Problem
Declared audit policy can currently weaken built-in baseline policy by replacing a built-in policy with the same name. gowdk build --allow-insecure is also a blanket bypass for production security findings. That makes the audit model less monotonic than the fail-closed production story implies.
Verified in this checkout:
internal/auditspec.ComposeBaseline replaces a built-in baseline policy when a declared policy has the same name.cmd/gowdk/build_audit.go evaluates baseline plus declared policies during builds, but --allow-insecure downgrades all production errors to warnings.gowdk-security.json currently records posture facts, not waiver metadata or bypass provenance.
Acceptance criteria
- Make built-in baseline errors monotonic by default: declared policies can extend/tighten baseline behavior without silently weakening it.
- Replace implicit overrides with explicit waivers.
- Waivers should include diagnostic code, target, owner, justification, expiry date, optional ticket reference, policy digest, and posture digest.
- Scope build bypasses, for example
--allow-insecure=CODE1,CODE2 or an equivalent explicit target/code mechanism.
- Record every waiver/bypass in
gowdk-security.json, build metadata, human output, and JSON audit output.
- Add tests that a project policy cannot silently suppress a built-in error without a waiver.
- Document migration behavior for existing same-name policy overrides.
Problem
Declared audit policy can currently weaken built-in baseline policy by replacing a built-in policy with the same name.
gowdk build --allow-insecureis also a blanket bypass for production security findings. That makes the audit model less monotonic than the fail-closed production story implies.Verified in this checkout:
internal/auditspec.ComposeBaselinereplaces a built-in baseline policy when a declared policy has the same name.cmd/gowdk/build_audit.goevaluates baseline plus declared policies during builds, but--allow-insecuredowngrades all production errors to warnings.gowdk-security.jsoncurrently records posture facts, not waiver metadata or bypass provenance.Acceptance criteria
--allow-insecure=CODE1,CODE2or an equivalent explicit target/code mechanism.gowdk-security.json, build metadata, human output, and JSON audit output.