Skip to content

v1.108.93 - Upstream exposure links (get_endpoint_impact include_infra exposes)

Choose a tag to compare

@jgravelle jgravelle released this 02 Jul 13:38

P2 of the endpoint-scoped infrastructure blast radius. get_endpoint_impact(include_infra=true) now answers the upstream question alongside the downstream one shipped in v1.108.91: what infrastructure exposes the app that serves this endpoint?

The previously empty infra.exposes[] is populated with evidence-anchored links, each carrying a mandatory precision field:

  • compose_port - a compose service whose build_context contains a blast-radius file and which publishes ports
  • k8s_service - a Service whose selector matches the pod labels of a workload running an anchored image, or that backs a path-matched Ingress rule (works in k8s-only repos)
  • k8s_ingress - an Ingress rule routing to an anchored Service, or one whose path rule literally names the resolved endpoint path

precision: ingress_path is granted only when an Ingress path rule names the endpoint path - the one manifest construct that encodes a route. Everything else is host_port ("exposes the app, not this specific route"). Ambiguous resources are skipped, not guessed, and a _meta.honest_note states the semantics whenever exposes is non-empty.

Enabler: the K8s manifest parser now captures Service selectors and service-level ports, Ingress rules (v1 and legacy backends), and workload pod-template labels - additive keys, present only when non-empty.

Default include_infra=false output remains byte-identical. No new tool parameters, no INDEX_VERSION bump, read-only throughout. Full suite 4911 passed / 10 skipped; +9 tests.

See CHANGELOG.md for details.