Files
awoooi/docs/security/package-supply-chain-owner-policy-gate.snapshot.json

311 lines
10 KiB
JSON

{
"schema_version": "package_supply_chain_owner_policy_gate_v1",
"status": "draft_waiting_owner_policy_response",
"mode": "repo_snapshot_policy_gate_no_install_no_network_no_cve_scan",
"generated_at": "2026-06-15T07:05:00+08:00",
"baseline_ref": "docs/security/package-supply-chain-baseline.snapshot.json",
"baseline_git_commit": "1ab85f51",
"summary": {
"baseline_gap_count": 5,
"owner_policy_request_count": 6,
"c0_policy_request_count": 2,
"write_capable_policy_request_count": 6,
"required_owner_field_count": 8,
"reviewer_check_count": 12,
"blocked_action_count": 20,
"owner_policy_request_sent_count": 0,
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"owner_response_rejected_count": 0,
"runtime_gate_count": 0,
"action_button_count": 0
},
"baseline_gaps": [
"python_lockfile_absent",
"docker_base_images_not_all_digest_pinned",
"docker_copy_from_images_not_all_digest_pinned",
"compose_images_not_all_digest_pinned",
"requirements_unpinned_entries_present"
],
"required_owner_fields": [
"package_manager_policy",
"lockfile_owner",
"python_lock_policy",
"docker_base_image_policy",
"compose_image_policy",
"registry_owner",
"cve_scan_window",
"rollback_owner"
],
"reviewer_checks": [
"owner_role_or_team_present",
"decision_present",
"decision_reason_present",
"affected_scope_present",
"redacted_evidence_refs_present",
"followup_owner_present",
"rollback_owner_present",
"package_manager_policy_consistent",
"python_lock_policy_consistent",
"image_digest_policy_consistent",
"cve_license_sbom_window_metadata_only",
"no_runtime_or_secret_request_embedded"
],
"blocked_actions": [
"install_package",
"upgrade_package",
"downgrade_package",
"rewrite_lockfile",
"pin_requirements_without_owner_policy",
"run_npm_audit",
"run_pip_audit",
"run_external_cve_lookup",
"run_external_license_lookup",
"generate_sbom",
"docker_pull",
"docker_build",
"docker_push",
"change_image_tag",
"pin_image_digest_without_owner_policy",
"registry_login",
"change_workflow",
"change_secret",
"production_deploy",
"open_runtime_gate"
],
"owner_policy_requests": [
{
"request_id": "supply_chain_owner_policy:package_manager_lockfile_owner",
"label": "Node / pnpm package manager 與 lockfile owner policy",
"control_tier": "C1",
"status": "draft_waiting_owner_policy_response",
"baseline_gap_refs": [
"package_manager_policy_required"
],
"evidence_refs": [
"package.json",
"pnpm-lock.yaml",
"docs/security/package-supply-chain-baseline.snapshot.json"
],
"required_owner_fields": [
"package_manager_policy",
"lockfile_owner",
"python_lock_policy",
"docker_base_image_policy",
"compose_image_policy",
"registry_owner",
"cve_scan_window",
"rollback_owner"
],
"blocked_until": [
"owner confirms pnpm lockfile owner",
"owner defines lockfile update window",
"rollback owner is assigned"
],
"request_sent": false,
"owner_response_received": false,
"owner_response_accepted": false,
"runtime_gate_open": false
},
{
"request_id": "supply_chain_owner_policy:python_lockfile_policy",
"label": "Python lockfile policy",
"control_tier": "C1",
"status": "draft_waiting_owner_policy_response",
"baseline_gap_refs": [
"python_lockfile_absent"
],
"evidence_refs": [
"apps/api/pyproject.toml",
"packages/lewooogo-brain/pyproject.toml",
"packages/lewooogo-data/pyproject.toml",
"scripts/aider_watch_client/pyproject.toml",
"docs/security/package-supply-chain-baseline.snapshot.json"
],
"required_owner_fields": [
"package_manager_policy",
"lockfile_owner",
"python_lock_policy",
"docker_base_image_policy",
"compose_image_policy",
"registry_owner",
"cve_scan_window",
"rollback_owner"
],
"blocked_until": [
"owner selects poetry.lock / uv.lock / Pipfile.lock policy",
"compatibility owner confirms scope",
"rollback owner is assigned"
],
"request_sent": false,
"owner_response_received": false,
"owner_response_accepted": false,
"runtime_gate_open": false
},
{
"request_id": "supply_chain_owner_policy:requirements_pin_policy",
"label": "requirements pinning policy",
"control_tier": "C1",
"status": "draft_waiting_owner_policy_response",
"baseline_gap_refs": [
"requirements_unpinned_entries_present"
],
"evidence_refs": [
"apps/api/requirements.txt",
"apps/sensor/requirements.txt",
"docs/security/package-supply-chain-baseline.snapshot.json"
],
"required_owner_fields": [
"package_manager_policy",
"lockfile_owner",
"python_lock_policy",
"docker_base_image_policy",
"compose_image_policy",
"registry_owner",
"cve_scan_window",
"rollback_owner"
],
"blocked_until": [
"owner defines pinning approach",
"compatibility test owner is assigned",
"rollback owner is assigned"
],
"request_sent": false,
"owner_response_received": false,
"owner_response_accepted": false,
"runtime_gate_open": false
},
{
"request_id": "supply_chain_owner_policy:dockerfile_digest_pin_policy",
"label": "Dockerfile base image / COPY --from digest policy",
"control_tier": "C0",
"status": "draft_waiting_owner_policy_response",
"baseline_gap_refs": [
"docker_base_images_not_all_digest_pinned",
"docker_copy_from_images_not_all_digest_pinned"
],
"evidence_refs": [
"apps/api/Dockerfile",
"apps/web/Dockerfile",
"docs/security/package-supply-chain-baseline.snapshot.json"
],
"required_owner_fields": [
"package_manager_policy",
"lockfile_owner",
"python_lock_policy",
"docker_base_image_policy",
"compose_image_policy",
"registry_owner",
"cve_scan_window",
"rollback_owner"
],
"blocked_until": [
"registry owner confirms digest source",
"image compatibility owner confirms scope",
"rollback owner is assigned"
],
"request_sent": false,
"owner_response_received": false,
"owner_response_accepted": false,
"runtime_gate_open": false
},
{
"request_id": "supply_chain_owner_policy:compose_image_digest_pin_policy",
"label": "docker-compose image digest policy",
"control_tier": "C0",
"status": "draft_waiting_owner_policy_response",
"baseline_gap_refs": [
"compose_images_not_all_digest_pinned"
],
"evidence_refs": [
"apps/api/docker-compose.test.yml",
"docker-compose.yml",
"infra/langfuse/docker-compose.yml",
"k8s/monitoring/docker-compose-110.yml",
"ops/monitoring/docker-compose.exporters.yaml",
"ops/sentry-self-hosted/docker-compose.yml",
"docs/security/package-supply-chain-baseline.snapshot.json"
],
"required_owner_fields": [
"package_manager_policy",
"lockfile_owner",
"python_lock_policy",
"docker_base_image_policy",
"compose_image_policy",
"registry_owner",
"cve_scan_window",
"rollback_owner"
],
"blocked_until": [
"registry owner confirms digest source",
"compose service owner confirms blast radius",
"rollback owner is assigned"
],
"request_sent": false,
"owner_response_received": false,
"owner_response_accepted": false,
"runtime_gate_open": false
},
{
"request_id": "supply_chain_owner_policy:cve_license_sbom_window",
"label": "CVE / license / SBOM 驗證窗口 policy",
"control_tier": "C1",
"status": "draft_waiting_owner_policy_response",
"baseline_gap_refs": [
"cve_license_sbom_not_run"
],
"evidence_refs": [
"docs/security/PACKAGE-SUPPLY-CHAIN-BASELINE.md",
"docs/security/package-supply-chain-baseline.snapshot.json"
],
"required_owner_fields": [
"package_manager_policy",
"lockfile_owner",
"python_lock_policy",
"docker_base_image_policy",
"compose_image_policy",
"registry_owner",
"cve_scan_window",
"rollback_owner"
],
"blocked_until": [
"owner selects allowed tools",
"network / cost / runtime boundary is confirmed",
"rollback owner is assigned"
],
"request_sent": false,
"owner_response_received": false,
"owner_response_accepted": false,
"runtime_gate_open": false
}
],
"execution_boundaries": {
"package_installation_allowed": false,
"package_upgrade_allowed": false,
"lockfile_write_allowed": false,
"requirements_pin_change_allowed": false,
"external_cve_lookup_allowed": false,
"external_license_lookup_allowed": false,
"sbom_generation_allowed": false,
"docker_pull_allowed": false,
"docker_build_allowed": false,
"docker_push_allowed": false,
"image_tag_change_allowed": false,
"image_digest_pin_change_allowed": false,
"registry_login_allowed": false,
"workflow_modification_authorized": false,
"production_deploy_authorized": false,
"runtime_execution_authorized": false,
"action_buttons_allowed": false,
"secret_value_collection_allowed": false,
"runtime_gate_count": 0,
"not_authorization": true
},
"operator_interpretation": [
"此 owner policy gate 只把 package / Docker baseline 缺口轉成 owner metadata 收件草案。",
"通過此 gate 不代表可 install、upgrade、pin requirements、寫 lockfile、pull / build / push image、跑 CVE / license / SBOM 或登入 registry。",
"C0 Docker / compose digest policy 仍需 registry owner、rollback owner 與相容性證據,不得自動改 tag 或 digest。",
"owner policy request sent、received、accepted、runtime gate 與 action button 全部維持 0 / false。"
]
}