From 628387de8c337daad88a86bc41bc9102cc8954d6 Mon Sep 17 00:00:00 2001 From: OG T Date: Thu, 2 Apr 2026 09:13:13 +0800 Subject: [PATCH] =?UTF-8?q?fix:=20risklevel=20migration=20=E8=87=AA?= =?UTF-8?q?=E5=8B=95=E5=8C=96=20+=20Telegram=20Whitelist=20=E6=B3=A8?= =?UTF-8?q?=E5=85=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. init_db() 啟動時自動確保 risklevel enum 包含 'high' 值 (Phase 23 新增,避免舊 DB 缺值導致 InvalidTextRepresentation) 2. CD Pipeline 新增 OPENCLAW_TG_USER_WHITELIST 自動注入 (之前為 CHANGE_ME,已更新為實際 user ID 5619078117) Co-Authored-By: Claude Opus 4.6 (1M context) --- .gitea/workflows/cd.yaml | 9 +++++++++ apps/api/src/db/base.py | 19 +++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml index 28ba5f11..5a1918f8 100644 --- a/.gitea/workflows/cd.yaml +++ b/.gitea/workflows/cd.yaml @@ -142,6 +142,8 @@ jobs: # 2026-04-01 Claude Code: Langfuse LLMOps keys (Phase 15.1 補齊 CD 注入) LANGFUSE_PUBLIC_KEY: ${{ secrets.LANGFUSE_PUBLIC_KEY }} LANGFUSE_SECRET_KEY: ${{ secrets.LANGFUSE_SECRET_KEY }} + # 2026-04-02 Claude Code: Telegram 白名單 (授權簽核用) + TG_USER_WHITELIST: ${{ secrets.OPENCLAW_TG_USER_WHITELIST }} run: | mkdir -p ~/.ssh echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key @@ -186,6 +188,13 @@ jobs: echo "⚠️ LANGFUSE_PUBLIC_KEY/SECRET_KEY 未設定,跳過 (現有 K8s secret 值維持不變)" fi + # 2026-04-02 Claude Code: Telegram Whitelist (授權簽核用戶 ID) + if [ -n "${TG_USER_WHITELIST}" ]; then + sudo kubectl patch secret awoooi-secrets -n awoooi-prod --type='json' -p='[ + {"op":"add","path":"/data/OPENCLAW_TG_USER_WHITELIST","value":"'$(echo -n "${TG_USER_WHITELIST}" | base64 -w 0)'"} + ]' && echo "✅ TG_USER_WHITELIST 已注入" || echo "⚠️ TG_USER_WHITELIST patch 失敗" + fi + echo "✅ 所有 Secrets 注入完成" SECRETS diff --git a/apps/api/src/db/base.py b/apps/api/src/db/base.py index 4fe5b810..5ada0444 100644 --- a/apps/api/src/db/base.py +++ b/apps/api/src/db/base.py 
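Review bot: In the added `kubectl patch` step for `OPENCLAW_TG_USER_WHITELIST`, a failed patch only prints a warning (`|| echo "⚠️ TG_USER_WHITELIST patch 失敗"`) and the script still reaches `echo "✅ 所有 Secrets 注入完成"`, so the deploy reports success while the approval whitelist keeps whatever value the cluster already held (a placeholder, according to the commit message). Because this value decides who may approve actions, the failure should be fatal, e.g. `|| { echo "❌ TG_USER_WHITELIST patch 失敗"; exit 1; }`, assuming the remote script's exit status propagates to the job. The empty-secret case is also skipped silently; an `else` branch with a warning, like the Langfuse block just above, would make a missing secret visible in the log. Separately, the commit message states the whitelisted user ID in clear text, which undercuts keeping it in a secret. The surrounding `run:` script starts and ends outside this hunk, so its quoting and `set -e` behaviour are not visible here.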
@@ -16,6 +16,7 @@ Features: from collections.abc import AsyncGenerator from contextlib import asynccontextmanager +from sqlalchemy import text from sqlalchemy.ext.asyncio import ( AsyncEngine, AsyncSession, @@ -145,6 +146,24 @@ async def init_db() -> None: async with engine.begin() as conn: await conn.run_sync(Base.metadata.create_all) + # 2026-04-02 Claude Code: 確保 risklevel enum 包含 'high' 值 + # Phase 23 新增,避免舊 DB 缺少此值導致 InvalidTextRepresentation + await conn.execute( + text(""" + DO $$ + BEGIN + IF NOT EXISTS ( + SELECT 1 FROM pg_enum + WHERE enumtypid = 'risklevel'::regtype + AND enumlabel = 'high' + ) THEN + ALTER TYPE risklevel ADD VALUE 'high'; + END IF; + END + $$; + """) + ) + async def close_db() -> None: """
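Review bot: The added `DO $$ … $$` block in `init_db()` runs `ALTER TYPE risklevel ADD VALUE` inside the `engine.begin()` transaction, which PostgreSQL releases before 12 reject. Its check-then-add can also fail when several API replicas start together: the slower one hits a duplicate-label error and its startup transaction aborts. PostgreSQL has an idempotent form, so the block can shrink to `await conn.execute(text("ALTER TYPE risklevel ADD VALUE IF NOT EXISTS 'high'"))`. This is also a second piece of DDL issued with the API's runtime credentials, next to the visible `create_all`; if more one-off fixes like this are expected, a versioned migration run under a separate role would keep schema-altering rights off the service account. `init_db()` begins above the hunk, so any error handling around this transaction is not visible here.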