{"success":true,"filters":{"layer":"api","visibility":null,"search":null},"summary":{"profiles":1,"layers":1,"visibilityModes":4,"roles":5,"apiScopes":14,"evidenceItems":3},"profiles":[{"id":"access-api","layer":"api","name":"Enterprise API scopes","purpose":"Limit training data, users, teams, reports, enrollments, analytics, and webhook access for enterprise integrations.","enforcementPoint":"Bearer or x-api-key authentication, hashed keys, scopes, expiry, IP/origin allowlists, and rate limits","failClosedRule":"Invalid, expired, inactive, out-of-scope, disallowed-origin, or rate-limited API keys are rejected.","visibilityModes":[{"mode":"public","learnerAccess":"Active global content can be browsed without tenant context.","managerAccess":"Managers can use public content as academy defaults.","adminAccess":"Only platform admins can publish true public content."},{"mode":"org-only","learnerAccess":"Learners can read active content assigned to their organization.","managerAccess":"Managers can inspect team evidence inside their organization.","adminAccess":"Tenant admins and instructors can manage content inside their organization."},{"mode":"private","learnerAccess":"Only the creator or permitted manager can inspect the artifact.","managerAccess":"Managers use private evidence for coaching, not broad publishing.","adminAccess":"Admins can manage private content only inside their allowed tenant boundary."},{"mode":"draft","learnerAccess":"Learners cannot use drafts as readiness evidence.","managerAccess":"Managers can review drafts only when they are content managers.","adminAccess":"Admins and instructors review drafts before publishing."}],"roles":[{"role":"owner","permissions":["billing","branding","identity","all academy settings"],"boundary":"Own organization or platform scope when explicitly platform-admin."},{"role":"admin","permissions":["content approval","integration setup","org reports"],"boundary":"Own organization and assigned academy surfaces."},{"role":"manager","permissions":["team dashboards","coaching reports","export readiness evidence"],"boundary":"Own organization and assigned academy surfaces."},{"role":"instructor","permissions":["scenario drafts","rubric drafts","learner feedback"],"boundary":"Own organization and assigned academy surfaces."},{"role":"viewer","permissions":["read-only dashboards","credential registry"],"boundary":"Own organization and assigned academy surfaces."}],"apiScopes":["users:read","users:write","courses:read","courses:write","enrollments:read","enrollments:write","analytics:read","teams:read","teams:write","reports:read","webhooks:read","webhooks:write","all:read","all:write"],"evidence":["Enterprise API keys are hashed before lookup","Scopes must match the required resource and action","Rate limits, origins, IPs, status, and expiry are checked before access"],"implementationRefs":["src/lib/enterprise-api-auth.ts","src/app/api/enterprise/api-keys/route.ts","src/app/api/enterprise/training-data/route.ts","src/lib/rate-limit.ts"]}]}