s j#dZddlZddlZddlZddlZddlZdZdZdZejdZ dZ dZ d Z d Zd Zed k(reyy) u+task-2553+26 redacted BOT_GITHUB_TOKEN auth preflight. Source-scope correction of the +24 redacted auth verifier (sole allowed code modification per task-2553+26 §4/§6.1 carve-out). The +24 verifier evaluated ``os.environ`` only and therefore reported ``token_present:false`` even though a non-empty ``ghs_`` App installation token is present in the canonical ``.env.keys`` secret path (kept current by refresh-bot-token.timer). Minimal 1-scope expansion: - prefer ``os.environ['BOT_GITHUB_TOKEN']`` (executor sourced .env.keys env) - else parse canonical ``.env.keys`` line ``^(export )?BOT_GITHUB_TOKEN=`` only Redaction discipline (unchanged from +24, hard invariants): - token raw value and .env.keys file content are NEVER printed / cat / echoed / written / logged / put on a marker / passed as argv / used in a manual ``-H "Authorization:"`` header. ``gh auth token`` is never invoked. - token value is only ever used in-memory for a 4-char prefix slice and boolean comparisons. - subprocess auth/permission probes are tokenless from gh's perspective: the token is handed to gh only via the child-process ``GH_TOKEN`` env entry (never echoed, never in argv, never traced); gh constructs Authorization internally. All captured child output is redacted before any use. - every exception / traceback is redacted. The output JSON keeps the +24 strict whitelist schema (no raw field, no .env.keys content field). The condition-result map is named ``cond6_results`` and carries exactly the §4 6-check booleans/enum (no 7th condition). Nz/home/jay/workspace/.env.keysBOT_GITHUB_TOKENzJeon-Jonghyuk/dev_workspacez1gh[psoura]_[A-Za-z0-9_]+|github_pat_[A-Za-z0-9_]+c` tjdt|S#t$rYywxYw)zCReturn text with any token-shaped substring replaced. Never raises. [REDACTED]) _TOKEN_SHAPEsubstr Exception)texts I/home/jay/workspace/memory/events/task-2553+26.run_bot_token_preflight.py_redactr .s0 c$i88 s ! --c6tjjt}|r|j }|r|dfS t t ddd5}|D]}tjdtjtzdz|}|s9|jdj }t|d k\r|d |d k(r |d d vr|dd }|r|d fccdddSdddy dddy#1swYyxYw#t$rYyt$rYywxYw)a`Resolve the bot token into memory only. Returns (value_or_None, token_source) where token_source is 'sourced_env' (process env, executor sourced .env.keys) or 'env_keys' (parsed from canonical .env.keys). The raw value is never printed, written or logged anywhere; only the caller's in-memory prefix/boolean checks consume it. sourced_envrutf-8replace)encodingerrorsz^\s*(?:export\s+)?z=(.*)$r)'"env_keysN)Nr)osenvirongetENV_VARstripopen ENV_KEYS_PATHrematchescapegrouplenFileNotFoundErrorr )env_valfhlinemraws r _resolve_tokenr,6s%jjnnW%G--/ M) ) -wy I (R (HH2RYYw5GG)SUYZggaj&&(s8q=SVs2w%63q6Z;Oa)C ?* ( (( ( ( ( (" # ("      sNDBC6 D!C6"D+C6-D6C?;D?D D DDcRttj}|r ||d<||d<|jdd|jdd t j ||ddd}|j t|jt|jfS#t$rYy wxYw) zRun gh tokenlessly (token via child GH_TOKEN env only) and return (returncode, redacted_stdout, redacted_stderr). Token never in argv, never echoed, never traced.GH_TOKEN GITHUB_TOKENGH_DEBUGNGH_PROMPT_DISABLEDT<)envcapture_outputr timeout)rr) dictrrpop subprocessrun returncoder stdoutstderrr )argstoken child_envprocs r _run_redactedrB]sRZZ I !& *$) .! MM*d# MM&- #~~    4gdkk6JJJ #"#s AB B&%B&c t\}}t|}|r|ddnd}|dk(}t|xr|dvxs|jd}t|xr|xr| }d}d}|r]|r[tgd|\} } } | d k(}|rBtd d d tzg|\} } }| d k(r#td d d tzddg|\}}}|d k(rd}d }||||||d k(d}|xr|xr|xr|xr |dk(xr|d k(}|j Dcgc]\}}|dus|dk(r|}}}||||||gd||t djdd }|||fScc}}w)Nr6ghs_)ghp_gho_ github_pat_FFAIL)ghauthstatusz --hostnamez github.comrrJapiz!repos/%s/collaborators?per_page=1zrepos/%s/pulls/129z--jqz.numberPASS) token_present prefix_ghs not_owner_patgh_auth_capablemerge_perm_preflightraw_exposure_zero)(env_keys_or_sourced_env_presence_boolean$prefix4_slice_app_installation_checkowner_pat_prefix_exclusion#gh_auth_status_nonverbose_tokenless%gh_api_permission_read_only_get_probe raw_exposure_static_and_spy_zerotimez%Y-%m-%d %H:%M:%S) rO prefix_is_ghsis_app_token_not_owner_patrRmerge_permission_preflight raw_exposure checked_via cond6_results token_sourcets)r,bool startswithrBREPOitems __import__strftime)r?rbrOprefix4r\ is_owner_patr]rRr^rc_o_erc2_o2_e2rc3_o3_e3r_raall_passkvfail_conditionsevidences r preflightrzvs(*E<KM eBQibGv%M;##Fu'7'7 'F"&e!S!S|CSO!'3" @% B' *uADHIMCcax -5"6"=Y(! S# !817.L'#3* :)Q. M     &    '& 0   A   &3%8%8%:9TQ:1;9O9 '&&@*&@$ '$ ))*=>#H& _h ../9s?Ec t\}}}d}t |dd5}tj|dd |j d dddttjd d tj |rd ydy#t$r7tjj dtj dYwxYw#1swYxYw)Nzpreflight error (redacted) zB/home/jay/workspace/memory/events/task-2553+26.auth-preflight.jsonwr)rrT)indent sort_keys rb)gate0_all_passrxrbr) rzr sysr=writeexitrjsondumpprintdumps)rurxryout_pathr(s r mainrs.7k+/8 TH hg ." (BqD9   $**"* 0  HH(Q""!  78   sB+C=CCC#__main__)__doc__rrr!r9rr rrfcompilerr r,rBrzr__name__r rsm:  / $rzzNO $N#2X/v#, zFr