fix(027): stabilize shared acceptance gates and compatibility collateral

2026-03-17 11:07:49 +03:00
parent 023bacde39
commit 18bdde0a81
19 changed files with 749 additions and 552 deletions
--- a/backend/src/services/clean_release/policy_engine.py
+++ b/backend/src/services/clean_release/policy_engine.py
@@ -13,7 +13,12 @@ from dataclasses import dataclass
 from typing import Dict, Iterable, List, Tuple

 from ...core.logger import belief_scope, logger
-from ...models.clean_release import CleanPolicySnapshot, SourceRegistrySnapshot
+from ...models.clean_release import (
+    CleanPolicySnapshot,
+    SourceRegistrySnapshot,
+    CleanProfilePolicy,
+    ResourceSourceRegistry,
+)


@dataclass
@@ -39,7 +44,11 @@ class SourceValidationResult:
 # @TEST_EDGE: external_endpoint -> endpoint not present in enabled internal registry entries
 # @TEST_INVARIANT: deterministic_classification -> VERIFIED_BY: [policy_valid]
 class CleanPolicyEngine:
-    def __init__(self, policy: CleanPolicySnapshot, registry: SourceRegistrySnapshot):
+    def __init__(
+        self,
+        policy: CleanPolicySnapshot | CleanProfilePolicy,
+        registry: SourceRegistrySnapshot | ResourceSourceRegistry,
+    ):
        self.policy = policy
        self.registry = registry

@@ -48,23 +57,45 @@ class CleanPolicyEngine:
            logger.reason("Validating enterprise-clean policy and internal registry consistency")
            reasons: List[str] = []

-            # Snapshots are immutable and assumed active if resolved by facade
-            if not self.policy.registry_snapshot_id.strip():
-                reasons.append("Policy missing registry_snapshot_id")
-            
-            content = self.policy.content_json or {}
+            registry_ref = (
+                getattr(self.policy, "registry_snapshot_id", None)
+                or getattr(self.policy, "internal_source_registry_ref", "")
+                or ""
+            )
+            if not str(registry_ref).strip():
+                reasons.append("Policy missing internal_source_registry_ref")
+
+            content = dict(getattr(self.policy, "content_json", None) or {})
+            if not content:
+                content = {
+                    "profile": getattr(getattr(self.policy, "profile", None), "value", getattr(self.policy, "profile", "standard")),
+                    "prohibited_artifact_categories": list(
+                        getattr(self.policy, "prohibited_artifact_categories", []) or []
+                    ),
+                    "required_system_categories": list(
+                        getattr(self.policy, "required_system_categories", []) or []
+                    ),
+                    "external_source_forbidden": getattr(self.policy, "external_source_forbidden", False),
+                }
+
            profile = content.get("profile", "standard")
-            
+
            if profile == "enterprise-clean":
                if not content.get("prohibited_artifact_categories"):
                    reasons.append("Enterprise policy requires prohibited artifact categories")
                if not content.get("external_source_forbidden"):
                    reasons.append("Enterprise policy requires external_source_forbidden=true")
-            
-            if self.registry.id != self.policy.registry_snapshot_id:
+
+            registry_id = getattr(self.registry, "id", None) or getattr(self.registry, "registry_id", None)
+            if registry_id != registry_ref:
                reasons.append("Policy registry ref does not match provided registry")
-            
-            if not self.registry.allowed_hosts:
+
+            allowed_hosts = getattr(self.registry, "allowed_hosts", None)
+            if allowed_hosts is None:
+                entries = getattr(self.registry, "entries", []) or []
+                allowed_hosts = [entry.host for entry in entries if getattr(entry, "enabled", True)]
+
+            if not allowed_hosts:
                reasons.append("Registry must contain allowed hosts")

            logger.reflect(f"Policy validation completed. blocking_reasons={len(reasons)}")
@@ -72,8 +103,17 @@ class CleanPolicyEngine:

    def classify_artifact(self, artifact: Dict) -> str:
        category = (artifact.get("category") or "").strip()
-        content = self.policy.content_json or {}
-        
+        content = dict(getattr(self.policy, "content_json", None) or {})
+        if not content:
+            content = {
+                "required_system_categories": list(
+                    getattr(self.policy, "required_system_categories", []) or []
+                ),
+                "prohibited_artifact_categories": list(
+                    getattr(self.policy, "prohibited_artifact_categories", []) or []
+                ),
+            }
+
        required = content.get("required_system_categories", [])
        prohibited = content.get("prohibited_artifact_categories", [])

@@ -100,7 +140,11 @@ class CleanPolicyEngine:
                    },
                )

-            allowed_hosts = set(self.registry.allowed_hosts or [])
+            allowed_hosts = getattr(self.registry, "allowed_hosts", None)
+            if allowed_hosts is None:
+                entries = getattr(self.registry, "entries", []) or []
+                allowed_hosts = [entry.host for entry in entries if getattr(entry, "enabled", True)]
+            allowed_hosts = set(allowed_hosts or [])
            normalized = endpoint.strip().lower()

            if normalized in allowed_hosts: