{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://securitycompliancehub.io/schemas/caf-prefill.schema.json",
  "title": "SCH CAF Pre-fill Schema",
  "description": "Schema for importing security tool data into the SCH NCSC Cyber Assessment Framework (CAF) assessment. 14 principles, 83 questions across 4 objectives. Generate from your SIEM, vulnerability scanner, or asset management tooling.",
  "version": "1.0.0",
  "type": "object",
  "required": ["assessmentType", "generated", "questions"],
  "additionalProperties": false,
  "properties": {
    "assessmentType": {
      "type": "string",
      "const": "caf",
      "description": "Must be 'caf'."
    },
    "source": {
      "type": "string",
      "description": "Tool or pipeline that generated this file.",
      "examples": ["splunk", "microsoft-sentinel", "qualys", "ninjone", "custom-script"]
    },
    "generated": {
      "type": "string",
      "format": "date-time"
    },
    "questions": {
      "type": "object",
      "description": "Map of question radio names to pre-fill values. Key format: caf_{principle}_{question} where principle uses CAF sub-principle codes. Objective A (Managing Security Risk): A1a, A1b, A2a, A2b, A3a, A3b, A3c, A3d, A4. Objective B (Protecting Against Cyber Attack): B1, B2, B3, B4, B5, B6. Objective C (Detecting Cyber Security Events): C1a, C1b, C2a, C2b. Objective D (Minimising Impact): D1, D2, D3. Example keys: caf_A1a_1, caf_B3_2, caf_C1b_1.",
      "propertyNames": {
        "pattern": "^caf_[A-D][0-9]+[a-z]?_[0-9]+$"
      },
      "additionalProperties": {
        "$ref": "#/$defs/questionEntry"
      },
      "examples": [
        {
          "caf_B3_1": {
            "suggested_value": "partial",
            "evidence_summary": "Patch management policy exists; 87% of systems patched within SLA; 18 endpoints overdue"
          },
          "caf_B3_2": {
            "suggested_value": "achieved",
            "evidence_summary": "Automated patching enabled via NinjaOne; critical patches deployed within 24 hours across all managed endpoints"
          },
          "caf_C1a_1": {
            "suggested_value": "partial",
            "evidence_summary": "SIEM deployed and ingesting logs from 94% of assets; 6 assets pending onboarding",
            "evidence_detail": "Assets not yet onboarded: legacy PLC, 3 OT sensors, 2 unmanaged printers. Onboarding scheduled Q3.",
            "raw_stats": {
              "total_assets": 187,
              "siem_covered": 175,
              "coverage_pct": 94
            }
          }
        }
      ]
    }
  },
  "$defs": {
    "questionEntry": {
      "type": "object",
      "required": ["suggested_value"],
      "additionalProperties": false,
      "properties": {
        "suggested_value": {
          "type": "string",
          "enum": ["achieved", "partial", "not-achieved", "na"],
          "description": "'achieved' = fully met, 'partial' = partially met, 'not-achieved' = not met, 'na' = not applicable. The user reviews and confirms before submission."
        },
        "evidence_summary": {
          "type": "string",
          "maxLength": 500,
          "description": "CLAUDE-SAFE. Aggregated, identifier-free summary. May be included in Phronesis analysis. No hostnames, IPs, or usernames."
        },
        "evidence_detail": {
          "type": "string",
          "description": "EVIDENCE VAULT ONLY. Detailed data with specific identifiers. Never sent to Phronesis AI."
        },
        "raw_stats": {
          "type": "object",
          "description": "EVIDENCE VAULT ONLY. Machine-readable statistics. Never sent to Phronesis AI.",
          "additionalProperties": true
        }
      }
    }
  }
}
