dpndncY

Rollout modes: observe → soak → enforce

The Dependency Firewall ships policy on a curve, not a cliff. Three modes let you watch, then warn, then block — with consistent, signed verdicts at every stage so you can prove what would have happened before it does.

The three modes

observe
  Behaviour: Evaluate every install, record a signed verdict, always forward upstream. Nothing is blocked.
  Use when:  Day 1 — measure what your policy would block.

soak
  Behaviour: Surface block verdicts as warnings to the developer, but still forward the install.
  Use when:  Once observe is quiet — give teams notice before enforcement.

enforce
  Behaviour: Return 403 on a block verdict; the install fails.
  Use when:  When the warning rate is acceptable and teams know the rules.

Per-ecosystem mode

Modes are set per ecosystem, so you can be in enforce for npm while still in observe for Maven. This lets you graduate one toolchain at a time instead of flipping the whole org at once.

policy.yaml
firewall:
  modes:
    npm: enforce
    pypi: enforce
    maven: soak
    nuget: observe

Recommended ramp

  1. Week 1–2 — observe. Collect verdicts. Tune the policy until the would-block rate is sane.
  2. Week 3–4 — soak. Developers see warnings and approval prompts. Wire your bypass channels.
  3. Week 5+ — enforce. Block verdicts now fail installs; bypass is approval-gated and audited.

Every mode signs the same verdict

A verdict in observe is byte-identical to the one you’d get in enforce — so the audit trail you build while watching is the same evidence you rely on while blocking. Roll back to a softer mode at any time; the trail is continuous.
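The following is an added example, not dpndncY's own code, sketching how the per-ecosystem modes above, the would-block rate watched during the observe weeks, and the "same signed verdict in every mode" guarantee fit together. The mode map mirrors the policy.yaml fragment; the signing key, the HMAC-SHA256 scheme, the verdict fields and the fallback of unconfigured ecosystems to observe are assumptions of this example, not documented firewall behaviour.

```python
import hashlib
import hmac
import json

# Constructed per-ecosystem mode map mirroring the policy.yaml fragment above.
MODES = {"npm": "enforce", "pypi": "enforce", "maven": "soak", "nuget": "observe"}

# Hypothetical signing key for this example; a real deployment loads it from a secret store.
SIGNING_KEY = b"example-verdict-signing-key"

VALID_MODES = ("observe", "soak", "enforce")


def sign_verdict(verdict: dict) -> dict:
    """Canonicalise a verdict as compact, key-sorted JSON and attach an HMAC-SHA256.

    The rollout mode is intentionally NOT part of the payload, so the signed bytes
    are the same whether the ecosystem is in observe, soak or enforce.
    """
    payload = json.dumps(verdict, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_verdict(signed: dict) -> bool:
    """Recompute the HMAC over the stored payload (what an auditor does on the trail)."""
    expected = hmac.new(SIGNING_KEY, signed["payload"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def decide(ecosystem, package, version, blocked, reason, modes=MODES):
    """Apply the ecosystem's rollout mode to a policy result.

    Returns the proxy action (forward or reject), the HTTP status the installer
    sees, whether a warning is surfaced, and the signed verdict to record.
    """
    # Assumption of this example: an ecosystem with no configured mode starts in observe.
    mode = modes.get(ecosystem, "observe")
    if mode not in VALID_MODES:
        raise ValueError(f"unknown mode {mode!r} for {ecosystem}")

    verdict = {
        "ecosystem": ecosystem,
        "package": package,
        "version": version,
        "decision": "block" if blocked else "allow",
        "reason": reason,
    }
    signed = sign_verdict(verdict)  # identical bytes regardless of mode

    if not blocked or mode == "observe":
        action, status, warn = "forward", 200, False   # observe: never block
    elif mode == "soak":
        action, status, warn = "forward", 200, True    # soak: warn, still forward
    else:
        action, status, warn = "reject", 403, False    # enforce: install fails

    return {"mode": mode, "action": action, "status": status, "warn": warn, "verdict": signed}


def would_block_rate(records):
    """Share of recorded verdicts whose decision is block, regardless of mode.

    This is the number to watch in weeks 1-2: it is exactly what enforce would fail.
    """
    if not records:
        return 0.0
    blocked = sum(
        1 for r in records if json.loads(r["verdict"]["payload"])["decision"] == "block"
    )
    return blocked / len(records)


if __name__ == "__main__":
    # Constructed sample installs: the same policy result lands differently per mode.
    sample = [
        decide("npm", "left-pad", "1.3.0", False, "policy: allowed"),
        decide("npm", "evil-pad", "0.0.1", True, "policy: unapproved publisher"),
        decide("maven", "org.example:lib", "2.0", True, "policy: unapproved publisher"),
        decide("nuget", "Example.Lib", "4.1.0", True, "policy: unapproved publisher"),
    ]
    for r in sample:
        flag = "warn" if r["warn"] else ""
        print(r["mode"], r["action"], r["status"], flag, r["verdict"]["sig"][:12])
    print("would-block rate:", would_block_rate(sample))
```

The design point is in `sign_verdict`: because the mode is applied only after the verdict is signed, flipping `maven` from `soak` to `enforce` changes the HTTP status and nothing in the recorded evidence, which is what makes the trail continuous across a ramp or a rollback.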
