Signed bypass & approvals
A firewall you can't get past gets turned off. dpndncY's bypass is deliberate, scoped, and signed — every override produces a tamper-evident record so an auditor can see exactly who bypassed what, when, and why.
Three bypass channels
| Channel | How | Good for |
|---|---|---|
| Signed waiver | A DSSE-signed YAML waiver, committed to the repo, scoped to a package + version range + expiry. | Known, reviewed exceptions you want in version control. |
| Expiring token | A scoped, single-use or TTL-bounded token issued for one install. | One-off unblocks in CI without editing policy. |
| Human approver | A live approval request routed to Slack / web / API; an authorised reviewer approves or denies. | Urgent, judgement-call overrides. |
Waiver format
package: "npm:left-pad"
versions: ">=1.0.0 <2.0.0"
reason: "Pinned transitive; upstream fix tracked in JIRA-4821"
approved_by: "security@acme.com"
expires: "2026-09-01"The waiver is DSSE-signed; the firewall verifies the signature before honouring it.
What gets recorded
Every bypass — successful or attempted — emits a signed firewall/v1 record carrying the package, the verdict that was overridden, the channel used, the identity, the reason, and a timestamp. The record is the same envelope format as any other decision, so it lands in the same audit trail and can be verified offline with dpndncy-verify.
Reporting
Report on bypass usage by team, package, channel, and reason to spot patterns (the same package waived repeatedly is a backlog item, not an exception).