OG T
a391dfc389
feat(aiops): capacity_forecaster — Phase 4 Holt-Winters MVP (predict_linear)
...
CD Pipeline / build-and-deploy (push) Has been cancelled
統帥批准 4 項下階段候選之一完成: AI 容量預測.
新增 capacity_forecaster_job.py (~220 行):
每日 05:00 Taipei 跑預測 (02:00 scanner → 03:00 compliance →
04:00 Hermes → 05:00 forecaster 形成完整日鏈).
預測方法論 (MVP):
Prometheus predict_linear(metric[7d], 86400*7) — 基於過去 7d 做線性外推
3 個預測 query:
1. disk_saturation_7d: predict_linear(node_filesystem_avail_bytes[7d], 7d) < 0
2. mem_saturation_7d: predict_linear(MemAvailable[7d], 7d) / MemTotal < 10%
3. cpu_high_7d_trend: avg_over_time(cpu_used_pct[7d]) > 70%
發現高風險 host → 寫 aol(capacity_recommendation) + 推 Telegram
- input: host + horizon + findings count
- output: findings list + proposed_actions + requires_human_decision=true
proposed_actions 依 findings 推導:
- disk: 清理 log/docker/PG WAL 或擴容
- mem: top consumer / JVM 調整
- cpu: scale out / vCPU 擴充
統帥鐵律對齊:
✅ 只推建議不自動 scale up
✅ 7d window 有足夠樣本
✅ AI 預測 + 人工決策
未來 TODO:
- 真 Holt-Winters (含季節性) — 需 Python statsmodels
- 業務週期調整 (週一高峰/週末低谷)
Wire main.py lifespan asyncio.create_task()
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 20:00:36 +08:00
OG T
53618b25c9
docs(logbook): 2026-04-19 20:00 本 session 22 commits 全景記錄
...
記錄:
- 統帥決策 Rule 1 deprecate + Rule 2 保留 + noise 算法修正
- Hermes LLM 升級 (OpenClaw 分析假報真因)
- coverage_evaluator 擴充 4 維 (7 維全實作)
- deploy-alerts workflow 部署 HostDiskUsageHigh/Critical 到 Prometheus
- Review 發現 5 個 bug 全修復
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 19:56:56 +08:00
OG T
c1f23cfabe
feat(coverage_evaluator): 擴充 4 維 — playbook/remediation/rule_matching/rule_creation
...
CD Pipeline / build-and-deploy (push) Has been cancelled
Review 盲點: coverage 7 維中原只實作 3 維 (monitoring/alerting/km),其餘 4 維永遠 unknown
v2 擴充:
+ auto_playbook: asset.name 出現在 playbooks.symptom_pattern/description (approved 狀態) → green
沒對應 playbook 但 type='k8s_workload' → yellow
+ auto_remediation: 過去 30d remediation_events.target_resource ILIKE asset.name → green
沒 target 但 k8s_workload/container → red (應有修復能力但沒)
+ auto_rule_matching: 過去 30d incidents.affected_services ILIKE asset.name
或 incidents.alertname match alert_rule.labels.host/namespace → green
沒觸發 → yellow (可能沒問題也可能沒覆蓋)
+ auto_rule_creation: alert_rule_catalog source='ai_generated' match asset → green
目前全 yaml_hardcoded → 全 red (表示尚未由 AI 主動建規則)
未來 Hermes 產出 AI rule 後會變 green
解鎖: coverage 7 維完整 SLO KPI (MASTER §7.1)
- red count = 真正的治理缺口
- green ratio = 自動化成熟度
- AI 可主動推薦 red asset 的補覆蓋動作
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 19:54:36 +08:00
AWOOOI CD
576f9dad18
chore(cd): deploy ba18ad2 [skip ci]
2026-04-19 11:46:35 +00:00
OG T
ba18ad2ef8
feat(hermes+rules): LLM 升級 Hermes + 統帥決策 deprecate PostgreSQLDiskGrowthRate
...
Deploy Alert Rules / Deploy Prometheus Alert Rules (push) Successful in 40s
CD Pipeline / build-and-deploy (push) Successful in 8m37s
統帥 2026-04-19 決策:
- Rule 1 PostgreSQLDiskGrowthRate → 選項 C: deprecate + 替代新規則
- Rule 2 NoAlertsReceived2Hours → 保留 (真實告警鏈路守護)
- noise_rate 算法先修正 (NO_ACTION 不算 fp),觀察後動態調整
1. rule_stats_updater v2 noise 算法:
原: 任何 EXPIRED approval 都算 fp
問題: NO_ACTION/OBSERVE/INVESTIGATE 是 AI 純觀察,不該算假報
修: WHERE ar.action NOT ILIKE '%NO_ACTION%' AND NOT ILIKE '%OBSERVE%' AND ...
2. hermes_rule_quality v2 LLM 升級:
新增 _llm_analyze_noisy_rule:
- 用 OpenClaw (Ollama/NemoTron/Gemini) 分析每條噪音 rule
- JSON 輸出: probable_root_causes/recommended_actions/confidence/should_deprecate
- 3 路 parse fallback (直接 / NemoTron wrapper / description nested)
_write_advisory_aol 加 llm_analysis 到 output_payload
_send_telegram_summary 加 AI 判定 + top 2 建議 (8 條上限避免太長)
符合統帥鐵律: AI 分析但不自動動作,仍人工決策
3. ops/monitoring/alerts-unified.yml 替換 Rule 1:
刪 PostgreSQLDiskGrowthRate (500MB/h 增長 → 觸發 WAL 正常行為誤報)
加 HostDiskUsageHigh (>80% for 10m, warning)
加 HostDiskUsageCritical (>90% for 5m, critical)
兩者 labels.supersedes='PostgreSQLDiskGrowthRate' 供追溯
(待 deploy-alerts workflow 下次 apply 到 Prometheus)
4. DB 即時 mark deprecated (避免等 alerts yaml 部署前 Hermes 又推):
UPDATE alert_rule_catalog SET review_status='deprecated' WHERE rule_name='PostgreSQLDiskGrowthRate'
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 19:39:05 +08:00
OG T
c015a77011
docs(logbook): Phase 7 完整化記錄 — 8/8 表全寫入 + 5 bugs 修 + Hermes E3
...
記錄本輪 review 深入發現的 5 個 bug + 8 個新 scanner/evaluator/advisor.
8 張 ADR-090 0 writer 表覆蓋率 100%.
2 條 100% noise rule 待 Hermes 推建議後人工決策.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 19:28:28 +08:00
AWOOOI CD
e84338e615
chore(cd): deploy 6ab0ce9 [skip ci]
2026-04-19 10:18:43 +00:00
OG T
6ab0ce9c75
feat(aiops): Hermes rule quality advisor — E3 AI 規則品質建議 (保守版)
...
CD Pipeline / build-and-deploy (push) Successful in 8m22s
實證 rule_stats 跑完後發現 2 條 100% noise_rate 規則:
- PostgreSQLDiskGrowthRate (tp=0 fp=2)
- NoAlertsReceived2Hours (tp=0 fp=1)
加上 MoWoooWorkDown (33%), KubePodCrashLooping (25%)
新增 hermes_rule_quality_job.py (~210 行):
每日 04:00 Taipei 分析 alert_rule_catalog:
- threshold: noise_rate >= 0.7 AND 樣本 >= 5
- 為每條寫 aol('rule_rejected', proposed_action='review_or_deprecate')
- 推 Telegram 摘要給 SRE group
統帥鐵律對齊:
✅ 不自動改 review_status (人工決策 deprecate,AI 只推建議)
✅ threshold 作為「觸發討論」而非「最終決策」
✅ aol(rule_rejected) 留 trail,未來可升級 LLM 辯證
解鎖 E3 Hermes 基礎: 後續可加 LLM 分析假報真因 (expr 缺 for: window、
label match 太寬泛、metric 本身 noisy 等),產出具體改進建議.
Wire main.py lifespan asyncio.create_task()
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 18:11:26 +08:00
AWOOOI CD
691bdc6cc1
chore(cd): deploy e677773 [skip ci]
2026-04-19 09:35:27 +00:00
OG T
e677773e39
fix(asset_scanner): Pod→Deployment via ReplicaSet 橋樑 (relationship 漏掉修復)
...
CD Pipeline / build-and-deploy (push) Successful in 9m31s
Review 盲點: 實測 asset_relationship 52 筆,但都是 Pod→StatefulSet + Pod→ConfigMap,
完全沒有 Pod→Deployment!
真因:
K8s 中 Pod.ownerReferences[0].kind = 'ReplicaSet' (99% 案例)
Deployment 管 ReplicaSet 管 Pod (兩層 owner chain)
原 code 只 match kind in (deployment/statefulset/daemonset) → 跳過 ReplicaSet
→ Pod→Deployment 關係全部漏掉
修復 v3.1:
0. 新增 collect replicasets pass (僅作為 bridge,不寫 asset_inventory)
建 rs_to_deployment map: {ns/rs_name: deployment_name}
2. Pod ownerRef.kind='ReplicaSet' → 反查 rs_to_deployment → 建 Pod→Deployment
預期效果:
- asset_relationship 從 52 → 150+ (所有 Deployment-managed Pod 都有 relationship)
- OpenClaw blast_radius 計算 Deployment 影響的 Pod 數 = 正確
不寫 ReplicaSet 為 asset (他是 ephemeral 中介,滾動更新會大量產生,污染 inventory)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 17:26:57 +08:00
OG T
c8b263db06
fix(coverage_evaluator): KM 欄位修正 ke.body → ke.content + 擴大 title 匹配
...
CD Pipeline / build-and-deploy (push) Has been cancelled
實測 df71c9anoreply@anthropic.com >
2026-04-19 17:24:46 +08:00
OG T
92349bc37c
feat(aiops): asset_change_tracker — 8 張 0 writer 表全數上線
...
CD Pipeline / build-and-deploy (push) Has been cancelled
Review 盲點 10: asset_change_event 仍 0 筆 (最後一張 0 writer 表)
新增 asset_change_tracker_job.py (~180 行):
每 1h 比對最近兩次 asset_discovery_run,寫 asset_change_event:
✅ asset_added: newer run 有但 older run 沒有 (EXCEPT SET)
✅ asset_removed: older 有但 newer 沒有
✅ lifecycle_changed: asset_inventory.lifecycle_state='deprecated' 且 updated_at 近 2h
使用 SET EXCEPT 避免 N+1, 單次 INSERT 完成所有 diff
8 張 ADR-090 0 writer 表到此全數有 writer:
✅ asset_inventory / asset_discovery_run / asset_coverage_snapshot
/ asset_relationship / asset_change_event / asset_compliance_snapshot (asset_*)
✅ alert_rule_catalog
✅ host_capacity_snapshot / capacity_violation_event (capacity_*)
Phase 7 資產盤點 + 覆蓋矩陣 + 變化追蹤完整實作.
接下來可以上 Hermes AI agent 分析品質 (deprecate noisy rules, 推薦 coverage 修復).
Wire main.py lifespan asyncio.create_task()
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 17:18:34 +08:00
AWOOOI CD
46677a3392
chore(cd): deploy df71c9a [skip ci]
2026-04-19 09:12:54 +00:00
OG T
df71c9a37b
feat(aiops): rule_stats_updater — 計算 noise_rate + true/false positive
...
CD Pipeline / build-and-deploy (push) Successful in 8m26s
Review 盲點 5: alert_rule_catalog 68 筆但 noise_rate/TP/FP/last_fired_at 全 NULL
新增 rule_stats_updater_job.py (~170 行):
每 1h UPDATE 全表 alert_rule_catalog,從 incidents + approval_records 推算:
- last_fired_at = max(incidents.created_at WHERE alertname=rule_name)
- true_positive_count = count incidents.status='RESOLVED' past 30d
- false_positive_count = count approval_records.status='EXPIRED' past 30d
(EXPIRED = 48h 無人處理,視為假警報 proxy)
- noise_rate = fp / (tp + fp)
窗口: 30 天 (可配置)
使用單一 UPDATE + subquery,避免 N+1 (68 rule × 3 query = 204 queries → 1 query)
解鎖 E3 Hermes:
後續 Hermes AI agent 讀 alert_rule_catalog WHERE noise_rate > 0.5
提案 review_status='deprecated' 或 superseded_by_rule_id
Wire main.py lifespan asyncio.create_task()
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 17:05:30 +08:00
OG T
505232336b
feat(aiops): coverage_evaluator — 把 coverage_snapshot 從 unknown 升為真實 status
...
CD Pipeline / build-and-deploy (push) Has been cancelled
Review 盲點 4: asset_coverage_snapshot 546 筆全是 'unknown',沒實際意義
新增 coverage_evaluator_job.py (~270 行):
每 1h 針對最新 asset_discovery_run 的 coverage_snapshot 做 3 維升級:
✅ auto_monitoring: Prometheus /api/v1/targets 看 host asset IP
→ green (有 target) / red (無 target)
✅ auto_alerting: alert_rule_catalog.labels 是否 match asset
→ host/namespace/layer 三種 match 策略, green/red
✅ auto_km_creation: knowledge_entries.body ILIKE asset.name
→ green (有 KM) / yellow (無 KM)
evidence JSONB 記錄升級依據,供 AI 後續稽核
未實作 (留 unknown):
⏳ auto_rule_matching (需 alert history 統計)
⏳ auto_playbook / auto_remediation / auto_rule_creation (需 playbook 表)
預期效果 (下次 evaluator 跑 + coverage_snapshot UPDATE):
- 546 筆 coverage 從 100% unknown → 30-50% green/red/yellow
- 真正可以算 "覆蓋率 SLO" KPI (MASTER §7.1)
- AI 可從 coverage_snapshot 看出 red asset,主動推 remediation
Wire main.py lifespan asyncio.create_task()
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 17:02:30 +08:00
AWOOOI CD
0d2455ae9a
chore(cd): deploy fdf8b73 [skip ci]
2026-04-19 09:01:49 +00:00
OG T
fdf8b739f1
feat(asset_scanner): v3 擴充多資源類型 + asset_relationship builder
...
CD Pipeline / build-and-deploy (push) Has been cancelled
Review 原本 MVP 只掃 pods (39 assets) 盲點,本次擴充:
新增資源類型掃描:
- nodes (asset_type='host') — 實體主機
- deployments/statefulsets/daemonsets (asset_type='k8s_workload')
- services (asset_type='k8s_resource')
- configmaps (asset_type='k8s_resource')
跳過 secrets (awoooi-executor RBAC 禁止 list,正確設計)
新增 asset_relationship 自動建立:
- Pod → Deployment/StatefulSet/DaemonSet (depends_on, via ownerReferences)
- Service → Pod (routes_to, via spec.selector 匹配 Pod.labels)
- Pod → ConfigMap (depends_on, via spec.volumes[].configMap.name)
用 ON CONFLICT (from/to/type) DO UPDATE last_verified_at 保持 idempotent
新增 _fetch_kubectl_json helper (nodes 不帶 --all-namespaces)
新增 _build_{pod,workload,service,node,configmap}_asset 各自 asset 建構器
預期效果 (下次 scan 1h 後或 Pod 重啟時):
- asset_inventory: 39 → 300+ (全集群多種資源)
- asset_relationship: 0 → 數百 (OpenClaw 爆炸半徑計算終於有拓樸)
解鎖下游:
- AI 計算 blast_radius 可查 asset_relationship (之前無資料)
- MASTER §3.3 D3 Declarative Remediation 的 blast_radius_calculator 有真實依賴圖
Refs: ADR-090 §3.3, MASTER §3.1 L6×D1 (8D 感官拓樸)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 16:54:18 +08:00
AWOOOI CD
c77ce63a32
chore(cd): deploy 0226344 [skip ci]
2026-04-19 08:39:23 +00:00
OG T
5d011de917
docs(logbook): 2026-04-19 Phase 7 scanner 完成 + CI 修復歷程
...
記錄本輪 6 個 commits 的全景與 CI cd.yaml B5 3 輪除錯歷程,
供未來 session 接手時理解當前進度。
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 16:36:30 +08:00
OG T
02263445c2
fix(asset_scanner): kubectl 改 subprocess — K8sProvider 不支援 --all-namespaces
...
CD Pipeline / build-and-deploy (push) Successful in 9m9s
5b9b36fnoreply@anthropic.com >
2026-04-19 16:31:26 +08:00
OG T
4259a104f5
feat(aiops): capacity_scanner + compliance_scanner (ADR-090 Phase 7 剩 2)
...
CD Pipeline / build-and-deploy (push) Has been cancelled
完成 ADR-090 Phase 7 第 3+4 個 service,解鎖 2 張 0 writer 表:
B3. apps/api/src/jobs/capacity_scanner_job.py (~300 行)
- 每日 02:00 Taipei 撈 Prometheus node_exporter
- 寫 host_capacity_snapshot (load1/5/15, cpu, iowait, mem, swap)
- heuristic ai_verdict: cpu>80 or mem>85 → critical; >60/70 → warning
- 超過硬閾值 → 寫 capacity_violation_event
- 寫 aol(capacity_recommendation)
B4. apps/api/src/jobs/compliance_scanner_job.py (~270 行)
- 每日 03:00 Taipei 遍歷 asset_inventory active assets
- 為每個 asset 寫 7 維 compliance snapshot
- secret_rotated: 真實檢查 (metadata.creationTimestamp > 90d = warning)
- 其他 6 維 (ssl_cert_valid / cve_scan / backup_tested /
audit_log_enabled / access_reviewed / encryption_at_rest) 占位 'unknown'
+ detail TODO,後續 agent 補邏輯
- 寫 aol(coverage_recalculated) summary
main.py lifespan 同步 wire 2 個新 loop
預期解鎖 (配合 B1 asset_scanner + B2 rule_catalog_sync):
- asset_inventory: 0 → 數百 (B1)
- asset_discovery_run: 0 → 每小時 1 (B1)
- asset_coverage_snapshot: 0 → assets × 7 維 (B1)
- alert_rule_catalog: 0 → ~68 條 (B2)
- host_capacity_snapshot: 0 → 每日 hosts (B3)
- capacity_violation_event: 0 → 超閾值時 (B3)
- asset_compliance_snapshot: 0 → assets × 7 維 (B4)
automation_operation_log 新增 4 個 op_type: asset_discovered / rule_created /
rule_updated / capacity_recommendation / coverage_recalculated
8 張 0 writer 表到此全數有 writer,ADR-090 Phase 7 實作完成.
Refs: ADR-090 §4.2 Phase 4, MASTER §3.5 D5 (capacity-aware)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 16:23:27 +08:00
AWOOOI CD
2dd02bec3f
chore(cd): deploy 5b9b36f [skip ci]
2026-04-19 08:18:49 +00:00
OG T
5b9b36f30d
fix(ci)+feat(aiops): cd.yaml shared network + rule_catalog_sync (ADR-090 E3)
...
CD Pipeline / build-and-deploy (push) Successful in 14m31s
CI 修復 (c0f3509c0f3509noreply@anthropic.com >
2026-04-19 16:08:34 +08:00
OG T
c0f3509d39
fix(drift-card): Drift Diff HTTP 400 — item-by-item 累計長度避免切斷 HTML
...
CD Pipeline / build-and-deploy (push) Failing after 2m0s
統帥回報 14:18 點 [查看 Diff] 收到 'Drift Diff 查詢失敗: HTTP error: 400'
真因 (telegram_gateway.py:2087 _send_drift_diff_detail):
- report_id=7ffe78ae 有 48 items,單筆 git_value 最長 1794 字 (env array)
- 累計 _full 遠超 4096,執行 _full[:3950] 截斷
- 截斷可能切在 HTML tag 中間 (<code>... 或 < entity 中間)
- Telegram parse_mode='HTML' 拒絕不完整 HTML → 400
修復:
- item-by-item 累計長度,單個 item 算 _block 長度+1
- 預留 3800 上限 (4096 - 250 buffer 給 header + '… 還有 X 項' 提示)
- 確保 _full 永遠是完整 HTML 結構
驗證: 下次 drift report 出現 + 統帥點 [查看 Diff] 應正常顯示 (本 session 的下個 cycle)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 14:26:29 +08:00
OG T
ddb902f1ff
fix(ci+aiops): cd.yaml grep set-e bug + 新增 asset_scanner_job (ADR-090)
...
CD Pipeline / build-and-deploy (push) Has been cancelled
CI 修復 (b636d3be7ba8cbnoreply@anthropic.com >
2026-04-19 14:15:45 +08:00
OG T
b636d3b30b
fix(ci): cd.yaml B5 integration test 修 docker network 隔離 (run 984/985 root cause)
...
CD Pipeline / build-and-deploy (push) Failing after 44s
連續 2 次 CD fail (run 984 + 985) 真因:
- act runner 把 ci-runner container 跑在獨立 user-defined network
- cd.yaml line 159-167 docker run pg-test-b5 沒 --network → 預設 host bridge
- ci-runner 看不到 host bridge IP 172.17.0.2:5432 → timeout
- host SSH 直連 PG 健康 (確認 PG 沒問題,純網路隔離)
修復:
+ 動態抓 act task network: docker network ls | grep '^GITEA-ACTIONS-TASK-[0-9]+_WORKFLOW-.*-network$'
+ pg-test-b5 加入該 network: --network=$ACT_NET (找不到時 fallback bridge)
+ 連線改 container name 'pg-test-b5' (不依賴 IP)
驗證: 本 commit push 後 CI 自己跑就是 E2E 驗證
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 13:19:04 +08:00
OG T
7e4d83e66e
chore(cd): manual deploy e7ba8cb (CI B5 network bug bypass) [skip ci]
...
CI B5 Integration Tests 因 docker network 隔離無法連 pg-test-b5,
連續 2 次 fail (run 984 + 985)。
905 unit test + 26 verifier test 全 pass,確認 e7ba8cbnoreply@anthropic.com >
2026-04-19 12:46:36 +08:00
OG T
e7ba8cb181
fix(aiops): 打通 AI 自主學習鏈 — verifier 改 await + aol 動作回灌
...
CD Pipeline / build-and-deploy (push) Failing after 7m29s
統帥 2026-04-19 全景審計發現:
- automation_operation_log: 22 筆 (全部 drift_narrator),33 件/7d approval 動作 0 筆回灌
- incident_evidence.verification_result: 1212 筆 100% NULL,verifier 從未寫入
- 根因: _run_post_execution_verify 用 asyncio.create_task fire-and-forget,
Pod recycle 時 task 被殺,verification_result 永遠寫不進去
修復 (打通 verifier→learning→Playbook EWMA→finetune 全鏈):
approval_execution.py:
+ _log_aol_started: 主流程開始時 INSERT aol(playbook_executed, pending)
+ _log_aol_completed: 4 個 return 點 UPDATE aol 為 success/failed + duration + stderr
└ NO_ACTION / parse_fail / K8s 成功 / K8s 失敗 全部留痕
~ _run_post_execution_verify 兩處 (成功+失敗 path) 從 create_task 改 await + 60s timeout
+ 失敗時 stderr_feed_back 寫入 result.error → 解開 E6 stderr 回灌閉環
declarative_remediation.py:
~ _log_remediation_event task 加 named + add_done_callback,task 失敗時有 log
(原 fire-and-forget 0 筆寫入,現在可診斷為何 task 死掉)
預期效果:
- aol playbook_executed 即時可見 (33 件/7d 立刻有資料)
- incident_evidence.verification_result 開始累積 → finetune_exporter 7d cron 終於有料
- Playbook EWMA trust_score 開始動態變化
- stderr_feed_back 接通 → 失敗訊號回灌 retry/Playbook 負向強化
不影響:
- background_task 跑在背景,+60s 延遲不阻塞 API
- aol 寫入失敗只 logger.warning,不阻塞執行主流程
Refs: MASTER §3.1 L6×D1 (ADR-081 PostExecutionVerifier),
MASTER §3.4 D4 (ADR-083 學習閉環),
ADR-090 監控盲區治理 (2026-04-18 全景審計)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 12:07:29 +08:00
AWOOOI CD
da7956187e
chore(cd): deploy 2abc91e [skip ci]
2026-04-19 03:38:47 +00:00
OG T
2abc91e360
fix(drift-card): 修 drift 卡片 2 bug — AI 研判 copy 樣式 + Diff 按鈕 AttributeError
...
CD Pipeline / build-and-deploy (push) Successful in 13m8s
Bug 1: 按「🔍 查看 Diff」失敗
錯誤: 'DriftReportRepository' object has no attribute 'get_by_id'
根因: DriftReportRepository 方法叫 get(), 其他 repo 都叫 get_by_id()
修法: 加 get_by_id() alias, 對齊 repo 介面慣例
Bug 2: AI 研判內容被渲染成 code block + copy 按鈕
根因: telegram_gateway line 1962 用 <pre> 包 diff_summary
但 diff_summary 是 AI 研判敘述 + emoji 清單, 非 code
修法: 移除 <pre>, 改以分隔線 + html.escape 純文字顯示
驗收:
- 下次 drift 卡片: AI 研判段落純文字(無紫色 code block + copy)
- 按「🔍 查看 Diff」→ 送完整 diff 詳情(非 AttributeError)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 11:27:13 +08:00
OG T
eab3f527cd
feat(monitoring): Phase 7 盲區治理 — L2 配額 + 自監控告警 (ADR-090)
...
Deploy Alert Rules / Deploy Prometheus Alert Rules (push) Successful in 1m21s
CD Pipeline / build-and-deploy (push) Failing after 9m24s
戰場:110 load=17 持續 13 天 + 188 cadvisor 321% CPU 重啟無效
統帥鐵律:不要只降低,要長期解決 → 結構性治理而非補丁
本 commit 涵蓋:
1. k8s/monitoring/docker-compose-110.yml
- cadvisor 加 mem_limit 512M + cpus 1.0(L2 防爆網)
- 備註 110 live 與本檔 drift(下一 session 納入 CD)
2. ops/monitoring/alerts-unified.yml 新增 infra_self_monitoring 群組:
- CadvisorDown / MemoryPressure / CPUThrottled
- NodeExporterDown / CPUThrottled
- SentryClickHouseMemoryPressure / CPUThrottled
- GiteaMemoryPressure / CPUThrottled
- PrometheusDown(監控自監控元層)
→ 全部用 (memory usage / spec_memory_limit) 動態判斷,
不寫死 80% 或 MB 數,配額改閾值自動跟著變
其他配套(非本 repo,已 SSH patch 到 110/188):
- /home/ollama/wooo-aiops/docker-compose.yml:188 cadvisor 加 --disable_metrics / --docker_only / --housekeeping_interval + 1g/1.5c
- /home/wooo/monitoring/docker-compose.yml:110 cadvisor + node-exporter 納管 + 降維 flags + 配額
- /opt/sentry/docker-compose.override.yml:Sentry L2 配額(clickhouse 8g/4c, kafka 3g/2c 等)
- /home/wooo/gitea/docker-compose.yml:Gitea 3g/3c
- /home/wooo/act-runner/docker-compose.yml:Actions Runner 2g/2c
對映:
- feedback_monitor_self_monitoring.md 🔴 🔴 🔴 監控工具必須被監控
- feedback_ai_autonomous_direction.md 動態閾值 ≠ 寫死規則
- ADR-090 Layer 2 資源配額強制
驗收(48h):
- 188 cadvisor CPU 從 321% → <50%(配額強制)
- 110 load5 從 18 → <10(Sentry/Gitea 釋壓後)
- 自監控告警無誤報
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 01:50:41 +08:00
OG T
2524aa983a
docs(adr): ADR-091 Telegram 子系統 Round 3 全景審計正式文件
...
- 11 按鈕 × handler 覆蓋矩陣定版
- 三缺一鐵律(callback格式+handler+能力)升級 ADR 層級
- callback_data 雙格式(nonce vs INFO)正式認定
- Long Polling by design 確認
- approval 三戳鐵律(editMarkup + editText + DB message_id)
- NO_ACTION 不誤標 FAILED 救 MASTER §7.1 #11
對應 commits 877c847
2026-04-19 01:32:52 +08:00
OG T
0670fe4d76
docs(master): §8 追加 Phase 7 Round 3 Telegram 子系統修復記錄
...
Round 3 Changelog 條目:
- 9 bugs 盤點 + 5 commits 清單
- git tag v7.3.0
- 交接指引給下個 Session
2026-04-19 凌晨 — ogt + Claude Opus 4.7
2026-04-19 01:32:52 +08:00
AWOOOI CD
be76100112
chore(cd): deploy 4b8be32 [skip ci]
2026-04-18 17:26:35 +00:00
OG T
4b8be32610
fix(telegram+approval): TG-1 + AP-1/2/3 — 4 修 Telegram UX
...
CD Pipeline / build-and-deploy (push) Failing after 25m27s
Ansible Lint / lint (push) Has been cancelled
2026-04-19 凌晨(台北時區)— ogt + Claude Opus 4.7 (1M)
## TG-1: INFO_ACTIONS 加 view
security_interceptor.py — 'view' 按鈕現在走 2-part 讀格式,
不再誤觸發 4-part nonce 寫格式。
## AP-1: approval_records.telegram_message_id 持久化
telegram_gateway.send_approval_card send 成功後,在 DB 層 UPDATE
approval_records SET telegram_message_id, telegram_chat_id
(不只 Redis, Pod 重啟仍可找回原卡片)。
## AP-2: approval 執行完成原卡片 edit + KM/Playbook 增量
approval_execution._push_execution_result_to_alert 除了 reply 原卡片,
還 editMessageReplyMarkup 移除按鈕(修「永遠執行中」卡片問題)。
- 同步查 knowledge_entries/playbooks 2min 內增量,附加到訊息
顯示 "📚 KM +N 🎯 Playbook 更新×M"
- 成功: ✅ 執行成功 + action + KM 增量
- 失敗: ❌ 執行失敗 + 原因 + KM 增量
## AP-3: primary_responsibility 正規化降「❓ 未知」比例
openclaw._parse_analysis_result: 若 LLM 填空/None/不在白名單
(FE/BE/INFRA/DB/COLLAB),強制 fallback: kubectl 關鍵字有 → INFRA,
否則 BE。之前只檢查 "not in data" 但 None 或空字串會穿過。
## 跳過: TG-3 (refactor) + TG-5 (webhook 為棄用 endpoint,design 採 Long Polling)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 01:15:58 +08:00
OG T
68a42a3c97
fix(openclaw): 幻覺驗證雙路徑覆蓋 + 抽出共用 helper
...
CD Pipeline / build-and-deploy (push) Has been cancelled
2026-04-19 凌晨(台北時區)— ogt + Claude Opus 4.7 (1M)
根因:
commit 7e9448fnoreply@anthropic.com >
2026-04-19 01:11:09 +08:00
OG T
fdce0a3ab9
fix(approval): NO_ACTION 不再誤標 EXECUTION_FAILED (MASTER §7.1 #11 修)
...
CD Pipeline / build-and-deploy (push) Has been cancelled
2026-04-19 凌晨(台北時區)— ogt + Claude Opus 4.7 (1M)
根因:
approval.action='NO_ACTION - 待分析' (幻覺 validator 降級產物) 丟進
parse_operation_from_action → operation_type=None → background_execution_skip
→ update_execution_status(success=False) → 標為 EXECUTION_FAILED。
污染 KPI:
MASTER §7.1 #11 auto_execute 成功率 = EXECUTION_SUCCESS / (SUCCESS+FAILED)
NO_ACTION 本來就不該計入失敗,但卻被算進去拖垮指標。
實測 30d 成功率 0.9% 有很大比例是 NO_ACTION 誤標造成。
修復:
parse 失敗時先判斷是否 NO_ACTION 類 (action 含 NO_ACTION/OBSERVE/INVESTIGATE
等關鍵字) → 走專屬 noop 分支:
- log event=background_execution_noop (info 級)
- update_execution_status(success=True) → EXECUTION_SUCCESS
- timeline 標 ✅ 純觀察類動作完成
- reply 原告警卡片顯示成功
- return True
真正解析失敗 (非 NO_ACTION) 保留原失敗路徑,但補上 error_message
(P0.2 延伸),讓 rejection_reason 有 "Could not parse operation type from
action: <action>" 而非空字串。
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 01:08:16 +08:00
OG T
2e988bdb81
fix(telegram): drift 執行結果貼回卡片 + audit log user_id
...
CD Pipeline / build-and-deploy (push) Has been cancelled
IDE 抓到 _stamp 未使用(結果沒送)+ user_id 未使用(audit 缺漏)。
修:
1. _edit_drift_card_outcome 不只移除按鈕,還 send 簽核戳訊息
(reply_to 原卡片,若 msg_id 存在),格式:
✅ 已採納 by @username (成功)
Drift <report_id>
2. _handle_drift_action 加 drift_callback_dispatched log(audit)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 01:07:13 +08:00
OG T
877c8479e0
fix(telegram): TG-2 + TG-4 修 drift 按鈕 black hole
...
CD Pipeline / build-and-deploy (push) Has been cancelled
2026-04-19 凌晨(台北時區)— ogt + Claude Opus 4.7 (1M)
統帥截圖直擊: 按「查看 Diff」→ 變成「執行中」,且看不到還有 21 項。
全景盤點發現 9 個 Telegram 子系統 bug,本 commit 修 2 個最痛的:
## TG-2: drift_view/drift_adopt/drift_revert 3 按鈕**無 handler**
點擊 → fallthrough → UX 黑洞 / 誤觸發 approve 路徑。
修復: handle_callback 在 state guard 後(line 2752 後)加 Step 1.85
offroute: 3 個 drift_* action → _handle_drift_action 專職處理,
不走 nonce approve/reject dispatch,避免誤觸發執行流。
3 個按鈕實作:
- drift_view: 讀 drift_reports → 送新訊息展示全部 items
(HIGH/MEDIUM/INFO emoji + Git vs K8s 原值對照,上限 50 項 4000 字)
- drift_adopt: 呼叫 drift_adopt_service.adopt_drift()
- drift_revert: 呼叫 drift_remediator.revert()
## TG-4: drift card message_id 沒存 Redis → edit 回不了卡片
修復: send_drift_card 成功後 setex f"tg_drift:{incident_id}" TTL 24h,
供 _edit_drift_card_outcome 在 adopt/revert 執行後更新原卡片(先移除
按鈕 + 加「XX by @username (成功/失敗)」簽核戳)。
## 未包含(follow-up):
TG-1 INFO_ACTIONS 擴充(view) — 下一 commit
TG-3 handler 重複分派 — 評估中
TG-5 Bot webhook URL 未設 — 需統帥決策公開 URL
approval card NO_ACTION 誤標 FAILED — 下一 commit
approval card description 矛盾 / responsibility 未知 / 執行後 edit
全景 9 bug 清單詳見 project_phase7_round3_telegram_subsystem_audit(待建)。
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 01:06:30 +08:00
AWOOOI CD
41e6b503e2
chore(cd): deploy 98aef55 [skip ci]
2026-04-18 16:11:01 +00:00
OG T
98aef55b31
feat(kpi): ADR-090-D MASTER §7.1 北極星 KPI 5 斷鏈全修
...
CD Pipeline / build-and-deploy (push) Successful in 11m49s
run-migration / migrate (push) Failing after 15s
2026-04-18 晚(台北時區)— ogt + Claude Opus 4.7 (1M)
MASTER §7.1 15 個北極星 KPI 實測對標發現 5 個斷鏈:
#3 fine-tune JSONL /week — finetune_exports 表不存在
#4 MCP 呼叫/24h — timeline_events 沒 mcp_call event_type
#6 Declarative 修復使用率 — remediation_events 表不存在
#7 general 兜底 17.3% — classify_alert_early 漏 5 類
#10 notification_outcomes /week — 表不存在
本 commit 全修。
## 1. Migration: adr090d_kpi_data_sources.sql (3 張表)
- finetune_exports — P3 Fine-tune JSONL 追蹤
- remediation_events — P5 Declarative 修復追蹤
- notification_outcomes — 通知品質 + RLHF 語料
Idempotent (CREATE TABLE IF NOT EXISTS), 已 apply 進 prod。
## 2. classify_alert_early 擴 4 類規則 (降 general 兜底)
- test 攔截: Test*/FPTest/FingerprintTest/ADR089*Test/L4Closure*/*FreshUniq*
→ category='test', TYPE-1 純通知
- High*CPU/Memory/Disk/Load → host_resource
- TLS*/SSL*/*ProbeFailure* → ssl_cert
- PostgreSQL*/MySQL*/MongoDB*/*DiskGrowthRate → database
預期 general 17.3% → 3-5% (達標 <10%)。
## 3. finetune_exporter DB 寫入
_run_export() 結尾寫 finetune_exports 一筆,含 checksum/size/record_count。
## 4. declarative_remediation DB 寫入
evaluate() 後 fire-and-forget _log_remediation_event() 寫 remediation_events
(status='pending', remediation_type 依 tier 自動判為 declarative/imperative/gitops_pr)。
## 5. telegram_gateway DB 寫入 (send_approval_card)
_send_request 成功返回 message_id 後寫 notification_outcomes 一筆,
channel='telegram', delivery_status='delivered|failed'。未來人類按鈕時
update user_action → RLHF 訓料黃金。
## 6. pre_decision_investigator MCP 呼叫追蹤
_call_single_tool() finally 寫 timeline_events event_type='mcp_call',
含 provider/tool/status/duration_ms/error。24h 內 MCP 呼叫可 SQL 量測。
## 預期量化改善
| KPI | 修前 | 修後 24h 後應見 |
|-----|------|----------------|
| #3 fine-tune /week | 0 (表不存在) | >=10 (每週 cron 跑) |
| #4 MCP 呼叫/24h | 0 | >0 (實測將寫 timeline) |
| #6 declarative 使用率 | 表不存在 | 有資料 (pending/success/failed 分佈) |
| #7 general 兜底 | 17.3% | <10% |
| #10 notification_outcomes | 0 | 每次 approval card 寫一筆 |
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-19 00:00:31 +08:00
AWOOOI CD
805230436d
chore(cd): deploy 898145d [skip ci]
2026-04-18 15:38:17 +00:00
OG T
898145d68e
refactor(openclaw): SuggestedAction 改用頂部 import (避免 inline 三重巢狀)
...
CD Pipeline / build-and-deploy (push) Successful in 11m17s
Ansible Lint / lint (push) Has been cancelled
IDE 對 inline "from src.models.ai import" 誤報(但運行正常)。
改為頂部 import 既滿足 IDE 也更 Pythonic。
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-18 23:28:19 +08:00
OG T
e6e484c1dc
fix(openclaw): import path 修正 — src.models.ai (非 openclaw_schema)
...
CD Pipeline / build-and-deploy (push) Has started running
IDE 正確抓到的 bug(非 false positive),SuggestedAction 在 src/models/ai.py。
_SA.NO_ACTION 現在能正確降級。
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-18 23:26:45 +08:00
OG T
7e9448f6d0
fix(openclaw): 幻覺 deployment 名雙層防禦 — Prompt + Python validator
...
CD Pipeline / build-and-deploy (push) Has been cancelled
2026-04-18 晚(台北時區)— ogt + Claude Opus 4.7 (1M)
生產事件 (approval f763bedf, 22:58):
- Alert: KubePodCrashLooping, labels.deployment="awoooi-api"
- NEMOTRON 雖收 inventory "awoooi-api, awoooi-web, awoooi-worker"
仍輸出 kubectl_command="kubectl rollout restart deployment/awoooi-prod"
(把 namespace 誤當 deployment 名)
- 執行結果: "Deployment 'awoooi-prod' not found in namespace 'awoooi-prod'"
## Layer 1: NEMOTRON_SYSTEM_PROMPT 強化 (prompts.py)
新增「🔒 DEPLOYMENT NAME RULE (STRICTLY ENFORCED)」區塊:
- namespace NEVER is a deployment name
- "awoooi-prod" 是 NAMESPACE,不可寫 deployment/awoooi-prod
- 若有 inventory,deployment 必須 exact match
- 優先用 labels.deployment,unknown → NO_ACTION
## Layer 2: Python 後驗證 (openclaw.py:1322+)
LLM 回應解析後 regex 抽出 deployment 名,對照 _k8s_inventory:
- 在清單內 → 通過
- 不在清單內 → 降級:
* kubectl_command → "kubectl get deploy -n {ns}"(純調查)
* suggested_action → NO_ACTION
* target_resource → "unknown(hallucinated)"
* confidence → 0.0
* description 加註 [安全降級] 並列出合法 inventory
- log 'openclaw_deployment_hallucination_detected' 記錄
效果: 就算 LLM 無視 prompt,Python 層也會擋下。
破壞性 kubectl 絕不執行於不存在的 deployment。
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-18 23:26:09 +08:00
AWOOOI CD
87d0859a98
chore(cd): deploy 6ad73b4 [skip ci]
2026-04-18 12:22:38 +00:00
OG T
6ad73b4834
fix(flywheel): 三修 L5/L6 斷鏈 — RBAC 擴權 + 失敗原因入庫 + verifier 失敗時也跑
...
CD Pipeline / build-and-deploy (push) Successful in 11m6s
2026-04-18 晚(台北時區) — ogt + Claude Opus 4.7 (1M)
全景飛輪診斷暴露 3 個真斷鏈:
- L5 執行 30d: EXECUTION_FAILED 216 / EXECUTION_SUCCESS 2 (失敗率 99%)
- L6 驗證 7d: verification_result 全 NULL (988 筆 evidence 都沒驗)
- 所有 rejection_reason / error_message 欄位全空(無法診斷)
根因: awoooi-executor ServiceAccount RBAC 不足,executor.py 每次
kubectl get nodes/HPA 都 Forbidden,連 evidence 都抓不到,後面 repair
全炸,verifier 因為 execution 沒 success 永遠不 trigger,evidence
驗證結果永遠 NULL。修一個 RBAC 解 3 個節點。
## P0.1 RBAC 擴權 (k8s/awoooi-prod/07-rbac.yaml)
新增 cluster-scope 讀權(僅 list/get/watch,零寫入):
- nodes + nodes/status (evidence gathering 必需)
- horizontalpodautoscalers (HPA 狀態)
- metrics.k8s.io: nodes + pods (resource metrics)
- statefulsets + daemonsets (完整 workload 視圖)
已 kubectl apply + 煙霧測試: kubectl get nodes 可跑。
## P0.2 失敗時必寫 rejection_reason (approval_db.py)
update_execution_status() 新增 error_message 參數,失敗時寫入
rejection_reason (截 2000 字) → 之後診斷有依據。
approval_execution.py 呼叫端同步更新,result.error 一路傳進 DB。
## P0.3 Verifier 失敗時也跑 (approval_execution.py)
原邏輯: verifier 只在 result.success=True 時呼叫 → 99% 失敗下
永遠不跑。
新邏輯: 失敗 path 也 create_task 跑 verifier,action_taken 後綴
加 ":FAILED" 標記。verifier 抓 post_state 寫
verification_result='failed' 回 incident_evidence。
L7 learning 從此有失敗樣本可學,playbook trust 負向 2x 衰減才
真正生效。
預期效果:
- EXECUTION_FAILED 率 30d 內應從 99% 降到 <30%
- incident_evidence.verification_result NULL 率應從 100% 降到 <10%
- approval_records.rejection_reason 補齊率從 0% 到 100%
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-18 20:12:57 +08:00
AWOOOI CD
1dac23fd56
chore(cd): deploy b0d560d [skip ci]
2026-04-18 10:21:41 +00:00
OG T
b0d560dbb3
fix(drift-narrator): shortener 用 replace — 包容 LLM 加 'Resource/Name:' 前綴幻覺
...
CD Pipeline / build-and-deploy (push) Successful in 10m50s
2026-04-18 下午(台北時區)— ogt + Claude Opus 4.7
Round 4 LLM 自己在 field 前加資源識別符:
'Deployment/awoooi-web: spec.template.spec.containers'
導致 startswith 模式 shortener 失效(前綴不在開頭)。
防禦式修法: startswith 不中 → 改用 replace 清除任何位置的前綴。
結果:
'Deployment/awoooi-web: containers' ✅
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-18 18:12:15 +08:00
AWOOOI CD
c40f3506e3
chore(cd): deploy b63aed7 [skip ci]
2026-04-18 09:20:51 +00:00
