""" Backup / DR readiness matrix snapshot. Loads the latest committed, read-only Backup / DR readiness matrix. The matrix is visibility-only; it does not run backups, restore drills, offsite sync, credential marker writes, schedule changes, or destructive prune. """ from __future__ import annotations import json from pathlib import Path from typing import Any from src.services.snapshot_paths import default_evaluations_dir _DEFAULT_EVALUATIONS_DIR = default_evaluations_dir(Path(__file__)) _SNAPSHOT_PATTERN = "backup_dr_readiness_matrix_*.json" _SCHEMA_VERSION = "backup_dr_readiness_matrix_v1" def load_latest_backup_dr_readiness_matrix( evaluations_dir: Path | None = None, ) -> dict[str, Any]: """Load the newest committed Backup / DR readiness matrix snapshot.""" directory = evaluations_dir or _DEFAULT_EVALUATIONS_DIR candidates = sorted(directory.glob(_SNAPSHOT_PATTERN)) if not candidates: raise FileNotFoundError(f"no Backup / DR readiness matrix snapshots found in {directory}") latest = candidates[-1] with latest.open(encoding="utf-8") as handle: payload = json.load(handle) if not isinstance(payload, dict): raise ValueError(f"{latest}: expected JSON object") _require_schema(payload, _SCHEMA_VERSION, str(latest)) _require_read_only_boundaries(payload, str(latest)) _require_operation_boundaries(payload, str(latest)) _require_rollup_consistency(payload, str(latest)) return payload def _require_schema(payload: dict[str, Any], expected: str, label: str) -> None: actual = payload.get("schema_version") if actual != expected: raise ValueError(f"{label}: expected schema_version={expected}, got {actual!r}") def _require_read_only_boundaries(payload: dict[str, Any], label: str) -> None: program_status = payload.get("program_status") or {} if program_status.get("read_only_mode") is not True: raise ValueError(f"{label}: program_status.read_only_mode must be true") boundaries = payload.get("approval_boundaries") or {} blocked_flags = { "sdk_installation_allowed", "paid_api_call_allowed", "shadow_or_canary_allowed", "production_routing_allowed", "destructive_operation_allowed", } allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False) if allowed: raise ValueError(f"{label}: approval boundaries must remain false: {allowed}") def _require_operation_boundaries(payload: dict[str, Any], label: str) -> None: boundaries = payload.get("operation_boundaries") or {} if boundaries.get("read_only_api_allowed") is not True: raise ValueError(f"{label}: read_only_api_allowed must be true") blocked_flags = { "backup_execution_allowed", "restore_execution_allowed", "offsite_sync_execution_allowed", "credential_marker_write_allowed", "schedule_change_allowed", "destructive_prune_allowed", } allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False) if allowed: raise ValueError(f"{label}: operation boundaries must remain false: {allowed}") def _require_rollup_consistency(payload: dict[str, Any], label: str) -> None: rows = payload.get("readiness_rows") or [] rollups = payload.get("rollups") or {} total = rollups.get("total_rows") if total != len(rows): raise ValueError(f"{label}: rollups.total_rows must equal readiness_rows length") blocked_row_ids = set(rollups.get("blocked_row_ids") or []) actual_blocked = {row.get("target_id") for row in rows if row.get("overall_readiness") == "blocked"} if blocked_row_ids != actual_blocked: raise ValueError(f"{label}: rollups.blocked_row_ids must match blocked rows") action_required_ids = set(rollups.get("action_required_row_ids") or []) actual_action_required = { row.get("target_id") for row in rows if row.get("overall_readiness") == "action_required" } if action_required_ids != actual_action_required: raise ValueError(f"{label}: rollups.action_required_row_ids must match action_required rows")