""" Dependency upgrade approval package template snapshot. Loads the latest committed, read-only approval package template for dependency upgrades, digest pinning, publish boundary decisions, and external source activation. The template never installs packages, writes manifests or lockfiles, builds images, pulls images, pushes registries, publishes packages, installs SDKs, calls paid APIs, creates shadow/canary traffic, or changes production routing. """ from __future__ import annotations import json from pathlib import Path from typing import Any from src.services.snapshot_paths import default_evaluations_dir _DEFAULT_EVALUATIONS_DIR = default_evaluations_dir(Path(__file__)) _SNAPSHOT_PATTERN = "dependency_upgrade_approval_package_template_*.json" _SCHEMA_VERSION = "dependency_upgrade_approval_package_template_v1" def load_latest_dependency_upgrade_approval_package_template( evaluations_dir: Path | None = None, ) -> dict[str, Any]: """Load the newest committed dependency upgrade approval package template.""" directory = evaluations_dir or _DEFAULT_EVALUATIONS_DIR candidates = sorted(directory.glob(_SNAPSHOT_PATTERN)) if not candidates: raise FileNotFoundError( f"no dependency upgrade approval package template snapshots found in {directory}" ) latest = candidates[-1] with latest.open(encoding="utf-8") as handle: payload = json.load(handle) if not isinstance(payload, dict): raise ValueError(f"{latest}: expected JSON object") _require_schema(payload, _SCHEMA_VERSION, str(latest)) _require_read_only_boundaries(payload, str(latest)) _require_operation_boundaries(payload, str(latest)) _require_rollup_consistency(payload, str(latest)) return payload def _require_schema(payload: dict[str, Any], expected: str, label: str) -> None: actual = payload.get("schema_version") if actual != expected: raise ValueError(f"{label}: expected schema_version={expected}, got {actual!r}") def _require_read_only_boundaries(payload: dict[str, Any], label: str) -> None: program_status = payload.get("program_status") or {} if program_status.get("read_only_mode") is not True: raise ValueError(f"{label}: program_status.read_only_mode must be true") boundaries = payload.get("approval_boundaries") or {} blocked_flags = { "sdk_installation_allowed", "paid_api_call_allowed", "shadow_or_canary_allowed", "production_routing_allowed", "destructive_operation_allowed", } allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False) if allowed: raise ValueError(f"{label}: approval boundaries must remain false: {allowed}") def _require_operation_boundaries(payload: dict[str, Any], label: str) -> None: boundaries = payload.get("operation_boundaries") or {} if boundaries.get("read_only_template_allowed") is not True: raise ValueError(f"{label}: read_only_template_allowed must be true") blocked_flags = { "external_source_activation_allowed", "sdk_installation_allowed", "paid_api_call_allowed", "package_installation_allowed", "package_upgrade_allowed", "lockfile_write_allowed", "manifest_write_allowed", "dockerfile_write_allowed", "docker_build_allowed", "image_pull_allowed", "image_rebuild_allowed", "registry_push_allowed", "package_publish_allowed", "shadow_or_canary_allowed", "production_routing_allowed", } allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False) if allowed: raise ValueError(f"{label}: operation boundaries must remain false: {allowed}") def _require_rollup_consistency(payload: dict[str, Any], label: str) -> None: templates = payload.get("package_templates") or [] rollups = payload.get("rollups") or {} if rollups.get("total_templates") != len(templates): raise ValueError(f"{label}: rollups.total_templates must match package_templates") ready_ids = {template.get("template_id") for template in templates if template.get("status") == "template_ready"} if set(rollups.get("template_ready_ids") or []) != ready_ids: raise ValueError(f"{label}: rollups.template_ready_ids must match template_ready templates") hitl_ids = { template.get("template_id") for template in templates if "HITL approval" in (template.get("manual_approvals") or []) } if set(rollups.get("hitl_required_template_ids") or []) != hitl_ids: raise ValueError(f"{label}: rollups.hitl_required_template_ids must match HITL templates") if (payload.get("decision_gate_contract") or {}).get("hitl_required") is not True: raise ValueError(f"{label}: decision_gate_contract.hitl_required must be true")