chore(rls): 新增 manual script gate 與 canary wave1

2026-05-12 20:23:22 +08:00
parent be8ddf4599
commit 8c4dc7a5a8
15 changed files with 562 additions and 9 deletions
--- a/apps/api/scripts/awooop_phase1_batch1_backfill.py
+++ b/apps/api/scripts/awooop_phase1_batch1_backfill.py
@@ -9,7 +9,7 @@ AwoooP Phase 1 Batch 1 回填腳本
  awooop_phase1_batch1_rls_2026-05-04.sql Step A（ADD COLUMN nullable）已執行

 執行方式：
-  export DATABASE_URL="postgresql+asyncpg://awoooi:<password>@192.168.0.188:5432/awoooi_prod"
+  從 secret manager / operator vault 設定 DATABASE_URL，禁止在指令或檔案中寫入 URL。
  cd apps/api && python scripts/awooop_phase1_batch1_backfill.py

 2026-05-04 ogt + Claude Sonnet 4.6（ADR-118 Batch 1 C-3 修正）
--- a/apps/api/scripts/reembed_bge_m3.py
+++ b/apps/api/scripts/reembed_bge_m3.py
@@ -37,6 +37,7 @@ logging = structlog.get_logger(__name__)
 OLLAMA_URL = os.getenv("OLLAMA_URL", "http://34.143.170.20:11434")
 EMBEDDING_MODEL = "bge-m3:latest"
 EXPECTED_DIM = 1024
+PROJECT_ID = os.getenv("AWOOOP_PROJECT_ID", "awoooi")


 async def embed_text(client: httpx.AsyncClient, text: str) -> list[float]:
@@ -162,6 +163,7 @@ async def main(dry_run: bool, batch_size: int) -> None:

        conn = await asyncpg.connect(database_url)
        try:
+            await conn.execute("SELECT set_config('app.project_id', $1, FALSE)", PROJECT_ID)
            # 統計待嵌入筆數
            rag_null = await conn.fetchval("SELECT COUNT(*) FROM rag_chunks WHERE embedding IS NULL")
            pb_null = await conn.fetchval("SELECT COUNT(*) FROM playbook_embeddings WHERE embedding IS NULL")
--- a/apps/api/scripts/run_migration.py
+++ b/apps/api/scripts/run_migration.py
@@ -15,7 +15,7 @@ from sqlalchemy import text
 from sqlalchemy.ext.asyncio import create_async_engine

 # 2026-04-22 ogt: 移除硬碼 changeme，改為讀取環境變數（強制要求設定）。
-# 執行前: export DATABASE_URL="postgresql+asyncpg://awoooi:<password>@192.168.0.188:5432/awoooi_prod"
+# 執行前: 從 secret manager / operator vault 設定 DATABASE_URL，禁止在指令或檔案中寫入 URL。
 DATABASE_URL = os.environ["DATABASE_URL"]

 MIGRATION_SQLS = [