Commit Graph

146 Commits

Author SHA1 Message Date
OG T
2c6ed4e9cf fix(k8s): 修復 ArgoCD probe 失敗 + drift-scanner egress 封鎖
All checks were successful
CD Pipeline / build-and-deploy (push) Successful in 14m36s
問題 1 — ArgoCD "All connection attempts failed":
- ARGOCD_URL 指向 192.168.0.120:30443,但 node 120 kube-proxy 對
  30443 有路由 bug(ArgoCD pod 在 121)
- 修復: ARGOCD_URL → 192.168.0.121:30443
- NetworkPolicy: 補白名單 192.168.0.121/32:30443
- NetworkPolicy: 補白名單 192.168.0.125/32:30443 (keepalived VIP)

問題 2 — drift-scanner Error x5 / 系統沉默 9.4h:
- CronJob pod template 缺少 system=awoooi label
- default-deny-all 封鎖所有 egress,allow-required-egress 僅對
  system=awoooi pods 生效
- 修復: drift-cronjob pod template 新增 system: awoooi

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 15:28:52 +08:00
AWOOOI CD
dd378ac698 chore(cd): deploy 684d6cf [skip ci] 2026-04-14 06:50:00 +00:00
AWOOOI CD
5d8feaad2a chore(cd): deploy 38ff2bb [skip ci] 2026-04-12 15:01:47 +00:00
AWOOOI CD
6dec8ce491 chore(cd): deploy db4d428 [skip ci] 2026-04-12 14:32:47 +00:00
OG T
3de45aa2c3 fix(k8s): deployment env 同步 + 停用 ENABLE_NEMOTRON_COLLABORATION
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
將 live-patch 的 env: 覆蓋同步回 Git,避免 ArgoCD drift:
- ENABLE_NEMOTRON_COLLABORATION: false (Ollama timeout 修復)
- USE_AI_ROUTER, OLLAMA_URL, OPENCLAW_* 等覆蓋值納入 GitOps 管理

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 22:06:10 +08:00
AWOOOI CD
b6caabd8e3 chore(cd): deploy b3d4b9c [skip ci] 2026-04-12 13:29:40 +00:00
OG T
efca6f816a fix(nemotron): 停用 Nemotron 協作 — Ollama timeout 導致 confidence=0.0
Some checks failed
CD Pipeline / build-and-deploy (push) Failing after 2m1s
Ollama 111 tool_call 60s×2 > asyncio.wait_for 30s
→ expert_system fallback → confidence=0.0 → 告警卡顯示規則匹配 0%

暫停 ADR-044 直到 Ollama 穩定,OpenClaw LLM 仍正常運作

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 21:06:27 +08:00
AWOOOI CD
f64393e4cb chore(cd): deploy eda0cfd [skip ci] 2026-04-12 12:30:49 +00:00
AWOOOI CD
f4675872f9 chore(cd): deploy c3fea26 [skip ci] 2026-04-12 12:17:06 +00:00
AWOOOI CD
6490c6a885 chore(cd): deploy e5791b9 [skip ci] 2026-04-12 11:34:56 +00:00
AWOOOI CD
9f264ebad1 chore(cd): deploy e89d878 [skip ci] 2026-04-12 11:07:02 +00:00
AWOOOI CD
022b3cd7d4 chore(cd): deploy 7fc1e0a [skip ci] 2026-04-12 10:12:04 +00:00
AWOOOI CD
295869d6c7 chore(cd): deploy 99b489c [skip ci] 2026-04-12 09:25:11 +00:00
AWOOOI CD
cce55d560d chore(cd): deploy f0e1413 [skip ci] 2026-04-12 09:10:35 +00:00
AWOOOI CD
d2286ca827 chore(cd): deploy 93f9522 [skip ci] 2026-04-12 08:42:45 +00:00
AWOOOI CD
c8e9fbb518 chore(cd): deploy effd788 [skip ci] 2026-04-12 08:23:16 +00:00
AWOOOI CD
444b17513d chore(cd): deploy 9b1812c [skip ci] 2026-04-12 07:52:09 +00:00
OG T
ec6a341f3e feat(m5): ADR-074 M5 — Docker 188 / Redis Streams / PostgreSQL 磁碟告警
新增 awoooi_infrastructure_detailed 告警群組:
- DockerContainerUnhealthyDetailed: 188 容器無活動 > 2min
- RedisStreamBacklogHigh: Stream 積壓 > 500 筆
- PostgreSQLDiskGrowthRate: 磁碟 1h 增長 > 500MB

2026-04-12 ogt (ADR-074 M5)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 15:36:54 +08:00
OG T
c1c96ab47b feat(m4): ADR-074 M4 — 備份還原週排程驗證 CronJob
- scripts/cron_backup_restore_test.sh: Velero restore dry-run 腳本
- k8s/awoooi-prod/16-cronjob-backup-restore-test.yaml: 每週日 02:00 台北執行
- k8s/awoooi-prod/17-configmap-backup-restore-scripts.yaml: 腳本 ConfigMap
- flywheel-alerts.yaml: BackupRestoreTestFailed + BackupRestoreTestStale 告警

失敗時寫入 node-exporter textfile → Prometheus 告警 → TYPE-3 Incident

2026-04-12 ogt (ADR-074 M4)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 15:36:30 +08:00
OG T
00a31abb85 feat(heartbeat): ADR-073 P2 心跳整合重構 — HeartbeatReportService + RedisLock
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
- 新增 HeartbeatReportService:11 個並行探針(Ollama/Nemotron/Gemini/Claude/MCP×4/ArgoCD/Velero)
- 重寫 send_heartbeat():RedisLock 防重發 + 統一發送 SRE_GROUP_CHAT_ID
- 簡化 _heartbeat_loop():移除散落的 silence 多次發送
- config.py:新增 OLLAMA_REQUIRED_MODELS 欄位
- 03-secrets.example.yaml:補 SRE_GROUP_CHAT_ID 確保 CD Inject 不遺漏

2026-04-12 ogt (ADR-073 Phase 2-3/4)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 15:35:13 +08:00
OG T
16d682346a feat(adr-074): M1 飛輪健康度 Exporter + M2 主機網路監控
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
ADR-074 M1:
  - FlywheelStatsService: 計算6項飛輪指標(Playbook數/成功率/KM向量化/alertname NULL/卡住數)
  - GET /api/v1/stats/flywheel — 六節點即時狀態(C1 前端用)
  - GET /api/v1/stats/summary — KPI 面板數據(C1 前端用)
  - GET /api/v1/stats/flywheel/metrics — Prometheus text format
  - flywheel-alerts.yaml: 5條告警規則(FlywheelPlaybookZero/ExecutionSuccessLow/KMVectorizationLow/AlertnameNullHigh/IncidentsStuck)
  - prometheus.yml: awoooi-flywheel scrape job(5分鐘間隔)

ADR-074 M2:
  - prometheus.yml: host-connectivity Blackbox TCP probe(110:22/188:22/120:6443/121:6443)
  - flywheel-alerts.yaml: HostNetworkPartition 告警規則

597 unit tests passed

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 15:31:01 +08:00
OG T
0d239838b4 fix(cr): Code Review P2 — 測試覆蓋 + CronJob 腳本重構
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
P2-1: CronJob inline Python 抽成 scripts/cron_km_vectorize.py
      Dockerfile 加入 COPY scripts/,CronJob YAML 改用腳本路徑
P2-2: 新增 test_classify_alert_early.py — 23 tests 覆蓋 7 條分類規則
      含邊界情況:VeleroBackupFailed(backup優先於k8s)、優先順序驗證

595 unit tests passed

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 15:14:44 +08:00
OG T
f2fc4712ad feat(flywheel): Phase 4 — KM conversion hook + daily vectorize cron
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
ADR-073 Phase 4-2: incident_service.resolve_incident() KM conversion hook
- resolve 時 fire-and-forget KMConversionService.convert(incident)
- 已解決的 Incident 自動轉換為結構化 KM 條目,完成飛輪「學習固化」節點
- KMConversionService (Phase 4-1) 已存在 (km_conversion_service.py, 336 lines)

ADR-073 Phase 4-3: 15-cronjob-km-vectorize.yaml
- 每日 03:00 台北時間呼叫 /api/v1/knowledge/embed-all
- 自動向量化當日新增 KM 條目,確保 RAG 查詢不遺漏新知識
- 加入 kustomization.yaml resources

Phase 4-4: handle_callback log_manual_fix 已存在 (telegram_gateway.py:2468)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 14:40:33 +08:00
AWOOOI CD
59b7d8ea32 chore(cd): deploy 6dc03c9 [skip ci] 2026-04-12 06:30:20 +00:00
OG T
6dc03c9a55 fix(argocd)+feat(flywheel): Phase 1 完成 — ArgoCD image 斷路修復 + 冷啟動腳本
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
1. k8s/argocd/awoooi-prod-app.yaml:
   移除 Deployment image ignoreDifferences
   - 原設計造成 CD 更新 kustomization.yaml 後 ArgoCD 不更新 image
   - 修復後 GitOps 閉環恢復正常

2. scripts/cold_start_playbooks.py:
   ADR-073 Phase 1 Step 8 — 生成 15 個基礎 Playbook (K8s/Docker/DB/Infra)
   執行結果: Playbooks 0 → 15

3. scripts/batch_vectorize_km.py:
   ADR-073 Phase 1 Step 9 — 批次向量化 KM
   執行結果: 711/713 embedding IS NOT NULL

Phase 1 全部完成,飛輪已解封:
- Pod 運行 105998d(含 8be87b0 所有修復)
- debounce 30min + alertname NULL 修復 + _collect_mcp_context 啟用
- 15 Playbooks + 711 KM 向量化

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 14:20:52 +08:00
AWOOOI CD
b3fdabeb91 chore(cd): deploy 105998d [skip ci] 2026-04-12 06:06:03 +00:00
OG T
7c4b36c2cd fix(flywheel): Phase 1 — 部署 8be87b0 + debounce 30min + alertname NULL 修復
Some checks failed
CD Pipeline / build-and-deploy (push) Failing after 2m29s
ADR-073 Phase 1 三項修復:

1. k8s/kustomization.yaml: newTag a86ecf38be87b0
   - 解封 _collect_mcp_context + auto_approve + DESTRUCTIVE_PATTERNS
   - 這是飛輪解封的關鍵

2. webhooks.py: DEBOUNCE_WINDOW_MINUTES 5 → 30
   - 防止同一問題每 5 分鐘重建 Incident,改為 30 分鐘收斂窗口

3. incident_repository.py: signals JSONB 補充 alertname key
   - signal.model_dump() 只有 alert_name,DB query 用 signals->0->>'alertname'
   - 補充 alertname alias,修復 132 筆 incidents.alertname = NULL 根因

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 13:41:22 +08:00
AWOOOI CD
fdb8c2b97b chore(cd): deploy a86ecf3 [skip ci] 2026-04-12 04:28:38 +00:00
OG T
a86ecf32a2 fix(cd): 修復 non-fast-forward push 失敗 + 部署 8be87b0 修復版
All checks were successful
CD Pipeline / build-and-deploy (push) Successful in 19m9s
1. kustomization.yaml: c4392778be87b0 (auto_approve/decision_manager/webhooks)
2. cd.yaml: git push 前先 fetch+rebase,避免 CI 期間其他 commit 造成 non-fast-forward

8be87b0 包含:
- auto_approve: high risk 開放自動執行 + DESTRUCTIVE_PATTERNS 攔截
- decision_manager: classify_notification() 接通 + NO_ACTION 早退 + MCP context 收集
- webhooks: target_resource 修正 (name/container label 提取,DockerContainerUnhealthy 不再 target=alertname)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 12:17:02 +08:00
AWOOOI CD
45cf1b869f chore(cd): deploy c439277 [skip ci] 2026-04-11 14:04:07 +00:00
AWOOOI CD
33a6f34104 chore(cd): deploy 615822d [skip ci] 2026-04-11 13:29:38 +00:00
AWOOOI CD
37dfbaf26c chore(cd): deploy f23176c [skip ci] 2026-04-11 13:19:04 +00:00
OG T
f23176cbb9 fix(k8s): ArgoCD MCP 網路連線修復 — ARGOCD_URL 改用 120:30443
Some checks are pending
CD Pipeline / build-and-deploy (push) Has started running
- NetworkPolicy v1.4: 加入 ArgoCD MCP egress 規則
  - argocd namespace Pod selector (port 8080, ClusterIP fallback)
  - 192.168.0.120:30443 NodePort(ClusterIP DNAT 跨 namespace 不穩定)
- ARGOCD_URL: 192.168.0.125 → 192.168.0.120:30443(K3s Master NodePort,更穩定)
- 已驗證: 192.168.0.120:30443 從 Pod 內部可達,apps=[awoooi-prod]

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 21:10:52 +08:00
AWOOOI CD
4a00573a20 chore(cd): deploy 4b591d1 [skip ci] 2026-04-11 13:07:59 +00:00
OG T
4b591d130f chore: ArgoCD MCP egress NetworkPolicy + LOGBOOK Session 6
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
- k8s NetworkPolicy v1.4: 新增 argocd namespace egress (port 80/443)
- LOGBOOK: Session 6 審計條目

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 20:59:25 +08:00
AWOOOI CD
59dff1a478 chore(cd): deploy f2c18c4 [skip ci] 2026-04-11 12:54:21 +00:00
AWOOOI CD
694471891f chore(cd): deploy 82e1c05 [skip ci] 2026-04-11 12:45:05 +00:00
AWOOOI CD
2ad2a7ba45 chore(cd): deploy f323633 [skip ci] 2026-04-11 12:18:44 +00:00
OG T
b5aa607a30 fix(mcp): 修正 Prometheus URL (110:9090) + Sentry DSN 改 HTTP 內網
Some checks failed
CD Pipeline / build-and-deploy (push) Failing after 8m45s
- PROMETHEUS_URL: 188:9090 → 110:9090 (Prometheus server 正確位置)
- SENTRY_DSN: https://sentry.wooo.workhttp://192.168.0.110:9000 (消除 SSL hostname mismatch)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 19:51:20 +08:00
OG T
95b61802be fix(mcp): ssh-mcp-key volumeMount 路徑修正 — subPath 對齊 ssh_provider.py
Some checks failed
CD Pipeline / build-and-deploy (push) Failing after 7m45s
- ssh_mcp_key → /run/secrets/ssh_mcp_key (SSH_KEY_PATH)
- known_hosts → /etc/ssh-mcp/known_hosts (SSH_MCP_KNOWN_HOSTS_FILE)

同步: K8s Secret 重建(含 ssh_mcp_key + known_hosts)
      188/110 authorized_keys 已加入公鑰
      SSH 連線驗證: 188 OK / 110 OK

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 09:59:29 +08:00
OG T
b1c1091787 feat(mcp): MCP Phase 2a — SSH MCP key volume + SSH/ArgoCD/Sentry MCP 啟用
Some checks failed
CD Pipeline / build-and-deploy (push) Failing after 7m58s
- 06-deployment-api.yaml: ssh-mcp-key volume 定義(optional: true, 0400)
- 04-configmap.yaml: SSH_MCP_ENABLED/KNOWN_HOSTS_FILE + ARGOCD_MCP_ENABLED + SENTRY_MCP_ENABLED

MCP Phase 1-4 全部實作完成,10 providers 全部已啟用(ArgoCD/Sentry/SSH 需人工 Secret)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 09:35:52 +08:00
OG T
7f4ec717ef feat(gitops): Sprint B-2/B-3 — ArgoCD Application + CD GitOps 模式
B-2: k8s/argocd/awoooi-prod-app.yaml
  - ArgoCD Application awoooi-prod 建立(已 apply 到 K8s)
  - automated sync: prune + selfHeal
  - ignoreDifferences: Deployment image + Secret data
  - 全部 17 個 K8s 資源已確認 Synced

B-3: .gitea/workflows/cd.yaml — Deploy step 重寫
  - 舊: kubectl set image(與 ArgoCD selfHeal 衝突)
  - 新: kustomize edit set image → git commit [skip ci] → push → ArgoCD sync
  - 新增等待 ArgoCD Synced + Healthy(最多 120s)
  - 需建立 Gitea Secret: GITEA_CD_TOKEN(見 ADR-069)

docs/adr/ADR-069-infra-gitops-sprint-b.md
  - 決策記錄:循環觸發防護 + ignoreDifferences 設計

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 02:57:42 +08:00
OG T
6351e9a0e9 feat(mcp-phase2): MCP Phase 2 — Prometheus MCP + SSH MCP + alert labels
All checks were successful
CD Pipeline / build-and-deploy (push) Successful in 13m37s
Deploy Alert Rules / Deploy Prometheus Alert Rules (push) Successful in 35s
MCP-2b: prometheus_provider.py
  - prometheus_query (PromQL 即時查詢)
  - prometheus_query_range (歷史趨勢,預設 15 分鐘)
  - prometheus_get_alert_history (告警觸發歷史)
  - config: PROMETHEUS_URL + PROMETHEUS_MCP_ENABLED

MCP-2a: ssh_provider.py
  - 群組A 9 個只讀診斷工具 (top/disk/memory/logs/status/port/nginx/swap)
  - 群組B 6 個安全操作工具 (restart/compose/systemctl/clear-log/ssl/nginx-reload)
  - 四層安全守衛 (白名單/allowed_hosts/forbidden_patterns/trust_score)
  - config: SSH_MCP_ENABLED + SSH_MCP_ALLOWED_HOSTS

K8s: 04-ssh-mcp-secret.example.yaml (ssh-mcp-key Secret 範本 + 建立步驟)

Alert labels: alerts-unified.yml 補充 mcp_provider/host_type/alert_category
  覆蓋: HostHighCpuLoad/HostOutOfMemory/HostOutOfDiskSpace/DockerContainer*
        SignOzDown/SentryDown/HarborDown/GiteaDown

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 02:35:35 +08:00
OG T
45b13f1d7c fix(k8s): 更新 03-secrets.example.yaml — Sentry DSN 改 HTTPS 公網域名
ADR-069 Sprint A A-0-5:
- SENTRY_DSN: http://...@192.168.0.110:9000/3https://...@sentry.wooo.work/3
- 同步 Web DSN 範例(NEXT_PUBLIC_SENTRY_DSN)
- 加入取得 DSN 的步驟說明
- system.url-prefix 已設定為 https://sentry.wooo.work

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 02:05:11 +08:00
OG T
dbb8104557 fix(drift): kubectl not found + RBAC services/configmaps/ingresses
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
drift_detector 用 kubectl 比對 Git YAML vs K8s 實際狀態,但:
1. API image 沒有 kubectl binary → No such file or directory: 'kubectl'
2. awoooi-executor ClusterRole 缺少 services/configmaps/ingresses list 權限

修復:
- Dockerfile: apt install curl + download kubectl v1.29.0 amd64
- 07-rbac.yaml: 加入 services/configmaps (core) + ingresses (networking.k8s.io) get/list/watch

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 00:49:56 +08:00
OG T
62cb274735 feat(host_aggregator+k8s): 新增 121 K3s Worker 主機監控
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
HOST_CONFIGS 加入 192.168.0.121(K3s Worker):
- K3s API tcp:6443
- awoooi-api NodePort tcp:32334
- awoooi-web NodePort tcp:32335

NetworkPolicy 補開 121 egress: 6443/32334/32335
NodePort 服務實際在 121(mon1),非 120(mon)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 23:36:36 +08:00
OG T
c92cdeea0f feat(drift): B4 drift_reports DB 持久化 + CronJob 修復
All checks were successful
CD Pipeline / build-and-deploy (push) Successful in 12m17s
- drift_repository.py: DriftReportRepository (save/get/list/update)
- drift.py router: 移除 in-memory dict,改用 DB repository
- drift-cronjob.yaml: 修正 SA/NetworkPolicy/NodePort 問題
- allow-intra-namespace NetworkPolicy (已套用至 prod)
- migrate-phase8/9: symptoms_hash + drift_reports migration Job YAML

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 20:28:55 +08:00
OG T
c200d7a52d fix(web+k8s): CSRF mismatch + NetworkPolicy 缺少監控端口
All checks were successful
CD Pipeline / build-and-deploy (push) Successful in 12m19s
1. pending-approvals-card: 改為點擊時即時 fetch 新 CSRF token
   避免多 useCSRF 實例互相覆蓋 cookie 導致 header/cookie 不一致
2. NetworkPolicy: 補開 110:3002(Grafana) 9090(Prometheus) 3001(Gitea)
   修正 monitoring probe "All connection attempts failed"

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 20:11:00 +08:00
OG T
34f0228d92 fix(executor): K8s ClusterIP 10.43.0.1 不可達 — 加 K8S_API_SERVER_URL 覆蓋 + migration job
All checks were successful
CD Pipeline / build-and-deploy (push) Successful in 12m0s
問題: in-cluster config 讀到 10.43.0.1:443,但 K3s Pod 內 iptables/kube-proxy
      沒把流量導到實際 API server,導致 Connection refused,批准後 kubectl 永遠失敗

修復:
- executor.py: load_incluster_config() 後讀 K8S_API_SERVER_URL env 覆蓋 host
- 04-configmap.yaml: 設 K8S_API_SERVER_URL=https://192.168.0.120:6443
- migrate-sprint5r-telegram-message-id.yaml: approval_records 新增兩欄 migration job

E2E 驗證: kubectl rollout restart deployment/awoooi-worker success=True 

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 19:10:27 +08:00
OG T
a4d6b3f3e6 fix(review): 首席架構師+QA 修復 C1/P1/P2/I2/I3 — Sprint 5R Review 修正
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
C1/P1-1: DB migration — approval_records 新增 telegram_message_id/telegram_chat_id
  - apps/api/migrations/sprint5r_telegram_message_id.sql (新增)
  - apps/api/src/db/base.py: init_db() 加 ALTER TABLE ADD COLUMN IF NOT EXISTS
  - k8s/jobs/migrate-sprint5r-telegram-message-id.yaml (追蹤)

P1-2: risk_map 補 "high" 鍵防止 LLM 回傳 high 時降為 MEDIUM
  - apps/api/src/services/proposal_service.py:183

I2/M3: kubectl_command 回填補齊 delete_deployment/drain_node/cordon_node/delete_service
       + 抽取 _backfill_kubectl_command() helper 消除重複邏輯
  - apps/api/src/services/openclaw.py

I3: _notify_approval_result 靜默 except 改為 logger.warning
  - apps/api/src/services/telegram_gateway.py

P2-2: PendingApprovalsCard 審批動作加 loading/disabled 防止重複點擊
  - apps/web/src/components/shared/pending-approvals-card.tsx

P2-3: SecurityPanel/CompliancePanel error 死碼修復 — catch() 補 setError()
  - apps/web/src/components/panels/SecurityPanel.tsx (含 'Unresolved' i18n)
  - apps/web/src/components/panels/CompliancePanel.tsx

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 18:38:10 +08:00