{"success":true,"filters":{"layer":"identity","visibility":null,"search":null},"summary":{"profiles":1,"layers":1,"visibilityModes":4,"roles":5,"apiScopes":3,"evidenceItems":3},"profiles":[{"id":"access-identity","layer":"identity","name":"Identity-bound learning evidence","purpose":"Tie readiness scores, attempts, credentials, manager reports, and exports to authenticated learners and organizations.","enforcementPoint":"getCurrentUser, getCurrentContentUser, SSO/SCIM provisioning, and enterprise user imports","failClosedRule":"If a learner or API principal cannot be resolved, readiness writes and private reads stop.","visibilityModes":[{"mode":"public","learnerAccess":"Active global content can be browsed without tenant context.","managerAccess":"Managers can use public content as academy defaults.","adminAccess":"Only platform admins can publish true public content."},{"mode":"org-only","learnerAccess":"Learners can read active content assigned to their organization.","managerAccess":"Managers can inspect team evidence inside their organization.","adminAccess":"Tenant admins and instructors can manage content inside their organization."},{"mode":"private","learnerAccess":"Only the creator or permitted manager can inspect the artifact.","managerAccess":"Managers use private evidence for coaching, not broad publishing.","adminAccess":"Admins can manage private content only inside their allowed tenant boundary."},{"mode":"draft","learnerAccess":"Learners cannot use drafts as readiness evidence.","managerAccess":"Managers can review drafts only when they are content managers.","adminAccess":"Admins and instructors review drafts before publishing."}],"roles":[{"role":"owner","permissions":["billing","branding","identity","all academy settings"],"boundary":"Own organization or platform scope when explicitly platform-admin."},{"role":"admin","permissions":["content approval","integration setup","org reports"],"boundary":"Own organization and assigned academy surfaces."},{"role":"manager","permissions":["team dashboards","coaching reports","export readiness evidence"],"boundary":"Own organization and assigned academy surfaces."},{"role":"instructor","permissions":["scenario drafts","rubric drafts","learner feedback"],"boundary":"Own organization and assigned academy surfaces."},{"role":"viewer","permissions":["read-only dashboards","credential registry"],"boundary":"Own organization and assigned academy surfaces."}],"apiScopes":["users:read","users:write","all:read"],"evidence":["Readiness artifacts carry learner and org identifiers","Credential registry entries can be traced to an identity-managed learner","SSO/SCIM keeps user access aligned with company identity"],"implementationRefs":["src/lib/auth.ts","src/lib/content-access.ts","src/lib/enterprise-access.ts","src/app/api/enterprise/sso/route.ts"]}]}