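"""Device trust policy: only trust cross-signed devices.

Replaces the insecure auto-trust-all pattern with selective verification
based on cross-signing signatures.
"""

import logging
from collections.abc import Mapping

logger = logging.getLogger(__name__)

# Both signature kinds described below are keyed as "ed25519:<id>".
_SIGNING_KEY_PREFIX = "ed25519:"


class CrossSignedOnlyPolicy:
    """Trust only devices that carry a cross-signing signature.

    A device's signatures dict typically contains its own
    ``ed25519:DEVICE_ID`` self-signature. A cross-signed device additionally
    has a signature from the user's self-signing key
    (``ed25519:SELF_SIGNING_PUB``). This policy checks for that extra
    signature.

    This is a presence check only. Nothing in this class validates the
    signature bytes, and nothing confirms that the extra key id really is the
    user's self-signing key, so whoever supplies the device record can satisfy
    it by adding an entry.
    NOTE(review): confirm that signatures are cryptographically verified
    against the user's self-signing key before the device reaches this policy;
    otherwise a True result must not be treated as proof of cross-signing.
    """

    def should_trust(self, user_id: str, device) -> bool:
        """Return True if device has a cross-signing signature beyond its own.

        Fails closed: any malformed or incomplete record yields False.

        Args:
            user_id: Owner of the device; only signatures listed under this
                user are considered.
            device: Object exposing ``device_id`` and a ``signatures``
                mapping of ``user_id -> {key_id: signature}``.

        Returns:
            True when the owner's signature map holds a non-empty signature
            under an ``ed25519:`` key id other than the device's own.
        """
        sigs = getattr(device, "signatures", None)
        if not sigs:
            return False

        # Without a device id the self-signature cannot be told apart from a
        # cross-signature, so the device's own key would count as "extra".
        device_id = getattr(device, "device_id", None)
        if not device_id:
            logger.debug(
                "Not trusting device of %s: device_id missing", user_id
            )
            return False

        user_sigs = sigs.get(user_id)
        if not isinstance(user_sigs, Mapping):
            return False

        device_self_key = f"{_SIGNING_KEY_PREFIX}{device_id}"
        for key_id, signature in user_sigs.items():
            if key_id == device_self_key:
                continue
            # Ignore entries that cannot be an ed25519 signature at all.
            if not isinstance(key_id, str) or not key_id.startswith(
                _SIGNING_KEY_PREFIX
            ):
                continue
            if isinstance(signature, str) and signature:
                return True
        return False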