#j'PdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl m Z m Z ddl mZe jj!dejj#ejj%ed ddlmZmZmZmZej6dZd Zd Zd Zd Z d Z!ddZ"ddZ#ddZ$ddZ%d dZ&d!dZ' d"dZ( d#dZ)ef d$dZ* d%dZ+ d&dZ,ddddef d'dZ-d(d)dZ.e/dk(r e0e.y#e$rddlmZmZmZmZYwxYw)*u' gemini_cli_gate_check.py — G4 Pre-PR Gemini CLI Gate (task-2562) 회장 §명시 2026-05-12 Track C 박제: - Pre-PR Gemini CLI 단발 gate (OAuth-personal). 공식 merge gate 아님. - GitHub Gemini App은 PR open 후 자동 호출되는 공식 merge gate로 별도 유지. - 본 모듈은 PR open 전 single shot 호출로 code-changing issue를 사전 감지한다. 핵심 결정 박제: - fix_loop_count max = 2 (회장 §명시) - Lv 기반 mixed gate Lv.1~2 : soft (warning + PR open 허용) Lv.2 : risk-trigger hard (보안 민감 파일 / affected_files > 5 / danger 키워드) Lv.3+ : hard (.done 차단 + PR open 금지) - scope_violation = True → 즉시 ESCALATED (fix_loop 진입 0) - API key 사용 금지 (GEMINI_API_KEY env var 감지 시 즉시 abort) - codex_gate_check.py 60% 재사용 (helper utilities) OAuth-personal 사용 범위: - gemini CLI 0.31.0 binary 호출 (~/.config/gemini/oauth_token.json auto-refresh) - 단발 호출 (per-task 1회 입력 → JSON 결과 1회 출력) - long polling 0 (max wait < 60s) ) annotationsN)datetimetimezone)Anyz..)_extract_json_from_output_normalize_affected_item_read_file_safe_detect_workspace_rootgemini_cli_gate_checkgemini<) u인증u결제u보안u권한PIIu 개인정보uAPI키u토큰authpaymentsecrettoken credential)zauth/zpayment/z dispatch/ owner_triggerz.envg3_independent_verifierexecutor_schedulercztjjddj}|r t dy)u6API key 사용을 즉시 차단 (회장 §명시 1:1).GEMINI_API_KEYuxFORBIDDEN_CAPABILITY_USE: GEMINI_API_KEY env var detected — G4 gate는 OAuth-personal 강제 (회장 §명시 박제).N)osenvirongetstrip RuntimeError)api_keys Q/home/jay/workspace/.worktrees/task-2729+10-dev6/scripts/gemini_cli_gate_check.py_assert_oauth_personal_onlyr"Ws;jjnn-r288:G I  cRtjj||d}tjj|sy t |dd5}t |j jxsdcdddS#1swYyxYw#ttf$rYywxYw)N.g4-fix-loop-countrrutf-8encoding0) rpathjoinisfileopenintreadrOSError ValueError) events_dirtask_idr+fs r!_read_fix_loop_countr6as 77<< wi/A$B CD 77>>$  $g . 0!qvvx~~'.3/ 0 0 0 Z s0B+B> BB BBB&%B&c(tj|dtjj||d}|dz}t |dd5}|j t |dddtj||y#1swY xYw)NTexist_okr%.tmpwr'r()rmakedirsr+r,r.writestrreplace)r3r4countr+tmpr5s r!_write_fix_loop_countrBlsvKK T* 77<< wi/A$B CD -C c3 )Q E JJsDs BBc|sytjd|}|sy|jdj}tjd|ryd|vsd|vsd|vryy) u:task md에서 레벨 추출. 'lv1'/'lv2'/'lv3plus' 반환.lv1u##\s*레벨\s*\n([^\n]+)z+lv\.?\s*[34]|level\s*[34]|critical|securitylv3pluszlv.2lv2zlevel 2)researchgrouplower) task_contentmraws r!_detect_level_from_task_filerOusa  -|5 (=)zdanger_keywords=,Nzlv2_risk_trigger:+softlv1_or_lv2_no_risk)rWr[lenr^r,)rcrRrLtriggerskwss r!_classify_gate_moderos ?UKKH ~ ( 8 OO5 6 ~  " OO1#n2E1FaH I"<0  OO.sxxBQ/@.AB C+>(AS+S^cdd';e LLr#c|sdgfS|Dchc]#}|js|j%}}g}|D]&}t|\}}||vs|j|(t||fScc}w)uLexpected_files 외 파일이 affected_files에 포함되면 scope_violation.F)rrr[bool)rRexpected_filesp expected_setextrasrSr+rTs r!_detect_scope_violationrvs by'5C!AGGICLCF *40a | # MM$   <  Ds A/A/c tjj}|jdd|jdd t j |g|ddt ||}|jdk7r!dd|jd|jdd fSt|j}|y |dfS#t$rYy tj$rdd t d fcYSt$r'}ddt|jd|fcYd}~Sd}~wwxYw)u~Gemini CLI 0.31.0 binary 단발 호출 (OAuth-personal, stdin). Returns (parsed_json or None, error_reason or None). rNGOOGLE_API_KEYT)inputcapture_outputtexttimeoutcwdenvrzgemini_cli_nonzero_exit rc=z stderr=)Ngemini_cli_json_parse_fail)Ngemini_cli_binary_not_foundzgemini_cli_timeout (>zs)zgemini_cli_exception::)rrcopypop subprocessrunGEMINI_TIMEOUT_S returncodestderrrstdoutFileNotFoundErrorTimeoutExpired Exceptiontype__name__)prompt target_dir gemini_binr~resultparsedes r!_run_gemini_clirs% **// CGG d#GG d#D L$     !6v7H7H6IRXR_R_`dadReQfgg g*6==9 >5t| 32  $ $B,-=,>bAAA D,T!W-=-=,>asCCCDs7AB1B1-B11 D <D D $DD D ctjd||g}g}tjj |s|j dd|dn2t |}|js|j dd|d|D]}t|\} } tjj| r| ntjj|| } tjj | rr| r|j dd| d|j dd | d|s|j d td |D} | ||d |d S)uTGemini CLI 호출 실패 시 규칙 기반 fallback (codex maat fallback과 동질).z,gemini fallback: workspace_root=%s reason=%scriticalu설계 문서 누락: severity descriptionu설계 문서 비어있음: infou"신규 파일 (아직 미생성): highu파일 누락 또는 오타: u'Gemini CLI 폴백: 정적 검증 통과c3,K|] }|ddk(yw)rrN.0r&s r! z)_gemini_fallback_check..sBqq} 2Bsgemini_fallback_static)passrisks suggestionssourcefallback_reason) loggerdebugrr+r-r[r rrisabsr,any) task_filerRworkspace_rootrrrrcontentrS file_pathis_newresolved has_criticals r!_gemini_fallback_checkrsX LL?Q`a"$EK 77>>) $ &!7 {C  "),}} LL *%A)#M 4T: 6 " i 89bggll:W`>aww~~h' $*)KI;'W $*)Fyk'R& DEBEBBL  "**  r#c tj|dddddd}|j|d|d }tjj |||}|d z}t |d d 5}t ji|||tjtjjd|dddddtj|||S#1swY!xYw)uk G4 marker 파일 생성 (atomic write — _write_fix_loop_count 와 동일 패턴). marker_kind: "soft" → memory/events/.g4-soft-warning.json "fail" → memory/events/.g4-failed "scope" → memory/events/.g4-scope-violation.json "cap" → memory/events/.g4-fix-loop-cap.json Tr8z.g4-soft-warning.jsonz .g4-failedz.g4-scope-violation.jsonz.g4-fix-loop-cap.json)rjfailscopecapz.g4-z.jsonr:r;r'r()r4 marker_kindts_utcFr ensure_asciiindentN)rr<rr+r,r.jsondumprnowrutc isoformatr?) r3r4rpayload suffix_mapsuffixr+rAr5s r!_save_g4_markerr)sKK T*'+& J ^^K4 }E)B CF 77<< wix$8 9D -C c3 )  Q   "*",,x||4>>@      JJsD K   s ,ACC&ct| t|}t|tsJtj j |dd}|xs|}t|} t| } t| || } | d} | d} t||\}}|r t||nd}|rPd}|r t||d|t|xsg|dd }d d d | d dt|d|dddgdgdd|td|d|dS|rD|tk\r;t||d|tdd}d d d| d d|dtddgdgdd|td gd|dSg}|D]}t!|\}}tj j#|r|ntj j ||}tj j%|s|j'd|d t|}|j'd|d!||rd"j |nd#}d$| d%|d&}t)|||'\}}|-t+||||xsd(|}|d)}|d*}|d+}|d,} |d-}!n=|j-d*g}|j-d+g}t/d.|D}"|" }d/} d}!d}#d0}$|}%|r|d1z}%t1|||%|s4| d2k(rd0}$|r+t||d2||| |%d3}#nd4}$|rt||d5||| |%d3}#|| | | ||| |!|%td g|$|#dS)6u9 G4 Pre-PR Gemini CLI gate 메인 함수. Returns dict: pass: bool gate_mode: "soft" | "hard" gate_trigger: str level: "lv1" | "lv2" | "lv3plus" risks: list suggestions: list source: "gemini_cli" | "gemini_fallback_static" fallback_reason: str | None fix_loop_count: int fix_loop_max: int scope_violation: bool scope_violation_extras: list[str] action: "PR_OPEN_ALLOWED" | "PR_OPEN_BLOCKED" | "ESCALATED_OWNER_DECISION" marker_path: str | None Nmemoryeventsrarbrru7scope_violation → 즉시 ESCALATED, fix_loop 진입 0)scope_violation_extrasrrfix_loop_count rationaleFr`scope_violationru+scope_violation: expected_files 외 파일 u개 — reruMexpected_files 외 파일 제거 후 재시도 또는 owner_decision_requiredstatic_pre_checkTESCALATED_OWNER_DECISION)r gate_mode gate_triggerrcrrrrr fix_loop_maxrraction marker_pathru2FIX_LOOP_CAP_VIOLATION → OWNER_DECISION_REQUIRED)rrr fix_loop_capzfix_loop_count=z >= max=u — OWNER_DECISION_REQUIREDu/회장 결정 필요 (fix_loop hard cap 도달)z--- u( --- (파일 없음 또는 디렉토리)z --- z u(영향받는 파일 없음)u다음 설계 문서와 코드를 Pre-PR 검증으로 리뷰하세요. JSON으로만 응답하세요. 응답 형식: {"risks": [{"severity": "critical|high|medium|low", "description": "..."}], "suggestions": ["..."]} 설계 문서: u 영향받는 코드:  )runknownrrrrrc3hK|]*}|jdxsdjdk(,yw)rrrN)rrKrs r!rz(gemini_cli_gate_check..s1 @AQUU:  $" + + - ; s02 gemini_cliPR_OPEN_ALLOWEDrErj)rrrrPR_OPEN_BLOCKEDr)r"r isinstancer>rr+r,r rOrorvr6rlistrl FIX_LOOP_MAXrrr-r[rrrrrB)&rrRrr4rrrrr3effective_targetrLrc gate_classrrscope_v scope_extras fix_loop_nowmarker code_partsrSrrTrr code_contentrrerrfallback_result gate_passrrrrrrr new_counts& r!r r Rs8 !/ : nc ** *nhAJ!3^"9-L ( 6E$UNLIJ6"Ii(L4NNSG\@G' G+?R&@&2!Z  F-!+%PQTUaQbPccklxy{z{l|k}#~ ll(#*(#&20!'  .<</   ". ,Q   *!+%4\N(<.Xt#u NN(#*($&(0!'  .J=/5 1 " i 89bggllK[]f>gww~~h'   YK/XY Z !(+D 6';<=/96;;z*>\L (.(B<.PR T "&*:zRKFC ~0 ~~s7GiIY $F+ (%m4  *)*;< 7B'jj3  EJ  %$ #K FI 1$ j'9=   &F-!&'2(4*3   'F-!&'2(4*3   $"*#$ "$" r#c Xtjd}|jdd|jdd|jddg|jd dd|jd d d d |jdd|jdt|j |}t j t jd t|j}|K|jr?|j xsd}t"j$j'|dd|jd}||j)dt+||j,|j |j|j.|j0|j2}ttj|dd|j5ddk(ry|j5ddk(ry y!#t$r5}ttjddt|dYd}~yd}~wwxYw)"Nz7G4 Pre-PR Gemini CLI Gate (OAuth-personal, single shot))rz --task-id)defaultz --task-filez--affected-files*)nargsrz--expected-filesz--workspace-rootz --workspacer)destrz --target-dirz --gemini-binz1%(asctime)s [%(levelname)s] %(name)s: %(message)s)rcformatFABORTED)rrerrorrz/home/jay/workspacertasksz.mdu#--task-file 또는 --task-id 필요)rrRrr4rrrrrrrrrEr)argparseArgumentParser add_argumentGEMINI_BIN_DEFAULT parse_argslogging basicConfigINFOr"rprintrdumpsr>rr4rrr+r,rr rRrrrrr)argvparserargsexcrwsrs r!mainr(s  $ $MF  T2  t4 *#rB *#tD *M@PZ^_ 5 0BC   T "D ll#V #% IT\\  9$9GGLLXw4<<.8LM  :; "**** **????F $**V% :; zz(99 zz(00 5  djj%9s3xPQRs G++ H)4+H$$H)__main__)returnNone)r3r>r4r>rr/)r3r>r4r>r@r/rr)rLr>rr>)rR list[Any]rrq)rLr>rz list[str])rcr>rRrrLr>rdict[str, Any])rRrrrlist[str] | Nonerztuple[bool, list[str]])rr>rr>rr>rztuple[dict | None, str | None]) rr>rRrrr>rr>rr>rr) r3r>r4r>rr>rrrr>)rr>rRrr str | Noner4r rrr rr rr>rrrY)rr rr/)1__doc__ __future__rrrrrrHrsys_sysrrtypingrr+insertr,dirname__file__scripts.codex_gate_checkrrr r ImportErrorcodex_gate_check getLoggerrrrrrZrQr"r6rBrOrWr^rorvrrrr rr SystemExitrr#r!rsY0#  ' BGGLL!:DAB    2 3    M MMM M:    $    &)#D #D#D#D$ #DL;;;; ;  ;  ;|&& && &  &X"&'+!(SSSS S % S  SSSl. b z TV Us D55E E