QiUdZddlZddlZddlZddlmZej jddddlm Z m Z dZ dhZ hdZ gdZeeed <d ed efd Zd eed eefdZdedeed dfdZded eefdZy)u파이프라인 YAML dict 검증 모듈. 설계서 Section 3-2 기반 11개 항목 검증: 1. schema_version 존재 + 지원 버전("1.0") 2. gates 최소 1개 이상 3. token_budget 존재 + 양수 4. blast_radius 유효값("step"|"team"|"org") 5. allowed_teams 비어있지 않음 6. 순환 DAG 검출 (Kahn's algorithm, 자기 참조 포함) 7. 시크릿 패턴 탐지 8. 모든 step의 target_team이 allowed_teams 내에 존재 9. 모든 depends_on 참조가 유효한 step id 10. 모든 step의 task_desc가 injection_guard.check_content() 통과 11. inject_context.source 경로가 WORKSPACE_ROOT 하위인지 검증 (path traversal 방지) 작성자: 토르 (dev2-team 백엔드 개발자) 날짜: 2026-03-24 N)dequez/home/jay/workspace)InjectionBlockedError check_contentz1.0>orgstepteam)zAWS_ACCESS_KEY_ID=AKIA PRIVATE_KEYz password=zsecret=zBEGIN RSA PRIVATE KEYzAPI_KEY=_SECRET_PATTERNStextreturnchtD])}tj||tjs)yy)uH시크릿 패턴이 text에 포함되어 있으면 True를 반환한다.TF)r research IGNORECASE)r patterns P/home/jay/workspace/.worktrees/task-2117-dev1/orchestrator/pipeline_validator.py scan_secretsr)s-# 99WdBMM 2 stepscg}|Dchc] }d|vs|d}}|D]F}|jdd}|jdgD]}||k(s |jd|dH|r|S|Dcic]}|d}}|Dcic]}|g}}|D]Q}|jdd}|jdgD](}||vs||j|||xxdz cc<*Std|jD} d} | rI| j } | dz } || D])} || xxdzcc<|| dk(s| j| +| rI| t |k7r|jd |Scc}wcc}wcc}w) uWKahn's algorithm으로 순환 의존성을 검출한다. 에러 목록을 반환한다.id depends_onStep 'z-' has a self-referencing cycle in depends_on.rc32K|]\}}|dk(s |yw)rN).0nodedegs r zvalidate_dag..KsRytSPQdRs zWPipeline steps contain a circular dependency cycle (Kahn's algorithm detected a cycle).)getappendritemspopleftlen) rerrorssstep_idsrsiddep in_degree adjacencyqueuevisitedrneighbors r validate_dagr11sF!&4A$!)$4H4[hhtR 88L"- [Ccz se+XYZ [[  4< target_teamrz': target_team 'z' is not in allowed_teams rz*': depends_on references unknown step id 'z'. task_descz+': task_desc failed injection guard check: inject_contextsourcerz..z@': inject_context.source contains path traversal sequence '..': z': inject_context.source path 'z6' is outside WORKSPACE_ROOT (path traversal rejected).)r"r#_SUPPORTED_SCHEMA_VERSIONSr5r:r&intfloat_VALID_BLAST_RADIUSsortedsetr9rextendr1rr6rr7ospathnormpathjoinWORKSPACE_ROOT startswith)r=r'r?rArBrCrDallowed_teams_setrr(r) all_stringsr rr*rFr+rGexcrHrInorms rvalidate_pipeliner[isF\\"23N ?@ 9 9 +N+;>JdIeef g LL !E } TU t $E a Z[<</L =>  sEl 3|q7H KLK[[\]^<</LL8K$K %l^3FvNaGbFccd e LL"5M mT *c-.@A.E EF.8.MM*SVSX Wb1E!&4A$!)$4H4 K;/   MMLTRUSUYMYZ[     l5)*$hht[)hh}-  "{:K'K MM-k]:TU[\mUnToopq  88L"- _C(" se+UVYUZZ\]^ _ HH[)   _c)n- "23 nd +#''"5Fs6{" SE!abhakklmww'' ^S[(QR~6MM %DVHMCDE$L Mm5H) _ se+VWZV[[\]^^ _s$1 N";N"5N'' O0OO)__doc__rQrsys collectionsrrRinsertutils.injection_guardrrrUrJrMr r:r6__annotations__boolrr7r1objectr9r[rrrrds& ()F&#W-$s)st)T )tCy)X 0f 0tCy 0T 0__c_r