ralph/config/validation/
trust.rs1use super::agent::agent_has_execution_settings;
16use crate::config::{ConfigLayer, RepoTrust};
17use anyhow::{Result, bail};
18
19pub const ERR_PROJECT_EXECUTION_TRUST: &str = "Project config defines execution-sensitive settings (runner binaries, plugin runners, agent.ci_gate, and/or plugins), but this repo is not trusted. Run `ralph config trust init`, use `ralph init --trust-project-commands` when bootstrapping, create `.ralph/trust.jsonc` with {\"allow_project_commands\": true, \"trusted_at\": \"<RFC3339>\"}, or move those settings to trusted global config.";
20
21pub fn validate_project_execution_trust(
22 project_cfg: Option<&ConfigLayer>,
23 repo_trust: &RepoTrust,
24) -> Result<()> {
25 let project_needs_trust = project_cfg.is_some_and(layer_has_execution_settings);
26 if project_needs_trust && !repo_trust.is_trusted() {
27 bail!(ERR_PROJECT_EXECUTION_TRUST);
28 }
29 Ok(())
30}
31
32fn layer_has_execution_settings(layer: &ConfigLayer) -> bool {
33 if agent_has_execution_settings(&layer.agent) {
34 return true;
35 }
36 if !layer.plugins.plugins.is_empty() {
37 return true;
38 }
39 layer
40 .profiles
41 .as_ref()
42 .is_some_and(|profiles| profiles.values().any(agent_has_execution_settings))
43}