256975e10c
Add snapshot, signature, and drift guard support for Vertex AI, Cloudflare Workers AI, and Perplexity API, backed by a queryable audit table and recent-window view. This commit also wires the audit query layer into daily signal materialization and report generation so structure drift becomes a first-class signal instead of a log-only artifact.
137 lines
4.9 KiB
Go
137 lines
4.9 KiB
Go
//go:build llm_script
|
|
|
|
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
type cloudflarePricingSignatureGuardConfig struct {
|
|
URL string
|
|
Fixture string
|
|
SnapshotDir string
|
|
BaselinePath string
|
|
Timeout time.Duration
|
|
AllowBootstrap bool
|
|
}
|
|
|
|
type cloudflarePricingSignatureGuardResult struct {
|
|
SnapshotPath string
|
|
SignaturePath string
|
|
BaselinePath string
|
|
DriftDetected bool
|
|
BaselineInitialized bool
|
|
PreviousBaselineHash string
|
|
CurrentSignature markdownPricingStructureSignature
|
|
}
|
|
|
|
func runCloudflarePricingSignatureGuard(cfg cloudflarePricingSignatureGuardConfig, now time.Time) (cloudflarePricingSignatureGuardResult, error) {
|
|
snapshotDir := cfg.SnapshotDir
|
|
if snapshotDir == "" {
|
|
snapshotDir = filepath.Join("logs", "cloudflare-pricing-snapshots")
|
|
}
|
|
if err := os.MkdirAll(snapshotDir, 0o755); err != nil {
|
|
return cloudflarePricingSignatureGuardResult{}, fmt.Errorf("mkdir snapshot dir: %w", err)
|
|
}
|
|
|
|
snapshotPath, signaturePath := resolveCloudflarePricingSnapshotPaths("", "", snapshotDir, now)
|
|
baselinePath := cfg.BaselinePath
|
|
if baselinePath == "" {
|
|
baselinePath = filepath.Join(snapshotDir, "baseline.signature.json")
|
|
}
|
|
|
|
clientCfg := cloudflarePricingImportConfig{
|
|
URL: cfg.URL,
|
|
Fixture: cfg.Fixture,
|
|
DryRun: true,
|
|
Timeout: cfg.Timeout,
|
|
SnapshotOnly: true,
|
|
SnapshotOut: snapshotPath,
|
|
SignatureOut: signaturePath,
|
|
}
|
|
if err := runCloudflarePricingImport(clientCfg, nil, ioDiscard{}); err != nil {
|
|
return cloudflarePricingSignatureGuardResult{}, err
|
|
}
|
|
|
|
current, err := readMarkdownPricingStructureSignature(signaturePath)
|
|
if err != nil {
|
|
return cloudflarePricingSignatureGuardResult{}, err
|
|
}
|
|
result := cloudflarePricingSignatureGuardResult{
|
|
SnapshotPath: snapshotPath,
|
|
SignaturePath: signaturePath,
|
|
BaselinePath: baselinePath,
|
|
CurrentSignature: current,
|
|
}
|
|
|
|
previous, err := readMarkdownPricingStructureSignature(baselinePath)
|
|
if err != nil {
|
|
if os.IsNotExist(err) {
|
|
if !cfg.AllowBootstrap {
|
|
return result, fmt.Errorf("cloudflare pricing baseline missing: %s", baselinePath)
|
|
}
|
|
if err := copyFileCommon(signaturePath, baselinePath); err != nil {
|
|
return result, fmt.Errorf("initialize baseline: %w", err)
|
|
}
|
|
result.BaselineInitialized = true
|
|
return result, nil
|
|
}
|
|
return result, err
|
|
}
|
|
|
|
result.PreviousBaselineHash = previous.StructureSHA256
|
|
if previous.StructureSHA256 != current.StructureSHA256 {
|
|
result.DriftDetected = true
|
|
return result, fmt.Errorf(
|
|
"cloudflare pricing structure drift detected: baseline=%s current=%s baseline_path=%s signature_path=%s snapshot_path=%s",
|
|
previous.StructureSHA256, current.StructureSHA256, baselinePath, signaturePath, snapshotPath,
|
|
)
|
|
}
|
|
return result, nil
|
|
}
|
|
|
|
func formatCloudflarePricingSignatureGuardSummary(result cloudflarePricingSignatureGuardResult) string {
|
|
return fmt.Sprintf(
|
|
"source=cloudflare-pricing-signature-guard drift=%t baseline_initialized=%t structure_sha256=%s previous_baseline_sha256=%s snapshot_out=%s signature_out=%s baseline_path=%s",
|
|
result.DriftDetected,
|
|
result.BaselineInitialized,
|
|
result.CurrentSignature.StructureSHA256,
|
|
emptyIfBlank(result.PreviousBaselineHash),
|
|
result.SnapshotPath,
|
|
result.SignaturePath,
|
|
result.BaselinePath,
|
|
)
|
|
}
|
|
|
|
func buildCloudflarePricingSignatureAuditRecord(cfg cloudflarePricingSignatureGuardConfig, result cloudflarePricingSignatureGuardResult, checkedAt time.Time, runErr error) officialImportSignatureAuditRecord {
|
|
record := officialImportSignatureAuditRecord{
|
|
SourceKey: "cloudflare_pricing_signature",
|
|
CheckedAt: checkedAt,
|
|
Status: officialImportSignatureAuditStatus(result.DriftDetected, result.BaselineInitialized, runErr),
|
|
DriftDetected: result.DriftDetected,
|
|
BaselineInitialized: result.BaselineInitialized,
|
|
SourceURL: strings.TrimSpace(cfg.URL),
|
|
FixturePath: strings.TrimSpace(cfg.Fixture),
|
|
SnapshotPath: strings.TrimSpace(result.SnapshotPath),
|
|
SignaturePath: strings.TrimSpace(result.SignaturePath),
|
|
BaselinePath: strings.TrimSpace(result.BaselinePath),
|
|
StructureSHA256: strings.TrimSpace(result.CurrentSignature.StructureSHA256),
|
|
PreviousStructureSHA256: strings.TrimSpace(result.PreviousBaselineHash),
|
|
ByteSize: result.CurrentSignature.ByteSize,
|
|
ErrorMessage: errorMessageText(runErr),
|
|
}
|
|
if hasMarkdownPricingStructureSignature(result.CurrentSignature) {
|
|
signatureCopy := result.CurrentSignature
|
|
record.SignaturePayload = &signatureCopy
|
|
}
|
|
return record
|
|
}
|
|
|
|
func persistCloudflarePricingSignatureAuditIfConfigured(cfg cloudflarePricingSignatureGuardConfig, result cloudflarePricingSignatureGuardResult, checkedAt time.Time, runErr error) error {
|
|
return persistOfficialImportSignatureAuditIfConfigured(buildCloudflarePricingSignatureAuditRecord(cfg, result, checkedAt, runErr))
|
|
}
|