{ "schema_version": "package_supply_chain_inventory_v1", "generated_at": "2026-06-04T21:06:22+08:00", "program_status": { "overall_completion_percent": 100, "current_priority": "P1", "current_task_id": "P1-206", "next_task_id": "P1-103", "read_only_mode": true }, "source_refs": [ "apps/api/pyproject.toml", "apps/api/requirements.txt", "apps/sensor/requirements.txt", "packages/lewooogo-data/pyproject.toml", "packages/lewooogo-brain/pyproject.toml", "scripts/aider_watch_client/pyproject.toml", "package.json", "apps/web/package.json", "pnpm-lock.yaml", "apps/api/Dockerfile", "apps/web/Dockerfile" ], "rollups": { "total_surfaces": 10, "by_ecosystem": { "python": 6, "javascript": 2, "docker": 2 }, "by_status": { "ready": 5, "action_required": 5, "planned_next": 0 }, "python_manifest_count": 6, "javascript_manifest_count": 2, "docker_surface_count": 2, "action_required_surface_ids": [ "apps_api_pyproject", "apps_api_requirements", "apps_web_package_json", "apps_api_dockerfile", "apps_web_dockerfile" ], "planned_next_surface_ids": [] }, "surfaces": [ { "surface_id": "apps_api_pyproject", "display_name": "API pyproject", "ecosystem": "python", "status": "action_required", "risk_level": "high", "manifest_ref": "apps/api/pyproject.toml", "lockfile_ref": "none", "direct_dependency_count": 25, "optional_dependency_group_count": 1, "pinning_policy": "range_minimums_only;claude-agent-sdk、langfuse 等仍需依賴批准與版本漂移治理。", "runtime_ref": "apps/api/Dockerfile uses python:3.11-slim + uv 0.6.9", "gate_status": "read_only_allowed", "evidence_refs": ["apps/api/pyproject.toml", "apps/api/Dockerfile"], "next_action": "P1-204 定義 Python dependency drift / CVE / license 嚴重度;不得自動升級。" }, { "surface_id": "apps_api_requirements", "display_name": "API legacy requirements", "ecosystem": "python", "status": "action_required", "risk_level": "high", "manifest_ref": "apps/api/requirements.txt", "lockfile_ref": "none", "direct_dependency_count": 24, "optional_dependency_group_count": 0, "pinning_policy": "range_minimums_only;與 pyproject 存在 manifest drift。", "runtime_ref": "not used by current Dockerfile dependency layer", "gate_status": "read_only_allowed", "evidence_refs": ["apps/api/requirements.txt", "apps/api/pyproject.toml", "apps/api/Dockerfile"], "next_action": "P1-204 決定 requirements 是否保留、生成或廢止;需人工 review,不直接刪。" }, { "surface_id": "apps_sensor_requirements", "display_name": "Sensor requirements", "ecosystem": "python", "status": "ready", "risk_level": "medium", "manifest_ref": "apps/sensor/requirements.txt", "lockfile_ref": "none", "direct_dependency_count": 1, "optional_dependency_group_count": 0, "pinning_policy": "range_minimums_only", "runtime_ref": "sensor runtime, Redis client only", "gate_status": "read_only_allowed", "evidence_refs": ["apps/sensor/requirements.txt"], "next_action": "P1-204 納入 Python risk policy。" }, { "surface_id": "lewooogo_data_pyproject", "display_name": "leWOOOgo Data pyproject", "ecosystem": "python", "status": "ready", "risk_level": "medium", "manifest_ref": "packages/lewooogo-data/pyproject.toml", "lockfile_ref": "none", "direct_dependency_count": 4, "optional_dependency_group_count": 2, "pinning_policy": "range_minimums_only;pg extra 才包含 asyncpg。", "runtime_ref": "installed as local package in apps/api/Dockerfile", "gate_status": "read_only_allowed", "evidence_refs": ["packages/lewooogo-data/pyproject.toml", "apps/api/Dockerfile"], "next_action": "P1-204 納入 local package dependency policy。" }, { "surface_id": "lewooogo_brain_pyproject", "display_name": "leWOOOgo Brain pyproject", "ecosystem": "python", "status": "ready", "risk_level": "medium", "manifest_ref": "packages/lewooogo-brain/pyproject.toml", "lockfile_ref": "none", "direct_dependency_count": 3, "optional_dependency_group_count": 1, "pinning_policy": "range_minimums_only", "runtime_ref": "installed as local package in apps/api/Dockerfile", "gate_status": "read_only_allowed", "evidence_refs": ["packages/lewooogo-brain/pyproject.toml", "apps/api/Dockerfile"], "next_action": "P1-204 納入 local package dependency policy。" }, { "surface_id": "aider_watch_client_pyproject", "display_name": "aider-watch client pyproject", "ecosystem": "python", "status": "ready", "risk_level": "low", "manifest_ref": "scripts/aider_watch_client/pyproject.toml", "lockfile_ref": "none", "direct_dependency_count": 3, "optional_dependency_group_count": 1, "pinning_policy": "range_minimums_only", "runtime_ref": "local Mac client script package", "gate_status": "read_only_allowed", "evidence_refs": ["scripts/aider_watch_client/pyproject.toml"], "next_action": "P1-204 納入工具端 dependency policy。" }, { "surface_id": "root_package_json", "display_name": "Root pnpm workspace", "ecosystem": "javascript", "status": "ready", "risk_level": "medium", "manifest_ref": "package.json", "lockfile_ref": "pnpm-lock.yaml", "direct_dependency_count": 5, "optional_dependency_group_count": 0, "pinning_policy": "pnpm lockfile present;P1-202 已確認 root importer 與 lockfile specifier 同步。", "runtime_ref": "pnpm@9.0.0 workspace", "gate_status": "read_only_allowed", "evidence_refs": ["package.json", "pnpm-lock.yaml", "docs/evaluations/javascript_package_inventory_2026-06-04.json"], "next_action": "P1-204 定義 toolchain 與 caret range drift policy;不得寫 lockfile。" }, { "surface_id": "apps_web_package_json", "display_name": "Web package", "ecosystem": "javascript", "status": "action_required", "risk_level": "high", "manifest_ref": "apps/web/package.json", "lockfile_ref": "pnpm-lock.yaml", "direct_dependency_count": 33, "optional_dependency_group_count": 0, "pinning_policy": "pnpm lockfile present;Next pinned 14.1.0,28 條 caret range 已由 P1-204 定義漂移政策,P1-205 已建立定期只讀檢查設計。", "runtime_ref": "apps/web/Dockerfile uses node:20-alpine + pnpm 9.0.0", "gate_status": "lockfile_write_blocked", "evidence_refs": ["apps/web/package.json", "apps/web/Dockerfile", "pnpm-lock.yaml", "docs/evaluations/javascript_package_inventory_2026-06-04.json"], "next_action": "P1-206 產生 Next / React / Sentry / Playwright 等高影響套件升級批准包模板。" }, { "surface_id": "apps_api_dockerfile", "display_name": "API Docker supply-chain surface", "ecosystem": "docker", "status": "action_required", "risk_level": "high", "manifest_ref": "apps/api/Dockerfile", "lockfile_ref": "none", "direct_dependency_count": 3, "optional_dependency_group_count": 0, "pinning_policy": "python:3.11-slim 與 uv 0.6.9 tag-pinned 但未 digest-pinned;kubectl v1.29.0 缺 checksum policy。", "runtime_ref": "python:3.11-slim + ghcr.io/astral-sh/uv:0.6.9 + kubectl v1.29.0", "gate_status": "image_rebuild_blocked", "evidence_refs": ["apps/api/Dockerfile", "docs/evaluations/docker_build_surface_inventory_2026-06-04.json"], "next_action": "P1-206 產生 base image digest pin、kubectl checksum、apt source 與 rebuild approval package。" }, { "surface_id": "apps_web_dockerfile", "display_name": "Web Docker supply-chain surface", "ecosystem": "docker", "status": "action_required", "risk_level": "medium", "manifest_ref": "apps/web/Dockerfile", "lockfile_ref": "pnpm-lock.yaml", "direct_dependency_count": 2, "optional_dependency_group_count": 0, "pinning_policy": "node:20-alpine tag-pinned 但未 digest-pinned;pnpm 9.0.0 pinned,仍需 corepack / registry provenance policy。", "runtime_ref": "node:20-alpine + pnpm 9.0.0", "gate_status": "image_rebuild_blocked", "evidence_refs": ["apps/web/Dockerfile", "pnpm-lock.yaml", "docs/evaluations/docker_build_surface_inventory_2026-06-04.json"], "next_action": "P1-206 產生 node base image digest pin、pnpm/corepack provenance、Web runtime healthcheck 與 rebuild approval package。" } ], "drift_findings": [ { "finding_id": "api_python_manifest_drift", "severity": "high", "status": "action_required", "summary": "apps/api/pyproject.toml 與 apps/api/requirements.txt 不一致;Dockerfile 目前使用 pyproject + uv,requirements 仍保留舊版下限與不同依賴集合。", "evidence_refs": ["apps/api/pyproject.toml", "apps/api/requirements.txt", "apps/api/Dockerfile"], "next_action": "P1-206 產生 requirements 權威性、生成策略或廢止策略批准包;不得自動刪除。" }, { "finding_id": "python_no_lockfile", "severity": "medium", "status": "action_required", "summary": "Python surfaces 以 range constraints 為主,未發現 uv.lock / poetry.lock / Pipfile.lock;build 可重現性需另定政策。", "evidence_refs": ["apps/api/pyproject.toml", "packages/lewooogo-data/pyproject.toml", "packages/lewooogo-brain/pyproject.toml"], "next_action": "P1-206 將 lockfile / constraints file 策略納入升級批准包。" }, { "finding_id": "external_cve_lookup_not_run", "severity": "medium", "status": "planned_next", "summary": "本輪未查外部 CVE / license database,避免未批准網路掃描與外部服務依賴;只建立 repo 內事實基線。", "evidence_refs": ["docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md"], "next_action": "P1-206 將外部 CVE / license / registry freshness 來源納入批准包模板;未批准前不得查詢。" }, { "finding_id": "javascript_manifest_lockfile_in_sync", "severity": "low", "status": "accepted", "summary": "P1-202 已確認 6 個 JavaScript workspace importer 的 manifest specifier 與 pnpm-lock.yaml importer specifier 同步;missing、mismatch、extra 均為 0。", "evidence_refs": ["docs/evaluations/javascript_package_inventory_2026-06-04.json", "pnpm-lock.yaml"], "next_action": "維持只讀監控;P1-205 已設計外部 registry / audit 資料來源 cadence 與批准邊界,未批准前不得查詢。" }, { "finding_id": "apps_web_caret_range_exposure", "severity": "medium", "status": "action_required", "summary": "@awoooi/web 有 33 條 direct dependencies,其中 28 條使用 caret range;lockfile 目前固定解析結果,但升級政策與高影響套件漂移門檻尚未定義。", "evidence_refs": ["apps/web/package.json", "pnpm-lock.yaml", "docs/evaluations/javascript_package_inventory_2026-06-04.json"], "next_action": "P1-206 產生 Next / React / Sentry / Playwright / visualization dependencies 的升級批准包模板。" }, { "finding_id": "docker_base_images_not_digest_pinned", "severity": "high", "status": "action_required", "summary": "P1-203 已確認 API / Web Dockerfile 使用 tag-pinned external images,但未使用 digest pin;python:3.11-slim、node:20-alpine、ghcr.io/astral-sh/uv:0.6.9 都需 P1-204 定義 digest / rebuild policy。", "evidence_refs": ["docs/evaluations/docker_build_surface_inventory_2026-06-04.json", "apps/api/Dockerfile", "apps/web/Dockerfile"], "next_action": "P1-206 產生 digest pin、更新 cadence、rollback 與 registry approval package。" }, { "finding_id": "docker_build_time_network_fetches_present", "severity": "medium", "status": "action_required", "summary": "P1-203 已確認 API build 會 apt-get / curl,Web build 會 corepack prepare / pnpm install;本輪未執行 build,也未驗證外部 registry freshness。", "evidence_refs": ["docs/evaluations/docker_build_surface_inventory_2026-06-04.json"], "next_action": "P1-206 將外部來源白名單、快取策略、失敗告警與批准邊界納入 image rebuild 批准包模板。" }, { "finding_id": "dependency_risk_policy_defined", "severity": "low", "status": "accepted", "summary": "P1-204 已建立 CVE / license / drift 嚴重度政策,12 條規則中 8 action_required、3 planned_next、1 accepted;未查外部 CVE / license。", "evidence_refs": ["docs/evaluations/dependency_risk_policy_2026-06-04.json", "GET /api/v1/agents/dependency-risk-policy"], "next_action": "P1-205 已建立定期依賴漂移與外部資料來源檢查設計;仍不得安裝、升級、寫 lockfile 或 build image。" }, { "finding_id": "dependency_drift_check_plan_defined", "severity": "low", "status": "accepted", "summary": "P1-205 已建立定期依賴漂移與外部資料來源檢查設計,涵蓋 5 個 cadence items、5 個 repo-only local checks、10 個外部來源候選;外部來源均需批准。", "evidence_refs": ["docs/evaluations/dependency_drift_check_plan_2026-06-04.json", "GET /api/v1/agents/dependency-drift-check-plan"], "next_action": "P1-206 已產生依賴升級、digest pin、publish boundary 批准包模板;仍不得啟用排程或呼叫外部來源。" }, { "finding_id": "dependency_upgrade_approval_package_template_defined", "severity": "low", "status": "accepted", "summary": "P1-206 已建立依賴升級、digest pin、publish boundary 與外部來源啟用批准包模板,8 類模板全部要求 OpenClaw 仲裁與 HITL。", "evidence_refs": ["docs/evaluations/dependency_upgrade_approval_package_template_2026-06-04.json", "GET /api/v1/agents/dependency-upgrade-approval-package-template"], "next_action": "WS5 套件與供應鏈自動化達 100%;下一步回到 P1-103 備份通知政策。" } ], "operation_boundaries": { "read_only_api_allowed": true, "dependency_installation_allowed": false, "package_upgrade_allowed": false, "lockfile_write_allowed": false, "external_cve_lookup_allowed": false, "image_rebuild_allowed": false, "production_routing_allowed": false }, "approval_boundaries": { "sdk_installation_allowed": false, "paid_api_call_allowed": false, "shadow_or_canary_allowed": false, "production_routing_allowed": false, "destructive_operation_allowed": false } }