{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "urn:awoooi:dependency-risk-policy-v1",
"title": "AWOOOI dependency risk policy v1",
"description": "由既有 Python、JavaScript 與 Docker 只讀盤點整理出的 CVE / license / drift 嚴重度政策。此 schema 不授權外部 CVE 查詢、license database 查詢、套件安裝、套件升級、lockfile 寫入、docker build、image pull、registry push、付費 API、shadow/canary 或生產路由變更。",
"type": "object",
"required": [
"schema_version",
"generated_at",
"program_status",
"source_refs",
"risk_taxonomy",
"rollups",
"severity_rules",
"domain_policies",
"action_queue",
"operation_boundaries",
"approval_boundaries"
],
"properties": {
"schema_version": {
"type": "string",
"const": "dependency_risk_policy_v1"
},
"generated_at": {
"type": "string",
"minLength": 1
},
"program_status": {
"type": "object",
"required": [
"overall_completion_percent",
"current_priority",
"current_task_id",
"next_task_id",
"read_only_mode"
],
"properties": {
"overall_completion_percent": {
"type": "integer",
"minimum": 0,
"maximum": 100
},
"current_priority": {
"type": "string",
"enum": ["P0", "P1", "P2", "P3"]
},
"current_task_id": {
"type": "string",
"minLength": 1
},
"next_task_id": {
"type": "string",
"minLength": 1
},
"read_only_mode": {
"type": "boolean",
"const": true
}
},
"additionalProperties": false
},
"source_refs": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
},
"risk_taxonomy": {
"type": "object",
"required": ["severity_levels", "statuses", "policy_states"],
"properties": {
"severity_levels": {
"type": "array",
"minItems": 4,
"items": {
"type": "object",
"required": ["severity", "definition", "default_gate"],
"properties": {
"severity": {
"type": "string",
"enum": ["critical", "high", "medium", "low"]
},
"definition": {
"type": "string",
"minLength": 1
},
"default_gate": {
"type": "string",
"minLength": 1
}
},
"additionalProperties": false
}
},
"statuses": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"enum": ["accepted", "action_required", "planned_next", "blocked"]
}
},
"policy_states": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"enum": [
"monitor_only",
"approval_package_required",
"external_lookup_required",
"blocked_until_approval"
]
}
}
},
"additionalProperties": false
},
"rollups": {
"type": "object",
"required": [
"total_rules",
"by_severity",
"by_status",
"action_required_rule_ids",
"planned_next_rule_ids",
"accepted_rule_ids"
],
"properties": {
"total_rules": {
"type": "integer",
"minimum": 1
},
"by_severity": {
"type": "object",
"required": ["critical", "high", "medium", "low"],
"properties": {
"critical": {
"type": "integer",
"minimum": 0
},
"high": {
"type": "integer",
"minimum": 0
},
"medium": {
"type": "integer",
"minimum": 0
},
"low": {
"type": "integer",
"minimum": 0
}
},
"additionalProperties": false
},
"by_status": {
"type": "object",
"additionalProperties": {
"type": "integer",
"minimum": 0
}
},
"action_required_rule_ids": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"planned_next_rule_ids": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"accepted_rule_ids": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
}
},
"additionalProperties": false
},
"severity_rules": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"required": [
"rule_id",
"domain",
"severity",
"status",
"trigger",
"current_evidence",
"required_gate",
"blocked_operations",
"owner_agent",
"role_contract",
"evidence_refs",
"next_action"
],
"properties": {
"rule_id": {
"type": "string",
"minLength": 1
},
"domain": {
"type": "string",
"enum": ["cve", "license", "python", "javascript", "docker"]
},
"severity": {
"type": "string",
"enum": ["critical", "high", "medium", "low"]
},
"status": {
"type": "string",
"enum": ["accepted", "action_required", "planned_next", "blocked"]
},
"trigger": {
"type": "string",
"minLength": 1
},
"current_evidence": {
"type": "string",
"minLength": 1
},
"required_gate": {
"type": "string",
"minLength": 1
},
"blocked_operations": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"owner_agent": {
"type": "string",
"enum": ["openclaw", "hermes", "nemotron"]
},
"role_contract": {
"type": "string",
"minLength": 1
},
"evidence_refs": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
},
"next_action": {
"type": "string",
"minLength": 1
}
},
"additionalProperties": false
}
},
"domain_policies": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"required": [
"policy_id",
"domain",
"status",
"owner_agent",
"policy_summary",
"allowed_now",
"blocked_now",
"required_next_gate",
"evidence_refs"
],
"properties": {
"policy_id": {
"type": "string",
"minLength": 1
},
"domain": {
"type": "string",
"enum": ["python", "javascript", "docker", "external_sources"]
},
"status": {
"type": "string",
"enum": ["accepted", "action_required", "planned_next", "blocked"]
},
"owner_agent": {
"type": "string",
"enum": ["openclaw", "hermes", "nemotron"]
},
"policy_summary": {
"type": "string",
"minLength": 1
},
"allowed_now": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"blocked_now": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"required_next_gate": {
"type": "string",
"minLength": 1
},
"evidence_refs": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
}
},
"additionalProperties": false
}
},
"action_queue": {
"type": "array",
"items": {
"type": "object",
"required": ["task_id", "priority", "status", "owner_agent", "title", "blocked_operations", "acceptance_criteria"],
"properties": {
"task_id": {
"type": "string",
"minLength": 1
},
"priority": {
"type": "string",
"enum": ["P0", "P1", "P2", "P3"]
},
"status": {
"type": "string",
"enum": ["planned_next", "planned", "blocked"]
},
"owner_agent": {
"type": "string",
"enum": ["openclaw", "hermes", "nemotron"]
},
"title": {
"type": "string",
"minLength": 1
},
"blocked_operations": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"acceptance_criteria": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
}
},
"additionalProperties": false
}
},
"operation_boundaries": {
"type": "object",
"required": [
"read_only_policy_allowed",
"external_cve_lookup_allowed",
"external_license_lookup_allowed",
"package_installation_allowed",
"package_upgrade_allowed",
"lockfile_write_allowed",
"docker_build_allowed",
"image_pull_allowed",
"image_rebuild_allowed",
"registry_push_allowed",
"paid_api_call_allowed",
"shadow_or_canary_allowed",
"production_routing_allowed"
],
"properties": {
"read_only_policy_allowed": {
"type": "boolean",
"const": true
},
"external_cve_lookup_allowed": {
"type": "boolean",
"const": false
},
"external_license_lookup_allowed": {
"type": "boolean",
"const": false
},
"package_installation_allowed": {
"type": "boolean",
"const": false
},
"package_upgrade_allowed": {
"type": "boolean",
"const": false
},
"lockfile_write_allowed": {
"type": "boolean",
"const": false
},
"docker_build_allowed": {
"type": "boolean",
"const": false
},
"image_pull_allowed": {
"type": "boolean",
"const": false
},
"image_rebuild_allowed": {
"type": "boolean",
"const": false
},
"registry_push_allowed": {
"type": "boolean",
"const": false
},
"paid_api_call_allowed": {
"type": "boolean",
"const": false
},
"shadow_or_canary_allowed": {
"type": "boolean",
"const": false
},
"production_routing_allowed": {
"type": "boolean",
"const": false
}
},
"additionalProperties": false
},
"approval_boundaries": {
"type": "object",
"required": [
"sdk_installation_allowed",
"paid_api_call_allowed",
"shadow_or_canary_allowed",
"production_routing_allowed",
"destructive_operation_allowed"
],
"properties": {
"sdk_installation_allowed": {
"type": "boolean",
"const": false
},
"paid_api_call_allowed": {
"type": "boolean",
"const": false
},
"shadow_or_canary_allowed": {
"type": "boolean",
"const": false
},
"production_routing_allowed": {
"type": "boolean",
"const": false
},
"destructive_operation_allowed": {
"type": "boolean",
"const": false
}
},
"additionalProperties": false
}
},
"additionalProperties": false
}