<j2^dZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z ddlmZddlZe dZedz Zedz Zed z Zd Zdd Zdd Zef dd Zdd ddZdd ddZddZdd ddZdd dZedk(r eey)!urefresh_bot_token.py — GitHub App installation token refresh (50-min cycle). 회장 박제 명세 feedback_github_app_key_location_260507.md 준수. stdlib + PyJWT + cryptography 만 사용 (requests/httpx 금지). ) annotationsN)Path)Optionalz/home/jay/workspacez=.secrets/jeon-jonghyuk-taskctl-bot.2026-05-05.private-key.pemz2memory/orchestration-audit/bot-token-refresh.jsonlz .env.keyszhttps://api.github.comci}|js|S |jdjD]}|j}|r|j dr'|j dr|t ddj}d|vrY|j dd\}}|j}|jjdjd }|s|||< |S#t$rY|SwxYw) u4라인별 NAME=VALUE 파싱. 'export ' prefix strip.utf-8encoding#zexport N="')exists read_text splitlinesstrip startswithlensplit Exception)env_pathresultraw_linelinekvs J/home/jay/workspace/.worktrees/task-2551-dev6/scripts/refresh_bot_token.py_parse_env_keysr%sF ??    **G*<GGI H>>#D4??3/y)C NO,224$::c1%DAq A $**3/Aq   M   M sCC/%C// C<;C<ctjj|}|r|St|}|j|S)u.os.environ 우선, 없으면 .env.keys 파싱.)osenvirongetr)key env_keys_pathvalparseds r_getenvr'>s4 **.. C  ] +F ::c?c "td}g}|r|jt||j||j||D]}|js|cStd|Dcgc] }t |c}cc}w)uwenv BOT_GITHUB_PRIVATE_KEY_PATH 우선 → 부재 시 fallback. 둘 다 부재(파일 없음)면 FileNotFoundError.zG/home/jay/.secrets/jeon-jonghyuk-taskctl-bot.2026-05-05.private-key.pemzPEM key not found. Tried: )rappendrFileNotFoundErrorstr)r fallback_pathmain_pem candidatespcs rresolve_pem_pathr2Ls]^HJ$x.)hm$  88:H  $j%Ac!f%A$BC %As1B )nowc|ttj}|dz |dz|d}tj||dS)uDRS256, iat=now-60 (시계 보정), exp=now+540 (9분). PyJWT 사용.<i)iatexpissRS256) algorithm)inttimejwtencode)app_id pem_bytesr3payloads r generate_jwtrBdsF {$))+RxSyG ::gyG <8C99C>cd}|jr0|jd}|jjdz}nd}d}|j d}d }g}|D]=}|j |r|j ||d d}-|j |?|s=|r%|d jd s|j d |j ||d dj|} |jjdd tj|jd \} } d } tj| dd5} d} | j| dddtj | |tj"| |y#1swY6xYw#t$$rO| s& tj&| n#t($rYnwxYw tj*| #t($rYwxYwwxYw)u라인이 'BOT_GITHUB_TOKEN='로 시작하면 in-place 교체. 미존재 시 EOF append. atomic (tmpfile + os.replace). chmod 0o600 보존. export prefix 추가 X. zBOT_GITHUB_TOKEN=rriiT)keependsF parentsexist_okz.env.keys.tmp.)dirprefixwN)rrstatst_moderrr*endswithjoinparentmkdirtempfilemkstempr fdopenwritechmodrMrcloseOSErrorunlink)r new_token target_prefix original_text original_modelinesreplaced new_linesrnew_textfdtmp_path fd_closedfs rupdate_env_keysrs (M **G*<  //%7    $ $d $ 3EHI# ??= )    yk< =H   T " #  Yr]33D9   T "M?9+R89wwy!H  OO$6## OO$4LBI YYr3 1 QI GGH   =) 8X&           IIh       sl3F F4F FF G8,GG8 G G8 GG8G('G8( G41G83G44G8)rXcL|jjddtjdtj|||d}|||d<t j |dd z}|jd d 5}|j|dddy#1swYyxYw) ujsonl append-only. status ∈ {refreshed, refresh_rejected, pem_missing, api_error, dry_run}. 토큰 원문 절대 기록 X. sha256_prefix는 hashlib.sha256(token.encode()).hexdigest()[:16]. Triz%Y-%m-%dT%H:%M:%SZ)tsstatus sha256_prefix expires_atNrXF ensure_asciirgarr) rsrtr<strftimegmtimerVdumpsopenrx) audit_pathrrrrXrecordrrs r append_auditrsD48mm0$++-@& F  w ::f5 1D 8D w /1  s ?BB#c ptjd}|jddd|jdttdtd  |jd tt d t d  |j |}t|j}t|j}|j}td |}td|}td|}|stddt|ddddy|stddt|ddddy t|} | j} t#|| } t'| |} | j/d&d'}| j/d(d'}|std)dt|dddd*yt1j2|j5j7dd+}|dd,}|r:t|d-||.d-|||dd/}tt9j:|d01dy2 t=||t|d5||.d5|||d0d/}tt9j:|d01dy2#t $r3} td| dt|dddt| Yd} ~ yd} ~ wwxYw#t$$r-} td| dt|dddd| Yd} ~ yd} ~ wwxYw#t($rc} | j*\}}td|d|dd dd!t-|cxkrd"krnnd#nd}t||ddd$|d|dd Yd} ~ yd} ~ wt$$r3} td%| dt|dddt| Yd} ~ yd} ~ wwxYw#t$$r-} td3| dt|d||d4| Yd} ~ yd} ~ wwxYw)6u:CLI entry. exit 0=성공, 1=실패. --dry-run flag 지원.z%GitHub App installation token refresh) descriptionz --dry-run store_trueu,토큰 발급만 수행, .env.keys 미수정)actionhelpz --env-keysu.env.keys 경로 (기본값: ))defaultrz --audit-pathuaudit jsonl 경로 (기본값: BOT_GITHUB_APP_IDBOT_GITHUB_INSTALLATION_IDBOT_GITHUB_PRIVATE_KEY_PATHu#[ERROR] BOT_GITHUB_APP_ID 미설정T)flush api_errorNzBOT_GITHUB_APP_ID missing)rrrrXr u,[ERROR] BOT_GITHUB_INSTALLATION_ID 미설정z"BOT_GITHUB_INSTALLATION_ID missinguRROR] PEM 파일 없음: pem_missinguRROR] JWT 생성 실패: z jwt_error: u[ERROR] GitHub API 오류 HTTP z: iirefresh_rejectedhttp_uRROR] API 호출 실패: tokenreru%[ERROR] 응답에 token 필드 없음ztoken field missing in response dry_run)rrr)r token_prefixrrrFrru![ERROR] .env.keys 갱신 실패: zenv_keys_write_error: refreshed)argparseArgumentParser add_argumentr,DEFAULT_ENV_KEYS_PATHDEFAULT_AUDIT_PATH parse_argsrenv_keysrrr'printrr2 read_bytesr+rBrrcrZargsr;r"hashlibsha256r> hexdigestrVrr)argvparserrr$rrr?r] pem_env_pathpem_pathr@rbr\r status_codera audit_statusr}rrroutputs rmainrs8  $ $;F  ;  )*,-B,C1 E  &'./A.B! D   T "D'Mdoo&JLLG(- 8F:MJO8-HL  34@ -    L '!   ($*   djje4DA  y1# $ & F $**V% 0= i   +C51>  c(      +C51> u%     HH T / }BtDSzlKSWX-0C 4D-Js-J)P[  +bds 5     +C51> c(   d   1#7tD '!*3%0   sm)I J K M? J')JJ K&#KK M<AL== M< )M77M<? N5#N00N5__main__)rrreturnzdict[str, str])r#r,r$rr Optional[str])rrr-rrr)r?r,r@bytesr3z Optional[int]rr,)r\r,r]r,rDfloatrdict)rrr}r,rNone) rrrr,rrrrrXrrr)N)rzOptional[list[str]]rr;) __doc__ __future__rrrrVr rur< urllib.errorrPurllib.requestpathlibrtypingrr= WORKSPACEDEFAULT_PEM_BACKUPrrrOrr'r2rBrcrrr__name__ SystemExitr(rrs] #   & ' !``!UU!K/*2 - 8 = ==  =  =* 444 4  4>:F  !      @m ` z TV r(