"jRdZddlmZddlZddlZddlZddlZddlZddlm Z ddl m Z m Z m Z dZgdZdd ggd d Zgd Zgd ZgdZgdddggdgdgddZej*dej*dej*dgZdZdZdZd#dZd$dZd$dZd$dZd$d Zd%d!Ze d"k(r e!ey)&uanu_pickup_preflight_check.py — ANU result-pickup 활성화 전 안전성 점검 (read-only). 절대 제약: - systemd service 실행/enable/restart 금지 (is-enabled/is-active 조회만) - ANU spawn / subprocess claude 호출 금지 - 파일 수정/생성 금지 (점검 전용) - ANU key raw 값 출력 금지 사용: python3 anu_pickup_preflight_check.py [--candidate-root ] ) annotationsN)Path)DictListTuplez//home/jay/workspace/.worktrees/task-2729+2-dev2)$dispatch/anu_result_pickup_runner.pydispatch/anu_pickup_driver.pyzdeploy/systemd/anu-pickup.pathz!deploy/systemd/anu-pickup.service scripts/anu_pickup_entrypoint.shPathExistsGlob_OR_PathChangedzUnit=) ExecStartz Type=oneshotWorkingDirectory)anu-pickup.pathanu-pickup.service) pickup_onceanu_runner_pickup_and_firePICKUP_WAKE_BUILT) scan_once process_oneACTIVATION_FLAG_REL is_activated)flockXDG_RUNTIME_DIRp0b_driver_enabledenabled) idempotent SKIP_DEDUPE SKIP_TERMINALdeduperlock)z pickup.donez pickup.ackedterminal) NOOP_DISABLEDACTIVATION_FLAGrr)sealed_key_loader ENV_ANU_KEYCOKACDIR_KEY_ANU env_loader) idempotencyrterminal_marker runaway_guard key_sealingz (?K) LL.tfAdV5I J55$)!! **( 7 ^^ 6dA !ii224R  8Q1RR  LL.wi8 9 %  LLG H YY[9,y86AN>L>S>S>U$~**=9:[]K 2K3PqCF3P2QRS! OP'dVG E>I% /.,, #" '"1# 'S 7 1!56674QsZAF,7G1G, G,$,G1+H , G):G)G)G$$G),G11 H:HHcg}g}g}tD]}t||z }|j}|js.|j dt d|d|j |\|j d|g}|dk(rt }n)|dk(rt}n|tvr t|}n |dk(rt}|s |jdd |D]} d | vrz| jd } tfd| D} tfd| Dd } | rtnt } |j d| d| dd| dd| r d| xsdzdzndn0| v} | rtnt } |j d| d| d| rdnd| r|j |d| |s|rt nt}||fS#t$r}|j d |Yd }~d }~wwxYw)u9후보 5개 파일 존재 확인 + 결선 키워드 grep. [] u: 파일 없음z [FOUND] anu_result_pickup_runner.pyanu_pickup_driver.pyanu_pickup_entrypoint.shutf-8replaceencodingerrorsz read error: N_OR_c3&K|]}|v ywN.0pcontents r[ z(check_candidate_files..s<W <c3,K|] }|vs| ywrjrkrls r[rpz(check_candidate_files..s$F1gQ$Fs z [z ] keyword 'rz OR z': zfound ()zMISSING (neither)foundMISSINGz::)CANDIDATE_FILESrnamerHrDr,RUNNER_KEYWORDSDRIVER_KEYWORDS UNIT_KEYWORDSENTRYPOINT_KEYWORDS read_textOSErrorsplitanynextr+)rootrMmissing keyword_failsrelpathfpathbasenamekwsrSkwpartsrvfound_kwrRrZros @r[check_candidate_filesrs EG!M"*=T W$::||~ LL3tfBwi? @ NN7 #  z'+, 4 4!C / /!C  &)C 3 3%C  //79/M =R<HHV,ENabd 'ME%*TFLL5 B4se7YbBc!de!((G9Brd);-  /s34 s9F11 G:GGc g}g}tt|jd}tt|jd}||z}|Dcgc]8}dt|vs dt|vrdt|vrdt|vr|:}}|D]} |j dd } t | jd D]x\} } | j} | jd r(tD]H} | j| }|st|j|}|jd |d | xz|rW|ddD]}|jd|t|dkDr!|jdt|dz dt}||fS|jdt }||fScc}w#t $rY3wxYw)uY소스에서 평문 key 패턴 검출. 실제 key 값 출력 금지 — 위치만 기록.z*.pyz*.shdispatchscriptsz.git __pycache__rcrdrers#zRAW_KEY_EXPOSURE_SUSPECTED at :Nz [WARN] u ... 외 u건 더u# raw key 패턴 검출 0건 (PASS))rIrrglobrKr~r enumeraterEr? startswithRAW_KEY_PATTERNSsearch relative_torDlenr-r+)rrMsuspectspy_filessh_files all_filesrY target_filesrrolinenolinestrippedpatmrelsrZs r[check_raw_key_exposurersEHDJ$$V,-HDJ$$V,-H8#I #a& IQ$7 #a& Q ' L oowyoIG&g&8&8&:A> LFDzz|H""3'' JJt$e//56COO&DSE6($ST    $#2 *A LL9QC ) * x=2  LL:c(mb&8%9A B E>  :; E>G   s=F7F<< G G c g}g}gd}d |D]8}t||z }|js" |jddz :tj D]t\}}t fd|D}|rtnt} |D cgc] } | vs|  } } |jd| d|d |rd | nd |z|rd|j|v|rtnt} | |fS#t$rYwxYwcc} w) uRrunner/driver/entrypoint 소스에서 안전속성 키워드 존재 여부 확인.)rr r rtrcrdrec3&K|]}|v ywrjrk)rmrcombineds r[rpz(check_safety_keywords..s52h5rqr^r_z: zfound uMISSING — expected one of ) rrHr~rSAFETY_KEYWORDSitemsrr+r,rD)rrMfails check_filesrrpropr found_anyrRr found_kwsrZrs @r[check_safety_keywordsrs'EEKHT W$ <<> EOOWYOOO %**,  c555 ""%8BxR8 8 &D6 $'0 {#8TUXTY6Z \  LL  dG E>   9sC& C5C5& C21C2cg}g}t|dz dz }|jrV|jdd}d|vxs d|vxrd|v}|jd |rtnt d |j|n*|jd t d |jd t|d z dz }|jr|jdd}d|vxrd|v}|jd |rtnt d|j|d|vxrd|v} |jd | rtnt d|j| d|vxsd|v} |jd | rtnt d|j| n|jd t dt|d z dz } | jr| jdd} d| vxrd| v} |jd | rtnt d|j| d| vxr d| vxrd| v}|jd |rtnt d|jd t|rtnt }||fS)udriver/entrypoint 의 실 ANU spawn 0 가드 확인. - activation flag 가드 (default DISABLED) - pickup_fn 주입 가능 (mock 교체 가능) - entrypoint FLAG_VALUE != 'enabled' → exit 0 가드 - driver 는 argv 를 실행하지 않음 (P0-a dry_run 주석) rrbrcrdrezFLAG_VALUE" != "enabled" FLAG_VALUEzexit 0r^z=] entrypoint: activation flag guard (exit 0 when not enabled)u:] anu_pickup_entrypoint.sh 파일 없음 — 점검 스킵TrraVERDICT_NOOP_DISABLEDrz4] driver scan_once: NOOP_DISABLED when not activatedzimport subprocessz subprocess.u:] driver: subprocess import/호출 0건 (실 spawn 없음)zpickup_fn=Nonez pickup_fn =u9] driver: pickup_fn 주입 가능 (테스트/mock 교체)u/] anu_pickup_driver.py 없음 — 점검 스킵r`u:] runner: subprocess import/호출 0건 (실 spawn 없음)argvzwake_built=Trueu] runner: WAKE_BUILT 는 argv dict 반환만 (실 실행 없음 — '실 발사는 권한 있는 ANU 세션이 수행' 주석 확인))rrHr~rDr+r,r-all)rrMchecksepep_texthas_flag_guarddriverdrv_texthas_noophas_no_subprocess has_injectionrunnerrun_texthas_no_subprocess_runner has_argv_onlyrZs r[check_dry_run_guardrsEF di "< 4t<X;U s8466jkl h x / .X-   s#44$??yz{ '()H4Q 8Q  s=4d;;tuv m$ s6("QRS$Z* $'D DF }}##WY#G x / .X- !  s#;4FGAB C ./ h  4!X- 4#83   -$V45g h   d&kdtG E>ctjdd}|jdtdtd|j }|j }t d|t d tjj|t i}t d t\}}|D] }t |t d |||d |d <t t dt|\}}|D] }t |t d |||d |d<t t dt|\} } | D] }t |t d | | | d |d<t t dt|\} } | D] }t |t d | | | d |d<t t dt|\} }|D] }t |t d | | |d |d<t t d||jDcic] \}}||d c}}t d}t#d|j%D}t#d|j%D}|r t&|d<n |r t(|d<t t+j,|ddt |d}|t&k(r t dy |t(k(r t d!y"t d#y"cc}}w)$Nanu_pickup_preflight_checkuSANU result-pickup 활성화 전 안전성 점검 (read-only, 실 service 미실행))prog descriptionz--candidate-rootu'점검 대상 worktree 루트 (기본: ru)defaulthelpz[preflight] candidate-root: z[preflight] root exists: u0=== [1] systemd user unit 상태 (read-only) ===z => )rZdetail systemd_unitsu8=== [2] 후보 파일 존재 + 결선 키워드 grep ===candidate_filesu,=== [3] ANU key raw 노출 정적 스캔 ===raw_key_exposureuR=== [4] 안전속성 키워드 (idempotency/lock/terminal/runaway/key-sealing) ===safety_keywordsu3=== [5] dry-run / 실 ANU spawn 0 가드 확인 === dry_run_guardu=== 종합 preflight 결과 ===rZ)candidate_rootroverallc34K|]}|dtk(ywrZN)r,rmvs r[rpzmain..sBA1Y<4'Bc34K|]}|dtk(ywr)r-rs r[rpzmain..sFQy\V+FrrF) ensure_asciiindentuG[preflight] OVERALL: FAIL — 활성화 전 필수 항목 해결 필요rsuI[preflight] OVERALL: CAVEAT — 경고 항목 확인 후 활성화 검토ru2[preflight] OVERALL: PASS — 모든 항목 통과)argparseArgumentParser add_argumentDEFAULT_CANDIDATE_ROOT parse_argsrprintospathisdirr\rrrrrr+rvaluesr,r-jsondumps)apargsrresultsv1l1rv2l2v3l3v4l4v5l5krsummaryany_fail any_caveatrs r[mainras  )i BOO&67M6Na P ==?D   D ( /0 %bggmmD&9%: ;< G!G <= "FB d  E",+-G  G 89 #D )FB d  E",.0B"?G  G ^_ "4 (FB d  E",-/2!>G  G ?@  &FB d  E",+-r s # $$K;GDK UUSP(Ba] BJJ23BJJJKBJJ'(    2p3r-f!NFX[| z TV r