juB JdZddlmZddlZddlZddlZddlZddlZddlZddl m Z m Z ddl m Z dZ dZdZe ej j#d ee ej)j*j*Zed z d z Zej0d Zej0d ej4Zej0dZej0dej:Zej0dej4Zej0dej4Z ej0dej4Z!d$dZ"d%dZ#d&dZ$d'dZ%d'dZ&d(d)dZ'd*dZ(d*dZ)d*dZ*d+dZ+d,dZ,e,Z-gdZ.d-dZ/d.d Z0efd/d!Z1d0d"Z2e3d#k(rejhe2yy)1u0gemini_evidence_verify.py — Gemini App evidence-based gate verifier. Phase 3 redesign (task-2465, 2026-05-06). - Gemini API 호출 0건 — GitHub App이 박제한 evidence(review/comment/check-run)만 신뢰 - gh api (subprocess) 만 사용 — 직접 HTTP 호출 금지 - GEMINI_API_KEY 의존 0건 ) annotationsN)datetimetimezone)Pathi,zJonghyukJeon/dev_workspacezgemini-code-assist[bot] WORKSPACEmemoryauditu [🔴❌]zseverity\s*:\s*(high|critical)z \b(BLOCKING|CRITICAL|MUST FIX)\bz#^\s*##\s+(High|Critical|Blocking)\bz \bsecurity\bz \bdata loss\bz\bregression\bcdtjtjj SN)rnowrutc isoformatO/home/jay/workspace/.worktrees/task-2644-dev1/scripts/gemini_evidence_verify.py_now_isor) << % / / 11rcdtjtjj Sr )rr rr timestamprrr_now_tsr-rrcj|s|Stjdd|}tjdd|}|S)u?fenced code block (``` ... ```) 과 inline code (`...`) 제거.z```[\s\S]*?``` z `[^`\n]*`)resub)bodycleaneds rstrip_code_blocksr1s4  ff&T2Gff\30G NrcX|sgSt|}g}tj|r|jdtj|r|jdt j|r|jdt j|r|jd|S)uMbody에서 high-severity 패턴 매칭 결과 반환 (code block 제외 후).uemoji:🔴/❌zseverity:high/criticalz"keyword:BLOCKING/CRITICAL/MUST_FIXzheader:##High/Critical/Blocking)r _HS_EMOJIsearchappend _HS_SEVERITY _HS_KEYWORD _HS_HEADER)rstrippedhitss rmatch_high_severityr'<s   &HD! $%8$ ,-(# 89" 56 Krc |sgSt|}g}tj|r|jdtj|r|jdt j|r|jd|S)u=보조 신호 매칭 (단독 차단 금지 — audit 전용).security data_loss regression)r_SUPP_SECURITYr r!_SUPP_DATA_LOSS_SUPP_REGRESSION)rr%sigss rmatch_supplementaryr0Msl   &HDX& Jh' K x( L! Krcr tjdd|gdd|}|j}|dk7s|jj s|gfS t j |j}||fS#t j$r|gfcYSwxYw#tj$rdgfcYSt$rdgfcYSwxYw)u@gh api {endpoint} 호출 → (returncode, parsed_json_or_empty).ghapiT)capture_outputtexttimeoutr) subprocessrun returncodestdoutstripjsonloadsJSONDecodeErrorTimeoutExpired Exception)endpointr6procrcdatas r_gh_apirF\s~~ 5( #dG __ 7$++++-r6M ::dkk*D4x## r6M   $ $2v 2v s<A BA1-B1B B B  BB6' B65B6ctd|d|d\}}t|tsgS|Dcgc]-}|jdijdtk(s,|/c}Scc}w)u4PR reviews — gemini-code-assist[bot] 발행분만.repos//pulls/z/reviewsuserloginrF isinstancelistgetGEMINI_BOT_LOGIN)repopr_rErs r_fetch_reviewsrUqs`tfGB4x89GAt dD !  R!quuVR044W=AQQA RR R -A!A!ctd|d|d\}}t|tsgS|Dcgc]-}|jdijdtk(s,|/c}Scc}w)uLPR review comments (line comments) — gemini-code-assist[bot] 발행분만.rHrI /commentsrJrKrLrQrRrSrEcs r_fetch_review_commentsr[ys`tfGB4y9:GAt dD !  R!quuVR044W=AQQA RR RrVctd|d|d\}}t|tsgS|Dcgc]-}|jdijdtk(s,|/c}Scc}w)u=Issue (PR) comments — gemini-code-assist[bot] 발행분만.rHz/issues/rXrJrKrLrYs r_fetch_issue_commentsr]s`tfHRD :;GAt dD !  R!quuVR044W=AQQA RR RrVc td|d|d\}}t|tsgS|jdg}t|tsgSg}|D];}|jdijdd}|dk(s+|j |=|S) uZcheck-runs for head_sha — app.slug == 'gemini-code-assist' 발행분만 (엄격 매칭).rH /commits/z /check-runs check_runsappslugzgemini-code-assist)rFrMdictrOrNr!)rQhead_sharSrErunsresultr9app_slugs r_fetch_check_runsristfIhZ{CDGAt dD ! 88L" %D dD ! F775"%))&"5 + + MM#   Mrcg}g}|dkDrtd|d|\}}t|trvdD]q}|}|D]'} t|tr|j| }%d}nt|tsBt |} | P|j | |j |std|d|\}} t| trK | ddd } t| tr/t | } | "|j | |j | |sy|jt|} || S#ttf$rd} YtwxYw) uhead SHA의 마지막 push 시각 추정 — PR updated_at, head.repo.pushed_at, committer.date 중 가장 늦은 시각. 각 후보의 의미와 한계: - `pulls/{pr}.updated_at`: PR-level 마지막 활동 시각 (push/comment/review 모두). PR-specific으로 가장 좁음. - `pulls/{pr}.head.repo.pushed_at`: head 저장소 전체의 최근 push 시각 (다른 branch push도 반영) — 너무 광범위. - `commits/{sha}.commit.committer.date`: commit 작성 시각 (push 시각 아님). force-push 시 옛날 시각. 세 후보의 max를 취하면 "실제 push 시각 이후의 가장 가까운 보수적 추정"이 됨. None인 경우는 무시. rrHrI)) updated_at)headrQ pushed_atNr_commit committerdate) rFrMrdrOstr _parse_isor!KeyError TypeErrorindexmax)rQ pr_numberre candidatesraw_strsrSpr_datakey_pathnodektsrEcommitter_datemax_idxs r_fetch_head_pushed_atrse!JH1}vdV79+>? 7 gt $L .*1!A!$-#xx{#  dC(#D)B~"))"- - .tfIhZ89GAt$ "!(^K8@N nc *N+B~!!"%/ s:/G G )$ "!N "s D55E E ) evaluate_gater'r0rr_fetch_head_sha_datec|sy tj|jdd}|jS#t$rYywxYw)uISO8601 → POSIX timestamp.NZz+00:00)r fromisoformatreplacerrA)sdts rrrrrsF   # #AIIc8$< =||~ s4: AAcRtjtjj d}t j ddt d|dz }|jdd5}|jtj|d d zd d d y #1swYy xYw) u3memory/audit/gemini-gate-YYYYMMDD.jsonl 에 append.z%Y%m%dT)parentsexist_okz gemini-gate-z.jsonlazutf-8)encodingF) ensure_ascii N) rr rr strftime AUDIT_DIRmkdiropenwriter=dumps)recorddate_str audit_pathfs r _append_auditrs||HLL)228???s **BB&c ^t}t|||}t|}|rt||z ntdz}t ||}t ||}t||} t||} g} g} g} |D]}|jddxsd}|jdd}t|xr||k7}t|}t|}d|jd|dd|||d }| j||r| j||s| j||D]}|jddxsd}|jdd}t|xr||k7}t|}t|}d |jd|dd|||d }| j||r| j||s| j|| D]}|jddxsd}t|}t|}|jd xs|jd }t|}||d }n||k}d|jd|ddd|||d}| j||r| j||s| j|g}| D]u}|jd|jd|jd|jd|jd|jdijddw| Dcgc] }|dr | }}t| dkDxrt!d| D}t#t$j'| }t#t$j'| }|rd} d|}!nC|rd} d}!n<|rd} dt|d}!n(|tkrd } d!|d"td#}!nd} d$td%zd&}!| |!| |||d'|xsd|td(}"t)|||| |!|t| t|t|||d) }# t+|#|"Scc}w#t,$rY|"SwxYw)*a Returns: { "state": "pass" | "hold" | "block", "reason": str, "evidence": { "primary": list of {type, id, body_snippet, commit_sha, stale: bool, severity_matches: list}, "secondary": list (check_runs from gemini-code-assist app), "high_severity_hits": list of pattern matches, "supplementary_signals": list of supplementary signals }, "head_pushed_at": ISO8601 str, "elapsed_seconds": int, "timeout_seconds": 300 } rrc commit_idreviewidN)typer body_snippet commit_shastaleseverity_matchesreview_comment created_atrkT issue_comment)rrrrrrr check_runnamestatus conclusionrarb)rrrrrrhrrc3&K|] }|d yw)rNr).0es r z evaluate_gate..fs(E7(Esblockzhigh severity matched: z!all evidence stale (SHA mismatch)passzvalid evidence found: z item(s)holdzno evidence yet, elapsed zs < z s timeoutzevidence timeout (<z min exceeded), no valid evidence)primary secondaryhigh_severity_hitssupplementary_signals)statereasonevidencehead_pushed_atelapsed_secondstimeout_seconds) rrRsharQrrr primary_countvalid_primary_countsecondary_countrr)rrrrintTIMEOUT_SECONDSrUr[r]rirOboolr'r0r!extendlenallrNrdfromkeysrrrA)$rwrerQnow_tshead_pushed_at_strhead_pushed_at_tselapsedreviewsreview_commentsissue_commentsr`rall_high_severityall_supplementaryrTrrrhssuppentryrZcreated_at_str created_tsstale_icrr9r valid_primary all_stale unique_hs unique_supprrrg audit_records$ rrrs YF/tYI"#561Bc&,,-Z[H[GT9-G,T9=O*4;N"42JG#%#%+uuVR &BEE+r* Y89#89  &"4(%%+ #J# "   u  $ $R (   $ $T *%+*+uuVR &BEE+r* Y89#89  &"4($%%+ #J# "   u  $ $R (   $ $T *%+,+uuVR &B  &"4(|,Cl0C/  $ (:H"$55H#%%+ #J( "  u  $ $R (   $ $T *5+:I ''$-GGFOggh''',/r*..v6    !(:1qzQ:M:G q ES(EW(E%EIT]]#456It}}%678K*9+6 4 )#m*<)=XF ? ",WIT/9J)T%o&;%<<\]""+%0  -2"* F Z"W"=1y>'!, L l# Mu;l   M  s PP P P,+P,c tjd}|jdtdd|jddd |jd td |jd ddd|j }t |j|j|j}|d}|jr"ttj|ddntd|td|dtd|dd|ddtdt|dd d!t|dd"|dd#rtd$|dd#|d%k(ry&|d'k(ry(y))NuIgemini_evidence_verify — Gemini App evidence 기반 PR 게이트 검증) descriptionz --pr-numberTz PR number)rrequiredhelpz --head-shazHead commit SHA)rrz--repoz0OWNER/REPO (default: JonghyukJeon/dev_workspace))defaultrz--json store_truejson_outu JSON 출력)actiondestrrF)rindentzstate=zreason=rzelapsed=rz s / timeout=rrzprimary=rrz secondary=rrzHIGH SEVERITY: rrrr)argparseArgumentParser add_argumentr DEFAULT_REPO parse_argsrrwrerQrprintr=rr)apargsrgrs rmainrsr  _ BOOMdOMOOL46GOHOOHl9kOlOOH\ OW ==?D 4>>4==$)) DF 7OE }} djjeA>? ug x()*+  123<GX@Y?ZZ[\] VJ/ :;r s#  '+ ,  Sh1G1G1I1P1P1W1W-XY Z  7 *  BJJ| $ rzz;R]]K bjj<= RZZ> M OR]];"**-r}}=2::/?22" *SSS"/h- ?>Jrj@ z CHHTVr