Pack-enabler infra for the Authority Packs proposal (PR #2053). Makes the authority-pack format fully drop-in (zero core edits) for any jurisdiction.
Problem
Two things currently force an authority pack to touch core's source tree (documented as the pack's residual gaps):
- Host allowlist is a hardcoded frozenset.
PUBLIC_DOMAIN_SOURCE_HOSTS in opencontractserver/constants/safe_http.py is the SSRF allowlist every fetch is gated against. A pack for a new jurisdiction cannot open its government host(s) as data — it needs a same-PR constants edit. This is the single binding the pack format cannot self-declare (an unlisted host → SSRFValidationError → GATE_BLOCKED_DOMAIN).
- Provider discovery scans one hardcoded package.
PipelineComponentRegistry auto-discovers providers only under opencontractserver/pipeline/authority_source_providers/. A pack's provider module must be physically copied into core; there is no entry-point / out-of-tree plugin path, so a pack cannot live self-contained in its own package.
Proposed direction
- (a) Data-driven source-host allowlist — a superuser-curated, license-gated DB allowlist that augments the static frozenset (still SSRF-validated; still requires
license="public-domain" at the gate). A pack/provider declares its hosts as data.
- (b) Out-of-tree provider discovery — entry-point (or configured-extra-package) discovery so a provider outside the core package registers, letting a pack ship its provider in its own folder.
- (c, minor) Loader multi-YAML merge + a baseline-vs-baseline collision guard (
update_or_create currently has no source guard between two baseline writers on the same prefix — last loader run wins).
Acceptance criteria
- A provider/pack can declare its fetch host(s) as data; SSRF + license gating preserved; superuser-curated.
- A provider outside
pipeline/authority_source_providers/ is discovered and routable.
- Re-loading two packs that touch distinct prefixes never clobbers each other.
Context
Closes the one blocker and the out-of-tree gap from docs/architecture/proposals/0002-authority-packs.md §7. Independent of Phases 2–4; with this, a pack becomes pure data + a self-contained provider package with no edits to core.
Pack-enabler infra for the Authority Packs proposal (PR #2053). Makes the authority-pack format fully drop-in (zero core edits) for any jurisdiction.
Problem
Two things currently force an authority pack to touch core's source tree (documented as the pack's residual gaps):
PUBLIC_DOMAIN_SOURCE_HOSTSinopencontractserver/constants/safe_http.pyis the SSRF allowlist every fetch is gated against. A pack for a new jurisdiction cannot open its government host(s) as data — it needs a same-PR constants edit. This is the single binding the pack format cannot self-declare (an unlisted host →SSRFValidationError→GATE_BLOCKED_DOMAIN).PipelineComponentRegistryauto-discovers providers only underopencontractserver/pipeline/authority_source_providers/. A pack's provider module must be physically copied into core; there is no entry-point / out-of-tree plugin path, so a pack cannot live self-contained in its own package.Proposed direction
license="public-domain"at the gate). A pack/provider declares its hosts as data.update_or_createcurrently has no source guard between two baseline writers on the same prefix — last loader run wins).Acceptance criteria
pipeline/authority_source_providers/is discovered and routable.Context
Closes the one blocker and the out-of-tree gap from
docs/architecture/proposals/0002-authority-packs.md§7. Independent of Phases 2–4; with this, a pack becomes pure data + a self-contained provider package with no edits to core.