4j.dZddlmZddlZddlZddlmZddlmZm Z edZ e dz Z e dz Z e d z Z e d z Zd Zd Zd ZdZe fddZddZ ddZ ddZddZ ddZdddZedk(r eey)urun_test_only_hardening_pr_merge.py — profile-driven PR merge lifecycle runner. task-2553+16 / Track 1. Profile-as-code orchestrator binding: profile load -> merge-readiness gate -> (BOT merge, head-pinned) -> post-merge smoke -> reconcile -> closeout Fail-closed by construction. The runner NEVER calls the GitHub merge endpoint unless the merge_ready_predicate evaluates ALL_PASS *and* the runtime auth invariant (9-R.5) holds *and* the caller passes --execute. Gate-only is the default mode and is side-effect free. 9-R bindings enforced here: 9-R.1 Gemini-thread resolve hard-bound: exactly-1 unresolved + unique blocking id + sole-remaining-blocker, else resolve 0 / PRE_MERGE_HOLD. 9-R.2 review-state fail-closed allowlist {APPROVED, ""}; CLEAN is the only affirmative-safe mergeStateStatus. 9-R.3 liveness budget; on exceed -> PRE_MERGE_HOLD (no spin). 9-R.4 emits pre-merge-gate.json (pre-merge decision) + result.json (final). 9-R.5 runtime auth invariant: BOT_GITHUB_TOKEN ghs_ App token only. 9-R.6 deterministic merge_method: squash > merge ; rebase-only -> HOLD. stdlib only. ) annotationsN)Path)AnyOptionalz/home/jay/workspacezCschemas/policy_profiles/test_only_hardening_pr_merge_v1.schema.jsonz;memory/policy_profiles/test_only_hardening_pr_merge_v1.jsonz.memory/events/task-2553+16.pre-merge-gate.jsonz&memory/events/task-2553+16.result.jsonPRE_MERGE_HOLDPOST_MERGE_HOLD MERGE_READYMERGEDc|jstd|tj|j d}|j ddk7r t ddD]}||vst d||S) z=Load the profile JSON. Fail-closed: missing/invalid -> raise.zprofile missing: utf-8encoding profile_idtest_only_hardening_pr_merge_v1z!profile_id mismatch (fail-closed))merge_ready_predicatehold_conditions merge_methodauthgemini_thread_resolveliveness_budgetirreversibility_policyscope_invariantsz#profile missing mandatory section: )existsFileNotFoundErrorjsonloads read_textget ValueError) profile_pathdatakeys ?/home/jay/workspace/scripts/run_test_only_hardening_pr_merge.py load_profiler$3s    "3L> BCC ::l,,g,> ?D xx !BB<==>J d?B3%HI I J Kcp|dd}|sy|jdry|j|sdd|dfSy ) zTrue only if token is the pre-configured taskctl-bot App token. OWNER PAT / personal PAT (ghp_/gho_/pat) / new token / absent / empty -> fail-closed (False). rtoken_prefix_expected)Fauth_absent_or_empty)ghp_gho_ github_pat_)Fowner_or_personal_pat_detectedFz!unexpected_token_prefix(expected ))Tgithub_app_installation_token) startswith)tokenprofileexpected_prefixs r#auth_okr3GsR fo&=>O , 786   O ,9/9J!LLL 0r%cr|dd}t|jdt|jdt|jd|d}|jdr d|d<d|fS|jdr d|d<d|fS|jdrd|d<d |d <d|fSd|d<d |d <d|fS) z,squash > merge ; rebase-only -> HOLD (None).rresolution_prioritysquashmergerebase)repo_allow_squash_mergerepo_allow_merge_commitrepo_allow_rebase_merger5selectedNrebase_only_forbidden hold_reasonno_merge_method_available)boolr) repo_allowr1prio provenances r#resolve_merge_methodrD\s > "#8 9D#' x(@#A#' w(?#@#' x(@#A# J ~~h!) :##~~g!( : ""~~h!% :$; =!Z!Jz ;J}  r%c:|d}||dk7rdd|dfS|sy|ryy) zResolve permitted only when: unresolved == exactly 1, the single blocking thread is uniquely identified, it is the sole remaining blocker. Otherwise resolve 0. rrequire_exact_unresolved_countFzunresolved_count=_not_exactly_1)F'blocking_thread_not_uniquely_identified)Fother_blockers_present)Teligible_single_resolve)unresolved_countunique_blocking_identifiedrIr1cfgs r#thread_resolve_eligiblerOzsC ) *C3?@@)*:);>JJJ %?. *r%c|d}i}|d|jd|jd|dk(d|d<|d|jd|jd|dvd|d<|jd }|d vrd n|}|d |||d vd |d <d|jd|jddud|d<d|jd|jddk(d|d<d|jd|jddud|d<|dd|jd|jd|ddk(d|d<|dd|jd|jd|ddk(d|d<td|jD}|jDcgc] \}}|dr |} }}||| dScc}}w)aEvaluate the AND-gate predicate against an observation dict. obs keys: mergeable, merge_state_status, review_decision, ci_all_success, unresolved_review_threads, effective_diff_test_only, production_byte0_sha256, head_sha r mergeable_eq mergeable)expectedmeasuredpassmerge_state_status_inmerge_state_status) expected_inrTrUmerge_state_status_cleanreview_decision)Nr[review_decision_allowlist) allowlistrTrUTci_all_successrunresolved_review_threadsunresolved_review_threads_eq_0effective_diff_test_onlyproduction_byte0baseline_sha256production_byte0_sha256)expected_sha256rTrUtargetsanctioned_head_shahead_shahead_sha_eq_sanctionedc3&K|] }|d yw)rUNrK).0cs r# z%evaluate_predicate..s61V96srU)checksALL_PASSfailed)rallvaluesitems) obsr1prnrdrd_normall_passkrlrps r#evaluate_predicaterzs= '(A(*Fn%GGK( $.(99F> 01GG01,-3J1KK*F %& " #B*$b"G231899+F &' GG,-()T1 F  GG783490F +, GG6723t;*F %& /01BCGG5612a8J6KL]6^^"F  H%&;<GGJ' #wx'89N'OO(F #$ 6fmmo66H"LLN unresolvedr_)rNrMFrITzthread_resolve:)okreason)decisionro predicatermerge_method_provenancemerge_method_selectedrOreasons) rzr3rDr rappendjoinrrO)rtr1r0rApredok_auth auth_reasonmethod method_provrrurc resolve_eligresolve_reasons r#decidersA c7 +D"5'2G[.z7CFK":.{NHG  (388DN+CCD !*[89 ~! )UUV ''- .CL )'>  GG0% 8 GG,d 3  ( $ n (89:$+6#.!'#/  r%c tj}|jdd|jdd|jddd |jd tt|j |}d dl}t}|js&ttjd tdytjt|jjd}|j j#|j$}|j#di}t'||||}t|j(j+tj|ddd|dt,k7r(ttj|d|ddy |j.s&ttjt,ddy ttjt,ddy )Nz --observationzpath to observation JSON)helpz --token-envBOT_GITHUB_TOKEN)defaultz --execute store_truez@permit BOT merge if and only if MERGE_READY (default: gate-only))actionrz --emit-gaterno_observation_supplied)errorrr r rAF)indent ensure_asciirr)rrzgate-only; --execute withheld)rnotez:execute requested; defer to orchestrator head-pinned merge)argparseArgumentParser add_argumentstr GATE_PATH parse_argsosr$ observationprintrdumpsrrrrenvironr token_envr emit_gate write_textr execute) argvapargsrr1rtr0rAgates r#mainrs  "BOOO*DOEOOM+=O>OOK []OOM3y>O: == D nG    djj#<.YZ[ **T$**+55w5G HC JJNN4>> *Er*J #wz 2D## 46$J J;& djjd:&64 ?STU << djjk;Z[\]  $**+7st uv r%__main__)r rreturndict[str, Any])r0 Optional[str]r1rrtuple[bool, str])rAdict[str, bool]r1rrz$tuple[Optional[str], dict[str, Any]]) rLintrMr@rIr@r1rrr)rtrr1rrr) rtrr1rr0rrArrr)N)rzOptional[list[str]]rr)__doc__ __future__rrrpathlibrtypingrr WORKSPACE SCHEMA_PATH PROFILE_PATHr RESULT_PATHrrr r r$r3rDrOrzrr__name__ SystemExitrKr%r#rs2#  & ' __ XX H H BB !# '3 ( 1*"05Y<+8<+48+&4+9I+.7Ft((-<(AO(`% P z TV r%