From a4d655ea7f050ce22ffc4e893e8fb6da4a5e609f Mon Sep 17 00:00:00 2001
From: OG T
Date: Fri, 10 Apr 2026 23:57:17 +0800
Subject: [PATCH] =?UTF-8?q?fix(auto=5Fexecute):=20=E5=AE=89=E5=85=A8?= =?UTF-8?q?=E5=AE=88=E8=A1=9B=20=E2=80=94=20=E6=8B=92=E7=B5=95=E5=9F=B7?= =?UTF-8?q?=E8=A1=8C=E5=90=AB=20unknown=20=E6=88=96=E6=9C=AA=E8=A7=A3?= =?UTF-8?q?=E6=9E=90=20placeholder=20=E7=9A=84=20action?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
主機層告警(HostHighCpuLoad、DockerContainerUnhealthy 等)沒有對應 K8s deployment 名稱,affected_services=[],導致 _target='unknown', 執行 'kubectl rollout restart deployment unknown' 這種無意義命令。 修復: 替換後若 action 仍含 'unknown' 或 <...>/{...} 格式, 直接拒絕執行並通知人工介入,不允許帶 placeholder 的命令上線。
Co-Authored-By: Claude Sonnet 4.6
---
 apps/api/src/services/decision_manager.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/apps/api/src/services/decision_manager.py b/apps/api/src/services/decision_manager.py
index 291d47ec..c5187065 100644
--- a/apps/api/src/services/decision_manager.py
+++ b/apps/api/src/services/decision_manager.py
@@ -678,6 +678,25 @@ class DecisionManager:
 action = _re.sub(r"", _target, action)
 action = _re.sub(r"<[^>]+>", _target, action)

+ # 安全守衛: 替換後仍含 "unknown" 或未替換的 <...>/{...} → 拒絕執行
+ # 主機層告警(HostHighCpuLoad 等)沒有 deployment 名稱,不應盲目執行
+ if "unknown" in action or _re.search(r"[<{][^>}]+[>}]", action):
+ logger.warning(
+ "auto_execute_blocked_unresolved_placeholder",
+ incident_id=incident.incident_id,
+ action=action,
+ target=_target,
+ reason="action 含未解析的 placeholder 或 unknown,拒絕執行",
+ )
+ token.state = DecisionState.ERROR
+ token.error = f"Auto-execute blocked: unresolved placeholder in action: {action[:80]}"
+ await self._save_token(token)
+ asyncio.create_task(
+ _push_auto_repair_result(incident, action, success=False,
+ error="無法確認 deployment 名稱,請人工確認後手動執行")
+ )
+ return
+
 try:
 # 延遲導入避免循環依賴
 from src.models.approval import ApprovalRequest, ApprovalStatus
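Review bot: The added guard `if "unknown" in action or _re.search(...)` inspects the rendered command string instead of the value that was substituted. It therefore blocks any action that merely contains the substring `unknown`, such as a deployment whose name includes it, yet accepts every other `_target` whether or not it is a well-formed resource name. Going by the commit message, `_target` is derived from alert data (`affected_services`) and ends up inside a kubectl command, so validating it before the `_re.sub` calls is tighter: `if _target == "unknown" or not _K8S_NAME_RE.fullmatch(_target):`, where `_K8S_NAME_RE` is a new compiled DNS-1123 name pattern, with the leftover-placeholder regex kept as a second check. Separately, the return value of `asyncio.create_task(...)` is discarded and the event loop holds only a weak reference to tasks, so the human-intervention notification can be garbage-collected before it runs; keep the task in a set owned by the manager until it completes. The enclosing method starts and ends outside the hunk, so how `_target` is computed and how `action` is finally executed cannot be confirmed from here.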