Files
awoooi/apps/api/src/services/dependency_upgrade_approval_package_template.py
Your Name c28212027c
Some checks failed
CD Pipeline / tests (push) Successful in 1m23s
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / build-and-deploy (push) Failing after 3m52s
CD Pipeline / post-deploy-checks (push) Has been skipped
fix(api): resolve snapshot paths in production image
2026-06-04 22:26:44 +08:00

120 lines
4.8 KiB
Python

"""
Dependency upgrade approval package template snapshot.
Loads the latest committed, read-only approval package template for dependency
upgrades, digest pinning, publish boundary decisions, and external source
activation. The template never installs packages, writes manifests or
lockfiles, builds images, pulls images, pushes registries, publishes packages,
installs SDKs, calls paid APIs, creates shadow/canary traffic, or changes
production routing.
"""
from __future__ import annotations
import json
from pathlib import Path
from typing import Any
from src.services.snapshot_paths import default_evaluations_dir
_DEFAULT_EVALUATIONS_DIR = default_evaluations_dir(Path(__file__))
_SNAPSHOT_PATTERN = "dependency_upgrade_approval_package_template_*.json"
_SCHEMA_VERSION = "dependency_upgrade_approval_package_template_v1"
def load_latest_dependency_upgrade_approval_package_template(
evaluations_dir: Path | None = None,
) -> dict[str, Any]:
"""Load the newest committed dependency upgrade approval package template."""
directory = evaluations_dir or _DEFAULT_EVALUATIONS_DIR
candidates = sorted(directory.glob(_SNAPSHOT_PATTERN))
if not candidates:
raise FileNotFoundError(
f"no dependency upgrade approval package template snapshots found in {directory}"
)
latest = candidates[-1]
with latest.open(encoding="utf-8") as handle:
payload = json.load(handle)
if not isinstance(payload, dict):
raise ValueError(f"{latest}: expected JSON object")
_require_schema(payload, _SCHEMA_VERSION, str(latest))
_require_read_only_boundaries(payload, str(latest))
_require_operation_boundaries(payload, str(latest))
_require_rollup_consistency(payload, str(latest))
return payload
def _require_schema(payload: dict[str, Any], expected: str, label: str) -> None:
actual = payload.get("schema_version")
if actual != expected:
raise ValueError(f"{label}: expected schema_version={expected}, got {actual!r}")
def _require_read_only_boundaries(payload: dict[str, Any], label: str) -> None:
program_status = payload.get("program_status") or {}
if program_status.get("read_only_mode") is not True:
raise ValueError(f"{label}: program_status.read_only_mode must be true")
boundaries = payload.get("approval_boundaries") or {}
blocked_flags = {
"sdk_installation_allowed",
"paid_api_call_allowed",
"shadow_or_canary_allowed",
"production_routing_allowed",
"destructive_operation_allowed",
}
allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False)
if allowed:
raise ValueError(f"{label}: approval boundaries must remain false: {allowed}")
def _require_operation_boundaries(payload: dict[str, Any], label: str) -> None:
boundaries = payload.get("operation_boundaries") or {}
if boundaries.get("read_only_template_allowed") is not True:
raise ValueError(f"{label}: read_only_template_allowed must be true")
blocked_flags = {
"external_source_activation_allowed",
"sdk_installation_allowed",
"paid_api_call_allowed",
"package_installation_allowed",
"package_upgrade_allowed",
"lockfile_write_allowed",
"manifest_write_allowed",
"dockerfile_write_allowed",
"docker_build_allowed",
"image_pull_allowed",
"image_rebuild_allowed",
"registry_push_allowed",
"package_publish_allowed",
"shadow_or_canary_allowed",
"production_routing_allowed",
}
allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False)
if allowed:
raise ValueError(f"{label}: operation boundaries must remain false: {allowed}")
def _require_rollup_consistency(payload: dict[str, Any], label: str) -> None:
templates = payload.get("package_templates") or []
rollups = payload.get("rollups") or {}
if rollups.get("total_templates") != len(templates):
raise ValueError(f"{label}: rollups.total_templates must match package_templates")
ready_ids = {template.get("template_id") for template in templates if template.get("status") == "template_ready"}
if set(rollups.get("template_ready_ids") or []) != ready_ids:
raise ValueError(f"{label}: rollups.template_ready_ids must match template_ready templates")
hitl_ids = {
template.get("template_id")
for template in templates
if "HITL approval" in (template.get("manual_approvals") or [])
}
if set(rollups.get("hitl_required_template_ids") or []) != hitl_ids:
raise ValueError(f"{label}: rollups.hitl_required_template_ids must match HITL templates")
if (payload.get("decision_gate_contract") or {}).get("hitl_required") is not True:
raise ValueError(f"{label}: decision_gate_contract.hitl_required must be true")