awoooi/docs/security/package-supply-chain-baseline.snapshot.json
{
"schema_version": "package_supply_chain_baseline_v1",
"status": "repo_only_inventory_ready_needs_owner_policy",
"mode": "repo_snapshot_only_no_install_no_network_no_cve_scan",
"generated_at": "2026-06-15T06:20:00+08:00",
"git_commit": "1ab85f51",
"package_manager": "pnpm@9.0.0",
"summary": {
"package_json_count": 6,
"pyproject_count": 4,
"requirements_file_count": 2,
"requirements_entry_count": 26,
"requirements_unpinned_entry_count": 26,
"lockfile_count": 1,
"pnpm_lock_present": true,
"npm_lock_present": false,
"yarn_lock_present": false,
"python_lockfile_count": 0,
"dockerfile_count": 2,
"docker_base_image_count": 3,
"docker_base_digest_pinned_count": 0,
"docker_copy_from_image_count": 1,
"docker_copy_from_digest_pinned_count": 0,
"compose_file_count": 6,
"compose_image_ref_count": 16,
"compose_digest_pinned_image_ref_count": 0,
"gap_count": 5,
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"runtime_gate_count": 0,
"action_button_count": 0
},
"package_json_manifests": [
{
"path": "apps/web/package.json",
"name": "@awoooi/web",
"private": true,
"package_manager": null,
"dependency_count": 33,
"has_scripts": true
},
{
"path": "package.json",
"name": "awoooi",
"private": true,
"package_manager": "pnpm@9.0.0",
"dependency_count": 5,
"has_scripts": true
},
{
"path": "packages/eslint-config/package.json",
"name": "@awoooi/eslint-config",
"private": true,
"package_manager": null,
"dependency_count": 6,
"has_scripts": false
},
{
"path": "packages/lewooogo-core/package.json",
"name": "@awoooi/lewooogo-core",
"private": true,
"package_manager": null,
"dependency_count": 5,
"has_scripts": true
},
{
"path": "packages/shared-types/package.json",
"name": "@awoooi/shared-types",
"private": false,
"package_manager": null,
"dependency_count": 2,
"has_scripts": true
},
{
"path": "packages/tsconfig/package.json",
"name": "@awoooi/tsconfig",
"private": true,
"package_manager": null,
"dependency_count": 0,
"has_scripts": false
}
],
"pyproject_manifests": [
{
"path": "apps/api/pyproject.toml",
"name": "awoooi-api",
"dependency_count": 33,
"has_build_system": true
},
{
"path": "packages/lewooogo-brain/pyproject.toml",
"name": "lewooogo-brain",
"dependency_count": 13,
"has_build_system": true
},
{
"path": "packages/lewooogo-data/pyproject.toml",
"name": "lewooogo-data",
"dependency_count": 16,
"has_build_system": true
},
{
"path": "scripts/aider_watch_client/pyproject.toml",
"name": "aider-watch-client",
"dependency_count": 0,
"has_build_system": true
}
],
"requirements_files": [
{
"path": "apps/api/requirements.txt",
"entry_count": 25,
"pinned_entry_count": 0,
"unpinned_entry_count": 25
},
{
"path": "apps/sensor/requirements.txt",
"entry_count": 1,
"pinned_entry_count": 0,
"unpinned_entry_count": 1
}
],
"lockfiles": [
"pnpm-lock.yaml"
],
"dockerfiles": [
{
"path": "apps/api/Dockerfile",
"from_images": [
"python:3.11-slim",
"python:3.11-slim"
],
"from_image_count": 2,
"digest_pinned_from_image_count": 0,
"copy_from_images": [
"ghcr.io/astral-sh/uv:0.6.9"
],
"copy_from_image_count": 1,
"digest_pinned_copy_from_image_count": 0
},
{
"path": "apps/web/Dockerfile",
"from_images": [
"node:20-alpine"
],
"from_image_count": 1,
"digest_pinned_from_image_count": 0,
"copy_from_images": [],
"copy_from_image_count": 0,
"digest_pinned_copy_from_image_count": 0
}
],
"compose_files": [
{
"path": "apps/api/docker-compose.test.yml",
"image_refs": [
"pgvector/pgvector:pg16",
"redis:7-alpine",
"python:3.11-slim"
],
"image_ref_count": 3,
"digest_pinned_image_ref_count": 0
},
{
"path": "docker-compose.yml",
"image_refs": [
"postgres:16-alpine",
"redis:7-alpine"
],
"image_ref_count": 2,
"digest_pinned_image_ref_count": 0
},
{
"path": "infra/langfuse/docker-compose.yml",
"image_refs": [
"langfuse/langfuse:2",
"postgres:15-alpine"
],
"image_ref_count": 2,
"digest_pinned_image_ref_count": 0
},
{
"path": "k8s/monitoring/docker-compose-110.yml",
"image_refs": [
"gcr.io/cadvisor/cadvisor:latest",
"prom/prometheus:latest",
"grafana/grafana:latest",
"prom/blackbox-exporter:latest",
"prom/alertmanager:latest",
"promhippie/github-exporter:latest"
],
"image_ref_count": 6,
"digest_pinned_image_ref_count": 0
},
{
"path": "ops/monitoring/docker-compose.exporters.yaml",
"image_refs": [
"prometheuscommunity/postgres-exporter:v0.15.0",
"oliver006/redis_exporter:v1.58.0"
],
"image_ref_count": 2,
"digest_pinned_image_ref_count": 0
},
{
"path": "ops/sentry-self-hosted/docker-compose.yml",
"image_refs": [
"alpine:latest"
],
"image_ref_count": 1,
"digest_pinned_image_ref_count": 0
}
],
"gaps": [
"python_lockfile_absent",
"docker_base_images_not_all_digest_pinned",
"docker_copy_from_images_not_all_digest_pinned",
"compose_images_not_all_digest_pinned",
"requirements_unpinned_entries_present"
],
"next_owner_evidence_fields": [
"package_manager_policy",
"lockfile_owner",
"python_lock_policy",
"docker_base_image_policy",
"compose_image_policy",
"registry_owner",
"cve_scan_window",
"rollback_owner"
],
"execution_boundaries": {
"package_install_authorized": false,
"dependency_upgrade_authorized": false,
"lockfile_rewrite_authorized": false,
"npm_audit_authorized": false,
"pip_audit_authorized": false,
"cve_scan_authorized": false,
"docker_build_authorized": false,
"docker_pull_authorized": false,
"docker_push_authorized": false,
"image_tag_change_authorized": false,
"image_digest_pin_change_authorized": false,
"registry_login_authorized": false,
"secret_value_collection_allowed": false,
"workflow_modification_authorized": false,
"production_deploy_authorized": false,
"runtime_gate_count": 0,
"action_button_count": 0,
"not_authorization": true
},
"operator_interpretation": [
"此 baseline 只代表 repo 供應鏈來源盤點,不代表 CVE / license / SBOM 已驗收。",
"Docker image 未全數 digest pinning 是 policy gap,不在本輪自動改 image tag。",
"Python lockfile 缺口是 owner policy gap,不在本輪自動產生 lockfile。",
"不得把此 snapshot 當成 install、upgrade、docker pull、registry login 或 deploy 授權。"
]
}