{
  "schema": "anu.critical7_label_mismatch_repro.v1",
  "task_id": "task-2618",
  "ts_kst": "2026-05-19 13:58 KST",
  "purpose": "C7_OWNER_PAT vs C7_CREDENTIAL family label mismatch + escalation-route 불변 재현 fixture (read-only, 실 classifier 기반).",
  "how_to_reproduce": "python3 anu_v3/critical7_classifier.py --input <this.findings>  (baseline) / --rules /tmp-copy reordered (가상 R1). 실제 config/critical7_rules.yaml 무변조.",
  "classifier_entrypoint": "anu_v3/critical7_classifier.py :: Critical7Ruleset.classify (first-match line 231) -> classify_critical7",
  "rule_order_baseline": ["C7_SECURITY", "C7_CREDENTIAL", "C7_PERMISSION", "C7_FORBIDDEN_PATH", "C7_SCOPE_EXPANSION", "C7_MERGE_WRITE", "C7_OWNER_PAT"],
  "rule_order_reordered_R1": ["C7_SECURITY", "C7_OWNER_PAT", "C7_CREDENTIAL", "C7_PERMISSION", "C7_FORBIDDEN_PATH", "C7_SCOPE_EXPANSION", "C7_MERGE_WRITE"],

  "findings": [
    {"id": "p1-owner-pat-access-token", "severity": "HIGH", "message": "executor used owner personal access token to authenticate GitHub API"},
    {"id": "p2-owner-access-token", "severity": "HIGH", "message": "used owner access token for push"},
    {"id": "p3-pinned-fpat", "severity": "HIGH", "message": "used OWNER PAT to authenticate GitHub API"},
    {"id": "p4-bare-pat", "severity": "HIGH", "message": "used a fine-grained PAT for GitHub API call"},
    {"id": "p5-personal-access-token-no-owner", "severity": "HIGH", "message": "leaked personal access token in build log"},
    {"id": "p6-owner-pat-bare", "severity": "HIGH", "message": "owner PAT leaked in CI logs"},
    {"id": "p7-pure-credential", "severity": "HIGH", "message": "hardcoded api key ghp_ABCDEFGH12345678 committed"},
    {"id": "p8-owner-token-word", "severity": "HIGH", "message": "privileged github token (owner token) used to merge"}
  ],

  "expected_baseline": [
    {"id": "p1-owner-pat-access-token", "matched_rule_id": "C7_CREDENTIAL", "family": "credential", "verdict": "CHAIR_HOLD", "is_critical7": true, "label_mismatch": true, "matched_terms": ["kw:access token"]},
    {"id": "p2-owner-access-token", "matched_rule_id": "C7_CREDENTIAL", "family": "credential", "verdict": "CHAIR_HOLD", "is_critical7": true, "label_mismatch": true, "matched_terms": ["kw:access token"]},
    {"id": "p3-pinned-fpat", "matched_rule_id": "C7_OWNER_PAT", "family": "owner_pat", "verdict": "CHAIR_HOLD", "is_critical7": true, "label_mismatch": false, "note": "pinned f-pat selftest 계약 보존 — regression anchor"},
    {"id": "p4-bare-pat", "matched_rule_id": "C7_OWNER_PAT", "family": "owner_pat", "verdict": "CHAIR_HOLD", "is_critical7": true, "label_mismatch": false},
    {"id": "p5-personal-access-token-no-owner", "matched_rule_id": "C7_CREDENTIAL", "family": "credential", "verdict": "CHAIR_HOLD", "is_critical7": true, "label_mismatch": false, "note": "owner 접두 없음 — credential 라벨이 정합 (selftest f-pat-words 계약)"},
    {"id": "p6-owner-pat-bare", "matched_rule_id": "C7_OWNER_PAT", "family": "owner_pat", "verdict": "CHAIR_HOLD", "is_critical7": true, "label_mismatch": false},
    {"id": "p7-pure-credential", "matched_rule_id": "C7_CREDENTIAL", "family": "credential", "verdict": "CHAIR_HOLD", "is_critical7": true, "label_mismatch": false},
    {"id": "p8-owner-token-word", "matched_rule_id": "C7_OWNER_PAT", "family": "owner_pat", "verdict": "CHAIR_HOLD", "is_critical7": true, "label_mismatch": false}
  ],

  "expected_reordered_R1": [
    {"id": "p1-owner-pat-access-token", "family": "owner_pat", "verdict": "CHAIR_HOLD", "is_critical7": true, "delta": "label credential->owner_pat (FIX 효과)"},
    {"id": "p2-owner-access-token", "family": "credential", "verdict": "CHAIR_HOLD", "is_critical7": true, "delta": "label 불변 (owner_pat regex 가 'owner access token' 미포착 — 'owner ... personal access' 패턴 필요; 잔존 mismatch)"},
    {"id": "p3-pinned-fpat", "family": "owner_pat", "verdict": "CHAIR_HOLD", "is_critical7": true, "delta": "불변 (regression anchor 보존)"},
    {"id": "p4-bare-pat", "family": "owner_pat", "verdict": "CHAIR_HOLD", "is_critical7": true, "delta": "불변"},
    {"id": "p5-personal-access-token-no-owner", "family": "owner_pat", "verdict": "CHAIR_HOLD", "is_critical7": true, "delta": "label credential->owner_pat — SIDE-EFFECT over-label (owner 접두 없는 PAT 도 owner_pat 로 광역화; SAFE이나 라벨 정밀도 역회귀)"},
    {"id": "p6-owner-pat-bare", "family": "owner_pat", "verdict": "CHAIR_HOLD", "is_critical7": true, "delta": "불변"},
    {"id": "p7-pure-credential", "family": "credential", "verdict": "CHAIR_HOLD", "is_critical7": true, "delta": "불변 (순수 credential 영향 0)"},
    {"id": "p8-owner-token-word", "family": "owner_pat", "verdict": "CHAIR_HOLD", "is_critical7": true, "delta": "불변"}
  ],

  "assertions": {
    "A1_label_mismatch_exists_baseline": "p1,p2 = owner-PAT 의미인데 family=credential (mismatch=true) — 재현됨",
    "A2_escalation_route_invariant": "baseline 8/8 verdict=CHAIR_HOLD·is_critical7=true. credential 라벨군·owner_pat 라벨군 escalation route 동일. family mismatch 가 route 변경 0건 — DISPROVEN(route 영향 없음)",
    "A3_reorder_no_detection_weakening": "reordered_R1 8/8 여전히 verdict=CHAIR_HOLD·is_critical7=true. Critical7 escape 0. 탐지 약화 없음 — DISPROVEN",
    "A4_reorder_mutates_priority_invariant": "rule_order_baseline != rule_order_reordered_R1 → task-2611+1.result.json#invariants.critical7_priority_unchanged 가 false 로 변형됨 — 기록 frozen invariant 속성 변경 PROVEN(부분)",
    "A5_reorder_side_effect_regression": "p5 (owner 접두 없는 personal access token) credential->owner_pat 광역화 = 라벨 정밀도 역회귀 + selftest f-pat-words(expected family=credential) FAIL 유발 가능 — regression 후보 핵심",
    "A6_pinned_anchor_preserved": "p3 (used OWNER PAT) = selftest f-pat 계약, baseline·R1 양쪽 owner_pat 유지"
  },
  "real_yaml_unmodified_proof": {
    "config/critical7_rules.yaml": "80bdf2420cc633c52171d6629120f4f82f2ea2c60ca75524f43e615f6665f6b0 (before == after, 실파일 무변조; reorder 는 /tmp 사본·--rules override 로만)"
  }
}