IjU zUdZddlmZddlZddlZddlZddlmZmZddlm Z ddl m Z m Z m Z mZddlmZmZdZd ed <d Zd ed <d Zd ed<dZd ed<dZded<ehdZded<ddddddZded<dZded <d!Zded"<d#Zd$ed%<d&Zd ed'<d(Zd ed)<d*Z d ed+<d,Z!d ed-<Gd.d/e"Z#dAd0Z$dd1dBd2Z%dCd3Z& dDd4Z'eee e!ed5 dEd6Z(d7eeee e!eed8d9dd:d; dFd<Z)dGd=Z* dHd>Z+dIdJd?Z,e-d@k(r e.e,y)Kuoanu_v3.pre_authorized_evidence_bundle_builder — task-2553+1 F1-solo evidence bundle 을 **실 git / scan 증거에서 기계 생성** (task-2553+6 §7.1, 9-R.2). 회장 §3.1 11항목은 개념 요약. 머신 계약 권위 = task-2553+5 deriver 의 ``REQUIRED_EVIDENCE_KINDS`` 19개 + evidence object 5-key (``kind,source,observed_value,collected_ts,derivation_rule_id``) + ``schemas/pre_authorized_evidence_bundle.schema.json`` (9-R.2 권위). 본 모듈 한정 책임 (self-assert 0, fail-closed): - 실 git **read-only** 명령 (rev-parse / merge-base / rev-list / show / diff --name-only) 으로 머신 사실 수집. **GitHub mutation / push / merge / gh subprocess 0** (read-only allowlist 정적 강제). - GO-ready packet 의 boolean 주장은 **비권위** — 식별자만 차용, gate 관련 모든 값은 git/scan/spec-parse 로 독립 산출 (9-R.3). - task-2553+6 §5 single-authority 6 effective-diff 파일 (#2 = ``test_owner_trigger_2553_plus1_high_fix.py``, D-SPEC-EXACTNESS) 을 expected_files / scope 로 사용. - 출력 = evidence bundle 스키마(``anu_v3.pre_authorized_evidence_bundle.v1``) 통과 필수. 미정렬/누락/모호 → deriver 가 gate 도달 전 auto-HOLD. - 9-R.8 ``_provenance`` 미리보기 stamp 부착 (canonical sha256 = 실 번들 재해시, ``_provenance`` 제외 — deriver/binding 동일 함수 재검증). one-way: deriver 의 **public** API 만 사용 (``canonical_evidence_sha256`` / ``REQUIRED_EVIDENCE_KINDS``). private helper 복제·import 금지 (9-R.6). git read-only 수집은 builder 책임 — deriver/gate/binding 은 subprocess 0 불변. ) annotationsN)datetimetimezone)Path)AnyFinalMappingSequence)REQUIRED_EVIDENCE_KINDScanonical_evidence_sha256z-anu_v3.pre_authorized_evidence_bundle_builderz Final[str]BUILDER_MODULE1.0.0BUILDER_VERSIONz(anu_v3.pre_authorized_evidence_bundle.v1EVIDENCE_BUNDLE_SCHEMA_NAMEz&anu_v3.pre_authorized_contract_deriverDERIVER_MODULE_NAMEkindsourceobserved_value collected_tsderivation_rule_idzFinal[tuple[str, ...]]_EVIDENCE_OBJECT_KEYS>cat-filediffshowrev-list rev-parse merge-basezFinal[frozenset[str]]_GIT_READONLY_ALLOWLIST)zAKIA[0-9A-Z]{16}z"-----BEGIN [A-Z ]*PRIVATE KEY-----z$(?i)\bpassword\s*=\s*['\"][^'\"]{6,}z,(?i)\bclient_secret\s*[=:]\s*['\"][^'\"]{8,})zghp_[A-Za-z0-9]{30,}zgithub_pat_[A-Za-z0-9_]{30,}z(?i)\bOWNER_PAT\b\s*=z(?i)\bGH_OWNER_TOKEN\b)z0(?i)\brequests\.(get|post|put|patch|delete)\s*\(z4(?i)\bhttpx\.(get|post|put|patch|delete|Client)\s*\(z#(?i)\burllib\.request\.urlopen\s*\(z(?i)api\.github\.com)z(?i)\bgit\s+push\bz (?i)\bgh\s+pr\s+(create|merge)\bz4(?i)\bsubprocess\.[A-Za-z_]+\(\s*\[?['\"]?(git|gh)\b)z(?i)\blimited_real_write\bz(?i)\bheld_real_write_track\bz(?i)\bREAL_WRITE_TRACK\bcredential_scanowner_pat_scanactual_api_scanreal_write_scanlimited_real_write_scanz!Final[dict[str, tuple[str, ...]]]_SCAN_PATTERNS)zanu_v2/owner_trigger_pat.pyz:tests/regression/test_owner_trigger_2553_plus1_high_fix.pyzmemory/reports/task-2553+1.mdz%memory/events/task-2553+1.result.jsonz*memory/events/task-2553+1.red-evidence.logz,memory/events/task-2553+1.green-evidence.logTASK_2553P1_EFFECTIVE_DIFF_6)z$anu_v3/pre_authorized_action_gate.pyz)anu_v3/pre_authorized_contract_deriver.pyz)anu_v3/pre_authorized_executor_binding.pyz2schemas/pre_authorized_action_contract.schema.jsonz2schemas/pre_authorized_action_decision.schema.json2schemas/pre_authorized_evidence_bundle.schema.jsonz3tests/regression/test_pre_authorized_action_gate.pyz;tests/regression/test_pre_authorized_contract_derivation.pyz8tests/regression/test_pre_authorized_executor_binding.pyz+utils/anu_delegation_completion_callback.pyzXmemory/fixtures/task-2553+1.duplicate-callback-ignored.collector-regression-fixture.jsonzLtests/regression/test_completion_callback_dup_ignored_realworld_2553plus1.pyz dispatch.pyzscripts/finish-task.shz task-timer.py#TASK_2553P6_FORBIDDEN_WRITE_TARGETSfz Final[int]SOURCE_PR_NUMBERztask/task-2553-dev5 SOURCE_BRANCH(bd5ad74f5d443b354319fc8b3cb006816b8a9025RECORDED_SOURCE_HEAD(7346df8260803308df30a6d04ec32d66d4cdfa5bFRESH_BASE_SHAz%task/task-2553p1-f1-clean-replacementNEW_CLEAN_REPLACEMENT_BRANCHceZdZdZy) BuilderErroruOevidence 수집/조립 실패. fail-closed: 절대 부분 번들 방출 금지.N)__name__ __module__ __qualname____doc__D/home/jay/workspace/anu_v3/pre_authorized_evidence_bundle_builder.pyr3r3sYr9r3cftjtjj dS)Nz%Y-%m-%dT%H:%M:%SZ)rnowrutcstrftimer8r9r:_now_utcr?s! << % . ./C DDr9defaultc |r |dtvr&td|r|dnddttd tjddt |g|ddd d }|jdk7rI||Std dj|d|jd|jj|jjS#t tjf$r#}||cYd }~Std |dd||d }~wwxYw)ugit **read-only** 명령만 실행. 화이트리스트 외 subcommand → BuilderError. GitHub mutation / push / network 0. 실패 시 default(있으면) 또는 raise. ru git read-only allowlist 위반: zu (허용: )git-CTF)capture_outputtexttimeoutcheckNzgit u 실패:  z rc=z: ) rr3sorted subprocessrunstrOSErrorSubprocessError returncodejoinstderrstripstdout)reporAargsoutes r: _git_readonlyr[s1 47"99.$tAwI.PQ678 ;   @nn D#d) +d +   ~~  N388D>"$s~~&6b9I9I9K8L M   ::    Z// 0@  NT$q')A378a?@s#(CD (D+D 1DD c g}t|D]D}tj||D])}|j|d|d|j +F|S)uV변경 자산 텍스트에서 forbidden 패턴 적극 탐지 (negative 적극 증명).:@)r&refinditerappendstart)rHrhitspatms r:_scanrfs_Dd#5S$' 5A KK4&#a {3 4 55 Kr9cv||t|||dtfdtDrtd|S)Nrc3&K|]}|v ywNr8).0kobjs r: z_ev..s 7A1C< 7suevidence object 5-key 누락: )dictanyrr3)rrrrule_idtsrls @r:_evrrsI~.%  C 7!6 77;D6BCC Jr9 source_branchrecorded_source_headfresh_base_sha new_branchexpected_filesc t|}|dz jstd|t|d|d}t|ddd}t j ddt |d d |dgd d d jdk(} t|dd|d|d} t| } t|dd|ddk7} | r^t|dd|d|d} | jDcgc]}|js|}}t|d|d}d|ddd|}nt|}d}d}t|d|dd}tDcic]}|t||}}d|ddd}||t| | |||||| d S#t$rd} YwxYwcc}wcc}w)!u실 git read-only 수집. clean replacement branch 미materialize 시 effective_diff = 계획 6파일(dry-run plan, branch≠source 검증된 상태).z.gitugit repo 아님: rr@z origin/mainrDrErz --is-ancestorTrFF)rGrIrJrrz--count..0z--verifyrz --name-onlyzgit diff --name-only NuuPLANNED (clean replacement branch 미materialize — dry-run): task-2553+6 §5 single-authority 6-file effective diffrz:anu_v2/owner_trigger_pat.pyz git show u:anu_v2/owner_trigger_pat.py | scan(forbidden-patterns); F1 = endpoint/args allowlist 강화, token transport 무관 (task-2553+1 §2)) recomputed_source_headcurrent_origin_main_shafresh_base_is_ancestorsource_branch_push_counteffective_fileshead_sha diff_basis scan_results scan_basis branch_exists)rexistsr3r[rMrNrOrRint ValueError splitlinesrUlistr&rfbool) repo_pathrtrurvrwrxrWrecomputed_head origin_mainis_ancpush_count_rawrrdiff_outfrrr asset_textrkrrs r:collect_real_git_factsrsJ  ?D 6M ! ! #.tf566# k="O  k="K D     *   "#   =/2 N&#&~#6 dKZL     b -  '/&9&9&;Iqwwy1II +z2 $N2A$6#7r* F  ~. E    <= J 6DDAuZ++DLD (!,-.3 4#2#."&v,$<* $ &  _ &#% &J2Es$ E3F4F>F 3 FFz task-2553+1PASS_WITH_RECOMMENDATIONSFT) task_idsource_pr_numberrtrurvrwrxforbidden_write_targets codex_verdict critical_7factsstampc  t} | t||||||} | d}| d}tdd|||dd| td d d ||d d | tdd||dd| tdd|d|d|| ddd| tdd|ddd||| ddd| td d!|ddd"|| d#| d$d%d&| td'd(d)t|id*| td+| d,|| d-xsd.t| d/d0d1| td2d3d4t|id5| td6d7d8t | id9| td:d;d<| id=| td>d?d@d@d@d@d@d@d@d@t|dA dB| tdCdDdEdEdFdEdEdEdEdGdH| tdIdJdKd@dEd@d@d@d@d@d@d@d@d@d@d@dL idM| dN}dOD]6}t||dEt||dPdQ|j dRdS| ||<8t Dcgc] }||vs| }}|rtdT|t||dU}| r t|}|Scc}w)Vu2실 git/scan 사실 → deriver 19-kind 정렬 evidence bundle (스키마 통과). self-assert 0: gate 관련 값은 git/scan/spec-parse 독립 산출. GO-ready packet boolean 은 hint-only(go_ready_packet_claims) 로만 기록 — deriver 가 독립 재계산, mismatch → HOLD (9-R.3). Nrsrr task_identityuDtask md 파일명 + dispatch marker + go-ready packet (3-way 일치))go_ready_packet_task_idtask_md_filename_task_iddispatch_marker_task_idz9-R.2/task_id/3wayaction_method_markeruYtask-2553+1.md method 선언 (Option B clean replacement) + git(신규 branch ≠ source)clean_replacement_pr_open)methodrwrtz9-R.2/action_type/method+git source_pru?PR #102 source marker (identifier — packet authority allowed))numberbranchz9-R.2/source_pr/identifiersource_pr_preservationzgit rev-parse z vs recorded PR#z headr)recorded_head_sharecomputed_head_shaz9-R.2/source_pr/git-rev-parsesame_branch_push_zerozgit rev-list --count r~r{r)rtrz9-R.2/same_branch_push/rev-list fresh_basez9git rev-parse origin/main + git merge-base --is-ancestor z origin/mainrr)recorded_base_shar is_ancestorz%9-R.2/fresh_base/origin-main-ancestorrxuVtask-2553+6 §5 single-authority 6-file effective diff (#2=high_fix, D-SPEC-EXACTNESS)filesz#9-R.2/expected_files/spec-authoritygit_effective_diffrrPLANNED_DRY_RUNr)base_sharrz9-R.2/effective_diff/git-diffforbidden_path_scanuCeffective_diff_files ∩ forbidden_write_targets (task-2553+6 §13)rz9-R.2/forbidden/intersectioncritical_7_markerz9task-2553+1 Critical-7 classification marker (structured)rz9-R.2/critical_7/markercodex_verdict_markerz4task-2553+1 Codex post-result marker `verdict` fieldverdictz9-R.2/codex_verdict/markerscope_declarationu3task-2553+1.md F1-only least-privilege scope 선언F) requires_credentialrequires_owner_patrequires_actual_apirequires_real_writerequires_limited_real_writerequires_mergerequires_auto_closeoutrequires_dev_status_changedeclared_scope_filesz9-R.2/scope/task-mdcallback_policy_markeruDcallback (a) STANDARDIZED marker (collector-only/no-write 인코딩)Tcollector_only)normalfallback authorityno_writeno_dev_reactivation no_dispatch no_closeoutz9-R.2/callback/marker+invariantgo_ready_packet_claimsuCGO-ready packet self-asserted booleans (hint-only, 비권위 9-R.3)claimed_booleans) same_branch_pushreffective_diff_contaminationrcredential_change_requiredowner_pat_touch_requiredactual_api_call_requiredreal_write_required!limited_real_write_entry_requiredscope_expansionmerge_required auto_closeoutdev_status_changez9-R.3/packet-hint-only)rrrrrrrxrrrrrrrr )scannedrcz9-R.2/negative/rfrzu19-kind 미정렬 — 누락: )schemarevidence) r?rrrrrreplacer r3rstamp_provenance)rrrrtrurvrwrxrrrrrrqsrrr scan_kindrkmissingbundles r:build_evidence_bundler5s, B }& '!5)!)   ~ B|$J  R+2,3+2  !   !$ " .6(!.  +  !   M'= A (   #& $]O+;  4     . d>* + 1   " , *!*-B1Be$567  ,    # ! Q &-D(E F *   !  G 4 + , %   !$ " B  & (  ! !  A',&+',',/4"'*/.3(,^(<  "  "#& $ R - '+##  . # #& $ Q"(-"&49"'270505+09>',&+%*).% " % +# O^ H~  "  d2i=&9 :i//<= >     2GQQh5FqGGG;G9EFF.F  !&) MHs  H H ct|jDcic]\}}|dk7s ||}}}t|}t|ddd|d<|Scc}}w)u9-R.8 ``_provenance`` 미리보기 stamp. canonical sha = 실 번들 재해시 (``_provenance`` 제외 — deriver/binding 과 동일 ``canonical_evidence_sha256``). _provenanceTr) derived_byevidence_bundle_sha256recomputed_all_gate_booleansderiver_version)rnitemsr r)rrkvrYshas r:rrsb!L..0 GDAqA4F1a4 GC G #C (C)"%(," C  J Hs AAc< ddl}tjt |j d} |jt||y#t$r}td|d}~wwxYw#|j$r}td|j|d}~wwxYw)uNevidence bundle 스키마 정적 검증 (jsonschema). 실패 → BuilderError.rNu0jsonschema 미설치 — 스키마 검증 불가utf-8encodingu"evidence bundle 스키마 위반: ) jsonschema ImportErrorr3jsonloadsr read_textvalidaternValidationErrormessage)r schema_pathrrZrs r:validate_bundler#sVZZ[)33W3E FFTDL&1 VMNTUUV  % %T? {KLRSSTs.AA. A+ A&&A+.B=BBcNddl}|jd}|jdd|jdd |jd d |j|}t |j }t |j |jz }|jr t||tj|d ddz}|jr?t |jj|dtd|jyt|y)uQstandalone: 실 git → fixture 방출 (auto-derive fixture, _provenance 포함).rNz&PRE_AUTHORIZED evidence bundle builder) descriptionz--repoz/home/jay/workspacer@z--outrzz--schemar()rF)indent ensure_ascii rruevidence bundle → )argparseArgumentParser add_argument parse_argsrrWrrrrrdumpsrY write_textprint)argvrprXrrrHs r:mainr 2s,TUANN8%:N;NN7BN'NND << D "TYY 7Ftyy/DKK/K , ::fQU ;d BD xx TXX!!$!9 $TXXJ/0  d r9__main__)returnrO)rWrrXrOrAz str | Noner rO)rHrOrrOr z list[str]) rrOrrOrMapping[str, Any]rprOrqrOr dict[str, Any])r str | PathrtrOrurOrvrOrwrOrx Sequence[str]r r)rrOrrrrrtrOrurOrvrOrwrOrxrrrrrOrrrzMapping[str, Any] | Nonerrr r)rr r r)rr rrr Noneri)rzSequence[str] | Noner r)/r7 __future__rrr_rMrrpathlibrtypingrrr r &anu_v3.pre_authorized_contract_deriverr r r __annotations__rrrr frozensetrr&r'r)r+r,r.r0r1 Exceptionr3r?r[rfrrrrrrr r4 SystemExitr8r9r:rs6# '00 M L%%*TZT"JZJ1-2;G2.     151D84?#%;& #*"1 z1#MjMG G+RjRZ9ZEAE>  &    ,' 4(2$@iii i  i  i"ii\!,& 4(2$@-P4&*] ]] ]  ]  ]]]"]+]]] $] ]]@  T  T,6 T  T 4 z TV r9