j@ `UdZddlmZddlZddlZddlmZmZmZm Z m Z e hdZ de d<Gdd eZe hd Zde d <e hd Zde d <ddZddZe hdZde d<ddZddd ddZddZddddddddd d dZgdZy)!uanu_v2.ci_gemini_watcher_gh_adapter — task-2719, GET-only gh_runner 어댑터. 설계 원칙: - runner (ci_gemini_watcher_runner.py) 는 무수정 import-only. - GitHub write 0: 실제 comment, merge, post_review 등 write op 절대 금지. - decision-only, dry_run 항상 True 고정. - one-way isolation: anu_v2/* 와 표준 라이브러리(json, subprocess) 만 import. utils / dispatch / scripts / dashboard 의존성 0. ) annotationsN)AnyCallableFinalMappingSequence>reviewsfindings ci_rollup diff_paths actual_headzFinal[frozenset[str]]READ_OPSceZdZdZy)GhWriteForbiddenErroru5write op 또는 비허용 메서드 요청 시 raise.N)__name__ __module__ __qualname____doc__T/home/jay/workspace/.worktrees/task-2723-dev2/anu_v2/ci_gemini_watcher_gh_adapter.pyrrs?rr> editlockclosemergereadycreatedeletereopenreviewunlockcomment_WRITE_SUBCMDS>-F-f--field--input --raw-field_WRITE_INDUCING_FLAGSct|}|D]3}t|jtvs#t d|d|dt |D]\}}t|}|dvrM|dzt |ks't||dzjdk7sJt d||dzd|d|jdr9|jd ddjdk7st d|d|d|jd st |d kDs|d d jdk7st d|d|d|D]8}t|}|tvs|jd s(t d|d|dy )u3GET-only 보장 — argv **전체**에서 다음을 검사해 GhWriteForbiddenError raise. (1) write 서브커맨드 (전역 플래그로 서브커맨드 위치가 밀려도 탐지) (2) 비-GET 메서드 — ``-X``/``--method`` 분리·``--method=POST`` 등호·``-XPOST`` 붙여쓰기 (3) 암묵적 POST 유도 데이터 플래그 — ``-f``/``-F``/``--field``/``--raw-field``/``--input`` (``gh api`` 는 ``-X`` 없이도 데이터 플래그가 있으면 POST 로 승격) defense-in-depth 방어선 — gh_cli 호출 직전 실행. z$write subcommand forbidden in argv: z (argv=))-Xz--methodGETznon-GET method forbidden: z --method==r,N)z--field=z --raw-field=z--input=z$write-inducing data flag forbidden: ) liststrlowerr#r enumeratelenupper startswithsplitr))argv argv_listtokeni token_strs r_assert_readonly_argvr>3sT I u:    /'6uiwymSTU i(5J * *1us9~%#iA.>*?*E*E*G5*P+01q51A0DGI=XYZ ! !+ .sA&q)//1U:+0 WYMQRS ! !$ 'C NQ,>}""$-+0 WYMQRS&J - -1E1E 42 (6ym79-WXY  rc|r|jnd}|sy tj|S#tjtf$rYywxYw)uOstdout 을 JSON 파싱. 빈 문자열/공백이면 None 반환 (예외 금지).N)stripjsonloadsJSONDecodeError ValueError)stdoutstrippeds r _parse_jsonrHhsH!'v||~RH zz(##  * -s.A  A >FAILURE CANCELLED TIMED_OUTACTION_REQUIREDSTARTUP_FAILURE_FAILURE_CONCLUSIONSc|sdddSt|tsdddS|D]N}t|tst|j dxsdj }|t vsIdddcS|D]N}t|tst|j dxsdj }|sC|dk7sId ddcSd ddS) ustatusCheckRollup 리스트에서 CI state 도출. 반환: {"state": "SUCCESS"|"FAILURE"|"PENDING"|"UNKNOWN", "remediable": False} UNKNOWNFstate remediable conclusionr@rIstatus COMPLETEDPENDINGSUCCESS) isinstancer1dictr2getr6rN)rollupitemrTrUs r_derive_ci_stater^|s "%88 fd #"%88=$% ,/526<<> - -&e< < ==$% TXXh'-2.446 f +&e< < =e 44rr@ownerrepoc d fd d fd d fd d fd d fd dfd dfd d fd }|S)uGET-only gh_runner closure 반환. Args: gh_cli : `gh ` 실행 후 stdout(JSON 텍스트) 반환하는 callable. owner : GitHub owner (빈 문자열이면 --repo 플래그 생략). repo : GitHub repo (빈 문자열이면 --repo 플래그 생략). Returns: op 5종(actual_head / diff_paths / ci_rollup / reviews / findings)을 dispatch 하는 gh_runner callable. Raises: GhWriteForbiddenError: 알 수 없는 op 또는 write op 요청 시. c"r r ddgSgS)u9owner/repo 둘 다 있을 때만 --repo 플래그 생성.z--repo/rr_sr _repo_flagsz-build_readonly_gh_runner.._repo_flagss# Tq/0 0 rc0ddt|gzS)u:gh pr view [--repo owner/repo] 공통 argv 앞부분.prview)r2)rgres r _pr_base_argvz/build_readonly_gh_runner.._pr_base_argvsfc"g&66rc|ddgz}t||}t|}t|tsyt |j dxsdS)u0PR HEAD SHA 반환. 실패 시 "" (fail-closed).--json headRefOidr@)r>rHrYrZr2r[) pr_numberr9rFdatarigh_clis r _actual_headz.build_readonly_gh_runner.._actual_headsXY'8\*BBd#6"$%488L)/R00rcX|ddgz}t| |}t|}t|tsgS|j d}t|t sgSg}|D]A}t|ts|j d}|(|j t|C|S)u1PR diff 파일 경로 list 반환. 실패 시 [].rkfilespath)r>rHrYrZr[r1appendr2) rmr9rFrnrrresultfrsriros r _diff_pathsz-build_readonly_gh_runner.._diff_pathssY'8W*==d#6"$%I!%&I -A!T"uuV}#MM#d),  -  rc|ddgz}t||}t|}t|tsdddS|j d}t |S)uCI rollup state dict 반환.rkstatusCheckRolluprPFrQ)r>rHrYrZr[r^)rmr9rFrnr\riros r _ci_rollupz,build_readonly_gh_runner.._ci_rollupsbY'85H*IId#6"$%&e< <-.''rct|jdk7rtd|ddd|g}t||}t |}t |t r|SgS)uJGET-only review 목록 반환. method != GET 이면 GhWriteForbiddenError.r.z&reviews op: non-GET method forbidden: apir,)r2r6rr>rHrYr1)methodrsr9rFrnros r_reviewsz*build_readonly_gh_runner.._reviewssn v;   % ''8 C tUD)d#6" dD !K rcxsd} xsd}d|d|d|d}ddd |g}t||}t|}t|tr|SgS) u%PR 코멘트(findings) 목록 반환.OWNERREPOz/repos/rdz/pulls/z /commentsr|r,r.)r>rHrYr1) rm_owner_reporsr9rFrnror`ras r _findingsz+build_readonly_gh_runner.._findingssm!'&% {)DtUD)d#6" dD !K rc|dk(r |dS|dk(r |dS|dk(r |dS|dk(r)|jdd|jdd S|d k(r |dStd |) uop 에 따라 5종 GET-only 동작을 dispatch. 알 수 없는 op (write op 포함) 은 GhWriteForbiddenError raise. r rmr r r r}r.rsr@r zwrite/unknown op forbidden: )r[r)opkwargsrprzrwrr~s r _gh_runnerz,build_readonly_gh_runner.._gh_runners  { 34 4  vk23 3  f[12 2 ?FJJx7FB9OP P  VK01 1#&B2&$IJJr)return list[str])rgintrr)rmrrr2)rmrrr)rmrrrZ)r}r2rsr2rr1)rmrrr1)rr2rrrrr) ror`rarrprzrwrrirer~s ``` @@@@@@@rbuild_readonly_gh_runnerrs;* 7 1& (  KK$ rct|tjdgtt|dddd}|j dk7ry|j S)uo실 gh CLI 를 subprocess 로 GET-only 호출하는 read-only one-shot dry-run helper. - _assert_readonly_argv 검사 통과 후 gh 프로세스 실행. - returncode != 0 이면 "" 반환 (fail-closed). - 주의: 이 함수는 단발(one-shot) 호출 전용입니다. 자동 반복/polling/스케줄 실행 목적으로 사용하지 마세요. ghTF)capture_outputtexttimeoutcheckrr@)r> subprocessrunmapr2 returncoderF)r9rus rdefault_gh_clirsT$ ^^ C  FA ==rz task-2719)ror`ratask_id owner_proofdedupe_checkerrecord_triggertriagecbddlm} t||nt||} | |||| |||||| | d S)uGET-only, dry_run=True 고정 단발 실행 진입점. gh_cli 가 None 이면 default_gh_cli 사용. dry_run 은 항상 True 고정 — 인자로 노출하지 않음 (실 write 0 보장). Returns: WatchResult (ci_gemini_watcher_runner.WatchResult). r)run_watch_cycle)ror`raT) rm expected_headexpected_files gh_runnerr`rarrrrrdry_run)anu_v2.ci_gemini_watcher_runnerrrr) rmrrror`rarrrrrr runner_cbs rrun_one_shot_dry_runr7sU,@(+v I #% %%  r)rrrrr)r9 Sequence[str]rNone)rFr2rr)r\rrrZ)rozCallable[[Sequence[str]], str]r`r2rar2rzCallable[..., Any])r9rrr2)rmrrr2rrroz%Callable[[Sequence[str]], str] | Noner`r2rar2rr2rzMapping[str, Any] | Nonerrrrrrrr)r __future__rrBrtypingrrrrr frozensetr__annotations__ RuntimeErrorrr#r)r>rHrNr^rrr__all__rrrrss# :: #,E# @L@)2)%0950, .j/8O/+ 5L x *x x  x  x~<59,0***"* 2 *  * ****** * *b r