j&*4dZddlmZddlZddlZddlZddlZddlmZmZddl m Z ddl m Z e hdZe dZd Zdd Zdd Zddd Zdd Zdd ddZdd ddZddddd ddZy)uOutils/review_thread_guard.py — Gemini review thread 임의 resolve 차단 + audit. task-2472 구현 1: resolveReviewThread 호출 경로 통제. medium/high/critical severity thread는 chairman approval evidence 없으면 resolve 불가. fail-closed: 거부 시 GraphQL mutation 절대 호출 안 함. audit 누락 시도 시 fail. ) annotationsN)datetimetimezone)Path)Optional>highmediumcriticalz9memory/orchestration-audit/review-thread-resolution.jsonlz mutation ResolveThread($threadId: ID!) { resolveReviewThread(input: {threadId: $threadId}) { thread { id isResolved } } } cftjtjj dS)z ISO 8601 UTC.z%Y-%m-%dT%H:%M:%SZ)rnowrutcstrftime0/home/jay/workspace/utils/review_thread_guard.py_now_isor,s! << % . ./C DDrctj|dd}tj|j dj S)u2sha256(json.dumps(record, sort_keys=True)) 반환.TF) sort_keys ensure_asciiutf-8)jsondumpshashlibsha256encode hexdigest)record serializeds r_evidence_hash_strr1s7FdGJ >>*++G4 5 ? ? AArc\|xs)ttjjddS)NWORKSPACE_ROOTz/home/jay/workspace)rosenvironget workspaces r_workspace_rootr'7s#  URZZ^^,<>STUUrcPt|tsyhd}|t|jz }|rddt |fS|j ddj sy|j ddj sy |j d dj sy y ) uoapproval_evidence 형식 검증. 필수 키: approved_by, evidence_path, ts Returns (ok, reason). )Fz approval_evidence must be a dict>ts approved_by evidence_pathFu!approval_evidence 누락 필드: r*)Fu+approval_evidence.approved_by 빈 문자열r+)Fu-approval_evidence.evidence_path 빈 문자열r))Fu"approval_evidence.ts 빈 문자열)Tok) isinstancedictsetkeyssortedr$strip)evidencerequiredmissings r_validate_approval_evidencer7;s h %85HX]]_--G9&/9JKKK << r * 0 0 2C << , 2 2 4E <<b ! ' ' ): r)approval_evidencec|xsdjj}hd}||vrdd|d||||ddS|tvr/|dd |d |||dd dSt|\}}|sdd |||||d dSd d||||d dS)ureview thread resolve 가능 여부 판정. Parameters ---------- thread_id: GitHub review thread ID. severity: "low" / "medium" / "high" / "critical" actor: 요청자 식별자 (bot name, user login 등). approval_evidence: chairman approval evidence dict. 형식: {"approved_by": str, "evidence_path": str, "ts": str} Returns ------- dict {"ok": bool, "reason": str, "detail": {...}} 규칙: - severity in ("medium", "high", "critical") → approval_evidence 필수. 없거나 형식 부적합 → ok=False. - severity == "low" → evidence 없어도 OK (audit은 별도로 필수). r,>lowrr r Fu알 수 없는 severity: 'u '. 허용: ) thread_idseverityactorr-reasondetailNz severity='uh' 스레드 resolve는 chairman approval_evidence 필수. evidence 없이 resolve 시도 → fail-closed)r;r<r=r8u!approval_evidence 형식 불량: Turesolve 허용)lowerr3APPROVAL_REQUIRED_SEVERITIESr7)r;r<r=r8valid_severitiesev_ok ev_reasons rcan_resolve_threadrFUs>B%%'--/H<''28*KHXGYZ$-8eT  //  $  +EE"+ (")-   77HIy=i[I!* ("):   "" !2    rr%c 8t} ||||||||| d } t| } i| d| i} t|} | tz }|jj ddt j| ddz}tjt|tjtjztjzd} tj||jd tj ||S#tj |wxYw) uresolve 시도 audit 기록 (JSONL atomic append). memory/orchestration-audit/review-thread-resolution.jsonl 에 line append. 필수 필드 10개: task_id, pr_number, thread_id, severity, actor, approval_evidence, result, reason, timestamp, evidence_hash ) task_id pr_numberr;r<r=r8resultr? timestamp evidence_hashT)parentsexist_okF)r ir)rrr'AUDIT_JSONL_RELparentmkdirrrr"openstrO_WRONLYO_APPENDO_CREATwriterclose)rHrIr;r<r=r8rJr?r&rK base_recordev_hashr work_roottargetlinefds rrecord_resolution_auditr`s$ I. K!-G 6 6_g 6F *I  (F MMt4 ::f5 1D 8D VbkkBKK7"**De LB T[[)*  M  s %DDF)r8repodry_runr&c | tjjdd} t||||} | ds2t ||||||d| d| } d| di| d d t | id S|r&t ||||||d d | } dd|t | dd S|} t jdddddtdd|gddddd} | jdk(} | jj}| jj}| rd }d}nd}d|}t ||||||||| } | |||t | dd S#t$r}d} d}t |}Yd}~Rd}~wwxYw)NGH_REPOzJeon-Jonghyuk/dev_workspace)r=r8r-rejectedr?) rHrIr;r<r=r8rJr?r&Fr@ audit_pathr>allowedu$dry_run=True, mutation 호출 생략Tudry_run: mutation 호출 생략)r;rfghapigraphqlz-fzquery=z-Fz threadId=)capture_outputtexttimeoutshellcheckrr,u#resolveReviewThread mutation 성공u%resolveReviewThread mutation 실패: )r;mutation_outputrf)r"r#r$rFr`rT subprocessrun_RESOLVE_MUTATION returncodestdoutr3stderr Exception)r;r<rHrIr=r8rarbr&gaterf_proc mutation_ok mutation_out mutation_errexc mut_result mut_reasons rresolve_thread_via_graphqlrs |zz~~i)FG  85  8nGhGs:G  ,/9  7$-S_M   A ~~eY012 )-     oo* {{((* {{((*  :  <\NK )+ J"+j/  3    3x  sA/D99 EEE)returnrT)rr/rrT)N)r&Optional[Path]rr)r4objectrztuple[bool, str]) r;rTr<rTr=rTr8Optional[dict]rr/)rHrTrIintr;rTr<rTr=rTr8rrJrTr?rTr&rrr)r;rTr<rTrHrTrIrr=rTr8rraz Optional[str]rbboolr&rrr/)__doc__ __future__rrrr"rrrrpathlibrtypingr frozensetrBrPrtrrr'r7rFr`rrrrrs # ' ))GHRS  E B V>)- MMM  M & M  Mt!%. .. .  .  .&. . .. .p)- $||| |  |  |&| ||| |r