Problem
External pin constraints are enforced, but lifecycle operations (freshness handling, review workflow ergonomics, rollback clarity) can be further formalized.
Intent
Improve maintainability and operational clarity while preserving the current policy principle: package files remain source-of-truth for pinned refs.
Scope
- Keep source-of-truth refs in pkgs/ package definitions.
- Keep allowlist metadata in checks/policy-pin-allowlist.nix.
- Improve lifecycle reporting and review workflow documentation.
- Define explicit rollback/update procedure.
Non-goals
- No migration to opaque external policy registries.
- No duplication of pinned refs in policy metadata.
Tasks
- Tighten external pin review runbook and failure handling docs.
- Improve lifecycle script output for issue/PR automation consumption.
- Add any minimal check refinements needed for lifecycle policy invariants.
Acceptance criteria
- Maintainers have a documented review/update/rollback path.
- Lifecycle outputs are actionable and machine-consumable.
- Policy remains single-source and deterministic.