{ "schema_version": "docker_build_surface_inventory_v1", "generated_at": "2026-06-04T19:23:03+08:00", "program_status": { "overall_completion_percent": 97, "current_priority": "P1", "current_task_id": "P1-203", "next_task_id": "P1-204", "read_only_mode": true }, "source_refs": [ "apps/api/Dockerfile", "apps/web/Dockerfile", "apps/api/pyproject.toml", "apps/web/package.json", "pnpm-lock.yaml" ], "rollups": { "total_surfaces": 2, "dockerfile_count": 2, "external_image_ref_count": 3, "from_instruction_count": 6, "copy_from_external_image_count": 1, "digest_pinned_image_count": 0, "tag_pinned_image_count": 3, "build_time_network_fetch_count": 4, "non_root_runtime_count": 2, "healthcheck_count": 1, "by_status": { "action_required": 2 }, "action_required_surface_ids": [ "api_dockerfile", "web_dockerfile" ], "planned_next_surface_ids": [] }, "surfaces": [ { "surface_id": "api_dockerfile", "display_name": "AWOOOI API Dockerfile", "dockerfile_ref": "apps/api/Dockerfile", "status": "action_required", "risk_level": "high", "stage_count": 2, "external_image_refs": [ "python:3.11-slim", "ghcr.io/astral-sh/uv:0.6.9" ], "digest_pinned_image_refs": [], "tag_pinned_image_refs": [ "python:3.11-slim", "ghcr.io/astral-sh/uv:0.6.9" ], "build_time_network_fetches": [ "apt-get update && apt-get install openssh-client curl", "curl -LO https://dl.k8s.io/release/v1.29.0/bin/linux/amd64/kubectl" ], "binary_sources": [ "ghcr.io/astral-sh/uv:0.6.9 /uv", "dl.k8s.io kubectl v1.29.0" ], "non_root_runtime": true, "healthcheck_present": true, "cache_controls": [ "ARG BUILDKIT_INLINE_CACHE=0", "ARG CACHE_BUST=none", "dependency layer before apps/api/src COPY" ], "gate_status": "image_rebuild_blocked", "evidence_refs": ["apps/api/Dockerfile"], "next_action": "P1-204 定義 base image digest pin、kubectl checksum、apt source 與 rebuild approval policy;不得直接 build image。" }, { "surface_id": "web_dockerfile", "display_name": "AWOOOI Web Dockerfile", "dockerfile_ref": "apps/web/Dockerfile", "status": 
"action_required", "risk_level": "high", "stage_count": 4, "external_image_refs": [ "node:20-alpine" ], "digest_pinned_image_refs": [], "tag_pinned_image_refs": [ "node:20-alpine" ], "build_time_network_fetches": [ "corepack prepare pnpm@9.0.0 --activate", "pnpm install --frozen-lockfile" ], "binary_sources": [ "node:20-alpine base image", "corepack pnpm@9.0.0", "pnpm registry dependencies via pnpm-lock.yaml" ], "non_root_runtime": true, "healthcheck_present": false, "cache_controls": [ "ARG BUILDKIT_INLINE_CACHE=1", "ARG CACHE_BUST=dev", "NEXT_PRIVATE_BUILD_WORKER_COUNT=1", "BuildKit cache mount for .next/cache", "BuildKit cache mount for /root/.cache/turbo" ], "gate_status": "image_rebuild_blocked", "evidence_refs": ["apps/web/Dockerfile", "pnpm-lock.yaml"], "next_action": "P1-204 定義 node base image digest pin、pnpm/corepack provenance、Web runtime healthcheck 與 rebuild approval policy;不得直接 build image。" } ], "risk_findings": [ { "finding_id": "base_images_not_digest_pinned", "severity": "high", "status": "action_required", "summary": "API 與 Web Dockerfile 使用 tag-pinned base image,但未使用 digest pin;tag 在 registry 端可被重新指向,同一 Dockerfile 先後兩次 build 可能拉到不同 image 內容,build 結果不可重現。`python:3.11-slim`、`node:20-alpine`、`ghcr.io/astral-sh/uv:0.6.9` 都需要 P1-204 定義 digest / rebuild policy。", "evidence_refs": ["apps/api/Dockerfile", "apps/web/Dockerfile"], "next_action": "P1-204 定義 digest pin、更新 cadence、rollback 與 registry approval package。" }, { "finding_id": "api_kubectl_binary_without_checksum_policy", "severity": "high", "status": "action_required", "summary": "API image build 以 curl 下載 kubectl v1.29.0,但未在 Dockerfile 內呈現 checksum / signature 驗證 policy。", "evidence_refs": ["apps/api/Dockerfile"], "next_action": "P1-204 定義 kubectl binary source、checksum / signature、替換方式與 image rebuild approval gate。" }, { "finding_id": "build_time_network_fetches_present", "severity": "medium", "status": "action_required", "summary": "API build 會 apt-get / curl,Web build 會 corepack prepare / pnpm install;本輪只盤點,不執行 build,也不驗證外部 registry freshness。", "evidence_refs": 
["apps/api/Dockerfile", "apps/web/Dockerfile", "pnpm-lock.yaml"], "next_action": "P1-204 定義外部來源白名單、快取策略、失敗告警與批准邊界。" }, { "finding_id": "web_runtime_healthcheck_missing", "severity": "medium", "status": "action_required", "summary": "Web runtime stage 有 non-root user,但 Dockerfile 未定義 HEALTHCHECK;需確認 K8s probe 是否是唯一健康檢查來源。", "evidence_refs": ["apps/web/Dockerfile", "k8s/"], "next_action": "P1-204 或 P1-001 對齊 Dockerfile healthcheck 與 K8s probe contract;不得直接改 image。" }, { "finding_id": "image_rebuild_not_run", "severity": "low", "status": "accepted", "summary": "本輪未執行 docker build、image pull、registry push 或外部 CVE 查詢;只建立 repo 內 Dockerfile 事實基線。", "evidence_refs": ["docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md"], "next_action": "若要重建 image,必須另走 P1-204 policy 與人工批准。" } ], "operation_boundaries": { "read_only_api_allowed": true, "docker_build_allowed": false, "image_pull_allowed": false, "image_rebuild_allowed": false, "registry_push_allowed": false, "external_cve_lookup_allowed": false, "package_installation_allowed": false, "production_routing_allowed": false }, "approval_boundaries": { "sdk_installation_allowed": false, "paid_api_call_allowed": false, "shadow_or_canary_allowed": false, "production_routing_allowed": false, "destructive_operation_allowed": false } }