{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://plenaverify.com/vrx1-ai-use-privacy-check-receipt.schema.json",
  "title": "PLENA VRX-1 AI Use Privacy Check Receipt v1",
  "description": "Additive VRX-1 receipt type for the Private AI Use position (Task 17). The signer has reviewed their AI use against risk criteria (data exposure, disclosure obligations, sensitive-information leakage) and attests to the check. The receipt signs that a check was run and its structure; the underlying findings stay with the signer unless the signer chooses to disclose them. Risk-category terms are standards-vocabulary routing terms, not compliance claims. Self-attested, tamper-evident via SHA-256 over canonical JSON; not issuer-signed by default, not externally anchored, not certified by PLENA. Voice on the verify page: 'The signer ran a privacy check on their AI use against [N] risk categories on [date]. The check itself is signed; the underlying findings are private unless the signer chooses to disclose them.'",
  "type": "object",
  "additionalProperties": false,
  "required": [
    "vrx1_version",
    "schema_version",
    "receipt_id",
    "receipt_type",
    "created_at",
    "check_timestamp",
    "risk_categories_reviewed",
    "risk_findings",
    "privacy_level",
    "verification_url",
    "integrity_note",
    "hash"
  ],
  "$comment": "Privacy-safe architecture: MUST NOT contain the data that was shared with AI tools, prompts, AI outputs, or any document content. additionalProperties is false.",
  "properties": {
    "vrx1_version": { "type": "string", "const": "1.0-d19-private-ai-use-ai-use-privacy-check-receipt-reference", "description": "VRX-1 reference-implementation version string." },
    "schema_version": { "type": "string", "const": "vrx1.ai-use-privacy-check-receipt.v1", "description": "Stable schema identifier." },
    "receipt_id": { "type": "string", "pattern": "^PLENA-APC-[0-9]{8}-[A-F0-9]{4}$", "description": "Unique id. Format: PLENA-APC-<YYYYMMDD>-<4 uppercase hex>." },
    "receipt_type": { "type": "string", "const": "AI_USE_PRIVACY_CHECK_RECEIPT", "description": "Receipt type discriminator." },
    "created_at": { "type": "string", "format": "date-time", "description": "ISO-8601 date-time from the device that built the receipt." },
    "issuer": { "type": "string", "description": "Optional. Signature-ready issuer identifier when signed via the Issuer Portal." },
    "source_product": { "type": "string", "description": "Optional. Product/surface that generated the receipt." },
    "signed_at": { "type": "string", "format": "date-time", "description": "Optional. Time of issuer signature, if signed." },
    "check_timestamp": { "type": "string", "format": "date-time", "description": "When the privacy check was performed." },
    "risk_categories_reviewed": {
      "type": "array",
      "minItems": 1,
      "uniqueItems": true,
      "items": { "type": "string", "enum": ["data_shared_with_ai", "client_information", "patient_information", "student_information", "parish_information", "business_confidential", "personal_sensitive", "third_party_attributable", "regulated_content"] },
      "description": "Categories the signer examined. Standards-vocabulary terms, not compliance claims."
    },
    "risk_findings": {
      "type": "array",
      "minItems": 1,
      "items": {
        "type": "object",
        "additionalProperties": false,
        "required": ["category", "finding"],
        "properties": {
          "category": { "type": "string", "enum": ["data_shared_with_ai", "client_information", "patient_information", "student_information", "parish_information", "business_confidential", "personal_sensitive", "third_party_attributable", "regulated_content"] },
          "finding": { "type": "string", "enum": ["not_applicable", "no_risk_identified", "risk_identified_remediated", "risk_identified_disclosure_required"], "description": "Outcome for the category. The finding label is signed; the underlying detail stays private." }
        }
      },
      "description": "Per-category result. Records the outcome label only, never the underlying sensitive content."
    },
    "remediation_actions": {
      "type": "array",
      "uniqueItems": true,
      "items": { "type": "string", "enum": ["redaction_completed", "disclosure_initiated", "consultation_obtained", "use_terminated", "policy_review_completed"] },
      "description": "Optional. Actions the signer took in response to findings."
    },
    "human_responsibility_link": { "type": "string", "pattern": "^PLENA-HUR-[0-9]{8}-[A-F0-9]{4}$", "description": "Optional. receipt_id of a related Human Responsibility Receipt." },
    "privacy_level": { "type": "string", "enum": ["restricted", "private", "public"], "description": "Privacy classification of the receipt." },
    "verification_url": { "type": "string", "minLength": 1, "description": "URL where the receipt can be opened in the Public Verify panel." },
    "integrity_note": { "type": "string", "minLength": 1, "description": "Plain-language truth boundary. Should state that findings are private unless the signer discloses them." },
    "hash": { "type": "string", "pattern": "^sha256:[0-9a-f]{64}$", "description": "SHA-256 hex digest over canonical JSON without the 'hash' field." }
  }
}