up

src/Policy/StellaOps.Policy.Engine/Services/PolicyBundleService.cs

@@ -0,0 +1,92 @@
+using System.Collections.Immutable;
+using System.Security.Cryptography;
+using System.Text;
+using StellaOps.Policy.Engine.Domain;
+
+namespace StellaOps.Policy.Engine.Services;
+
+/// <summary>
+/// Compiles policy DSL to canonical representation, signs it deterministically, and stores per revision.
+/// </summary>
+internal sealed class PolicyBundleService
+{
+    private readonly PolicyCompilationService _compilationService;
+    private readonly IPolicyPackRepository _repository;
+    private readonly TimeProvider _timeProvider;
+
+    public PolicyBundleService(
+        PolicyCompilationService compilationService,
+        IPolicyPackRepository repository,
+        TimeProvider timeProvider)
+    {
+        _compilationService = compilationService ?? throw new ArgumentNullException(nameof(compilationService));
+        _repository = repository ?? throw new ArgumentNullException(nameof(repository));
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }
+
+    public async Task<PolicyBundleResponse> CompileAndStoreAsync(
+        string packId,
+        int version,
+        PolicyBundleRequest request,
+        CancellationToken cancellationToken)
+    {
+        if (string.IsNullOrWhiteSpace(packId))
+        {
+            throw new ArgumentException("packId is required", nameof(packId));
+        }
+
+        if (request is null)
+        {
+            throw new ArgumentNullException(nameof(request));
+        }
+
+        var compileResult = _compilationService.Compile(new PolicyCompileRequest(request.Dsl));
+        if (!compileResult.Success || compileResult.CanonicalRepresentation.IsDefaultOrEmpty)
+        {
+            return new PolicyBundleResponse(
+                Success: false,
+                Digest: null,
+                Signature: null,
+                SizeBytes: 0,
+                CreatedAt: null,
+                Diagnostics: compileResult.Diagnostics);
+        }
+
+        var payload = compileResult.CanonicalRepresentation.ToArray();
+        var digest = compileResult.Digest ?? $"sha256:{ComputeSha256Hex(payload)}";
+        var signature = Sign(digest, request.SigningKeyId);
+        var createdAt = _timeProvider.GetUtcNow();
+
+        var record = new PolicyBundleRecord(
+            Digest: digest,
+            Signature: signature,
+            Size: payload.Length,
+            CreatedAt: createdAt,
+            Payload: payload.ToImmutableArray());
+
+        await _repository.StoreBundleAsync(packId, version, record, cancellationToken).ConfigureAwait(false);
+
+        return new PolicyBundleResponse(
+            Success: true,
+            Digest: digest,
+            Signature: signature,
+            SizeBytes: payload.Length,
+            CreatedAt: createdAt,
+            Diagnostics: compileResult.Diagnostics);
+    }
+
+    private static string ComputeSha256Hex(byte[] payload)
+    {
+        Span<byte> hash = stackalloc byte[32];
+        SHA256.HashData(payload, hash);
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+
+    private static string Sign(string digest, string? signingKeyId)
+    {
+        // Deterministic signature stub suitable for offline testing.
+        var key = string.IsNullOrWhiteSpace(signingKeyId) ? "policy-dev-signer" : signingKeyId.Trim();
+        var mac = HMACSHA256.HashData(Encoding.UTF8.GetBytes(key), Encoding.UTF8.GetBytes(digest));
+        return $"sig:sha256:{Convert.ToHexString(mac).ToLowerInvariant()}";
+    }
+}