120 lines
4.8 KiB
Python
120 lines
4.8 KiB
Python
"""
|
|
Dependency upgrade approval package template snapshot.
|
|
|
|
Loads the latest committed, read-only approval package template for dependency
|
|
upgrades, digest pinning, publish boundary decisions, and external source
|
|
activation. The template never installs packages, writes manifests or
|
|
lockfiles, builds images, pulls images, pushes registries, publishes packages,
|
|
installs SDKs, calls paid APIs, creates shadow/canary traffic, or changes
|
|
production routing.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import json
|
|
from pathlib import Path
|
|
from typing import Any
|
|
|
|
from src.services.snapshot_paths import default_evaluations_dir
|
|
|
|
_DEFAULT_EVALUATIONS_DIR = default_evaluations_dir(Path(__file__))
|
|
_SNAPSHOT_PATTERN = "dependency_upgrade_approval_package_template_*.json"
|
|
_SCHEMA_VERSION = "dependency_upgrade_approval_package_template_v1"
|
|
|
|
|
|
def load_latest_dependency_upgrade_approval_package_template(
|
|
evaluations_dir: Path | None = None,
|
|
) -> dict[str, Any]:
|
|
"""Load the newest committed dependency upgrade approval package template."""
|
|
directory = evaluations_dir or _DEFAULT_EVALUATIONS_DIR
|
|
candidates = sorted(directory.glob(_SNAPSHOT_PATTERN))
|
|
if not candidates:
|
|
raise FileNotFoundError(
|
|
f"no dependency upgrade approval package template snapshots found in {directory}"
|
|
)
|
|
|
|
latest = candidates[-1]
|
|
with latest.open(encoding="utf-8") as handle:
|
|
payload = json.load(handle)
|
|
|
|
if not isinstance(payload, dict):
|
|
raise ValueError(f"{latest}: expected JSON object")
|
|
_require_schema(payload, _SCHEMA_VERSION, str(latest))
|
|
_require_read_only_boundaries(payload, str(latest))
|
|
_require_operation_boundaries(payload, str(latest))
|
|
_require_rollup_consistency(payload, str(latest))
|
|
return payload
|
|
|
|
|
|
def _require_schema(payload: dict[str, Any], expected: str, label: str) -> None:
|
|
actual = payload.get("schema_version")
|
|
if actual != expected:
|
|
raise ValueError(f"{label}: expected schema_version={expected}, got {actual!r}")
|
|
|
|
|
|
def _require_read_only_boundaries(payload: dict[str, Any], label: str) -> None:
|
|
program_status = payload.get("program_status") or {}
|
|
if program_status.get("read_only_mode") is not True:
|
|
raise ValueError(f"{label}: program_status.read_only_mode must be true")
|
|
|
|
boundaries = payload.get("approval_boundaries") or {}
|
|
blocked_flags = {
|
|
"sdk_installation_allowed",
|
|
"paid_api_call_allowed",
|
|
"shadow_or_canary_allowed",
|
|
"production_routing_allowed",
|
|
"destructive_operation_allowed",
|
|
}
|
|
allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False)
|
|
if allowed:
|
|
raise ValueError(f"{label}: approval boundaries must remain false: {allowed}")
|
|
|
|
|
|
def _require_operation_boundaries(payload: dict[str, Any], label: str) -> None:
|
|
boundaries = payload.get("operation_boundaries") or {}
|
|
if boundaries.get("read_only_template_allowed") is not True:
|
|
raise ValueError(f"{label}: read_only_template_allowed must be true")
|
|
|
|
blocked_flags = {
|
|
"external_source_activation_allowed",
|
|
"sdk_installation_allowed",
|
|
"paid_api_call_allowed",
|
|
"package_installation_allowed",
|
|
"package_upgrade_allowed",
|
|
"lockfile_write_allowed",
|
|
"manifest_write_allowed",
|
|
"dockerfile_write_allowed",
|
|
"docker_build_allowed",
|
|
"image_pull_allowed",
|
|
"image_rebuild_allowed",
|
|
"registry_push_allowed",
|
|
"package_publish_allowed",
|
|
"shadow_or_canary_allowed",
|
|
"production_routing_allowed",
|
|
}
|
|
allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False)
|
|
if allowed:
|
|
raise ValueError(f"{label}: operation boundaries must remain false: {allowed}")
|
|
|
|
|
|
def _require_rollup_consistency(payload: dict[str, Any], label: str) -> None:
|
|
templates = payload.get("package_templates") or []
|
|
rollups = payload.get("rollups") or {}
|
|
if rollups.get("total_templates") != len(templates):
|
|
raise ValueError(f"{label}: rollups.total_templates must match package_templates")
|
|
|
|
ready_ids = {template.get("template_id") for template in templates if template.get("status") == "template_ready"}
|
|
if set(rollups.get("template_ready_ids") or []) != ready_ids:
|
|
raise ValueError(f"{label}: rollups.template_ready_ids must match template_ready templates")
|
|
|
|
hitl_ids = {
|
|
template.get("template_id")
|
|
for template in templates
|
|
if "HITL approval" in (template.get("manual_approvals") or [])
|
|
}
|
|
if set(rollups.get("hitl_required_template_ids") or []) != hitl_ids:
|
|
raise ValueError(f"{label}: rollups.hitl_required_template_ids must match HITL templates")
|
|
|
|
if (payload.get("decision_gate_contract") or {}).get("hitl_required") is not True:
|
|
raise ValueError(f"{label}: decision_gate_contract.hitl_required must be true")
|