feat(governance): add agent market automation surfaces

apps/api/src/services/javascript_package_inventory.py

@@ -0,0 +1,139 @@
+"""
+JavaScript / pnpm 套件盤點快照。
+
+只讀取已提交的 JSON 快照；不安裝套件、不升級套件、不寫 lockfile、
+不呼叫外部 CVE / audit 服務、不改生產路由。
+"""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+from typing import Any
+
+_REPO_ROOT = Path(__file__).resolve().parents[4]
+_DEFAULT_EVALUATIONS_DIR = _REPO_ROOT / "docs" / "evaluations"
+_SNAPSHOT_PATTERN = "javascript_package_inventory_*.json"
+_SCHEMA_VERSION = "javascript_package_inventory_v1"
+
+
+def load_latest_javascript_package_inventory(
+    evaluations_dir: Path | None = None,
+) -> dict[str, Any]:
+    """載入最新已提交的 JavaScript / pnpm 套件盤點快照。"""
+    directory = evaluations_dir or _DEFAULT_EVALUATIONS_DIR
+    candidates = sorted(directory.glob(_SNAPSHOT_PATTERN))
+    if not candidates:
+        raise FileNotFoundError(f"no JavaScript package inventory snapshots found in {directory}")
+
+    latest = candidates[-1]
+    with latest.open(encoding="utf-8") as handle:
+        payload = json.load(handle)
+
+    if not isinstance(payload, dict):
+        raise ValueError(f"{latest}: expected JSON object")
+    _require_schema(payload, _SCHEMA_VERSION, str(latest))
+    _require_read_only_boundaries(payload, str(latest))
+    _require_operation_boundaries(payload, str(latest))
+    _require_rollup_consistency(payload, str(latest))
+    return payload
+
+
+def _require_schema(payload: dict[str, Any], expected: str, label: str) -> None:
+    actual = payload.get("schema_version")
+    if actual != expected:
+        raise ValueError(f"{label}: expected schema_version={expected}, got {actual!r}")
+
+
+def _require_read_only_boundaries(payload: dict[str, Any], label: str) -> None:
+    program_status = payload.get("program_status") or {}
+    if program_status.get("read_only_mode") is not True:
+        raise ValueError(f"{label}: program_status.read_only_mode must be true")
+
+    boundaries = payload.get("approval_boundaries") or {}
+    blocked_flags = {
+        "sdk_installation_allowed",
+        "paid_api_call_allowed",
+        "shadow_or_canary_allowed",
+        "production_routing_allowed",
+        "destructive_operation_allowed",
+    }
+    allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False)
+    if allowed:
+        raise ValueError(f"{label}: approval boundaries must remain false: {allowed}")
+
+
+def _require_operation_boundaries(payload: dict[str, Any], label: str) -> None:
+    boundaries = payload.get("operation_boundaries") or {}
+    if boundaries.get("read_only_api_allowed") is not True:
+        raise ValueError(f"{label}: read_only_api_allowed must be true")
+
+    blocked_flags = {
+        "package_installation_allowed",
+        "package_upgrade_allowed",
+        "lockfile_write_allowed",
+        "external_cve_lookup_allowed",
+        "npm_audit_allowed",
+        "pnpm_install_allowed",
+        "production_routing_allowed",
+    }
+    allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False)
+    if allowed:
+        raise ValueError(f"{label}: operation boundaries must remain false: {allowed}")
+
+    lockfile_summary = payload.get("lockfile_summary") or {}
+    if lockfile_summary.get("write_allowed") is not False:
+        raise ValueError(f"{label}: lockfile_summary.write_allowed must be false")
+
+
+def _require_rollup_consistency(payload: dict[str, Any], label: str) -> None:
+    workspaces = payload.get("workspaces") or []
+    rollups = payload.get("rollups") or {}
+    total = rollups.get("total_workspaces")
+    if total != len(workspaces):
+        raise ValueError(f"{label}: rollups.total_workspaces must equal workspaces length")
+
+    action_required = set(rollups.get("action_required_workspace_ids") or [])
+    actual_action_required = {
+        workspace.get("workspace_id")
+        for workspace in workspaces
+        if workspace.get("status") == "action_required"
+    }
+    if action_required != actual_action_required:
+        raise ValueError(
+            f"{label}: rollups.action_required_workspace_ids must match action_required workspaces"
+        )
+
+    planned_next = set(rollups.get("planned_next_workspace_ids") or [])
+    actual_planned_next = {
+        workspace.get("workspace_id")
+        for workspace in workspaces
+        if workspace.get("status") == "planned_next"
+    }
+    if planned_next != actual_planned_next:
+        raise ValueError(
+            f"{label}: rollups.planned_next_workspace_ids must match planned_next workspaces"
+        )
+
+    total_dependencies = sum(
+        (workspace.get("dependency_counts") or {}).get("total", 0)
+        for workspace in workspaces
+    )
+    if rollups.get("total_direct_dependencies") != total_dependencies:
+        raise ValueError(
+            f"{label}: rollups.total_direct_dependencies must equal workspace dependency totals"
+        )
+
+    drift = payload.get("lockfile_drift") or {}
+    if rollups.get("manifest_lock_mismatch_count") != len(drift.get("specifier_mismatches") or []):
+        raise ValueError(
+            f"{label}: rollups.manifest_lock_mismatch_count must equal specifier_mismatches length"
+        )
+    if rollups.get("missing_in_lockfile_count") != len(drift.get("missing_in_lockfile") or []):
+        raise ValueError(
+            f"{label}: rollups.missing_in_lockfile_count must equal missing_in_lockfile length"
+        )
+    if rollups.get("extra_in_lockfile_count") != len(drift.get("extra_in_lockfile") or []):
+        raise ValueError(
+            f"{label}: rollups.extra_in_lockfile_count must equal extra_in_lockfile length"
+        )