{
  "policy_pack_id": "rls_pack_tokenops_controlled_pilot_v1",
  "version": "1.0.0",
  "runtime_tables": [
    {
      "table_name": "runtime_os_records",
      "rls_enabled": true,
      "read_policy": "trusted_agent_scope",
      "write_policy": "service_role_only",
      "service_role_required": true,
      "scope_fields": [
        "task_token",
        "agent_id",
        "work_order_id"
      ],
      "audit_event_required": true
    },
    {
      "table_name": "intake_work_order_dispatches",
      "rls_enabled": true,
      "read_policy": "operator_scope",
      "write_policy": "service_role_only",
      "service_role_required": true,
      "scope_fields": [
        "request_id",
        "work_order_id"
      ],
      "audit_event_required": true
    },
    {
      "table_name": "work_order_execution_bindings",
      "rls_enabled": true,
      "read_policy": "trusted_agent_scope",
      "write_policy": "service_role_only",
      "service_role_required": true,
      "scope_fields": [
        "work_order_id",
        "task_token",
        "tool_route"
      ],
      "audit_event_required": true
    },
    {
      "table_name": "callback_delivery_bindings",
      "rls_enabled": true,
      "read_policy": "client_task_scope",
      "write_policy": "callback_function_only",
      "service_role_required": true,
      "scope_fields": [
        "callback_delivery_id",
        "task_token",
        "result_contract_id"
      ],
      "audit_event_required": true
    },
    {
      "table_name": "os_security_audit_events",
      "rls_enabled": true,
      "read_policy": "operator_scope",
      "write_policy": "service_role_only",
      "service_role_required": true,
      "scope_fields": [
        "runtime_surface",
        "task_token",
        "work_order_id"
      ],
      "audit_event_required": false
    }
  ],
  "service_role_boundary": {
    "server_side_only": true,
    "env_vars": [
      "SUPABASE_URL",
      "SUPABASE_SERVICE_ROLE_KEY"
    ],
    "write_surfaces": [
      "runtime functions",
      "provider webhooks",
      "callback delivery",
      "controlled pilot execution"
    ],
    "audit_required": true,
    "public_json_contains_service_role_key": false
  },
  "public_discovery_boundary": {
    "public_files": [
      "agents.json",
      "openapi.json",
      "llms.txt",
      "schemas",
      "examples"
    ],
    "contains_secrets": false
  },
  "access_scopes": [
    "agent_trusted_read",
    "client_task_read",
    "operator_console_read",
    "service_role_write",
    "provider_webhook_write",
    "callback_delivery_write",
    "audit_event_write"
  ]
}