id": "ac-05-support-with-viewas-read",
      "name": "support_success cross-tenant with view_as_ctx read → masked (PII still masked without unmask approval)",
      "ctx": {
        "actor_role": "support_success", "actor_user_id": "U-SP-1", "actor_tenant_id": null,
        "target_tenant_id": "pty-zeroth", "target_user_id": "U-42",
        "field_category": "email", "requested_action": "read",
        "view_as_ctx": {
          "target_tenant_id": "pty-zeroth",
          "granted_at": "2026-04-19T05:30:00Z",
          "expires_at":  "2026-04-19T06:30:00Z"
        }
      },
      "expected": { "decision": "mask", "tenant_relation": "cross" }
    },
    {
      "id": "ac-06-support-viewas-write-denied",
      "name": "support_success view_as_ctx + write intent → deny",
      "ctx": {
        "actor_role": "support_success", "actor_user_id": "U-SP-1",
        "target_tenant_id": "pty-zeroth", "target_user_id": "U-42",
        "field_category": "email", "requested_action": "write",
        "view_as_ctx": { "target_tenant_id": "pty-zeroth", "granted_at": "2026-04-19T05:30:00Z", "expires_at": "2026-04-19T06:30:00Z" }
      },
      "expected": { "decision": "deny" }
    },
    {
      "id": "ac-07-sensitive-no-approval-denies",
      "name": "sensitive field without approval_refs → deny · dual signers required",
      "ctx": {
        "actor_role": "tenant_admin", "actor_user_id": "U-TA-2", "actor_tenant_id": "pty-zeroth",
        "target_tenant_id": "pty-zeroth", "target_user_id": "U-99",
        "field_category": "health", "requested_action": "read", "is_sensitive": true
      },
      "expected": { "decision": "deny" }
    },
    {
      "id": "ac-08-sensitive-with-approval-allows",
      "name": "sensitive + approval_refs held → tenant_admin own-tenant unmasked",
      "ctx": {
        "actor_role": "tenant_admin", "actor_user_id": "U-TA-2", "actor_tenant_id": "pty-zeroth",
        "target_tenant_id": "pty-zeroth", "target_user_id": "U-99",
        "field_category": "health", "requested_action": "read",
        "is_sensitive": true,
        "approval_refs": ["APP-row-sensitive-override-42"]
      },
      "expected": { "decision": "allow", "mask_level": "unmasked" }
    },
    {
      "id": "ac-09-gps-always-denied",
      "name": "GPS coordinates · producer-side policy · unmask always denied → mask, even for superadmin holding approval_refs",
      "ctx": {
        "actor_role": "superadmin", "actor_user_id": "U-SUPER",
        "target_tenant_id": "pty-zeroth", "target_user_id": "U-42",
        "field_category": "gps", "requested_action": "read",
        "approval_refs": ["APP-break-glass-1"]
      },
      "expected": { "decision": "mask", "mask_level": "masked" }
    },
    {
      "id": "ac-10-product-ops-kpi-aggregate",
      "name": "product_ops reading KPI aggregate → unmasked (k-anon enforced upstream)",
      "ctx": {
        "actor_role": "product_ops", "actor_user_id": "U-PO-1",
        "field_category": "kpi", "requested_action": "read"
      },
      "expected": { "decision": "allow", "mask_level": "unmasked" }
    }
  ],

  "mask_resolve": [
    {
      "id": "mr-01-platform-role-default-masked",
      "name": "sales_ae resolving PII with no approval → masked",
      "ctx": {
        "actor_role": "sales_ae", "actor_user_id": "U-SA-1",
        "target_tenant_id": "pty-zeroth", "target_user_id": "U-42",
        "field_category": "email"
      },
      "expected": { "mask_level": "masked" }
    },
    {
      "id": "mr-02-self-view-unmasked",
      "name": "end_user on own email → unmasked",
      "ctx": {
        "actor_role": "end_user", "actor_user_id": "U-42",
        "target_user_id": "U-42", "field_category": "email"
      },
      "expected": { "mask_level": "unmasked" }
    },
    {
      "id": "mr-03-tenant-dpo-own-sensitive",
      "name": "tenant_dpo on own-tenant health field → unmasked",
      "ctx": {
        "actor_role": "tenant_dpo", "actor_user_id": "U-DPO-1", "actor_tenant_id": "pty-zeroth",
        "target_tenant_id": "pty-zeroth", "target_user_id": "U-99",
        "field_category": "health"
      },
      "expected": { "mask_level": "unmasked" }
    }
  ],

  "assist_validate": [
    {
      "id": "av-01-valid-support",
      "name": "support_success with consent + case_ref + active TTL → valid",
      "ctx": {
        "actor_role": "support_success", "actor_user_id": "U-SP-1",
        "assist_ctx": {
          "target_tenant_id": "pty-zeroth",
          "consent_record_id": "CR-assist-123",
          "case_ref": "CASE-002",
          "granted_at": "2026-04-19T05:30:00Z",
          "expires_at": "2026-04-19T06:30:00Z",
          "scope": ["edit_profile", "fix_data_error"]
        },
        "proposed_action": "edit_profile"
      },
      "expected": { "valid": true, "proposed_action_allowed": true }
    },
    {
      "id": "av-02-missing-consent",
      "name": "assist without consent_record_id → invalid",
      "ctx": {
        "actor_role": "support_success", "actor_user_id": "U-SP-2",
        "assist_ctx": {
          "target_tenant_id": "pty-zeroth",
          "granted_at": "2026-04-19T05:45:00Z",
          "expires_at": "2026-04-19T06:45:00Z",
          "scope": ["edit_profile"]
        }
      },
      "expected": { "valid": false }
    },
    {
      "id": "av-03-role-not-eligible",
      "name": "superadmin trying assist → not eligible (break-glass path is different)",
      "ctx": {
        "actor_role": "superadmin", "actor_user_id": "U-SUPER",
        "assist_ctx": {
          "target_tenant_id": "pty-zeroth",
          "consent_record_id": "CR-assist-999",
          "granted_at": "2026-04-19T05:00:00Z",
          "expires_at": "2026-04-19T07:00:00Z",
          "scope": ["*"]
        }
      },
      "expected": { "valid": false }
    },
    {
      "id": "av-04-forbidden-sign-approval",
      "name": "assist attempting sign_approval → forbidden pattern, rejected even when sign_approval is in the granted scope",
      "ctx": {
        "actor_role": "support_success", "actor_user_id": "U-SP-1",
        "assist_ctx": {
          "target_tenant_id": "pty-zeroth", "consent_record_id": "CR-assist-321",
          "case_ref": "CASE-002",
          "granted_at": "2026-04-19T05:30:00Z", "expires_at": "2026-04-19T06:30:00Z",
          "scope": ["sign_approval"]
        },
        "proposed_action": "sign_approval"
      },
      "expected": { "valid": false, "proposed_action_allowed": false }
    },
    {
      "id": "av-05-ttl-expired",
      "name": "assist session expired → invalid",
      "ctx": {
        "actor_role": "sales_ae", "actor_user_id": "U-SA-1",
        "assist_ctx": {
          "target_tenant_id": "pty-zeroth", "consent_record_id": "CR-assist-000",
          "granted_at": "2026-04-19T03:00:00Z", "expires_at": "2026-04-19T03:30:00Z",
          "scope": ["edit_profile"]
        }
      },
      "expected": { "valid": false }
    }
  ],

  "viewas_validate": [
    {
      "id": "vv-01-valid-read",
      "name": "support_success view-as read with active TTL → valid",
      "ctx": {
        "actor_role": "support_success", "actor_user_id": "U-SP-1",
        "view_as_ctx": {
          "target_tenant_id": "pty-zeroth",
          "granted_at": "2026-04-19T05:45:00Z", "expires_at": "2026-04-19T06:15:00Z"
        },
        "proposed_action": "read"
      },
      "expected": { "valid": true, "read_allowed": true, "write_allowed": false }
    },
    {
      "id": "vv-02-write-rejected",
      "name": "view-as + write → invalid (write_allowed always false)",
      "ctx": {
        "actor_role": "support_success", "actor_user_id": "U-SP-1",
        "view_as_ctx": {
          "target_tenant_id": "pty-zeroth",
          "granted_at": "2026-04-19T05:45:00Z", "expires_at": "2026-04-19T06:15:00Z"
        },
        "proposed_action": "write"
      },
      "expected": { "valid": false, "write_allowed": false }
    },
    {
      "id": "vv-03-role-not-eligible",
      "name": "end_user view-as → not eligible",
      "ctx": {
        "actor_role": "end_user", "actor_user_id": "U-42",
        "view_as_ctx": {
          "target_tenant_id": "pty-zeroth",
          "granted_at": "2026-04-19T05:45:00Z", "expires_at": "2026-04-19T06:15:00Z"
        },
        "proposed_action": "read"
      },
      "expected": { "valid": false }
    }
  ],

  "sensitive_check": [
    {
      "id": "sc-01-health-no-ref-denied",
      "name": "tenant_admin sensitive health · no approval → deny · dual required",
      "ctx": {
        "actor_role": "tenant_admin", "actor_user_id": "U-TA-1", "actor_tenant_id": "pty-zeroth",
        "target_tenant_id": "pty-zeroth", "field_category": "health", "requested_action": "read"
      },
      "expected": { "decision": "deny", "current_approvals_satisfy": false }
    },
    {
      "id": "sc-02-health-with-ref-allowed",
      "name": "tenant_admin sensitive health · approval_ref held → allow",
      "ctx": {
        "actor_role": "tenant_admin", "actor_user_id": "U-TA-1", "actor_tenant_id": "pty-zeroth",
        "target_tenant_id": "pty-zeroth", "field_category": "health", "requested_action": "read",
        "approval_refs": ["APP-row-sensitive-override-7"]
      },
      "expected": { "decision": "allow", "current_approvals_satisfy": true }
    },
    {
      "id": "sc-03-write-by-platform-role-blocked",
      "name": "support_success write on sensitive financial → deny regardless of ref",
      "ctx": {
        "actor_role": "support_success", "actor_user_id": "U-SP-1",
        "target_tenant_id": "pty-zeroth", "field_category": "financial", "requested_action": "write",
        "approval_refs": ["APP-some-ref"]
      },
      "expected": { "decision": "deny" }
    }
  ]
}
