@jaguilar87/gaia 5.0.8 → 5.0.9

package/dist/gaia-ops/tools/scan/orchestrator.py

@@ -11,23 +11,26 @@ Pipeline:
   3. Collect and combine scanner sections (handling environment sub-keys)
   4. Cross-populate derived fields
   5. Return ScanOutput
+
+Section ownership rules (inlined from the retired tools/scan/merge.py):
+  Rule 1: Scanner-owned sections -> full replace
+  Rule 2: Agent-enriched sections -> never touch
+  Rule 3: Mixed sections -> selective update at sub-key level
+  Rule 4: Unknown/user-custom sections -> preserve
+  Rule 5: Metadata -> always update
 """
 
+import copy
 import logging
 import time
 from concurrent.futures import ThreadPoolExecutor, as_completed
 from dataclasses import dataclass, field
 from datetime import datetime, timezone
 from pathlib import Path
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, List, Optional, Set
 
 from tools.scan import __version__ as scanner_package_version
 from tools.scan.config import ScanConfig
-from tools.scan.merge import (
-    AGENT_ENRICHED_SECTIONS,
-    collect_scanner_sections,
-    merge_context,
-)
 from tools.scan.registry import ScannerRegistry
 from tools.scan.scanners.base import BaseScanner, ScanResult
 from tools.scan.workspace import WorkspaceInfo, detect_workspace_type
@@ -35,6 +38,190 @@ from tools.scan.workspace import WorkspaceInfo, detect_workspace_type
 logger = logging.getLogger(__name__)
 
 
+# ---------------------------------------------------------------------------
+# Section ownership constants (Rule 1 / Rule 2 / Rule 3)
+# ---------------------------------------------------------------------------
+
+# Sections fully owned by scanners -- replaced entirely on each scan (Rule 1)
+# Top-level sections only; sub-key ownership handled separately
+SCANNER_OWNED_TOP_LEVEL: Dict[str, str] = {
+    "project_identity": "stack",
+    "stack": "stack",
+    "git": "git",
+    "infrastructure": "infrastructure",
+    "orchestration": "orchestration",
+    # "environment" is NOT listed here because it has sub-key ownership
+}
+
+# Sub-key ownership within the `environment` section (Rule 4 / sub-section)
+# Maps environment sub-key -> owning scanner name
+ENVIRONMENT_SUBKEY_OWNERS: Dict[str, str] = {
+    "tools": "tools",
+    "tool_preferences": "tools",
+    "os": "environment",
+    "runtimes": "environment",
+    "env_files": "environment",
+}
+
+# Agent-enriched sections -- never modified by scanners (Rule 2)
+AGENT_ENRICHED_SECTIONS: frozenset = frozenset([
+    "operational_guidelines",
+    "cluster_details",
+    "infrastructure_topology",
+    "monitoring_observability",
+    "architecture_overview",
+    "gcp_services",
+    "workload_identity",
+])
+
+# Mixed sections with partial scanner ownership (Rule 3)
+# Maps section_name -> set of scanner-owned field names
+MIXED_SECTION_SCANNER_FIELDS: Dict[str, Set[str]] = {
+    "terraform_infrastructure": {"layout"},
+    "gitops_configuration": {"repository"},
+    "application_services": {"base_path", "services"},
+}
+
+
+# ---------------------------------------------------------------------------
+# Section collection and merge helpers
+# ---------------------------------------------------------------------------
+
+def collect_scanner_sections(
+    scanner_results: Dict[str, Any],
+) -> Dict[str, Any]:
+    """Collect and combine sections from all scanner results.
+
+    Handles the environment section specially: both `tools` and `environment`
+    scanners produce sub-keys under `environment`, so their outputs are
+    combined into a single `environment` section.
+
+    Args:
+        scanner_results: Mapping of scanner_name -> ScanResult (must have
+                         a `sections` attribute that is a dict).
+
+    Returns:
+        Combined sections dict from all scanners.
+    """
+    combined: Dict[str, Any] = {}
+    environment_parts: Dict[str, Any] = {}
+
+    for _scanner_name, scan_result in scanner_results.items():
+        sections = scan_result.sections if hasattr(scan_result, "sections") else {}
+
+        for section_name, section_data in sections.items():
+            if section_name == "environment":
+                # Merge environment sub-keys from both scanners
+                if isinstance(section_data, dict):
+                    for key, value in section_data.items():
+                        if key != "_source":
+                            environment_parts[key] = value
+            else:
+                # Non-environment sections: direct assignment (last scanner wins,
+                # but each section should have exactly one owner)
+                combined[section_name] = section_data
+
+    # Reassemble environment section if we got any parts
+    if environment_parts:
+        combined["environment"] = {
+            "_source": "scanner:environment+tools",
+            **environment_parts,
+        }
+
+    return combined
+
+
+def _merge_environment_section(
+    result: Dict[str, Any],
+    scan_sections: Dict[str, Any],
+) -> None:
+    """Merge the `environment` section with sub-key level ownership.
+
+    Two scanners contribute to the `environment` section:
+    - `tools` scanner owns: tools, tool_preferences
+    - `environment` scanner owns: os, runtimes, env_files
+
+    Each scanner's sub-keys replace their owned portion; the other scanner's
+    sub-keys are preserved. The `_source` field gets a combined tag.
+
+    Args:
+        result: The result dict being built (mutated in place).
+        scan_sections: Combined sections from all scanners.
+    """
+    if "environment" not in scan_sections:
+        return
+
+    scan_env = scan_sections["environment"]
+
+    if "environment" not in result:
+        result["environment"] = {}
+
+    env = result["environment"]
+
+    # Replace each sub-key based on ownership
+    for subkey in ENVIRONMENT_SUBKEY_OWNERS:
+        if subkey in scan_env:
+            env[subkey] = copy.deepcopy(scan_env[subkey])
+
+    # Set combined _source tag
+    env["_source"] = "scanner:environment+tools"
+
+
+def _merge_sections(
+    existing: Dict[str, Any],
+    scan_sections: Dict[str, Any],
+) -> Dict[str, Any]:
+    """Merge scanner results with existing project-context sections.
+
+    Applies the ownership rules to produce the final merged sections dict.
+    Called with existing={} in normal scan runs (display-only path).
+
+    Args:
+        existing: Current sections (may be empty when called from scan).
+        scan_sections: Combined sections from all scanners.
+
+    Returns:
+        Merged sections dict. The merge is deterministic: same inputs always
+        produce the same output.
+    """
+    result = copy.deepcopy(existing)
+
+    # --- Rule 1: Scanner-owned top-level sections -> full replace ---
+    for section_name in SCANNER_OWNED_TOP_LEVEL:
+        if section_name in scan_sections:
+            result[section_name] = copy.deepcopy(scan_sections[section_name])
+
+    # --- Sub-section level ownership for `environment` ---
+    _merge_environment_section(result, scan_sections)
+
+    # --- Rule 2: Agent-enriched sections -> never touch ---
+    # These are already in `result` from the deepcopy of `existing`.
+    # (No action needed -- they are preserved by the deepcopy.)
+
+    # --- Rule 3: Mixed sections -> selective update ---
+    for section_name, scanner_fields in MIXED_SECTION_SCANNER_FIELDS.items():
+        if section_name in scan_sections:
+            scan_data = scan_sections[section_name]
+            if section_name not in result:
+                result[section_name] = {}
+            # Only update scanner-owned fields; preserve agent fields
+            for field_name in scanner_fields:
+                if field_name in scan_data:
+                    result[section_name][field_name] = copy.deepcopy(
+                        scan_data[field_name]
+                    )
+
+    # --- Rule 5: Unknown/user-custom sections -> preserve ---
+    # Any section in `existing` not covered above is preserved by the deepcopy.
+    # We do NOT add new unknown sections from scan_sections.
+
+    return result
+
+
+# ---------------------------------------------------------------------------
+# ScanOutput dataclass
+# ---------------------------------------------------------------------------
+
 @dataclass(frozen=True)
 class ScanOutput:
     """Aggregated output from all scanners.
@@ -187,11 +374,9 @@ class ScanOrchestrator:
         scan_sections = collect_scanner_sections(scanner_results)
 
         # Merge with empty existing context (no JSON persistence)
-        section_owners = self.registry.get_section_owners()
-        merged_sections = merge_context(
+        merged_sections = _merge_sections(
             existing={},
             scan_sections=scan_sections,
-            section_owners=section_owners,
         )
 
         # Determine which sections were updated vs preserved
@@ -210,7 +395,6 @@ class ScanOrchestrator:
         self._cross_populate_monorepo(merged_sections)
 
         # Remove empty {} placeholders for agent-enriched and mixed sections
-        from tools.scan.merge import MIXED_SECTION_SCANNER_FIELDS
         remove_if_empty = (
             AGENT_ENRICHED_SECTIONS
             | frozenset(MIXED_SECTION_SCANNER_FIELDS.keys())

package/dist/gaia-ops/tools/scan/tests/test_integration.py

@@ -23,8 +23,7 @@ from unittest.mock import patch
 import pytest
 
 from tools.scan.config import ScanConfig
-from tools.scan.merge import AGENT_ENRICHED_SECTIONS
-from tools.scan.orchestrator import ScanOrchestrator, ScanOutput
+from tools.scan.orchestrator import AGENT_ENRICHED_SECTIONS, ScanOrchestrator, ScanOutput
 from tools.scan.registry import ScannerRegistry
 from tools.scan.scanners.base import BaseScanner, ScanResult
 from tools.scan.tests.conftest import create_git_dir

package/dist/gaia-security/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "gaia-security",
-  "version": "5.0.8",
+  "version": "5.0.9",
   "description": "Keeps you in the loop only when it matters. Gaia Security analyzes every command and classifies it into risk tiers: read-only queries run freely, simulations and validations pass through, and state-changing operations (create, delete, apply, push) pause for your explicit approval before executing. Irreversible commands like dropping databases or deleting cloud infrastructure are permanently blocked.",
   "author": {
     "name": "jaguilar87",

package/dist/gaia-security/hooks/adapters/claude_code.py

@@ -1117,19 +1117,15 @@ class ClaudeCodeAdapter(HookAdapter):
           2. Load the specific pending file by prefix (any session).
           3. Activate the grant under the CURRENT session.
 
-        Falls back to session-wide activation when no nonce is present in
-        the answer (backward compatibility with older approval labels).
+        DB-only since the grant-lifecycle FS retirement: REQUESTED writes go
+        to the DB, so the approved pending is resolved by nonce prefix straight
+        from the DB via ``activate_db_pending_by_prefix()``.
 
         Never blocks (no exceptions raised to caller).
         """
         from modules.security.approval_grants import (
-            activate_cross_session_pending,
             activate_db_pending_by_prefix,
-            activate_grants_for_session,
-            activate_pending_approval,
             extract_nonce_from_label,
-            get_pending_approvals_for_session,
-            load_pending_by_nonce_prefix,
         )
 
         session_id = hook_data.get("session_id", "") or os.environ.get("CLAUDE_SESSION_ID", "")
@@ -1163,93 +1159,31 @@ class ClaudeCodeAdapter(HookAdapter):
                 logger.info("AskUserQuestion: no session_id available, skipping grant activation")
                 return
 
-            # Try nonce-targeted activation first: extract nonce from answer labels
+            # Nonce-targeted activation: extract the nonce from answer labels.
             nonce_prefix = None
             for v in answers.values():
                 nonce_prefix = extract_nonce_from_label(str(v))
                 if nonce_prefix:
                     break
 
-            if nonce_prefix:
-                # Nonce-targeted: load this specific pending regardless of session
-                pending_data = load_pending_by_nonce_prefix(nonce_prefix)
-                if pending_data:
-                    pending_session = pending_data.get("session_id", "")
-                    full_nonce = pending_data.get("nonce", "")
-
-                    if pending_session == session_id:
-                        # Same session -- use standard activation
-                        result = activate_pending_approval(
-                            nonce=full_nonce,
-                            session_id=session_id,
-                        )
-                    else:
-                        # Cross session -- activate under current session
-                        result = activate_cross_session_pending(
-                            pending_data,
-                            session_id=session_id,
-                        )
-
-                    if result.success:
-                        logger.info(
-                            "AskUserQuestion nonce-targeted activation: prefix=%s, "
-                            "pending_session=%s, current_session=%s, status=%s",
-                            nonce_prefix, pending_session[:12], session_id[:12],
-                            getattr(result.status, "value", str(result.status)),
-                        )
-                        return
-                    else:
-                        logger.warning(
-                            "AskUserQuestion nonce-targeted activation failed: "
-                            "prefix=%s, status=%s, reason=%s",
-                            nonce_prefix,
-                            getattr(result.status, "value", str(result.status)),
-                            result.reason,
-                        )
-                else:
-                    # Filesystem pending not found -- try DB lookup (M2 bridge).
-                    # Since M2, REQUESTED writes go to DB only; no pending-{nonce}.json
-                    # is written to the filesystem any more.
-                    logger.info(
-                        "AskUserQuestion: nonce prefix %s found in label but no "
-                        "matching pending file -- trying DB lookup (M2 bridge)",
-                        nonce_prefix,
-                    )
-                    result = activate_db_pending_by_prefix(
-                        nonce_prefix, current_session_id=session_id,
-                    )
-                    if result.success:
-                        logger.info(
-                            "AskUserQuestion DB-bridge activation: prefix=%s status=%s",
-                            nonce_prefix,
-                            getattr(result.status, "value", str(result.status)),
-                        )
-                        return
-                    else:
-                        logger.warning(
-                            "AskUserQuestion DB-bridge activation failed: "
-                            "prefix=%s status=%s reason=%s -- falling back to session-wide",
-                            nonce_prefix,
-                            getattr(result.status, "value", str(result.status)),
-                            result.reason,
-                        )
-                    # Fall through to session-wide activation below
-                    nonce_prefix = None
-
             if not nonce_prefix:
-                # No nonce in label (or all targeted paths failed) -- fall back to
-                # session-wide activation for backward compatibility
-                pending = get_pending_approvals_for_session(session_id)
-                if not pending:
-                    logger.info("AskUserQuestion: no pending grants for session %s", session_id)
-                    return
-
-                results = activate_grants_for_session(session_id)
-                activated = sum(1 for r in results if r.success)
                 logger.info(
-                    "AskUserQuestion session-wide activation: %d/%d pending grants for session %s",
-                    activated, len(results), session_id,
+                    "AskUserQuestion: no nonce prefix in answer labels -- "
+                    "nothing to activate for session %s", session_id[:12],
                 )
+                return
+
+            # Resolve the approved pending straight from the DB.
+            result = activate_db_pending_by_prefix(
+                nonce_prefix, current_session_id=session_id,
+            )
+            logger.info(
+                "AskUserQuestion DB activation: prefix=%s success=%s status=%s reason=%s",
+                nonce_prefix,
+                result.success,
+                getattr(result.status, "value", str(result.status)),
+                result.reason,
+            )
 
         except Exception as e:
             logger.error("Error in _handle_ask_user_question_result: %s", e, exc_info=True)

package/dist/gaia-security/hooks/modules/context/context_injector.py

@@ -450,17 +450,33 @@ def build_project_context(
         if critical_summary:
             context_string += critical_summary
 
-        # Inject recent operational events (non-blocking)
+        # Inject recent operational events (non-blocking).
+        # Brief 54 / Task 2.2: read from the harness_events DB table via
+        # gaia.store.reader.cross_surface_query instead of the legacy
+        # events.jsonl reader. The reader returns rows shaped as
+        # {surface, timestamp, type, agent, summary, raw} -- NOT the old
+        # {ts, type, agent, result} JSONL shape -- so the formatting loop
+        # below is remapped to those keys (audit Risk 4: without the remap
+        # the "Recent Events" block silently goes blank).
         try:
-            from ..events.event_writer import read_events
-            recent = read_events(hours=24, limit=20)
+            import sys as _sys
+            from pathlib import Path as _Path
+            try:
+                from gaia.store import reader as _reader
+            except ImportError:
+                _repo_root = _Path(__file__).resolve().parents[3]
+                _sys.path.insert(0, str(_repo_root))
+                from gaia.store import reader as _reader
+            recent = _reader.cross_surface_query(
+                surface="harness_events", since="24h", last=20,
+            )
             if recent:
                 lines = ["\n# Recent Events (last 24h)"]
                 for evt in recent:
-                    ts_short = evt.get("ts", "")[:16]
-                    etype = evt.get("type", "")
-                    agent_name = evt.get("agent", "")
-                    result_str = evt.get("result", "")
+                    ts_short = (evt.get("timestamp") or "")[:16]
+                    etype = evt.get("type") or ""
+                    agent_name = evt.get("agent") or ""
+                    result_str = evt.get("summary") or ""
                     label = f"{agent_name}: " if agent_name else ""
                     lines.append(f"- [{ts_short}] {etype}: {label}{result_str}")
                 context_string += "\n".join(lines) + "\n"

package/dist/gaia-security/hooks/modules/events/event_writer.py

@@ -1,16 +1,27 @@
-"""Event writer and reader for the GAIA Event Context system.
+"""Event writer for the GAIA Event Context system.
+
+As of Brief 54 / Task 2.2 the event pipeline writes to the ``harness_events``
+table in the Gaia SQLite substrate (``~/.gaia/gaia.db``) instead of the legacy
+``events.jsonl`` file. This is an ATOMIC cutover: ``write_event`` no longer
+touches ``events.jsonl`` in any code path -- there is NO dual-write.
 
 Provides:
-    - EventWriter: append-only JSONL writer with file locking
-    - read_events(): read events from last N hours with optional filtering
-    - cleanup_old_events(): remove events older than N days
+    - EventWriter: non-blocking, silent-on-failure DB event writer
+    - read_events(): legacy JSONL reader (read-only; retained until Task 2.3
+      removes events.jsonl entirely -- no longer the canonical read path)
     - Event type constants
+
+The DB write delegates to ``gaia.store.writer.write_harness_event``, which
+resolves the DB path the same way every other gaia DB writer does (via
+``gaia.paths.db_path()`` -> ``GAIA_DATA_DIR`` / ``gaia.db``, falling back to
+``~/.gaia/gaia.db``). The hook subprocess imports the ``gaia`` package via the
+repo-root fallback already established by handoff_persister.
 """
 
-import fcntl
 import json
 import logging
 import os
+import sys
 from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from typing import Any, Dict, List, Optional
@@ -32,17 +43,36 @@ HEARTBEAT = "heartbeat"
 USER_NOTE = "user.note"
 
 
+def _import_store_writer():
+    """Import gaia.store.writer, falling back to the repo layout.
+
+    Mirrors the import contract used by
+    hooks/modules/agents/handoff_persister.py: prefer a sibling ``gaia``
+    package if installed; otherwise add the repo root (two levels above
+    ``hooks/``) to ``sys.path`` and import from there.
+    """
+    try:
+        from gaia.store import writer as _writer
+    except ImportError:
+        _repo_root = Path(__file__).resolve().parents[3]
+        sys.path.insert(0, str(_repo_root))
+        from gaia.store import writer as _writer
+    return _writer
+
+
 class EventWriter:
-    """Append-only JSONL event writer with file locking.
+    """Non-blocking DB event writer.
 
-    All writes are wrapped in try/except -- events are non-critical and
-    must never block the hook pipeline.
+    All writes are wrapped in try/except -- events are non-critical and must
+    never block the hook pipeline. The ``events_dir`` argument is retained for
+    backward compatibility (legacy JSONL reads still resolve it) but is no
+    longer used for writes, which target the ``harness_events`` DB table.
     """
 
     def __init__(self, events_dir: Optional[Path] = None):
+        # Retained for compatibility with the legacy reader; not used for
+        # writes. Resolved lazily-safe (never raises here).
         self.events_dir = events_dir or get_events_dir()
-        self.events_file = self.events_dir / "events.jsonl"
-        self.lock_file = self.events_dir / "events.jsonl.lock"
 
     def write_event(
         self,
@@ -53,10 +83,10 @@ class EventWriter:
         severity: str = "info",
         meta: Optional[Dict[str, Any]] = None,
     ) -> None:
-        """Append a single event to the JSONL log.
+        """Append a single event to the ``harness_events`` DB table.
 
-        Thread-safe via exclusive file lock.  Fails silently on any error
-        to avoid disrupting the hook pipeline.
+        Fails silently on any error to avoid disrupting the hook pipeline --
+        same contract as the historical file writer.
 
         Args:
             event_type: Dotted event category (e.g. "agent.dispatch").
@@ -64,30 +94,21 @@ class EventWriter:
             agent: Agent involved, or empty string for non-agent events.
             result: Outcome summary string.
             severity: info | warning | error.
-            meta: Optional type-specific structured data.
+            meta: Optional type-specific structured data (stored as JSON in
+                the ``payload`` column).
         """
         try:
-            self.events_dir.mkdir(parents=True, exist_ok=True)
-
-            record: Dict[str, Any] = {
-                "ts": datetime.now(timezone.utc).isoformat(),
-                "type": event_type,
-                "source": source,
-                "agent": agent,
-                "result": result,
-                "severity": severity,
-            }
-            if meta:
-                record["meta"] = meta
-
-            with open(self.lock_file, "w") as lf:
-                fcntl.flock(lf.fileno(), fcntl.LOCK_EX)
-                try:
-                    with open(self.events_file, "a") as f:
-                        f.write(json.dumps(record, separators=(",", ":")) + "\n")
-                finally:
-                    fcntl.flock(lf.fileno(), fcntl.LOCK_UN)
-
+            writer = _import_store_writer()
+            workspace = os.environ.get("GAIA_WORKSPACE") or None
+            writer.write_harness_event(
+                event_type=event_type,
+                source=source,
+                agent=agent,
+                result=result,
+                severity=severity,
+                meta=meta,
+                workspace=workspace,
+            )
         except Exception as exc:
             logger.debug("Event write failed (non-fatal): %s", exc)
 
@@ -98,7 +119,13 @@ def read_events(
     limit: int = 50,
     events_dir: Optional[Path] = None,
 ) -> List[Dict[str, Any]]:
-    """Read recent events from the JSONL log.
+    """Read recent events from the legacy JSONL log.
+
+    NOTE: As of Task 2.2 this is no longer the canonical read path -- new
+    events are written to the ``harness_events`` DB table. This reader is
+    retained read-only until Task 2.3 removes ``events.jsonl`` entirely, so
+    historical pre-cutover events remain consultable. New callers should use
+    ``gaia.store.reader.cross_surface_query(surface="harness_events")``.
 
     Args:
         hours: How far back to look (default 24h).
@@ -148,63 +175,3 @@ def read_events(
     except Exception as exc:
         logger.debug("Event read failed (non-fatal): %s", exc)
         return []
-
-
-def cleanup_old_events(
-    days: int = 7,
-    events_dir: Optional[Path] = None,
-) -> int:
-    """Remove events older than *days* from the JSONL log.
-
-    Uses file locking to avoid conflicts with concurrent writers.
-    Retains lines that cannot be parsed (conservative).
-
-    Args:
-        days: Retention window in days (default 7).
-        events_dir: Override events directory (for testing).
-
-    Returns:
-        Number of events removed.
-    """
-    try:
-        edir = events_dir or get_events_dir()
-        events_file = edir / "events.jsonl"
-        lock_file = edir / "events.jsonl.lock"
-
-        if not events_file.exists():
-            return 0
-
-        retention_days = int(os.environ.get("GAIA_EVENT_RETENTION_DAYS", str(days)))
-        cutoff = datetime.now(timezone.utc) - timedelta(days=retention_days)
-        kept: List[str] = []
-        removed = 0
-
-        with open(lock_file, "w") as lf:
-            fcntl.flock(lf.fileno(), fcntl.LOCK_EX)
-            try:
-                with open(events_file, "r") as f:
-                    for line in f:
-                        line = line.strip()
-                        if not line:
-                            continue
-                        try:
-                            evt = json.loads(line)
-                            ts = datetime.fromisoformat(evt["ts"])
-                            if ts < cutoff:
-                                removed += 1
-                                continue
-                        except (json.JSONDecodeError, KeyError, ValueError):
-                            pass  # Keep unparseable lines
-                        kept.append(line)
-
-                with open(events_file, "w") as f:
-                    for line in kept:
-                        f.write(line + "\n")
-            finally:
-                fcntl.flock(lf.fileno(), fcntl.LOCK_UN)
-
-        return removed
-
-    except Exception as exc:
-        logger.debug("Event cleanup failed (non-fatal): %s", exc)
-        return 0

package/dist/gaia-security/hooks/modules/security/__init__.py

@@ -45,7 +45,6 @@ from .approval_scopes import (
 from .approval_grants import (
     check_approval_grant,
     cleanup_expired_grants,
-    get_latest_pending_approval,
     last_check_found_expired,
     ApprovalGrant,
 )
@@ -93,7 +92,6 @@ __all__ = [
     # Approval Grants
     "check_approval_grant",
     "cleanup_expired_grants",
-    "get_latest_pending_approval",
     "last_check_found_expired",
     "ApprovalGrant",
     # Shell unwrapper