diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 890b7bdc..a8afca07 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md 
@@ -27594,3 +27594,105 @@ production browser smoke: - Ansible / PlayBook check-mode runtime:約 95%;runtime gate 仍 ready。 - 完整自動修復 production claim:約 3%;`verified_success` 仍為 0,不能宣稱全自動修復已完成。下一步是把 `observe_only_playbook` 轉成真正 mutating repair PlayBook 或 gated Ansible apply,然後用 24h production evidence 拉高 verified_success。 - 完整 AI Agent 自動化飛輪:約 61%;監控、告警、證據鏈、MCP、前端可視化已高,但「自動修復成功且驗證成功」仍是主要缺口。 + +## 2026-06-02 | ADR-100 Gate 5 approval 投影到 AwoooP Approvals + +**背景**:`INC-20260601-B51DFD` 的 runtime replay Gate 5 approval 已能建立 legacy HITL approval,但 AwoooP Approvals 平台清單仍顯示 `AwoooP 0`,operator 只能在 legacy HITL / Telegram 看到簽核,無法從 AwoooP run id、step journal、狀態鏈追蹤「跑到哪一關」。同時,若只是把 run 建成 `waiting_approval` 而不擋 `/decide`,前端按鈕會把 projection 假轉成 `running`,形成假自動化。 + +**完成變更**: +- `apps/api/src/services/adr100_remediation_service.py` + - `adr100_runtime_replay_gate5` approval 建立後,寫入 idempotent AwoooP projection run。 + - deterministic `run_id=uuid5(...)`,寫入 `awooop_run_state`、`awooop_run_idempotency`、`awooop_run_step_journal`。 + - Projection 明確標記 `projection_mode=approval_projection_only`、`execution_authorized=false`、`repair_executed=false`、`required_handoff=legacy_gate5_approval_to_auto_repair_executor`。 + - approval history context / history item 補 `awooop_projection`,讓後續查詢能追到 projection run。 +- `apps/api/src/services/platform_operator_service.py` + - `/api/v1/platform/approvals` 回傳 `trigger_type`、`trigger_ref`、`is_shadow`。 + - `/api/v1/platform/approvals/{run_id}/decide` 對 `adr100_runtime_replay_gate5` projection-only run 回 409,不轉 `running`,並寫入 blocked step journal。 +- `apps/api/src/api/v1/platform/operator_runs.py` + - `ApprovalItem` schema 補 projection 欄位。 +- `apps/web/src/app/[locale]/awooop/approvals/page.tsx` + - AwoooP approvals list 顯示 `Gate 5 投影 / 等待 executor handoff`。 +- `apps/web/src/app/[locale]/awooop/approvals/[run_id]/page.tsx` + - Gate 5 projection detail 顯示 execution boundary,不顯示 approve / reject 按鈕。 + - API error body 會顯示後端 409 說明,不再只有 `HTTP 409`。 +- 
`apps/web/messages/zh-TW.json`、`apps/web/messages/en.json` + - 補 Gate 5 projection 相關 i18n 文案。 + +**驗證與部署**: +- Local validation: + - `python3 -m py_compile apps/api/src/services/adr100_remediation_service.py apps/api/src/services/platform_operator_service.py apps/api/src/api/v1/platform/operator_runs.py apps/api/tests/test_adr100_remediation_service.py` + - `DATABASE_URL=postgresql://test:test@localhost:5432/test PYTHONPATH=apps/api /Users/ogt/.pyenv/shims/pytest apps/api/tests/test_adr100_remediation_service.py -q` + - 結果:`15 passed` + - `python3 -m json.tool apps/web/messages/zh-TW.json` + - `python3 -m json.tool apps/web/messages/en.json` + - `pnpm --dir apps/web exec tsc --noEmit --tsBuildInfoFile /tmp/awoooi-gate5-projection.tsbuildinfo` + - `NEXT_PUBLIC_API_URL=https://awoooi.wooo.work NEXT_PRIVATE_BUILD_WORKER_COUNT=1 pnpm --dir apps/web run build` + - `git diff --check` + - `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK` +- Commit:`17ba879a feat(adr100): project gate5 approvals into awooop`,已推 `gitea main`。 +- Gitea: + - `code-review #2469` success。 + - `cd #2468` success:`tests`、`build-and-deploy`、`post-deploy-checks` 全部 success。 + - CD deploy commit:`7ea91fba chore(cd): deploy 17ba879 [skip ci]`。 +- Production image / rollout: + - `awoooi-api=192.168.0.110:5000/awoooi/api:17ba879ac66fba8372269c9c8eeffcfb1cb99128` + - `awoooi-worker=192.168.0.110:5000/awoooi/api:17ba879ac66fba8372269c9c8eeffcfb1cb99128` + - `awoooi-web=192.168.0.110:5000/awoooi/web:17ba879ac66fba8372269c9c8eeffcfb1cb99128` +- Production health / route: + - `/api/v1/health` 回 `status=healthy`、`mock_mode=false`。 + - `/api/v1/platform/ai-route-status?workload_type=deep_rca`:policy order 為 `ollama_gcp_a → ollama_gcp_b → ollama_local → gemini`,目前 selected provider `ollama_gcp_a`。 +- Production Gate 5 projection: + - `POST /api/v1/ai/slo/remediation/approval-request` + - work 
item:`verification:INC-20260601-B51DFD:c9635db3-ec54-405f-a909-7e6371775676` + - legacy approval:`9c425000-aaa3-485a-aadc-096eae234ecd` + - AwoooP projection run:`4417fa40-9639-587e-ae0c-bfe472b7f162` + - `awooop_projection.projected=true` + - `state=waiting_approval` + - `decision_endpoint_enabled=false` + - `execution_authorized=false` + - `repair_executed=false` + - 第二次同 payload 重打: + - `writes_approval_record=false` + - `deduplicated=true` + - `awooop_projection.inserted=false` + - `awooop_projection.deduplicated=true` + - run id 維持 `4417fa40-9639-587e-ae0c-bfe472b7f162` + - `/api/v1/platform/approvals?project_id=awoooi&run_id=4417fa40-9639-587e-ae0c-bfe472b7f162` + - `total=1` + - `trigger_type=adr100_runtime_replay_gate5` + - `trigger_ref=adr100_gate5:INC-20260601-B51DFD:9c425000-aaa3-485a-aadc-096eae234ecd` + - `remediation_summary.total=7` + - status chain 連到 `INC-20260601-B51DFD`,MCP evidence `31/39` success、failed `8`。 + - `/api/v1/platform/runs/4417fa40-9639-587e-ae0c-bfe472b7f162/detail?project_id=awoooi` + - run `state=waiting_approval` + - `step_count=2` + - step 1:`adr100.runtime_replay_gate5.waiting_approval` / `pending` / `was_blocked=true` / `block_reason=approval_projection_only` + - step 2:`operator_console.approval_projection_guard` / `failed` / `was_blocked=true` + - Authenticated `/decide` probe: + - 回 `HTTP 409` + - detail:`adr100_runtime_replay_gate5_projection_only...尚未接上 auto_repair_executor 執行 handoff,不能直接由平台按鈕轉成 running。` + - run 保持 `waiting_approval`。 +- Production browser: + - `https://awoooi.wooo.work/zh-TW/awooop/approvals/4417fa40-9639-587e-ae0c-bfe472b7f162?project_id=awoooi&_v=17ba879a-gate5-projection` + - 顯示 `這是 Gate 5 投影,不是可直接執行的 AwoooP 審批` + - 顯示 `execution_authorized=false / repair_executed=false / approval_projection_only` + - 顯示 `trigger_type=adr100_runtime_replay_gate5` + - 沒有 `核准` / `拒絕` 動作按鈕。 + - `https://awoooi.wooo.work/zh-TW/awooop/approvals?project_id=awoooi&incident_id=INC-20260601-B51DFD&_v=17ba879a-gate5-list` + 
- summary 顯示 `AwoooP 1 / Legacy HITL 29` + - 列表 row 顯示 `4417fa40`、`Gate 5 投影`、`等待 executor handoff` + - row 內可見 MCP / 自建 MCP、Sentry / SigNoz、PlayBook / Ansible、KM / Learning 與 status chain 證據。 + +**新揭露技術債**: +- Legacy HITL 仍有同 incident 舊 approval `2291cd3c-0bc0-4558-a809-a88056955a30` 與新 approval `9c425000-aaa3-485a-aadc-096eae234ecd` 同時 pending。新版 idempotency 從 `9c425000...` 起生效,但需要下一階段做 legacy duplicate reconciliation / supersede policy,避免 operator 被兩張同 scope approval 誤導。 +- Gate 5 projection 已進 AwoooP,但批准後真正 `legacy_gate5_approval_to_auto_repair_executor` handoff 尚未完成。這是下一段工作,不得宣稱 runtime replay 自動修復已可執行。 +- `INC-20260601-B51DFD` 的 source correlation 仍是 `provider_fresh_no_match`,Sentry / SigNoz 有 heartbeat 但未 match incident;需進 source-link drill-down 補規則或候選連結。 + +**目前整體進度(本階段完成後)**: +- AwoooP Approvals / legacy HITL 合流:約 99.2%;Gate 5 legacy approval 已可被 AwoooP run/state/step/status chain 追蹤,仍缺 legacy duplicate reconciliation 與批准後 executor handoff。 +- Telegram / DB / AwoooP / 前端 truth-chain:約 99.97%;operator 已能從前端看見 incident、MCP、自建 MCP、Sentry/SigNoz、Ansible、KM 與 approval projection 邊界。 +- MCP / 自建 MCP 可視化:約 99%;本事件 row 顯示 Gateway 31/39 success、failed 8、policy 39。下一步是針對 failed 8 做原因收斂。 +- Sentry / SigNoz source correlation:約 99.1%;provider heartbeat 正常,但此 incident 仍未 match,需補 source-link matching。 +- Ansible / PlayBook runtime:約 95%;候選 PlayBook 已呈現在 AwoooP,但本 incident 尚無 check/apply 紀錄。 +- 完整自動修復 production claim:約 3.5%;Gate 5 projection 是可見性與安全閘,不是自動修復成功。真正提升要完成 executor handoff 並用 24h verified_success 拉高。 +- 完整 AI Agent 自動化飛輪:約 63%;監控、告警、審批、證據鏈、前端可視化更完整,但執行成功率與學習閉環仍是主缺口。
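Review bot: In the run-detail evidence under "Production Gate 5 projection", step 2 (`operator_console.approval_projection_guard` / `failed` / `was_blocked=true`) is logged without a `block_reason`, while step 1 carries `block_reason=approval_projection_only`. Please record the step 2 reason too, and state that `failed` here means the `/decide` guard rejected the decision with 409, not that a repair ran and failed, since the same entry stresses `repair_executed=false`. It would also help to say whether repeated `/decide` attempts append further blocked journal steps or are deduplicated; the entry shows `step_count=2` and a single authenticated probe, so the journal's growth under repeated attempts is not evidenced. Separately, the local validation command embeds a machine-specific path (`/Users/ogt/.pyenv/shims/pytest`); plain `pytest` would make that step reproducible for other readers.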