From f19fe4aa907f93651ed0ed5e589ab35b9ccbd040 Mon Sep 17 00:00:00 2001 From: AWOOOI CD Date: Wed, 13 May 2026 10:41:33 +0800 Subject: [PATCH 1/2] chore(cd): deploy 1a03bce [skip ci] --- k8s/awoooi-prod/kustomization.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/k8s/awoooi-prod/kustomization.yaml b/k8s/awoooi-prod/kustomization.yaml index d957ee49..b6ca3166 100644 --- a/k8s/awoooi-prod/kustomization.yaml +++ b/k8s/awoooi-prod/kustomization.yaml @@ -40,7 +40,7 @@ resources: images: - name: 192.168.0.110:5000/library/api:IMAGE_TAG_PLACEHOLDER newName: 192.168.0.110:5000/awoooi/api - newTag: 42789dbe9ebf5d1f3405048173ee1406997bec0b + newTag: 1a03bceb5c57bc906b6b95acc3947ea71dcd7927 - name: 192.168.0.110:5000/library/web:IMAGE_TAG_PLACEHOLDER newName: 192.168.0.110:5000/awoooi/web - newTag: 42789dbe9ebf5d1f3405048173ee1406997bec0b + newTag: 1a03bceb5c57bc906b6b95acc3947ea71dcd7927 From 85a1bcef52dbae20a8457db1fddebe5fccf8055c Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 13 May 2026 10:46:25 +0800 Subject: [PATCH 2/2] docs(awooop): record t8 post verify gateway deployment --- docs/LOGBOOK.md | 51 +++++++++++++++++++ ...-04-15-MASTER-ai-autonomous-flywheel-v2.md | 15 +++++- 2 files changed, 65 insertions(+), 1 deletion(-) diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 9569b503..6bf74e3b 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,54 @@ +## 2026-05-13 | T8 PostExecutionVerifier read-only Gateway path 已推版 + +**背景**:T7 已把 pre-decision sense path 接進 first-class AwoooP MCP Gateway,但修復後驗證 `PostExecutionVerifier` 仍是直接呼叫 provider。這會讓 Operator 看得到執行前 MCP,但看不清「修復後是否真的透過治理閘門重新取證」。 + +**修正**: +- `post_execution_verifier.py` 新增 `_execute_tool()`。 +- production `AuditedMCPToolProvider` 改走 `McpGateway`: + - `project_id=awoooi` + - `agent_id=post_execution_verifier` + - `required_scope=read` + - `is_shadow=true` + - `flywheel_node=verify` +- 測試 / 手動注入的 raw provider 維持直呼,不破壞既有 unit tests。 +- 邊界:只處理 read-only 修復後驗證;approval execution SSH / write/admin tool 尚未改走 Gateway。 + +**驗證與推版**: +- Local: + - `py_compile apps/api/src/services/post_execution_verifier.py`:pass。 + - `ruff --select F,E9 apps/api/src/services/post_execution_verifier.py apps/api/tests/test_post_execution_verifier.py`:pass。 + - `pytest tests/test_post_execution_verifier.py tests/test_pre_decision_investigator.py tests/test_mcp_gateway_audit.py -q`:58 passed。 + - `pytest tests/test_post_execution_verifier.py tests/test_self_healing_validator_integration.py tests/test_p3_tier1_integrations.py tests/test_learning_chain_e2e.py tests/test_mcp_gateway_audit.py tests/test_mcp_gateway_gate5.py tests/test_mcp_audit_service.py -q`:65 passed。 + - `git diff --check`:pass。 +- Gitea: + - `1a03bceb feat(awooop): route post verify mcp through gateway` 已推 `gitea main`。 + - Code Review run `1980`:success。 + - CD run `1979`:success。 + - Deploy marker:`f19fe4aa chore(cd): deploy 1a03bce [skip ci]`。 +- Production: + - API/Web/Worker image 均為 `1a03bceb5c57bc906b6b95acc3947ea71dcd7927`。 + - K3s rollout status:API/Web/Worker success。 + - Health:host-local NodePort `127.0.0.1:32334` healthy / mock_mode=false,PostgreSQL / Redis / OpenClaw / SignOz 皆 up。 + - Gateway smoke: + - `trace_id=codex-t8-postverify-ccdeacfd` + - registry tools:56。 + - `state_keys=['k8s_describe_pod','k8s_get_events','k8s_get_hpa_status','k8s_get_node_conditions','k8s_get_pod_logs']` + - audit rows:5 筆 `agent_id=post_execution_verifier`,全部 `gateway_path=awooop_mcp_gateway`、`policy_enforced=true`、`required_scope=read`、`is_shadow=true`。 + - post-verify gateway counts:`post_verify_total=179`、`post_verify_first_class=5`、`post_verify_success=92`、`post_verify_failed=87`。 + +**整體進度**: +- Wave 0:MOMO PostgreSQL backup → AwoooP 失敗通知接線完成並已推版。 +- T0:Truth-chain read-only API 完成、部署、production smoke 完成。 +- T1:Channel Event hardening 完成、部署、production smoke 完成。 +- T2:legacy MCP audit bridge / backfill / truth-chain visibility 完成、部署、production smoke 完成。 +- T3:Ansible audit contract + decision candidate dry-run audit 完成、部署、production smoke 完成。 +- T4:Config Drift stable fingerprint / repeat-state / Telegram stage visibility 完成、部署、production smoke 完成。 +- T5:Incident / Approval / Execution reconciliation 完成、部署、production smoke 完成。 +- T6:Incident timeline / Telegram detail reconciliation visibility 完成、部署、production smoke 完成。 +- T7:first-class MCP Gateway read-only sense path 完成、部署、production smoke 完成。 +- T8:PostExecutionVerifier read-only Gateway path 完成、部署、production smoke 完成。 +- 整體完成度:約 62%。仍未完成 write/admin MCP Gateway enforcement、approval execution SSH 路徑改走 Gateway、Ansible 真正 check-mode executor / diff / apply / rollback、Operator Console 前端完整呈現、root cause 修復 execution / incident closure 矛盾。 + ## 2026-05-13 | T7 first-class MCP Gateway read-only sense path 已推版 **背景**:T2 已把 legacy MCP 呼叫 bridge/backfill 到 `awooop_mcp_gateway_audit`,但 production 真相是 `awooop_mcp_tool_registry` / grants / active agent contracts 對 `awoooi` 幾乎未啟用,`first_class=0`。這代表 Operator 雖看得到 MCP 相關紀錄,仍不能證明告警調查真的穿過 AwoooP MCP Gateway 五閘門。 diff --git a/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md b/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md index 924038a2..7ee6cb5e 100644 --- a/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md +++ b/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md @@ -369,7 +369,7 @@ source_event_received **T0 first implementation(2026-05-12 22:50 台北)**:新增 read-only `GET /api/v1/platform/truth-chain/{source_id}`,由 Operator Console auth 保護,聚合 incident / drift / approval / evidence / legacy MCP / AwoooP MCP Gateway / automation_operation_log / KM / timeline / outbound mirror。此 endpoint 只揭露現況與缺口,不改任何 incident、approval、execution 或 Telegram state。 -**當前紅線**:T0-T7 已補上第一批查詢/詳情可觀測性,且 T7 已讓 pre-decision read-only sense path 進入 first-class AwoooP MCP Gateway;但這仍不是「所有 MCP / 自建 MCP / write-admin tool 全面 enforcement」。T3 仍不是 Ansible check-mode / apply executor,T6 也只把 reconciliation 推進詳情層。任何「中低風險告警已有完整 AI 自動修復」仍必須逐案查證,不能全域宣稱。 +**當前紅線**:T0-T8 已補上第一批查詢/詳情可觀測性,且 T7/T8 已讓 pre-decision sense 與 post-execution verify 的 read-only MCP path 進入 first-class AwoooP MCP Gateway;但這仍不是「所有 MCP / 自建 MCP / write-admin tool 全面 enforcement」。T3 仍不是 Ansible check-mode / apply executor,T6 也只把 reconciliation 推進詳情層。任何「中低風險告警已有完整 AI 自動修復」仍必須逐案查證,不能全域宣稱。 **T1 first implementation(2026-05-12 23:20 台北)**:開始補 `awooop_outbound_message` 的真相鏈欄位:`content_redacted`、`redaction_version`、`source_envelope`。設計邊界是只保存 redacted rendered card 與 source metadata 摘要;raw Telegram payload、完整 callback data、未遮蔽 token 不入庫。production DB migration 已預套用,API app role 在 `app.project_id=awoooi` 下可讀 outbound rows(`total=312`),代表 T1 的 RLS visibility 紅燈已先驗證可見;新欄位需等 T1 API image 上線後才會產生非空資料。 @@ -2002,6 +2002,19 @@ Phase 6 完成後 - first-class Gateway count:0 → 16 - 邊界:T7 只完成 pre-decision read-only sense path。write/admin MCP、PostExecutionVerifier production path、approval execution SSH、Ansible check-mode/apply/rollback 仍未完成,不能宣稱所有 MCP 或自動修復流程都已全面治理。 +**T8 PostExecutionVerifier read-only Gateway path production verified(2026-05-13 台北)**: +- `1a03bceb feat(awooop): route post verify mcp through gateway` 已推 Gitea main。 +- Deploy marker:`f19fe4aa chore(cd): deploy 1a03bce [skip ci]`;Code Review run `1980` success,CD run `1979` success。 +- Production API/Web/Worker image 均為 `1a03bceb5c57bc906b6b95acc3947ea71dcd7927`,K3s rollout success,host-local health healthy / `mock_mode=false`。 +- `PostExecutionVerifier` production audited providers 會以 `agent_id=post_execution_verifier`、`required_scope=read`、`is_shadow=true` 呼叫 AwoooP MCP Gateway;raw unit-test provider 維持直呼。 +- Production Gateway smoke: + - `trace_id=codex-t8-postverify-ccdeacfd` + - registry tools:56 + - state keys:`k8s_describe_pod`、`k8s_get_events`、`k8s_get_hpa_status`、`k8s_get_node_conditions`、`k8s_get_pod_logs` + - 5 筆 audit rows 全部為 `gateway_path=awooop_mcp_gateway`、`policy_enforced=true`、`required_scope=read`、`is_shadow=true` + - `post_verify_first_class=5` +- 邊界:T8 只完成修復後 read-only 驗證 path。approval execution SSH / write-admin MCP / Ansible check-mode / apply / rollback 仍未完成,不能宣稱真正自動修復閉環已全面完成。 + --- ### 2026-04-20 晚 (台北) — C1-C4 全流程串接 — Playbook 鏈路保護(commit de2d34d)