# v3.6 PreToolUse Deny Rule Candidates (Track C · Phase 0/1)

- task_id: task-2664
- chair_authorization_id: `CHAIR-AUTH-V3-6-PRETOOLUSE-PACKET-20260525-JJONGS-PHASE-0-1-001`
- single_source: ANU v3 master spec section 8B (line 1397-1700) · task-2643 deliverables read-only
- scope: **Phase 0/1 only** · candidate list compilation · live deny rules activated: 0
- live_enforcement: 0
- commit_push_pr_merge: 0
- base_commit: origin/main `2752182a`

## 1. Purpose

This packet compiles the candidate patterns that the PreToolUse hook of the ANU v3.6 Runtime Harness Enforcement Layer should block, based on spec sections 8B.4 / 8B.8. **This document is a candidate list packet**; direct application to settings.json stays on HOLD until a separate chair verbatim signature.

## 2. Primary deny pattern candidates (spec 8B.8 verbatim 1:1)

### DR-1. ANU main body direct CI/Gemini polling

| field | value |
| --- | --- |
| rule_id | DR-1 |
| tool | Bash |
| match_pattern | `run_in_background=true` AND (`gh pr view` OR `gh pr checks` OR `gh run watch`) |
| verdict | `DENY` |
| reason | `ANU_SESSION_BOUND_DIRECT_CI_POLLING` |
| allowed_alternative | `DELEGATED_WATCHER_CALLBACK` (★ allow contract path) |
| spec_anchor | 8B.4 line 1474-1487 · 8B.8 line 1572-1582 |
| evidence_anchor | PR #145 bzaona6au incident (spec 8B.1 line 1403-1415) |

### DR-2. statusCheckRollup background polling

| field | value |
| --- | --- |
| rule_id | DR-2 |
| tool | Bash |
| match_pattern | `run_in_background=true` AND (`statusCheckRollup` OR `--json statusCheckRollup`) |
| verdict | `DENY` |
| reason | `ANU_DIRECT_GH_STATUS_ROLLUP_POLLING` |
| allowed_alternative | watcher contract owner=dev_bot |
| spec_anchor | 8B.4 line 1476 · 8B.8 line 1576 |

### DR-3. while/until + sleep + gh pr view or gh pr checks loop

| field | value |
| --- | --- |
| rule_id | DR-3 |
| tool | Bash |
| match_pattern | (`while ` OR `until `) AND `sleep ` AND (`gh pr view` OR `gh pr checks`) |
| verdict | `DENY` |
| reason | `ANU_SLEEP_LOOP_DIRECT_WAIT` |
| allowed_alternative | watcher contract + callback_only_reporting=true |
| spec_anchor | 8B.4 line 1476-1477 · 8B.8 line 1577-1578 |

### DR-4. gh run watch (terminal wait)

| field | value |
| --- | --- |
| rule_id | DR-4 |
| tool | Bash |
| match_pattern | `gh run watch` |
| verdict | `DENY` |
| reason | `ANU_DIRECT_RUN_WATCH_TERMINAL_WAIT` |
| allowed_alternative | dev bot watcher contract |
| spec_anchor | 8B.4 line 1478 · 8B.8 line 1580 |

### DR-5. gh run list + sleep loop

| field | value |
| --- | --- |
| rule_id | DR-5 |
| tool | Bash |
| match_pattern | `gh run list` AND `sleep ` AND (`while ` OR `until ` OR repeated invocation pattern) |
| verdict | `DENY` |
| reason | `ANU_DIRECT_RUN_LIST_SLEEP_LOOP` |
| allowed_alternative | dev bot watcher contract |
| spec_anchor | 8B.8 line 1581 |

### DR-6. GitHub checks/status API sleep loop

| field | value |
| --- | --- |
| rule_id | DR-6 |
| tool | Bash |
| match_pattern | (`gh api` AND (`/check-runs` OR `/check-suites` OR `/statuses`)) AND `sleep ` |
| verdict | `DENY` |
| reason | `ANU_DIRECT_CHECKS_API_SLEEP_LOOP` |
| allowed_alternative | dev bot watcher contract |
| spec_anchor | 8B.8 line 1582 |

## 3. Secondary semantic deny pattern candidates (spec 8B.8 verbatim 1:1)

### DR-7. CI rerun wait intent

| field | value |
| --- | --- |
| rule_id | DR-7 |
| tool | Bash / Comment / Report |
| match_pattern | text contains ("CI 재실행 대기" OR "CI rerun wait" OR "rerun and wait") AND ANU main body session |
| verdict | `REQUIRE_WATCHER_CONTRACT` |
| reason | `ANU_CI_RERUN_TERMINAL_WAIT_INTENT` |
| allowed_alternative | watcher contract delegation |
| spec_anchor | 8B.8 line 1585-1593 |

### DR-8. Gemini wait intent

| field | value |
| --- | --- |
| rule_id | DR-8 |
| tool | Bash / Comment / Report |
| match_pattern | text contains ("Gemini 대기" OR "Gemini wait" OR "wait for Gemini") AND ANU main body session |
| verdict | `REQUIRE_WATCHER_CONTRACT` |
| reason | `ANU_GEMINI_TERMINAL_WAIT_INTENT` |
| allowed_alternative | watcher contract delegation |
| spec_anchor | 8B.8 line 1585-1593 |

### DR-9. phase3 wait / terminal state wait intent

| field | value |
| --- | --- |
| rule_id | DR-9 |
| tool | Bash / Comment / Report |
| match_pattern | text contains ("phase3 대기" OR "phase3 wait" OR "terminal state wait") AND ANU main body session |
| verdict | `REQUIRE_WATCHER_CONTRACT` |
| reason | `ANU_PHASE3_OR_TERMINAL_STATE_WAIT_INTENT` |
| allowed_alternative | watcher contract delegation |
| spec_anchor | 8B.8 line 1585-1593 |

## 4. Critical / Chair-only candidates (spec 8B.4 verbatim 1:1)

### DR-10. admin override attempt

| field | value |
| --- | --- |
| rule_id | DR-10 |
| tool | Bash / GitHub API |
| match_pattern | (`gh api` AND `/repos/.*/merge`) OR `--admin` OR `admin merge` attempt |
| verdict | `REQUIRE_CHAIR_APPROVAL` (★ Phase 1 default DENY recommended) |
| reason | `ANU_ADMIN_OVERRIDE_ATTEMPT` |
| allowed_alternative | chair verbatim signature + watcher contract |
| spec_anchor | 8B.4 line 1480 · 8B.11 line 1636 |

### DR-11. Direct use of BOT App token

| field | value |
| --- | --- |
| rule_id | DR-11 |
| tool | Bash / curl / gh |
| match_pattern | command contains `ghs_` token OR direct BOT token export OR Authorization header with `ghs_` |
| verdict | `REQUIRE_CHAIR_APPROVAL` (★ Phase 1 default DENY recommended) |
| reason | `ANU_BOT_APP_TOKEN_DIRECT_USE` |
| allowed_alternative | chair verbatim signature + watcher contract |
| spec_anchor | 8B.4 line 1481 · 8B.11 line 1637 |

### DR-12. Unauthorized chair_authorization issuance

| field | value |
| --- | --- |
| rule_id | DR-12 |
| tool | Write / Edit / Bash |
| match_pattern | write target containing the string `chair_authorization_id` AND owner=ANU main body (★ issuance attempt outside the chair's verbatim signature) |
| verdict | `DENY` |
| reason | `ANU_CHAIR_AUTHORIZATION_SELF_ISSUANCE` |
| allowed_alternative | only pinning the chair's verbatim signature after it has been pasted is allowed |
| spec_anchor | 8B.4 line 1482 |

### DR-13. real auto-merge activation

| field | value |
| --- | --- |
| rule_id | DR-13 |
| tool | Bash / GitHub API |
| match_pattern | `gh pr merge --auto` OR `--auto-merge` OR settings auto_merge activation |
| verdict | `REQUIRE_CHAIR_APPROVAL` |
| reason | `ANU_REAL_AUTO_MERGE_ACTIVATION` |
| allowed_alternative | chair verbatim signature only |
| spec_anchor | 8B.4 line 1483 · 8B.11 line 1638 |

### DR-14. Unauthorized PR #141 pilot run

| field | value |
| --- | --- |
| rule_id | DR-14 |
| tool | Bash |
| match_pattern | command targets `replacement_pr_runner.py` AND `--real` AND owner=ANU main body |
| verdict | `DENY` |
| reason | `ANU_PR_141_PILOT_UNAUTHORIZED_RUN` |
| allowed_alternative | chair verbatim signature + dev bot dispatch |
| spec_anchor | 8B.4 line 1484 |

### DR-15. Direct modification of finish-task / cokacdir / replacement_pr_runner

| field | value |
| --- | --- |
| rule_id | DR-15 |
| tool | Write / Edit |
| match_pattern | target_path matches (`scripts/finish-task.sh` OR `/usr/local/bin/cokacdir` OR `utils/replacement_pr_runner.py` OR `scripts/replacement_pr_runner.py`) AND owner=ANU main body |
| verdict | `DENY` |
| reason | `ANU_RUNNER_INFRA_DIRECT_MUTATION` |
| allowed_alternative | dev bot dispatch via task md |
| spec_anchor | 8B.4 line 1485 |

### DR-16. foreign dirty cleanup

| field | value |
| --- | --- |
| rule_id | DR-16 |
| tool | Bash |
| match_pattern | (`git stash drop` OR `git reset --hard` OR `git clean -fd`) AND target != current task worktree |
| verdict | `DENY` |
| reason | `ANU_FOREIGN_DIRTY_CLEANUP` |
| allowed_alternative | dev bot dispatch dedicated cleanup task |
| spec_anchor | 8B.4 line 1486 |

### DR-17. force push / reset --hard / rm -rf hazards

| field | value |
| --- | --- |
| rule_id | DR-17 |
| tool | Bash |
| match_pattern | (`git push --force` OR `git push -f`) OR `git reset --hard origin/` OR `rm -rf /` OR `rm -rf /home/jay` |
| verdict | `DENY` |
| reason | `ANU_DESTRUCTIVE_COMMAND` |
| allowed_alternative | chair verbatim signature only |
| spec_anchor | 8B.4 line 1487 |

## 5. Blocking priority (Phase 1 recommendation)

| priority | rule_ids | rationale |
| --- | --- | --- |
| P1 (required) | DR-1, DR-2, DR-3, DR-4, DR-5, DR-6, DR-12, DR-17 | immediate prevention of a bzaona6au recurrence + destructive commands + chair_authorization self-issuance |
| P2 (strongly recommended) | DR-15, DR-16, DR-14 | direct mutation of runner infra + foreign dirty cleanup + unauthorized pilot run |
| P3 (chair gate) | DR-10, DR-11, DR-13 | admin override / BOT token / auto-merge: REQUIRE_CHAIR_APPROVAL branch |
| P4 (semantic) | DR-7, DR-8, DR-9 | intent-based: REQUIRE_WATCHER_CONTRACT branch |

## 6. Phase 0/1 application scope (★ ANCHOR compliance)

- **Phase 0**: write the candidate list packet + design dry-run fixtures (★ this document)
- **Phase 1**: shadow-mode validation (deny event markers are recorded only; actual blocks: 0); proceeds only after a separate chair signature
- **Phase 2+ prohibited**: live settings.json application / actual BLOCK / policy promotion; out of scope for this task (0)

## 7. Event marker format on block (reference only · applied: 0)

```json
{
  "schema": "anu.v3_6.tool_call_gate_decision.v1",
  "tool": "Bash",
  "requested_command_hash": "sha256...",
  "background": true,
  "verdict": "DENY",
  "reason": "ANU_SESSION_BOUND_DIRECT_CI_POLLING",
  "matched_rule_id": "DR-1",
  "matched_patterns": [
    "run_in_background",
    "gh pr view",
    "statusCheckRollup",
    "sleep"
  ],
  "allowed_alternative": "DELEGATED_WATCHER_CALLBACK",
  "event_path": "memory/events/tool-call-denied-<task_id>-<unix_ts>.json"
}
```

(spec 8B.7 line 1549-1568 verbatim 1:1)
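As an added worked example for the Phase 0 dry-run fixture design (section 6) and the Phase 1 shadow-mode validation, the following Python evaluates a subset of the section 2 and section 4 candidates (DR-1 to DR-6 and DR-17) against a requested Bash command and emits the section 7 event marker. It is illustration written for this packet, not the project's hook, settings.json or dispatch code. The function names (`evaluate`, `gate`, `run_fixtures`), the rule evaluation order with first-match-wins, the `sha256:` prefix on the command hash, the regex reading of DR-17, and the fixture commands are all assumptions constructed here.

```python
"""Shadow-mode evaluator for a subset of this packet's candidate rules (added
illustration, not the project's hook). Assumptions not in the packet: rules are
tested in list order and the first match wins; DR-5's "repeated invocation
pattern" is approximated as more than one `gh run list` in one command."""
import hashlib
import re
import time

def _hits(cmd, needles):
    return [n for n in needles if n in cmd]  # needles present in cmd, in table order

def _dr1(cmd, bg):  # ANU main body direct CI polling in the background
    h = _hits(cmd, ["gh pr view", "gh pr checks", "gh run watch"])
    return ["run_in_background"] + h if (bg and h) else None

def _dr2(cmd, bg):  # statusCheckRollup background polling
    h = _hits(cmd, ["statusCheckRollup"])
    return ["run_in_background"] + h if (bg and h) else None

def _dr3(cmd, bg):  # while/until + sleep + gh pr view|checks loop
    loop, slp, gh = _hits(cmd, ["while ", "until "]), _hits(cmd, ["sleep "]), _hits(cmd, ["gh pr view", "gh pr checks"])
    return loop + slp + gh if (loop and slp and gh) else None

def _dr4(cmd, bg):  # gh run watch terminal wait
    return _hits(cmd, ["gh run watch"]) or None

def _dr5(cmd, bg):  # gh run list + sleep loop
    run, slp, loop = _hits(cmd, ["gh run list"]), _hits(cmd, ["sleep "]), _hits(cmd, ["while ", "until "])
    if run and not loop and cmd.count("gh run list") > 1:
        loop = ["repeated gh run list"]  # assumed reading of "repeated invocation pattern"
    return run + slp + loop if (run and slp and loop) else None

def _dr6(cmd, bg):  # checks/status API + sleep loop
    api, path, slp = _hits(cmd, ["gh api"]), _hits(cmd, ["/check-runs", "/check-suites", "/statuses"]), _hits(cmd, ["sleep "])
    return api + path + slp if (api and path and slp) else None

# DR-17 as a regex: the bare `rm -rf /` literal would also hit `rm -rf /tmp/x`,
# so the root / home form must be followed by whitespace or the end of the command.
_DR17_RE = re.compile(r"git push (?:--force|-f)\b|git reset --hard origin/|rm -rf /(?:home/jay)?(?=\s|$)")

def _dr17(cmd, bg):
    m = _DR17_RE.search(cmd)
    return [m.group(0)] if m else None

# (rule_id, matcher, reason, allowed_alternative) transcribed from the packet tables.
RULES = [
    ("DR-1", _dr1, "ANU_SESSION_BOUND_DIRECT_CI_POLLING", "DELEGATED_WATCHER_CALLBACK"),
    ("DR-2", _dr2, "ANU_DIRECT_GH_STATUS_ROLLUP_POLLING", "watcher contract owner=dev_bot"),
    ("DR-3", _dr3, "ANU_SLEEP_LOOP_DIRECT_WAIT", "watcher contract + callback_only_reporting=true"),
    ("DR-4", _dr4, "ANU_DIRECT_RUN_WATCH_TERMINAL_WAIT", "dev bot watcher contract"),
    ("DR-5", _dr5, "ANU_DIRECT_RUN_LIST_SLEEP_LOOP", "dev bot watcher contract"),
    ("DR-6", _dr6, "ANU_DIRECT_CHECKS_API_SLEEP_LOOP", "dev bot watcher contract"),
    ("DR-17", _dr17, "ANU_DESTRUCTIVE_COMMAND", "chair verbatim signature only"),
]

def evaluate(command, background, task_id, unix_ts=None):
    """Return the section 7 event marker for the first matching rule, or None (allow)."""
    for rule_id, matcher, reason, alternative in RULES:
        patterns = matcher(command, background)
        if patterns:
            ts = int(time.time()) if unix_ts is None else unix_ts
            return {
                "schema": "anu.v3_6.tool_call_gate_decision.v1",
                "tool": "Bash",
                "requested_command_hash": "sha256:" + hashlib.sha256(command.encode()).hexdigest(),
                "background": background,
                "verdict": "DENY",
                "reason": reason,
                "matched_rule_id": rule_id,
                "matched_patterns": patterns,
                "allowed_alternative": alternative,
                "event_path": f"memory/events/tool-call-denied-{task_id}-{ts}.json",
            }
    return None

def gate(command, background, task_id, shadow=True, unix_ts=None):
    """Phase 1 shadow mode: the marker is produced for recording, but the call is still allowed."""
    marker = evaluate(command, background, task_id, unix_ts)
    if marker is None:
        return "ALLOW", None
    return ("ALLOW" if shadow else "DENY"), marker

# Constructed dry-run fixtures (not from the packet): command, background flag, expected rule id.
FIXTURES = [
    ("gh pr checks 145 --watch", True, "DR-1"),
    ("while true; do gh pr view 145 --json statusCheckRollup; sleep 30; done", False, "DR-3"),
    ("until gh run list --limit 1 | grep -q completed; do sleep 20; done", False, "DR-5"),
    ("gh api repos/o/r/commits/abc/check-runs && sleep 10", False, "DR-6"),
    ("rm -rf /", False, "DR-17"),
    ("rm -rf /tmp/build-cache", False, None),
    ("gh pr view 145", False, None),
]

def matched_rule(command, background, task_id="task-2664"):
    m = evaluate(command, background, task_id, unix_ts=0)
    return m["matched_rule_id"] if m else None

def run_fixtures():
    """Dry-run report: [(command, expected_rule, actual_rule)] for every fixture."""
    return [(c, e, matched_rule(c, bg)) for c, bg, e in FIXTURES]
```

`gate` returns `ALLOW` together with the marker in shadow mode, which matches the Phase 1 contract of recording deny event markers without an actual block; writing the marker to `event_path` is left to the caller. The DR-17 regex is the one place the example departs from literal substring matching, because a plain `rm -rf /` literal would also fire on `rm -rf /tmp/build-cache`; the fixture list includes that case so the precision of the rule is checked on every dry run.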

## 8. forbidden actions (0 during preparation of this packet)

- live settings.json changes = 0
- hooks/** changes = 0
- dispatch.py changes = 0
- Axis 1/2 runtime changes = 0
- commit/push/PR/merge = 0
- task-2662 / task-2663 files touched = 0
- HARNESS_ENFORCED global declaration = 0
- BLOCK policy expansion = 0

forbidden_action_count = **0**

End
