{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "urn:awoooi:dependency-risk-policy-v1", "title": "AWOOOI dependency risk policy v1", "description": "由既有 Python、JavaScript 與 Docker 只讀盤點整理出的 CVE / license / drift 嚴重度政策。此 schema 不授權外部 CVE 查詢、license database 查詢、套件安裝、套件升級、lockfile 寫入、docker build、image pull、registry push、付費 API、shadow/canary 或生產路由變更。", "type": "object", "required": [ "schema_version", "generated_at", "program_status", "source_refs", "risk_taxonomy", "rollups", "severity_rules", "domain_policies", "action_queue", "operation_boundaries", "approval_boundaries" ], "properties": { "schema_version": { "type": "string", "const": "dependency_risk_policy_v1" }, "generated_at": { "type": "string", "minLength": 1 }, "program_status": { "type": "object", "required": [ "overall_completion_percent", "current_priority", "current_task_id", "next_task_id", "read_only_mode" ], "properties": { "overall_completion_percent": { "type": "integer", "minimum": 0, "maximum": 100 }, "current_priority": { "type": "string", "enum": ["P0", "P1", "P2", "P3"] }, "current_task_id": { "type": "string", "minLength": 1 }, "next_task_id": { "type": "string", "minLength": 1 }, "read_only_mode": { "type": "boolean", "const": true } }, "additionalProperties": false }, "source_refs": { "type": "array", "minItems": 1, "items": { "type": "string", "minLength": 1 } }, "risk_taxonomy": { "type": "object", "required": ["severity_levels", "statuses", "policy_states"], "properties": { "severity_levels": { "type": "array", "minItems": 4, "items": { "type": "object", "required": ["severity", "definition", "default_gate"], "properties": { "severity": { "type": "string", "enum": ["critical", "high", "medium", "low"] }, "definition": { "type": "string", "minLength": 1 }, "default_gate": { "type": "string", "minLength": 1 } }, "additionalProperties": false } }, "statuses": { "type": "array", "minItems": 1, "items": { "type": "string", "enum": ["accepted", "action_required", "planned_next", "blocked"] } }, "policy_states": { "type": "array", "minItems": 1, "items": { "type": "string", "enum": [ "monitor_only", "approval_package_required", "external_lookup_required", "blocked_until_approval" ] } } }, "additionalProperties": false }, "rollups": { "type": "object", "required": [ "total_rules", "by_severity", "by_status", "action_required_rule_ids", "planned_next_rule_ids", "accepted_rule_ids" ], "properties": { "total_rules": { "type": "integer", "minimum": 1 }, "by_severity": { "type": "object", "required": ["critical", "high", "medium", "low"], "properties": { "critical": { "type": "integer", "minimum": 0 }, "high": { "type": "integer", "minimum": 0 }, "medium": { "type": "integer", "minimum": 0 }, "low": { "type": "integer", "minimum": 0 } }, "additionalProperties": false }, "by_status": { "type": "object", "additionalProperties": { "type": "integer", "minimum": 0 } }, "action_required_rule_ids": { "type": "array", "items": { "type": "string", "minLength": 1 } }, "planned_next_rule_ids": { "type": "array", "items": { "type": "string", "minLength": 1 } }, "accepted_rule_ids": { "type": "array", "items": { "type": "string", "minLength": 1 } } }, "additionalProperties": false }, "severity_rules": { "type": "array", "minItems": 1, "items": { "type": "object", "required": [ "rule_id", "domain", "severity", "status", "trigger", "current_evidence", "required_gate", "blocked_operations", "owner_agent", "role_contract", "evidence_refs", "next_action" ], "properties": { "rule_id": { "type": "string", "minLength": 1 }, "domain": { "type": "string", "enum": ["cve", "license", "python", "javascript", "docker"] }, "severity": { "type": "string", "enum": ["critical", "high", "medium", "low"] }, "status": { "type": "string", "enum": ["accepted", "action_required", "planned_next", "blocked"] }, "trigger": { "type": "string", "minLength": 1 }, "current_evidence": { "type": "string", "minLength": 1 }, "required_gate": { "type": "string", "minLength": 1 }, "blocked_operations": { "type": "array", "items": { "type": "string", "minLength": 1 } }, "owner_agent": { "type": "string", "enum": ["openclaw", "hermes", "nemotron"] }, "role_contract": { "type": "string", "minLength": 1 }, "evidence_refs": { "type": "array", "minItems": 1, "items": { "type": "string", "minLength": 1 } }, "next_action": { "type": "string", "minLength": 1 } }, "additionalProperties": false } }, "domain_policies": { "type": "array", "minItems": 1, "items": { "type": "object", "required": [ "policy_id", "domain", "status", "owner_agent", "policy_summary", "allowed_now", "blocked_now", "required_next_gate", "evidence_refs" ], "properties": { "policy_id": { "type": "string", "minLength": 1 }, "domain": { "type": "string", "enum": ["python", "javascript", "docker", "external_sources"] }, "status": { "type": "string", "enum": ["accepted", "action_required", "planned_next", "blocked"] }, "owner_agent": { "type": "string", "enum": ["openclaw", "hermes", "nemotron"] }, "policy_summary": { "type": "string", "minLength": 1 }, "allowed_now": { "type": "array", "items": { "type": "string", "minLength": 1 } }, "blocked_now": { "type": "array", "items": { "type": "string", "minLength": 1 } }, "required_next_gate": { "type": "string", "minLength": 1 }, "evidence_refs": { "type": "array", "minItems": 1, "items": { "type": "string", "minLength": 1 } } }, "additionalProperties": false } }, "action_queue": { "type": "array", "items": { "type": "object", "required": ["task_id", "priority", "status", "owner_agent", "title", "blocked_operations", "acceptance_criteria"], "properties": { "task_id": { "type": "string", "minLength": 1 }, "priority": { "type": "string", "enum": ["P0", "P1", "P2", "P3"] }, "status": { "type": "string", "enum": ["planned_next", "planned", "blocked"] }, "owner_agent": { "type": "string", "enum": ["openclaw", "hermes", "nemotron"] }, "title": { "type": "string", "minLength": 1 }, "blocked_operations": { "type": "array", "items": { "type": "string", "minLength": 1 } }, "acceptance_criteria": { "type": "array", "minItems": 1, "items": { "type": "string", "minLength": 1 } } }, "additionalProperties": false } }, "operation_boundaries": { "type": "object", "required": [ "read_only_policy_allowed", "external_cve_lookup_allowed", "external_license_lookup_allowed", "package_installation_allowed", "package_upgrade_allowed", "lockfile_write_allowed", "docker_build_allowed", "image_pull_allowed", "image_rebuild_allowed", "registry_push_allowed", "paid_api_call_allowed", "shadow_or_canary_allowed", "production_routing_allowed" ], "properties": { "read_only_policy_allowed": { "type": "boolean", "const": true }, "external_cve_lookup_allowed": { "type": "boolean", "const": false }, "external_license_lookup_allowed": { "type": "boolean", "const": false }, "package_installation_allowed": { "type": "boolean", "const": false }, "package_upgrade_allowed": { "type": "boolean", "const": false }, "lockfile_write_allowed": { "type": "boolean", "const": false }, "docker_build_allowed": { "type": "boolean", "const": false }, "image_pull_allowed": { "type": "boolean", "const": false }, "image_rebuild_allowed": { "type": "boolean", "const": false }, "registry_push_allowed": { "type": "boolean", "const": false }, "paid_api_call_allowed": { "type": "boolean", "const": false }, "shadow_or_canary_allowed": { "type": "boolean", "const": false }, "production_routing_allowed": { "type": "boolean", "const": false } }, "additionalProperties": false }, "approval_boundaries": { "type": "object", "required": [ "sdk_installation_allowed", "paid_api_call_allowed", "shadow_or_canary_allowed", "production_routing_allowed", "destructive_operation_allowed" ], "properties": { "sdk_installation_allowed": { "type": "boolean", "const": false }, "paid_api_call_allowed": { "type": "boolean", "const": false }, "shadow_or_canary_allowed": { "type": "boolean", "const": false }, "production_routing_allowed": { "type": "boolean", "const": false }, "destructive_operation_allowed": { "type": "boolean", "const": false } }, "additionalProperties": false } }, "additionalProperties": false }