{"contract":{"permissionCheck":{"method":"POST","body":{"kind":"permission","principalId":"usr-amal-os","permissionId":"tenants.manage","scopeKey":"tenant:tenant-construction"}},"roleGrantCheck":{"method":"POST","body":{"kind":"role-grant","actorId":"usr-ravi-platform","roleId":"tenant.admin","scopeKey":"tenant:tenant-construction"}},"registrationFlowCheck":{"method":"POST","body":{"kind":"registration-flow","requestId":"req-platform-admin-lina"}}},"options":{"permissions":[{"id":"identity.principals.read","label":"Read principals","group":"Identity","risk":"low","description":"View users, service accounts, agents, and their current memberships."},{"id":"identity.principals.manage","label":"Manage principals","group":"Identity","risk":"high","description":"Invite, update, suspend, or reactivate principals."},{"id":"auth.credentials.read","label":"Read authenticators","group":"Authentication","risk":"low","description":"View registered passkeys, FIDO security keys, and OTP verification posture."},{"id":"auth.credentials.manage","label":"Manage authenticators","group":"Authentication","risk":"high","description":"Register, revoke, or recover passwordless authenticators through controlled flows."},{"id":"auth.otp.issue","label":"Issue OTP step-up","group":"Authentication","risk":"medium","description":"Issue a short-lived OTP for periodic verification, recovery, or high-risk step-up."},{"id":"rbac.roles.read","label":"Read role policy","group":"RBAC","risk":"low","description":"Inspect roles, assignments, and effective permissions."},{"id":"rbac.roles.assign","label":"Assign roles","group":"RBAC","risk":"high","description":"Grant or revoke scoped roles through the approval gate."},{"id":"platforms.read","label":"Read platforms","group":"Platform","risk":"low","description":"View the fixed DiyaOS platform boundary and platform-level configuration."},{"id":"platforms.manage","label":"Manage platform configuration","group":"Platform","risk":"high","description":"Change governed configuration for the fixed DiyaOS platform through approved APIs."},{"id":"platform.admins.manage","label":"Manage platform admins","group":"Platform","risk":"high","description":"Register, assign, revoke, or transfer responsibility for platform admins."},{"id":"tenants.read","label":"Read tenants","group":"Tenant","risk":"low","description":"View tenant accounts, membership counts, and tenant status."},{"id":"tenants.manage","label":"Manage tenants","group":"Tenant","risk":"high","description":"Create, configure, suspend, or archive tenants."},{"id":"tenant.users.read","label":"Read tenant users","group":"Tenant","risk":"low","description":"View tenant users and tenant-scoped memberships."},{"id":"tenant.users.manage","label":"Manage tenant users","group":"Tenant","risk":"medium","description":"Invite, suspend, or update tenant-scoped users."},{"id":"tenant.admins.manage","label":"Manage tenant admins","group":"Tenant","risk":"high","description":"Register, assign, revoke, or transfer responsibility for tenant admins."},{"id":"audit.events.read","label":"Read audit events","group":"Audit","risk":"low","description":"Inspect security, identity, and authorization events."},{"id":"apps.access","label":"Access apps","group":"Apps","risk":"low","description":"Enter DiyaOS applications available to the active scope."},{"id":"agents.delegate","label":"Delegate agents","group":"Agents","risk":"medium","description":"Allow approved agent actions to run under scoped user authority."},{"id":"catalog.items.read","label":"Read catalog items","group":"Catalog","risk":"low","description":"View tenant-scoped product, service, bundle, and subscription catalog records."},{"id":"catalog.items.manage","label":"Manage catalog items","group":"Catalog","risk":"medium","description":"Create, edit, retire, or archive product and service records before governed publication."},{"id":"catalog.experiences.read","label":"Read catalog experiences","group":"Catalog","risk":"low","description":"View client, channel, market, and app-specific catalog experience profiles."},{"id":"catalog.experiences.manage","label":"Manage catalog experiences","group":"Catalog","risk":"medium","description":"Configure which catalog records appear in a client, channel, market, or app surface."},{"id":"catalog.channels.publish","label":"Publish catalog channels","group":"Catalog","risk":"high","description":"Publish catalog records or experience profiles to public, partner, marketplace, or embedded channels."},{"id":"catalog.exports.read","label":"Read catalog exports","group":"Catalog","risk":"medium","description":"Read API, feed, or export-ready catalog payloads used by other applications."},{"id":"catalog.analytics.read","label":"Read catalog analytics","group":"Catalog","risk":"medium","description":"Inspect tenant-scoped catalog usage, channel readiness, and app adoption signals."},{"id":"brand.workspaces.read","label":"Read brand workspaces","group":"Brand","risk":"low","description":"View tenant-scoped Brand House workspaces and brand context."},{"id":"brand.workspaces.manage","label":"Manage brand workspaces","group":"Brand","risk":"high","description":"Create, configure, archive, or transfer responsibility for Brand House workspaces."},{"id":"brand.guidelines.read","label":"Read brand guidelines","group":"Brand","risk":"low","description":"View approved and permitted brand guideline sections."},{"id":"brand.guidelines.write","label":"Write brand guidelines","group":"Brand","risk":"medium","description":"Draft or edit brand guideline sections before review."},{"id":"brand.guidelines.review","label":"Review brand guidelines","group":"Brand","risk":"medium","description":"Review guideline changes and request fixes before approval."},{"id":"brand.guidelines.publish","label":"Publish brand guidelines","group":"Brand","risk":"high","description":"Publish approved guideline releases for a tenant brand workspace."},{"id":"brand.assets.read","label":"Read brand assets","group":"Brand","risk":"low","description":"View approved asset metadata and allowed controlled file references."},{"id":"brand.assets.upload","label":"Upload brand assets","group":"Brand","risk":"medium","description":"Register new brand asset drafts through governed storage workflows."},{"id":"brand.assets.approve","label":"Approve brand assets","group":"Brand","risk":"high","description":"Approve controlled brand assets for internal, partner, or public use."},{"id":"brand.assets.archive","label":"Archive brand assets","group":"Brand","risk":"high","description":"Archive or retire controlled brand assets while preserving audit history."},{"id":"brand.templates.read","label":"Read brand templates","group":"Brand","risk":"low","description":"View approved or permitted brand templates."},{"id":"brand.templates.manage","label":"Manage brand templates","group":"Brand","risk":"medium","description":"Create, update, or prepare governed templates for review."},{"id":"brand.tokens.read","label":"Read brand tokens","group":"Brand","risk":"low","description":"View approved brand and generated design tokens."},{"id":"brand.tokens.export","label":"Export brand tokens","group":"Brand","risk":"medium","description":"Export brand token packages for implementation surfaces."},{"id":"brand.requests.create","label":"Create brand requests","group":"Brand","risk":"low","description":"Submit Brand Desk requests for assets, exceptions, or guideline changes."},{"id":"brand.requests.triage","label":"Triage brand requests","group":"Brand","risk":"medium","description":"Assign, prioritize, or close Brand Desk requests."},{"id":"brand.analytics.read","label":"Read brand analytics","group":"Brand","risk":"medium","description":"View tenant-scoped Brand House analytics and adoption signals."},{"id":"brand.portal.manage","label":"Manage brand portals","group":"Brand","risk":"high","description":"Configure internal, partner, public, or press portal access and visibility."},{"id":"brand.qa.run","label":"Run Brand QA","group":"Brand","risk":"medium","description":"Run brand usage checks that can create findings but cannot approve usage."},{"id":"voice.sessions.read","label":"Read voice sessions","group":"Agents","risk":"low","description":"Inspect voice session metadata, state, and audit references."},{"id":"voice.sessions.create","label":"Create voice sessions","group":"Agents","risk":"medium","description":"Start a tenant-scoped voice session through the shared voice service."},{"id":"voice.sessions.end","label":"End voice sessions","group":"Agents","risk":"medium","description":"Terminate an active voice session and record the closeout event."},{"id":"voice.sessions.monitor","label":"Monitor voice sessions","group":"Agents","risk":"high","description":"Privately observe and steer an active voice session with audit controls."},{"id":"voice.agents.invoke","label":"Invoke voice agents","group":"Agents","risk":"medium","description":"Delegate spoken interaction to an approved voice agent."},{"id":"voice.agents.configure","label":"Configure voice agents","group":"Agents","risk":"high","description":"Change voice agent provider, tool, transcript, or approval policy settings."},{"id":"voice.transcripts.read","label":"Read voice transcripts","group":"Agents","risk":"medium","description":"Read retained voice transcripts when a transcript policy permits storage."},{"id":"email.connections.read","label":"Read email connections","group":"Communication","risk":"low","description":"Inspect configured email providers, ownership, scopes, and readiness metadata."},{"id":"email.connections.manage","label":"Manage email connections","group":"Communication","risk":"high","description":"Create, disable, or reassign email provider connections and secret-binding requirements."},{"id":"email.sender-identities.read","label":"Read email sender identities","group":"Communication","risk":"low","description":"Inspect approved sender identities, ownership, scopes, and verification state."},{"id":"email.sender-identities.manage","label":"Manage email sender identities","group":"Communication","risk":"high","description":"Create, verify, disable, or transfer sender identities for admins, users, or services."},{"id":"email.messages.send","label":"Send email","group":"Communication","risk":"medium","description":"Send email through an approved sender identity and audited provider boundary."},{"id":"email.messages.read-status","label":"Read email status","group":"Communication","risk":"medium","description":"Inspect send records, provider message ids, and delivery status metadata."},{"id":"email.audit.read","label":"Read email audit","group":"Communication","risk":"medium","description":"Inspect audit records for email connection changes and send attempts."}],"roles":[{"id":"os.admin","label":"OS Admin","layer":"OS","summary":"Full DiyaOS authority across the fixed platform, tenants, users, policy, and audit.","assignableScopes":["os"],"permissions":["identity.principals.read","identity.principals.manage","auth.credentials.read","auth.credentials.manage","auth.otp.issue","rbac.roles.read","rbac.roles.assign","platforms.read","platforms.manage","platform.admins.manage","tenants.read","tenants.manage","tenant.users.read","tenant.users.manage","tenant.admins.manage","audit.events.read","apps.access","agents.delegate","catalog.items.read","catalog.items.manage","catalog.experiences.read","catalog.experiences.manage","catalog.channels.publish","catalog.exports.read","catalog.analytics.read","brand.workspaces.read","brand.workspaces.manage","brand.guidelines.read","brand.guidelines.write","brand.guidelines.review","brand.guidelines.publish","brand.assets.read","brand.assets.upload","brand.assets.approve","brand.assets.archive","brand.templates.read","brand.templates.manage","brand.tokens.read","brand.tokens.export","brand.requests.create","brand.requests.triage","brand.analytics.read","brand.portal.manage","brand.qa.run","voice.sessions.read","voice.sessions.create","voice.sessions.end","voice.sessions.monitor","voice.agents.invoke","voice.agents.configure","voice.transcripts.read","email.connections.read","email.connections.manage","email.sender-identities.read","email.sender-identities.manage","email.messages.send","email.messages.read-status","email.audit.read"],"grantableBy":["os.admin"]},{"id":"platform.admin","label":"Platform Admin","layer":"Platform","summary":"Runs tenant operations under the fixed DiyaOS platform and manages tenants, admins, users, and delegated agents.","assignableScopes":["platform"],"permissions":["identity.principals.read","auth.credentials.read","auth.credentials.manage","auth.otp.issue","rbac.roles.read","rbac.roles.assign","platforms.read","platforms.manage","platform.admins.manage","tenants.read","tenants.manage","tenant.admins.manage","tenant.users.read","tenant.users.manage","audit.events.read","apps.access","agents.delegate","catalog.items.read","catalog.items.manage","catalog.experiences.read","catalog.experiences.manage","catalog.channels.publish","catalog.exports.read","catalog.analytics.read","brand.workspaces.read","brand.workspaces.manage","brand.guidelines.read","brand.guidelines.write","brand.guidelines.review","brand.guidelines.publish","brand.assets.read","brand.assets.upload","brand.assets.approve","brand.assets.archive","brand.templates.read","brand.templates.manage","brand.tokens.read","brand.tokens.export","brand.requests.create","brand.requests.triage","brand.analytics.read","brand.portal.manage","brand.qa.run","voice.sessions.read","voice.sessions.create","voice.sessions.end","voice.sessions.monitor","voice.agents.invoke","voice.agents.configure","voice.transcripts.read","email.connections.read","email.connections.manage","email.sender-identities.read","email.sender-identities.manage","email.messages.send","email.messages.read-status","email.audit.read"],"grantableBy":["os.admin","platform.admin"]},{"id":"tenant.admin","label":"Tenant Admin","layer":"Tenant","summary":"Runs one tenant and manages tenant users, memberships, app access, and local audit review.","assignableScopes":["tenant"],"permissions":["identity.principals.read","auth.credentials.read","auth.credentials.manage","auth.otp.issue","rbac.roles.read","rbac.roles.assign","tenants.read","tenant.admins.manage","tenant.users.read","tenant.users.manage","audit.events.read","apps.access","voice.sessions.read","voice.sessions.create","voice.sessions.end","voice.sessions.monitor","voice.agents.invoke","voice.transcripts.read","email.connections.read","email.sender-identities.read","email.sender-identities.manage","email.messages.send","email.messages.read-status","email.audit.read","catalog.items.read","catalog.items.manage","catalog.experiences.read","catalog.experiences.manage","catalog.channels.publish","catalog.exports.read","catalog.analytics.read","brand.workspaces.read","brand.workspaces.manage","brand.guidelines.read","brand.guidelines.write","brand.guidelines.review","brand.guidelines.publish","brand.assets.read","brand.assets.upload","brand.assets.approve","brand.assets.archive","brand.templates.read","brand.templates.manage","brand.tokens.read","brand.tokens.export","brand.requests.create","brand.requests.triage","brand.analytics.read","brand.portal.manage","brand.qa.run"],"grantableBy":["os.admin","platform.admin","tenant.admin"]},{"id":"tenant.user","label":"Tenant User","layer":"Tenant","summary":"Uses tenant applications and reads the tenant context available to their memberships.","assignableScopes":["tenant"],"permissions":["tenants.read","apps.access","voice.sessions.create","voice.agents.invoke","email.sender-identities.read","email.messages.send","email.messages.read-status","catalog.items.read","catalog.experiences.read","brand.workspaces.read","brand.guidelines.read","brand.assets.read","brand.templates.read","brand.tokens.read","brand.requests.create","brand.qa.run"],"grantableBy":["os.admin","platform.admin","tenant.admin"]}],"scopes":[{"key":"os","label":"DiyaOS","detail":"System-wide control plane"},{"key":"platform:platform-diya","label":"Diya Platform","detail":"3 tenants"},{"key":"tenant:tenant-diya-core","label":"Diya Core Ops","detail":"active / me-central"},{"key":"tenant:tenant-construction","label":"Construction Studio","detail":"active / me-central"},{"key":"tenant:tenant-atelier","label":"Atelier Partner","detail":"provisioning / eu-west"}],"registrationRequests":[{"id":"req-platform-admin-lina","kind":"platform-admin-registration","status":"pending-approval","targetName":"Lina Basri","scopeLabel":"Diya Platform"},{"id":"req-tenant-studio","kind":"tenant-provisioning","status":"draft","targetName":"Design Studio","scopeLabel":"Design Studio / Diya Platform"},{"id":"req-tenant-admin-sara","kind":"tenant-admin-registration","status":"pending-approval","targetName":"Sara Khalid","scopeLabel":"Construction Studio / Diya Platform"},{"id":"req-tenant-user-nabil","kind":"tenant-user-registration","status":"approved","targetName":"Nabil Farah","scopeLabel":"Construction Studio / Diya Platform"},{"id":"req-tenant-admin-atelier","kind":"tenant-admin-registration","status":"blocked","targetName":"Atelier Admin","scopeLabel":"Atelier Partner / Diya Platform"}]}}