fix: risklevel migration 自動化 + Telegram Whitelist 注入

1. init_db() 啟動時自動確保 risklevel enum 包含 'high' 值 (Phase 23 新增，避免舊 DB 缺值導致 InvalidTextRepresentation) 2. CD Pipeline 新增 OPENCLAW_TG_USER_WHITELIST 自動注入 (之前為 CHANGE_ME，已更新為實際 user ID 5619078117) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 09:13:13 +08:00
parent 3ecfe7b3f5
commit 628387de8c
2 changed files with 28 additions and 0 deletions
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -142,6 +142,8 @@ jobs:
          # 2026-04-01 Claude Code: Langfuse LLMOps keys (Phase 15.1 補齊 CD 注入)
          LANGFUSE_PUBLIC_KEY: ${{ secrets.LANGFUSE_PUBLIC_KEY }}
          LANGFUSE_SECRET_KEY: ${{ secrets.LANGFUSE_SECRET_KEY }}
+          # 2026-04-02 Claude Code: Telegram 白名單 (授權簽核用)
+          TG_USER_WHITELIST: ${{ secrets.OPENCLAW_TG_USER_WHITELIST }}
        run: |
          mkdir -p ~/.ssh
          echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
@@ -186,6 +188,13 @@ jobs:
            echo "⚠️ LANGFUSE_PUBLIC_KEY/SECRET_KEY 未設定，跳過 (現有 K8s secret 值維持不變)"
          fi

+          # 2026-04-02 Claude Code: Telegram Whitelist (授權簽核用戶 ID)
+          if [ -n "${TG_USER_WHITELIST}" ]; then
+            sudo kubectl patch secret awoooi-secrets -n awoooi-prod --type='json' -p='[
+              {"op":"add","path":"/data/OPENCLAW_TG_USER_WHITELIST","value":"'$(echo -n "${TG_USER_WHITELIST}" | base64 -w 0)'"}
+            ]' && echo "✅ TG_USER_WHITELIST 已注入" || echo "⚠️ TG_USER_WHITELIST patch 失敗"
+          fi
+
          echo "✅ 所有 Secrets 注入完成"
          SECRETS

--- a/apps/api/src/db/base.py
+++ b/apps/api/src/db/base.py
@@ -16,6 +16,7 @@ Features:
 from collections.abc import AsyncGenerator
 from contextlib import asynccontextmanager

+from sqlalchemy import text
 from sqlalchemy.ext.asyncio import (
    AsyncEngine,
    AsyncSession,
@@ -145,6 +146,24 @@ async def init_db() -> None:
    async with engine.begin() as conn:
        await conn.run_sync(Base.metadata.create_all)

+        # 2026-04-02 Claude Code: 確保 risklevel enum 包含 'high' 值
+        # Phase 23 新增，避免舊 DB 缺少此值導致 InvalidTextRepresentation
+        await conn.execute(
+            text("""
+            DO $$
+            BEGIN
+                IF NOT EXISTS (
+                    SELECT 1 FROM pg_enum
+                    WHERE enumtypid = 'risklevel'::regtype
+                      AND enumlabel = 'high'
+                ) THEN
+                    ALTER TYPE risklevel ADD VALUE 'high';
+                END IF;
+            END
+            $$;
+            """)
+        )
+

 async def close_db() -> None:
    """