{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "urn:awoooi:docker-build-surface-inventory-v1",
  "title": "AWOOOI Docker build surface 盤點 v1",
  "description": "由 repo 內 Dockerfile 產生的只讀 Docker base image 與 build surface 盤點。此 schema 不授權 docker build、image pull、registry push、外部 CVE 查詢、套件安裝或生產路由變更。",
  "type": "object",
  "required": [
    "schema_version",
    "generated_at",
    "program_status",
    "source_refs",
    "rollups",
    "surfaces",
    "risk_findings",
    "operation_boundaries",
    "approval_boundaries"
  ],
  "properties": {
    "schema_version": {
      "type": "string",
      "const": "docker_build_surface_inventory_v1"
    },
    "generated_at": {
      "type": "string",
      "minLength": 1
    },
    "program_status": {
      "type": "object",
      "required": ["overall_completion_percent", "current_priority", "current_task_id", "next_task_id", "read_only_mode"],
      "properties": {
        "overall_completion_percent": {
          "type": "integer",
          "minimum": 0,
          "maximum": 100
        },
        "current_priority": {
          "type": "string",
          "enum": ["P0", "P1", "P2", "P3"]
        },
        "current_task_id": {
          "type": "string",
          "minLength": 1
        },
        "next_task_id": {
          "type": "string",
          "minLength": 1
        },
        "read_only_mode": {
          "type": "boolean",
          "const": true
        }
      },
      "additionalProperties": false
    },
    "source_refs": {
      "type": "array",
      "minItems": 1,
      "items": {
        "type": "string",
        "minLength": 1
      }
    },
    "rollups": {
      "type": "object",
      "required": [
        "total_surfaces",
        "dockerfile_count",
        "external_image_ref_count",
        "from_instruction_count",
        "copy_from_external_image_count",
        "digest_pinned_image_count",
        "tag_pinned_image_count",
        "build_time_network_fetch_count",
        "non_root_runtime_count",
        "healthcheck_count",
        "by_status",
        "action_required_surface_ids",
        "planned_next_surface_ids"
      ],
      "properties": {
        "total_surfaces": {
          "type": "integer",
          "minimum": 0
        },
        "dockerfile_count": {
          "type": "integer",
          "minimum": 0
        },
        "external_image_ref_count": {
          "type": "integer",
          "minimum": 0
        },
        "from_instruction_count": {
          "type": "integer",
          "minimum": 0
        },
        "copy_from_external_image_count": {
          "type": "integer",
          "minimum": 0
        },
        "digest_pinned_image_count": {
          "type": "integer",
          "minimum": 0
        },
        "tag_pinned_image_count": {
          "type": "integer",
          "minimum": 0
        },
        "build_time_network_fetch_count": {
          "type": "integer",
          "minimum": 0
        },
        "non_root_runtime_count": {
          "type": "integer",
          "minimum": 0
        },
        "healthcheck_count": {
          "type": "integer",
          "minimum": 0
        },
        "by_status": {
          "type": "object",
          "additionalProperties": {
            "type": "integer",
            "minimum": 0
          }
        },
        "action_required_surface_ids": {
          "type": "array",
          "items": {
            "type": "string",
            "minLength": 1
          }
        },
        "planned_next_surface_ids": {
          "type": "array",
          "items": {
            "type": "string",
            "minLength": 1
          }
        }
      },
      "additionalProperties": false
    },
    "surfaces": {
      "type": "array",
      "items": {
        "type": "object",
        "required": [
          "surface_id",
          "display_name",
          "dockerfile_ref",
          "status",
          "risk_level",
          "stage_count",
          "external_image_refs",
          "digest_pinned_image_refs",
          "tag_pinned_image_refs",
          "build_time_network_fetches",
          "binary_sources",
          "non_root_runtime",
          "healthcheck_present",
          "cache_controls",
          "gate_status",
          "evidence_refs",
          "next_action"
        ],
        "properties": {
          "surface_id": {
            "type": "string",
            "minLength": 1
          },
          "display_name": {
            "type": "string",
            "minLength": 1
          },
          "dockerfile_ref": {
            "type": "string",
            "minLength": 1
          },
          "status": {
            "type": "string",
            "enum": ["ready", "action_required", "planned_next", "blocked", "deferred"]
          },
          "risk_level": {
            "type": "string",
            "enum": ["low", "medium", "high", "critical"]
          },
          "stage_count": {
            "type": "integer",
            "minimum": 0
          },
          "external_image_refs": {
            "type": "array",
            "items": {
              "type": "string",
              "minLength": 1
            }
          },
          "digest_pinned_image_refs": {
            "type": "array",
            "items": {
              "type": "string",
              "minLength": 1
            }
          },
          "tag_pinned_image_refs": {
            "type": "array",
            "items": {
              "type": "string",
              "minLength": 1
            }
          },
          "build_time_network_fetches": {
            "type": "array",
            "items": {
              "type": "string",
              "minLength": 1
            }
          },
          "binary_sources": {
            "type": "array",
            "items": {
              "type": "string",
              "minLength": 1
            }
          },
          "non_root_runtime": {
            "type": "boolean"
          },
          "healthcheck_present": {
            "type": "boolean"
          },
          "cache_controls": {
            "type": "array",
            "items": {
              "type": "string",
              "minLength": 1
            }
          },
          "gate_status": {
            "type": "string",
            "enum": [
              "read_only_allowed",
              "image_rebuild_blocked",
              "external_cve_lookup_blocked",
              "registry_push_blocked"
            ]
          },
          "evidence_refs": {
            "type": "array",
            "minItems": 1,
            "items": {
              "type": "string",
              "minLength": 1
            }
          },
          "next_action": {
            "type": "string",
            "minLength": 1
          }
        },
        "additionalProperties": false
      }
    },
    "risk_findings": {
      "type": "array",
      "items": {
        "type": "object",
        "required": ["finding_id", "severity", "status", "summary", "evidence_refs", "next_action"],
        "properties": {
          "finding_id": {
            "type": "string",
            "minLength": 1
          },
          "severity": {
            "type": "string",
            "enum": ["low", "medium", "high", "critical"]
          },
          "status": {
            "type": "string",
            "enum": ["action_required", "planned_next", "blocked", "accepted"]
          },
          "summary": {
            "type": "string",
            "minLength": 1
          },
          "evidence_refs": {
            "type": "array",
            "minItems": 1,
            "items": {
              "type": "string",
              "minLength": 1
            }
          },
          "next_action": {
            "type": "string",
            "minLength": 1
          }
        },
        "additionalProperties": false
      }
    },
    "operation_boundaries": {
      "type": "object",
      "required": [
        "read_only_api_allowed",
        "docker_build_allowed",
        "image_pull_allowed",
        "image_rebuild_allowed",
        "registry_push_allowed",
        "external_cve_lookup_allowed",
        "package_installation_allowed",
        "production_routing_allowed"
      ],
      "properties": {
        "read_only_api_allowed": {
          "type": "boolean",
          "const": true
        },
        "docker_build_allowed": {
          "type": "boolean",
          "const": false
        },
        "image_pull_allowed": {
          "type": "boolean",
          "const": false
        },
        "image_rebuild_allowed": {
          "type": "boolean",
          "const": false
        },
        "registry_push_allowed": {
          "type": "boolean",
          "const": false
        },
        "external_cve_lookup_allowed": {
          "type": "boolean",
          "const": false
        },
        "package_installation_allowed": {
          "type": "boolean",
          "const": false
        },
        "production_routing_allowed": {
          "type": "boolean",
          "const": false
        }
      },
      "additionalProperties": false
    },
    "approval_boundaries": {
      "type": "object",
      "required": [
        "sdk_installation_allowed",
        "paid_api_call_allowed",
        "shadow_or_canary_allowed",
        "production_routing_allowed",
        "destructive_operation_allowed"
      ],
      "properties": {
        "sdk_installation_allowed": {
          "type": "boolean",
          "const": false
        },
        "paid_api_call_allowed": {
          "type": "boolean",
          "const": false
        },
        "shadow_or_canary_allowed": {
          "type": "boolean",
          "const": false
        },
        "production_routing_allowed": {
          "type": "boolean",
          "const": false
        },
        "destructive_operation_allowed": {
          "type": "boolean",
          "const": false
        }
      },
      "additionalProperties": false
    }
  },
  "additionalProperties": false
}