jF`dZddlmZddlZddlZddlZddlZddlmZmZddl m Z ddl m Z e dZ e dz Zd Ze d Zdd Zdd Zddd ZddZddZddZd dZd!dZddd"dZddd"dZddd d#dZddd"dZdd d$dZy)%uutils/state_repair.py — checksum mismatch 복구 코드 경로 + chairman approval evidence. task-2472 구현 5: state 파일 수리는 반드시 이 모듈을 통해서만. manual 편집 금지 — evidence + sha256 백업 + audit 없으면 fail-closed. repair_action 종류: - "recompute_checksum": 기존 state 그대로 유지하고 _checksum 재계산 - "rollback_to_backup": 가장 최신 backup 파일로 복원 - "manual_fixup": new_state로 덮어쓰기 (위험, evidence 강력 검증) ) annotationsN)datetimetimezone)Path)Optionalz .tasks/statez.backupsz.verify-pending-z0memory/orchestration-audit/checksum-repair.jsonlcftjtjj dS)Nz%Y-%m-%dT%H:%M:%SZrnowrutcstrftime)/home/jay/workspace/utils/state_repair.py_now_isor&s! << % . ./C DDrcftjtjj dS)u0파일명용 타임스탬프 (YYYYMMDDTHHMMSSZ).z%Y%m%dT%H%M%SZr r rr_now_ts_compactr*s! << % . ./? @@rc\|xs)ttjjddS)NWORKSPACE_ROOTz/home/jay/workspace)rosenvironget workspaces r_workspace_rootr/s#  URZZ^^,<>STUUrctj}|jd5tfddD]}|j | ddd|j S#1swY|j SxYw)u#파일의 sha256 hex digest 반환.rbc&jdS)Ni)read)fsrz_sha256_file..7s!&&-rrN)hashlibsha256openiterupdate hexdigest)pathhchunkrs @r _sha256_filer*3sjA 4A/5 E HHUO  ;;= ;;=s &A&&A>cHtj|jSN)r!r"r&)datas r _sha256_bytesr.<s >>$  ) ) ++rctj|dd}tj|j dj S)NTF sort_keys ensure_asciiutf-8)jsondumpsr!r"encoder&)record serializeds r_evidence_hash_strr9@s7FdGJ >>*++G4 5 ? ? AArc|jDcic]\}}|dk7s ||}}}tj|dd}tj|j dj Scc}}w)u6state dict에서 _checksum 제외한 내용의 sha256. _checksumTFr0r3)itemsr4r5r!r"r6r&) state_dictkvcleanr8s r_compute_checksumrAEsh(..0 EdaA4DQT EE EETFJ >>*++G4 5 ? ? AA Fs A4A4c|jjddtj|dd}t j |jd\}} t j|dd 5}|j|d d d t j|d t j||y #1swY6xYw#t$r' t j|#t$rYwxYwwxYw) utempfile + os.replace 방식 atomic write. Gemini 리뷰 medium: tempfile.mkstemp 기본 권한이 0o600이라 os.replace 후 state 파일 권한이 제한됨. 0o644로 명시 chmod 후 replace. Tparentsexist_okF)r2indentz.tmp)dirsuffixwr3encodingN)parentmkdirr4r5tempfilemkstemprfdopenwritechmodreplace ExceptionunlinkOSError)r'r-contentfdtmprs r_atomic_write_jsonr\Ls  KKdT2jjE!GB  YYr3 1 Q GGG   e 3     IIcN     sHC3B:4C:C?C C6C&%C6& C2/C61C22C6rct|}|tz |dz }g}dddddd|d}|js|jd||Sd|d< |j d }d|d < t j|}d|d <|jdxs|jd|d<|jd} | s|jd|Sd|d<t|} | | k7r |jd| ddd| ddd|Sd|d<|S#t $r }|jd ||cYd}~Sd}~wwxYw#t j$r }|jd ||cYd}~Sd}~wwxYw)uL.tasks/state/{task_id}.json 검사. Returns ------- dict { "exists": bool, "readable": bool, "json_valid": bool, "checksum_present": bool, "checksum_match": bool, "current_state": str | None, "issues": [str, ...] } .jsonFN)existsreadable json_validchecksum_presentchecksum_match current_stateissuesstate 파일 없음: Tr_r3rKr`state 파일 읽기 실패: rau!state 파일 JSON 파싱 실패: statestatusrdr;u_checksum 필드 없음rbzchecksum mismatch: stored= z..., computed=z...rc) r STATE_DIR_RELr_append read_textrVr4loadsJSONDecodeErrorrrA) task_idr work_root state_pathreresultrYexcrhstored_checksumcomputeds r inspect_staterwgs  *I]*y->>JF!F     -j\:; F8&&&8!z  7##| $ii0GEIIh4GF?ii ,O  /0 !%F  'H?" (")=(>nXVYWY]O[^ _ M$( M=  4SE:;     9#?@ s<D+D: D7D2,D72D7:E- E("E-(E-ct|}|tz |dz }t}|js ddd|d|dS |j }t |}|tz }|jdd ||d |dz } | j|dt| ||d S#t $r}ddd|d|dcYd}~Sd}~wwxYw#t $r}dt| ||d |dcYd}~Sd}~wwxYw) u.tasks/state/{task_id}.json의 sha256 + 원본 백업 보존. 백업 위치: .tasks/state/.backups/{task_id}-{timestamp}.json Returns ------- dict {"ok": bool, "backup_path": str, "sha256": str, "ts": str} r^Frf)ok backup_pathr"tsreasonrgNTrC-u백업 파일 쓰기 실패: )rzr{r"r|) rrkrr_ read_bytesrVr.BACKUP_DIR_RELrO write_bytesstr) rprrqrrr|rYrtr" backup_dirr{s rbackup_state_filersC *I]*y->>J  B    -j\:     '')7 #F^+JTD1'!B4u55K  (;'  3  4SE:     {+5cU;    s<B%C% C. B>8C>C C-C("C-(C-) new_staterc &t|}|tz |dz }t|} | js|| z } | j s dd| ddddSt ||} | dsdd | j d dddddS| d } | d } |tz t|z } | jjd d | jtj|||tddddd}d}d} |dk(rc|j sd}ntj|j!d}t#||d<t%||t'|}d }d}n|dk(r|t(z }t+|j-|dd }|Dcgc]}t/|| k7s|}}|sd}n}|d}|j1}|j3|t'|}d }d |j4}n:|d!k(r/|d"}n0t#||d<t%||t'|}d }d#}nd$|d%}|rdnd'}|r7 | jtj|||td(ddd t7||||t/| | || |||) }||t/|| dS#t$r}dd|dd| dcYd}~Sd}~wwxYwcc}w#t$r}d&|}d}Yd}~d}~wwxYw#t$rY~wxYw#t$r}dd*|d+d| dcYd}~Sd}~wwxYw),ustate 파일 수리 (chairman approval evidence 필수). fail-closed: - evidence_path 파일 부재 → reject - sha256 백업 실패 → reject - audit 기록 실패 → reject - repair 후 .verify-pending 마커 생성 (verify_consistency 호출 강제) Parameters ---------- approved_by_chairman: chairman 승인자 식별자. evidence_path: approval evidence 파일 경로 (반드시 실제 파일 존재). actor: 요청자. repair_action: "recompute_checksum" | "rollback_to_backup" | "manual_fixup" new_state: manual_fixup 시 새 state dict. Returns ------- dict {"ok": bool, "reason": str, "audit_path": str, "backup_path": str} r^Fuevidence_path 파일 없음: u — repair 거부 (fail-closed)ry)rzr} audit_pathr{rrzusha256 백업 실패: r}r"r{TrCz pre-repair)rp repair_actionactorr|stager2r3rKu,verify-pending 마커 사전 생성 실패: u — repair 중단 (fail-closed)Nrecompute_checksumu/state 파일 없음 (recompute_checksum 불가)r;uchecksum 재계산 완료rollback_to_backupz-*.json)reverseu%복원할 이전 backup 파일 없음rubackup 복원 완료: manual_fixupu manual_fixup에 new_state 필수u.manual_fixup 완료 (chairman approval 적용)u알 수 없는 repair_action: ''urepair 실행 중 예외: rejectedz post-repair) rprrapproved_by_chairman evidence_pathinput_state_sha256output_state_sha256r{rsr}ruaudit 기록 실패: u — fail-closed)rrkr is_absoluter_rrVERIFY_PENDING_PREFIXrNrO write_textr4r5rrVrnrmrAr\r*rsortedglobrrrnamerecord_repair_audit)rprrrrrrrqrrev_path backup_result input_sha256r{ marker_pathrt output_sha256 repair_ok repair_reasonrhrbackupsb prev_backups latest_backuprY result_strrs r repair_statersH *I]*y->>J=!G    g% >> 5gY>^_   &gCM  .}/@/@2/N.OOop   !*L .K m+1F0Gy.QQK    = JJ&%2""*) #   ,MIM- 0 0$$& Q  :#7#7#7#IJ%6u%=k"":u5 ,Z 8  ; 2 2"^3JZ__y-@A4PG'.H!#a&K2GAHLH G ,Q '224&&w/ ,Z 8  "89K9K8L M n , B *;9)E +&":y9 ,Z 8  P =m_ANM# J   " " #*)6!&&j!. "' ! # $ ('!5g,+ -#   .*o"  Y  DSEIij&    >I2 4SE:  0   &  -cU2BC&    s"AJ ) J93J>9J>K K KK # K/.K/2 L; L L Lct|}|tz t|z }i}t||}||d<|dsdd|dS|dsdd|dS|d sdd |dS|d s dd |d |dSd|d<|j r |j d|d<n d|d<d|d<dd|dS#t $r}d|d<dd||dcYd}~Sd}~wwxYw)urepair 후 호출되어야 하는 후속 검증. 체크: - state file checksum 일치 - .verify-pending 마커 제거 (consistency 통과 시) - FAIL 시 마커 유지 Returns ------- dict {"ok": bool, "reason": str, "checks": {...}} r state_inspectr_Fu/state 파일 없음 — verify-consistency FAIL)rzr}checksrau;state 파일 JSON 파싱 실패 — verify-consistency FAILrbu3_checksum 필드 없음 — verify-consistency FAILrcu7checksum mismatch — verify-consistency FAIL. issues: reT checksum_okverify_pending_removedu%verify-pending 마커 제거 실패: Nu*마커가 없어 제거 불필요 (정상)verify_pending_noteuFverify-consistency PASS: checksum 일치, verify-pending 마커 제거)rrkrrwr_rWrV)rprrqrr inspectionrts rverify_consistencyrs` *Im+1F0Gy.QQKFw)8C>Cc <t} |||||||||| | d } t| } i| d| i}t| }|tz }|jj ddt j|ddz}tjt|tjtjztjzd} tj||jd tj ||S#tj |wxYw) u#checksum repair audit 기록. memory/orchestration-audit/checksum-repair.jsonl 에 line append. 필수 필드: task_id, actor, repair_action, approved_by_chairman, evidence_path, input_state_sha256, output_state_sha256, backup_path, result, reason, timestamp, evidence_hash ) rprrrrrrr{rsr} timestamp evidence_hashTrCFr rMr3)rr9rAUDIT_JSONL_RELrNrOr4r5rr#rO_WRONLYO_APPENDO_CREATrSr6close)rprrrrrrr{rsr}rr base_recordev_hashr7rqtargetlinerZs rrrs( I& 4&02" K!-G 6 6_g 6F *I  (F MMt4 ::f5 1D 8D VbkkBKK7"**De LB T[[)*  M  s %DD)returnrr,)rOptional[Path]rr)r'rrr)r-bytesrr)r7dictrr)r=rrr)r'rr-rrNone)rprrrrr)rprrrrrrrrrrzOptional[dict]rrrr)rprrrrrrrrrrrrrr{rrsrr}rrrrr)__doc__ __future__rr!r4rrPrrpathlibrtypingrrkrrrrrrr*r.r9rAr\rwrrrrr rrrs # '^$ +*IJEA V,B B6@DDNDH7B!% $E EE E  E  EEE EPEIFj!%0 0 0 0  0  0000 0 00 0r