4j'dZddlmZddlZddlmcmZddl m Z m Z m Z ddZ dZdZdZd Zd Zd Zd Zd ZdZdZdZdZdZdZdZdZdZy)utask-2611+2 — C7_OWNER_PAT vs C7_CREDENTIAL precedence 정합 regression. AUTO_REMEDIATION (SAFE·non-Critical): owner-scoped 신규 rule (C7_OWNER_PAT_PRIORITY) 을 C7_CREDENTIAL 앞에 평가하여 owner-PAT 표기가 credential 대신 owner_pat 으로 정확 분류되도록 정합. additive only — 기존 selftest 17/17·8/8 CHAIR_HOLD·is_critical7·7 family·약화가드 무회귀. Track B(task-2618) fix-and-regression-candidates REG-1..REG-9 계약 검증. ) annotationsN) CHAIR_HOLDCritical7Rulesetclassify_critical7c tdd|dS)NtHIGH)idseveritymessage)r)msgs A/home/jay/workspace/tests/regression/test_critical7_classifier.py_crs SfM NNctd}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}|j}d }||k(}|stjd|fd ||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}|j}|tk(}|stjd|fd |tfdt j vstj |rtj|ndtj|d t j vstj trtjtnd d z}dd|iz}ttj|dx}}|j}d}||u}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}y)NDexecutor used owner personal access token to authenticate GitHub API owner_pat==z.%(py2)s {%(py2)s = %(py0)s.family } == %(py5)srpy0py2py5assert %(py7)spy7C7_OWNER_PAT_PRIORITYz7%(py2)s {%(py2)s = %(py0)s.matched_rule_id } == %(py5)sz/%(py2)s {%(py2)s = %(py0)s.verdict } == %(py4)srrrpy4assert %(py6)spy6Tisz4%(py2)s {%(py2)s = %(py0)s.is_critical7 } is %(py5)srfamily @pytest_ar_call_reprcompare @py_builtinslocals_should_repr_global_name _safereprAssertionError_format_explanationmatched_rule_idverdictr is_critical7r @py_assert1 @py_assert4 @py_assert3 @py_format6 @py_format8 @py_format5 @py_format7s r5test_owner_personal_access_token_classifies_owner_patr=s QRA 88"{"8{ """"8{""""""1"""1"""8"""{"""""""  7 77  7 7777  777777717771777 777 77777777 99"9 """"9 """"""1"""1"""9"""""" """ """"""" >>!T!>T !!!!>T!!!!!!1!!!1!!!>!!!T!!!!!!!rctd}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}|j}d }||k(}|stjd|fd ||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}|j}|tk(}|stjd|fd |tfdt j vstj |rtj|ndtj|d t j vstj trtjtnd d z}dd|iz}ttj|dx}}|j}d}||u}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}y)N used owner access token for pushrrrrrrrrrr rr!r#r$Tr%r'r(r5s r,test_owner_access_token_classifies_owner_patr@!s -.A 88"{"8{ """"8{""""""1"""1"""8"""{"""""""  7 77  7 7777  777777717771777 777 77777777 99"9 """"9 """"""1"""1"""9"""""" """ """"""" >>!T!>T !!!!>T!!!!!!1!!!1!!!>!!!T!!!!!!!rc:td}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}|j}|tk(}|stjd|fd |tfdt j vstj |rtj|ndtj|d t j vstj trtjtnd d z}d d |iz}ttj|dx}}|j}d}||u}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}y)N)leaked personal access token in build log credentialrrrrrrr rr!r#r$Tr%r') rr)r*r+r,r-r.r/r0r1r3rr4r5s r0test_bare_personal_access_token_stays_credentialrD,sc 67A 88#|#8| ####8|######1###1###8###|####### 99"9 """"9 """"""1"""1"""9"""""" """ """"""" >>!T!>T !!!!>T!!!!!!1!!!1!!!>!!!T!!!!!!!rc8td}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}|j}d }||u}|stjd |fd ||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}y) Nz*rotated access token leaked in CI artifactrCrrrrrrTr%r' rr)r*r+r,r-r.r/r0r1r4rr6r7r8r9r:s r'test_bare_access_token_stays_credentialrH3s 78A 88#|#8| ####8|######1###1###8###|####### >>!T!>T !!!!>T!!!!!!1!!!1!!!>!!!T!!!!!!!rc8td}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}|j}d }||u}|stjd |fd ||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}y) N)used OWNER PAT to authenticate GitHub APIrrrrrrrTr%r'rFrGs r%test_owner_pat_phrase_still_owner_patrK:s 67A 88"{"8{ """"8{""""""1"""1"""8"""{""""""" >>!T!>T !!!!>T!!!!!!1!!!1!!!>!!!T!!!!!!!rc8td}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}|j}d }||u}|stjd |fd ||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}y) N+used a fine-grained PAT for GitHub API callrrrrrrrTr%r'rFrGs r%test_fine_grained_pat_still_owner_patrN@s 89A 88"{"8{ """"8{""""""1"""1"""8"""{""""""" >>!T!>T !!!!>T!!!!!!1!!!1!!!>!!!T!!!!!!!rc8td}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}|j}d }||u}|stjd |fd ||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}y) N0hardcoded api key ghp_ABCDEFGH12345678 committedrCrrrrrrTr%r'rFrGs rtest_ghp_token_still_credentialrQGs =>A 88#|#8| ####8|######1###1###8###|####### >>!T!>T !!!!>T!!!!!!1!!!1!!!>!!!T!!!!!!!rcPtj}|j|jDchc]}|j d}}dD]}||v}|st j d|fd||fdtjvst j|rt j|nddtjvst j|rt j|nddz}dd |iz}tt j|d}ycc}w) Nr))securityrC permissionforbidden_pathscope_expansion merge_writer)in)z%(py0)s in %(py2)sfamfamiliesrrzassert %(py4)sr") rload_assert_ruleset_not_weakenedrulesgetr*r+r,r-r.r/r0r1)rsrrZrYr6 @py_format3r;s r,test_seven_families_present_and_guard_passesrbNs    B##%)+2Ah2H2 hshsshh 3sD#cgd}|D]}t|}|j}|tk(}|stjd|fd|tfdt j vstj|rtj|ndtj|dt j vstjtrtjtnddz}tj|dzd|iz}ttj|dx}}|j}d }||u}|stjd |fd ||fdt j vstj|rtj|ndtj|tj|d z}tj|d zd|iz} ttj| dx}x}}y)N)rr?rJrBzowner PAT leaked in CI logsz3privileged github token (owner token) used to mergerPrMrr rrr! >assert %(py6)sr$Tr%r'rz >assert %(py7)sr) rr3rr*r+r,r-r.r/_format_assertmsgr0r1r4) probesr rr6r8r;r<r7r9r:s r2test_all_owner_credential_probes_remain_chair_holdrg_s" F+ sGyy+yJ&+++yJ++++++q+++q+++y++++++J+++J++++++++++~~**~%***~******q***q***~******s*******+rcddlm}|}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}y) Nr) _selftestr)z)%(py2)s {%(py2)s = %(py0)s() } == %(py5)srirrr) anu_v3.critical7_classifierrir*r+r,r-r.r/r0r1)rir6r7r8r9r:s r#test_builtin_selftest_no_regressionrkqsp5 ;!;! ;!99;!rcgd}|D]}t|}|j}| }|stjd|d|jdzdt j vstj|rtj|ndtj|dz}ttj|dx}}|j}|tk7}|stjd|fd |tfdt j vstj|rtj|ndtj|d t j vstjtrtjtnd d z}tjd |d zd|iz}ttj|dx}}y)uC7R3 'credential write 0' REFUTATION — task-2615 collector adjudication 의 false-positive 정본 사례. '0 credential writes' / 'no credential write' 같은 부정/제로 패턴은 더 이상 C7_CREDENTIAL 로 매치되지 않는다.)uSPR/merge/credential write 0 — 본 task 는 credential 도 token 도 쓰지 않음z2credential write = 0 (no executor self-credential)u7executor wrote no credential — credential write 0 건uBREFUTATION: hardcoded api key 없음 (intended_is_critical7=False)z/false positive: credential write 0 in audit logu"REFUTATION false-positive 잔존:  -> 6 >assert not %(py2)s {%(py2)s = %(py0)s.is_critical7 }rr[N)!=)z/%(py2)s {%(py2)s = %(py0)s.verdict } != %(py4)srr!uREFUTATION CHAIR_HOLD 잔존: rdr$)rr4r*rer)r,r-r.r/r0r1r3rr+)refutation_msgsr rr6r8 @py_format4r;r<s r8test_task2615_c7r3_credential_write_0_refutation_blockedrrs&OQ sG>>]>!]!]]%GwdSTS[S[R\#]]]]]]]1]]]1]]]>]]]]]]yyPyJ&PPPyJPPPPPPqPPPqPPPyPPPPPPJPPPJPPPP*H(PPPPPPPPQrcgd}|D]}t|}|j}| }|stjd|d|jdzdt j vstj|rtj|ndtj|dz}ttj|dx}}y)utask-2611+2 SAFE precedence — '본 task 보안 취약점 없음' 같은 명시적 부정문이 C7_SECURITY false-positive 를 일으키지 않는다.)u1본 task SQL injection 없음 — read-only auditz;SQL injection: 0 (no entrypoint executes user-supplied SQL)uBREFUTATION: command injection 없음 (intended_is_critical7=False)z(forbidden path write = 0 (additive only)u+scope expansion 없음 — allowlist 한정z SAFE precedence false-positive: rmrnrr[N rr4r*rer)r,r-r.r/r0r1rpr rr6r8rqs r>test_task2611p2_safe_precedence_negated_security_terms_blockedrvsO\ sG>>[>![![[%EcWDQRQYQYPZ#[[[[[[[1[[[1[[[>[[[[[[\rcgd}|D]}t|}|j}| }|stjd|d|jdzdt j vstj|rtj|ndtj|dz}ttj|dx}}y)udoc/test 안의 키워드 등장 (설명/부정문/REFUTATION) — 분류기가 문맥을 인지하여 false-positive 차단.)uGRFC: explain what 'forbidden path write' means — false-positive guardzFtest fixture comment: REFUTATION sentence asserting credential write 0uOdoc: 'git push to main' 에 대한 설명 (forbidden — false positive 회피)zdoc/test false-positive: rmrnrr[Nrtrus r3test_doc_test_keyword_in_refutation_context_blockedrxsO U sG>>T>!T!TT%>sgT!((#TTTTTTT1TTT1TTT>TTTTTTUrcgd}|D]B\}}t|}|j}||u}|stjd|fd||fdt j vstj |rtj|ndtj|dt j vstj |rtj|nddz}tjd|d|jd zd |iz}ttj|d x}}|j}|tk(}|stjd |fd |tfdt j vstj |rtj|ndtj|dt j vstj trtjtnddz}tjd|d zd |iz}ttj|d x}}Ey )u진성 Critical7 사례 8개가 모두 CHAIR_HOLD 유지 — negation/REFUTATION 패턴이 없는 진짜 위협은 그대로 분류된다(detection coverage 감소 0).))z1potential SQL injection in query builder (CWE-89)T)rPT)z3script runs chmod 777 on output dir, world-writableT)u0write outside allowlist — wrote to .git/configT)z5scope expansion: modified files not in task allowlistT)z!executor ran git push origin mainT)rJT)u4frozen anchor modified — byte-0 violation detectedTr%)z4%(py2)s {%(py2)s = %(py0)s.is_critical7 } is %(py4)srexpectedr!u-진성 Critical7 misclassification (약화): rmrdr$Nrr ru$진성 Critical7 escalation 약화: )rr4r*r+r,r-r.r/rer)r0r1r3r)genuiner rzrr6r8r;r<s rCtest_genuine_critical7_eight_of_eight_still_chair_hold_no_weakeningr|sG$! X sG~~ ~)   ~   6         6  "*  "*  d}t|}|j}d}||u}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}|j}d }||k(}|stjd |fd ||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}|j}|tk(}|stjd |fd |tfdt j vstj |rtj|ndtj|dt j vstj trtjtnddz}dd|iz}ttj|d x}}y )uSAFE 방향: 같은 문서에 negation 동반 occurrence + 진짜 신호 occurrence 가 동시에 등장하면 진짜 신호는 살아남는다(detection coverage 감소 0).zncredential write 0 in audit log (REFUTATION). However, hardcoded api key ghp_REALLEAK12345678 committed in PR.Tr%r'rrrrNrCrrr rr!r#r$) rr4r*r+r,r-r.r/r0r1r)r3r) r rr6r7r8r9r:r;r<s rOtest_negation_preprocessor_does_not_drop_partial_match_when_real_signal_presentr~sn K 3A >>!T!>T !!!!>T!!!!!!1!!!1!!!>!!!T!!!!!!! 88#|#8| ####8|######1###1###8###|####### 99"9 """"9 """"""1"""1"""9"""""" """ """""""rctj}|jtddddgdd}|j}d}||u}|st j d|fd ||fd tjvst j|rt j|nd t j|t j|d z}d d |iz}tt j|dx}x}}|j}d}||k(}|st j d|fd||fd tjvst j|rt j|nd t j|t j|d z}d d |iz}tt j|dx}x}}|j}|tk(}|st j d|fd|tfd tjvst j|rt j|nd t j|dtjvst jtrt jtnddz}dd|iz}tt j|dx}}y)uv약화가드 + 7 family + invariant_break 신호 byte-0 (구조 metadata 매치는 negation 으로 회피 불가).z f-cat-invr shared_invariant_breachzfrozen-anchor-modifiedu;REFUTATION test — but category is shared_invariant_breach)r r categorytagsr Tr%r'rrrrNinvariant_breakrrr rr!r#r$)rr\r]rr4r*r+r,r-r.r/r0r1r)r3r) r`rr6r7r8r9r:r;r<s r9test_negation_preprocessor_invariant_break_signals_byte_0rs    B##%-)*P  A >>!T!>T !!!!>T!!!!!!1!!!1!!!>!!!T!!!!!!! 88(((8( ((((8(((((((1(((1(((8((((((((((( 99"9 """"9 """"""1"""1"""9"""""" """ """""""rc tj}|j|jDcgc]}|j d}}|j }d}||}|j }d}||}||k} | s>t jd| fd||fdtjvst j|rt j|ndt j|t j|t j|dtjvst j|rt j|ndt j|t j|t j|dz} dd | iz} tt j| d x}x}x}x} x}x}}y cc}w) uE7 family 약화가드 + critical7 ruleset 우선순위 byte-0 확인.r r C7_CREDENTIAL)<)z%(py6)s {%(py6)s = %(py2)s {%(py2)s = %(py0)s.index }(%(py4)s) } < %(py14)s {%(py14)s = %(py10)s {%(py10)s = %(py8)s.index }(%(py12)s) } ids_in_order)rrr"r$py8py10py12py14zassert %(py16)spy16N)rr\r]r^r_indexr*r+r,r-r.r/r0r1) r`rrr6r8 @py_assert5 @py_assert9 @py_assert11 @py_assert13 @py_assert7 @py_format15 @py_format17s r4test_seven_family_ruleset_byte0_after_negation_patchrs.    B##%)+2AAEE$K2L2   \5\ 5 6\9K9K\O\9KO9\\ 69\ \\\\ 69\\\\\\\<\\\<\\\ \\\5\\\ 6\\\\\\\\\\\\9K\\\O\\\9\\\\\\\\\3sG)r str)__doc__ __future__rbuiltinsr,_pytest.assertion.rewrite assertionrewriter*rjrrrrr=r@rDrHrKrNrQrbrgrkrrrvrxr|r~rrrrrs}#O """"" "" "+$Q" \ U > ##&]r