{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://veritrust.vc/schemas/veritrust/did-key-profile/1.0/schema.json",
  "title": "Veritrust DID Document Profile (did:key canonical)",
  "type": "object",
  "description": "DID Document profile where the canonical DID is did:key; controller is did:web:neksus.ai; JWK VM; optional service fragments.",

  "required": ["@context", "id", "verificationMethod", "authentication", "assertionMethod"],
  "additionalProperties": true,

  "properties": {
    "@context": {
      "type": ["array", "string"],
      "description": "DID Core + JWS 2020.",
      "anyOf": [
        { "type": "string", "const": "https://www.w3.org/ns/did/v1" },
        {
          "type": "array",
          "contains": { "const": "https://www.w3.org/ns/did/v1" }
        }
      ]
    },

    "id": {
      "type": "string",
      "description": "Canonical DID MUST be did:key",
      "pattern": "^did:key:z[1-9A-HJ-NP-Za-km-z]{20,}$"
    },

    "alsoKnownAs": {
      "type": "array",
      "description": "Optional aliases (e.g., did:web for the same subject).",
      "items": {
        "type": "string",
        "pattern": "^did:web:[a-z0-9.-]+(?::[a-z0-9._:-]+)*$"
      },
      "uniqueItems": true
    },

    "controller": {
      "type": ["string", "array"],
      "description": "Controlling organization (Neksus AI).",
      "anyOf": [
        { "type": "string", "const": "did:web:neksus.ai" },
        {
          "type": "array",
          "items": { "type": "string", "const": "did:web:neksus.ai" },
          "minItems": 1
        }
      ]
    },

    "verificationMethod": {
      "type": "array",
      "minItems": 1,
      "items": { "$ref": "#/$defs/verificationMethod" }
    },

    "authentication": {
      "type": "array",
      "minItems": 1,
      "items": { "$ref": "#/$defs/didUrlFragmentRef" }
    },

    "assertionMethod": {
      "type": "array",
      "minItems": 1,
      "items": { "$ref": "#/$defs/didUrlFragmentRef" }
    },

    "keyAgreement": {
      "type": "array",
      "items": { "$ref": "#/$defs/didUrlFragmentRef" }
    },

    "capabilityInvocation": {
      "type": "array",
      "items": { "$ref": "#/$defs/didUrlFragmentRef" }
    },

    "capabilityDelegation": {
      "type": "array",
      "items": { "$ref": "#/$defs/didUrlFragmentRef" }
    },

    "service": {
      "type": "array",
      "description": "Service entries (ids must be local fragments; endpoints are absolute URLs).",
      "items": { "$ref": "#/$defs/service" }
    }
  },

  "$defs": {
    "didUrlFragmentRef": {
      "type": "string",
      "description": "A reference to a verification method in this DID Document by fragment.",
      "pattern": "^did:[a-z0-9]+:[A-Za-z0-9._:%-]+#[-A-Za-z0-9._:%]+$"
    },

    "verificationMethod": {
      "type": "object",
      "required": ["id", "type", "controller"],
      "additionalProperties": true,
      "properties": {
        "id": {
          "type": "string",
          "description": "VM id SHOULD be a fragment of this DID and SHOULD follow #keys-N.",
          "pattern": "^did:[a-z0-9]+:[A-Za-z0-9._:%-]+#keys-[0-9]+$"
        },
        "type": {
          "type": "string",
          "enum": ["JsonWebKey2020", "Multikey"]
        },
        "controller": {
          "type": "string",
          "pattern": "^did:(key|web):[A-Za-z0-9.:_-]+$"
        },

        "publicKeyJwk": {
          "type": "object",
          "description": "Required when type=JsonWebKey2020",
          "required": ["kty", "crv", "x"],
          "additionalProperties": true,
          "properties": {
            "kty": { "type": "string", "enum": ["EC"] },
            "crv": { "type": "string", "enum": ["P-256", "secp256k1"] },
            "x": { "type": "string", "pattern": "^[A-Za-z0-9_-]{22,}$" },
            "y": { "type": "string", "pattern": "^[A-Za-z0-9_-]{22,}$" },
            "alg": { "type": "string", "enum": ["ES256", "ES256K"] },
            "use": { "type": "string", "enum": ["sig"] },
            "kid": { "type": "string" }
          }
        },

        "publicKeyMultibase": {
          "type": "string",
          "description": "Required when type=Multikey (optional in this profile).",
          "pattern": "^z[1-9A-HJ-NP-Za-km-z]{20,}$"
        }
      },
      "allOf": [
        {
          "if": { "properties": { "type": { "const": "JsonWebKey2020" } } },
          "then": { "required": ["publicKeyJwk"] }
        },
        {
          "if": { "properties": { "type": { "const": "Multikey" } } },
          "then": { "required": ["publicKeyMultibase"] }
        }
      ]
    },

    "service": {
      "type": "object",
      "required": ["id", "type", "serviceEndpoint"],
      "additionalProperties": true,
      "properties": {
        "id": {
          "type": "string",
          "description": "MUST be a local fragment within this DID's namespace.",
          "pattern": "^#[A-Za-z0-9._:-]+$"
        },
        "type": {
          "type": ["string", "array"],
          "description": "Service type(s), e.g., AgentEndpoint, OpenId4VP."
        },
        "serviceEndpoint": {
          "oneOf": [
            { "type": "string", "format": "uri" },
            {
              "type": "array",
              "items": { "type": "string", "format": "uri" },
              "minItems": 1
            }
          ]
        }
      }
    }
  }
}