JjB UdZddlmZddlZddlZddlmZddlmZddl m Z m Z ddl m Z mZmZmZmZmZmZmZddlmZmZmZmZd Zd ed <d Zd ed <ej:dZded<ej:dej:dej:dej:dej:dej:dej:dej:dej:dej:df Zded<dZ ded<ed !Gd"d#Z!Gd$d%e"Z#Gd&d'e"Z$Gd(d)e%Z&Gd*d+e"Z'd1d,Z(d2d-Z)d3d4d.Z*Gd/d0Z+y)5u9anu_v2.owner_trigger_only — OWNER_TRIGGER_ONLY_CAPABILITY core module. 회장 §명시 14장 1:1 박제 (2026-05-11 KST, OWNER_TRIGGER_ONLY_CAPABILITY). task-2554+1 회장 §명시 (2026-05-12 KST) HIGH race condition fix 반영. task-2554+2 회장 §명시 (2026-05-12 KST) §1 1:1 완성: - ``RESULT_PENDING`` import + sentinel 활용. - ``http_post`` 호출 직전 ``txn.record(PENDING)`` 으로 영구 기록 — process crash 후 다음 runner 가 DEDUPED 판정 (crash-safety fail-closed). 본 모듈 범위: - public action **1 종**: ``POST_GEMINI_REVIEW_TRIGGER_COMMENT`` - comment body 상수 (외부 입력 X): ``COMMENT_BODY = "/gemini review"`` - 단일 허용 endpoint: ``POST /repos/{owner}/{repo}/issues/{pr_number}/comments`` - 금지 11 endpoint hard-block (``PermissionError`` raise) - 전용 token 1 종: ``OWNER_GEMINI_TRIGGER_TOKEN`` (다른 token fallback 0) - merge path 와 완전 분리: ``BOT_GITHUB_TOKEN`` 본 모듈 어디서도 사용 0 - dedupe atomic (audit JSONL + fcntl flock + sidecar lock transaction) - token redaction guard (audit 에 raw value 미출력) - decision JSON v1 검증 fail-closed - result enum: POSTED / DEDUPED / FAILED / PENDING result 흐름 (task-2554+2 §1): 1. txn.check_dedupe (POSTED + PENDING) 2. (DEDUPED 인 경우 audit DEDUPED + return) 3. token presence + hash_prefix 계산 4. **txn.record(PENDING)** — http_post 직전 영구 기록 (crash-safety) 5. http_post 호출 6. 성공: txn.record(POSTED) / 실패: txn.record(FAILED) one-way isolation: anu_v2/ 외부 import 금지. ) annotationsN) dataclass)Path)CallableFinal)AuditRedactionErrorDedupeViolationOwnerTriggerAuditRESULT_DEDUPED RESULT_FAILEDRESULT_PENDING RESULT_POSTEDtoken_hash_prefix)ALLOWED_ACTIONALLOWED_COMMENT_BODYDecisionInvalidErrorvalidate_decisionz/gemini reviewz Final[str] COMMENT_BODYOWNER_GEMINI_TRIGGER_TOKENTOKEN_ENV_NAMEz(^/repos/[^/]+/[^/]+/issues/\d+/comments$zFinal[re.Pattern[str]]_ALLOWED_PATH_REz/pulls/\d+/merge\bz/pulls/\d+/reviews\bz /git/refs\bz /contents\bz/issues/\d+(?:\?|$)z /labels\bz /branches\bz$/actions/(?:runs|workflows)/.*/rerunz3/check-runs/.*/rerequest|/check-suites/.*/rerequestz/pulls/\d+\?|/pulls/\d+$z"Final[tuple[re.Pattern[str], ...]]FORBIDDEN_ENDPOINT_PATTERNS)BOT_GITHUB_TOKENGH_TOKEN GITHUB_TOKEN OWNER_PAT PAT_TOKENzFinal[tuple[str, ...]]FORBIDDEN_TOKEN_ENV_NAMEST)frozencpeZdZUdZded<ded<ded<ded<ded<ded <d ed <ded <d Zded<y ) TriggerResultuP``trigger_gemini_review`` 결과 객체. token / authorization header 미포함.strstatusintprheadaction comment_bodyendpointbool token_presentrN str | None error_code)__name__ __module__ __qualname____doc____annotations__r-anu_v2/owner_trigger_only.pyr!r!_s:Z K G I KM!J !r4r!ceZdZdZy)ForbiddenEndpointErroru9금지 11 endpoint 호출 시도 (회장 §7 hard-block).Nr.r/r0r1r3r4r5r7r7qsCr4r7ceZdZdZy)TokenBoundaryViolationu-다른 token 사용 시도 (회장 §6 fail).Nr8r3r4r5r:r:us7r4r:ceZdZdZy)CommentBodyViolationuKCOMMENT_BODY 외부 변조 / 외부 입력 사용 시도 (회장 §4 fail).Nr8r3r4r5r<r<ysUr4r<ceZdZdZy)MergePathViolationuGmerge_queue_executor merge path 와의 분리 위반 (회장 §9 fail).Nr8r3r4r5r>r>}sQr4r>ct|tr|rd|vr tdt|tr|rd|vr tdt|trt|ts|dkr tdd|d|d|dS) N/z,owner must be a non-empty string without '/'z+repo must be a non-empty string without '/'rz pr_number must be a positive intz/repos/z/issues/z /comments) isinstancer" ValueErrorr$r*)ownerrepo pr_numbers r5_build_post_comment_pathrFs eS !#,GHH dC t FGG i %It)D UV;<< UG1TF(9+Y ??r4c6t|tr|jdk7rtd|t|ts tdtD]!}|j |std|t j|std|y)z+static + dynamic endpoint hard-block guard.POSTzforbidden method: zpath must be stringzforbidden endpoint path: z8path not in allow-list (POST issues/{n}/comments only): N)rAr"upperr7rsearchrmatch)methodpathpats r5assert_endpoint_allowedrOs fc "flln&>$'9&%DEE dC $%:;;*O ::d (+DTH)MN NO  ! !$ '$H Q   (r4cT|ytD]}||vstd|dtdy)utoken 경계 검증 (회장 §6). 명시적으로 ``env`` dict 에 다른 token env 이름이 키로 전달되면 fail. Nzforbidden token env injected: u! — owner trigger path must use z only)rr:r)env forbiddens r5assert_token_boundaryrSsI  {.  (0 <*+52 r4czeZdZdZdd d dZd dZddd ddZdZd Zd Z d Z y)OwnerTriggerOnlyu3OWNER_TRIGGER_ONLY_CAPABILITY 단일 진입점. public action: ``trigger_gemini_review(decision_path, owner, repo, current_head_actual)``. side-effect 추상화 (test injection): - ``http_post``: ``Callable[[method:str, path:str, body:dict, headers:dict], dict]`` - ``token_provider``: ``Callable[[], str]`` — OWNER_GEMINI_TRIGGER_TOKEN value 반환. task-2554+2 §1 흐름: 1. token boundary 검증 2. decision JSON 검증 3. comment_body 검증 4. endpoint hard-block 5. ── ATOMIC TRANSACTION ──────────────────────────────── 5a. audit.transaction() 진입 (sidecar lock LOCK_EX) 5b. txn.check_dedupe (POSTED + PENDING) 5c. DEDUPED 시 audit record + return 5d. token presence + hash_prefix 계산 5e. **txn.record(PENDING)** — http_post 호출 직전 영구 기록 (crash-safety) 5f. http_post 호출 5g. 성공 시 audit POSTED / 실패 시 audit FAILED 6. lock 해제 N)auditc| td| tdt|j|_||_||_|||_yt |j|_y)Nz#http_post callable must be injectedz(token_provider callable must be injected)NotImplementedErrorrresolve_workspace_root _http_post_token_providerr _audit)selfworkspace_root http_posttoken_providerrVs r5__init__zOwnerTriggerOnly.__init__sk  %&KL L  !%&PQ Q#N3;;=#-$0e 6GH\H\6] r4ct|}|js|j|z }|jst dd|t j |jd}|S)NE_FILE_MISSINGzdecision file not found: zutf-8)encoding)r is_absoluterZexistsrjsonloads read_text)r^ decision_pathrMdatas r5_read_decisionzOwnerTriggerOnly._read_decisionsgM"!''$.D{{}&'7;TUYTZ9[\ \zz$..'.:; r4) env_overrider(c t||j|}t|||tn|}|tk7rt dtd|t |d} |d} t||| } td| t|} |jdd } |jj5} |j| | |j'}t)|tr|st+t,dt/|}|j| | | t t0t| | d|d d d|ddd}dti} |j3d| || i}d } |j| | | t t8t| | d|d d t%t8| | t t| d|d cdddS#t$rV|j| | | t t"t| | d d d d d t%t"| | t t| d d d  cYcdddSwxYw#t4$r?} |j| | | t t6t| | d|d dd i}d }|#i}d }wxYwd}~wwxYw#i}d }wxYw#tt:f$rwxYw#1swYyxYw)u단일 public action. /gemini review 댓글 1회 작성. race condition: 동시 2 process 가 같은 (pr, head) 호출 시 lock 직렬화로 후속 process 의 check_dedupe 가 항상 DedupeViolation 차단. crash-safety (task-2554+2 §1): http_post 호출 직전 ``txn.record(PENDING)`` 으로 영구 기록. process crash 후 다음 runner 가 ``_has_active_trigger`` 에서 PENDING 발견 → DedupeViolation → DEDUPED 판정 (fail-closed). )current_head_actualNzcomment_body must be z, got r% current_headrHtask_id)r%r&FDEDUPE) rrr%r&r'resultr(r)rkr+rtoken_value_loggedr-) r#r%r&r'r(r)r+rr-u+ not provided — owner trigger fail-closedT) rrr%r&r'rur(r)rkr+rrvzBearer zapplication/vnd.github+jsonz 2022-11-28) AuthorizationAcceptzX-GitHub-Api-VersionbodyHTTP_POST_FAIL)rSrmrrrr<r$rFrOr"getr] transaction check_deduper recordrr r!r\rAr:rrr r[ Exceptionr rr)r^rkrCrDrprnr(decisionrypr_numr&rMdecision_path_str task_id_valtxntoken hash_prefixheaders body_payloadexcs r5trigger_gemini_reviewz&OwnerTriggerOnly.trigger_gemini_reviews( l+&&}5(8KL ,3| ' '&'(<'?vdXN  Xd^$''tV<- .ll9b1 [[ $ $ &@ #   F 6>((*EeS),%&&QR,E2K JJ*  ,,$0 $%6%))4*/  $$+5'!27(4G #L1L lGD4  #.$ $"0"/(4$():)--8.3 $!$%)""- m@ @ #  #.$ $"0"0(4$():).-/.3&.  %))!-!"'&('  +@ @  D JJ'2"($(&4&3,8(,->-11<27*: "!GE !GE- 2&$%89  g@ @ s5I:7F0 A9I:HI:)I&I:0AHI:HI: I*I I IIIII##I:&I77I::Jctd)NzZowner_trigger_only must not perform merge. Use merge_queue_executor with BOT_GITHUB_TOKEN.)r>r^argskwargss r5mergezOwnerTriggerOnly.merges  >  r4ctd)Nz)approve forbidden (review submit blocked)r7rs r5approvezOwnerTriggerOnly.approves$%PQQr4ctd)Nzclose forbiddenrrs r5closezOwnerTriggerOnly.closes$%677r4ctd)Nzreopen forbiddenrrs r5reopenzOwnerTriggerOnly.reopens$%788r4) r_ str | Pathr`z&Callable[[str, str, dict, dict], dict]razCallable[[], str]rVzOwnerTriggerAudit | NonereturnNone)rkrrdict)rkrrCr"rDr"rpr"rn dict | Noner(r,rr!) r.r/r0r1rbrmrrrrrr3r4r5rUrUs<+/ ^#^: ^ * ^ ( ^ ^&$%)#'k"k k  k ! k"k!k k^ R89r4rU)rCr"rDr"rEr$rr")rLr"rMr"rr)N)rQrrr),r1 __future__rrhre dataclassesrpathlibrtypingrranu_v2.owner_trigger_auditrr r r r r rranu_v2.owner_trigger_decisionrrrrrr2rcompilerrrr!PermissionErrorr7r:rBr<r>rFrOrSrUr3r4r5rs@# !"   , j+9 9+52::/,( BJJ$%BJJ&'BJJ~BJJ~BJJ%&BJJ|BJJ~BJJ67BJJEFBJJ*+ C? 51 $ " " ""D_D8_8V:VRR@   $s9s9r4