270 Commits

Author	SHA1	Message	Date
Your Name	d934242846	feat(infra): ADR-110 補齊 Local Fallback + 密碼 SSH 恢復工具	2026-05-05 00:49:14 +08:00
Your Name	8629ac709b	feat(awooop): Phase 1-8 完整實作 — AwoooP Agent Platform 六平面架構 ... ## Phase 1-3: Control Plane + Contract System - awooop_phase1_control_plane_2026-05-04.sql: 12 張核心表 + RLS - awooop_phase1_batch1_rls_2026-05-04.sql: 全部 FORCE RLS + GRANT - packages/awooop-contracts/: 六合約 JSON Schema + golden fixtures - src/models/awooop_contracts.py: Pydantic v2 contract models（extra=forbid） - src/repositories/contract_repository.py: contract lifecycle（draft→published→active） - src/services/contract_service.py: HMAC publish sig + Redis multi-sig activate - src/services/schema_validator.py: LLM output validator（retry×3, E-SCHEMA-001） ## Phase 2: Tenant Isolation - awooop_phase2_budget_ledger_2026-05-04.sql: budget_ledger + RLS - src/services/budget_service.py: Token Budget Hard Kill 三層防線 - src/core/context.py: PROJECT_ID ContextVar（31 background loop 自動繼承） - src/db/base.py + models.py: project_id 欄位 + RLS set_config 注入 - src/hermes/nl_gateway.py: project_id Redis key 前綴（Phase A 雙寫） - src/services/anomaly_counter.py: per-project 改造（Phase A fallback） ## Phase 4: Platform Shell in Shadow Mode - awooop_phase4_run_state_2026-05-04.sql: run_state + step_journal + idempotency - src/services/run_state_machine.py: 8-state FSM + SKIP LOCKED + stale reaper - src/services/platform_runtime.py: UUID v7 + W3C trace_id + shadow_execute - src/services/audit_sink.py: PII/secret redaction 9 patterns - src/api/v1/platform/runs.py: POST/GET /v1/platform/runs（Router→Service 架構） - src/workers/platform_worker.py: SKIP LOCKED worker + heartbeat + reaper loop - src/main.py: platform router + lifespan worker start/stop ## Phase 5: MCP Gateway 五閘門 - awooop_phase5_mcp_gateway_2026-05-04.sql: 4 表 + RLS - src/plugins/mcp/gateway.py: McpGateway（Gate 1~5, E-MCP-GATE-001~009） - src/plugins/mcp/redaction_middleware.py: 雙層 redaction + 16K 截斷 - src/plugins/mcp/registry.py: __provider name mangling（ADR-116） - src/plugins/mcp/credential_resolver.py: k8s secret ref 解析 - tests/test_mcp_credential_isolation.py: 10 個迴歸測試（secret leak 防再現） ## Phase 6-8: EwoooC + Channel Hub + Approval Token - awooop_phase6_ewoooc_onboarding_2026-05-04.sql: ewoooc tenant + 4 read-only MCP tools - awooop_phase7_channel_hub_2026-05-04.sql: conversation_event + outbound_message - src/services/provider_proxy.py: ProviderProxy + PlatformEnvelope（ADR-115） - src/services/channel_hub.py: Telegram inbound mirror + Progressive Feedback（30s） - src/services/awooop_approval_token.py: HS256 + jti NX replay 防護 + suggest mode Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-04 19:31:53 +08:00
Your Name	898d7b0ff2	docs(logbook): 更新 Phase 2 進度（P0-05/06/11/12 全部完成） ... Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-04 13:55:14 +08:00
Your Name	f2f5148ca6	fix(awooop): Phase 2 第二批 P0 安全強化 + Redis key 命名空間修正 ... ## P0-05 Callback Nonce 防偽造（ADR-116） - security_interceptor.py：generate_callback_nonce() 新增 HMAC-SHA256[:16] 附加 - 新 5-part 格式：{action}:{short_id}:{ts}:{rand}:{hmac16} - CALLBACK_HMAC_SECRET 未設定時降級 warning（向後相容） - security_interceptor.py：parse_callback_data() 新增 5-part 分支 + HMAC 驗證 - config.py：新增 CALLBACK_HMAC_SECRET: str = Field(default="") ## P0-06 Webhook HMAC Replay 防護（ADR-116） - security_interceptor.py：新增 check_webhook_nonce()（Service 層，get_redis 在此層合法） - webhooks.py：verify_webhook_signature() 新增兩個可選 Header - X-Webhook-Timestamp：±300s 窗口驗證（若提供） - X-Webhook-Nonce：呼叫 check_webhook_nonce()（Redis NX dedup，fail open） - 移除直接 get_redis import（leWOOOgo 積木化修正） ## P0-11 ollama:current_primary Redis key 遷移 Phase A（ADR-110） - ollama_auto_recovery.py：_REDIS_PRIMARY_KEY = "platform:ollama:current_primary" - 雙寫舊 key "ollama:current_primary"（Phase A 30 天） - 讀取以新 key 為主，fallback 舊 key ## P0-12 consensus Redis key 加 project namespace Phase A - consensus_engine.py：新增 _consensus_key() / _consensus_legacy_key() helper - 新 key：{project_id}:consensus:{consensus_id} - project_id=None 時 fallback __platform__:consensus:{consensus_id} - Phase A 雙寫 + fallback 讀取，現有呼叫方零修改 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-04 13:54:38 +08:00
Your Name	13e51802fe	feat(awooop): Phase 0 全 ADR + Phase 1 control plane schema（含 critic 四項修正） ... ## Phase 0（文件層，全部 Accepted） - ADR-106/107：AwoooP 平台架構 + 儲存策略 - ADR-111~118：Bootstrap → RLS 七項核心 ADR - ADR-119~124：SAGA → Singleton Decomposition 六項 ADR - ADR-UI-01~04：Operator Console 四個 UI ADR ## Phase 1（DB schema + migration） - awooop_phase1_control_plane_2026-05-04.sql：7 張新表 + trigger + RLS - Step 1：三角色（platform_admin/migration BYPASSRLS，awooop_app 受 RLS） - Step 13：GRANT awooop_app 最小權限（7 條） - Step 14：RLS fail-closed，移除 __platform__ 後門 - awooop_phase1_batch1_rls_2026-05-04.sql：高流量四表三步式 ADD COLUMN - awooop_phase1_batch1_backfill.py：SKIP LOCKED 分批回填腳本 - awooop_models.py：7 個 SQLAlchemy 2.x models ## Critic 修正（4 Critical + 3 Major） - C-1：ADD CONSTRAINT IF NOT EXISTS → DO 塊 + pg_constraint 查詢 - C-2：__mapper_args__ 字串 list → primary_key=True on mapped_column - C-3：__platform__ RLS 後門 → 全移除，改用 BYPASSRLS role - C-4：awooop_app role 從未建立 → Step 1 + 7 條 GRANT - M-1：active_pointer_guard SECURITY DEFINER（FORCE RLS 跨租戶保護） - M-2：pg_partman create_parent 加冪等防護 - M-3：immutability trigger 新增身份欄位保護（project_id/family/contract_id） ## Task 1.2 修補 - agent_loader.py：硬編碼 Mac 路徑 → AGENTS_DIR 環境變數 - Dockerfile：補 COPY .claude/agents/ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-04 13:37:11 +08:00
Your Name	b1ef05fa8c	feat(ollama): ADR-110 GCP 三層容災架構（GCP-A → GCP-B → Local → Gemini） ... ## 變更摘要 - Primary: http://34.143.170.20:11434 (GCP-A SSD, 9x 載速 + 2x 推理) - Secondary: http://34.21.145.224:11434 (GCP-B SSD) - Fallback: http://192.168.0.111:11434 (M1 Pro Local HDD，最後防線) - 廢止 ADR-105「111 唯一鐵律」，新建 ADR-110 ## 核心改動 - config.py: 新增 OLLAMA_SECONDARY_URL；validator 加 GCP IP 白名單（34.143.170.20, 34.21.145.224） - ollama_failover_manager.py: 三層 Ollama 決策矩陣；並行健康檢查三台；health_111 → health_gcp_a - ollama_health_monitor.py: host label 萃取改為通用版（支援 GCP 公網 IP） - failover_alerter.py: 故障/恢復主機動態顯示，不再硬編碼「Ollama 111 (GPU)」 - ollama_auto_recovery.py: notify_recovery 改為 ollama_gcp_a；recovered_host 動態 - k8s/awoooi-prod: configmap + deployment + network-policy 同步更新（egress 加 GCP /32） - 服務層: 10 個服務檔案硬編碼 192.168.0.111 改為讀 settings.OLLAMA_URL - 測試: URL 常數更新，新增三層容災場景，GCP IP 白名單驗證測試 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 22:49:23 +08:00
Your Name	b710f3f38f	feat(governance): normalize AI治理告警輸出與元告警解析度	2026-05-02 23:49:59 +08:00
Your Name	ed0553c337	docs(governance): add AI governance alert schema and consolidation playbook	2026-05-02 23:47:00 +08:00
Your Name	3059897318	feat(governance): auto-deprecate low-trust unused playbooks (>30d) ... trust_drift previously fired alerts forever for playbooks stuck below the 0.2 threshold. With user authorization for governance-class auto-fixes, check_trust_drift now retires playbooks that have been unused for 30+ days (or never used and created 30+ days ago) by flipping status to 'deprecated' before alerting. Alerts now report drifted_count, auto_deprecated_count, and the kept playbook_ids that still need human review (those in their 30d trial window). Existing alert noise from the four currently-drifted playbooks should drop to whatever fraction is genuinely in trial. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-02 12:31:37 +08:00
Your Name	607358c4dd	fix(approval): route SSH actions through SSHProvider on manual approve ... parse_operation_from_action only knew kubectl and Chinese restart phrases, so any "ssh host '...'" action approved via Telegram fell through to "Could not parse operation type" and reported a fake failure even though the LLM had proposed a valid host repair. Adds OperationType.SSH_HOST, makes the parser detect ssh prefixes (with optional flags / user@host) before kubectl patterns, and routes the SSH_HOST branch in approval_execution.execute_in_background through SSHProvider with the same tool keywords decision_manager uses (ssh_docker_prune / ssh_docker_restart / ssh_systemctl_restart / ssh_diagnose). Unroutable SSH actions now fail loudly with a descriptive error instead of silently breaking. Trigger: 2026-05-02 incidents INC-20260502-D6D0B7 / E12EE4 / 557055 were approved by the user but executor reported "Could not parse" and left the alerts pending. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-02 12:31:37 +08:00
Your Name	3156ff1c69	feat(aiops): add ssh_docker_prune to auto-repair flywheel for disk-full alerts ... Adds Group B SSH MCP tool ssh_docker_prune (image+volume+builder prune with ≥75% disk usage gate) and routes "docker prune" actions through it. Flips HostDiskUsageHigh from auto_repair=false to true with mcp_provider routing labels so the flywheel can self-heal next disk-full event without hitting the emergency_channel Telegram path. Trigger: 2026-05-01 → 05-02 Telegram alert storm (peak 53/hr) caused by empty ssh-mcp-key/known_hosts secret rejecting all SSH and forcing every disk-full alert through "Host key is not trusted → escalate" loop. known_hosts patched live; this commit closes the playbook gap so the next occurrence resolves without manual intervention. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-02 12:31:37 +08:00
Your Name	443947ffa1	fix(ci): avoid code review sigpipe on large diffs [skip ci]	2026-05-01 20:59:14 +08:00
Your Name	7795f027d2	fix(aiops): persist emergency intervention traces	2026-05-01 20:34:33 +08:00
Your Name	8e49f2ea88	fix(ci): preserve ssh mcp known hosts [skip ci]	2026-05-01 17:18:32 +08:00
Your Name	433f7b068e	fix(aiops): close ssh and telegram remediation gaps	2026-05-01 16:53:02 +08:00
Your Name	3650fc727a	docs(ci): record runner user service takeover state	2026-05-01 16:30:54 +08:00
Your Name	bc295eaec2	fix(ci): allow user service for gitea host runner	2026-05-01 16:24:45 +08:00
Your Name	cb5ab900c4	fix(ci): preserve gitea runner jobs on shutdown	2026-05-01 16:16:27 +08:00
Your Name	b0da6da1e9	feat(aiops): structure agent loop shadow output	2026-05-01 15:09:57 +08:00
Your Name	f8e44971c1	feat(aiops): enable read-only agent loop canary	2026-05-01 14:20:16 +08:00
Your Name	6ec3f116fd	fix(ci): normalize migration database url for psql	2026-05-01 13:30:32 +08:00
Your Name	7e4d995e4b	feat(aiops): add mcp agent loop foundation	2026-05-01 13:21:19 +08:00
Your Name	9db87f177e	fix(aiops): suppress repeated llm alert loops	2026-05-01 13:02:07 +08:00
Your Name	11673d80ea	fix(aiops): route backup decisions through ssh	2026-05-01 12:50:01 +08:00
Your Name	3a6acae408	fix(km): add phase25 knowledge enum labels	2026-05-01 11:03:03 +08:00
Your Name	2c12bce135	fix(aiops): use existing escalation event type	2026-05-01 10:56:59 +08:00
Your Name	97be5dedd7	fix(aiops): escalate failed host verification	2026-05-01 10:47:42 +08:00
Your Name	e4aef6ac4e	fix(aiops): block k8s playbooks for host repair	2026-05-01 10:33:52 +08:00
Your Name	ca22ec2fd2	fix(aiops): route backup failures rule-first	2026-05-01 10:11:10 +08:00
Your Name	f154ac022e	feat(playbook): version generated playbooks	2026-04-30 23:59:39 +08:00
Your Name	f0d14ab6c4	fix(aiops): escalate blocked auto repair	2026-04-30 23:49:17 +08:00
Your Name	6e04fe9c8a	feat(playbook): generate drafts with local llm	2026-04-30 23:04:58 +08:00
Your Name	95110971f3	fix(telegram): close remaining DM alert routes	2026-04-30 23:02:17 +08:00
Your Name	712d3e5a77	fix(ci): send workflow alerts to SRE group	2026-04-30 15:05:16 +08:00
Your Name	61f5a6a419	fix(telegram): route alerts to SRE war room	2026-04-30 15:01:23 +08:00
Your Name	ed2a4838f2	fix(auto): use action parser for repair gates	2026-04-30 14:06:09 +08:00
Your Name	4723499955	fix(cd): install playwright system deps for smoke	2026-04-30 11:02:12 +08:00
Your Name	e27b462bef	fix(ops): keep disabled gitea runner stopped	2026-04-30 10:59:46 +08:00
Your Name	0f7e9d3467	fix(cd): run docker builds on host runner	2026-04-30 10:43:33 +08:00
Your Name	7cc10b2599	fix(cd): serialize gitea docker builds	2026-04-30 10:11:50 +08:00
Your Name	e91db52858	docs(logbook): record 639bb64 prod deployment [skip ci]	2026-04-30 09:45:48 +08:00
Your Name	639bb64788	feat(flywheel): surface ai automation and code review	2026-04-30 00:09:25 +08:00
Your Name	4a57c2d04f	feat(flywheel): expose incident processing timeline	2026-04-29 23:38:30 +08:00
Your Name	f5f41543c9	docs: ADR-105 推翻 A2 + LOGBOOK 2026-04-29 LLM 飛輪復活戰 ... ADR-105 完整記錄推翻 A2 鐵律的決策： - Context: A2 歷史背景 + 2 個月後事實基礎變化（GPU + qwen2.5:7b） - Decision: 4 處修改（IntentType.DIAGNOSE override / chain / openclaw.py task_type / 6 regression test） - Consequences: 正面（飛輪復活）+ 負面（Ollama 單點）+ 已知債（ADR-106-109 後續） - Validation: 部署前 1635 tests 全綠，部署後 5 項驗證指標 - Rollback: env 切換 / git revert LOGBOOK 加 2026-04-29 條目： - 真根因：4 provider 全死 + A2 鐵律排除 Ollama - CD 連環血淚：5 個 commit 全 failure（setup_test_schema.sql 缺欄） - 已落地（不依賴 CD）：Prometheus 17 條 rule + Gemini sanitize - Memory 索引同步更新（指向 project_revert_a2_ollama_primary.md） 注意：docs/ 不在 cd.yaml paths trigger，此 commit 不影響 CD。 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-29 20:59:53 +08:00
Your Name	6eb33594c2	docs(logbook): T0 12-Agent 全景驗證紀錄 ... 承接前段 session wave2 (commit 143c15f0) + DB cleanup + Gitea HMAC + ArgoCD/Sentry MCP， 派四位專家並行驗證（critic / db-expert / debugger / tool-expert）。 詳情：B1/B2 鬼魂按鈕 + KM 早期吞例外 + M1-M4 中度問題 + G1-G3 環境治理 gap。 此 commit 主要為 LOGBOOK 索引補齊，本次 P0/P1 修復內容詳見前 2 個 commit。 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-29 10:44:39 +08:00
Your Name	cc547736ab	feat(wave6-8): P2.1 fusion + P2.2 governance + P2.4 consensus + Wave 7/8 BLOCKER 修復 ... 承接 Wave 6/7/8 多 engineer 在 agent 限額前完成的代碼，補 commit 解 production HEAD 隱性 import error（decision_fusion 已被 decision_manager 引用但檔案 untracked）。 新增（後端核心）: - decision_fusion.py (562 行) — P2.1 方法 III（OpenClaw + Hermes + Elephant 三 LLM 融合） - aiops_timeline.py + aiops_timeline_service.py — critic B4 修復 /api/v1/aiops/timeline endpoint，DB 存取抽到 service 層遵守 leWOOOgo 積木化 - migrations/p2_decision_fusion_columns.sql + rollback — approval_records fusion 欄位 修改（後端整合）: - decision_manager.py — fusion 三斷鏈修補（critic B1+B2+B3）： · B1: 寫 _evidence_snapshot_ref 到 token.proposal_data · B2: fusion 前計算 complexity_score 並寫 token · B3: fusion composite 寫 token.proposal_data["decision_fusion"] - auto_approve.py — fusion + consensus 認識（critic B3+B5）： · composite > 0.7 → auto_execute_eligible bypass min_confidence · source=consensus_engine + score>=0.6 → 規則可信路徑 - consensus_engine.py — db-fix _save_consensus 重用 agent_sessions - governance_agent.py — db-fix _alert PG 寫入 ai_governance_events - approval_db.py — fusion 3 欄位 + 2 partial index + CheckConstraint - db/models.py — schema 對齊 migration - core/config.py — vuln #1 修復：OLLAMA_URL/_FALLBACK_URL field_validator 拒絕公網 IP + 外部域名，僅允許私網/loopback/K8s SVC 白名單 - core/feature_flags.py — P2 fusion + consensus flags - main.py — governance_agent lifespan 啟動 - failover_alerter.py — Wave8-X2: in-memory dedup fallback（Redis 拒絕後不 fail-open） - ollama_*.py — metrics 整合 + recovery 改善 - auto_repair_service.py — verifier 接線 新增（測試 2438 行）: - test_decision_fusion.py / test_governance_agent.py / test_consensus_integration.py - test_p2_db_fixes.py / test_wave8_fusion_fixes.py - test_config_url_validation.py（vuln #1 12 tests） - test_failover_alerter.py +Wave8-X2 in-memory dedup 補測 驗收: 116 tests pass (decision_fusion + wave8_fusion + config_url + consensus + governance + p2_db_fixes + failover_alerter) Conflict resolution: - 3 檔（config.py + auto_approve.py + decision_manager.py）git stash pop 衝突 保留 stashed (engineer 最終版)，補回 ValueError 「公網 IP」字樣對齊 test Note: 此 commit 解 production HEAD 隱性 import error 仍未修: vuln #4 prompt injection / debugger B14 quota fail-closed / B25-B26 drain_pending_tasks / B8 governance fail alert Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-Authored-By: Multiple Engineers (Wave 6/7/8) <noreply@anthropic.com>	2026-04-27 08:11:40 +08:00
Your Name	7cd53c0228	fix(monitoring): 記憶體告警改用 working_set，停止 page cache 假告警 ... - alerts-unified.yml: - SentryClickHouseMemoryPressure: usage_bytes → working_set_bytes，0.8 → 0.85 - GiteaMemoryPressure: 同步修正（同樣 page cache 虛高根因） - ops/monitoring/tests/clickhouse_memory_test.yml: promtool 4 cases - 04-awoooi-devops-commander.md v2.8: Prometheus 指標選擇規範 + Gitea HMAC Webhook 規範 - LOGBOOK: 記錄 T0 五大並行任務（A 按鈕 / B ClickHouse / C Gitea webhook / D ElephantAlpha / F Code review） 鐵證: 2026-04-23 23:13 sentry-clickhouse usage_bytes=88.5% vs working_set=7.8% 根因: container_memory_usage_bytes 含 OS page cache，OOM killer 不視為壓力 修法: 改用 K8s/cadvisor 認可的 working_set_bytes (RSS + active cache)，閾值 0.85 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-26 20:16:12 +08:00
Your Name	689839cd83	docs(logbook): 記錄 2026-04-25 自動化飛輪四修 + Hermes + qwen3 ... Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-25 09:49:50 +08:00
Your Name	d467cac709	fix(hermes): 改用 anthropic Python SDK 直呼，棄用需要 claude CLI 的 claude-agent-sdk ... 根因：claude-agent-sdk 需要 spawn claude CLI，prod pod 沒有 CLI 所以 SDK 回空。 修法：改用 anthropic.AsyncAnthropic().messages.create() 直呼 API。 model: claude-haiku-4-5-20251001（快速低成本，適合 Telegram QA） Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-25 03:08:51 +08:00
Your Name	86ee013cdf	feat(hermes-complete): Hermes NL 三項補強 + ConsensusEngine + ADR 收尾 ... ## Hermes NL 補強（nl_gateway.py） - T1 hermes_dispatch_log DB 寫入（asyncio.create_task 非阻擋） - T2 Redis 速率限制：per-chat_id 20 req/min，fail-open - T3 Multi-turn session：hermes:session:{chat_id}:{user_id} TTL=300s，最近 3 輪 ## ConsensusEngine（ADR-095 宣告式設計） - consensus_engine.py: CONSENSUS_WEIGHTS class 屬性 security=0.4 鎖定，9 個 Claude Code agent 分配 0.6 - config.py: ENABLE_12AGENT_CONSENSUS=False feature flag ## ADR 狀態 - ADR-093/094/095: Proposed → 🟡 批准實作中 - 各 ADR 加 v1.1 變更紀錄 ## K8s ConfigMap - prod 04-configmap.yaml: 加 3 個 feature flags（均 false） - dev 02-configmap.yaml: 同步加入 ## LOGBOOK - 記錄 WS0–WS6 + 補強完成，feature flags 啟用指引 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-25 02:22:40 +08:00