{ "schema_version": "javascript_package_inventory_v1", "generated_at": "2026-06-04T19:13:23+08:00", "program_status": { "overall_completion_percent": 95, "current_priority": "P1", "current_task_id": "P1-202", "next_task_id": "P1-203", "read_only_mode": true }, "source_refs": [ "package.json", "pnpm-workspace.yaml", "pnpm-lock.yaml", "apps/web/package.json", "packages/lewooogo-core/package.json", "packages/shared-types/package.json", "packages/eslint-config/package.json", "packages/tsconfig/package.json" ], "lockfile_summary": { "lockfile_ref": "pnpm-lock.yaml", "lockfile_version": "9.0", "importer_count": 6, "package_entry_count": 986, "snapshot_entry_count": 986, "settings": { "autoInstallPeers": true, "excludeLinksFromLockfile": false }, "status": "in_sync", "write_allowed": false }, "rollups": { "total_workspaces": 6, "total_direct_dependencies": 51, "production_dependency_count": 20, "dev_dependency_count": 31, "workspace_dependency_count": 6, "external_dependency_count": 45, "caret_specifier_count": 44, "exact_specifier_count": 1, "tilde_specifier_count": 0, "manifest_lock_mismatch_count": 0, "missing_in_lockfile_count": 0, "extra_in_lockfile_count": 0, "by_status": { "ready": 4, "action_required": 2, "planned_next": 0 }, "action_required_workspace_ids": [ "apps_web", "shared_types" ], "planned_next_workspace_ids": [] }, "workspaces": [ { "workspace_id": "root_workspace", "display_name": "Root pnpm workspace", "manifest_ref": "package.json", "lockfile_importer": ".", "status": "ready", "risk_level": "medium", "private_package": true, "package_manager": "pnpm@9.0.0", "dependency_counts": { "dependencies": 0, "devDependencies": 5, "peerDependencies": 0, "optionalDependencies": 0, "total": 5 }, "specifier_counts": { "workspace": 0, "caret": 5, "exact": 0, "tilde": 0, "other": 0 }, "workspace_dependency_names": [], "evidence_refs": ["package.json", "pnpm-lock.yaml"], "next_action": "P1-204 定義 caret range 與 toolchain 版本漂移政策;不得直接升級。" }, { "workspace_id": "apps_web", 
"display_name": "@awoooi/web", "manifest_ref": "apps/web/package.json", "lockfile_importer": "apps/web", "status": "action_required", "risk_level": "high", "private_package": true, "package_manager": null, "dependency_counts": { "dependencies": 19, "devDependencies": 14, "peerDependencies": 0, "optionalDependencies": 0, "total": 33 }, "specifier_counts": { "workspace": 4, "caret": 28, "exact": 1, "tilde": 0, "other": 0 }, "workspace_dependency_names": [ "@awoooi/lewooogo-core", "@awoooi/shared-types", "@awoooi/eslint-config", "@awoooi/tsconfig" ], "evidence_refs": ["apps/web/package.json", "pnpm-lock.yaml"], "next_action": "P1-204 定義 Next / React / Sentry / Playwright 等高影響套件的 drift、CVE、license 嚴重度;不得直接改 lockfile。" }, { "workspace_id": "lewooogo_core", "display_name": "@awoooi/lewooogo-core", "manifest_ref": "packages/lewooogo-core/package.json", "lockfile_importer": "packages/lewooogo-core", "status": "ready", "risk_level": "medium", "private_package": true, "package_manager": null, "dependency_counts": { "dependencies": 1, "devDependencies": 4, "peerDependencies": 0, "optionalDependencies": 0, "total": 5 }, "specifier_counts": { "workspace": 2, "caret": 3, "exact": 0, "tilde": 0, "other": 0 }, "workspace_dependency_names": [ "@awoooi/eslint-config", "@awoooi/tsconfig" ], "evidence_refs": ["packages/lewooogo-core/package.json", "pnpm-lock.yaml"], "next_action": "P1-204 納入 workspace package dependency policy。" }, { "workspace_id": "shared_types", "display_name": "@awoooi/shared-types", "manifest_ref": "packages/shared-types/package.json", "lockfile_importer": "packages/shared-types", "status": "action_required", "risk_level": "medium", "private_package": null, "package_manager": null, "dependency_counts": { "dependencies": 0, "devDependencies": 2, "peerDependencies": 0, "optionalDependencies": 0, "total": 2 }, "specifier_counts": { "workspace": 0, "caret": 2, "exact": 0, "tilde": 0, "other": 0 }, "workspace_dependency_names": [], "evidence_refs": 
["packages/shared-types/package.json", "pnpm-lock.yaml"], "next_action": "P1-204 決定 shared-types 是否必須 private 或保留 publishConfig;不得自動 publish。" }, { "workspace_id": "eslint_config", "display_name": "@awoooi/eslint-config", "manifest_ref": "packages/eslint-config/package.json", "lockfile_importer": "packages/eslint-config", "status": "ready", "risk_level": "medium", "private_package": true, "package_manager": null, "dependency_counts": { "dependencies": 0, "devDependencies": 6, "peerDependencies": 0, "optionalDependencies": 0, "total": 6 }, "specifier_counts": { "workspace": 0, "caret": 6, "exact": 0, "tilde": 0, "other": 0 }, "workspace_dependency_names": [], "evidence_refs": ["packages/eslint-config/package.json", "pnpm-lock.yaml"], "next_action": "P1-204 納入 lint toolchain drift policy。" }, { "workspace_id": "tsconfig", "display_name": "@awoooi/tsconfig", "manifest_ref": "packages/tsconfig/package.json", "lockfile_importer": "packages/tsconfig", "status": "ready", "risk_level": "low", "private_package": true, "package_manager": null, "dependency_counts": { "dependencies": 0, "devDependencies": 0, "peerDependencies": 0, "optionalDependencies": 0, "total": 0 }, "specifier_counts": { "workspace": 0, "caret": 0, "exact": 0, "tilde": 0, "other": 0 }, "workspace_dependency_names": [], "evidence_refs": ["packages/tsconfig/package.json", "pnpm-lock.yaml"], "next_action": "維持只讀觀察。" } ], "lockfile_drift": { "status": "in_sync", "missing_in_lockfile": [], "specifier_mismatches": [], "extra_in_lockfile": [] }, "drift_findings": [ { "finding_id": "manifest_lockfile_in_sync", "severity": "low", "status": "accepted", "summary": "6 個 workspace importer 的 manifest specifier 與 pnpm-lock.yaml importer specifier 一致;本輪未發現 missing、mismatch 或 extra dependency。", "evidence_refs": ["package.json", "apps/web/package.json", "pnpm-lock.yaml"], "next_action": "維持只讀監控;須先批准外部 registry / audit 查詢,後續才能補上 CVE 與 version freshness。" }, { "finding_id": "apps_web_caret_range_exposure", "severity": "medium", 
"status": "action_required", "summary": "@awoooi/web 有 33 條 direct dependencies,其中 28 條使用 caret range;lockfile 目前固定解析結果(僅在安裝流程以 --frozen-lockfile 遵循 pnpm-lock.yaml 時成立),但升級政策與高影響套件漂移門檻尚未定義。", "evidence_refs": ["apps/web/package.json", "pnpm-lock.yaml"], "next_action": "P1-204 定義 Next / React / Sentry / Playwright / visualization dependencies 的 drift、CVE、license 嚴重度。" }, { "finding_id": "shared_types_publish_boundary_unclear", "severity": "medium", "status": "action_required", "summary": "@awoooi/shared-types 未標記 private=true,且含 publishConfig access=public;需確認這是刻意的 publish contract 或應改為 private。", "evidence_refs": ["packages/shared-types/package.json"], "next_action": "P1-204 產生 publish boundary 批准包;不得自動 publish 或改 package metadata。" }, { "finding_id": "external_cve_lookup_not_run", "severity": "medium", "status": "planned_next", "summary": "本輪未呼叫 npm registry、npm audit、GitHub advisory 或其他外部 CVE / license 來源;只建立 repo 內事實基線。", "evidence_refs": ["docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md"], "next_action": "P1-204 先定義資料來源、費用、速率與批准邊界,再決定是否接外部掃描。" } ], "operation_boundaries": { "read_only_api_allowed": true, "package_installation_allowed": false, "package_upgrade_allowed": false, "lockfile_write_allowed": false, "external_cve_lookup_allowed": false, "npm_audit_allowed": false, "pnpm_install_allowed": false, "production_routing_allowed": false }, "approval_boundaries": { "sdk_installation_allowed": false, "paid_api_call_allowed": false, "shadow_or_canary_allowed": false, "production_routing_allowed": false, "destructive_operation_allowed": false } }