feat(auto-rate): CS1 LLM 高信心度路徑自動執行（confidence ≥ 0.85）

繼 CS2 rule_engine 後，CS1 LLM 路徑也開啟自動執行： - confidence >= 0.85 + low/medium risk + kubectl 有值 → auto-execute - CRITICAL / DESTRUCTIVE_PATTERNS / NO_ACTION → 絕對不執行 - 例外降級到 PENDING，不 crash - 9 tests 驗收（1469 passed） Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-27 16:12:26 +08:00
parent dfbf3f8f20
commit e3bad58842
2 changed files with 279 additions and 0 deletions
--- a/apps/api/src/api/v1/webhooks.py
+++ b/apps/api/src/api/v1/webhooks.py
@@ -1055,6 +1055,64 @@ async def receive_alert(
        except Exception as _shadow_err:
            logger.warning("shadow_auto_approve_failed", error=str(_shadow_err))

+        # 2026-04-27 ogt + Claude Sonnet 4.6: CS1 LLM 高信心度自動執行
+        # 設計：confidence ≥ 0.85 + 非 CRITICAL + 非破壞性 + 有 kubectl 指令 → 直接執行
+        # 安全防線：CRITICAL / destructive patterns / NO_ACTION/INVESTIGATE/OBSERVE / 空 kubectl → 降級 PENDING
+        if analysis_result:
+            from src.services.auto_approve import _DESTRUCTIVE_PATTERNS as _cs1_destr_patterns
+
+            _cs1_kubectl = analysis_result.kubectl_command.strip() if analysis_result.kubectl_command else ""
+            _cs1_can_auto = (
+                bool(_cs1_kubectl)
+                and analysis_result.confidence >= 0.85
+                and risk_level != RiskLevel.CRITICAL
+                and _sa_val not in _non_destructive_actions
+                and not any(p in _cs1_kubectl.lower() for p in _cs1_destr_patterns)
+            )
+            if _cs1_can_auto:
+                try:
+                    from src.models.approval import ApprovalRequest, ApprovalStatus
+                    from src.services.approval_execution import ApprovalExecutionService
+
+                    _cs1_auto_approval = ApprovalRequest(
+                        incident_id=str(approval.incident_id) if approval.incident_id else None,
+                        action=approval_create.action,
+                        description=approval_create.description,
+                        requested_by="auto_approve_llm_high_confidence",
+                        required_signatures=0,
+                        status=ApprovalStatus.APPROVED,
+                        risk_level=risk_level.value,
+                        matched_playbook_id=None,
+                    )
+                    _cs1_auto_approval.id = approval.id
+
+                    _cs1_executor = ApprovalExecutionService()
+                    _cs1_exec_success = await _cs1_executor.execute_approved_action(_cs1_auto_approval)
+
+                    try:
+                        await service.update_execution_status(approval.id, _cs1_exec_success)
+                    except Exception as _cs1_upd_err:
+                        logger.warning(
+                            "cs1_auto_execute_status_update_failed",
+                            approval_id=str(approval.id),
+                            error=str(_cs1_upd_err),
+                        )
+
+                    logger.info(
+                        "llm_high_confidence_auto_executed",
+                        approval_id=str(approval.id),
+                        confidence=analysis_result.confidence,
+                        exec_success=_cs1_exec_success,
+                        action=_cs1_kubectl[:80],
+                    )
+                except Exception as _cs1_auto_err:
+                    logger.warning(
+                        "llm_high_confidence_auto_execute_failed",
+                        approval_id=str(approval.id),
+                        error=str(_cs1_auto_err),
+                    )
+                    # 降級：維持 PENDING，流程繼續到 Telegram 推送
+
        logger.info(
            "approval_auto_created_with_fingerprint",
            alert_id=alert_id,