{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://openwop.dev/spec/v1/credential-reference.schema.json",
  "title": "CredentialReference",
  "description": "RFC 0046. An opaque, host-issued handle to a stored credential. This is the ONLY credential artifact permitted on the wire — it NEVER carries key material. The host's `host.credentials` resolver dereferences it into the node sandbox at execution time (SECURITY invariant `credential-payload-redaction`).",
  "type": "object",
  "required": ["ref"],
  "properties": {
    "ref": {
      "type": "string",
      "minLength": 1,
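      "description": "Opaque host-issued identifier, e.g. `cred_a3b9c2`. Hosts MUST NOT encode secret material in the ref. Schema validation checks only that the value is a non-empty string; it cannot detect secret material embedded in a ref, so this requirement rests on the issuing host."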
    },
    "scope": {
      "type": "string",
      "enum": ["user", "workspace", "tenant"],
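      "description": "Resolution scope. MUST match a scope in `capabilities.credentials.scopes`. When absent, the host's default scope applies. Schema validation checks only the enum; the match against `capabilities.credentials.scopes` cannot be verified by this schema alone."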
    }
  },
  "additionalProperties": false
}
