# [DEF:backend.src.services.clean_release.policy_resolution_service:Module]
# @TIER: CRITICAL
# @SEMANTICS: clean-release, policy, registry, trusted-resolution, immutable-snapshots
# @PURPOSE: Resolve trusted policy and registry snapshots from ConfigManager without runtime overrides.
# @LAYER: Domain
# @RELATION: DEPENDS_ON -> backend.src.core.config_manager
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.repository
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.exceptions
# @INVARIANT: Trusted snapshot resolution is based only on ConfigManager active identifiers.
from __future__ import annotations
from typing import Optional, Tuple
from ...models.clean_release import CleanPolicySnapshot, SourceRegistrySnapshot
from .exceptions import PolicyResolutionError
from .repository import CleanReleaseRepository
# [DEF:resolve_trusted_policy_snapshots:Function]
# @PURPOSE: Resolve immutable trusted policy and registry snapshots using active config IDs only.
# @PRE: ConfigManager provides active_policy_id and active_registry_id; repository contains referenced snapshots.
# @POST: Returns immutable policy and registry snapshots; runtime override attempts are rejected.
# @SIDE_EFFECT: None.
def resolve_trusted_policy_snapshots(
    *,
    config_manager,
    repository: CleanReleaseRepository,
    policy_id_override: Optional[str] = None,
    registry_id_override: Optional[str] = None,
) -> Tuple[CleanPolicySnapshot, SourceRegistrySnapshot]:
    """Return the (policy, registry) snapshot pair named by the active configuration.

    The identifiers are read only from ``config.settings.clean_release`` as
    returned by ``config_manager.get_config()``. The two ``*_override``
    parameters are accepted solely so that a caller trying to steer the
    resolution is rejected explicitly instead of being silently ignored.

    Args:
        config_manager: Object exposing ``get_config()``.
        repository: Store queried through ``get_policy(id)`` and
            ``get_registry(id)``; a ``None`` result is treated as "not found".
        policy_id_override: Must be ``None``; any other value is refused.
        registry_id_override: Must be ``None``; any other value is refused.

    Returns:
        Tuple of ``(policy_snapshot, registry_snapshot)``.

    Raises:
        PolicyResolutionError: An override was supplied, the clean_release
            settings or either active identifier is missing, a snapshot was
            not found, or a snapshot does not carry a truthy ``immutable``
            attribute.
    """
    # Fail closed on overrides: the test is "is not None", so even an empty
    # string counts as an override attempt and is refused.
    supplied_overrides = (policy_id_override, registry_id_override)
    if any(candidate is not None for candidate in supplied_overrides):
        raise PolicyResolutionError("override attempt is forbidden for trusted policy resolution")

    active_config = config_manager.get_config()
    settings_root = getattr(active_config, "settings", None)
    # getattr on None with a default yields None, so a missing "settings"
    # object and a missing "clean_release" section end in the same error.
    release_settings = getattr(settings_root, "clean_release", None)
    if release_settings is None:
        raise PolicyResolutionError("clean_release settings are missing")

    trusted_policy_id = getattr(release_settings, "active_policy_id", None)
    trusted_registry_id = getattr(release_settings, "active_registry_id", None)

    # Falsy identifiers (None, "") mean "not configured"; there is no fallback
    # to a default policy or registry.
    if not trusted_policy_id:
        raise PolicyResolutionError("missing trusted profile: active_policy_id is not configured")
    if not trusted_registry_id:
        raise PolicyResolutionError("missing trusted registry: active_registry_id is not configured")

    # NOTE(review): the records returned by the repository are not compared
    # against the requested identifiers here; this relies on the repository
    # returning exactly the record asked for -- confirm in CleanReleaseRepository.
    resolved_policy = repository.get_policy(trusted_policy_id)
    if resolved_policy is None:
        raise PolicyResolutionError(f"trusted policy snapshot '{trusted_policy_id}' was not found")

    resolved_registry = repository.get_registry(trusted_registry_id)
    if resolved_registry is None:
        raise PolicyResolutionError(f"trusted registry snapshot '{trusted_registry_id}' was not found")

    # A snapshot without an "immutable" attribute is treated as mutable and
    # rejected (the default is False). The check is by truthiness only.
    # NOTE(review): whether the flag is actually enforced by the store is not
    # visible from this function -- confirm.
    policy_is_frozen = getattr(resolved_policy, "immutable", False)
    if not policy_is_frozen:
        raise PolicyResolutionError("policy snapshot must be immutable")
    registry_is_frozen = getattr(resolved_registry, "immutable", False)
    if not registry_is_frozen:
        raise PolicyResolutionError("registry snapshot must be immutable")

    return resolved_policy, resolved_registry
# [/DEF:resolve_trusted_policy_snapshots:Function]
# [/DEF:backend.src.services.clean_release.policy_resolution_service:Module]