Monitor only
Audit every install. Block nothing.
The proxy logs every package decision with a structured row. Rules ship in monitor mode by default; the daily report tells you which installs would have failed. Zero developer disruption — every CI job, every laptop install passes through the audit log.
Tooling: proxy + dashboard.