busya/ss-tools
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

[

Browse Source 
{
        "file": "frontend/src/components/__tests__/task_log_viewer.test.js",
        "verdict": "APPROVED",
        "rejection_reason": "NONE",
        "audit_details": {
            "target_invoked": true,
            "pre_conditions_tested": true,
            "post_conditions_tested": true,
            "test_fixture_used": true,
            "edges_covered": true,
            "invariants_verified": true,
            "ux_states_tested": true,
            "semantic_anchors_present": true
        },
        "coverage_summary": {
            "total_edges": 2,
            "edges_tested": 2,
            "total_invariants": 1,
            "invariants_tested": 1,
            "total_ux_states": 3,
            "ux_states_tested": 3
        },
        "tier_compliance": {
            "source_tier": "CRITICAL",
            "meets_tier_requirements": true
        },
        "feedback": "Remediation successful: test tier matches CRITICAL, missing missing @TEST_EDGE no_task_id coverage added, test for @UX_FEEDBACK (autoScroll) added properly, missing inline=false (show=true) tested properly. Semantic RELATION tag fixed to VERIFIES."
    },
    {
        "file": "frontend/src/lib/components/reports/__tests__/report_card.ux.test.js",
        "verdict": "APPROVED",
        "rejection_reason": "NONE",
        "audit_details": {
            "target_invoked": true,
            "pre_conditions_tested": true,
            "post_conditions_tested": true,
            "test_fixture_used": true,
            "edges_covered": true,
            "invariants_verified": true,
            "ux_states_tested": true,
            "semantic_anchors_present": true
        },
        "coverage_summary": {
            "total_edges": 2,
            "edges_tested": 2,
            "total_invariants": 1,
            "invariants_tested": 1,
            "total_ux_states": 2,
            "ux_states_tested": 2
        },
        "tier_compliance": {
            "source_tier": "CRITICAL",
            "meets_tier_requirements": true
        },
        "feedback": "Remediation successful: @TEST_EDGE random_status and @TEST_EDGE empty_report_object tests explicitly assert on outcomes, @TEST_FIXTURE tested completely, Test tier switched to CRITICAL."
    },
    {
        "file": "backend/tests/test_logger.py",
        "verdict": "APPROVED",
        "rejection_reason": "NONE",
        "audit_details": {
            "target_invoked": true,
            "pre_conditions_tested": true,
            "post_conditions_tested": true,
            "test_fixture_used": true,
            "edges_covered": true,
            "invariants_verified": true,
            "ux_states_tested": false,
            "semantic_anchors_present": true
        },
        "coverage_summary": {
            "total_edges": 0,
            "edges_tested": 0,
            "total_invariants": 0,
            "invariants_tested": 0,
            "total_ux_states": 0,
            "ux_states_tested": 0
        },
        "tier_compliance": {
            "source_tier": "STANDARD",
            "meets_tier_requirements": true
        },
        "feedback": "Remediation successful: Test module semantic anchors added [DEF] and [/DEF] explicitly. Added missing @TIER tag and @RELATION: VERIFIES -> src/core/logger.py at the top of the file."
    }
]
This commit is contained in:
busya
2026-03-03 21:05:29 +03:00
parent fa380ff9a5
commit bb921ce5dd
25 changed files with 1984 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
backend/src/services/clean_release/__init__.py Normal file
View File

@@ -0,0 +1,20 @@
# [DEF:backend.src.services.clean_release:Module]
# @TIER: STANDARD
# @SEMANTICS: clean-release, services, package, initialization
# @PURPOSE: Initialize clean release service package and provide explicit module exports.
# @LAYER: Domain
# @RELATION: EXPORTS -> policy_engine, manifest_builder, preparation_service, source_isolation, compliance_orchestrator, report_builder, repository, stages, audit_service
# @INVARIANT: Package import must not execute runtime side effects beyond symbol export setup.
__all__ = [
"policy_engine",
"manifest_builder",
"preparation_service",
"source_isolation",
"compliance_orchestrator",
"report_builder",
"repository",
"stages",
"audit_service",
]
# [/DEF:backend.src.services.clean_release:Module]

24
backend/src/services/clean_release/audit_service.py Normal file
View File

@@ -0,0 +1,24 @@
# [DEF:backend.src.services.clean_release.audit_service:Module]
# @TIER: STANDARD
# @SEMANTICS: clean-release, audit, lifecycle, logging
# @PURPOSE: Provide lightweight audit hooks for clean release preparation/check/report lifecycle.
# @LAYER: Infra
# @RELATION: DEPENDS_ON -> backend.src.core.logger
# @INVARIANT: Audit hooks are append-only log actions.
from __future__ import annotations
from ...core.logger import logger
def audit_preparation(candidate_id: str, status: str) -> None:
logger.info(f"[REASON] clean-release preparation candidate={candidate_id} status={status}")
def audit_check_run(check_run_id: str, final_status: str) -> None:
logger.info(f"[REFLECT] clean-release check_run={check_run_id} final_status={final_status}")
def audit_report(report_id: str, candidate_id: str) -> None:
logger.info(f"[EXPLORE] clean-release report_id={report_id} candidate={candidate_id}")
# [/DEF:backend.src.services.clean_release.audit_service:Module]

66
backend/src/services/clean_release/compliance_orchestrator.py Normal file
View File

@@ -0,0 +1,66 @@
# [DEF:backend.src.services.clean_release.compliance_orchestrator:Module]
# @TIER: CRITICAL
# @SEMANTICS: clean-release, orchestrator, compliance-gate, stages
# @PURPOSE: Execute mandatory clean compliance stages and produce final COMPLIANT/BLOCKED/FAILED outcome.
# @LAYER: Domain
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.stages
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.report_builder
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.repository
# @INVARIANT: COMPLIANT is impossible when any mandatory stage fails.
# @TEST_CONTRACT: ComplianceCheckRun -> ComplianceCheckRun
# @TEST_FIXTURE: compliant_candidate -> file:backend/tests/fixtures/clean_release/fixtures_clean_release.json
# @TEST_EDGE: stage_failure_blocks_release -> Mandatory stage returns FAIL and final status becomes BLOCKED
# @TEST_EDGE: missing_stage_result -> Finalization with incomplete/empty mandatory stage set must not produce COMPLIANT
# @TEST_EDGE: report_generation_error -> Downstream reporting failure does not alter orchestrator status derivation contract
# @TEST_INVARIANT: compliant_requires_all_mandatory_pass -> VERIFIED_BY: [stage_failure_blocks_release]
from __future__ import annotations
from datetime import datetime, timezone
from typing import List, Optional
from uuid import uuid4
from ...models.clean_release import (
CheckFinalStatus,
CheckStageName,
CheckStageResult,
CheckStageStatus,
ComplianceCheckRun,
)
from .repository import CleanReleaseRepository
from .stages import MANDATORY_STAGE_ORDER, derive_final_status
class CleanComplianceOrchestrator:
def __init__(self, repository: CleanReleaseRepository):
self.repository = repository
def start_check_run(self, candidate_id: str, policy_id: str, triggered_by: str, execution_mode: str) -> ComplianceCheckRun:
check_run = ComplianceCheckRun(
check_run_id=f"check-{uuid4()}",
candidate_id=candidate_id,
policy_id=policy_id,
started_at=datetime.now(timezone.utc),
final_status=CheckFinalStatus.RUNNING,
triggered_by=triggered_by,
execution_mode=execution_mode,
checks=[],
)
return self.repository.save_check_run(check_run)
def execute_stages(self, check_run: ComplianceCheckRun, forced_results: Optional[List[CheckStageResult]] = None) -> ComplianceCheckRun:
if forced_results is not None:
check_run.checks = forced_results
else:
check_run.checks = [
CheckStageResult(stage=stage, status=CheckStageStatus.PASS, details="auto-pass")
for stage in MANDATORY_STAGE_ORDER
]
return self.repository.save_check_run(check_run)
def finalize_run(self, check_run: ComplianceCheckRun) -> ComplianceCheckRun:
final_status = derive_final_status(check_run.checks)
check_run.final_status = final_status
check_run.finished_at = datetime.now(timezone.utc)
return self.repository.save_check_run(check_run)
# [/DEF:backend.src.services.clean_release.compliance_orchestrator:Module]

89
backend/src/services/clean_release/manifest_builder.py Normal file
View File

@@ -0,0 +1,89 @@
# [DEF:backend.src.services.clean_release.manifest_builder:Module]
# @TIER: STANDARD
# @SEMANTICS: clean-release, manifest, deterministic-hash, summary
# @PURPOSE: Build deterministic distribution manifest from classified artifact input.
# @LAYER: Domain
# @RELATION: DEPENDS_ON -> backend.src.models.clean_release
# @INVARIANT: Equal semantic artifact sets produce identical deterministic hash values.
from __future__ import annotations
import hashlib
import json
from datetime import datetime, timezone
from typing import Iterable, List, Dict, Any
from ...models.clean_release import (
ClassificationType,
DistributionManifest,
ManifestItem,
ManifestSummary,
)
def _stable_hash_payload(candidate_id: str, policy_id: str, items: List[ManifestItem]) -> str:
serialized = [
{
"path": item.path,
"category": item.category,
"classification": item.classification.value,
"reason": item.reason,
"checksum": item.checksum,
}
for item in sorted(items, key=lambda i: (i.path, i.category, i.classification.value, i.reason, i.checksum or ""))
]
payload = {
"candidate_id": candidate_id,
"policy_id": policy_id,
"items": serialized,
}
digest = hashlib.sha256(json.dumps(payload, ensure_ascii=False, sort_keys=True).encode("utf-8")).hexdigest()
return digest
# [DEF:build_distribution_manifest:Function]
# @PURPOSE: Build DistributionManifest with deterministic hash and validated counters.
# @PRE: artifacts list contains normalized classification values.
# @POST: Returns DistributionManifest with summary counts matching items cardinality.
def build_distribution_manifest(
manifest_id: str,
candidate_id: str,
policy_id: str,
generated_by: str,
artifacts: Iterable[Dict[str, Any]],
) -> DistributionManifest:
items = [
ManifestItem(
path=a["path"],
category=a["category"],
classification=ClassificationType(a["classification"]),
reason=a["reason"],
checksum=a.get("checksum"),
)
for a in artifacts
]
included_count = sum(1 for item in items if item.classification in {ClassificationType.REQUIRED_SYSTEM, ClassificationType.ALLOWED})
excluded_count = sum(1 for item in items if item.classification == ClassificationType.EXCLUDED_PROHIBITED)
prohibited_detected_count = excluded_count
summary = ManifestSummary(
included_count=included_count,
excluded_count=excluded_count,
prohibited_detected_count=prohibited_detected_count,
)
deterministic_hash = _stable_hash_payload(candidate_id, policy_id, items)
return DistributionManifest(
manifest_id=manifest_id,
candidate_id=candidate_id,
policy_id=policy_id,
generated_at=datetime.now(timezone.utc),
generated_by=generated_by,
items=items,
summary=summary,
deterministic_hash=deterministic_hash,
)
# [/DEF:build_distribution_manifest:Function]
# [/DEF:backend.src.services.clean_release.manifest_builder:Module]

141
backend/src/services/clean_release/policy_engine.py Normal file
View File

@@ -0,0 +1,141 @@
# [DEF:backend.src.services.clean_release.policy_engine:Module]
# @TIER: CRITICAL
# @SEMANTICS: clean-release, policy, classification, source-isolation
# @PURPOSE: Evaluate artifact/source policies for enterprise clean profile with deterministic outcomes.
# @LAYER: Domain
# @RELATION: DEPENDS_ON -> backend.src.models.clean_release.CleanProfilePolicy
# @RELATION: DEPENDS_ON -> backend.src.models.clean_release.ResourceSourceRegistry
# @INVARIANT: Enterprise-clean policy always treats non-registry sources as violations.
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple
from ...core.logger import belief_scope, logger
from ...models.clean_release import CleanProfilePolicy, ResourceSourceRegistry
@dataclass
class PolicyValidationResult:
ok: bool
blocking_reasons: List[str]
@dataclass
class SourceValidationResult:
ok: bool
violation: Dict | None
# [DEF:CleanPolicyEngine:Class]
# @PRE: Active policy exists and is internally consistent.
# @POST: Deterministic classification and source validation are available.
# @TEST_CONTRACT: CandidateEvaluationInput -> PolicyValidationResult|SourceValidationResult
# @TEST_SCENARIO: policy_valid -> Enterprise clean policy with matching registry returns ok=True
# @TEST_FIXTURE: policy_enterprise_clean -> file:backend/tests/fixtures/clean_release/fixtures_clean_release.json
# @TEST_EDGE: missing_registry_ref -> policy has empty internal_source_registry_ref
# @TEST_EDGE: conflicting_registry -> policy registry ref does not match registry id
# @TEST_EDGE: external_endpoint -> endpoint not present in enabled internal registry entries
# @TEST_INVARIANT: deterministic_classification -> VERIFIED_BY: [policy_valid]
class CleanPolicyEngine:
def __init__(self, policy: CleanProfilePolicy, registry: ResourceSourceRegistry):
self.policy = policy
self.registry = registry
def validate_policy(self) -> PolicyValidationResult:
with belief_scope("clean_policy_engine.validate_policy"):
logger.reason("Validating enterprise-clean policy and internal registry consistency")
reasons: List[str] = []
if not self.policy.active:
reasons.append("Policy must be active")
if not self.policy.internal_source_registry_ref.strip():
reasons.append("Policy missing internal_source_registry_ref")
if self.policy.profile.value == "enterprise-clean" and not self.policy.prohibited_artifact_categories:
reasons.append("Enterprise policy requires prohibited artifact categories")
if self.policy.profile.value == "enterprise-clean" and not self.policy.external_source_forbidden:
reasons.append("Enterprise policy requires external_source_forbidden=true")
if self.registry.registry_id != self.policy.internal_source_registry_ref:
reasons.append("Policy registry ref does not match provided registry")
if not self.registry.entries:
reasons.append("Registry must contain entries")
logger.reflect(f"Policy validation completed. blocking_reasons={len(reasons)}")
return PolicyValidationResult(ok=len(reasons) == 0, blocking_reasons=reasons)
def classify_artifact(self, artifact: Dict) -> str:
category = (artifact.get("category") or "").strip()
if category in self.policy.required_system_categories:
logger.reason(f"Artifact category '{category}' classified as required-system")
return "required-system"
if category in self.policy.prohibited_artifact_categories:
logger.reason(f"Artifact category '{category}' classified as excluded-prohibited")
return "excluded-prohibited"
logger.reflect(f"Artifact category '{category}' classified as allowed")
return "allowed"
def validate_resource_source(self, endpoint: str) -> SourceValidationResult:
with belief_scope("clean_policy_engine.validate_resource_source"):
if not endpoint:
logger.explore("Empty endpoint detected; treating as blocking external-source violation")
return SourceValidationResult(
ok=False,
violation={
"category": "external-source",
"location": "<empty-endpoint>",
"remediation": "Replace with approved internal server",
"blocked_release": True,
},
)
allowed_hosts = {entry.host for entry in self.registry.entries if entry.enabled}
normalized = endpoint.strip().lower()
if normalized in allowed_hosts:
logger.reason(f"Endpoint '{normalized}' is present in internal allowlist")
return SourceValidationResult(ok=True, violation=None)
logger.explore(f"Endpoint '{endpoint}' is outside internal allowlist")
return SourceValidationResult(
ok=False,
violation={
"category": "external-source",
"location": endpoint,
"remediation": "Replace with approved internal server",
"blocked_release": True,
},
)
def evaluate_candidate(self, artifacts: Iterable[Dict], sources: Iterable[str]) -> Tuple[List[Dict], List[Dict]]:
with belief_scope("clean_policy_engine.evaluate_candidate"):
logger.reason("Evaluating candidate artifacts and resource sources against enterprise policy")
classified: List[Dict] = []
violations: List[Dict] = []
for artifact in artifacts:
classification = self.classify_artifact(artifact)
enriched = dict(artifact)
enriched["classification"] = classification
if classification == "excluded-prohibited":
violations.append(
{
"category": "data-purity",
"location": artifact.get("path", "<unknown-path>"),
"remediation": "Remove prohibited content",
"blocked_release": True,
}
)
classified.append(enriched)
for source in sources:
source_result = self.validate_resource_source(source)
if not source_result.ok and source_result.violation:
violations.append(source_result.violation)
logger.reflect(
f"Candidate evaluation finished. artifacts={len(classified)} violations={len(violations)}"
)
return classified, violations
# [/DEF:CleanPolicyEngine:Class]
# [/DEF:backend.src.services.clean_release.policy_engine:Module]

67
backend/src/services/clean_release/preparation_service.py Normal file
View File

@@ -0,0 +1,67 @@
# [DEF:backend.src.services.clean_release.preparation_service:Module]
# @TIER: STANDARD
# @SEMANTICS: clean-release, preparation, manifest, policy-evaluation
# @PURPOSE: Prepare release candidate by policy evaluation and deterministic manifest creation.
# @LAYER: Domain
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.policy_engine
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.manifest_builder
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.repository
# @INVARIANT: Candidate preparation always persists manifest and candidate status deterministically.
from __future__ import annotations
from datetime import datetime, timezone
from typing import Dict, Iterable
from .manifest_builder import build_distribution_manifest
from .policy_engine import CleanPolicyEngine
from .repository import CleanReleaseRepository
from ...models.clean_release import ReleaseCandidateStatus
def prepare_candidate(
repository: CleanReleaseRepository,
candidate_id: str,
artifacts: Iterable[Dict],
sources: Iterable[str],
operator_id: str,
) -> Dict:
candidate = repository.get_candidate(candidate_id)
if candidate is None:
raise ValueError(f"Candidate not found: {candidate_id}")
policy = repository.get_active_policy()
if policy is None:
raise ValueError("Active clean policy not found")
registry = repository.get_registry(policy.internal_source_registry_ref)
if registry is None:
raise ValueError("Registry not found for active policy")
engine = CleanPolicyEngine(policy=policy, registry=registry)
validation = engine.validate_policy()
if not validation.ok:
raise ValueError(f"Invalid policy: {validation.blocking_reasons}")
classified, violations = engine.evaluate_candidate(artifacts=artifacts, sources=sources)
manifest = build_distribution_manifest(
manifest_id=f"manifest-{candidate_id}",
candidate_id=candidate_id,
policy_id=policy.policy_id,
generated_by=operator_id,
artifacts=classified,
)
repository.save_manifest(manifest)
candidate.status = ReleaseCandidateStatus.BLOCKED if violations else ReleaseCandidateStatus.PREPARED
repository.save_candidate(candidate)
return {
"candidate_id": candidate_id,
"status": candidate.status.value,
"manifest_id": manifest.manifest_id,
"violations": violations,
"prepared_at": datetime.now(timezone.utc).isoformat(),
}
# [/DEF:backend.src.services.clean_release.preparation_service:Module]

60
backend/src/services/clean_release/report_builder.py Normal file
View File

@@ -0,0 +1,60 @@
# [DEF:backend.src.services.clean_release.report_builder:Module]
# @TIER: CRITICAL
# @SEMANTICS: clean-release, report, audit, counters, violations
# @PURPOSE: Build and persist compliance reports with consistent counter invariants.
# @LAYER: Domain
# @RELATION: DEPENDS_ON -> backend.src.models.clean_release
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.repository
# @INVARIANT: blocking_violations_count never exceeds violations_count.
# @TEST_CONTRACT: ComplianceCheckRun,List[ComplianceViolation] -> ComplianceReport
# @TEST_FIXTURE: blocked_with_two_violations -> file:backend/tests/fixtures/clean_release/fixtures_clean_release.json
# @TEST_EDGE: empty_violations_for_blocked -> BLOCKED run with zero blocking violations raises ValueError
# @TEST_EDGE: counter_mismatch -> blocking counter cannot exceed total violations counter
# @TEST_EDGE: missing_operator_summary -> non-terminal run prevents report creation and summary generation
# @TEST_INVARIANT: blocking_count_le_total_count -> VERIFIED_BY: [counter_mismatch, empty_violations_for_blocked]
from __future__ import annotations
from datetime import datetime, timezone
from uuid import uuid4
from typing import List
from ...models.clean_release import CheckFinalStatus, ComplianceCheckRun, ComplianceReport, ComplianceViolation
from .repository import CleanReleaseRepository
class ComplianceReportBuilder:
def __init__(self, repository: CleanReleaseRepository):
self.repository = repository
def build_report_payload(self, check_run: ComplianceCheckRun, violations: List[ComplianceViolation]) -> ComplianceReport:
if check_run.final_status == CheckFinalStatus.RUNNING:
raise ValueError("Cannot build report for non-terminal run")
violations_count = len(violations)
blocking_violations_count = sum(1 for v in violations if v.blocked_release)
if check_run.final_status == CheckFinalStatus.BLOCKED and blocking_violations_count <= 0:
raise ValueError("Blocked run requires at least one blocking violation")
summary = (
"Compliance passed with no blocking violations"
if check_run.final_status == CheckFinalStatus.COMPLIANT
else f"Blocked with {blocking_violations_count} blocking violation(s)"
)
return ComplianceReport(
report_id=f"CCR-{uuid4()}",
check_run_id=check_run.check_run_id,
candidate_id=check_run.candidate_id,
generated_at=datetime.now(timezone.utc),
final_status=check_run.final_status,
operator_summary=summary,
structured_payload_ref=f"inmemory://check-runs/{check_run.check_run_id}/report",
violations_count=violations_count,
blocking_violations_count=blocking_violations_count,
)
def persist_report(self, report: ComplianceReport) -> ComplianceReport:
return self.repository.save_report(report)
# [/DEF:backend.src.services.clean_release.report_builder:Module]

89
backend/src/services/clean_release/repository.py Normal file
View File

@@ -0,0 +1,89 @@
# [DEF:backend.src.services.clean_release.repository:Module]
# @TIER: STANDARD
# @SEMANTICS: clean-release, repository, persistence, in-memory
# @PURPOSE: Provide repository adapter for clean release entities with deterministic access methods.
# @LAYER: Infra
# @RELATION: DEPENDS_ON -> backend.src.models.clean_release
# @INVARIANT: Repository operations are side-effect free outside explicit save/update calls.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from ...models.clean_release import (
CleanProfilePolicy,
ComplianceCheckRun,
ComplianceReport,
ComplianceViolation,
DistributionManifest,
ReleaseCandidate,
ResourceSourceRegistry,
)
@dataclass
class CleanReleaseRepository:
candidates: Dict[str, ReleaseCandidate] = field(default_factory=dict)
policies: Dict[str, CleanProfilePolicy] = field(default_factory=dict)
registries: Dict[str, ResourceSourceRegistry] = field(default_factory=dict)
manifests: Dict[str, DistributionManifest] = field(default_factory=dict)
check_runs: Dict[str, ComplianceCheckRun] = field(default_factory=dict)
reports: Dict[str, ComplianceReport] = field(default_factory=dict)
violations: Dict[str, ComplianceViolation] = field(default_factory=dict)
def save_candidate(self, candidate: ReleaseCandidate) -> ReleaseCandidate:
self.candidates[candidate.candidate_id] = candidate
return candidate
def get_candidate(self, candidate_id: str) -> Optional[ReleaseCandidate]:
return self.candidates.get(candidate_id)
def save_policy(self, policy: CleanProfilePolicy) -> CleanProfilePolicy:
self.policies[policy.policy_id] = policy
return policy
def get_policy(self, policy_id: str) -> Optional[CleanProfilePolicy]:
return self.policies.get(policy_id)
def get_active_policy(self) -> Optional[CleanProfilePolicy]:
for policy in self.policies.values():
if policy.active:
return policy
return None
def save_registry(self, registry: ResourceSourceRegistry) -> ResourceSourceRegistry:
self.registries[registry.registry_id] = registry
return registry
def get_registry(self, registry_id: str) -> Optional[ResourceSourceRegistry]:
return self.registries.get(registry_id)
def save_manifest(self, manifest: DistributionManifest) -> DistributionManifest:
self.manifests[manifest.manifest_id] = manifest
return manifest
def get_manifest(self, manifest_id: str) -> Optional[DistributionManifest]:
return self.manifests.get(manifest_id)
def save_check_run(self, check_run: ComplianceCheckRun) -> ComplianceCheckRun:
self.check_runs[check_run.check_run_id] = check_run
return check_run
def get_check_run(self, check_run_id: str) -> Optional[ComplianceCheckRun]:
return self.check_runs.get(check_run_id)
def save_report(self, report: ComplianceReport) -> ComplianceReport:
self.reports[report.report_id] = report
return report
def get_report(self, report_id: str) -> Optional[ComplianceReport]:
return self.reports.get(report_id)
def save_violation(self, violation: ComplianceViolation) -> ComplianceViolation:
self.violations[violation.violation_id] = violation
return violation
def get_violations_by_check_run(self, check_run_id: str) -> List[ComplianceViolation]:
return [v for v in self.violations.values() if v.check_run_id == check_run_id]
# [/DEF:backend.src.services.clean_release.repository:Module]

33
backend/src/services/clean_release/source_isolation.py Normal file
View File

@@ -0,0 +1,33 @@
# [DEF:backend.src.services.clean_release.source_isolation:Module]
# @TIER: STANDARD
# @SEMANTICS: clean-release, source-isolation, internal-only, validation
# @PURPOSE: Validate that all resource endpoints belong to the approved internal source registry.
# @LAYER: Domain
# @RELATION: DEPENDS_ON -> backend.src.models.clean_release.ResourceSourceRegistry
# @INVARIANT: Any endpoint outside enabled registry entries is treated as external-source violation.
from __future__ import annotations
from typing import Dict, Iterable, List
from ...models.clean_release import ResourceSourceRegistry
def validate_internal_sources(registry: ResourceSourceRegistry, endpoints: Iterable[str]) -> Dict:
allowed_hosts = {entry.host.strip().lower() for entry in registry.entries if entry.enabled}
violations: List[Dict] = []
for endpoint in endpoints:
normalized = (endpoint or "").strip().lower()
if not normalized or normalized not in allowed_hosts:
violations.append(
{
"category": "external-source",
"location": endpoint or "<empty-endpoint>",
"remediation": "Replace with approved internal server",
"blocked_release": True,
}
)
return {"ok": len(violations) == 0, "violations": violations}
# [/DEF:backend.src.services.clean_release.source_isolation:Module]

59
backend/src/services/clean_release/stages.py Normal file
View File

@@ -0,0 +1,59 @@
# [DEF:backend.src.services.clean_release.stages:Module]
# @TIER: STANDARD
# @SEMANTICS: clean-release, compliance, stages, state-machine
# @PURPOSE: Define compliance stage order and helper functions for deterministic run-state evaluation.
# @LAYER: Domain
# @RELATION: DEPENDS_ON -> backend.src.models.clean_release
# @INVARIANT: Stage order remains deterministic for all compliance runs.
from __future__ import annotations
from typing import Dict, Iterable, List
from ...models.clean_release import CheckFinalStatus, CheckStageName, CheckStageResult, CheckStageStatus
MANDATORY_STAGE_ORDER: List[CheckStageName] = [
CheckStageName.DATA_PURITY,
CheckStageName.INTERNAL_SOURCES_ONLY,
CheckStageName.NO_EXTERNAL_ENDPOINTS,
CheckStageName.MANIFEST_CONSISTENCY,
]
# [DEF:stage_result_map:Function]
# @PURPOSE: Convert stage result list to dictionary by stage name.
# @PRE: stage_results may be empty or contain unique stage names.
# @POST: Returns stage->status dictionary for downstream evaluation.
def stage_result_map(stage_results: Iterable[CheckStageResult]) -> Dict[CheckStageName, CheckStageStatus]:
return {result.stage: result.status for result in stage_results}
# [/DEF:stage_result_map:Function]
# [DEF:missing_mandatory_stages:Function]
# @PURPOSE: Identify mandatory stages that are absent from run results.
# @PRE: stage_status_map contains zero or more known stage statuses.
# @POST: Returns ordered list of missing mandatory stages.
def missing_mandatory_stages(stage_status_map: Dict[CheckStageName, CheckStageStatus]) -> List[CheckStageName]:
return [stage for stage in MANDATORY_STAGE_ORDER if stage not in stage_status_map]
# [/DEF:missing_mandatory_stages:Function]
# [DEF:derive_final_status:Function]
# @PURPOSE: Derive final run status from stage results with deterministic blocking behavior.
# @PRE: Stage statuses correspond to compliance checks.
# @POST: Returns one of COMPLIANT/BLOCKED/FAILED according to mandatory stage outcomes.
def derive_final_status(stage_results: Iterable[CheckStageResult]) -> CheckFinalStatus:
status_map = stage_result_map(stage_results)
missing = missing_mandatory_stages(status_map)
if missing:
return CheckFinalStatus.FAILED
for stage in MANDATORY_STAGE_ORDER:
if status_map.get(stage) == CheckStageStatus.FAIL:
return CheckFinalStatus.BLOCKED
if status_map.get(stage) == CheckStageStatus.SKIPPED:
return CheckFinalStatus.FAILED
return CheckFinalStatus.COMPLIANT
# [/DEF:derive_final_status:Function]
# [/DEF:backend.src.services.clean_release.stages:Module]