stage-18: approval queue — human gate before evidence leaves

CERT-Bund (authority) requires_approval by default; PSYC_REQUIRE_APPROVAL=1 forces every routable submission through the queue. Courier branches at execute_routes: approval-required → freeze payload + enqueue, no HTTP; else submit directly as before. Approve dispatches the frozen payload to mock-cert and writes the ledger row (detail=approved_by=…); reject writes a ledger row with the reviewer's reason. CLI: queue / approve / reject. Cockpit /queue page with POST approve / reject and counts. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 21:42:08 +02:00
parent 9e4c217a3d
commit 994a5c642f
10 changed files with 526 additions and 5 deletions
--- a/src/psyc/cli.py
+++ b/src/psyc/cli.py
@@ -284,6 +284,55 @@ def submit_case(case_id: str) -> None:
        typer.echo(f"  ⊘ {b.destination_name}: {b.reason} (logged)")
@app.command("queue")
 def queue_list(
    status: str = typer.Option("pending", help="pending | approved | rejected | all"),
    limit: int = typer.Option(50, help="max rows"),
 ) -> None:
    """List the approval queue."""
    from psyc.models import ApprovalStatus
    status_filter = None if status == "all" else ApprovalStatus(status)
    rows = courier.list_pending(status=status_filter, limit=limit)
    if not rows:
        typer.echo(f"(no submissions with status={status})")
        return
    for p in rows:
        rev = f" by {p.reviewer}" if p.reviewer else ""
        typer.echo(
            f"  #{p.id} {p.status.value:9s} {p.destination_name:16s} {p.case_id} "
            f"({p.payload_kind}, tlp={p.tlp.value}){rev}"
        )
@app.command("approve")
 def approve(
    pending_id: int = typer.Argument(..., help="pending submission id"),
    reviewer: str = typer.Option("operator", "--by", help="reviewer identity"),
 ) -> None:
    """Approve a pending submission — dispatches to its destination."""
    result = courier.dispatch_pending(pending_id, reviewer=reviewer)
    if isinstance(result, Err):
        typer.echo(f"error: {result.reason}", err=True)
        raise typer.Exit(1)
    r = result.value
    rcpt = f" → {r.receipt_id}" if r.receipt_id else ""
    typer.echo(f"approved #{pending_id} · {r.destination_name}: {r.outcome.value}{rcpt}")
@app.command("reject")
 def reject(
    pending_id: int = typer.Argument(..., help="pending submission id"),
    reviewer: str = typer.Option("operator", "--by", help="reviewer identity"),
    reason: str = typer.Option("", "--reason", help="rejection reason"),
 ) -> None:
    """Reject a pending submission — nothing leaves; ledger row written."""
    result = courier.reject_pending(pending_id, reviewer=reviewer, reason=reason)
    if isinstance(result, Err):
        typer.echo(f"error: {result.reason}", err=True)
        raise typer.Exit(1)
    typer.echo(f"rejected #{pending_id}{(': ' + reason) if reason else ''}")
@app.command("mock-cert")
 def mock_cert_serve(host: str = "127.0.0.1", port: int = 8770) -> None:
    uvicorn.run("psyc.mock_cert:app", host=host, port=port)
--- a/src/psyc/cockpit/app.py
+++ b/src/psyc/cockpit/app.py
@@ -5,13 +5,14 @@ from __future__ import annotations
 from pathlib import Path
 from typing import List
-from fastapi import FastAPI, HTTPException, Request
+from fastapi import FastAPI, Form, HTTPException, Request
-from fastapi.responses import HTMLResponse
+from fastapi.responses import HTMLResponse, RedirectResponse
 from fastapi.staticfiles import StaticFiles
 from fastapi.templating import Jinja2Templates
 from psyc import db, log
 from psyc.cockpit import inference, journey as journey_view
 from psyc.lines import courier as courier_line
 from psyc.lines import ledger as ledger_line
 from psyc.lines import route as route_line
 from psyc.lines import seal as seal_line
@@ -102,3 +103,36 @@ def healthz() -> dict:
 def inference_status() -> dict:
    adapter = inference.server_adapter()
    return {"online": adapter is not None, "adapter": adapter}
@app.get("/queue", response_class=HTMLResponse)
 def queue_view(request: Request, status: str = "pending") -> HTMLResponse:
    from psyc.models import ApprovalStatus
    status_filter = None if status == "all" else ApprovalStatus(status)
    rows = courier_line.list_pending(status=status_filter, limit=200)
    counts = {
        "pending": courier_line.pending_count(ApprovalStatus.PENDING),
        "approved": courier_line.pending_count(ApprovalStatus.APPROVED),
        "rejected": courier_line.pending_count(ApprovalStatus.REJECTED),
    }
    return TEMPLATES.TemplateResponse(
        request,
        "queue.html",
        {"rows": rows, "counts": counts, "current_status": status},
    )
@app.post("/queue/approve/{pid}")
 def queue_approve(pid: int, reviewer: str = Form("operator")) -> RedirectResponse:
    result = courier_line.dispatch_pending(pid, reviewer=reviewer)
    if isinstance(result, Err):
        _log.warning("cockpit.queue.approve.error", pending_id=pid, reason=result.reason)
    return RedirectResponse("/queue", status_code=303)
@app.post("/queue/reject/{pid}")
 def queue_reject(pid: int, reviewer: str = Form("operator"), reason: str = Form("")) -> RedirectResponse:
    result = courier_line.reject_pending(pid, reviewer=reviewer, reason=reason)
    if isinstance(result, Err):
        _log.warning("cockpit.queue.reject.error", pending_id=pid, reason=result.reason)
    return RedirectResponse("/queue", status_code=303)
--- a/src/psyc/cockpit/static/cockpit.css
+++ b/src/psyc/cockpit/static/cockpit.css
@@ -285,3 +285,32 @@ tr.sev-low .sev-badge { color: var(--muted); }
  border-radius: 4px; padding: 4px 12px; font: inherit; font-size: 12px; cursor: pointer;
 }
 .replay-btn:hover { border-color: var(--accent); }
 /* ── approval queue ─────────────────────────────────────────── */
 .queue-tabs { display: flex; gap: 4px; margin: 12px 0 16px; border-bottom: 1px solid var(--border); }
 .queue-tab {
  padding: 6px 14px; color: var(--muted); border: 1px solid transparent;
  border-bottom: none; border-radius: 4px 4px 0 0; font-size: 12px;
  text-transform: uppercase; letter-spacing: 0.05em;
 }
 .queue-tab:hover { color: var(--text); }
 .queue-tab.is-active {
  color: var(--accent); border-color: var(--border) var(--border) transparent;
  background: var(--panel-2);
 }
 .queue-action { display: inline-flex; gap: 4px; margin-right: 6px; align-items: center; }
 .btn {
  background: var(--panel-2); color: var(--text); border: 1px solid var(--border);
  border-radius: 3px; padding: 4px 10px; font: inherit; font-size: 12px; cursor: pointer;
 }
 .btn:hover { border-color: var(--accent); }
 .btn-approve { color: var(--green); border-color: rgba(74, 222, 128, 0.35); }
 .btn-approve:hover { background: rgba(74, 222, 128, 0.08); border-color: var(--green); }
 .btn-reject { color: var(--red); border-color: rgba(248, 113, 113, 0.35); }
 .btn-reject:hover { background: rgba(248, 113, 113, 0.08); border-color: var(--red); }
 .reject-reason {
  background: var(--bg); color: var(--text); border: 1px solid var(--border);
  border-radius: 3px; padding: 3px 6px; font: inherit; font-size: 11px; width: 130px;
 }
 .reject-reason::placeholder { color: var(--muted); }
 .outcome-pending_approval { background: rgba(251, 191, 36, 0.15); color: var(--amber); border: 1px solid rgba(251, 191, 36, 0.4); }
--- a/src/psyc/cockpit/templates/base.html
+++ b/src/psyc/cockpit/templates/base.html
@@ -18,6 +18,7 @@
    </a>
    <nav class="nav">
      <a href="/cases">Cases</a>
      <a href="/queue">Queue</a>
      <a href="/ledger">Ledger</a>
      <a href="/train">Trainline</a>
    </nav>
--- a/src/psyc/cockpit/templates/queue.html
+++ b/src/psyc/cockpit/templates/queue.html
@@ -0,0 +1,73 @@
 {% extends "base.html" %}
 {% block title %}Approval Queue — psyc{% endblock %}
 {% block content %}
 <section class="panel">
  <div class="panel-head">
    <h1>Submission Approval Queue</h1>
    <span class="count">{{ counts.pending }} pending · {{ counts.approved }} approved · {{ counts.rejected }} rejected</span>
  </div>
  <p class="page-intro">Nothing leaves psyc to an authority destination without a human signing off. Routing builds the payload, freezes it here, and waits. You approve — Courier dispatches and the Ledger records. You reject — nothing leaves, and the rejection is recorded too.</p>
  <details class="page-help">
    <summary>how to use this view</summary>
    <div class="help-body">
      <p><b>How to use.</b> Each row is a payload waiting on you. Click the case to inspect it before deciding. Approve sends it now; Reject blocks it forever (the case can still be re-submitted later from CLI if appropriate).</p>
      <p><b>What you're seeing.</b> Pending submissions for destinations marked <code>requires_approval=True</code> — CERT-Bund by default, or <em>all</em> destinations when <code>PSYC_REQUIRE_APPROVAL=1</code>.</p>
      <p><b>Why it matters.</b> The dossier mandates a human gate before evidence reaches real authority systems. This is that gate. The frozen payload guarantees the reviewer approves exactly what gets sent — not a re-derived version that might have drifted.</p>
    </div>
  </details>
  <div class="queue-tabs">
    <a class="queue-tab{% if current_status == 'pending' %} is-active{% endif %}" href="/queue?status=pending">pending ({{ counts.pending }})</a>
    <a class="queue-tab{% if current_status == 'approved' %} is-active{% endif %}" href="/queue?status=approved">approved ({{ counts.approved }})</a>
    <a class="queue-tab{% if current_status == 'rejected' %} is-active{% endif %}" href="/queue?status=rejected">rejected ({{ counts.rejected }})</a>
    <a class="queue-tab{% if current_status == 'all' %} is-active{% endif %}" href="/queue?status=all">all</a>
  </div>
  {% if not rows %}
    <p class="empty">Queue is clear. Either nothing is pending, or no destination on the current cases requires approval. Set <code>PSYC_REQUIRE_APPROVAL=1</code> to force every routable submission through this gate.</p>
  {% else %}
  <table class="ledger">
    <thead>
      <tr>
        <th>#</th>
        <th>Created</th>
        <th>Case</th>
        <th>Destination</th>
        <th>Payload</th>
        <th>TLP</th>
        <th>Hash</th>
        <th>Status</th>
        <th>Action</th>
      </tr>
    </thead>
    <tbody>
    {% for p in rows %}
      <tr class="ledger-row{% if p.status.value == 'rejected' %} is-rejected{% elif p.status.value == 'approved' %} is-actioned{% endif %}">
        <td>#{{ p.id }}</td>
        <td class="lg-ts">{{ p.created_at.strftime('%Y-%m-%d %H:%M:%S') }}</td>
        <td class="lg-case"><a href="/cases/{{ p.case_id }}">{{ p.case_id }}</a></td>
        <td class="lg-dest">{{ p.destination_name }}</td>
        <td>{{ p.payload_kind }}</td>
        <td><span class="tlp-badge tlp-{{ p.tlp.value }}">{{ p.tlp.value }}</span></td>
        <td class="lg-hash">{{ p.payload_hash[:12] }}…</td>
        <td><span class="outcome-badge outcome-{{ 'submitted' if p.status.value == 'approved' else ('rejected' if p.status.value == 'rejected' else 'pending_approval') }}">{{ p.status.value }}</span></td>
        <td>
          {% if p.status.value == 'pending' %}
            <form method="post" action="/queue/approve/{{ p.id }}" class="queue-action">
              <button type="submit" class="btn btn-approve">approve</button>
            </form>
            <form method="post" action="/queue/reject/{{ p.id }}" class="queue-action">
              <input type="text" name="reason" placeholder="reason (optional)" class="reject-reason">
              <button type="submit" class="btn btn-reject">reject</button>
            </form>
          {% else %}
            <span class="lg-sub">{{ p.reviewer or '—' }}{% if p.reason %} · {{ p.reason }}{% endif %}</span>
          {% endif %}
        </td>
      </tr>
    {% endfor %}
    </tbody>
  </table>
  {% endif %}
 </section>
 {% endblock %}
--- a/src/psyc/db.py
+++ b/src/psyc/db.py
@@ -64,6 +64,24 @@ ledger = Table(
 Index("ledger_case_idx", ledger.c.case_id)
 Index("ledger_time_idx", ledger.c.timestamp.desc())
 pending = Table(
    "pending_submissions", _metadata,
    Column("id", Integer, primary_key=True, autoincrement=True),
    Column("case_id", String, nullable=False),
    Column("destination_name", String, nullable=False),
    Column("payload_kind", String, nullable=False),
    Column("payload_hash", String, nullable=False),
    Column("payload_json", Text, nullable=False),
    Column("tlp", String, nullable=False),
    Column("created_at", String, nullable=False),
    Column("status", String, nullable=False),
    Column("reviewer", String, nullable=True),
    Column("reviewed_at", String, nullable=True),
    Column("reason", String, nullable=True),
 )
 Index("pending_status_idx", pending.c.status)
 Index("pending_case_idx", pending.c.case_id)
 _log = log.get(__name__)
 _engine: Optional[Engine] = None
--- a/src/psyc/lines/courier.py
+++ b/src/psyc/lines/courier.py
@@ -1,18 +1,21 @@
-"""Courier — payload building + HTTP submission to destination endpoints."""
+"""Courier — payload building + HTTP submission, with optional approval queue."""
 from __future__ import annotations
 import hashlib
 import json
 import os
 from datetime import datetime, timezone
 from typing import Any, Dict, List, Optional
 import httpx
 from pydantic import BaseModel, Field
 from sqlalchemy import select, update
-from psyc import log
+from psyc import db, log
 from psyc.lines import ledger as ledger_line
 from psyc.lines.route import BlockedRoute, Route, endpoint_for
-from psyc.models import Case, Outcome, SealedPackage
+from psyc.models import ApprovalStatus, Case, Outcome, PendingSubmission, SealedPackage, TLP
 from psyc.result import Err, Ok, Result
@@ -122,8 +125,32 @@ def execute_blocked_routes(case: Case, blocked: List[BlockedRoute]) -> None:
        )
 def _force_approval() -> bool:
    return os.environ.get("PSYC_REQUIRE_APPROVAL", "").lower() in ("1", "true", "yes")
 def _enqueue_pending(case: Case, route: Route, payload: Dict[str, Any], payload_hash: str) -> int:
    now = datetime.now(timezone.utc).isoformat()
    stmt = db.pending.insert().values(
        case_id=case.case_id,
        destination_name=route.destination_name,
        payload_kind=route.payload_kind,
        payload_hash=payload_hash,
        payload_json=json.dumps(payload, sort_keys=True),
        tlp=case.classification.tlp.value,
        created_at=now,
        status=ApprovalStatus.PENDING.value,
    )
    with db.engine().begin() as conn:
        res = conn.execute(stmt)
        pid = int(res.inserted_primary_key[0])
    _log.info("courier.queued", case_id=case.case_id, destination=route.destination_name, pending_id=pid)
    return pid
 def execute_routes(case: Case, routes: List[Route], sealed_pkg: Optional[SealedPackage] = None) -> List[SubmitResult]:
    results: List[SubmitResult] = []
    force = _force_approval()
    for r in routes:
        endpoint = endpoint_for(r.destination_name)
        if endpoint is None:
@@ -140,6 +167,14 @@ def execute_routes(case: Case, routes: List[Route], sealed_pkg: Optional[SealedP
            continue
        payload = build_payload(case, r.payload_kind, sealed_pkg)
        payload_hash = _hash_payload(payload)
        if r.requires_approval or force:
            pid = _enqueue_pending(case, r, payload, payload_hash)
            results.append(SubmitResult(
                destination_name=r.destination_name,
                outcome=Outcome.PENDING_APPROVAL,
                detail=f"pending_id={pid}",
            ))
            continue
        result = submit(endpoint, payload)
        if isinstance(result, Err):
            ledger_line.write(
@@ -166,3 +201,129 @@ def execute_routes(case: Case, routes: List[Route], sealed_pkg: Optional[SealedP
        )
        results.append(SubmitResult(destination_name=r.destination_name, outcome=outcome, receipt_id=receipt.receipt_id))
    return results
 def _row_to_pending(row: Any) -> PendingSubmission:
    return PendingSubmission(
        id=row.id,
        case_id=row.case_id,
        destination_name=row.destination_name,
        payload_kind=row.payload_kind,
        payload_hash=row.payload_hash,
        payload_json=row.payload_json,
        tlp=TLP(row.tlp),
        created_at=datetime.fromisoformat(row.created_at),
        status=ApprovalStatus(row.status),
        reviewer=row.reviewer,
        reviewed_at=datetime.fromisoformat(row.reviewed_at) if row.reviewed_at else None,
        reason=row.reason,
    )
 def list_pending(status: Optional[ApprovalStatus] = ApprovalStatus.PENDING, limit: int = 200) -> List[PendingSubmission]:
    stmt = select(db.pending)
    if status is not None:
        stmt = stmt.where(db.pending.c.status == status.value)
    stmt = stmt.order_by(db.pending.c.created_at.desc()).limit(limit)
    with db.engine().connect() as conn:
        rows = conn.execute(stmt).fetchall()
    return [_row_to_pending(r) for r in rows]
 def get_pending(pid: int) -> Result[PendingSubmission, str]:
    stmt = select(db.pending).where(db.pending.c.id == pid)
    with db.engine().connect() as conn:
        row = conn.execute(stmt).fetchone()
    if row is None:
        return Err(f"pending submission not found: {pid}")
    return Ok(_row_to_pending(row))
 def pending_count(status: ApprovalStatus = ApprovalStatus.PENDING) -> int:
    from sqlalchemy import func as sa_func
    stmt = select(sa_func.count()).select_from(db.pending).where(db.pending.c.status == status.value)
    with db.engine().connect() as conn:
        return int(conn.execute(stmt).scalar_one())
 def dispatch_pending(pid: int, reviewer: str = "operator") -> Result[SubmitResult, str]:
    """Approve and submit a pending entry — POST to destination, write ledger, mark approved."""
    pending_r = get_pending(pid)
    if isinstance(pending_r, Err):
        return Err(pending_r.reason)
    p = pending_r.value
    if p.status != ApprovalStatus.PENDING:
        return Err(f"pending submission {pid} is already {p.status.value}")
    endpoint = endpoint_for(p.destination_name)
    if endpoint is None:
        return Err(f"no endpoint configured for {p.destination_name}")
    payload = json.loads(p.payload_json)
    result = submit(endpoint, payload)
    now = datetime.now(timezone.utc).isoformat()
    if isinstance(result, Err):
        ledger_line.write(
            case_id=p.case_id,
            destination=p.destination_name,
            payload_hash=p.payload_hash,
            submitter_identity=SUBMITTER_IDENTITY,
            tlp=p.tlp,
            outcome=Outcome.FAILED,
            detail=result.reason,
        )
        with db.engine().begin() as conn:
            conn.execute(update(db.pending).where(db.pending.c.id == pid).values(
                status=ApprovalStatus.APPROVED.value,
                reviewer=reviewer,
                reviewed_at=now,
                reason=f"submit failed: {result.reason}",
            ))
        return Ok(SubmitResult(destination_name=p.destination_name, outcome=Outcome.FAILED, detail=result.reason))
    receipt = result.value
    outcome = _STATUS_TO_OUTCOME.get(receipt.status, Outcome.SUBMITTED)
    ledger_line.write(
        case_id=p.case_id,
        destination=p.destination_name,
        payload_hash=p.payload_hash,
        submitter_identity=SUBMITTER_IDENTITY,
        tlp=p.tlp,
        outcome=outcome,
        response_id=receipt.receipt_id,
        detail=f"approved_by={reviewer}",
    )
    with db.engine().begin() as conn:
        conn.execute(update(db.pending).where(db.pending.c.id == pid).values(
            status=ApprovalStatus.APPROVED.value,
            reviewer=reviewer,
            reviewed_at=now,
        ))
    _log.info("courier.approved", pending_id=pid, reviewer=reviewer, outcome=outcome.value)
    return Ok(SubmitResult(destination_name=p.destination_name, outcome=outcome, receipt_id=receipt.receipt_id))
 def reject_pending(pid: int, reviewer: str = "operator", reason: str = "") -> Result[None, str]:
    """Reject a pending entry — write ledger reject row, mark rejected. Nothing leaves."""
    pending_r = get_pending(pid)
    if isinstance(pending_r, Err):
        return Err(pending_r.reason)
    p = pending_r.value
    if p.status != ApprovalStatus.PENDING:
        return Err(f"pending submission {pid} is already {p.status.value}")
    now = datetime.now(timezone.utc).isoformat()
    ledger_line.write(
        case_id=p.case_id,
        destination=p.destination_name,
        payload_hash=p.payload_hash,
        submitter_identity=SUBMITTER_IDENTITY,
        tlp=p.tlp,
        outcome=Outcome.REJECTED,
        detail=f"rejected_by={reviewer}: {reason}" if reason else f"rejected_by={reviewer}",
    )
    with db.engine().begin() as conn:
        conn.execute(update(db.pending).where(db.pending.c.id == pid).values(
            status=ApprovalStatus.REJECTED.value,
            reviewer=reviewer,
            reviewed_at=now,
            reason=reason or None,
        ))
    _log.info("courier.rejected", pending_id=pid, reviewer=reviewer)
    return Ok(None)
--- a/src/psyc/lines/route.py
+++ b/src/psyc/lines/route.py
@@ -38,6 +38,7 @@ class Destination(BaseModel):
    priority: int
    payload_kind: str
    countries: List[str] = Field(default_factory=list)
    requires_approval: bool = False
 class Route(BaseModel):
@@ -45,6 +46,7 @@ class Route(BaseModel):
    priority: int
    payload_kind: str
    max_tlp_allowed: TLP
    requires_approval: bool = False
 class BlockedRoute(BaseModel):
@@ -61,6 +63,7 @@ DESTINATIONS: List[Destination] = [
        priority=1,
        payload_kind="sealed_evidence_package",
        countries=["DE"],
        requires_approval=True,
    ),
    Destination(
        name="MISP-Community",
@@ -111,6 +114,7 @@ def plan(case: Case) -> Tuple[List[Route], List[BlockedRoute]]:
            priority=d.priority,
            payload_kind=d.payload_kind,
            max_tlp_allowed=d.max_tlp,
            requires_approval=d.requires_approval,
        ))
    routes.sort(key=lambda r: r.priority)
    _log.info("route.planned", case_id=case.case_id, allowed=len(routes), blocked=len(blocked))
--- a/src/psyc/models.py
+++ b/src/psyc/models.py
@@ -133,6 +133,7 @@ class Outcome(str, Enum):
    REJECTED = "rejected"
    ACTIONED = "actioned"
    FAILED = "failed"
    PENDING_APPROVAL = "pending_approval"
 class LedgerEntry(BaseModel):
@@ -146,3 +147,24 @@ class LedgerEntry(BaseModel):
    response_id: Optional[str] = None
    outcome: Outcome
    detail: Optional[str] = None
 class ApprovalStatus(str, Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
 class PendingSubmission(BaseModel):
    id: Optional[int] = None
    case_id: str
    destination_name: str
    payload_kind: str
    payload_hash: str
    payload_json: str  # frozen payload — what will be sent on approval
    tlp: TLP
    created_at: datetime
    status: ApprovalStatus = ApprovalStatus.PENDING
    reviewer: Optional[str] = None
    reviewed_at: Optional[datetime] = None
    reason: Optional[str] = None
--- a/tests/test_courier.py
+++ b/tests/test_courier.py
@@ -0,0 +1,130 @@
 """Courier approval-queue tests — gating, dispatch, rejection."""
 from __future__ import annotations
 import pytest
 from sqlalchemy import create_engine, select
 from psyc import db
 from psyc.lines import courier, ledger as ledger_line
 from psyc.lines.route import Route
 from psyc.models import ApprovalStatus, Outcome, TLP
 from psyc.result import Ok
 from conftest import make_case
@pytest.fixture
 def fresh_db(tmp_path, monkeypatch):
    test_db = tmp_path / "test.db"
    test_engine = create_engine(f"sqlite:///{test_db}", future=True)
    db._metadata.create_all(test_engine, checkfirst=True)
    monkeypatch.setattr(db, "_engine", test_engine)
    monkeypatch.setattr(db, "DB_PATH", test_db)
    yield test_db
 def _malware_url_route(requires_approval: bool) -> Route:
    return Route(
        destination_name="URLhaus",
        priority=3,
        payload_kind="malware_url_report",
        max_tlp_allowed=TLP.GREEN,
        requires_approval=requires_approval,
    )
 def test_execute_routes_enqueues_when_approval_required(fresh_db, monkeypatch):
    case = make_case(feed="urlhaus", urls=["http://1.2.3.4/x"], ips=["1.2.3.4"])
    case.classification.tlp = TLP.GREEN
    # No HTTP should happen — submit must NOT be called on the approval branch.
    def boom(*a, **kw):
        raise AssertionError("submit() must not be called when approval is required")
    monkeypatch.setattr(courier, "submit", boom)
    results = courier.execute_routes(case, [_malware_url_route(requires_approval=True)])
    assert len(results) == 1
    assert results[0].outcome is Outcome.PENDING_APPROVAL
    pending = courier.list_pending()
    assert len(pending) == 1
    assert pending[0].destination_name == "URLhaus"
    assert pending[0].status is ApprovalStatus.PENDING
    assert pending[0].payload_hash  # frozen hash present
    assert pending[0].payload_json  # frozen payload present
 def test_execute_routes_force_approval_via_env(fresh_db, monkeypatch):
    case = make_case(feed="urlhaus", urls=["http://1.2.3.4/x"], ips=["1.2.3.4"])
    case.classification.tlp = TLP.GREEN
    monkeypatch.setenv("PSYC_REQUIRE_APPROVAL", "1")
    monkeypatch.setattr(courier, "submit", lambda *a, **kw: (_ for _ in ()).throw(AssertionError("must not submit")))
    results = courier.execute_routes(case, [_malware_url_route(requires_approval=False)])
    assert results[0].outcome is Outcome.PENDING_APPROVAL
    assert courier.pending_count() == 1
 def test_dispatch_pending_submits_and_marks_approved(fresh_db, monkeypatch):
    case = make_case(feed="urlhaus", urls=["http://1.2.3.4/x"], ips=["1.2.3.4"])
    case.classification.tlp = TLP.GREEN
    monkeypatch.setattr(courier, "submit", lambda *a, **kw: (_ for _ in ()).throw(AssertionError("queue phase")))
    courier.execute_routes(case, [_malware_url_route(requires_approval=True)])
    pid = courier.list_pending()[0].id
    # Now approve — submit IS called, returns a receipt.
    receipt = courier.Receipt(receipt_id="r-001", destination="urlhaus", status="acknowledged", response_body={})
    monkeypatch.setattr(courier, "submit", lambda *a, **kw: Ok(receipt))
    result = courier.dispatch_pending(pid, reviewer="alice")
    assert isinstance(result, Ok)
    assert result.value.outcome is Outcome.ACKNOWLEDGED
    assert result.value.receipt_id == "r-001"
    # Pending row now marked approved.
    refreshed = courier.get_pending(pid).value
    assert refreshed.status is ApprovalStatus.APPROVED
    assert refreshed.reviewer == "alice"
    # Ledger has a corresponding row.
    entries = ledger_line.list_by_case(case.case_id, limit=10)
    assert any(e.outcome is Outcome.ACKNOWLEDGED and e.destination == "URLhaus" for e in entries)
 def test_reject_pending_writes_rejection_to_ledger(fresh_db, monkeypatch):
    case = make_case(feed="urlhaus", urls=["http://1.2.3.4/x"], ips=["1.2.3.4"])
    case.classification.tlp = TLP.GREEN
    monkeypatch.setattr(courier, "submit", lambda *a, **kw: (_ for _ in ()).throw(AssertionError("queue phase")))
    courier.execute_routes(case, [_malware_url_route(requires_approval=True)])
    pid = courier.list_pending()[0].id
    # Reject — submit must NOT be called.
    def boom(*a, **kw):
        raise AssertionError("rejected submissions must not POST")
    monkeypatch.setattr(courier, "submit", boom)
    result = courier.reject_pending(pid, reviewer="bob", reason="payload looks wrong")
    assert isinstance(result, Ok)
    refreshed = courier.get_pending(pid).value
    assert refreshed.status is ApprovalStatus.REJECTED
    assert refreshed.reviewer == "bob"
    assert refreshed.reason == "payload looks wrong"
    entries = ledger_line.list_by_case(case.case_id, limit=10)
    assert any(e.outcome is Outcome.REJECTED and "rejected_by=bob" in (e.detail or "") for e in entries)
 def test_double_approve_is_rejected(fresh_db, monkeypatch):
    case = make_case(feed="urlhaus", urls=["http://1.2.3.4/x"], ips=["1.2.3.4"])
    case.classification.tlp = TLP.GREEN
    monkeypatch.setattr(courier, "submit", lambda *a, **kw: (_ for _ in ()).throw(AssertionError("queue phase")))
    courier.execute_routes(case, [_malware_url_route(requires_approval=True)])
    pid = courier.list_pending()[0].id
    receipt = courier.Receipt(receipt_id="r-002", destination="urlhaus", status="acknowledged", response_body={})
    monkeypatch.setattr(courier, "submit", lambda *a, **kw: Ok(receipt))
    courier.dispatch_pending(pid, reviewer="alice")
    # Second approval of the same id must fail — no double-submission.
    again = courier.dispatch_pending(pid, reviewer="alice")
    assert not isinstance(again, Ok)