# [DEF:backend.src.services.clean_release.source_isolation:Module]
# @TIER: STANDARD
# @SEMANTICS: clean-release, source-isolation, internal-only, validation
# @PURPOSE: Validate that all resource endpoints belong to the approved internal source registry.
# @LAYER: Domain
# @RELATION: DEPENDS_ON -> backend.src.models.clean_release.ResourceSourceRegistry
# @INVARIANT: Any endpoint outside enabled registry entries is treated as external-source violation.

from __future__ import annotations

from typing import Dict, Iterable, List

from ...models.clean_release import ResourceSourceRegistry


def validate_internal_sources(registry: ResourceSourceRegistry, endpoints: Iterable[str]) -> Dict:
    """Check every endpoint against the enabled hosts of the source registry.

    The check is an allow-list and fails closed: an endpoint passes only when
    its trimmed, lower-cased text is exactly equal to the trimmed, lower-cased
    ``host`` of a registry entry whose ``enabled`` flag is truthy. Everything
    else, including empty or ``None`` endpoints and hosts that appear only on
    disabled entries, is reported as a violation.

    Args:
        registry: Registry whose ``entries`` each expose ``host`` and ``enabled``.
        endpoints: Endpoint strings to validate.

    Returns:
        A dict with ``"ok"`` (``True`` only when there are no violations) and
        ``"violations"``, a list holding one ``"external-source"`` record per
        rejected endpoint. Each record carries the endpoint as supplied (or
        ``""``) under ``"location"`` and sets ``"blocked_release"`` to ``True``.
    """
    # Only enabled entries contribute to the allow-list.
    approved = {item.host.strip().lower() for item in registry.entries if item.enabled}

    def _is_approved(raw) -> bool:
        # Whole-string comparison: no scheme, port or path is stripped here, so
        # a value carrying any of those will not equal a bare registry host and
        # is rejected.
        # NOTE(review): presumably callers pass bare hostnames - confirm.
        candidate = (raw or "").strip().lower()
        # A blank endpoint is rejected before the lookup, so an enabled entry
        # with a blank host cannot approve it.
        return bool(candidate) and candidate in approved

    findings: List[Dict] = [
        {
            "category": "external-source",
            "location": raw or "",
            "remediation": "Replace with approved internal server",
            "blocked_release": True,
        }
        for raw in endpoints
        if not _is_approved(raw)
    ]
    return {"ok": not findings, "violations": findings}
# [/DEF:backend.src.services.clean_release.source_isolation:Module]