̦j~CrdZddlmZddlZddlmcmZddl Z ddl Z ddl Z ddl m Z ddlmZmZmZddlZe ej)j*dZeee j0vr"e j0j3deeddlmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$ddd Z%d Z&d Z'ed z d z Z(ddd ddZ)ejTjWdgd ddZ,ddZ- d dZ. d dZ/ d dZ0 d dZ1ddZ2 d!dZ3ddZ4y)"utests.regression.test_owner_trigger_security_boundaries_2553 — fixture 5 + 보안 경계. 회장 §명시: - fixture 5: **non-queue-head blocked** — queue-head 아닌 PR 에 trigger 시 fail-fast - 15 금지 박제 (보안 경계 적대적 평가 핵심, Lv.4 security) 본 regression 의 7 테스트 케이스는 다음 doctrine 위반 시나리오를 차단한다: 1. queue-head 아닌 PR 에 trigger (금지 #9) 2. comment body strict equality 위반 (금지 #7) 3. endpoint allowlist 위반 (금지 #1~5: merge/approve/close/reopen/push) 4. token value log (금지 #12, #13) 5. default GH_TOKEN fallback (금지 #14) 6. owner_trigger_pat.py 소스 안에 forbidden endpoint 호출 표현식 0 7. OWNER PAT env value leak (금지 #12, #13 — stdout/stderr/audit 어디에도 노출 0) 본 모듈은 `anu_v2.owner_trigger_pat` 를 **수정하지 않고** 정적 + behavioral 검증만 수행. ) annotationsN)Path)AnyMappingSequence) ALLOWED_COMMENT_BODYDECISION_REJECTERR_BODY_NOT_ALLOWED!EVIDENCE_MISSING_FOR_CURRENT_HEAD OUTCOME_OKOUTCOME_REJECTEDOWNER_PAT_ENV_NAMEOwnerTriggerPatassert_body_allowedwrite_decision_jsonc4tjg|||S)N)args returncodestdoutstderr) subprocessCompletedProcess)rrrs S/home/jay/workspace/tests/regression/test_owner_trigger_security_boundaries_2553.py_cpr1s  & &B:f]c ddghp_SECRET12345z2026-05-11T12:00:00+00:00anu_v2zowner_trigger_pat.pyfail_returncode fail_stderrcXdfd }d fd }d fd }t|||dddS) Ncrjt|t|xsidtS)N)renv)rr)appendlistdictr)rr%r!r"gh_callss r gh_runnerz _make_trigger..gh_runnerFs-dDODEokBBrc:jt|yN)r&r()record audit_callss r audit_writerz#_make_trigger..audit_writerJs4<(rcjjt|t|dt||y)N)payloadpath)r&r(strr)r1r2decision_callss rdecision_writerz&_make_trigger..decision_writerMs($w-TKLGT*rz jeon-jonghyukz taskctl-anuctSr,) _FIXED_TSrrz_make_trigger..Wsir)r*r/r5ownerrepoclock)rz Sequence[str]r%zMapping[str, str]returnsubprocess.CompletedProcess)r-Mapping[str, Any]r=None)r1r?r2rr=r@)r)r)r.r4r!r"r*r/r5s````` r _make_triggerrA>s4C)+ !'   rbad_queue_position)r c  |jttg}g}g}t|||}|j dd|t |dz |dz }|j }|tk(} | stjd| fd|tfdtjvstj|rtj|ndtj|d tjvstjtrtjtnd d z} d d | iz} ttj| d x}} |j j#} g}d} | | v}|}|sd}|| v}|}|sXtjd|fd| | ftj| dtjvstj| rtj| nddz}dd|iz}|j%||stjdfd| ftj|dtjvstj| rtj| nddz}dd|iz}|j%|tj&|diz}dd|iz}ttj|d x}x}x} x}x}}t)|} d}| |k(}|stjd|fd| |fdtjvstjt(rtjt(ndd tjvstj|rtj|nd tj| tj|d!z} d"d#| iz}ttj|d x} x}}t+j,|dz j/d$%}|d&}|t0k(} | stjd| fd'|t0ftj|d(tjvstjt0rtjt0nd(d)z}d*d+|iz}ttj|d x}} y ),uwqueue_position != 0 인 PR trigger 시도 → REJECT + gh 호출 0. 회장 §명시 fixture 5 + 15 금지 #9. *nqh audit.jsonl decision.json pr_numberhead_shaqueue_positiongemini_evidence_stateaudit_log_pathdecision_json_path==z/%(py2)s {%(py2)s = %(py0)s.outcome } == %(py4)soutrpy0py2py4assert %(py6)spy6N QUEUE_HEADNOT_QUEUE_HEADin)z%(py3)s in %(py5)s reason_upper)py3py5z%(py7)spy7)z%(py10)s in %(py12)s)py10py12z%(py14)spy14rCzassert %(py17)spy17rz0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } == %(py6)slenr)rWpy1rar[assert %(py8)spy8utf-8encodingdecisionz%(py1)s == %(py3)sr rkraassert %(py5)srb)setenvr_FAKE_OWNER_PATrAtrigger_gemini_reviewr outcomer @pytest_ar_call_reprcompare @py_builtinslocals_should_repr_global_name _safereprAssertionError_format_explanationreasonupperr&_format_booloprijsonloads read_textr )tmp_pathrB monkeypatchr)r.r4triggerrU @py_assert1 @py_assert3 @py_format5 @py_format7r` @py_assert2 @py_assert4 @py_assert0 @py_assert9 @py_assert11 @py_format6 @py_format8 @py_format13 @py_format15 @py_format16 @py_format18 @py_assert5 @py_format9 decision_data @py_format4s rtest_non_queue_head_blockedr\s)?;%'H(*K+-NHk>BG  ' ')?-/#o5 ( C ;;*;* ****;*******3***3***;******************::##%LOLOLL (O.>O.>,.NOOOOLLOOOLOOOOOOLOOOLOOOOOOO.>,OOO.>OOOOOO,OOO,OOOOOOOOOOOOOO x=A=A =A33xx=AJJ? :EEwEWXM  $7 $ 7777 $777 $7777777777777777rc Jttgd}|D]}tjt5}t|dddj }t |}t|v}|sCtjd|fdt|fdtjvstjtrtjtnddtjvstjt rtjt nddtjvstj|rtj|ndtj|tj|dz}d d |iz}ttj|dx}x}}d }t|k(}|stjd |fd t|fdtjvstjtrtjtndtj|dz} dd| iz} ttj| dx}}t!tt } | sddtjvstjt rtjt nddtjvstjtrtjtnddtjvstjt rtjt ndtj| dz} ttj| d} y#1swY[xYw)u`/gemini review` 외 body 입력 시 RuntimeError("BODY_NOT_ALLOWED") raise. 회장 §명시 15 금지 #7 + 6 허용 #1: comment body 정확히 `/gemini review` only. strict equality (대소문자/공백/접미사 등 모두 차단). ) z/gemini review pleasez /gemini reviewz/gemini review z/gemini Reviewz/Gemini reviewz/gemini-reviewz/gemini reviewz/gemini review z/gemini review;rz gemini reviewz/gemini review!Nr^)zK%(py0)s in %(py7)s {%(py7)s = %(py2)s(%(py5)s {%(py5)s = %(py3)s.value }) }r r3exc)rWrXrarbrcassert %(py9)spy9z/gemini reviewrRz%(py0)s == %(py3)sr rWrartrb5assert %(py4)s {%(py4)s = %(py0)s(%(py1)s, %(py2)s) } isinstancerWrkrXrY)rr pytestraises RuntimeErrorvaluer3r ryrzr{r|r}r~rrr) bad_bodiesbodyrr @py_assert6rr @py_format10rrrrrs r2test_comment_body_strict_equality_rejects_variantsrs,- J6 ]]< ( &C  % &+.995s9~5#~5555#~555555#555#555555s555s555555355535559555~55555556$43 #3 3333 #3333333 333 333#33333333 *C 00 000000:000:000000*000*000000C000C000 0000000 & &s NN" c |jttg}g}g}t|||}d}|j |ddt |dz |dz }|j }|tk(} | stjd| fd|tfd tjvstj|rtj|nd tj|d tjvstjtrtjtnd d z} d d | iz} ttj| dx}} t!|} d} | | k(}|stjd|fd| | fdtjvstjt rtjt nddtjvstj|rtj|ndtj| tj| dz} dd| iz}ttj|dx} x}} |dd}dddd|dddt"g}||k(}|stjd|fd||fdtjvstj|rtj|nddtjvstj|rtj|ndd z}d!d"|iz} ttj| d}d#j%|}d$}|D]}||v}|stjd%|fd&||fd'tjvstj|rtj|nd'd(tjvstj|rtj|nd(d z}tj&d)|d*|d+zd"|iz} ttj| d}y),ugh_runner 에 전달되는 args 가 정확히 issue comments POST 1 endpoint 형식. 회장 §명시 15 금지 #1~5: merge / approve / close / reopen / push 호출 0. Qep_testrrIrJrKrRrTrUr rVrZr[NrCrhrir)rjrlrmrapiz-XPOSTz(/repos/jeon-jonghyuk/taskctl-anu/issues/z /commentsz-fzbody=)z%(py0)s == %(py2)sexpectedrWrXassert %(py4)srY )z/mergesz/mergez /approvalsz/approvez/reviewsz state=closedz state=openzpr mergez pr approvezpr closez pr reopenzgit pushz /git/refsz /branches/z/pulls/not inz%(py0)s not in %(py2)sfragflatzforbidden fragment z found in args:  >assert %(py4)s)rurrvrArwr rxr ryrzr{r|r}r~rrrir join_format_assertmsg)rrr)r.r4rprrUrrrrrrrrrr @py_format3rforbidden_fragmentsrs r+test_endpoint_allowlist_enforced_exact_argsrs)?;%'H(*K+-NHk>BG B  ' '?-/#o5 ( C ;;$;* $$$$;*$$$$$$3$$$3$$$;$$$$$$*$$$*$$$$$$$ x=A=A =A33xx=A A;v D tV 22$i@ *+,H 8 484488 88D>D$V4UUUt4UUUUUUtUUUtUUUUUU4UUU4UUUU#6th>Ntf!UUUUUUUVrc |jttg}g}g}t|||}|j dddt |dz |dz }|j }|tk(}|stjd|fd|tfd tjvstj|rtj|nd tj|d tjvstjtrtjtnd d z} d d | iz} ttj| dx}}|d} t!j"| d} t| v}|stjd|fdt| fdtjvstjtrtjtnddtjvstj| rtj| nddz} dd| iz} ttj| d}| d}d}||u}|sltjd|fd||ftj|tj|dz} d d | iz} ttj| dx}x}}d}|| v}|stjd|fd|| ftj|d tjvstj| rtj| nd d!z}d"d#|iz}ttj|dx}}| d}t%|t&}|s d$d%tjvstjt$rtjt$nd%dtjvstj|rtj|ndd&tjvstjt&rtjt&nd&tj|d'z} ttj| d}t)|}d(}||k(}|stjd|fd)||fd*tjvstjt(rtjt(nd*dtjvstj|rtj|ndtj|tj|d+z} d,d-| iz}ttj|dx}x}}d.|D}t+|}|sd/d0tjvstjt*rtjt*nd0tj|tj|d z} ttj| dx}}|dz j-d12}t|v}|stjd|fdt|fdtjvstjtrtjtndd3tjvstj|rtj|nd3dz} dd| iz} ttj| d}|j.}t|v}|stjd|fd4t|fdtjvstjtrtjtndd tjvstj|rtj|nd tj|d z} d d | iz} ttj| dx}}y)5utoken=`ghp_SECRET12345` 환경에서 trigger 후 audit dict 직렬화에 token raw 0 + token_hash 12자. 회장 §명시 15 금지 #12, #13. audit 에는 token_present (bool) 또는 token_hash (sha256 prefix 12자 hex) 만 등장. rlogtestrrIrJrKrRrTrUr rVrZr[NT) sort_keysrrrv serializedrrrY token_present)is)z%(py1)s is %(py4)s)rkrY token_hashr^)z%(py1)s in %(py3)sr-rsrtrbrrr3r rhrirjrlrmc3$K|]}|dv yw)0123456789abcdefNr8).0cs r z9test_token_value_never_logged_in_audit..s;1q&&;sz,assert %(py4)s {%(py4)s = %(py0)s(%(py2)s) }allrnro decision_textz2%(py0)s not in %(py4)s {%(py4)s = %(py2)s.reason })rurrvrArwr rxr ryrzr{r|r}r~rrrdumpsrr3rirrr)rrr)r.r4rrUrrrrr-rrrrrrrrrrrs r&test_token_value_never_logged_in_auditrs)?;%'H(*K+-NHk>BG  ' '?-/#o5 ( C ;;$;* $$$$;*$$$$$$3$$$3$$$;$$$$$$*$$$*$$$$$$$_FFd3J * ,,,,?*,,,,,,?,,,?,,,,,,*,,,*,,,,,,, / "*d* "d **** "d*** "***d******* !<6 !!!!<6!!!<!!!!!!6!!!6!!!!!!! %J j# && &&&&&&:&&&:&&&&&&j&&&j&&&&&&#&&&#&&& &&&&&&& z? b ?b    ?b      3   3      z   z   ?   b       ; ;;3; ;; ;;;;;;3;;;3;;;;;;; ;;;;;;;/::G:LM - ////?-//////?///?//////-///-///////#&**,?* ,,,,?*,,,,,,?,,,?,,,,,,#,,,#,,,*,,,,,,,rc (|jttg}g}g}t|||ddtd}|j dddt |dz |d z }|j }d }||k(} | stjd | fd ||fdtjvstj|rtj|ndtj|tj|dz} dd| iz} ttj| dx}x} }|j} t| v}|stjd|fdt| fdtjvstjtrtjtnddtjvstj|rtj|ndtj| dz} dd| iz} ttj| dx}} |d}t j"} | |}t|v}|sCtjd|fdt|fdtjvstjtrtjtnddtjvstjt rtjt ndtj| dtjvstj|rtj|ndtj|dz} dd| iz}ttj|dx}x} }y) ufgh stderr 에 token 이 우연히 박혀도 redact 처리되어 reason/audit 어디에도 token raw 0.rCz401 unauthorized: token=z expiredr rfailrrIrJrKfailedrR)z/%(py2)s {%(py2)s = %(py0)s.outcome } == %(py5)srU)rWrXrbassert %(py7)srcNrrrvrVrZr[r)zO%(py0)s not in %(py7)s {%(py7)s = %(py4)s {%(py4)s = %(py2)s.dumps }(%(py5)s) }rr-)rWrXrYrbrcrr)rurrvrArwr rxryrzr{r|r}r~rrrrr)rrr)r.r4rrUrrrrrrrr-rrs r.test_token_value_redacted_on_gh_runner_failurers )?;%'H(*K+-N+~..?xHG  ' '?-/#o5 ( C ;;"(";( """";(""""""3"""3""";"""(""""""""%**,?* ,,,,?*,,,,,,?,,,?,,,,,,#,,,#,,,*,,,,,,, _F"&**4*V"44?"4 4444?"4444444?444?444444$444$444*444444V444V444"44444444rc 8 |jtd|jdd|jddg}g}g}t|||}|j dddt |d z |d z }|j }|tk(}|stjd |fd |tfdtjvstj|rtj|ndtj|dtjvstjtrtjtnddz} dd| iz} ttj| dx}}d} |j } | | v} | stjd| fd| | ftj| dtjvstj|rtj|ndtj| dz}dd|iz}ttj|dx} x} } t#|} d}| |k(} | stjd | fd| |fdtjvstjt"rtjt"nddtjvstj|rtj|ndtj| tj|dz} dd| iz}ttj|dx} x} }d} t$j&} |d }| |}| |v} | stjd!| fd"| |ftj| d#tjvstjt$rtjt$nd#tj| tj|tj|d$z}d%d&|iz}ttj|dx} x} x} x}}d} |j } | | v} | stjd!| fd'| | ftj| dtjvstj|rtj|ndtj| dz}dd|iz}ttj|dx} x} } y)(uOWNER_GEMINI_TRIGGER_PAT 누락 + GH_TOKEN 존재 시 fallback X — REJECT. 회장 §명시 15 금지 #14: default GH_TOKEN fallback. 누락 시 즉시 REJECT (silent skip 금지). F)raisingGH_TOKENghp_FALLBACK_FAKE GITHUB_TOKENr nofallbackrrIrJrKrRrTrUrrVrZr[N token_missingr^)z.%(py1)s in %(py5)s {%(py5)s = %(py3)s.reason })rkrarbrrcrhrir)rjrlrmrr)zO%(py1)s not in %(py9)s {%(py9)s = %(py5)s {%(py5)s = %(py3)s.dumps }(%(py7)s) }r)rkrarbrcrzassert %(py11)spy11)z2%(py1)s not in %(py5)s {%(py5)s = %(py3)s.reason })delenvrrurArwr rxrryrzr{r|r}r~rrrrirr)rrr)r.r4rrUrrrrrrrrrrrr @py_assert8r @py_format12s r&test_default_gh_token_fallback_blockedr"s)59z#67~':;%'H(*K+-NHk>BG  ' '?-/#o5 ( C ;;*;* ****;*******3***3***;****************** (cjj(?j ((((?j(((?((((((c(((c(((j((((((( x=A=A =A33xx=A AdjjARAj&AA &A AAAA &AAAA AAAAAAdAAAdAAAjAAAAAA&AAAAAAAA 0cjj0 j 0000 j000 000000c000c000j0000000rctjd}d}|D]}||v}|stjd|fd||fdt j vstj |rtj|nddt j vstj |rtj|nddz}tjd |d zd |iz}ttj|d }|jd }d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|dz}tjd|dzd|iz} ttj| d x}}y )unowner_trigger_pat.py 소스에 merge/approve/close/reopen/push 호출 표현식 0. 회장 §명시 15 금지 #1~5 박제. 본 테스트는 모듈 소스를 파일 read 후 정적 grep. docstring / 주석 / forbidden fragment 상수 (의도된 negative list) 는 검사 대상에서 제외한다. 실제 gh api 호출 표현식이 존재하면 fail. rnro) z "pr", "merge"z"pr", "approve"z "pr", "close"z"pr", "reopen"zsubprocess.run(["git", "push"z("/repos/{owner}/{repo}/pulls/{pr}/merge"z*"/repos/{owner}/{repo}/pulls/{pr}/reviews"z .merge_pr(z .approve_pr(z .close_pr(z .reopen_pr(z .push_commit(rrpatsrcrz(forbidden call pattern found in source: rrYNzself._gh(args, env)rCrRr gh_call_countrz%expected 1 self._gh(...) call, found  >assert %(py5)srb) _OWNER_TRIGGER_SRCrryrzr{r|r}r~rrrcount) rforbidden_call_patternsrrrrrrrrs r6test_merge_approve_close_reopen_push_no_call_in_sourcerFs&  & & & 8C"'R#~QQQs#QQQQQQsQQQsQQQQQQ#QQQ#QQQQ!I#QQQQQQQR II34MV=A VVV=AVVVVVV=VVV=VVVAVVV!F}oVVVVVVVrc |jttg}g}g}t|||}|j dddt |dz |dz }|j }|tk(} | stjd| fd|tfd tjvstj|rtj|nd tj|d tjvstjtrtjtnd d z} d d | iz} ttj| dx}} |j!} | j"} t| v}|stjd|fdt| fdtjvstjtrtjtnddtjvstj| rtj| ndtj| d z} d d | iz} ttj| dx}} | j$} t| v}|stjd|fdt| fdtjvstjtrtjtnddtjvstj| rtj| ndtj| d z} d d | iz} ttj| dx}} t'j(|d} t| v}|stjd|fdt| fdtjvstjtrtjtnddtjvstj| rtj| nddz}dd|iz} ttj| d}|dz j+d}t|v}|stjd|fdt|fdtjvstjtrtjtnddtjvstj|rtj|nddz}dd|iz} ttj| d}|j,} t| v}|stjd|fdt| fdtjvstjtrtjtndd tjvstj|rtj|nd tj| d z} d d | iz} ttj| dx}} |j.} t| v}|stjd|fdt| fdtjvstjtrtjtndd tjvstj|rtj|nd tj| d z} d d | iz} ttj| dx}} |ddd }|tk(}|stjd|fd!|tftj|dtjvstjtrtjtndd"z}d#d$|iz}ttj|dx}}y)%utrigger 후 OWNER PAT 값이 stdout/stderr/audit 어디에도 leak 0. 회장 §명시 15 금지 #12, #13: token value log 0. r isolationrrIrJrKrRrTrUr rVrZr[Nr)z/%(py0)s not in %(py4)s {%(py4)s = %(py2)s.out }rvcaptured)z/%(py0)s not in %(py4)s {%(py4)s = %(py2)s.err }rr record_textrrrYrnrorr)z9%(py0)s not in %(py4)s {%(py4)s = %(py2)s.decision_path }r%rrrrsrtrb)rurrvrArwr rxr ryrzr{r|r}r~rr readouterrrUerrrrrr decision_path)rrcapsysr)r.r4rrUrrrrrrrrrrrrs r=test_owner_pat_env_isolated_no_leak_in_stdout_stderr_or_auditrksN)?;%'H(*K+-NHk>BG  ' '?-/#o5 ( C ;;$;* $$$$;*$$$$$$3$$$3$$$;$$$$$$*$$$*$$$$$$$  "H"*,,.?, ....?,......?...?......(...(...,......."*,,.?, ....?,......?...?......(...(...,.......**[_-K + ----?+------?---?------+---+-------/::G:LM - ////?-//////?///?//////-///-///////#&**,?* ,,,,?*,,,,,,?,,,?,,,,,,#,,,#,,,*,,,,,,,"%"3"33?"3 3333?"3333333?333?333333#333#333"33333333 A;u j )< )_ <<<< )_<<< )<<<<<<_<<<_<<<<<<) r)list[dict[str, Any]]r.r r4r r!r r"r3r=r)rrrBr rpytest.MonkeyPatchr=r@)r=r@)rrrr r=r@)rrrr rzpytest.CaptureFixture[str]r=r@)5__doc__ __future__rbuiltinsr{_pytest.assertion.rewrite assertionrewriteryrrsyspathlibrtypingrrrr__file__resolveparentsrr3r2insertanu_v2.owner_trigger_patr r r r r rrrrrrrvr7rrAmark parametrizerrrrrrrrrr8rrrs$#  )) x.((*2215sxx'HHOOAs?+,   e$ ' h!77 "%)    <-}=888$8 8>8D 1H.V.V#.V .Vd+-+-#+- +-\55#5 5> 1 1# 1  1H!WJ+=+=#+= '+= +=^r