>jÞZUdZddlmZddlZddlmZmZddlmZmZddl m Z m Z m Z m Z mZdZdZd Zd Zd Zd ZeeeeeeehZd ed<dZdZdZehdZd ed<ehdZd ed<dZdZdZdZ dZ!dZ"dZ#dZ$dZ%ee"e%hZ&d ed<d Z'd!ed"<d#Z(ed$%Gd&d'Z)eGd(d)Z*e e e+e fgdfZ,e e e+e fe+ge-fZ.dId*Z/dJd+Z0dKd,Z1dKd-Z2dLd.Z3d/Z4d!ed0<ejjd1jmd2e4DejnZ8dMd3Z9Gd4d5Z:ed$%Gd6d7Z;dNd8Z< dOd9Z=d:Z>d;Z?d!ed<<d=ddd> dPd?Z@ed$%Gd@dAZA dQdBZBdCZCdDZDdEZEdFZFdGZG dRdHZHy)Suanu_v2.auto_gemini_triage — ANU v2 Gemini review evidence 자동 분류기 (task-2538 + task-2558). 회장 §명시 (2026-05-10) 4 분류 + task-2558 (2026-05-12) §명시 1 분류 확장: 1. false_positive → dismiss (회귀 fixture 매칭) 2. style_only → dismiss (코드 동작 무관) 3. minor_fix_in_scope → expected_files 내부 자동 적용 4. scope_expansion → Critical 7종 #N 보고 5. minor_in_expected_files → single_follow_up_commit_allowed (max 1 hard cap, cascade reply+resolve) — task-2558 PR #110 실전 패턴 박제. 설계 원칙: - one-way isolation: anu_v2/* 만 import. utils/dispatch/scripts/dashboard 의존성 0. - 외부 부수효과 (audit / file write) 는 주입 가능한 callable 로 추상화. - executor (task-2531) 인터페이스 contract: triage_batch → {"applied", "dismissed", "escalated"}. - chat_id tag + filter 로 다른 chat record 노출 차단 (default chat=6937032012). - token raw 0: classify/triage 결과/audit record 어디에도 BOT_GITHUB_TOKEN 등 raw 토큰 미노출. - minor_in_expected_files (§task-2558): 9조건 game-tree 평가 → 17필드 decision schema. follow-up 1회 hard cap. cascade 신규 finding 은 non-functional 이면 reply+resolve. follow-up commit 후 기존 Gemini evidence stale → owner_trigger_only 자동 재트리거. 회장 수동 `/gemini review` fallback 금지. ) annotationsN) dataclassfield)datetimetimezone)AnyCallableIterableMappingSequencedismiss_false_positivedismiss_style_onlyauto_apply_minor_fixescalate_scope_expansionsingle_follow_up_commit_allowedreply_and_resolvezfrozenset[str]ACTIONSminor_in_expected_files escalation> dead-code small-guardclarityloggingmessage dead_code small_guardMINOR_FIX_NATURE_BUCKETS>docsstylerrr consistency documentationCASCADE_NON_FUNCTIONAL_BUCKETSGEMINI_REAL_BUG_SCOPE_EXPANSIONhighmediumlowsecurityr bug performancerSTYLE_ONLY_CATEGORIES) github_tokenbot_github_tokengh_token owner_patghp_ghs_ github_pat_z x-api-key authorizationsecretpasswordtuple[str, ...]TOKEN_KEY_HINTS 6937032012T)frozenc8eZdZUdZded<dZded<dZded<y) FalsePositiveFixtureufalse_positive 박제 fixture. - rule_id: Gemini rule code (예: `unused-import`, `redundant-cast`). - signature: optional finding 본문 signature 요약 (regex). None 이면 rule_id 만 매칭. - reason: dismiss 사유 기록 (audit 용). strrule_idN str | None signaturereason)__name__ __module__ __qualname____doc____annotations__r?rA0/home/jay/workspace/anu_v2/auto_gemini_triage.pyr;r;os" L Iz FCrHr;ceZdZUdZeeZded<eeZded<eeZ ded<d dZ e d dZ y ) TriageResultutriage_batch 결과 — executor 인터페이스 contract 의 raw container. serialize() 호출 시 회장 §명시 3 키 (applied / dismissed / escalated) 만 노출. )default_factorylist[dict[str, Any]]applied dismissed escalatedct|jt|jt|jdS)N)rNrOrP)listrNrOrPselfs rI serializezTriageResult.serializes0DLL)dnn-dnn-  rHc,t|jSN)boolrPrSs rIhas_escalationzTriageResult.has_escalationsDNN##rHN)returndict[str, list[dict[str, Any]]])rZrX) rBrCrDrErrRrNrFrOrPrUpropertyrYrGrHrIrKrK|sR%*$$?G !?&+D&AI#A&+D&AI#A $$rHrKc ||f}y)u기본 fix_applier — 본 v0 는 분류만 보장하고 실제 patch 적용 자체는 호출부가 담당. 분류 결과가 minor_fix_in_scope 인 finding 은 호출부가 별도 패치 적용 후 결과를 fix_applier 로 리포트한다. default 는 항상 성공으로 가정 (테스트에서 실패 mock 주입). 인자는 시그니처 유지를 위해 받기만 하고, 본 default 는 부수효과 없이 True 반환. TrG)finding target_file_s rI_default_fix_applierras +A rHchtjtjj dS)Nseconds)timespec)rnowrutc isoformatrGrHrI_now_isorhs# << % / / / CCrHcZ|yt|jj}|S)uIseverity 값을 lowercase 로 정규화. 미지정 = "" (low 와 구분).r@r<striplower)valuetexts rI_normalize_severityros* } u:    # # %D KrHcV|yt|jjS)Nr@rj)rms rI_normalize_categoryrqs& } u:    # # %%rHct|trpi}|jD]Y\}}t|}|t |j ndt fdtDrd||<Lt|||<[|St|tttfr|Dcgc] }t|c}St|trtd|DSt|trtj|ry|S|Scc}w)u dict / list / str 안에 박혀있을 수 있는 raw 토큰 / secret 흔적 제거. - dict key 가 token hint 매치 → 값 `***REDACTED***`. - str 값에 `ghp_` / `ghs_` prefix 가 보이면 `***REDACTED***`. - 재귀 처리 (list/Mapping/tuple 중첩 허용). - dict 의 key 자체에도 토큰이 박혀 있을 수 있어 _redact_tokens 재귀 적용 (Gemini 6차 Security-High 박제 — key 를 통한 token raw 누출 차단). - OrderedDict / TypedDict 등 dict 가 아닌 Mapping 도 동일하게 처리. r@c3&K|]}|v ywrWrG).0hint key_lowers rI z!_redact_tokens..sA49$Asz***REDACTED***c32K|]}t|ywrW)_redact_tokens)rtvs rIrwz!_redact_tokens..s61^A&6s) isinstancer itemsryr<rlanyr7rRset frozensettuple_TOKEN_VALUE_REsearch)rmoutkrz k_redactedrvs @rIryrys%! KKM 4DAq'*J*+-A RIAAA"2J"0"3J 4 %$Y/0,11aq!11%6666%  ! !% (# L2s!D)r0r1r2_TOKEN_VALUE_PREFIXES|c#FK|]}tj|ywrW)reescape)rtps rIrwrws 9aRYYq\ 9s!ctj|}d|jddjddjddjddzd z}tj||d uS) uforbidden_paths / expected_files glob 매칭 (task-2531 동일 규칙). `**/foo.py` 형태가 루트 파일 `foo.py` 도 매칭하도록 `**/` 를 우선 처리. ^z\*\*\/z(?:.*/)?z\*\*/z\*\*z.*z\*z[^/]*$N)rrreplacematch)patternpathescapedregexs rI _glob_matchrss ii G //)[ 1'(K0''4('%)  *     88E4  ,,rHceZdZdZddedd ddZ ddZ ddZ dd Z dd Z dd Z dd Z dd Z ddZ y)AutoGeminiTriageuANU v2 Gemini review evidence 자동 분류기 v0. 회장 §명시 4 분류: - false_positive: 회귀 fixture 매칭 → dismiss - style_only: 코드 동작 무관 → dismiss - minor_fix_in_scope: expected_files 내부 → 자동 적용 - scope_expansion: expected_files 밖 → Critical 7종 #N 보고 executor (task-2531) 인터페이스 contract: input: `gemini_findings: list[dict]`, `expected_files: set` output: `{"applied": list, "dismissed": list, "escalated": list}` NrGunknown) fix_applierfalse_positive_fixtureschat_idtask_idc||_||nt|_t||_t ||_t ||_yrW)_auditra _fix_applierr _fixturesr<_chat_id_task_id)rT audit_writerrrrrs rI__init__zAutoGeminiTriage.__init__s># 7B7N Th;@AX;YG  G  rHct|tr|n|j|}t|j ddj }t |j d}t|j d}t|j ddj }|j||}|t||j|dfS|tk(xr |tk(} | r.|j||rt||||ddfSt||||d dfS|t vr|tk7r t"|||d fS|j||rt||||d dfSt||||d dfS) uDGemini finding 1건 분류 → (action, details). action ∈ ACTIONS. 분류 우선순위 (회장 §): 1. false_positive fixture 매칭 → dismiss_false_positive (rule_id 일치 검사) 2. severity=high & category=security → in-scope 면 minor_fix, 아니면 escalate (Security-High 는 style 분류와 무관하게 우선 적용, 단 scope 내부일 때만) 3. style_only → dismiss_style_only 4. in-scope minor_fix → auto_apply_minor_fix 5. out-of-scope → escalate_scope_expansion r=r@severitycategoryr)r=fixture_reasonrsecurity_high_in_scope)r=rrrrAsecurity_high_out_of_scope)r=rrminor_fix_in_scopescope_expansion_required)r{r~_normalize_expectedr<getrkrorq_match_false_positiveACTION_DISMISS_FALSE_POSITIVErA SEVERITY_HIGHCATEGORY_SECURITY is_in_scopeACTION_AUTO_APPLY_MINOR_FIXACTION_ESCALATE_SCOPE_EXPANSIONr+ACTION_DISMISS_STYLE_ONLY) rTgemini_findingexpected_files expected_setr=rr finding_pathfpis_security_highs rIclassify_evidencez"AutoGeminiTriage.classify_evidences(.#. )).9  n((B78>>@&~'9'9*'EF&~'9'9*'EF>--fb9:@@B  ' ' @ >-&&(ii( $}4VEV9V  l;/#*$,$, ,":   0& ( ((:    , ,]1J)& ((    L, 7+& ( ((2    ,"$$$4    rHc|syt|tr|n|j|}|sy||vry|D]}t||syy)ufinding 의 path 가 expected_files 집합 내부인지 검증. - exact match 와 glob match 모두 허용 (`**` / `*`). - finding_path 가 비어 있으면 False (path 미지정 → 자동 적용 불가). - expected_files 가 이미 정규화된 set 인 경우 재정규화 생략 (triage_batch 루프 내부 호출 핫패스 — Gemini medium #3 박제 최적화). FT)r{r~rr)rTrrrrs rIrzAutoGeminiTriage.is_in_scope{sb.#. )).9   < '# G7L1 rHct} t|jt||}d}||rdnd|j|jt|jdd||| |tt|d }|j||S#t$r&}d}t |j d|}Yd}~d}~wwxYw) u8minor fix 자동 적용 — expected_files 내부만 (호출부에서 scope 보장 가정). - fix_applier callable 호출. 성공 시 applied=True, 실패 시 escalate=True 로 전환. - 결과 record 는 token raw 0 (redact) 보장. - audit 기록: `kind=auto_apply_minor_fix`. r@Fz: Nrauto_apply_failed_escalatedr=) tskindrrr=r_rNrPerrorr^) rhrXrdict ExceptiontyperBrrr<rryr)rTr^r_rokerr_msgexcrecords rIapply_minor_fixz AutoGeminiTriage.apply_minor_fixsZ d''W {CDB G.0*6S}}}}7;;y"56&%d7m4   F ' 5Bc++,Bse4G 5s$B CCCcnt}|d|j|jtt |j ddt |j dt|j dt |j ddtt|d }|j||S)u(scope 확장 요구 → Critical 7종 #N 보고 record 생성. - critical_code = `GEMINI_REAL_BUG_SCOPE_EXPANSION` (task-2531 정의 재참조). - audit 기록: `kind=scope_expansion_critical`. - 회장 §명시: 본 record 가 곧 회장 보고 source-of-truth. scope_expansion_criticalr=r@rrr) rrrr critical_coder=rrrr^) rhrrCRITICAL_GEMINI_SCOPE_EXPANSIONr<rrorqryrr)rTr^rrs rIrz)AutoGeminiTriage.escalate_scope_expansionsZ.}}}}<7;;y"56+GKK ,CD+GKK ,CD FB/0%d7m4   F rHc Lt}|j|}|D]}t|}|j||\}}||j dd|j ddt |d} |t k(rX|jji| ddi|jtd|j|j| dd|tk(rY|jji| dd i|jtd |j|j| dd|tk(r|j|| d} | j d r&|j ji| d | dil|j#i|d di} |j$ji| t&d | dd|j#|} |j$ji| | d|j ddd|j)S)u+task-2531 executor 인터페이스 contract. input : `gemini_findings: list[dict]`, `expected_files: set` output : `{"applied": list, "dismissed": list, "escalated": list}` escalated 비어있으면 호출부 자동 진행, 비어있지 않으면 Critical 보고. r=r@r)actionr=rdetailsrAfalse_positiver )rrrrr= style_onlyrrNr_auto_apply_failedTr)rrArscope_expansion)rrA)rKrrrrryrrOappendrrhrrrrrrNrrPrrU) rTgemini_findingsrresultr raw_findingr^rrbaserNrs rI triage_batchzAutoGeminiTriage.triage_batchsA//? *2 K;'G"44WlKOFG ";;y"5 FB/)'2 D66  ''(L4(L;K(LM "*4#}}#}}#I 44  ''(H4(H<(HI "*0#}}#}}#I 66..wV E;;y)NN))*OT*O=$v,*OP"&!>!>@!@+T@"J$$++--"A"5)3O)D -"::7C   ''))%/%@%kk(4EF)]2 h!!rHcg}|D]P}t|jdd}||jk7r.|jt t |R|S)uM주어진 audit record stream 에서 본 인스턴스 chat_id 의 record 만 반환. 회장 §명시 chat=6937032012 격리 — 다른 chat record 노출 0. - 동일 chat_id 만 통과 - chat_id 누락 record 는 차단 (보수적) - 추가로 token redact 한 번 더 적용 (이중 안전) rr@)r<rrrryr)rT all_recordskeptreccids rIlist_chat_auditz AutoGeminiTriage.list_chat_auditsX&( 3Ccggi,-Cdmm# KKtCy1 2  3  rHc|Dchc]5}t|jst|j7c}Scc}wrW)r<rk)rTrrs rIrz$AutoGeminiTriage._normalize_expected1s,(6I1#a&,,.A IIIs AAc |syd}|jD]}|j|k7r|j|cS|js0|:t|j dddzt|j ddz} t j |j|r|cSy#t j$r+|jtd||jdYwxYw)uGfixture 매칭 — rule_id 일치 + (signature 있으면) regex 매칭.Nbodyr@ titlefixture_regex_error)rrr=fixture_signature) rr=r?r<rrrrrrh)rTr=r^rrs rIrz&AutoGeminiTriage._match_false_positive4s .. BzzW$||# <<|7;;vr23c9C GUW@X.s%23Q -%sT) C1_severity_allowedC2_path_in_expected_filesC3_no_forbidden_pathC4_no_scope_expansion-C5_no_functionality_impact_or_test_guaranteedC6_fix_nature_minorC7_follow_up_within_cap#C8_effective_diff_in_expected_filesC9_revalidated_fresh_ci_clean) conditionsfailed_conditions)rorrr<rk SEVERITY_LOWSEVERITY_MEDIUMrrrrrrXrrrlrrrMAX_FOLLOW_UP_COMMITS_HARD_CAPrallrrrr|CLASSIFICATION_ESCALATION&CLASSIFICATION_MINOR_IN_EXPECTED_FILES)evsevrc1_severity_allowed c2_in_scopec3_no_forbiddenc4_no_scope_expansionc5_no_func_impactc6_fix_nature_okc7_followup_capc8_effective_diff_in_scopec9_revalidatedrrrzfailedrs @rI classify_minor_in_expected_filesr$s& bkk *C796G6GZ3q6<<>c!fllnZL,!DD&rww =K444O " ; ;;00A5Q$r?P?P:Q}}**,224<bANF C C / , !7$7M  *  E E #6,#78S#TU 2 3rzz?  S&  C 3 34   ' 4   BGG   .  "#:  "4(B(B#C  #D)D)D$E  B$;$; <  tB$:$:;  -  !?  !#b&?&?"@  /? )+N48 $ ! &  ' ( t$45)   sE0cXeZdZUdZded<ded<ded<ded<ded<ded <ded <y ) CascadeFindinguMfollow-up commit 후 새 Gemini fresh review 에서 발견된 신규 finding.r<rrrX is_real_bugbehavior_changingrrnatureN)rBrCrDrErFrGrHrIr8r8s,WM I!!"" KrHr8ct|j}g}|jr|jd|jr|jd|j r|jd|j r|jd|ttdhvr|jd|jjjjdd}t|j|}|rtd ||j|d fS|t k\r8|t"vr|rt$d ||jd d fStd||j|d fS|t"vr|rt$d||jd d fStd||j|d fS)ucascade 신규 finding 처리 결정. 회장 §명시 (task-2558 §3): - real bug / behavior_changing / forbidden_path / scope_expansion → escalation - follow_up_commits_used >= MAX_FOLLOW_UP_COMMITS_HARD_CAP 이면 추가 code change 금지 - severity <= medium 이고 non-functional/consistency/style 성격 + path 가 expected_files 내부 → reply_and_resolve 허용 (2번째 code change 없이 thread 해결) - 그 외 → escalation (보수적) real_bugr:forbidden_pathrr@severity_high_or_unknownrr`escalation_required)rAfactorsrin_scopecap_reached_non_functionalT)rAr;rrBcap_reached_blockingnon_functional_in_scopedefault_escalate_conservative)rorr9rr:rrrrr;rkrlrrrrrr#ACTION_REPLY_AND_RESOLVE)r5rrr reason_parts nature_normrBs rIhandle_cascade_findingrJ&s bkk *C L ~~J' /0 !!,- ""-. <"5567))//#))+33C=K#BGG^r+z bool | NonerZr)r5r8rrrrrZr) rYrXrZr<rQr<r[rXrZr)IrE __future__rr dataclassesrrrrtypingrr r r r rrrrr/rGrrrFrrrrr#rrrrrCATEGORY_STYLE CATEGORY_BUGCATEGORY_PERFORMANCE CATEGORY_DOCSr+r7rr;rKr<rrX FixApplierrarhrorqryrcompilejoin IGNORECASErrrrrr$r0r,r6r8rJrVrWrUrX,OWNER_TRIGGER_RESULT_MANUAL_REVIEW_FORBIDDENr\rGrHrIris#,# ('==!904"<)J&.#!#* %*C&("#,56,.2;<2#D   $ )2>=2Q(R~R$ $    $$ $,S)*D01 wsCx(#.4 5  D& "N*IH"**HH 9#8 99MM -$``H  $&&&2.;!;;~$F 2057#'+ 5!525 5 % 5  5r $XX X" X  Xx&D"%;".*C'/H,3!3!$3 3 ! 3  3rH