docs: record gate5 awooop projection rollout [skip ci]

Your Name
2026-06-02 11:35:42 +08:00
parent e9a4e3fade
commit e8a92295eb


@@ -27594,3 +27594,105 @@ production browser smoke:
- Ansible / PlayBook check-mode runtime約 95%runtime gate 仍 ready。
- 完整自動修復 production claim約 3%`verified_success` 仍為 0不能宣稱全自動修復已完成。下一步是把 `observe_only_playbook` 轉成真正 mutating repair PlayBook 或 gated Ansible apply然後用 24h production evidence 拉高 verified_success。
- 完整 AI Agent 自動化飛輪:約 61%監控、告警、證據鏈、MCP、前端可視化已高但「自動修復成功且驗證成功」仍是主要缺口。
## 2026-06-02 | ADR-100 Gate 5 approval 投影到 AwoooP Approvals
**背景**`INC-20260601-B51DFD` 的 runtime replay Gate 5 approval 已能建立 legacy HITL approval但 AwoooP Approvals 平台清單仍顯示 `AwoooP 0`operator 只能在 legacy HITL / Telegram 看到簽核,無法從 AwoooP run id、step journal、狀態鏈追蹤「跑到哪一關」。同時若只是把 run 建成 `waiting_approval` 而不擋 `/decide`,前端按鈕會把 projection 假轉成 `running`,形成假自動化。
**完成變更**
- `apps/api/src/services/adr100_remediation_service.py`
- `adr100_runtime_replay_gate5` approval 建立後,寫入 idempotent AwoooP projection run。
- deterministic `run_id=uuid5(...)`,寫入 `awooop_run_state``awooop_run_idempotency``awooop_run_step_journal`
- Projection 明確標記 `projection_mode=approval_projection_only``execution_authorized=false``repair_executed=false``required_handoff=legacy_gate5_approval_to_auto_repair_executor`
- approval history context / history item 補 `awooop_projection`,讓後續查詢能追到 projection run。
- `apps/api/src/services/platform_operator_service.py`
- `/api/v1/platform/approvals` 回傳 `trigger_type``trigger_ref``is_shadow`
- `/api/v1/platform/approvals/{run_id}/decide``adr100_runtime_replay_gate5` projection-only run 回 409不轉 `running`,並寫入 blocked step journal。
- `apps/api/src/api/v1/platform/operator_runs.py`
- `ApprovalItem` schema 補 projection 欄位。
- `apps/web/src/app/[locale]/awooop/approvals/page.tsx`
- AwoooP approvals list 顯示 `Gate 5 投影 / 等待 executor handoff`
- `apps/web/src/app/[locale]/awooop/approvals/[run_id]/page.tsx`
- Gate 5 projection detail 顯示 execution boundary不顯示 approve / reject 按鈕。
- API error body 會顯示後端 409 說明,不再只有 `HTTP 409`
- `apps/web/messages/zh-TW.json``apps/web/messages/en.json`
- 補 Gate 5 projection 相關 i18n 文案。
**驗證與部署**
- Local validation
- `python3 -m py_compile apps/api/src/services/adr100_remediation_service.py apps/api/src/services/platform_operator_service.py apps/api/src/api/v1/platform/operator_runs.py apps/api/tests/test_adr100_remediation_service.py`
- `DATABASE_URL=postgresql://test:test@localhost:5432/test PYTHONPATH=apps/api /Users/ogt/.pyenv/shims/pytest apps/api/tests/test_adr100_remediation_service.py -q`
- 結果:`15 passed`
- `python3 -m json.tool apps/web/messages/zh-TW.json`
- `python3 -m json.tool apps/web/messages/en.json`
- `pnpm --dir apps/web exec tsc --noEmit --tsBuildInfoFile /tmp/awoooi-gate5-projection.tsbuildinfo`
- `NEXT_PUBLIC_API_URL=https://awoooi.wooo.work NEXT_PRIVATE_BUILD_WORKER_COUNT=1 pnpm --dir apps/web run build`
- `git diff --check`
- `python3 scripts/security/security-mirror-progress-guard.py --root .``SECURITY_MIRROR_PROGRESS_GUARD_OK`
- Commit`17ba879a feat(adr100): project gate5 approvals into awooop`,已推 `gitea main`
- Gitea
- `code-review #2469` success。
- `cd #2468` success`tests``build-and-deploy``post-deploy-checks` 全部 success。
- CD deploy commit`7ea91fba chore(cd): deploy 17ba879 [skip ci]`
- Production image / rollout
- `awoooi-api=192.168.0.110:5000/awoooi/api:17ba879ac66fba8372269c9c8eeffcfb1cb99128`
- `awoooi-worker=192.168.0.110:5000/awoooi/api:17ba879ac66fba8372269c9c8eeffcfb1cb99128`
- `awoooi-web=192.168.0.110:5000/awoooi/web:17ba879ac66fba8372269c9c8eeffcfb1cb99128`
- Production health / route
- `/api/v1/health``status=healthy``mock_mode=false`
- `/api/v1/platform/ai-route-status?workload_type=deep_rca`policy order 為 `ollama_gcp_a → ollama_gcp_b → ollama_local → gemini`,目前 selected provider `ollama_gcp_a`
- Production Gate 5 projection
- `POST /api/v1/ai/slo/remediation/approval-request`
- work item`verification:INC-20260601-B51DFD:c9635db3-ec54-405f-a909-7e6371775676`
- legacy approval`9c425000-aaa3-485a-aadc-096eae234ecd`
- AwoooP projection run`4417fa40-9639-587e-ae0c-bfe472b7f162`
- `awooop_projection.projected=true`
- `state=waiting_approval`
- `decision_endpoint_enabled=false`
- `execution_authorized=false`
- `repair_executed=false`
- 第二次同 payload 重打:
- `writes_approval_record=false`
- `deduplicated=true`
- `awooop_projection.inserted=false`
- `awooop_projection.deduplicated=true`
- run id 維持 `4417fa40-9639-587e-ae0c-bfe472b7f162`
- `/api/v1/platform/approvals?project_id=awoooi&run_id=4417fa40-9639-587e-ae0c-bfe472b7f162`
- `total=1`
- `trigger_type=adr100_runtime_replay_gate5`
- `trigger_ref=adr100_gate5:INC-20260601-B51DFD:9c425000-aaa3-485a-aadc-096eae234ecd`
- `remediation_summary.total=7`
- status chain 連到 `INC-20260601-B51DFD`MCP evidence `31/39` success、failed `8`
- `/api/v1/platform/runs/4417fa40-9639-587e-ae0c-bfe472b7f162/detail?project_id=awoooi`
- run `state=waiting_approval`
- `step_count=2`
- step 1`adr100.runtime_replay_gate5.waiting_approval` / `pending` / `was_blocked=true` / `block_reason=approval_projection_only`
- step 2`operator_console.approval_projection_guard` / `failed` / `was_blocked=true`
- Authenticated `/decide` probe
- 回 `HTTP 409`
- detail`adr100_runtime_replay_gate5_projection_only...尚未接上 auto_repair_executor 執行 handoff不能直接由平台按鈕轉成 running。`
- run 保持 `waiting_approval`
- Production browser
- `https://awoooi.wooo.work/zh-TW/awooop/approvals/4417fa40-9639-587e-ae0c-bfe472b7f162?project_id=awoooi&_v=17ba879a-gate5-projection`
- 顯示 `這是 Gate 5 投影,不是可直接執行的 AwoooP 審批`
- 顯示 `execution_authorized=false / repair_executed=false / approval_projection_only`
- 顯示 `trigger_type=adr100_runtime_replay_gate5`
- 沒有 `核准` / `拒絕` 動作按鈕。
- `https://awoooi.wooo.work/zh-TW/awooop/approvals?project_id=awoooi&incident_id=INC-20260601-B51DFD&_v=17ba879a-gate5-list`
- summary 顯示 `AwoooP 1 / Legacy HITL 29`
- 列表 row 顯示 `4417fa40``Gate 5 投影``等待 executor handoff`
- row 內可見 MCP / 自建 MCP、Sentry / SigNoz、PlayBook / Ansible、KM / Learning 與 status chain 證據。
**新揭露技術債**
- Legacy HITL 仍有同 incident 舊 approval `2291cd3c-0bc0-4558-a809-a88056955a30` 與新 approval `9c425000-aaa3-485a-aadc-096eae234ecd` 同時 pending。新版 idempotency 從 `9c425000...` 起生效,但需要下一階段做 legacy duplicate reconciliation / supersede policy避免 operator 被兩張同 scope approval 誤導。
- Gate 5 projection 已進 AwoooP但批准後真正 `legacy_gate5_approval_to_auto_repair_executor` handoff 尚未完成。這是下一段工作,不得宣稱 runtime replay 自動修復已可執行。
- `INC-20260601-B51DFD` 的 source correlation 仍是 `provider_fresh_no_match`Sentry / SigNoz 有 heartbeat 但未 match incident需進 source-link drill-down 補規則或候選連結。
**目前整體進度(本階段完成後)**
- AwoooP Approvals / legacy HITL 合流:約 99.2%Gate 5 legacy approval 已可被 AwoooP run/state/step/status chain 追蹤,仍缺 legacy duplicate reconciliation 與批准後 executor handoff。
- Telegram / DB / AwoooP / 前端 truth-chain約 99.97%operator 已能從前端看見 incident、MCP、自建 MCP、Sentry/SigNoz、Ansible、KM 與 approval projection 邊界。
- MCP / 自建 MCP 可視化:約 99%;本事件 row 顯示 Gateway 31/39 success、failed 8、policy 39。下一步是針對 failed 8 做原因收斂。
- Sentry / SigNoz source correlation約 99.1%provider heartbeat 正常,但此 incident 仍未 match需補 source-link matching。
- Ansible / PlayBook runtime約 95%;候選 PlayBook 已呈現在 AwoooP但本 incident 尚無 check/apply 紀錄。
- 完整自動修復 production claim約 3.5%Gate 5 projection 是可見性與安全閘,不是自動修復成功。真正提升要完成 executor handoff 並用 24h verified_success 拉高。
- 完整 AI Agent 自動化飛輪:約 63%;監控、告警、審批、證據鏈、前端可視化更完整,但執行成功率與學習閉環仍是主缺口。
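Review bot: the Local validation list under 驗證與部署 runs pytest only against `apps/api/tests/test_adr100_remediation_service.py`, while the `/decide` 409 guard described for `apps/api/src/services/platform_operator_service.py` is evidenced only by the authenticated production probe. That guard is what keeps a projection-only run from moving to `running`, so name the automated test that covers it here, or record its absence under 新揭露技術債 next to the executor handoff item. The same list embeds a workstation-specific path (`/Users/ogt/.pyenv/shims/pytest`) and the rollout entries record the internal registry address `192.168.0.110:5000`; prefer `python3 -m pytest` and a registry hostname so the record is reproducible and does not publish internal topology. The technical-debt entry also leaves two legacy approvals pending for `INC-20260601-B51DFD` (`2291cd3c-0bc0-4558-a809-a88056955a30` and `9c425000-aaa3-485a-aadc-096eae234ecd`); state what happens if an operator decides the older one while the projection's `trigger_ref` points at the newer one.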