{
"schema_version": "package_supply_chain_inventory_v1",
"generated_at": "2026-06-04T21:06:22+08:00",
"program_status": {
"overall_completion_percent": 100,
"current_priority": "P1",
"current_task_id": "P1-206",
"next_task_id": "P1-103",
"read_only_mode": true
},
"source_refs": [
"apps/api/pyproject.toml",
"apps/api/requirements.txt",
"apps/sensor/requirements.txt",
"packages/lewooogo-data/pyproject.toml",
"packages/lewooogo-brain/pyproject.toml",
"scripts/aider_watch_client/pyproject.toml",
"package.json",
"apps/web/package.json",
"pnpm-lock.yaml",
"apps/api/Dockerfile",
"apps/web/Dockerfile"
],
"rollups": {
"total_surfaces": 10,
"by_ecosystem": {
"python": 6,
"javascript": 2,
"docker": 2
},
"by_status": {
"ready": 5,
"action_required": 5,
"planned_next": 0
},
"python_manifest_count": 6,
"javascript_manifest_count": 2,
"docker_surface_count": 2,
"action_required_surface_ids": [
"apps_api_pyproject",
"apps_api_requirements",
"apps_web_package_json",
"apps_api_dockerfile",
"apps_web_dockerfile"
],
"planned_next_surface_ids": []
},
"surfaces": [
{
"surface_id": "apps_api_pyproject",
"display_name": "API pyproject",
"ecosystem": "python",
"status": "action_required",
"risk_level": "high",
"manifest_ref": "apps/api/pyproject.toml",
"lockfile_ref": "none",
"direct_dependency_count": 25,
"optional_dependency_group_count": 1,
"pinning_policy": "range_minimums_only;claude-agent-sdk、langfuse 等仍需依賴批准與版本漂移治理。",
"runtime_ref": "apps/api/Dockerfile uses python:3.11-slim + uv 0.6.9",
"gate_status": "read_only_allowed",
"evidence_refs": ["apps/api/pyproject.toml", "apps/api/Dockerfile"],
"next_action": "P1-204 定義 Python dependency drift / CVE / license 嚴重度;不得自動升級。"
},
{
"surface_id": "apps_api_requirements",
"display_name": "API legacy requirements",
"ecosystem": "python",
"status": "action_required",
"risk_level": "high",
"manifest_ref": "apps/api/requirements.txt",
"lockfile_ref": "none",
"direct_dependency_count": 24,
"optional_dependency_group_count": 0,
"pinning_policy": "range_minimums_only;與 pyproject 存在 manifest drift。",
"runtime_ref": "not used by current Dockerfile dependency layer",
"gate_status": "read_only_allowed",
"evidence_refs": ["apps/api/requirements.txt", "apps/api/pyproject.toml", "apps/api/Dockerfile"],
"next_action": "P1-204 決定 requirements 是否保留、生成或廢止;需人工 review,不直接刪。"
},
{
"surface_id": "apps_sensor_requirements",
"display_name": "Sensor requirements",
"ecosystem": "python",
"status": "ready",
"risk_level": "medium",
"manifest_ref": "apps/sensor/requirements.txt",
"lockfile_ref": "none",
"direct_dependency_count": 1,
"optional_dependency_group_count": 0,
"pinning_policy": "range_minimums_only",
"runtime_ref": "sensor runtime, Redis client only",
"gate_status": "read_only_allowed",
"evidence_refs": ["apps/sensor/requirements.txt"],
"next_action": "P1-204 納入 Python risk policy。"
},
{
"surface_id": "lewooogo_data_pyproject",
"display_name": "leWOOOgo Data pyproject",
"ecosystem": "python",
"status": "ready",
"risk_level": "medium",
"manifest_ref": "packages/lewooogo-data/pyproject.toml",
"lockfile_ref": "none",
"direct_dependency_count": 4,
"optional_dependency_group_count": 2,
"pinning_policy": "range_minimums_only;pg extra 才包含 asyncpg。",
"runtime_ref": "installed as local package in apps/api/Dockerfile",
"gate_status": "read_only_allowed",
"evidence_refs": ["packages/lewooogo-data/pyproject.toml", "apps/api/Dockerfile"],
"next_action": "P1-204 納入 local package dependency policy。"
},
{
"surface_id": "lewooogo_brain_pyproject",
"display_name": "leWOOOgo Brain pyproject",
"ecosystem": "python",
"status": "ready",
"risk_level": "medium",
"manifest_ref": "packages/lewooogo-brain/pyproject.toml",
"lockfile_ref": "none",
"direct_dependency_count": 3,
"optional_dependency_group_count": 1,
"pinning_policy": "range_minimums_only",
"runtime_ref": "installed as local package in apps/api/Dockerfile",
"gate_status": "read_only_allowed",
"evidence_refs": ["packages/lewooogo-brain/pyproject.toml", "apps/api/Dockerfile"],
"next_action": "P1-204 納入 local package dependency policy。"
},
{
"surface_id": "aider_watch_client_pyproject",
"display_name": "aider-watch client pyproject",
"ecosystem": "python",
"status": "ready",
"risk_level": "low",
"manifest_ref": "scripts/aider_watch_client/pyproject.toml",
"lockfile_ref": "none",
"direct_dependency_count": 3,
"optional_dependency_group_count": 1,
"pinning_policy": "range_minimums_only",
"runtime_ref": "local Mac client script package",
"gate_status": "read_only_allowed",
"evidence_refs": ["scripts/aider_watch_client/pyproject.toml"],
"next_action": "P1-204 納入工具端 dependency policy。"
},
{
"surface_id": "root_package_json",
"display_name": "Root pnpm workspace",
"ecosystem": "javascript",
"status": "ready",
"risk_level": "medium",
"manifest_ref": "package.json",
"lockfile_ref": "pnpm-lock.yaml",
"direct_dependency_count": 5,
"optional_dependency_group_count": 0,
"pinning_policy": "pnpm lockfile present;P1-202 已確認 root importer 與 lockfile specifier 同步。",
"runtime_ref": "pnpm@9.0.0 workspace",
"gate_status": "read_only_allowed",
"evidence_refs": ["package.json", "pnpm-lock.yaml", "docs/evaluations/javascript_package_inventory_2026-06-04.json"],
"next_action": "P1-204 定義 toolchain 與 caret range drift policy;不得寫 lockfile。"
},
{
"surface_id": "apps_web_package_json",
"display_name": "Web package",
"ecosystem": "javascript",
"status": "action_required",
"risk_level": "high",
"manifest_ref": "apps/web/package.json",
"lockfile_ref": "pnpm-lock.yaml",
"direct_dependency_count": 33,
"optional_dependency_group_count": 0,
"pinning_policy": "pnpm lockfile present;Next pinned 14.1.0,28 條 caret range 已由 P1-204 定義漂移政策,P1-205 已建立定期只讀檢查設計。",
"runtime_ref": "apps/web/Dockerfile uses node:20-alpine + pnpm 9.0.0",
"gate_status": "lockfile_write_blocked",
"evidence_refs": ["apps/web/package.json", "apps/web/Dockerfile", "pnpm-lock.yaml", "docs/evaluations/javascript_package_inventory_2026-06-04.json"],
"next_action": "P1-206 產生 Next / React / Sentry / Playwright 等高影響套件升級批准包模板。"
},
{
"surface_id": "apps_api_dockerfile",
"display_name": "API Docker supply-chain surface",
"ecosystem": "docker",
"status": "action_required",
"risk_level": "high",
"manifest_ref": "apps/api/Dockerfile",
"lockfile_ref": "none",
"direct_dependency_count": 3,
"optional_dependency_group_count": 0,
"pinning_policy": "python:3.11-slim 與 uv 0.6.9 tag-pinned 但未 digest-pinned;kubectl v1.29.0 缺 checksum policy。",
"runtime_ref": "python:3.11-slim + ghcr.io/astral-sh/uv:0.6.9 + kubectl v1.29.0",
"gate_status": "image_rebuild_blocked",
"evidence_refs": ["apps/api/Dockerfile", "docs/evaluations/docker_build_surface_inventory_2026-06-04.json"],
"next_action": "P1-206 產生 base image digest pin、kubectl checksum、apt source 與 rebuild approval package。"
},
{
"surface_id": "apps_web_dockerfile",
"display_name": "Web Docker supply-chain surface",
"ecosystem": "docker",
"status": "action_required",
"risk_level": "medium",
"manifest_ref": "apps/web/Dockerfile",
"lockfile_ref": "pnpm-lock.yaml",
"direct_dependency_count": 2,
"optional_dependency_group_count": 0,
"pinning_policy": "node:20-alpine tag-pinned 但未 digest-pinned;pnpm 9.0.0 pinned,仍需 corepack / registry provenance policy。",
"runtime_ref": "node:20-alpine + pnpm 9.0.0",
"gate_status": "image_rebuild_blocked",
"evidence_refs": ["apps/web/Dockerfile", "pnpm-lock.yaml", "docs/evaluations/docker_build_surface_inventory_2026-06-04.json"],
"next_action": "P1-206 產生 node base image digest pin、pnpm/corepack provenance、Web runtime healthcheck 與 rebuild approval package。"
}
],
"drift_findings": [
{
"finding_id": "api_python_manifest_drift",
"severity": "high",
"status": "action_required",
"summary": "apps/api/pyproject.toml 與 apps/api/requirements.txt 不一致;Dockerfile 目前使用 pyproject + uv,requirements 仍保留舊版下限與不同依賴集合。",
"evidence_refs": ["apps/api/pyproject.toml", "apps/api/requirements.txt", "apps/api/Dockerfile"],
"next_action": "P1-206 產生 requirements 權威性、生成策略或廢止策略批准包;不得自動刪除。"
},
{
"finding_id": "python_no_lockfile",
"severity": "medium",
"status": "action_required",
"summary": "Python surfaces 以 range constraints 為主,未發現 uv.lock / poetry.lock / Pipfile.lock;build 可重現性需另定政策。",
"evidence_refs": ["apps/api/pyproject.toml", "packages/lewooogo-data/pyproject.toml", "packages/lewooogo-brain/pyproject.toml"],
"next_action": "P1-206 將 lockfile / constraints file 策略納入升級批准包。"
},
{
"finding_id": "external_cve_lookup_not_run",
"severity": "medium",
"status": "planned_next",
"summary": "本輪未查外部 CVE / license database,避免未批准網路掃描與外部服務依賴;只建立 repo 內事實基線。",
"evidence_refs": ["docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md"],
"next_action": "P1-206 將外部 CVE / license / registry freshness 來源納入批准包模板;未批准前不得查詢。"
},
{
"finding_id": "javascript_manifest_lockfile_in_sync",
"severity": "low",
"status": "accepted",
"summary": "P1-202 已確認 6 個 JavaScript workspace importer 的 manifest specifier 與 pnpm-lock.yaml importer specifier 同步;missing、mismatch、extra 均為 0。",
"evidence_refs": ["docs/evaluations/javascript_package_inventory_2026-06-04.json", "pnpm-lock.yaml"],
"next_action": "維持只讀監控;P1-205 已設計外部 registry / audit 資料來源 cadence 與批准邊界,未批准前不得查詢。"
},
{
"finding_id": "apps_web_caret_range_exposure",
"severity": "medium",
"status": "action_required",
"summary": "@awoooi/web 有 33 條 direct dependencies,其中 28 條使用 caret range;lockfile 目前固定解析結果,但升級政策與高影響套件漂移門檻尚未定義。",
"evidence_refs": ["apps/web/package.json", "pnpm-lock.yaml", "docs/evaluations/javascript_package_inventory_2026-06-04.json"],
"next_action": "P1-206 產生 Next / React / Sentry / Playwright / visualization dependencies 的升級批准包模板。"
},
{
"finding_id": "docker_base_images_not_digest_pinned",
"severity": "high",
"status": "action_required",
"summary": "P1-203 已確認 API / Web Dockerfile 使用 tag-pinned external images,但未使用 digest pin;python:3.11-slim、node:20-alpine、ghcr.io/astral-sh/uv:0.6.9 都需 P1-204 定義 digest / rebuild policy。",
"evidence_refs": ["docs/evaluations/docker_build_surface_inventory_2026-06-04.json", "apps/api/Dockerfile", "apps/web/Dockerfile"],
"next_action": "P1-206 產生 digest pin、更新 cadence、rollback 與 registry approval package。"
},
{
"finding_id": "docker_build_time_network_fetches_present",
"severity": "medium",
"status": "action_required",
"summary": "P1-203 已確認 API build 會 apt-get / curl,Web build 會 corepack prepare / pnpm install;本輪未執行 build,也未驗證外部 registry freshness。",
"evidence_refs": ["docs/evaluations/docker_build_surface_inventory_2026-06-04.json"],
"next_action": "P1-206 將外部來源白名單、快取策略、失敗告警與批准邊界納入 image rebuild 批准包模板。"
},
{
"finding_id": "dependency_risk_policy_defined",
"severity": "low",
"status": "accepted",
"summary": "P1-204 已建立 CVE / license / drift 嚴重度政策,12 條規則中 8 action_required、3 planned_next、1 accepted;未查外部 CVE / license。",
"evidence_refs": ["docs/evaluations/dependency_risk_policy_2026-06-04.json", "GET /api/v1/agents/dependency-risk-policy"],
"next_action": "P1-205 已建立定期依賴漂移與外部資料來源檢查設計;仍不得安裝、升級、寫 lockfile 或 build image。"
},
{
"finding_id": "dependency_drift_check_plan_defined",
"severity": "low",
"status": "accepted",
"summary": "P1-205 已建立定期依賴漂移與外部資料來源檢查設計,涵蓋 5 個 cadence items、5 個 repo-only local checks、10 個外部來源候選;外部來源均需批准。",
"evidence_refs": ["docs/evaluations/dependency_drift_check_plan_2026-06-04.json", "GET /api/v1/agents/dependency-drift-check-plan"],
"next_action": "P1-206 已產生依賴升級、digest pin、publish boundary 批准包模板;仍不得啟用排程或呼叫外部來源。"
},
{
"finding_id": "dependency_upgrade_approval_package_template_defined",
"severity": "low",
"status": "accepted",
"summary": "P1-206 已建立依賴升級、digest pin、publish boundary 與外部來源啟用批准包模板,8 類模板全部要求 OpenClaw 仲裁與 HITL。",
"evidence_refs": ["docs/evaluations/dependency_upgrade_approval_package_template_2026-06-04.json", "GET /api/v1/agents/dependency-upgrade-approval-package-template"],
"next_action": "WS5 套件與供應鏈自動化達 100%;下一步回到 P1-103 備份通知政策。"
}
],
"operation_boundaries": {
"read_only_api_allowed": true,
"dependency_installation_allowed": false,
"package_upgrade_allowed": false,
"lockfile_write_allowed": false,
"external_cve_lookup_allowed": false,
"image_rebuild_allowed": false,
"production_routing_allowed": false
},
"approval_boundaries": {
"sdk_installation_allowed": false,
"paid_api_call_allowed": false,
"shadow_or_canary_allowed": false,
"production_routing_allowed": false,
"destructive_operation_allowed": false
}
}