{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://securitycompliancehub.io/schemas/dora-prefill.schema.json",
  "title": "SCH DORA Pre-fill Schema",
  "description": "Schema for importing ICT risk management and incident management tool data into the SCH DORA (Digital Operational Resilience Act) assessment. 5 pillars, 49 questions covering Articles 5–45. Useful data sources: ServiceNow ITSM, PagerDuty, Jira, BCM tools.",
  "version": "1.0.0",
  "type": "object",
  "required": ["assessmentType", "generated", "questions"],
  "additionalProperties": false,
  "properties": {
    "assessmentType": {
      "type": "string",
      "const": "dora",
      "description": "Must be 'dora'."
    },
    "source": {
      "type": "string",
      "description": "Tool or pipeline that generated this file.",
      "examples": ["servicenow-itsm", "pagerduty", "jira", "bcm-tool", "custom-script"]
    },
    "generated": {
      "type": "string",
      "format": "date-time"
    },
    "questions": {
      "type": "object",
      "description": "Map of question radio names to pre-fill values. Key format: dora_{pillar}_{question}. Pillars: P1 (ICT Risk Management, Articles 5-16), P2 (ICT-Related Incident Management, Articles 17-23), P3 (Digital Operational Resilience Testing, Articles 24-27), P4 (ICT Third-Party Risk Management, Articles 28-44), P5 (Information and Intelligence Sharing, Article 45). Example keys: dora_P1_1, dora_P2_3, dora_P4_7. The key pattern validates only the format of the key; it does not check that the question number exists within the pillar.",
      "propertyNames": {
        "pattern": "^dora_P[1-5]_[0-9]+$"
      },
      "additionalProperties": {
        "$ref": "#/$defs/questionEntry"
      },
      "examples": [
        {
          "dora_P2_1": {
            "suggested_value": "achieved",
            "evidence_summary": "ICT incident classification policy documented and approved; classification criteria align with DORA Article 18 thresholds"
          },
          "dora_P2_3": {
            "suggested_value": "partial",
            "evidence_summary": "Major incident reporting process exists; NCA notifications made for 2 incidents in past 12 months; initial report SLA met on 1 of 2 (4-hour threshold)",
            "evidence_detail": "Incident INC-2025-0047: initial report submitted 6h 23m (breach). Incident INC-2025-0091: initial report submitted 3h 12m (compliant). Root cause analysis for INC-2025-0047 attached.",
            "raw_stats": {
              "major_incidents_12m": 2,
              "initial_report_compliant": 1,
              "initial_report_breach": 1,
              "mean_initial_report_hours": 4.75
            }
          },
          "dora_P3_1": {
            "suggested_value": "partial",
            "evidence_summary": "Annual TLPT completed; BCP tests conducted twice yearly; DR test last completed 8 months ago (SLA: every 6 months)"
          }
        }
      ]
    }
  },
  "$defs": {
    "questionEntry": {
      "type": "object",
      "required": ["suggested_value"],
      "additionalProperties": false,
      "properties": {
        "suggested_value": {
          "type": "string",
          "enum": ["achieved", "partial", "not-achieved", "na"],
          "description": "'achieved' = compliant, 'partial' = partially compliant, 'not-achieved' = not compliant, 'na' = not applicable to entity type. The user reviews and confirms before submission."
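        },
        "evidence_summary": {
          "type": "string",
          "maxLength": 500,
          "description": "CLAUDE-SAFE. Aggregated, identifier-free summary. May be included in Phronesis analysis. Must not contain system names, IP addresses, or personal data. This schema validates only the type and length of this field, so the producing tool is responsible for removing identifiers before writing it."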
        },
        "evidence_detail": {
          "type": "string",
          "description": "EVIDENCE VAULT ONLY. Detailed incident data or system specifics. Never sent to Phronesis AI."
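        },
        "raw_stats": {
          "type": "object",
          "description": "EVIDENCE VAULT ONLY. Machine-readable statistics. Never sent to Phronesis AI. The contents of this object are not validated by this schema (any properties are accepted), so consumers should treat them as unvalidated input.",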
          "additionalProperties": true
        }
      }
    }
  }
}
