# Package / Docker 供應鏈 Owner Policy Gate | 項目 | 內容 | |------|------| | 日期 | 2026-06-15 | | 狀態 | `draft_waiting_owner_policy_response` | | 腳本 | `scripts/security/package-supply-chain-owner-policy-guard.py` | | Snapshot | `docs/security/package-supply-chain-owner-policy-gate.snapshot.json` | | Baseline | `docs/security/package-supply-chain-baseline.snapshot.json` | | 模式 | repo snapshot policy gate,不 install、不 upgrade、不 pull image、不 build image、不 push image | | runtime gate | `0` | ## 1. 目的 此 owner policy gate 把 Package / Docker 供應鏈 baseline 的五個缺口轉成六個 owner policy request 草稿,讓後續處理 Python lockfile、requirements pinning、Docker digest pinning、compose image digest、CVE / license / SBOM 時,都必須先有 owner role / team、policy decision、maintenance window、rollback owner 與 redacted evidence refs。 本 gate 是只讀治理物件,不是套件安裝、升級、pinning、CVE 掃描、SBOM 產生、image pull / build / push、registry login、workflow 修改、production deploy 或 runtime gate。 ## 2. Owner Policy Request | Request ID | 分級 | 對應缺口 | 目前狀態 | |------------|------|----------|----------| | `supply_chain_owner_policy:package_manager_lockfile_owner` | C1 | Node / pnpm lockfile owner 與更新窗口 | waiting owner policy response | | `supply_chain_owner_policy:python_lockfile_policy` | C1 | `python_lockfile_absent` | waiting owner policy response | | `supply_chain_owner_policy:requirements_pin_policy` | C1 | `requirements_unpinned_entries_present` | waiting owner policy response | | `supply_chain_owner_policy:dockerfile_digest_pin_policy` | C0 | `docker_base_images_not_all_digest_pinned`、`docker_copy_from_images_not_all_digest_pinned` | waiting owner policy response | | `supply_chain_owner_policy:compose_image_digest_pin_policy` | C0 | `compose_images_not_all_digest_pinned` | waiting owner policy response | | `supply_chain_owner_policy:cve_license_sbom_window` | C1 | CVE / license / SBOM tool 與執行窗口未定 | waiting owner policy response | ## 3. Required Owner Fields 1. `package_manager_policy` 2. `lockfile_owner` 3. `python_lock_policy` 4. `docker_base_image_policy` 5. `compose_image_policy` 6. `registry_owner` 7. `cve_scan_window` 8. `rollback_owner` ## 4. Reviewer Checks 1. owner role / team 必須可追溯,不能只填個人暱稱或未脫敏 repo namespace。 2. policy decision 必須明確區分 observe、plan、approve change、reject change。 3. Python lockfile 決策必須說明工具、產生位置與相容性驗證方式。 4. requirements pinning 決策必須說明 pinning 原則、例外條件與 rollback owner。 5. Docker digest pinning 決策必須說明 base image、`COPY --from` image、registry owner 與回復策略。 6. compose image digest 決策必須說明 service 範圍、tag / digest 對照與維護窗口。 7. CVE / license / SBOM 決策必須說明工具、掃描窗口、結果分級與噪音處理方式。 8. evidence refs 只能是脫敏 metadata,不得包含 token、cookie、registry password、private key 或 secret value。 9. change evidence 必須能回連到 baseline gap,不得只提供口頭批准。 10. runtime gate 必須獨立批准;owner policy accepted 不能自動變成 runtime execution authorized。 11. deploy / workflow / registry / image write 必須另有變更證據與 post-check。 12. 前台呈現只能顯示脫敏產品 / 控管狀態,不得顯示 raw namespace、內部協作內容或工作視窗對話。 ## 5. Blocked Actions 本 gate 通過前,以下動作全部維持 blocked: 1. install package 2. upgrade package 3. rewrite lockfile 4. change requirements pin 5. run external CVE lookup 6. run external license lookup 7. generate SBOM 8. docker pull 9. docker build 10. docker push 11. image tag change 12. image digest pin change 13. registry login 14. workflow modification 15. runner change 16. secret value collection 17. production deploy 18. runtime execution 19. action button enablement 20. treat owner policy as runtime approval ## 6. 不可誤讀 - `package-supply-chain-baseline.snapshot.json` 只是 repo-only baseline。 - `package-supply-chain-owner-policy-gate.snapshot.json` 只是 owner policy gate 草稿。 - 所有 request_sent、owner_response_received、owner_response_accepted、runtime_execution_authorized、action_buttons_allowed 仍是 `0 / false`。 - `owner policy gate` 通過只代表文件、snapshot 與 guard 對齊,不代表 Python lockfile、requirements pinning、Docker digest pinning、CVE / license / SBOM 已完成。 - 本輪不 install、不 upgrade、不 pull image、不 build image、不 push image,不登入 registry、不改 workflow、不改 secret、不部署。 ## 7. 完成度 | 工作 | 完成度 | 說明 | |------|--------|------| | Package / Docker supply-chain owner policy gate | `100%` | 已新增人讀文件、snapshot 與 guard,並可由總進度 guard 串接 | | Node lockfile owner policy | `45%` | 已有 pnpm lockfile 與 owner policy request;尚未收到 owner response | | Python lock policy | `45%` | 已有 Python lockfile 缺口與 owner policy request;尚未決定工具與 lockfile 策略 | | requirements pinning policy | `35%` | 已有 26 條未 pin entry 的 policy request;尚未批准 pinning 或相容性窗口 | | Docker / compose image policy | `45%` | 已有 C0 digest pinning policy request;尚未批准 digest 變更、registry owner 或 rollback | | CVE / license / SBOM 驗證 | `15%` | 已定義 owner policy request;尚未批准外部掃描窗口或工具 | | runtime gate | `0%` | 未開啟任何執行期閘門 |