Package services (v0.4.5-alpha)

Warning: this package is not in the latest version of its module.

Published: Jan 29, 2026 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Overview

Package services contains application use cases.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsRemoteProfile

func IsRemoteProfile(path string) bool

IsRemoteProfile returns true if the path looks like a remote URL.

Types

type CachedPluginResolver

type CachedPluginResolver struct {
	services.BaseResolver
	// contains filtered or unexported fields
}

CachedPluginResolver checks local cache for plugins.

func NewCachedPluginResolver

func NewCachedPluginResolver(repository ports.PluginRepository) *CachedPluginResolver

NewCachedPluginResolver creates a cached plugin resolver.

func (*CachedPluginResolver) Resolve

Resolve checks the local cache; otherwise it delegates to the next resolver in the chain.

type CapabilityGatekeeper

type CapabilityGatekeeper struct {
	// contains filtered or unexported fields
}

CapabilityGatekeeper handles capability granting decisions, user interaction, and persistence. This is an application service responsible for the security boundary between required and granted capabilities.

func NewCapabilityGatekeeper

func NewCapabilityGatekeeper(configPath string, securityLevel string) *CapabilityGatekeeper

NewCapabilityGatekeeper creates a new capability gatekeeper.

func (*CapabilityGatekeeper) GrantCapabilities

func (g *CapabilityGatekeeper) GrantCapabilities(
	required *sdkEntities.GrantSet,
	capabilityInfo map[string]ports.CapabilityInfo,
	trustAll bool,
) (*sdkEntities.GrantSet, error)

GrantCapabilities determines which capabilities to grant based on security policy, user input, and saved grants. It handles the complete granting workflow: check saved grants, apply security policy, prompt if needed, persist decisions.

Parameters:

  • required: capabilities requested by plugins (as GrantSet)
  • capabilityInfo: metadata about each capability (is it broad, profile-specific alternative, etc.)
  • trustAll: if true, auto-grant all capabilities without prompting

Returns:

  • granted capabilities (as GrantSet)
  • error if user denies or security policy blocks

type CapabilityOrchestrator

type CapabilityOrchestrator struct {
	// contains filtered or unexported fields
}

CapabilityOrchestrator coordinates capability collection and granting. It delegates to specialized services:

  • CapabilityAnalyzer for extraction (domain logic)
  • CapabilityGatekeeper for granting (security boundary)

func NewCapabilityOrchestrator

func NewCapabilityOrchestrator(
	runtimeFactory ports.PluginRuntimeFactory,
	opts ...CapabilityOrchestratorOption,
) *CapabilityOrchestrator

NewCapabilityOrchestrator creates a capability orchestrator with the given options. RuntimeFactory is required for creating plugin runtimes.

func (*CapabilityOrchestrator) CollectCapabilities

func (o *CapabilityOrchestrator) CollectCapabilities(ctx context.Context, profile entities.ProfileReader, pluginDir string) (map[string]*sdkEntities.GrantSet, ports.PluginRuntime, error)

CollectCapabilities creates a temporary runtime and collects required capabilities. Returns the required capabilities and the temporary runtime (caller must close it).

func (*CapabilityOrchestrator) CollectRequiredCapabilities

func (o *CapabilityOrchestrator) CollectRequiredCapabilities(ctx context.Context, profile entities.ProfileReader, runtime ports.PluginRuntime, pluginDir string) (map[string]*sdkEntities.GrantSet, error)

CollectRequiredCapabilities loads plugins and identifies requirements. It prioritizes specific capabilities extracted from profile configs over plugin metadata.

func (*CapabilityOrchestrator) GrantCapabilities

func (o *CapabilityOrchestrator) GrantCapabilities(required map[string]*sdkEntities.GrantSet, trustAll bool) (map[string]*sdkEntities.GrantSet, error)

GrantCapabilities resolves permissions via the gatekeeper. Delegates the complete granting workflow to CapabilityGatekeeper.

type CapabilityOrchestratorOption

type CapabilityOrchestratorOption func(*CapabilityOrchestrator)

CapabilityOrchestratorOption configures a CapabilityOrchestrator.

func WithAnalyzer

WithAnalyzer sets a custom capability analyzer.

func WithCapabilityRegistry

func WithCapabilityRegistry(r *capabilities.Registry) CapabilityOrchestratorOption

WithCapabilityRegistry sets a capability registry to use for the analyzer.

func WithGatekeeper

WithGatekeeper sets a custom capability gatekeeper.

func WithSecurityConfig

func WithSecurityConfig(configPath, securityLevel string) CapabilityOrchestratorOption

WithSecurityConfig sets the config path and security level for the gatekeeper.

func WithTrustAll

func WithTrustAll(trust bool) CapabilityOrchestratorOption

WithTrustAll sets the trust-all flag for capability granting.

type CheckProfileUseCase

type CheckProfileUseCase struct {
	// contains filtered or unexported fields
}

CheckProfileUseCase orchestrates the complete profile check workflow. This is a pure application layer component that depends only on ports.

func NewCheckProfileUseCase

func NewCheckProfileUseCase(
	profileLoader ports.ProfileLoader,
	profileCompiler *services.ProfileCompiler,
	opts ...CheckProfileUseCaseOption,
) *CheckProfileUseCase

NewCheckProfileUseCase creates a new check profile use case. ProfileLoader and ProfileCompiler are required dependencies.

func (*CheckProfileUseCase) CheckFailed

func (uc *CheckProfileUseCase) CheckFailed(result *execution.ExecutionResult) bool

CheckFailed returns true if the execution result indicates failures.

func (*CheckProfileUseCase) Execute

Execute runs the complete check profile workflow.

type CheckProfileUseCaseOption

type CheckProfileUseCaseOption func(*CheckProfileUseCase)

CheckProfileUseCaseOption configures a CheckProfileUseCase.

func WithCapabilityOrchestrator

func WithCapabilityOrchestrator(o *CapabilityOrchestrator) CheckProfileUseCaseOption

WithCapabilityOrchestrator sets the capability orchestrator.

func WithEngineFactory

func WithEngineFactory(f ports.EngineFactory) CheckProfileUseCaseOption

WithEngineFactory sets the engine factory.

func WithLockfileService

func WithLockfileService(s *LockfileService) CheckProfileUseCaseOption

WithLockfileService sets the lockfile service.

func WithPluginResolver

WithPluginResolver sets the plugin directory resolver.

func WithPluginService

func WithPluginService(s *PluginService) CheckProfileUseCaseOption

WithPluginService sets the plugin service.

func WithProfileValidator

func WithProfileValidator(v ports.ProfileValidator) CheckProfileUseCaseOption

WithProfileValidator sets the profile validator.

func WithSystemConfig

WithSystemConfig sets the system config provider.

func WithUseCaseLogger

func WithUseCaseLogger(l *slog.Logger) CheckProfileUseCaseOption

WithUseCaseLogger sets the logger.

type EmbeddedPluginResolver

type EmbeddedPluginResolver struct {
	services.BaseResolver
	// contains filtered or unexported fields
}

EmbeddedPluginResolver checks for built-in plugins.

func NewEmbeddedPluginResolver

func NewEmbeddedPluginResolver(source ports.EmbeddedPluginSource) *EmbeddedPluginResolver

NewEmbeddedPluginResolver creates an embedded plugin resolver.

func (*EmbeddedPluginResolver) Resolve

Resolve checks whether the plugin is embedded; otherwise it delegates to the next resolver in the chain.

type LockfileService

type LockfileService struct {
	// contains filtered or unexported fields
}

LockfileService orchestrates plugin version resolution and locking.

func NewLockfileService

func NewLockfileService(
	repo ports.LockfileRepository,
	resolver ports.VersionResolver,
	digester ports.PluginDigester,
) *LockfileService

NewLockfileService creates a new LockfileService.

func (*LockfileService) GetLockedProfile

func (s *LockfileService) GetLockedProfile(
	ctx context.Context,
	lockfilePath string,
	profileURL string,
) (*entities.ProfileLock, error)

GetLockedProfile retrieves a locked profile entry by URL. Returns nil if the profile is not locked.

func (*LockfileService) LockProfile

func (s *LockfileService) LockProfile(
	ctx context.Context,
	lockfilePath string,
	profileURL string,
	version string,
	digest string,
) error

LockProfile adds a remote profile to the lockfile with its resolved version and digest. This enables reproducible builds by pinning profile versions.

func (*LockfileService) ResolvePlugins

func (s *LockfileService) ResolvePlugins(
	ctx context.Context,
	profile *entities.Profile,
	lockfilePath string,
) (*entities.Lockfile, error)

ResolvePlugins resolves plugin versions using the lockfile if available, or falls back to resolving constraints and updating the lockfile.

type PlanProfileUseCase

type PlanProfileUseCase struct {
	// contains filtered or unexported fields
}

PlanProfileUseCase generates an execution plan without running controls. This provides a dry-run view showing what would execute and in what order.

func NewPlanProfileUseCase

func NewPlanProfileUseCase(
	profileLoader ports.ProfileLoader,
	profileCompiler *services.ProfileCompiler,
	opts ...PlanProfileUseCaseOption,
) *PlanProfileUseCase

NewPlanProfileUseCase creates a new plan profile use case. ProfileLoader and ProfileCompiler are required dependencies.

func (*PlanProfileUseCase) Execute

Execute generates the execution plan.

type PlanProfileUseCaseOption

type PlanProfileUseCaseOption func(*PlanProfileUseCase)

PlanProfileUseCaseOption configures a PlanProfileUseCase.

func WithPlanDependencyResolver

func WithPlanDependencyResolver(r *services.DependencyResolver) PlanProfileUseCaseOption

WithPlanDependencyResolver sets a custom dependency resolver.

func WithPlanLogger

func WithPlanLogger(l *slog.Logger) PlanProfileUseCaseOption

WithPlanLogger sets the logger.

type PluginService

type PluginService struct {
	// contains filtered or unexported fields
}

PluginService orchestrates plugin management use cases. It coordinates domain services and infrastructure adapters.

func NewPluginService

func NewPluginService(
	repository ports.PluginRepository,
	registry ports.PluginRegistry,
	opts ...PluginServiceOption,
) *PluginService

NewPluginService creates a plugin service with the given options. Repository and registry are required dependencies.

func (*PluginService) ListCachedPlugins

func (s *PluginService) ListCachedPlugins(ctx context.Context) ([]*entities.Plugin, error)

ListCachedPlugins returns all plugins in local cache.

func (*PluginService) LoadPlugin

func (s *PluginService) LoadPlugin(ctx context.Context, spec *dto.PluginSpecDTO) (string, error)

LoadPlugin is the main use case for loading a plugin. Returns the file path to the WASM binary.

func (*PluginService) PruneCache

func (s *PluginService) PruneCache(ctx context.Context, keepVersions int) error

PruneCache removes old plugin versions.

func (*PluginService) PublishPlugin

func (s *PluginService) PublishPlugin(
	ctx context.Context,
	plugin *entities.Plugin,
	wasm io.Reader,
	shouldSign bool,
) error

PublishPlugin uploads a plugin to a registry.

type PluginServiceOption

type PluginServiceOption func(*PluginService)

PluginServiceOption configures a PluginService.

func WithIntegrityService

func WithIntegrityService(is *services.IntegrityService) PluginServiceOption

WithIntegrityService sets the integrity service.

func WithIntegrityVerifier

func WithIntegrityVerifier(iv ports.IntegrityVerifier) PluginServiceOption

WithIntegrityVerifier sets the integrity verifier.

func WithLogger

func WithLogger(l *slog.Logger) PluginServiceOption

WithLogger sets the logger.

func WithResolver

WithResolver sets the plugin resolution strategy.

type ProfileTrustService

type ProfileTrustService struct {
	// contains filtered or unexported fields
}

ProfileTrustService handles trust decisions for remote profiles. It determines whether a remote profile source is trusted and manages user prompts for untrusted sources.

func NewProfileTrustService

func NewProfileTrustService(opts ...ProfileTrustServiceOption) *ProfileTrustService

NewProfileTrustService creates a new profile trust service.

func (*ProfileTrustService) FormatNonInteractiveError

func (s *ProfileTrustService) FormatNonInteractiveError(
	url string,
	requiredCaps map[string]*sdkEntities.GrantSet,
) error

FormatNonInteractiveError creates a helpful error message for non-interactive mode.

func (*ProfileTrustService) IsTrusted

func (s *ProfileTrustService) IsTrusted(url string) bool

IsTrusted returns true if the URL matches a trusted source pattern.

func (*ProfileTrustService) PromptForTrust

func (s *ProfileTrustService) PromptForTrust(
	ctx context.Context,
	url string,
	requiredCaps map[string]*sdkEntities.GrantSet,
	trustFlag bool,
) (bool, error)

PromptForTrust prompts the user to trust a remote profile source. Shows the capabilities that the profile will require. Returns true if the user grants trust, false otherwise. Returns an error if running in non-interactive mode without --trust-source.

func (*ProfileTrustService) RequiresTrust

func (s *ProfileTrustService) RequiresTrust(path string) bool

RequiresTrust returns true if the profile path is a remote URL that requires trust verification.

type ProfileTrustServiceOption

type ProfileTrustServiceOption func(*ProfileTrustService)

ProfileTrustServiceOption configures a ProfileTrustService.

func WithTrustLogger

func WithTrustLogger(l *slog.Logger) ProfileTrustServiceOption

WithTrustLogger sets a custom logger.

func WithTrustedSources

func WithTrustedSources(patterns []string) ProfileTrustServiceOption

WithTrustedSources sets the trusted source patterns.

type RegistryPluginResolver

type RegistryPluginResolver struct {
	services.BaseResolver
	// contains filtered or unexported fields
}

RegistryPluginResolver pulls plugins from OCI registries.

func NewRegistryPluginResolver

func NewRegistryPluginResolver(
	registry ports.PluginRegistry,
	repository ports.PluginRepository,
	logger *slog.Logger,
) *RegistryPluginResolver

NewRegistryPluginResolver creates a registry resolver.

func (*RegistryPluginResolver) Resolve

Resolve pulls the plugin from the registry and stores it in the local cache.

type RemoteFetchOptions

type RemoteFetchOptions struct {
	// Headers are custom HTTP headers to send with the request.
	Headers map[string]string

	// Timeout overrides the default fetch timeout.
	Timeout time.Duration

	// Refresh forces a cache bypass and re-fetch.
	Refresh bool

	// AllowPrivateNetwork permits fetching from private IP addresses.
	AllowPrivateNetwork bool

	// Insecure allows TLS certificate validation to be skipped.
	Insecure bool
}

RemoteFetchOptions configures a fetch operation.

type RemoteFetchResult

type RemoteFetchResult struct {
	// FetchedAt is when the content was fetched (or cache entry created).
	FetchedAt time.Time

	// Reference is the parsed profile reference.
	Reference values.ProfileReference

	// ContentHash is the SHA256 digest of the content.
	ContentHash values.Digest

	// Content is the raw profile YAML content.
	Content []byte

	// FromCache indicates if the content came from cache.
	FromCache bool
}

RemoteFetchResult contains the result of fetching a remote profile.

type RemoteProfileService

type RemoteProfileService struct {

	// OnFetchStart is called when a fetch operation begins.
	OnFetchStart func(url string)

	// OnFetchComplete is called when a fetch operation completes.
	OnFetchComplete func(url string, cached bool)

	// DefaultTTL is the cache TTL for fetched profiles.
	DefaultTTL time.Duration
	// contains filtered or unexported fields
}

RemoteProfileService handles fetching and loading profiles from remote URLs. It uses the ProfileFetcher port for HTTP/OCI fetching and integrates with the profile cache for performance and offline support.

func NewRemoteProfileService

func NewRemoteProfileService(
	fetcher ports.ProfileFetcher,
	opts ...RemoteProfileServiceOption,
) *RemoteProfileService

NewRemoteProfileService creates a new remote profile service.

func (*RemoteProfileService) Fetch

Fetch retrieves a profile from a remote URL. It checks the cache first (unless Refresh is true), then fetches from the network.

func (*RemoteProfileService) FetchAsReader

func (s *RemoteProfileService) FetchAsReader(
	ctx context.Context,
	urlString string,
	opts RemoteFetchOptions,
) (io.Reader, error)

FetchAsReader fetches a profile and returns it as an io.Reader. This is useful for integration with ProfileLoader.LoadProfileFromReader.

type RemoteProfileServiceOption

type RemoteProfileServiceOption func(*RemoteProfileService)

RemoteProfileServiceOption configures a RemoteProfileService.

func WithCache

WithCache sets the profile cache repository.

func WithDefaultTTL

func WithDefaultTTL(ttl time.Duration) RemoteProfileServiceOption

WithDefaultTTL sets the default cache TTL.

func WithRemoteLogger

func WithRemoteLogger(logger *slog.Logger) RemoteProfileServiceOption

WithRemoteLogger sets the logger.

type TrustResult

type TrustResult struct {
	Trusted    bool
	FromConfig bool
	FromFlag   bool
}

TrustResult represents the result of a trust check.

type ValidateProfileUseCase

type ValidateProfileUseCase struct {
	// contains filtered or unexported fields
}

ValidateProfileUseCase validates profile structure without execution. This provides fast feedback during profile development by checking:

  • Profile metadata (name, version)
  • Control definitions (ID, name, observations)
  • Dependency graph (cycle detection)
  • Expect expression syntax (expr-lang)

func NewValidateProfileUseCase

func NewValidateProfileUseCase(
	profileLoader ports.ProfileLoader,
	profileCompiler *domainservices.ProfileCompiler,
	opts ...ValidateProfileUseCaseOption,
) *ValidateProfileUseCase

NewValidateProfileUseCase creates a new validate profile use case. ProfileLoader and ProfileCompiler are required dependencies.

func (*ValidateProfileUseCase) Execute

Execute validates the profile and returns validation results.

type ValidateProfileUseCaseOption

type ValidateProfileUseCaseOption func(*ValidateProfileUseCase)

ValidateProfileUseCaseOption configures a ValidateProfileUseCase.

func WithValidateDependencyResolver

func WithValidateDependencyResolver(r *domainservices.DependencyResolver) ValidateProfileUseCaseOption

WithValidateDependencyResolver sets a custom dependency resolver.

func WithValidateExpectValidator

func WithValidateExpectValidator(v *domainservices.ExpectValidator) ValidateProfileUseCaseOption

WithValidateExpectValidator sets a custom expect validator.

func WithValidateLogger

func WithValidateLogger(l *slog.Logger) ValidateProfileUseCaseOption

WithValidateLogger sets the logger.

func WithValidateProfileValidator

func WithValidateProfileValidator(v ports.ProfileValidator) ValidateProfileUseCaseOption

WithValidateProfileValidator sets the profile validator.
