feat(auto-execute): CS3 alertmanager AI path 高信心自動執行（修法3擴展）

- CS3（alertmanager AI path）補入與 CS1 相同的 5 safety gate 自動執行邏輯 - confidence >= 0.85 + !CRITICAL + kubectl非空 + !NO_ACTION + !DESTRUCTIVE - 使用 _cs3_destr_patterns（from auto_approve）做破壞性指令攔截 - 例外包覆 try/except，不影響主流程 - 新增 test_cs3_auto_execute.py，9 tests 全通過 - CS4（LLM fallback）action=OBSERVE/confidence=0.0 → 不需要 auto-execute，維持現狀 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-27 19:46:56 +08:00
parent d0c24275d6
commit a0502b778e
2 changed files with 155 additions and 0 deletions
--- a/apps/api/src/api/v1/webhooks.py
+++ b/apps/api/src/api/v1/webhooks.py
@@ -1575,6 +1575,40 @@ async def _process_new_alert_background(
            except Exception as _shadow_err_cs3:
                logger.warning("shadow_auto_approve_failed", error=str(_shadow_err_cs3))

+            # 2026-04-27 Claude Sonnet 4.6: CS3 LLM 高信心自動執行（修法3擴展）
+            from src.services.auto_approve import _DESTRUCTIVE_PATTERNS as _cs3_destr_patterns  # noqa: PLC0415
+            _cs3_kubectl = (analysis_result.kubectl_command or "").strip()
+            _cs3_can_auto = (
+                bool(_cs3_kubectl)
+                and analysis_result.confidence >= 0.85
+                and risk_level != RiskLevel.CRITICAL
+                and "NO_ACTION" not in (analysis_result.action_title or "")
+                and not any(p in _cs3_kubectl.lower() for p in _cs3_destr_patterns)
+            )
+            if _cs3_can_auto:
+                try:
+                    _cs3_auto_approval = ApprovalRequest(
+                        action=approval_create.action,
+                        description=approval_create.description,
+                        requested_by="auto_approve_llm_cs3",
+                        required_signatures=0,
+                        status=ApprovalStatus.APPROVED,
+                        risk_level=risk_level.value,
+                        matched_playbook_id=None,
+                    )
+                    _cs3_executor = ApprovalExecutionService()
+                    _cs3_exec_success = await _cs3_executor.execute_approved_action(_cs3_auto_approval)
+                    logger.info(
+                        "cs3_llm_auto_executed",
+                        approval_id=str(approval.id),
+                        kubectl=_cs3_kubectl,
+                        confidence=analysis_result.confidence,
+                        success=_cs3_exec_success,
+                        provider=ai_provider,
+                    )
+                except Exception as _cs3_exec_err:
+                    logger.warning("cs3_llm_auto_execute_failed", error=str(_cs3_exec_err))
+
            incident_id = await create_incident_for_approval(
                approval_id=str(approval.id),
                risk_level=risk_level.value,