# [DEF:backend.src.services.clean_release.policy_resolution_service:Module] # @TIER: CRITICAL # @SEMANTICS: clean-release, policy, registry, trusted-resolution, immutable-snapshots # @PURPOSE: Resolve trusted policy and registry snapshots from ConfigManager without runtime overrides. # @LAYER: Domain # @RELATION: DEPENDS_ON -> backend.src.core.config_manager # @RELATION: DEPENDS_ON -> backend.src.services.clean_release.repository # @RELATION: DEPENDS_ON -> backend.src.services.clean_release.exceptions # @INVARIANT: Trusted snapshot resolution is based only on ConfigManager active identifiers. from __future__ import annotations from typing import Optional, Tuple from ...models.clean_release import CleanPolicySnapshot, SourceRegistrySnapshot from .exceptions import PolicyResolutionError from .repository import CleanReleaseRepository # [DEF:resolve_trusted_policy_snapshots:Function] # @PURPOSE: Resolve immutable trusted policy and registry snapshots using active config IDs only. # @PRE: ConfigManager provides active_policy_id and active_registry_id; repository contains referenced snapshots. # @POST: Returns immutable policy and registry snapshots; runtime override attempts are rejected. # @SIDE_EFFECT: None. 
def resolve_trusted_policy_snapshots(
    *,
    config_manager,
    repository: CleanReleaseRepository,
    policy_id_override: Optional[str] = None,
    registry_id_override: Optional[str] = None,
) -> Tuple[CleanPolicySnapshot, SourceRegistrySnapshot]:
    """Return the trusted (policy, registry) snapshot pair named by the active config.

    The snapshot identifiers are read only from
    ``config_manager.get_config().settings.clean_release``. The two
    ``*_override`` parameters exist solely so that a caller trying to supply
    its own identifier is refused: any value other than ``None`` (including
    an empty string) aborts resolution before the configuration is read.

    Args:
        config_manager: Object exposing ``get_config()``.
        repository: Source of snapshots via ``get_policy(id)`` and
            ``get_registry(id)``; each is expected to return ``None`` when
            the snapshot is absent.
        policy_id_override: Must be ``None``.
        registry_id_override: Must be ``None``.

    Returns:
        ``(policy_snapshot, registry_snapshot)`` exactly as returned by the
        repository.

    Raises:
        PolicyResolutionError: An override was passed, the ``clean_release``
            settings or either active ID is missing/empty, a referenced
            snapshot is not in the repository, or a snapshot is not flagged
            immutable.
    """
    # Fail closed: the override check runs before any configuration access.
    no_override_requested = policy_id_override is None and registry_id_override is None
    if not no_override_requested:
        raise PolicyResolutionError("override attempt is forbidden for trusted policy resolution")

    active_config = config_manager.get_config()
    settings_root = getattr(active_config, "settings", None)
    release_settings = getattr(settings_root, "clean_release", None)
    if release_settings is None:
        raise PolicyResolutionError("clean_release settings are missing")

    # Both identifiers are read first and validated afterwards, policy first.
    active_policy_id = getattr(release_settings, "active_policy_id", None)
    active_registry_id = getattr(release_settings, "active_registry_id", None)
    if not active_policy_id:
        raise PolicyResolutionError("missing trusted profile: active_policy_id is not configured")
    if not active_registry_id:
        raise PolicyResolutionError("missing trusted registry: active_registry_id is not configured")

    # The registry is only queried once the policy snapshot is known to exist.
    # NOTE(review): the returned objects are not re-checked against the
    # requested IDs here; the repository lookup is trusted for that.
    trusted_policy = repository.get_policy(active_policy_id)
    if trusted_policy is None:
        raise PolicyResolutionError(f"trusted policy snapshot '{active_policy_id}' was not found")

    trusted_registry = repository.get_registry(active_registry_id)
    if trusted_registry is None:
        raise PolicyResolutionError(f"trusted registry snapshot '{active_registry_id}' was not found")

    # A snapshot without an ``immutable`` attribute counts as mutable.
    # NOTE(review): this is a truthiness test, so any truthy value passes —
    # confirm the snapshot models constrain ``immutable`` to a real bool.
    immutability_checks = (
        (trusted_policy, "policy snapshot must be immutable"),
        (trusted_registry, "registry snapshot must be immutable"),
    )
    for snapshot, failure_message in immutability_checks:
        if not getattr(snapshot, "immutable", False):
            raise PolicyResolutionError(failure_message)

    return trusted_policy, trusted_registry
# [/DEF:resolve_trusted_policy_snapshots:Function]
# [/DEF:backend.src.services.clean_release.policy_resolution_service:Module]