{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Create Group Policy",
  "description": "Attach an ABAC policy to a group. Each policy grants or denies one or more actions on entities whose attributes satisfy the conditions.",
  "type": "object",
  "required": ["effect", "actions", "conditions"],
  "properties": {
    "effect": {
      "type": "string",
      "x-gql-type": "policy_effect",
      "title": "Effect",
      "description": "ALLOW grants the actions. DENY blocks them and wins over any matching ALLOW.",
      "enum": ["ALLOW", "DENY"],
      "default": "ALLOW"
    },
    "actions": {
      "type": "array",
      "title": "Actions",
      "description": "What members of this group can do. Pass one or more action ids in `{entity}:{verb}` form. Conditions apply to every action; actions whose entity does not support a given condition simply never match. Duplicate entries are rejected.",
      "items": { "type": "string" },
      "minItems": 1,
      "uniqueItems": true,
      "examples": [
        ["project:view"],
        ["project:view", "project:update", "instance:deploy"]
      ]
    },
    "conditions": {
      "type": "object",
      "x-gql-type": "conditions",
      "title": "Conditions",
      "description": "Restrict the actions to entities whose attributes match every condition. Send the literal `\"*\"` to apply to all entities of each action's type. For an individual key, send `\"*\"` to match any value, or a non-empty list of strings to match only those values. Within a policy, all conditions are combined with AND; across policies, evaluation is OR.",
      "additionalProperties": {
        "oneOf": [
          { "type": "string", "const": "*" },
          { "type": "array", "items": { "type": "string" }, "minItems": 1 }
        ]
      },
      "examples": [
        { "TEAM": ["payments"], "md-environment": ["dev", "staging"] },
        { "md-project": "*", "md-environment": ["prod"] }
      ]
    }
  }
}
