Rollout modes: observe → soak → enforce
The Dependency Firewall ships policy on a curve, not a cliff. Three modes let you watch, then warn, then block — with consistent, signed verdicts at every stage so you can prove what would have happened before it does.
The three modes
| Mode | Behaviour | Use when |
|---|---|---|
| observe | Evaluate every install, record a signed verdict, always forward upstream. Nothing is blocked. | Day 1 — measure what your policy would block. |
| soak | Surface block verdicts as warnings to the developer, but still forward the install. | Once observe is quiet — give teams notice before enforcement. |
| enforce | Return 403 on a block verdict; the install fails. | When the warning rate is acceptable and teams know the rules. |
Per-ecosystem mode
Modes are set per ecosystem, so you can be in enforce for npm while still in observe for Maven. This lets you graduate one toolchain at a time instead of flipping the whole org at once.
policy.yaml

```yaml
firewall:
  modes:
    npm: enforce
    pypi: enforce
    maven: soak
    nuget: observe
```

Recommended ramp
- Week 1–2 — observe. Collect verdicts. Tune the policy until the would-block rate is sane.
- Week 3–4 — soak. Developers see warnings and approval prompts. Wire your bypass channels.
- Week 5+ — enforce. Block verdicts now fail installs; bypass is approval-gated and audited.
Every mode signs the same verdict
A verdict in observe is byte-identical to the one you’d get in enforce — so the audit trail you build while watching is the same evidence you rely on while blocking. Roll back to a softer mode at any time; the trail is continuous.
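To make the per-ecosystem dispatch and the mode-independent verdict concrete, here is an added illustration (not the Dependency Firewall's own code): the mode table mirrors the policy.yaml above, the HMAC signing key is a constructed placeholder, and the policy decision is taken as an input from a hypothetical policy engine. The mode is kept out of the signed body, so the same install yields identical verdict bytes in observe and enforce.

```python
import hashlib
import hmac
import json

# Mirrors the policy.yaml shown above; the dict stands in for a YAML loader.
MODES = {"npm": "enforce", "pypi": "enforce", "maven": "soak", "nuget": "observe"}

# Constructed demo key; a real deployment would use a managed signing key.
SIGNING_KEY = b"constructed-demo-key"


def sign_verdict(ecosystem, package, version, decision, reason):
    """Canonical JSON verdict plus HMAC-SHA256 tag. The mode is deliberately
    not part of the body, so observe/soak/enforce produce identical bytes."""
    record = {"ecosystem": ecosystem, "package": package, "version": version,
              "decision": decision, "reason": reason}
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_verdict(body, tag):
    """Constant-time check of a stored verdict against its tag."""
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def apply_mode(mode, decision):
    """Map the ecosystem's mode and the policy decision to the proxy action."""
    if decision == "allow":
        return {"status": 200, "forward": True, "warn": False}
    if mode == "observe":          # record only, always forward upstream
        return {"status": 200, "forward": True, "warn": False}
    if mode == "soak":             # warn the developer, still forward
        return {"status": 200, "forward": True, "warn": True}
    if mode == "enforce":          # fail the install
        return {"status": 403, "forward": False, "warn": False}
    raise ValueError(f"unknown mode {mode!r}")


def handle_install(modes, ecosystem, package, version, decision, reason):
    """One install request: sign the verdict first, then decide the action.
    An ecosystem with no configured mode raises KeyError (no silent default)."""
    mode = modes[ecosystem]
    body, tag = sign_verdict(ecosystem, package, version, decision, reason)
    action = apply_mode(mode, decision)
    return {"mode": mode, "verdict": body, "tag": tag, **action}
```

Rolling an ecosystem from enforce back to soak changes only the `status`/`forward`/`warn` fields the proxy returns; the stored verdict and its tag are unchanged, which is what keeps the audit trail continuous.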