o ưiՐ@sUdZddlZddlmZmZddlmZmZmZmZm Z m Z ddl m Z ddl mZmZmZmZmZmZmZmZmZmZerEddlmZdZd ed efd d ZGd ddZdae eed<d efddZdS)z Policy Registry - In-memory storage for policies. Handles storing, retrieving, and managing policies. Policies define WHAT guardrails to apply. WHERE they apply is defined by policy_attachments (see AttachmentRegistry). N)datetimetimezone) TYPE_CHECKINGAnyDictListOptionalTuple)verbose_proxy_logger) GuardrailPipeline PipelineStepPolicyPolicyConditionPolicyCreateRequestPolicyDBResponsePolicyGuardrailsPolicyUpdateRequestPolicyVersionCompareResponsePolicyVersionListResponse) PrismaClientZpolicy_rowreturncCstdid|jd|jdt|dddt|dddt|ddd t|d d d t|d dd t|d dd |jd|jd|jpBgd|jpcgd|jd|j d|j d|j d|j d|j Sd|jd|j d|j d|j d|j d|j S)z=Build PolicyDBResponse from a Prisma LiteLLM_PolicyTable row. policy_id policy_nameversion_numberversion_status productionparent_version_idN is_latestT published_at production_atinherit descriptionguardrails_addguardrails_remove conditionpipeline created_at updated_at created_by updated_by)rrrgetattrr"r#r$r%r&r'r(r)r*r+)rr,r,b/home/app/Keep/.python/lib/python3.10/site-packages/litellm/proxy/policy_engine/policy_registry.py_row_to_policy_db_responsesh             r/c @seZdZdZddZdeeefddfddZd ed eeefde fd d Z e d e eeefde e fddZd ede e fddZdeee ffddZdeefddZd edefddZdefddZdFddZd ede ddfddZd edefdd Z dGd!ed"d#d$e edefd%d&Z dGd'ed!ed"d#d(e edef d)d*Zd'ed"d#deeeffd+d,Zd'ed"d#de efd-d.Zd'ede e ee ffd/d0Z! dGd"d#d1e edeefd2d3Z" " #  dHd4d5Z#d ed"d#deefd6d7Z$d ed"d#de%fd8d9Z&  dId ed"d#d:e ed$e edef d;d<Z' dGd'ed=ed"d#d(e edef d>d?Z(d@edAed"d#de)fdBdCZ*d ed"d#deeeffdDdEZ+dS)JPolicyRegistryaT In-memory registry for storing and managing policies. This is a singleton that holds all loaded policies and provides methods to access them. Policies define WHAT guardrails to apply: - Base guardrails via guardrails.add/remove - Inheritance via inherit field - Conditional guardrails via condition.model cCsi|_i|_d|_dS)NF) _policies_policies_by_id _initializedselfr,r,r.__init__Ds zPolicyRegistry.__init__policies_configrNc Csi|_i|_|D]?\}}z|||}||j|<td|Wq tyI}ztd|dt|t d|dt||d}~wwd|_ t dt |jddS) z Load policies from a configuration dictionary. Args: policies_config: Dictionary mapping policy names to policy definitions. This is the raw config from the YAML file. zLoaded policy: zError loading policy 'z': zInvalid policy 'NTzLoaded z policies) r1r2items _parse_policyr debug Exceptionerrorstr ValueErrorr3infolen)r5r7r policy_datapolicyer,r,r. load_policiesIs   zPolicyRegistry.load_policiesrrAcCs|di}t|trt|d|dd}n t|r|ndd}d}|d}|r2t|dd }t|d }t|d |d |||d S)z Parse a policy from raw configuration data. Args: policy_name: Name of the policy policy_data: Raw policy configuration Returns: Parsed Policy object guardrailsaddremoverFrGN)rFr&model)rIr'r"r#r"r#rEr&r')get isinstancedictrrr0_parse_pipeliner )r5rrAZguardrails_datarEr&Zcondition_datar'r,r,r.r9bs*   zPolicyRegistry._parse_policy pipeline_datacCs:|durdS|dg}dd|D}t|dd|dS)z-Parse a pipeline configuration from raw data.NstepscSs(g|]}t|trtdi|n|qS)r,)rLrMr ).0Z step_datar,r,r. sz2PolicyRegistry._parse_pipeline..modeZpre_call)rSrP)rKr )rOZ steps_datarPr,r,r.rNs  zPolicyRegistry._parse_pipelinecC |j|S)z Get a policy by name. Args: policy_name: Name of the policy to retrieve Returns: Policy object if found, None otherwise )r1rKr5rr,r,r. get_policys zPolicyRegistry.get_policycCs |jS)zz Get all loaded policies. Returns: Dictionary mapping policy names to Policy objects )r1copyr4r,r,r.get_all_policiess zPolicyRegistry.get_all_policiescCst|jS)zb Get list of all policy names. Returns: List of policy names )listr1keysr4r,r,r.get_policy_namesszPolicyRegistry.get_policy_namescCs ||jvS)z Check if a policy exists. Args: policy_name: Name of the policy to check Returns: True if policy exists, False otherwise )r1rUr,r,r. has_policys zPolicyRegistry.has_policycCs|jS)z Check if the registry has been initialized with policies. Returns: True if policies have been loaded, False otherwise )r3r4r,r,r.is_initializedszPolicyRegistry.is_initializedcCsi|_d|_dS)z7 Clear all policies from the registry. FN)r1r3r4r,r,r.clears zPolicyRegistry.clearrBcCs||j|<td|dS)z Add or update a single policy. Args: policy_name: Name of the policy policy: Policy object to add zAdded/updated policy: Nr1r r:)r5rrBr,r,r. add_policys zPolicyRegistry.add_policycCs*||jvr|j|=td|dSdS)z Remove a policy by name. Args: policy_name: Name of the policy to remove Returns: True if policy was removed, False if it didn't exist zRemoved policy: TFr_rUr,r,r. remove_policys zPolicyRegistry.remove_policypolicy_request prisma_clientrr*c sbzttj}|jddd||jpg|jpg||d }|jdur%|j|d<|jdur/|j|d<|dur;||d<||d <|j durJt |j |d <|j dur`tdi|j }t | |d <|jjj|d IdH}||j|j|j|j|jd |j r|j nd|j d}||j|t|WSty} ztd| tdt| d} ~ ww)a' Add a policy to the database. Args: policy_request: The policy creation request prisma_client: The Prisma client instance created_by: User who created the policy Returns: PolicyDBResponse with the created policy rrT) rrrrr!r$r%r(r)Nr"r#r*r+r&r'datarHrJzError adding policy to DB: r,)rnowrutcrr$r%r"r#r&jsondumps model_dumpr'r dblitellm_policytablecreater9r`r/r;r exceptionr=) r5rbrcr*rfrevalidated_pipelineZcreated_policyrBrCr,r,r.add_policy_to_dbs`         zPolicyRegistry.add_policy_to_dbrr+c szz|jjjd|idIdH}|durtd|dt|dd}|dkr-td |d ttj|d }|j dur@|j |d <|j durJ|j |d <|j durT|j |d<|j dur^|j |d<|j durh|j |d<|jdurwt|j|d<|jdurtdi|j}t||d<|jjjd|i|dIdH} t| WSty} ztd| tdt| d} ~ ww)a Update a policy in the database. Only draft versions can be updated. Args: policy_id: The ID of the policy to update policy_request: The policy update request prisma_client: The Prisma client instance updated_by: User who updated the policy Returns: PolicyDBResponse with the updated policy Raises: Exception: If policy is not in draft status (only drafts are editable). rwhereNPolicy with ID not foundrrdraftz to execute a specific version (e.g. published or draft). The cache is populated by sync_policies_from_db, which loads draft and published versions keyed by policy_id. Args: policy_id: The policy version ID (raw UUID, no prefix) Returns: (policy_name, Policy) if found, None otherwise )r2rK)r5rr,r,r.get_policy_by_id_for_requests z+PolicyRegistry.get_policy_by_id_for_requestrc sz$i}|dur ||d<|jjj|r|ndddidIdH}dd|DWStyB}ztd|tdt|d}~ww) ak Get all policies from the database, optionally filtered by version_status. Args: prisma_client: The Prisma client instance version_status: If set, only return policies with this status ("draft", "published", "production"). Returns: List of PolicyDBResponse objects Nrr(descrrordercSg|]}t|qSr,r/)rQpr,r,r.rRz;PolicyRegistry.get_all_policies_from_db..z Error getting policies from DB: )rkrl find_manyr;r rnr=)r5rcrrrpoliciesrCr,r,r.get_all_policies_from_dbs  z'PolicyRegistry.get_all_policies_from_dbc sFzi|_|j|ddIdH}|D]}||j|j|j|j|jd|j|j d}| |j|qi|_ |j j jdddd giid d id IdH}|D]%}||j|j|j|jpXg|jp\gd|j|j d}|j|f|j |j<qJd |_tdt|dt|dWdSty}ztd|tdt|d}~ww)aM Sync policies from the database to in-memory registry. - Production versions are loaded into _policies (by policy name) for resolution. - Draft and published versions are loaded into _policies_by_id so request-body policy_ overrides can be resolved without DB access in the hot path. rrNrHrJrinru publishedr(rrTzSynced z production policies and z6 draft/published (by ID) from DB to in-memory registryz Error syncing policies from DB: )r1rr9rr"r#r$r%r&r'r`r2rkrlrrr3r r?r@r;rnr=)r5rcrpolicy_responserBZnon_productionrrCr,r,r.sync_policies_from_dbs\      z$PolicyRegistry.sync_policies_from_dbc sddlm}z:|j|ddIdH}i}|D]}||j|j|j|j|jd|j |j d}|||j<q|j ||dd}t |j WSty^} ztd | td t| d} ~ ww) aU Resolve all guardrails for a policy from the database. Uses the existing PolicyResolver to handle inheritance chain resolution. Args: policy_name: Name of the policy to resolve prisma_client: The Prisma client instance Returns: List of resolved guardrail names r)PolicyResolverrrNrHrJ)rrcontextz$Error resolving guardrails from DB: )Z+litellm.proxy.policy_engine.policy_resolverrrr9rr"r#r$r%r&r'Zresolve_policy_guardrailssortedrEr;r rnr=) r5rrcrrZ temp_policiesrrBZresolved_policyrCr,r,r.resolve_guardrails_from_dbCs>    z)PolicyRegistry.resolve_guardrails_from_dbc sz!|jjjd|iddidIdH}dd|D}t||t|dWSty?}ztd |td t|d}~ww) a, Get all versions of a policy by name, ordered by version_number descending. Args: policy_name: Name of the policy prisma_client: The Prisma client instance Returns: PolicyVersionListResponse with policy_name and list of versions rrrrNcSrr,r)rQrr,r,r.rRrz>PolicyRegistry.get_versions_by_policy_name..)rversionsZ total_countzError getting versions: ) rkrlrrr@r;r rnr=)r5rrcrowsrrCr,r,r.get_versions_by_policy_namezs" z*PolicyRegistry.get_versions_by_policy_namesource_policy_idc sz|dur1|jjjd|idIdH}|durtd|d|j|kr0td|jd|dn|jjj|d d dIdH}|durKtd |d|}|jjjd |id didIdH}|rd|jdnd}tt j } |jjj d |iddidIdH||d|j ddd|j |j|jpg|jpg| | ||d} |jdurt|jtrt|jn|j| d<|jdurt|jtrt|jn|j| d<|jjj| dIdH} t| WSty} ztd| tdt| d} ~ ww)a Create a new draft version of a policy. Copies all fields from the source. Source is current production if source_policy_id is None. Args: policy_name: Name of the policy prisma_client: The Prisma client instance source_policy_id: Policy ID to clone from; if None, use current production created_by: User who created the version Returns: PolicyDBResponse for the new draft version NrrqzSource policy rtzSource policy name 'z' does not match ''rrrz(No production version found for policy 'rrrrrrFrwruT)rrrrrr r!r"r#r$r%r(r)r*r+r&r'rdzError creating new version: )rkrlrxr;rZ find_firstrrrfrrg update_manyrr"r#r$r%r&rLrMrhrir'rmr/r rnr=) r5rrcrr*sourceprodZlatestZnext_numrfrecreatedrCr,r,r.create_new_versions            z!PolicyRegistry.create_new_version new_statusc sz|dvrtd|d|jjjd|idIdH}|dur'td|dt|d d }|j}ttj }|d kr^|d krFtd |d|jjj d|id |||ddIdH} t | WS|dvrjtd|d|d krrtd|jjj |d dd ||ddIdH|jjj d|id |||ddIdH} | |||| j| j| jpg| jpgd| j| jd} ||| t | WSty} ztd| tdt| d} ~ ww)a Update a policy version's status. Valid transitions: - draft -> published (sets published_at) - published -> production (sets production_at, demotes current production to published, updates in-memory) - production -> published (demotes, removes from in-memory) - draft -> production: NOT allowed (must publish first) - published -> draft: NOT allowed Args: policy_id: The policy version ID new_status: "published" or "production" prisma_client: The Prisma client instance updated_by: User who updated Returns: PolicyDBResponse for the updated version )rrzInvalid status 'z#'. Use 'published' or 'production'.rrqNrsrtrrrruz7Only draft versions can be published. Current status: 'rv)rr r)r+rw)rurzJOnly draft or published versions can be promoted to production. Current: 'zGCannot promote draft directly to production. Publish the version first.r)rr)r+)rr!r)r+rHrJzError updating version status: )r;rkrlrxr-rrrfrrgryr/rrar9r"r#r$r%r&r'r`r rnr=) r5rrrcr+rcurrentrrfupdatedrBrCr,r,r.update_version_statuss           z$PolicyRegistry.update_version_status policy_id_a policy_id_bc szb|jjjd|idIdH}|jjjd|idIdH}|dur(td|d|dur4td|dt|}t|}gd}i} |D]} t|| } t|| } | | kr[| | d| | <qDt||| dWSty} ztd | td t | d} ~ ww) aT Compare two policy versions and return field-by-field diffs. Args: policy_id_a: First policy version ID policy_id_b: Second policy version ID prisma_client: The Prisma client instance Returns: PolicyVersionCompareResponse with both versions and field_diffs rrqNr}rt)r"r#r$r%r&r') version_a version_b)rr field_diffszError comparing versions: ) rkrlrxr;r/r-rr rnr=)r5rrrcabZresp_aZresp_bZcompare_fieldsrfieldZval_aZval_brCr,r,r.compare_versionsis@    zPolicyRegistry.compare_versionsc stz|jjjd|idIdH||dd|diWSty9}ztd|tdt|d}~ww)a Delete all versions of a policy. Also removes from in-memory registry. Args: policy_name: Name of the policy prisma_client: The Prisma client instance Returns: Dict with success message rrqNr|zAll versions of policy 'z' deleted successfullyzError deleting all versions: )rkrlZ delete_manyrar;r rnr=)r5rrcrCr,r,r.delete_all_versionss  z"PolicyRegistry.delete_all_versions)rN)N)rcrrN)NN),__name__ __module__ __qualname____doc__r6rr=rrDr r9 staticmethodrr rNrVrXrr[boolr\r]r^r`rarrrprr{rrr rrrrrrrrrrrr,r,r,r.r07s )       P F  3   = 7 " e q 9 r0_policy_registrycCstdurtatS)zk Get the global PolicyRegistry singleton. Returns: The global PolicyRegistry instance N)rr0r,r,r,r.get_policy_registrysr) rrhrrtypingrrrrrr Zlitellm._loggingr Z!litellm.types.proxy.policy_enginer r r rrrrrrrZlitellm.proxy.utilsrZPOLICY_VERSION_ID_PREFIXr/r0r__annotations__rr,r,r,r.s(   0