Loads priv/security/bundled_versions.exs — the source-of-truth
manifest of what versions ship inside the OTP tarballs that
MobDev.OtpDownloader distributes.
See priv/security/bundled_versions.exs
for the full schema and update procedure.
Why a manifest, not a fingerprint-only approach
Manifest first, fingerprint second. The manifest is a claim reviewable in git — every PR that touches it is auditable. Fingerprinting is the receipt that proves the claim.
A fingerprint-only approach can silently fail when build flags change and a version string is stripped or moves to a different binary; the scanner just reports "version unknown" and you stop noticing. A manifest-first approach forces a human to write down what shipped — and the fingerprinter then catches drift.
Summary
Functions
Return the currently active bundle (the hash Mob is shipping today).
Return the bundle entry for a given OTP tarball hash.
Load the manifest from disk. Returns the parsed map.
Path to the manifest .exs file.
Functions
@spec active() :: map()
Return the currently active bundle (the hash Mob is shipping today).
Return the bundle entry for a given OTP tarball hash.
Returns {:ok, bundle} when present, {:error, :unknown_hash}
otherwise. Useful for the fingerprinter when the hash on disk
doesn't match the manifest's :active_hash — the tarball might
be from an older or unpublished build.
Load the manifest from disk. Returns the parsed map.
Raises if the file is missing or doesn't evaluate to a map with the expected shape — the manifest is a hard requirement for the bundled-runtime scan layer; a missing file is a real bug, not a soft warning.
@spec manifest_path() :: Path.t()
Path to the manifest .exs file.