""" Dependency risk policy snapshot. Loads the latest committed, read-only CVE / license / drift severity policy. The policy never queries external CVE or license services, installs packages, upgrades dependencies, writes lockfiles, builds images, pulls images, pushes registries, calls paid APIs, creates shadow/canary traffic, or changes production routing. """ from __future__ import annotations import json from pathlib import Path from typing import Any from src.services.snapshot_paths import default_evaluations_dir _DEFAULT_EVALUATIONS_DIR = default_evaluations_dir(Path(__file__)) _SNAPSHOT_PATTERN = "dependency_risk_policy_*.json" _SCHEMA_VERSION = "dependency_risk_policy_v1" def load_latest_dependency_risk_policy( evaluations_dir: Path | None = None, ) -> dict[str, Any]: """Load the newest committed dependency risk policy snapshot.""" directory = evaluations_dir or _DEFAULT_EVALUATIONS_DIR candidates = sorted(directory.glob(_SNAPSHOT_PATTERN)) if not candidates: raise FileNotFoundError(f"no dependency risk policy snapshots found in {directory}") latest = candidates[-1] with latest.open(encoding="utf-8") as handle: payload = json.load(handle) if not isinstance(payload, dict): raise ValueError(f"{latest}: expected JSON object") _require_schema(payload, _SCHEMA_VERSION, str(latest)) _require_read_only_boundaries(payload, str(latest)) _require_operation_boundaries(payload, str(latest)) _require_rollup_consistency(payload, str(latest)) return payload def _require_schema(payload: dict[str, Any], expected: str, label: str) -> None: actual = payload.get("schema_version") if actual != expected: raise ValueError(f"{label}: expected schema_version={expected}, got {actual!r}") def _require_read_only_boundaries(payload: dict[str, Any], label: str) -> None: program_status = payload.get("program_status") or {} if program_status.get("read_only_mode") is not True: raise ValueError(f"{label}: program_status.read_only_mode must be true") boundaries = payload.get("approval_boundaries") or {} blocked_flags = { "sdk_installation_allowed", "paid_api_call_allowed", "shadow_or_canary_allowed", "production_routing_allowed", "destructive_operation_allowed", } allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False) if allowed: raise ValueError(f"{label}: approval boundaries must remain false: {allowed}") def _require_operation_boundaries(payload: dict[str, Any], label: str) -> None: boundaries = payload.get("operation_boundaries") or {} if boundaries.get("read_only_policy_allowed") is not True: raise ValueError(f"{label}: read_only_policy_allowed must be true") blocked_flags = { "external_cve_lookup_allowed", "external_license_lookup_allowed", "package_installation_allowed", "package_upgrade_allowed", "lockfile_write_allowed", "docker_build_allowed", "image_pull_allowed", "image_rebuild_allowed", "registry_push_allowed", "paid_api_call_allowed", "shadow_or_canary_allowed", "production_routing_allowed", } allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False) if allowed: raise ValueError(f"{label}: operation boundaries must remain false: {allowed}") def _require_rollup_consistency(payload: dict[str, Any], label: str) -> None: rules = payload.get("severity_rules") or [] rollups = payload.get("rollups") or {} total = rollups.get("total_rules") if total != len(rules): raise ValueError(f"{label}: rollups.total_rules must equal severity_rules length") by_severity = rollups.get("by_severity") or {} for severity in ("critical", "high", "medium", "low"): actual = sum(1 for rule in rules if rule.get("severity") == severity) if by_severity.get(severity) != actual: raise ValueError(f"{label}: rollups.by_severity.{severity} must match rules") by_status = rollups.get("by_status") or {} for status in ("accepted", "action_required", "planned_next", "blocked"): actual = sum(1 for rule in rules if rule.get("status") == status) expected = by_status.get(status, 0) if expected != actual: raise ValueError(f"{label}: rollups.by_status.{status} must match rules") expected_by_status = { "action_required": set(rollups.get("action_required_rule_ids") or []), "planned_next": set(rollups.get("planned_next_rule_ids") or []), "accepted": set(rollups.get("accepted_rule_ids") or []), } for status, expected_ids in expected_by_status.items(): actual_ids = {rule.get("rule_id") for rule in rules if rule.get("status") == status} if expected_ids != actual_ids: raise ValueError(f"{label}: rollups.{status}_rule_ids must match rules")