üi.jUdZddlmZddlZddlZddlZddlmZddlm Z dZ dZ dZ dgZ d ed <de d  dd Zddd  ddZddd  ddZddd  ddZddddZddddZdd ddZ ddd d dZdddd d!dZy)"uUSilent corruption guard for task done preconditions. Three hardcoded fail-closed checks: 1. ``check_pr_merged_at`` — ``gh pr view --json mergedAt`` not null. 2. ``check_pr_merge_commit_oid`` — ``gh pr view --json mergeCommit`` oid not null. 3. ``check_origin_main_ancestry`` — race-safe fetch + 2회 교차 검증으로 ``origin/`` 가 merge commit 의 ancestor 인지 확인. 각 함수는 ``GuardResult-like`` dict 를 반환 한다:: {"ok": bool, "reason": str, "detail": dict} 외부 호출 (subprocess, gh, git) 실패 시 항상 fail-closed (``ok=False``). ) annotationsN)Path)Optionalg?gh list[str]DEFAULT_GH_CMDcwdtimeoutc , tj||r t|nddd|dd}|j|j|j fS#tj ttf$r'}ddt|jd|fcYd}~Sd}~wwxYw)zRun subprocess with shell=False, capture_output, timeout. Returns ``(returncode, stdout, stderr)``. On any exception returns ``(-1, "", str(exc))`` so callers can fail-closed without try/except noise. NTF)r capture_outputtextr shellcheckz: ) subprocessrunstr returncodestdoutstderrTimeoutExpiredFileNotFoundErrorOSErrortype__name__)cmdr r procexcs N/home/jay/workspace/.worktrees/task-2487-dev2/utils/silent_corruption_guard.py_runr#!s 6~~ CT  T[[88  % %'8' B62$s),,-Ru5556sA AB,BBBgh_cmdr cr|r t|ntt}|ddt|d|ddgz}t||t\}}} |dk7rdd | j xsd |fS t j|} || vrdd d |fSd | |dfS#t j$r} dd d | fcYd } ~ Sd } ~ wwxYw)zRun ``gh pr view --repo --json mergedAt,mergeCommit -q ''``. Returns ``(ok, value, raw_stderr_or_msg)``. ``value`` is whatever JSON the ``-q`` selector emits (string for mergedAt, object/None for mergeCommit). prviewz--repoz--jsonzmergedAt,mergeCommitr rFNz gh exited rc=zgh JSON decode failed: zmissing field Tr) listr rr#_GH_TIMEOUT_SECstripjsonloadsJSONDecodeError) pr_numberrepofieldr%r baserrcrrpayloadr!s r"_gh_view_fieldr5;s"4r?rDs r"check_pr_merge_commit_oidrIs$4v3NBs +C51$-tmT  eT "6$-tER  ))E C jc*/$-tER  + )4SQ rAr cd|d|}tdddd|g|t\}}}|dk7rd |jxsd |fSy ) zM``git fetch origin --no-tags +refs/heads/:refs/remotes/origin/``.z +refs/heads/z:refs/remotes/origin/gitfetchoriginz --no-tagsr rFz git fetch rc=)Trr#_GIT_TIMEOUT_SECr+) base_branchr refspecr3_rs r"_git_fetch_baserTsb[M)>{mLG ;8  MB6  Qwflln<-t(<<< rActtdddd|g|t\}}}|dk7ry|j}|xsdS)z)``git rev-parse --verify origin/``.rLz rev-parsez--verifyrefs/remotes/origin/r rNrO)rQr r3rrSshas r"_git_rev_parse_remoterXsM  Z+? })MN  MB  Qw ,,.C ;$rAcHtddd|d|g|t\}}}|dk(S)NrLz merge-basez --is-ancestorrVr r)r#rP)rErQr r3rSs r"_git_is_ancestorrZsB    ";- 0     HB1 7NrAmainc  t|tr|js dd||ddSt||\}}|s dd|||ddSt ||}|s dd||ddSt j tt ||}|s dd||ddS||k7rXt||t ||}t j tt ||}|r|r||k7r dd ||||||d dS|}t|||s dd |||d dSd d|||d dS)uRace-safe ancestry verification (fetch + 2회 교차 검증). Sequence -------- 1. ``git fetch origin --no-tags +refs/heads/:refs/remotes/origin/`` 2. 1차 ``git rev-parse origin/`` -> ``sha_a`` 3. ``time.sleep(0.5)`` 4. 2차 ``git rev-parse origin/`` -> ``sha_b`` 5. ``sha_a == sha_b`` -> ``git merge-base --is-ancestor`` 통과 검증 그렇지 않으면 1회 fetch+재조회 후 그래도 불일치면 fail-closed. Fzmerge_commit_sha empty)rErQr:rJzgit fetch failed: z$rev-parse origin/ failed (1st)z$rev-parse origin/ failed (2nd)z;origin/ SHA unstable across 2 fetches (race detected))rErQsha_asha_bsha_csha_dz*merge_commit not ancestor of origin/)rErQ origin_shaTzancestry verified) rFrr+rTrXtimesleep_FETCH_RETRY_SLEEP_SECrZ) rErQr fetchedr?r]r^r_r`s r"check_origin_main_ancestryrfs" & ,4D4J4J4L.+;KX  #;C8LGS *3%0+;KX  "+3 7E <+;KX   JJ%& !+3 7E <+;KX   ~ -%ks; )*%ks;EUe^W(8#.""""    ,ks CB$4*#  % 0&  rA)rQr%r c @i}t||||}||d<|dsdd|dd|||ddSt||||}||d <|dsdd |dd |||ddS|d d }|d d } t|||} | |d<| dsdd| dd|||| ||ddSdd|| ||||ddS)uR3 check 통합. 하나라도 FAIL 시 ``ok=False``. Returns ------- dict ``{"ok": bool, "reason": str, "detail": {...}}``. 성공 시 ``detail`` 은 ``merge_commit_sha``, ``merged_at``, ``checks`` 키를 포함. 실패 시 어느 check 가 실패 했는지 ``detail["failed_check"]`` 에 명시. r$ merged_atr;Fzmerged_at check failed: r<) failed_checkr/r0checksr:merge_commit_oidzmerge_commit_oid check failed: r=rEr7)rQr ancestryzancestry check failed: )rir/r0rErhrQrjTz%all 3 silent_corruption checks passed)rErhr/r0rQrj)r@rIrf) r/r0rQr%r rjmerged_at_result oid_resultrErhancestry_results r"verify_done_preconditionsrp1sU$!F))T&cR*F; D !01A(1K0LM +&   +9d6sSJ!+F  d 7 88L7MN 2&   "(+,>? *:6I0ksO)F: 4 /0I/JK *&$4&*   9 0""&    rA)rrr Optional[Path]r intreturnztuple[int, str, str]) r/rrr0rr1rr%Optional[list[str]]r rqrsztuple[bool, object, str]) r/rrr0rr%rtr rqrsrG)rQrr rqrsztuple[bool, str])rQrr rqrsz Optional[str])rErrQrr rqrsbool)r[)rErrQrr rqrsrG) r/rrr0rrQrr%rtr rqrsrG)__doc__ __future__rr,rrbpathlibrtypingrr*rPrdr __annotations__r#r5r@rIrTrXrZrfrprAr"r|s #  !F " " 6 6 6 6  6>#' #$#$ #$ #$ #$  #$#$T#'       H#' %% % %  %  %P@D FJ GK(+5C &Z ZZZ  Z  ZB"& QQ Q Q Q  Q QrA