feat(clean-release): complete compliance redesign phases and polish tasks T047-T052

backend/src/services/clean_release/policy_resolution_service.py

@@ -0,0 +1,64 @@
+# [DEF:backend.src.services.clean_release.policy_resolution_service:Module]
+# @TIER: CRITICAL
+# @SEMANTICS: clean-release, policy, registry, trusted-resolution, immutable-snapshots
+# @PURPOSE: Resolve trusted policy and registry snapshots from ConfigManager without runtime overrides.
+# @LAYER: Domain
+# @RELATION: DEPENDS_ON -> backend.src.core.config_manager
+# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.repository
+# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.exceptions
+# @INVARIANT: Trusted snapshot resolution is based only on ConfigManager active identifiers.
+
+from __future__ import annotations
+
+from typing import Optional, Tuple
+
+from ...models.clean_release import CleanPolicySnapshot, SourceRegistrySnapshot
+from .exceptions import PolicyResolutionError
+from .repository import CleanReleaseRepository
+
+
+# [DEF:resolve_trusted_policy_snapshots:Function]
+# @PURPOSE: Resolve immutable trusted policy and registry snapshots using active config IDs only.
+# @PRE: ConfigManager provides active_policy_id and active_registry_id; repository contains referenced snapshots.
+# @POST: Returns immutable policy and registry snapshots; runtime override attempts are rejected.
+# @SIDE_EFFECT: None.
+def resolve_trusted_policy_snapshots(
+    *,
+    config_manager,
+    repository: CleanReleaseRepository,
+    policy_id_override: Optional[str] = None,
+    registry_id_override: Optional[str] = None,
+) -> Tuple[CleanPolicySnapshot, SourceRegistrySnapshot]:
+    if policy_id_override is not None or registry_id_override is not None:
+        raise PolicyResolutionError("override attempt is forbidden for trusted policy resolution")
+
+    config = config_manager.get_config()
+    clean_release_settings = getattr(getattr(config, "settings", None), "clean_release", None)
+    if clean_release_settings is None:
+        raise PolicyResolutionError("clean_release settings are missing")
+
+    policy_id = getattr(clean_release_settings, "active_policy_id", None)
+    registry_id = getattr(clean_release_settings, "active_registry_id", None)
+
+    if not policy_id:
+        raise PolicyResolutionError("missing trusted profile: active_policy_id is not configured")
+    if not registry_id:
+        raise PolicyResolutionError("missing trusted registry: active_registry_id is not configured")
+
+    policy_snapshot = repository.get_policy(policy_id)
+    if policy_snapshot is None:
+        raise PolicyResolutionError(f"trusted policy snapshot '{policy_id}' was not found")
+
+    registry_snapshot = repository.get_registry(registry_id)
+    if registry_snapshot is None:
+        raise PolicyResolutionError(f"trusted registry snapshot '{registry_id}' was not found")
+
+    if not bool(getattr(policy_snapshot, "immutable", False)):
+        raise PolicyResolutionError("policy snapshot must be immutable")
+    if not bool(getattr(registry_snapshot, "immutable", False)):
+        raise PolicyResolutionError("registry snapshot must be immutable")
+
+    return policy_snapshot, registry_snapshot
+# [/DEF:resolve_trusted_policy_snapshots:Function]
+
+# [/DEF:backend.src.services.clean_release.policy_resolution_service:Module]