Ë
    M¥j§u  ã            
      ó‚  — U d Z ddlmZ ddlmZmZ ddlmZmZm	Z	m
Z
 dZdZdZdZd	Zd
ZdZdZdZdZdZdZdZeeeeeeeefZded<   dZdZdZdZ eeh«      ZdZ dZ!dZ" ee!e"h«      Z#d3d„Z$ ed¬«       G d„ d«      «       Z%e G d „ d!«      «       Z&d"d#d$e" e'e«      d$eedd%œ		 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 d4d&„Z(	 	 	 	 	 	 	 	 	 	 	 	 d5d'„Z)e G d(„ d)«      «       Z*	 	 	 	 	 	 	 	 d6d*„Z+d"d$d$d"d+œ	 	 	 	 	 	 	 	 	 	 	 d7d,„Z,d"d$d"d-œ	 	 	 	 	 	 	 	 	 d8d.„Z-e G d/„ d0«      «       Z.	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 d9d1„Z/g d2¢Z0y"):uÆ  dispatch.callback_owner_enforcer â€” executor self-collector / self-dispatch /
self-adjudication êµ¬ì¡°ì  ì°¨ë‹¨ + write-back role/fallback binding conflict ê°ì‚¬.

task-2553+49 (MICRO-HARDENING, íšŒìž¥ ê²°ì • â€” ì½”ë“œ/íŒŒì¼ ìžë™í™”).

Problem (ë´‰ì‡„ ref: memory/events/task-2553-selfcollector-violation-containment
-decision_260518.json): task-2553+47 dispatch ì‹œ ANU ê°€ normal callback ì„
ë…ë¦½ ANU key ë¡œ ë°œì‚¬í•˜ë„ë¡ ëª»ë°•ì§€ ì•Šì•„, executor(dev3)ê°€ ìžê¸° key ì±„ë„ë¡œ
normal/fallback callback ì„ ë“±ë¡í•˜ê³  ê·¸ ìžê°€ì„¸ì…˜ì´ +47 ìžê°€ íšŒìˆ˜Â·ìžê°€ Codex
auditÂ·ìžê°€ adjudicationÂ·+48 ìžê°€ dispatch ë¥¼ ìˆ˜í–‰í–ˆë‹¤. ë¶„ë¦¬ì›ì¹™Â·collector
ë…ë¦½ì„±Â·executor ì‹ ê·œ dispatch 0Â·ANU ë‹¨ë… dispatch ê¶Œí•œ 4ì¤‘ ìœ„ë°˜. ê·¼ë³¸ì›ì¸ =
ANU orchestration ì„¤ê³„ ê²°í•¨(ANU-key ì†Œìœ  í•€ ëˆ„ë½).

This standalone module encodes the missing fail-closed pins as executable
code so a future executor session *cannot* own its own completion collector,
self-adjudicate, or self-dispatch (íšŒìž¥ Â§1/Â§2):

  * ``enforce_callback_owner`` â€” normal/fallback callback owner MUST be an
    independent ANU key. executor_key == collector_key, collector owner ==
    executor key, collector_role != ANU, prompt-says-ANU-but-owner-is-executor
    -> FAIL (Â§2 / regression 2~6).
  * ``assert_not_self_adjudication`` â€” executor self session running a Codex
    audit / ANU-Codex adjudication -> FAIL (Â§2 / regression 7).
  * ``assert_not_self_dispatch`` â€” executor self session dispatching a
    follow-up task -> FAIL (Â§2 / regression 8).
  * ``audit_writeback_binding_conflict`` â€” the +47 idempotency key was LOW:
    it keyed only on (dispatch_id, chat_id, normal_collector_cron_id) and
    ignored role/fallback binding. This audits role/fallback binding conflict
    over the +44 read-only ledger and emits ``WRITEBACK_BINDING_CONFLICT``
    instead of a silent idempotent skip (Â§2 line 20/21).

Standalone, zero-mutation (íšŒìž¥ Â§5 / byte-0 ìš°ì„ ): imports/edits ZERO
byte-0-pinned tracked module. ``anu_v3.callback_4tuple_registry`` and
``dispatch.executor_completion_contract`` are byte-0 (pinned by the existing
+44/+48 regression FROZEN_SHA256 autouse invariant); they are imported
read-only / lazily and NEVER mutated. The Â§2 4-tuple owner fields
(executor_key / collector_key / collector_owner_key / collector_role) are
carried by THIS module's own ``CallbackOwner4Tuple`` record + schema +
decision artifact â€” NOT by mutating the frozen +44 legacy record (9-R /
byte-0 ìš°ì„  carve-out, +42/+43/+45 ì„ ë¡€ ë™í˜•).

Layer A / NO-CRON (9-R.1): this module performs ZERO cron register/remove,
ZERO dispatch, ZERO merge, ZERO ``cokacdir`` / ``subprocess`` exec. It only
*validates* owner/key bindings and *records* a verdict. The executor's own
normal completion callback (fired by an authorized session with the ANU key,
Â§10) is a designed lifecycle signal â€” NOT an ad-hoc registry cron â€” and the
firing happens outside this module; the module never execs it.
é    )Úannotations)Ú	dataclassÚfield)ÚListÚOptionalÚSequenceÚTuplez&dispatch.callback_owner_enforcement.v1z!dispatch.callback_owner_4tuple.v1ÚPASSÚFAILÚHOLD_FOR_CHAIRÚSELF_COLLECTOR_FORBIDDENÚ$EXECUTOR_SELF_ADJUDICATION_FORBIDDENÚSELF_DISPATCH_FORBIDDENÚCALLBACK_OWNER_MISMATCHÚCALLBACK_COLLECTOR_NOT_ANUÚCALLBACK_4TUPLE_INVALIDÚDISPATCH_PATH_BYPASSED_CONTRACTÚWRITEBACK_BINDING_CONFLICTzTuple[str, ...]ÚALL_CLASSIFICATIONSÚWRITEBACK_NO_CONFLICTÚWRITEBACK_IDEMPOTENT_SKIPÚANUÚc119085addb0f8b7Ú1e41a2324a3ccdd0zdispatch.core.mainÚcokacdir_cron_directc                ó6   — t        | «      xr | t        |«      v S )z?True iff ``key`` is a non-empty configured independent ANU key.)ÚboolÚset)ÚkeyÚanu_keyss     úQ/home/jay/workspace/.worktrees/task-2643-dev6/dispatch/callback_owner_enforcer.pyÚ
is_anu_keyr"   p   s   € ä‹9Ò-˜¤ H£Ð-Ð-ó    T)Úfrozenc                  óª   — e Zd ZU dZded<   ded<   ded<   ded<   ded<   ded	<   ded
<   ded<   dZded<   eZded<   eZded<   dZ	ded<   dd„Z
dd„Zy)ÚCallbackOwner4Tupleu¡  The Â§2/Â§10 owner-bound callback 4-tuple.

    Base 4-tuple {task_id, dispatch_cron_id, normal_collector_cron_id*,
    fallback_callback_cron_id} + the owner binding the +44 frozen legacy
    record cannot carry (executor_key / collector_key / collector_owner_key /
    collector_role=ANU / normal_collector_cron_id / fallback_cron_id /
    normal_collector_cron_id_role). normal_collector_cron_id is MANDATORY.
    ÚstrÚtask_idÚdispatch_cron_idúOptional[str]Únormal_collector_cron_idÚfallback_callback_cron_idÚexecutor_keyÚcollector_keyÚcollector_owner_keyÚcollector_roleÚ Úchat_idÚnormal_collector_cron_id_roleÚfallback_cron_id_roleFr   Úno_fallbackc           	     ó¸   — | j                   | j                  | j                  | j                  | j                  | j
                  | j                  | j                  dœS )N©r(   r)   r+   r,   r-   r.   r/   r0   r7   ©Úselfs    r!   ÚidentityzCallbackOwner4Tuple.identityŽ   sR   € à—|‘|Ø $× 5Ñ 5Ø(,×(EÑ(EØ)-×)GÑ)GØ ×-Ñ-Ø!×/Ñ/Ø#'×#;Ñ#;Ø"×1Ñ1ñ	
ð 		
r#   c                ó¾   — t        | j                  «       «      }|j                  t        | j                  | j
                  | j                  | j                  dœ«       |S )N)Úschemar2   r3   r4   r5   )Údictr:   ÚupdateÚOWNER_4TUPLE_SCHEMAr2   r3   r4   r5   )r9   Úds     r!   Úto_jsonzCallbackOwner4Tuple.to_jsonš   sO   € Ü—‘“Ó!ˆØ	‰ä-ØŸ<™<à×6Ñ6à)-×)CÑ)CØ#×/Ñ/ñô
	
ð ˆr#   N©Úreturnr=   )Ú__name__Ú
__module__Ú__qualname__Ú__doc__Ú__annotations__r2   ÚCOLLECTOR_ROLE_ANUr3   r4   r5   r:   rA   © r#   r!   r&   r&   v   sl   … ñð ƒLØÓØ+Ó+Ø,Ó,ØÓØÓØÓØÓØ€GˆSÓØ);Ð! 3Ó;Ø!3Ð˜3Ó3Ø€KÓó

ôr#   r&   c                  óö   — e Zd ZU ded<   ded<   ded<   ded<   ded<   ded<   ded	<   ded
<   ded<   ded<   ded<   ded<   ded<   ded<   ded<   ded<    ee¬«      Zded<   edd„«       Zedd„«       Z	dd„Z
y)ÚCallbackOwnerEnforcementResultr'   r<   Úverdictú	List[str]Úclassificationsr(   r-   r.   r/   r0   r*   r+   r,   r)   r3   r4   Ú
entry_pathr   Úprompt_claims_anu_collectorÚowner_is_independent_anu©Údefault_factoryÚreasonsc                ó(   — | j                   t        k(  S ©N©rM   r
   r8   s    r!   Úokz!CallbackOwnerEnforcementResult.ok¾   ó   € à|‰|œtÑ#Ð#r#   c                ó<   — | j                   r| j                   d   S d S )Nr   )rO   r8   s    r!   Úprimary_classificationz5CallbackOwnerEnforcementResult.primary_classificationÂ   s    € à*.×*>Ò*>ˆt×#Ñ# AÑ&ÐHÀDÐHr#   c                ó   — i d| j                   “d| j                  “dt        | j                  «      “d| j                  “d| j
                  “d| j                  “d| j                  “d| j                  “d	| j                  “d
| j                  “d| j                  “d| j                  “d| j                  “d| j                  “d| j                  “d| j                   “d| j"                  “dt        | j$                  «      i¥S )Nr<   rM   rO   r\   r(   r-   r.   r/   r0   r+   r,   r)   r3   r4   rP   rQ   rR   rU   )r<   rM   ÚlistrO   r\   r(   r-   r.   r/   r0   r+   r,   r)   r3   r4   rP   rQ   rR   rU   r8   s    r!   rA   z&CallbackOwnerEnforcementResult.to_jsonÆ   sM  € ð
Ød—k‘kð
àt—|‘|ð
ð œt D×$8Ñ$8Ó9ð
ð % d×&AÑ&Að	
ð
 t—|‘|ð
ð ˜D×-Ñ-ð
ð ˜T×/Ñ/ð
ð " 4×#;Ñ#;ð
ð ˜d×1Ñ1ð
ð '¨×(EÑ(Eð
ð (¨×)GÑ)Gð
ð  × 5Ñ 5ð
ð ,Ø×2Ñ2ð
ð  $ T×%?Ñ%?ð!
ð" ˜$Ÿ/™/ð#
ð$ *¨4×+KÑ+Kð%
ð& '¨×(EÑ(Eð'
ð( ”t˜DŸL™LÓ)ñ)
ð 	
r#   N©rC   r   )rC   r*   rB   )rD   rE   rF   rH   r   r^   rU   ÚpropertyrY   r\   rA   rJ   r#   r!   rL   rL   ª   sš   … àƒKØƒLØÓØƒLØÓØÓØÓØÓØ+Ó+Ø,Ó,ØÓØ#&Ó&ØÓØƒOØ!%Ó%Ø"Ó"Ù¨tÔ4€GˆYÓ4àò$ó ð$ð òIó ðIô
r#   rL   Nr1   F)	r/   r2   rQ   rP   r    r5   r3   r4   Úanu_keys_resolvablec                ó  — |xs |xs d}g }|rt        |«      sEt        d i dt        “dt        “dg “d| “d|“d|“d|“d	|“d
|“d|“d|“d|“d|“d|
“d|	“dd“ddg“ŽS g }|
t        vr*|j                  t        «       |j                  d|
›d«       |t        k7  r*|j                  t        «       |j                  d|›d«       |r-|r+||k(  r&|j                  t        «       |j                  d«       t        |«      xr ||k(  }|r&|j                  t        «       |j                  d«       t        ||«      }|	r*|s|s&|j                  t        «       |j                  d«       |s,|s*|j                  t        «       |j                  d|›d«       t        | ||||¬«      }|r&|j                  t        «       |j                  |«       t!        «       }g }|D ])  }||vsŒ|j#                  |«       |j                  |«       Œ+ |st$        nt&        }|xr | xr	 |t        k(  }|t$        k(  r|j                  d«       t        d i dt        “d|“d|“d| “d|“d|“d|“d	|“d
|“d|“d|“d|“d|“d|
“d|	“d|“d|“ŽS )!u#  Fail-closed gate: normal/fallback callback owner MUST be an
    independent ANU key (íšŒìž¥ Â§2/Â§8/Â§10).

    Verdict logic (every violating condition is recorded â€” NOT silently
    dropped; Â§2 line 21):

      * ANU key set unresolvable in this env   -> HOLD_FOR_CHAIR (Â§6 â€” the
                                                   ONLY conditional escalation;
                                                   un-codeable sub-control)
      * entry_path unrecognised                -> DISPATCH_PATH_BYPASSED_
                                                   CONTRACT (cron-direct bypass)
      * collector_role != "ANU"                -> CALLBACK_COLLECTOR_NOT_ANU
                                                   (regression 5)
      * executor_key == collector_key          -> SELF_COLLECTOR_FORBIDDEN
                                                   (regression 4)
      * effective owner == executor key        -> SELF_COLLECTOR_FORBIDDEN
                                                   (regression 2/3 â€” normal &
                                                   fallback self callback)
      * prompt says ANU collector but owner is
        the executor key / not an ANU key      -> CALLBACK_OWNER_MISMATCH
                                                   (regression 6)
      * owner not an independent ANU key       -> CALLBACK_OWNER_MISMATCH
      * 4-tuple invalid (task_id/dispatch_cron
        /normal_collector_cron_id mandatory;
        fallback unless no_fallback)           -> CALLBACK_4TUPLE_INVALID
      * else                                   -> PASS (owner is an
                                                   independent ANU key,
                                                   regression 1).

    Layer A: pure validation. ZERO cron / dispatch / subprocess / cokacdir.
    r1   r<   rM   rO   r(   r-   r.   r/   r0   r+   r,   r)   r3   r4   rP   rQ   rR   FrU   u¶   ANU key set unresolvable in this environment â€” the callback owner=ANU pin cannot be code-enforced here (Â§6 HOLD_FOR_CHAIR; the only conditional escalation, 9-R.2). NO silent pass.zentry_path u¹    not a recognised gated dispatch path â€” a cron-direct contract bypass (Â§3 / 9-R.1). The ANU control layer (prompt gen Â· 4-tuple Â· post-reg owner cross-check) must fail-closed here.zcollector_role=um    != 'ANU' â€” the completion collector MUST run as an independent ANU collector session (Â§2 / regression 5).ui   executor_key == collector_key â€” executor self-collector is structurally forbidden (Â§2 / regression 4).uÃ   normal/fallback callback owner key == executor self key â€” executor self-callback (normal & fallback) is structurally forbidden; owner MUST be an independent ANU key (Â§2/Â§10 / regression 2/3).u¾   prompt declares an 'ANU Result Collector' but the schedule owner key is the executor key / not an ANU key â€” invalid; owner identity, not prompt text, is authoritative (Â§2 / regression 6).zcallback owner key uF    is not a configured independent ANU key â€” owner mismatch (Â§2/Â§8).)r(   r)   r+   r,   r5   u·   callback owner is an independent ANU key (collector_role=ANU, owner != executor key, 4-tuple valid) â€” executor self-collector structurally impossible from here (Â§2 / regression 1).rJ   )r^   rL   ÚENFORCER_SCHEMAÚHOLDÚKNOWN_ENTRY_PATHSÚappendr   rI   r   r   r   r"   r   Ú_validate_owner_4tupler   Úextendr   Úaddr
   r   )r(   r-   r.   r/   r0   r+   r,   r)   r2   rQ   rP   r    r5   r3   r4   ra   Ú	owner_keyrU   ÚclsÚowner_is_executorÚowner_is_anuÚtuple_reasonsÚseenÚorderedÚcrM   rR   s                              r!   Úenforce_callback_ownerrr   ß   sŒ  € ðd $Ò: }Ò:¸€IØ€Gñ
 ¤d¨8¤nÜ-ò 
Ý"ð
åð
ñ ð
ñ ð	
ñ
 &ð
ñ (ð
ñ !*ð
ñ *ð
ñ &>ð
ñ '@ð
ñ .ð
ñ +Hð
ñ #8ð
ñ "ð
ñ )Dð
ñ  &+ð!
ð$*ñð#
ð 	
ð2 €CàÔ*Ñ*Ø
‰
Ô2Ô3Ø‰Ø˜*˜ð (,ð ,ô	
ð Ô+Ò+Ø
‰
Ô-Ô.Ø‰Ø˜nÐ/ð 0$ð $ô	
ñ ™¨,¸-Ò*GØ
‰
Ô+Ô,Ø‰ð;ô	
ô
 ˜Y›ÒE¨I¸Ñ,EÐÙØ
‰
Ô+Ô,Ø‰ðô	
ô ˜i¨Ó2€LÙ"Ñ(9ÁØ
‰
Ô*Ô+Ø‰ðô	
ñ Ñ 1Ø
‰
Ô*Ô+Ø‰Ø! ) ð /@ð @ô	
ô
 +ØØ)Ø!9Ø";Øô€Mñ Ø
‰
Ô*Ô+Ø‰}Ô%ô “€DØ€GØò ˆØDŠ=ØH‰HQŒKØN‰N˜1Õðñ
 "d¤t€Gàò 	1Ø!Ð!ò	1àÔ0Ñ0ð ð
 ”$‚Ø‰ðPô	
ô *ò Ýðáðñ  ðñ ð	ñ
 "ðñ $ðñ &ðñ &ðñ ":ðñ #<ðñ *ðñ 'Dðñ 4ðñ ðñ %@ðñ  ":ð!ñ" ð#ð r#   c                ó¦   — g }| s|j                  d«       |s|j                  d«       |s|j                  d«       |s|s|j                  d«       |S )z@4-tuple invalidity reasons (mirrors the +32/+44 mandatory rule).z'task_id empty (CALLBACK_4TUPLE_INVALID)z0dispatch_cron_id empty (CALLBACK_4TUPLE_INVALID)u£   normal_collector_cron_id missing â€” MANDATORY independent-ANU normal completion callback lifecycle signal; NO-CRON does NOT exempt this (CALLBACK_4TUPLE_INVALID).znfallback_callback_cron_id missing and no explicit no_fallback contract (safety path, CALLBACK_4TUPLE_INVALID).)rf   )r(   r)   r+   r,   r5   Úrs         r!   rg   rg   š  s\   € ð €AÙØ	‰Ð:Ô;ÙØ	‰ÐCÔDÙ#Ø	‰ð5ô	
ñ
 %©[Ø	‰ð?ô	
ð €Hr#   c                  ól   — e Zd ZU ded<   ded<   ded<   ded<    ee¬«      Zd	ed
<   edd„«       Zdd„Z	y)ÚSelfActionGuardResultr'   r<   rM   r*   Úclassificationr   Úis_executor_self_sessionrS   rN   rU   c                ó(   — | j                   t        k(  S rW   rX   r8   s    r!   rY   zSelfActionGuardResult.ok¿  rZ   r#   c                óˆ   — | j                   | j                  | j                  | j                  t	        | j
                  «      dœS )N©r<   rM   rw   rx   rU   )r<   rM   rw   rx   r^   rU   r8   s    r!   rA   zSelfActionGuardResult.to_jsonÃ  s8   € à—k‘kØ—|‘|Ø"×1Ñ1Ø(,×(EÑ(EÜ˜DŸL™LÓ)ñ
ð 	
r#   Nr_   rB   ©
rD   rE   rF   rH   r   r^   rU   r`   rY   rA   rJ   r#   r!   rv   rv   ·  s>   … àƒKØƒLØ!Ó!Ø"Ó"Ù¨tÔ4€GˆYÓ4àò$ó ð$ô
r#   rv   c                óP   — t        |«      xr || k(  }|t        |«      nd}|xs |S )NF)r   )r-   Ú	actor_keyrx   Úkey_derivedÚexplicits        r!   Ú_is_self_sessionr   Í  s?   € ô y“/Ò? i°<Ñ&?€Kð $Ð/ô 	Ð%Ô&àð ð
 Ò"˜(Ð"r#   )r~   Úis_codex_auditÚis_adjudicationrx   c           
     ó
  — t        | ||«      }|r\|s|rXg }|r|j                  d«       |r|j                  d«       t        t        t        t
        dddj                  |«      › dg¬«      S t        t        t        d|d	g¬«      S )
u!  executor self session ì´ Codex audit / ANU-Codex adjudication ì„ ìˆ˜í–‰
    í•˜ë©´ invalid (Â§2 / regression 7).

    Codex audit Â· adjudication Â· í›„ì† íšŒìˆ˜Â·ê²€ì¦ ì€ ë°˜ë“œì‹œ ë…ë¦½ ANU collector
    ì„¸ì…˜ì´ ìˆ˜í–‰í•œë‹¤. executor self session ì´ ê·¸ê²ƒì„ í•˜ë©´ FAIL.
    zCodex auditzANU-Codex adjudicationTz!executor self session performing z + u    â€” invalid; this MUST be done by the independent ANU collector session, never the executor self session (Â§2 / regression 7).r{   Nzano executor self-adjudication (Codex audit/adjudication is not run by the executor self session).)r   rf   rv   rc   r   r   Újoinr
   )r-   r~   r‚   rƒ   rx   Úself_sessionÚwhats          r!   Úassert_not_self_adjudicationrˆ   â  s¢   € ô $ØiÐ!9ó€Lñ ™©?ØˆÙØK‰K˜Ô&ÙØK‰KÐ0Ô1Ü$Ü"ÜÜ?Ø%)à3°E·J±J¸tÓ4DÐ3Eð F(ð (ðô
ð 	
ô !ÜÜØØ!-ð5ð
ô	ð 	r#   )r~   Úis_followup_dispatchrx   c                ó   — t        | ||«      }|r|rt        t        t        t        ddg¬«      S t        t        t
        d|dg¬«      S )u—   executor self session ì´ í›„ì† task dispatch ë¥¼ ìˆ˜í–‰í•˜ë©´ invalid
    (Â§2 / regression 8). ì‹ ê·œ dispatchÂ·delegation ì€ ë…ë¦½ ANU ì„¸ì…˜ë§Œ.TuÓ   executor self session performing a follow-up task dispatch/delegation â€” invalid; executor ìžê¸°ìž‘ì—…ì¤‘ ì‹ ê·œ dispatchÂ·delegation 0, only the independent ANU session may dispatch (Â§2/Â§10 / regression 8).r{   Nzno executor self-dispatch.)r   rv   rc   r   r   r
   )r-   r~   r‰   rx   r†   s        r!   Úassert_not_self_dispatchr‹     sb   € ô $ØiÐ!9ó€Lñ Ñ,Ü$Ü"ÜÜ2Ø%)ð:ðô
ð 	
ô !ÜÜØØ!-Ø-Ð.ôð r#   c                  óŠ   — e Zd ZU ded<   ded<   ded<   ded<   ded<   ded<   d	ed
<    ee¬«      Zd	ed<   edd„«       Zdd„Z	y)ÚWritebackBindingAuditResultr'   r<   rM   rw   r(   r   ÚconflictÚmatched_idempotency_keyrN   Úconflicting_fieldsrS   rU   c                ó(   — | j                   t        k(  S rW   rX   r8   s    r!   rY   zWritebackBindingAuditResult.ok?  rZ   r#   c           
     óÜ   — | j                   | j                  | j                  | j                  | j                  | j
                  t        | j                  «      t        | j                  «      dœS )N©r<   rM   rw   r(   rŽ   r   r   rU   )	r<   rM   rw   r(   rŽ   r   r^   r   rU   r8   s    r!   rA   z#WritebackBindingAuditResult.to_jsonC  sT   € à—k‘kØ—|‘|Ø"×1Ñ1Ø—|‘|ØŸ™Ø'+×'CÑ'CÜ"& t×'>Ñ'>Ó"?Ü˜DŸL™LÓ)ñ	
ð 		
r#   Nr_   rB   r|   rJ   r#   r!   r   r   4  sN   … àƒKØƒLØÓØƒLØƒNØ!Ó!Ø!Ó!Ù¨tÔ4€GˆYÓ4àò$ó ð$ô

r#   r   c               ó’  — d}| D ]ï  }	 t        |dd«      }	t        |dd«      }
t        |dd«      }t        |dd«      }t        |dd«      }t        |dd«      }|	d	k7  rŒX|
|k(  sŒ^t        |«      t        |«      k(  sŒv||k(  sŒ|d
}g }||k7  r|j                  d|›d|›d«       ||k7  r|j                  d|›d|›d«       |sŒ½t	        t
        t        t        |d
d
|ddj                  |«      z   g¬«      c S  |r t	        t
        t        t        |dd
g dg¬«      S t	        t
        t        t        |ddg dg¬«      S # t        $ r Y Œ@w xY w)u  +47 idempotency key ë³´ê°• (Â§2 line 20/21).

    The +47 ``write_back_completed`` idempotency key is
    ``(dispatch_id, chat_id, normal_collector_cron_id)`` ONLY â€” it ignores
    ``role`` / ``fallback_callback_cron_id``. So a SECOND write-back that
    shares the collector identity but carries a DIFFERENT role/fallback
    binding is silently treated as an idempotent skip (LOW). This audit runs
    over the +44 read-only ledger ``history`` (the +44 module stays byte-0;
    history is the value of ``registry.history_for(task_id)``):

      * a COMPLETED record with the SAME idempotency key AND the SAME
        role/fallback binding -> ``WRITEBACK_IDEMPOTENT_SKIP`` (PASS,
        regression 12 â€” a true duplicate).
      * a COMPLETED record with the SAME idempotency key but a DIFFERENT
        role / fallback binding -> ``WRITEBACK_BINDING_CONFLICT`` (FAIL,
        regression 11) â€” RECORDED, never a silent skip (Â§2 line 21).
      * no idempotency-key match -> ``WRITEBACK_NO_CONFLICT`` (PASS â€” a
        normal new append).

    Read-only. ZERO cron / dispatch / subprocess. The +44 registry is NOT
    escalated to a merge/dispatch executor (Â§5/Â§6).
    FÚstatusNÚdispatch_idr2   r+   Úroler,   Ú	COMPLETEDTzrole(record=z vs candidate=ú)z!fallback_callback_cron_id(record=u  an existing COMPLETED record shares the +47 idempotency key (dispatch_id, chat_id, normal_collector_cron_id) but has a DIFFERENT role/fallback binding â€” WRITEBACK_BINDING_CONFLICT. This is RECORDED, NOT a silent idempotent skip (Â§2 line 20/21 / regression 11). Conflicting: z; r“   uŸ   COMPLETED record with identical idempotency key AND identical role/fallback binding â€” a true duplicate; idempotent SKIP, no duplicate append (regression 12).u^   no COMPLETED record matches the +47 idempotency key â€” a normal new write-back (no conflict).)ÚgetattrÚ	Exceptionr'   rf   r   rc   r   r   r…   r
   r   r   )Úhistoryr(   r–   r2   r+   Úcandidate_roleÚcandidate_fallback_cron_idÚmatchedrt   r•   Úr_dispatch_idÚ	r_chat_idÚr_nccÚr_roleÚr_fbÚfieldss                   r!   Ú audit_writeback_binding_conflictr¦   P  sÅ  € ð@ €GØò 0ˆð	Ü˜Q ¨$Ó/ˆFÜ# A }°dÓ;ˆMÜ  9¨dÓ3ˆIÜ˜AÐ9¸4Ó@ˆEÜ˜Q ¨Ó-ˆFÜ˜1Ð9¸4Ó@ˆDð [Ò Øð ˜[Ó(ÜI“¤# g£,Ó.ØÐ1Ó1àˆGØ "ˆFØ˜Ò'Ø—‘Ø" 6 *¨NØ%Ð(¨ð+ôð Ð1Ò1Ø—‘Ø7¸°xð @!Ø!;Ð >¸aðAôò Ü2Ü*Ü Ü#=Ø#Ø!Ø,0Ø'-ðJð Ÿ)™) FÓ+ñ,ðôò ð?0ñb Ü*Ü"ÜÜ4ØØØ$(Ø!ðHðô
ð 	
ô 'ÜÜÜ,ØØØ %Øð3ð
ôð øôq ò 	Úð	ús   ‰AD9Ä9	EÅE) rc   r?   r
   r   rd   r   r   r   r   r   r   r   r   r   r   r   rI   ÚANU_KEY_2553ÚDEFAULT_ANU_KEYSÚEXECUTOR_SELF_KEY_EXAMPLEÚPATH_DISPATCH_PYÚPATH_CRON_DIRECTre   r"   r&   rL   rr   rv   rˆ   r‹   r   r¦   )r   r*   r    úSequence[str]rC   r   )"r(   r'   r-   r'   r.   r'   r/   r*   r0   r'   r+   r*   r,   r*   r)   r'   r2   r'   rQ   r   rP   r'   r    r¬   r5   r   r3   r'   r4   r'   ra   r   rC   rL   )r(   r'   r)   r'   r+   r*   r,   r*   r5   r   rC   rN   )r-   r'   r~   r*   rx   úOptional[bool]rC   r   )r-   r'   r~   r*   r‚   r   rƒ   r   rx   r­   rC   rv   )
r-   r'   r~   r*   r‰   r   rx   r­   rC   rv   )rœ   zSequence[object]r(   r'   r–   r'   r2   r'   r+   r*   r   r'   rž   r*   rC   r   )1rG   Ú
__future__r   Údataclassesr   r   Útypingr   r   r   r	   rc   r?   r
   r   rd   r   r   r   r   r   r   r   r   r   rH   r   r   rI   r§   Ú	frozensetr¨   r©   rª   r«   re   r"   r&   rL   Útuplerr   rg   rv   r   rˆ   r‹   r   r¦   Ú__all__rJ   r#   r!   ú<module>r´      s’  ðò/õ` #ç (ß 2Ó 2à:€Ø9Ð ð €Ø€Ø€ð 6Ð Ø'MÐ $Ø3Ð Ø3Ð Ø9Ð Ø3Ð Ø"CÐ Ø9Ð ð Ø(ØØØØØ#Øð	(Ð _ó 	ð 0Ð Ø7Ð ð Ð ð "€Ù˜l˜^Ó,Ð ð
 /Ð ð
 (Ð Ø)Ð ÙÐ/Ð1AÐBÓCÐ ó.ñ $Ô÷0ð 0ó ð0ðf ÷1
ð 1
ó ð1
ðr *.ð
 Ø(-Ø&Ù#Ð$4Ó5ØØ);Ø!3Ø $ñ#xàðxð ðxð ð	xð
 'ðxð ðxð ,ðxð  -ðxð ðxð ðxð "&ðxð ðxð ðxð ðxð $'ðxð  ð!xð" ð#xð$ $ó%xðvàðð ðð ,ð	ð
  -ðð ðð óð: ÷
ð 
ó ð
ð*#Øð#àð#ð -ð#ð 
ó	#ð0  $Ø Ø!Ø/3ñ,àð,ð ð,ð ð	,ð
 ð,ð -ð,ð ó,ðd  $Ø!&Ø/3ñàðð ðð ð	ð
 -ðð óðF ÷
ð 
ó ð
ð6mØðmð ðmð ð	mð
 ðmð ,ðmð ðmð !.ðmð !ómò`!r#   