from __future__ import annotations from sqlalchemy.orm import Session from govoplan_core.auth import ApiPrincipal from govoplan_core.core.access import TenantContextSwitchRef from govoplan_access.backend.db.models import AuthSession from govoplan_access.backend.security.sessions import switch_auth_session_tenant class AccessTenantContextSwitcher: def switch_tenant_context(self, session: object, *, principal: object, tenant_id: str) -> TenantContextSwitchRef: if not isinstance(session, Session): raise TypeError("AccessTenantContextSwitcher requires a SQLAlchemy session") if not isinstance(principal, ApiPrincipal): raise TypeError("AccessTenantContextSwitcher requires an API principal") if not isinstance(principal.auth_session, AuthSession): raise ValueError("API keys cannot switch tenant context") membership = switch_auth_session_tenant(session, principal.auth_session, tenant_id) return TenantContextSwitchRef( account_id=principal.account_id, membership_id=membership.id, tenant_id=membership.tenant_id, session_id=principal.session_id, )