From 6baa5054bcdeeb384d5797b4bd1f555cdcfbac37 Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Sat, 25 Apr 2026 09:47:27 +0800
Subject: [PATCH] =?UTF-8?q?fix(auto-execute):=20=E4=BF=AE=E5=BE=A9=20kubec?=
 =?UTF-8?q?tl=20pattern=20=E6=94=94=E6=88=AA=20+=20=E8=A3=9C=20auto=5Fexec?=
 =?UTF-8?q?ute=20KM=20=E5=AF=AB=E5=85=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

問題 1：_ALLOWED_KUBECTL_PATTERN 不允許 resource type keyword
  根因：LLM 輸出 "kubectl rollout restart deployment clickhouse"
        但 pattern 只允許 "kubectl rollout restart clickhouse"（無 deployment 關鍵字）
  結果：_action_safe=False → auto_execute_blocked_unresolved_placeholder
        → 所有 low/medium risk 告警降為人工審核，飛輪完全停轉
  修法：pattern 新增可選的 resource type group（deployment/pod/service/...）
        + re.ASCII flag 防 unicode bypass，12/12 test cases 通過

問題 2：auto_execute 路徑 KM 寫入斷鏈
  根因：_write_execution_result_to_km 只在人工審核路徑呼叫
  修法：auto_execute 完成後補 _fire_and_forget(executor._write_execution_result_to_km)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 apps/api/src/services/decision_manager.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/services/decision_manager.py b/apps/api/src/services/decision_manager.py
index a1748ebc..eb4771d8 100644
--- a/apps/api/src/services/decision_manager.py
+++ b/apps/api/src/services/decision_manager.py
@@ -53,10 +53,16 @@ def _fire_and_forget(coro) -> asyncio.Task:
     return task
 
 # P1 fix 2026-04-11: kubectl action dangerous char whitelist
+# 2026-04-25 ogt + Claude Sonnet 4.6: 補允許 K8s resource type keyword
+#   LLM 常輸出 "kubectl rollout restart deployment clickhouse" (含 deployment 關鍵字)
+#   原 pattern 只允許 verb 後直接接名稱，導致 _action_safe=False → 全部被攔截 → 飛輪 0
+#   修法：在名稱前加可選的 resource type group (deployment/pod/service/...)
 import re as _re_module
 _ALLOWED_KUBECTL_PATTERN = _re_module.compile(
     r"^kubectl\s+(rollout restart|rollout undo|scale|delete pod|get|describe|logs)"
-    r"\s+[a-zA-Z0-9_./-]+(\s+(-n|--namespace)\s+[a-zA-Z0-9_-]+)?$"
+    r"\s+(?:(?:deployment|pod|pods|service|services|statefulset|sts|daemonset|ds|svc|configmap|cm)\s+)?"
+    r"[a-zA-Z0-9_./-]+(\s+(-n|--namespace)\s+[a-zA-Z0-9_-]+)?$",
+    _re_module.ASCII,
 )
 
 
@@ -2082,6 +2088,14 @@ class DecisionManager:
                 _push_auto_repair_result(incident, action, success=_exec_success)
             )
 
+            # 2026-04-25 ogt + Claude Sonnet 4.6: 飛輪閉環 — auto_execute 路徑補 KM 寫入
+            # 根因：Explore agent 確認 _write_execution_result_to_km 只在人工審核路徑呼叫
+            #       auto_execute 路徑執行完成後沒有 KM 回寫 → 學習飛輪斷鏈
+            # 修法：複用 executor._write_execution_result_to_km，與人工路徑共享同一 KM schema
+            _fire_and_forget(
+                executor._write_execution_result_to_km(approval, _exec_success, None)
+            )
+
         except Exception as e:
             logger.error(
                 "auto_execute_failed",