{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://git.mirv.top/verstak/verstak-sdk/schemas/permissions.json",
  "title": "Verstak Permissions Registry",
  "description": "Known runtime permissions and their safety levels",
  "type": "object",
  "properties": {
    "permissions": {
      "type": "array",
      "items": {
        "$ref": "#/$defs/PermissionEntry"
      }
    }
  },
  "$defs": {
    "PermissionEntry": {
      "type": "object",
      "properties": {
        "name": { "type": "string" },
        "description": { "type": "string" },
        "dangerous": {
          "type": "boolean",
          "description": "If true, user must explicitly approve before enabling plugin"
        }
      },
      "required": ["name", "description", "dangerous"]
    }
  },
  "permissions": [
    { "name": "vault.read", "description": "Read vault files and metadata", "dangerous": false },
    { "name": "vault.write", "description": "Write vault files and metadata", "dangerous": true },
    { "name": "vault.watch", "description": "Watch vault file changes", "dangerous": false },
    { "name": "files.read", "description": "List files and read text files through the vault Files API", "dangerous": false },
    { "name": "files.write", "description": "Create folders, write text files, and move paths through the vault Files API", "dangerous": true },
    { "name": "files.delete", "description": "Trash vault files and folders through the vault Files API", "dangerous": true },
    { "name": "storage.namespace", "description": "Read/write plugin's own storage namespace", "dangerous": false },
    { "name": "storage.migrations", "description": "Run database migrations in plugin namespace", "dangerous": false },
    { "name": "events.publish", "description": "Publish events to the event bus", "dangerous": false },
    { "name": "events.subscribe", "description": "Subscribe to events on the event bus", "dangerous": false },
    { "name": "ui.register", "description": "Register UI components and contributions", "dangerous": false },
    { "name": "commands.register", "description": "Register command palette commands", "dangerous": false },
    { "name": "workbench.open", "description": "Request Workbench open/edit routing for vault resources", "dangerous": false },
    { "name": "network.local", "description": "Connect to localhost network services", "dangerous": false },
    { "name": "network.remote", "description": "Connect to remote network services", "dangerous": true },
    { "name": "process.spawn", "description": "Spawn external processes", "dangerous": true },
    { "name": "secrets.read", "description": "Read secrets from the secret store", "dangerous": true },
    { "name": "secrets.write", "description": "Write secrets to the secret store", "dangerous": true },
    { "name": "sync.participate", "description": "Participate in vault sync", "dangerous": true }
  ]
}