jE[UdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z m Z mZddlmZmZddlmZddlmZmZmZmZmZgdZd Zd Zd Zd Zd ZeeeeefZde d<dZ!dZ"edZ#GddZ$dZ%de d<dZ&de d<ejNdejNdejNdejNdejNdfZ(de d<ejNd Z)ejNd!Z*ejNd"Z+d@d#Z,dAd$Z-dBdCd%Z.dDd&Z/e d'(Gd)d*Z0 dEd+Z1dd, dFd-Z2e d'(Gd.d/Z3ed0d1dGd2Z4e4d3 dHd4Z5d'ejldd5 dId6Z7e d'(Gd7d8Z8d9Z9de d:<dd; dJd<Z:dKd=Z;dLdMd>Z``로 치환한다. 3. **Misroute detection (회장 §5)** — 잘못된 ``--session`` cron PID를 감지하고 soft kill (dry-run 우선)을 제안한다. 4. **Evidence-based recover (회장 §5)** — worktree / PR / CI / audit 7 signal로 실제 변경 발생 여부를 점검하고 ``contaminated_execution`` 또는 ``clean_abort``로 분류한다. 회장 §금지: - ❌ token / raw key / session secret 원문 기록 - ❌ admin override / owner_pat fallback - ❌ dispatch.py / cokacdir CLI 본체 수정 - ❌ Critical 7종 외 회장 보고 - ❌ SIGKILL (soft kill = SIGTERM only, dry-run default) CLI: python3 utils/cron_targeting_audit.py --append --task-kind merge_task ... python3 utils/cron_targeting_audit.py --detect-misroute --pid 448820 python3 utils/cron_targeting_audit.py --recover --task-id task-2526 ) annotationsN)asdict dataclassfield)datetimetimezone)Path)CallableMappingOptionalSequenceTuple)DEFAULT_AUDIT_JSONL_PATHREQUIRED_AUDIT_FIELDS_2526TASK_KIND_INDEPENDENTTASK_KIND_MERGE TASK_KIND_BOTTASK_KIND_FOLLOWUP_ROACTOR_BOT_SESSIONACTOR_ANU_SESSION BlockedReasonCronTargetingAuditRecordMisrouteReport RecoveryPlan hash_bot_keysanitize_command_previewensure_no_raw_secretsbuild_audit_recordappend_audit_jsonldetect_misrouted_sessionsoft_kill_misroutedevidence_based_recoverindependent_task merge_taskbot_taskfollowup_readonlyhuman_responseTuple[str, ...]ALLOWED_TASK_KINDS bot_session anu_sessionz5memory/orchestration-audit/cron-targeting-audit.jsonlc>eZdZUdZdZdZdZdZdZeeeeefZ de d<y ) ruF짧은 enum 모음 — 새 abstraction이 아닌 좁은 상수 묶음.,independent_task_must_not_resume_anu_session'merge_task_must_not_inherit_anu_sessionbot_key_missing_for_bot_task!target_bot_session_owner_mismatch owner_pat_fallback_path_detectedr(ALLN) __name__ __module__ __qualname____doc__INDEPENDENT_TASK_WITH_SESSIONMERGE_TASK_WITH_SESSIONBOT_KEY_MISSING_FOR_BOT_TASKTARGET_SESSION_OWNER_MISMATCHOWNER_PAT_FALLBACK_DETECTEDr2__annotations__1/home/jay/workspace/utils/cron_targeting_audit.pyrrdsBP$R!G#A $G!"D &$%# Cr>r)cron_id target_bottarget_bot_key_hashsession_id_presentsession_id_allowed task_kindactor_expectedactor_actual_if_knownr)command_preview_sanitizedblocked_reasonSUPPLEMENTARY_AUDIT_FIELDS_2526zghp_[A-Za-z0-9]{20,}zghs_[A-Za-z0-9]{20,}zgithub_pat_[A-Za-z0-9_]{20,}z\bsk-[A-Za-z0-9]{20,}\bz\bxoxb-[A-Za-z0-9-]{20,}\bzTuple[re.Pattern, ...]_RAW_TOKEN_PATTERNSz!(--key)(\s+|=)(['\"].*?['\"]|\S+)z%(--session)(\s+|=)(['\"].*?['\"]|\S+)zN\b([A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)=(['\"].*?['\"]|\S+)cr|sytj|jdjddS)uSbot_key를 sha256(첫 16 hex)으로 마스킹. None / 빈 문자열은 None 반환.Nutf-8)hashlibsha256encode hexdigest)bot_keys r?rrs0  >>'..1 2 < < >s CCr>c0t|dk\r|dddSy)u*UUID-shaped 값을 short prefix로 redact.Nu …(redacted)z (redacted)len)values r? _redact_uuidrZs# 5zQ)M** r>cN |}dd d fd }tj||}d fd }tj||}d d}tj||}tD]}|jd|}t j d}d fd }|j||}|S) u``cokacdir --cron`` 형태의 command 문자열을 audit-safe 형태로 마스킹. - ``--key `` → ``--key `` - ``--session `` → ``--session …(redacted)`` - ``XXX_KEY=…`` / ``XXX_TOKEN=…`` 환경변수 → ``XXX_KEY=`` - 알려진 token prefix (ghp_/ghs_/sk-/xoxb-) → ```` - prompt 본문은 80자로 절단 (과도한 문맥 노출 차단). cPt|dk\r|d|dk(r |ddvr|ddS|S)Nr)'"rW)raws r? _strip_quotesz/sanitize_command_preview.._strip_quotess8 s8q=SVs2w.3q6Z3Gq9  r>cr|jd}|jddt|dS)Nraz )groupr)mrbrcs r?_key_subz*sanitize_command_preview.._key_subs6AGGAJ'''!*W\#%6$7q99r>c l|jddt|jdS)Nra re)rgrZ)rhrcs r? _session_subz.sanitize_command_preview.._session_subs/''!*Q|M!''!*,EFGHHr>c*|jddS)Nraz =)rg)rhs r?_env_subz*sanitize_command_preview.._env_subs''!*[))r>z z#(--cron\s+)("([^"]*)"|\'([^\']*)\')c|jd}|jd|jdn|jd}||jdSt|kDr|ddz}|d|dS)NrarerVru…r`)rgrX)rhprefixbodymax_prompt_charss r? _cron_subz+sanitize_command_preview.._cron_subszWWQZ3qwwqz <771:  t9' '))*U2D4&""r>)rbstrreturnrt)rhzre.Matchrurt) _KEY_FLAG_REsub_SESSION_FLAG_RE _KEY_ENV_RErKrecompile) commandrrsrirlrnpat cron_quote_rersrcs ` @r?rrs A: 1%AI\1-A*!$A#% GGL! $%JJEFM# )Q'A Hr>cNtj|dt}tD].}|j |}|st d|j dtjd|r t dtjd}|j |r t dy ) u_payload(any JSON-serializable)에 raw secret pattern이 남아있으면 ValueError. 회장 §4 보안 정합 — audit JSONL append 직전 호출. sanitize_command_preview를 거친 값은 ```` / ```` / ``…(redacted)`` 형태이므로 통과한다. 마스킹되지 않은 raw key/session/token만 차단한다. F) ensure_asciidefaultz6raw secret pattern detected in audit payload (pattern=z); refusing to write JSONLz--key(?:\s+|=)(?!<)\Sz:raw --key value detected in audit payload (must be hashed)z@\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\bz=raw session UUID detected in audit payload (must be redacted)N) jsondumpsrtrKsearch ValueErrorpatternrzr{)payloadtextr~rh full_uuid_res r?rrs ::gE3 ?D" JJt  KK?*DF  yy)40 H  ::KL4  K  !r>T)frozenceZdZUdZded<ded<ded<ded<ded<d ed <d ed <ded <d ed <ded<edZd ed<ddZy)ru:task-2526 audit record. token/session secret raw 0 노출. Optional[str]r@rArBboolrCrDrtrErFrGrHrIctjtjj j ddS)Ntz+00:00Z)rnowrutc isoformatreplacer=r>r?z!CronTargetingAuditRecord.s(HLLHLL,IY[3!7r>)default_factorytsct|SN)r)selfs r?to_dictz CronTargetingAuditRecord.to_dicts d|r>N)rudict)r3r4r5r6r<rrrr=r>r?rrs[D &&N((""!!%89B9r>rc |tvrtdtd|| 1| tjvrtdtjd| t |} t ||t ||duxr|dk7t||||| |  } | S)uRraw bot_key / raw session_id를 안전하게 hash/flag로 변환해 record 빌드.ztask_kind must be one of z, got Nzblocked_reason must be one of z or None, got ) r@rArBrCrDrErFrGrHrI)r)rrr2rrrr) r@rArS session_idrDrErFrGcommand_previewrI sanitizedrecords r?rrs**'(:';6) O  !nM->,?@!$ &  )9I %(1%T1FjB6F 23%3"+% F Mr> audit_pathc| t|nt}|j}t||j}t |r|j ddtj|ddz}t|dd 5}tj|jtj |j||jt!j"|jtj|jtj$ ddd|S#tj|jtj$wxYw#1swY|SxYw) uLfcntl 락으로 record를 JSONL append. raw secret 정적 검증 후 기록.NTparentsexist_okFr arMencoding)r rrrparentrtmkdirrropenfcntlflockfilenoLOCK_EXwriteflushosfsyncLOCK_UN)rrtargetrrlinefhs r?rrBs ",!7T* =UFnnG'" ]]F 6{ TD 1 ::gE 2T 9D fcG ,4 BIIK/ 4 HHTN HHJ HHRYY[ ! KK U]] 34 M KK U]] 34 Ms%3E-5AD692E-64E**E--E7cJeZdZUded<ded<ded<ded<ded <ded <y ) rintpidrhas_session_flagrsession_id_redactedsuspected_misroutertcmdline_preview_sanitizedreasonNr3r4r5r<r=r>r?rrbs% H&&"" r>rz/proc) proc_rootc|t|z dz } |j}|j ddj ddjS#tttf$rYywxYw)Ncmdline rMr)errors)rt read_bytesFileNotFoundErrorPermissionErrorOSErrorrdecodestrip)rrcmdfilerbs r?_read_proc_cmdlinerlso#c("Y.G  " ;;w % , ,WY , G M M OO  8sAA+*A+)cmdline_readercN||}|t|dddddSt|}ttj |}d}|r1tj |}|rt |j d}d|vxrd|vxsd |v}|xr|}|rd nd} t|||||| S) uPID의 cmdline을 검사해 ``--session `` 동반 cron 흐름이면 misroute로 분류. cmdline_reader는 테스트용 주입 포인트. NFz proc_cmdline_unreadable)rrrrrrrecokacdirz--cronsafe_cron_dispatchcron_dispatch_with_session_flag)rrrrxrrZrg) rrrr has_sessionsession_redactedrhis_cron_dispatch suspectedrs r?r r usS!G" $$&5,   )1I'..w78K&*  # #G , +AGGAJ7  w  68w#6 - G + 0 0I  *   $,$"+  r>)dry_runkillerrcPt|}|rdnd}d}|jr|s ||tjd}||j|||j|j|jd}| t|nt} | jjddt!j"t$j& j)j+d d d d |} t-| t/j0| ddz} t3| dd5} t5j6| j9t4j: | j=| | j?t5j6| j9t4j@ ddd|S#tt t f$r#}dt|j}Yd}~d}~wwxYw#t5j6| j9t4j@wxYw#1swY|SxYw)umisroute 의심 PID에 SIGTERM(soft) 신호. dry_run이면 호출만 시뮬레이트. SIGKILL 절대 사용 안 함 (회장 §5). rsigtermFTzsigterm_failed:N)rraction signal_sentrrrrrrrsoft_kill_audit_2526)rkindrrrrMr)!r rsignalSIGTERMProcessLookupErrorrrtyper3rrrr rrrrrrrrrrrrrrrrrrrr) rrrrreportrsenteresult audit_target audit_payloadrrs r?r!r!s&c *F!YyF D    : 3 'D $77--%99%+%E%EF(2'=4 #C[LdT:llhll+557??#N& M -( ::m% 84 ?D lC' 24b BIIK/ 4 HHTN HHJ KK U]] 3 4 MA#OW= :&tAw'7'7&89F :< KK U]] 3 4 Ms;F*3H !G$-2H*G!>GG!$4HHH%cJeZdZUded<ded<ded<ded<ded<ded <y ) rrttask_idclassificationr(signals_checkedsignals_with_evidence next_stepsrredispatch_requiredNrr=r>r?rrs% L$$**r>r) worktree_diffworktree_untrackedbranch_unpushed_commitsremote_branch_existsopen_pr_for_taskci_run_for_branchaudit_jsonl_evidence_RECOVERY_SIGNALSsignalscPt|tr|js td!t |dt t ddSt fdt D}t fd|D}|rt |d||d d St |d |t d d S) u7 signal mapping으로 회복 계획 산출. signals dict에 ``True``인 signal이 1개라도 있으면 ``contaminated_execution``, 모두 ``False``면 ``clean_abort``, signals=None이면 ``no_evidence``로 분류. ztask_id must be a non-empty str no_evidence)z.1) collect 7 signals from worktree/PR/CI/auditz22) re-run evidence_based_recover with signals dictFrrrrrrc3,K|] }|vs| ywrr=.0r}rs r? z)evidence_based_recover..sA!ALAAs c3HK|]}j|ds|yw)FN)getrs r?r z)evidence_based_recover..sF Au0E!Fs""contaminated_execution)z,1) freeze branch / no force-push / no rebaseuC2) report contaminated_execution to chairman chat (Critical 7종 X)z<3) verify whether commit/push/merge happened on bot identityuT4) if owner_pat fallback detected → log capability_gap, do not redispatch silentlyzT5) once chairman acknowledges, redispatch via safe_cron_dispatch with proper bot keyT clean_abort)u81) no commit/push/PR/CI/audit evidence → safe to abortzH2) redispatch via safe_cron_dispatch with correct bot key + no --session) isinstancertrrrtupler)rrchecked with_evidences ` r?r"r"s gs #7==?:;;(!G"''!&  A0AAGFWFFM3#"/!%   $#g !  r>ctjdd}|jdd}|jdd }|j d d |j d d |j d dd|j ddd|j dd|j ddt |j ddt tg|j dd |j dd|j dd |j dd |jd}|j dtd|jd }|j dtd|j d!dd"#|jd$}|j d%d|j d&dd'|S)(Ncron_targeting_auditz6task-2526 cron targeting audit / kill / recover helper)prog descriptioncmdT)destrequiredappenduaudit JSONL append 1건)helpz --cron-id)rz --target-botz --bot-keyu raw key (해시되어 기록됨))rrz --session-idu+raw session id (포함 여부만 기록됨)z--session-allowed store_true)rz --task-kind)rchoicesz--actor-expectedz--actor-actualz--command-preview)rz--blocked-reasonz --audit-pathdetect-misroutez--pid)rr soft-killz--applyu*기본 dry-run; --apply 시 SIGTERM 실송)rrrecoverz --task-idz--signals-jsonz,dict JSON e.g. '{"worktree_diff":false,...}') argparseArgumentParseradd_subparsers add_parser add_argumentr)rrr)parserrwp_appendp_detectp_killp_recs r?_build_arg_parserr+3s  $ $ #LF   UT  :C~~h-F~GH +t4 .$7 +tAC .$LN -lC -$@RS ,t#46G"HJ *D9 -= ,d; .$7~~/0H 'd; ^^K (F cD9  ,IK NN9 %E {T2 'LN Mr>c t}|j|}|jdk(rt|j|j |j |jt|j|j|j|j|j|j }t||j rt#|j nd}t%t'j(dt+|ddy|jd k(r?t-|j.}t%t'j(t1|dy|jd k(rCt3|j.|j4 }t%t'j(|dy|jd k(rd}|j6rt'j8|j6}t;|j<| }t%t'j(|j<|j>tA|jBtA|jDtA|jF|jHddy|jKy)Nr) r@rArSrrDrErFrGrrIrT)okrFrrrr)rr rrr])&r+ parse_argsrrr@rArSrrsession_allowedrErF actor_actualrrIrrr printrrrtr rrr!apply signals_jsonloadsr"rrlistrrrr print_help) argvr&argsrpathrrsig_mapplans r? _cli_mainr<Ys  F   T "D xx8#LLLL#D$8$89nn.."&"3"3 00..  " 04tDOO,T  djjCI>UST xx$$)$((3 djje<= xx;$TXX4::~F djje45 xx904   jj!2!23G%dllGD djj||"11#D$8$89%)$*D*D%Et/#'#;#;     r>__main__)rSrrur)rYrtrurt)P)r|rtrrrrurt)robjectruNone)r@rrArrSrrrrDrrErtrFrtrGrrrtrIrrur)rrrOptional[Path]rur )rrrr rur)rrrzCallable[[int], Optional[str]]rur) rrrrrzCallable[[int, int], None]rrArur)rrtrzOptional[Mapping[str, bool]]rur)ruzargparse.ArgumentParserr)r7zOptional[Sequence[str]]rur)?r6 __future__rr!rrOrrrzrsys dataclassesrrrrrpathlibr typingr r r r r__all__rrrrTASK_KIND_HUMAN_RESPONSEr)r<rrrrrrJr{rKrvrxryrrZrrrrrrrr killr!rrr"r+r<r3exitr=r>r?rKs><#  00'?? 8+ ++ 'O"!;, /O 4BJJ&'BJJ&'BJJ./BJJ)*BJJ,- /+rzz>? 2::FGbjjU D2 j F $(% %% %  %  %%%)%%"%%V"& $ @ $7;7mP6H. .3. .h)+!% 2 22 ' 2  2  2r $&?-17 7*7 7|#L2 j z CHHY[r>