v1.108.93 - Upstream exposure links (get_endpoint_impact include_infra exposes)
P2 of the endpoint-scoped infrastructure blast radius. get_endpoint_impact(include_infra=true) now answers the upstream question alongside the downstream one shipped in v1.108.91: what infrastructure exposes the app that serves this endpoint?
The previously empty infra.exposes[] is populated with evidence-anchored links, each carrying a mandatory precision field:
compose_port- a compose service whosebuild_contextcontains a blast-radius file and which publishes portsk8s_service- a Service whose selector matches the pod labels of a workload running an anchored image, or that backs a path-matched Ingress rule (works in k8s-only repos)k8s_ingress- an Ingress rule routing to an anchored Service, or one whose path rule literally names the resolved endpoint path
precision: ingress_path is granted only when an Ingress path rule names the endpoint path - the one manifest construct that encodes a route. Everything else is host_port ("exposes the app, not this specific route"). Ambiguous resources are skipped, not guessed, and a _meta.honest_note states the semantics whenever exposes is non-empty.
Enabler: the K8s manifest parser now captures Service selectors and service-level ports, Ingress rules (v1 and legacy backends), and workload pod-template labels - additive keys, present only when non-empty.
Default include_infra=false output remains byte-identical. No new tool parameters, no INDEX_VERSION bump, read-only throughout. Full suite 4911 passed / 10 skipped; +9 tests.
See CHANGELOG.md for details.