{ "schema_version": "package_supply_chain_owner_policy_gate_v1", "status": "draft_waiting_owner_policy_response", "mode": "repo_snapshot_policy_gate_no_install_no_network_no_cve_scan", "generated_at": "2026-06-15T07:05:00+08:00", "baseline_ref": "docs/security/package-supply-chain-baseline.snapshot.json", "baseline_git_commit": "1ab85f51", "summary": { "baseline_gap_count": 5, "owner_policy_request_count": 6, "c0_policy_request_count": 2, "write_capable_policy_request_count": 6, "required_owner_field_count": 8, "reviewer_check_count": 12, "blocked_action_count": 20, "owner_policy_request_sent_count": 0, "owner_response_received_count": 0, "owner_response_accepted_count": 0, "owner_response_rejected_count": 0, "runtime_gate_count": 0, "action_button_count": 0 }, "baseline_gaps": [ "python_lockfile_absent", "docker_base_images_not_all_digest_pinned", "docker_copy_from_images_not_all_digest_pinned", "compose_images_not_all_digest_pinned", "requirements_unpinned_entries_present" ], "required_owner_fields": [ "package_manager_policy", "lockfile_owner", "python_lock_policy", "docker_base_image_policy", "compose_image_policy", "registry_owner", "cve_scan_window", "rollback_owner" ], "reviewer_checks": [ "owner_role_or_team_present", "decision_present", "decision_reason_present", "affected_scope_present", "redacted_evidence_refs_present", "followup_owner_present", "rollback_owner_present", "package_manager_policy_consistent", "python_lock_policy_consistent", "image_digest_policy_consistent", "cve_license_sbom_window_metadata_only", "no_runtime_or_secret_request_embedded" ], "blocked_actions": [ "install_package", "upgrade_package", "downgrade_package", "rewrite_lockfile", "pin_requirements_without_owner_policy", "run_npm_audit", "run_pip_audit", "run_external_cve_lookup", "run_external_license_lookup", "generate_sbom", "docker_pull", "docker_build", "docker_push", "change_image_tag", "pin_image_digest_without_owner_policy", "registry_login", "change_workflow", "change_secret", "production_deploy", "open_runtime_gate" ], "owner_policy_requests": [ { "request_id": "supply_chain_owner_policy:package_manager_lockfile_owner", "label": "Node / pnpm package manager 與 lockfile owner policy", "control_tier": "C1", "status": "draft_waiting_owner_policy_response", "baseline_gap_refs": [ "package_manager_policy_required" ], "evidence_refs": [ "package.json", "pnpm-lock.yaml", "docs/security/package-supply-chain-baseline.snapshot.json" ], "required_owner_fields": [ "package_manager_policy", "lockfile_owner", "python_lock_policy", "docker_base_image_policy", "compose_image_policy", "registry_owner", "cve_scan_window", "rollback_owner" ], "blocked_until": [ "owner confirms pnpm lockfile owner", "owner defines lockfile update window", "rollback owner is assigned" ], "request_sent": false, "owner_response_received": false, "owner_response_accepted": false, "runtime_gate_open": false }, { "request_id": "supply_chain_owner_policy:python_lockfile_policy", "label": "Python lockfile policy", "control_tier": "C1", "status": "draft_waiting_owner_policy_response", "baseline_gap_refs": [ "python_lockfile_absent" ], "evidence_refs": [ "apps/api/pyproject.toml", "packages/lewooogo-brain/pyproject.toml", "packages/lewooogo-data/pyproject.toml", "scripts/aider_watch_client/pyproject.toml", "docs/security/package-supply-chain-baseline.snapshot.json" ], "required_owner_fields": [ "package_manager_policy", "lockfile_owner", "python_lock_policy", "docker_base_image_policy", "compose_image_policy", "registry_owner", "cve_scan_window", "rollback_owner" ], "blocked_until": [ "owner selects poetry.lock / uv.lock / Pipfile.lock policy", "compatibility owner confirms scope", "rollback owner is assigned" ], "request_sent": false, "owner_response_received": false, "owner_response_accepted": false, "runtime_gate_open": false }, { "request_id": "supply_chain_owner_policy:requirements_pin_policy", "label": "requirements pinning policy", "control_tier": "C1", "status": "draft_waiting_owner_policy_response", "baseline_gap_refs": [ "requirements_unpinned_entries_present" ], "evidence_refs": [ "apps/api/requirements.txt", "apps/sensor/requirements.txt", "docs/security/package-supply-chain-baseline.snapshot.json" ], "required_owner_fields": [ "package_manager_policy", "lockfile_owner", "python_lock_policy", "docker_base_image_policy", "compose_image_policy", "registry_owner", "cve_scan_window", "rollback_owner" ], "blocked_until": [ "owner defines pinning approach", "compatibility test owner is assigned", "rollback owner is assigned" ], "request_sent": false, "owner_response_received": false, "owner_response_accepted": false, "runtime_gate_open": false }, { "request_id": "supply_chain_owner_policy:dockerfile_digest_pin_policy", "label": "Dockerfile base image / COPY --from digest policy", "control_tier": "C0", "status": "draft_waiting_owner_policy_response", "baseline_gap_refs": [ "docker_base_images_not_all_digest_pinned", "docker_copy_from_images_not_all_digest_pinned" ], "evidence_refs": [ "apps/api/Dockerfile", "apps/web/Dockerfile", "docs/security/package-supply-chain-baseline.snapshot.json" ], "required_owner_fields": [ "package_manager_policy", "lockfile_owner", "python_lock_policy", "docker_base_image_policy", "compose_image_policy", "registry_owner", "cve_scan_window", "rollback_owner" ], "blocked_until": [ "registry owner confirms digest source", "image compatibility owner confirms scope", "rollback owner is assigned" ], "request_sent": false, "owner_response_received": false, "owner_response_accepted": false, "runtime_gate_open": false }, { "request_id": "supply_chain_owner_policy:compose_image_digest_pin_policy", "label": "docker-compose image digest policy", "control_tier": "C0", "status": "draft_waiting_owner_policy_response", "baseline_gap_refs": [ "compose_images_not_all_digest_pinned" ], "evidence_refs": [ "apps/api/docker-compose.test.yml", "docker-compose.yml", "infra/langfuse/docker-compose.yml", "k8s/monitoring/docker-compose-110.yml", "ops/monitoring/docker-compose.exporters.yaml", "ops/sentry-self-hosted/docker-compose.yml", "docs/security/package-supply-chain-baseline.snapshot.json" ], "required_owner_fields": [ "package_manager_policy", "lockfile_owner", "python_lock_policy", "docker_base_image_policy", "compose_image_policy", "registry_owner", "cve_scan_window", "rollback_owner" ], "blocked_until": [ "registry owner confirms digest source", "compose service owner confirms blast radius", "rollback owner is assigned" ], "request_sent": false, "owner_response_received": false, "owner_response_accepted": false, "runtime_gate_open": false }, { "request_id": "supply_chain_owner_policy:cve_license_sbom_window", "label": "CVE / license / SBOM 驗證窗口 policy", "control_tier": "C1", "status": "draft_waiting_owner_policy_response", "baseline_gap_refs": [ "cve_license_sbom_not_run" ], "evidence_refs": [ "docs/security/PACKAGE-SUPPLY-CHAIN-BASELINE.md", "docs/security/package-supply-chain-baseline.snapshot.json" ], "required_owner_fields": [ "package_manager_policy", "lockfile_owner", "python_lock_policy", "docker_base_image_policy", "compose_image_policy", "registry_owner", "cve_scan_window", "rollback_owner" ], "blocked_until": [ "owner selects allowed tools", "network / cost / runtime boundary is confirmed", "rollback owner is assigned" ], "request_sent": false, "owner_response_received": false, "owner_response_accepted": false, "runtime_gate_open": false } ], "execution_boundaries": { "package_installation_allowed": false, "package_upgrade_allowed": false, "lockfile_write_allowed": false, "requirements_pin_change_allowed": false, "external_cve_lookup_allowed": false, "external_license_lookup_allowed": false, "sbom_generation_allowed": false, "docker_pull_allowed": false, "docker_build_allowed": false, "docker_push_allowed": false, "image_tag_change_allowed": false, "image_digest_pin_change_allowed": false, "registry_login_allowed": false, "workflow_modification_authorized": false, "production_deploy_authorized": false, "runtime_execution_authorized": false, "action_buttons_allowed": false, "secret_value_collection_allowed": false, "runtime_gate_count": 0, "not_authorization": true }, "operator_interpretation": [ "此 owner policy gate 只把 package / Docker baseline 缺口轉成 owner metadata 收件草案。", "通過此 gate 不代表可 install、upgrade、pin requirements、寫 lockfile、pull / build / push image、跑 CVE / license / SBOM 或登入 registry。", "C0 Docker / compose digest policy 仍需 registry owner、rollback owner 與相容性證據,不得自動改 tag 或 digest。", "owner policy request sent、received、accepted、runtime gate 與 action button 全部維持 0 / false。" ] }