{
  "subject": {{ toJson .Subject }},
  "sans": {{ toJson .SANs }},
  {{- /*
    Mosaic Federation X.509 Certificate Template
    ============================================

    This template is used by the "mosaic-fed" JWK provisioner to sign
    federation client certificates.

    Custom OID extensions (per PRD §6):
      1.3.6.1.4.1.99999.1  mosaic.federation.grantId        (UUID string)
      1.3.6.1.4.1.99999.2  mosaic.federation.subjectUserId  (UUID string)

    TODO (M2-04): Wire actual OID extensions below once the CA service
    (apps/gateway/src/federation/ca.service.ts) lands the SAN-bearing CSR
    work and the template can be exercised end-to-end.

    Step-CA template reference: https://smallstep.com/docs/step-ca/templates

    Expected final shape of the extensions block (placeholder, not yet activated):

      "extensions": [
        {
          "id": "1.3.6.1.4.1.99999.1",
          "critical": false,
          "value": {{ toJson (first .Token.mosaic_grant_id) }}
        },
        {
          "id": "1.3.6.1.4.1.99999.2",
          "critical": false,
          "value": {{ toJson (first .Token.mosaic_subject_user_id) }}
        }
      ],

    Two things to settle before activating it:
      * `first` is a Sprig list function. It only applies if the provisioner
        sends each claim as a one-element list; for a plain UUID string claim
        (as documented above) reference the claim directly, e.g.
        `.Token.mosaic_grant_id`, or template execution fails.
      * step-ca expects an extension `value` to be base64-encoded DER, not a raw
        string (see the reference above for the exact encoding helpers), so the
        UUID has to be wrapped in an ASN.1 string type before it is emitted.

    The provisioner must pass these values in the ACME/JWK token payload
    (token claims `mosaic_grant_id` and `mosaic_subject_user_id`) when
    submitting the CSR. M2-04 owns that work.

    Trust boundary: both the SANs (step-ca checks the CSR against the token's
    `sans` claim) and these OID values are copied from the provisioner token,
    so whatever holds the mosaic-fed signing key decides which grant and user a
    client certificate asserts. Relying parties should treat the extensions as
    authoritative only after verifying the chain to this CA, and should reject
    certificates where either extension is absent or malformed.
  */ -}}
  "keyUsage": ["digitalSignature"],
  "extKeyUsage": ["clientAuth"],
  "basicConstraints": {
    "isCA": false
  }
}
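The consumer side of this template is the part the comment leaves implicit: a relying party has to pull the two custom extensions back out of a presented client certificate and refuse anything that does not match the fixed profile (leaf, digitalSignature, clientAuth). The Go program below is an added example written for this page, not code from the Mosaic gateway or from step-ca. It assumes the final template encodes each UUID as a DER UTF8String (the encoding is not yet fixed in the template above, so that is an assumption), uses the page's placeholder OID arc 1.3.6.1.4.1.99999, and mints a self-signed test leaf with constructed sample UUIDs so the extractor can be run offline without a CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OIDs from the template comment; 1.3.6.1.4.1.99999 is the page's placeholder arc.
var oidGrantID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
var oidSubjectUserID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2}

// FederationClaims is what a relying party recovers from a client certificate.
type FederationClaims struct{ GrantID, SubjectUserID string }

// ExtractFederationClaims enforces the profile the template fixes (leaf,
// digitalSignature, clientAuth) and then decodes both custom extensions.
func ExtractFederationClaims(cert *x509.Certificate) (*FederationClaims, error) {
	if cert.IsCA || cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return nil, errors.New("not a digitalSignature leaf certificate")
	}
	clientAuth := false
	for _, eku := range cert.ExtKeyUsage {
		clientAuth = clientAuth || eku == x509.ExtKeyUsageClientAuth
	}
	if !clientAuth {
		return nil, errors.New("missing clientAuth extended key usage")
	}
	grantID, err := utf8Extension(cert, oidGrantID)
	if err != nil {
		return nil, fmt.Errorf("grantId: %w", err)
	}
	subjectUserID, err := utf8Extension(cert, oidSubjectUserID)
	if err != nil {
		return nil, fmt.Errorf("subjectUserId: %w", err)
	}
	return &FederationClaims{GrantID: grantID, SubjectUserID: subjectUserID}, nil
}

// utf8Extension finds one extension by OID and insists its value is exactly
// one DER UTF8String with no trailing bytes (the encoding this example assumes).
func utf8Extension(cert *x509.Certificate, id asn1.ObjectIdentifier) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(id) {
			continue
		}
		var s string
		rest, err := asn1.UnmarshalWithParams(ext.Value, &s, "utf8")
		if err != nil {
			return "", err
		}
		if len(rest) != 0 {
			return "", errors.New("trailing bytes after extension value")
		}
		return s, nil
	}
	return "", errors.New("extension not present")
}

func mustUTF8(s string) []byte {
	b, err := asn1.MarshalWithParams(s, "utf8") // DER UTF8String
	if err != nil {
		panic(err)
	}
	return b
}

// MintTestClientCert self-signs a leaf shaped like the template's output so the
// extractor can run offline; the caller supplies constructed sample UUIDs.
func MintTestClientCert(grantID, subjectUserID string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "federation-client"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // emits basicConstraints with isCA=false
		ExtraExtensions: []pkix.Extension{
			{Id: oidGrantID, Value: mustUTF8(grantID)},
			{Id: oidSubjectUserID, Value: mustUTF8(subjectUserID)},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

In a real gateway the certificate would come from the TLS handshake (`tls.ConnectionState.VerifiedChains[0][0]`) after chain verification against the mosaic-fed CA, and `ExtractFederationClaims` would run only on that verified leaf; the extensions are non-critical, so nothing in the TLS stack checks them for you.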