wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 3 Packages Projects Releases Wiki Activity

fix(auto-execute): 修復 kubectl pattern 攔截 + 補 auto_execute KM 寫入
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
Details

Browse Source 
問題 1:_ALLOWED_KUBECTL_PATTERN 不允許 resource type keyword
  根因:LLM 輸出 "kubectl rollout restart deployment clickhouse"
        但 pattern 只允許 "kubectl rollout restart clickhouse"(無 deployment 關鍵字)
  結果:_action_safe=False → auto_execute_blocked_unresolved_placeholder
        → 所有 low/medium risk 告警降為人工審核,飛輪完全停轉
  修法:pattern 新增可選的 resource type group(deployment/pod/service/...)
        + re.ASCII flag 防 unicode bypass,12/12 test cases 通過

問題 2:auto_execute 路徑 KM 寫入斷鏈
  根因:_write_execution_result_to_km 只在人工審核路徑呼叫
  修法:auto_execute 完成後補 _fire_and_forget(executor._write_execution_result_to_km)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Your Name
2026-04-25 09:47:27 +08:00
parent b8b5c68f31
commit 6baa5054bc
1 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
apps/api/src/services/decision_manager.py
View File

@@ -53,10 +53,16 @@ def _fire_and_forget(coro) -> asyncio.Task:
return task
# P1 fix 2026-04-11: kubectl action dangerous char whitelist
# 2026-04-25 ogt + Claude Sonnet 4.6: 補允許 K8s resource type keyword
# LLM 常輸出 "kubectl rollout restart deployment clickhouse" (含 deployment 關鍵字)
# 原 pattern 只允許 verb 後直接接名稱,導致 _action_safe=False → 全部被攔截 → 飛輪 0
# 修法:在名稱前加可選的 resource type group (deployment/pod/service/...)
import re as _re_module
_ALLOWED_KUBECTL_PATTERN = _re_module.compile(
r"^kubectl\s+(rollout restart|rollout undo|scale|delete pod|get|describe|logs)"
r"\s+[a-zA-Z0-9_./-]+(\s+(-n|--namespace)\s+[a-zA-Z0-9_-]+)?$"
r"\s+(?:(?:deployment|pod|pods|service|services|statefulset|sts|daemonset|ds|svc|configmap|cm)\s+)?"
r"[a-zA-Z0-9_./-]+(\s+(-n|--namespace)\s+[a-zA-Z0-9_-]+)?$",
_re_module.ASCII,
)
@@ -2082,6 +2088,14 @@ class DecisionManager:
_push_auto_repair_result(incident, action, success=_exec_success)
)
# 2026-04-25 ogt + Claude Sonnet 4.6: 飛輪閉環 — auto_execute 路徑補 KM 寫入
# 根因Explore agent 確認 _write_execution_result_to_km 只在人工審核路徑呼叫
# auto_execute 路徑執行完成後沒有 KM 回寫 → 學習飛輪斷鏈
# 修法:複用 executor._write_execution_result_to_km與人工路徑共享同一 KM schema
_fire_and_forget(
executor._write_execution_result_to_km(approval, _exec_success, None)
)
except Exception as e:
logger.error(
"auto_execute_failed",