feat(auto-rate): rule_engine 路徑開啟自動執行,預計 42% → 70%+
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled
修法 3(debugger 建議):CS2 is_rule_based=True + kubectl 有值 + 非 CRITICAL/DESTRUCTIVE → 直接 auto-execute,不建 PENDING record 安全防線(5 層): - CRITICAL risk → 絕對不自動執行 - _DESTRUCTIVE_PATTERNS 命中 → 絕對不自動執行 - NO_ACTION → 不執行 - kubectl 空字串 → 不執行 - 任何例外 → catch + 降級到 PENDING,不 crash 15 tests 驗收(1487 passed) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1334,6 +1334,62 @@ async def _process_new_alert_background(
|
||||
except Exception as _shadow_err_cs2:
|
||||
logger.warning("shadow_auto_approve_failed", error=str(_shadow_err_cs2))
|
||||
|
||||
# 2026-04-27 ogt + Claude Sonnet 4.6: CS2 規則引擎自動執行
|
||||
# 設計:is_rule_based=True 確定性高,滿足條件直接執行,不等人工審核
|
||||
# 安全防線:CRITICAL / destructive patterns / NO_ACTION / 空 kubectl → 全部降級 PENDING
|
||||
try:
|
||||
from src.services.auto_approve import _DESTRUCTIVE_PATTERNS
|
||||
from src.models.approval import ApprovalRequest, ApprovalStatus
|
||||
from src.services.approval_execution import ApprovalExecutionService
|
||||
|
||||
_destructive_set = set(p.lower() for p in _DESTRUCTIVE_PATTERNS)
|
||||
_can_auto = (
|
||||
bool(rule_kubectl)
|
||||
and rule_risk != RiskLevel.CRITICAL
|
||||
and not any(p in rule_kubectl.lower() for p in _destructive_set)
|
||||
and "NO_ACTION" not in rule_action
|
||||
)
|
||||
if _can_auto:
|
||||
_auto_approval = ApprovalRequest(
|
||||
incident_id=None, # 尚未建立,稍後 update_incident_id 補上
|
||||
action=rule_action,
|
||||
description=approval_create.description,
|
||||
requested_by="auto_approve_rule_engine",
|
||||
required_signatures=0,
|
||||
status=ApprovalStatus.APPROVED,
|
||||
risk_level=rule_risk.value,
|
||||
matched_playbook_id=_approval_metadata_cs2.get("playbook_id"),
|
||||
)
|
||||
# 使用 DB 中剛建立的 approval.id 讓 executor 可回寫
|
||||
_auto_approval.id = approval.id
|
||||
|
||||
_cs2_executor = ApprovalExecutionService()
|
||||
_cs2_exec_success = await _cs2_executor.execute_approved_action(_auto_approval)
|
||||
|
||||
# 更新 DB approval 執行狀態
|
||||
try:
|
||||
await service.update_execution_status(approval.id, _cs2_exec_success)
|
||||
except Exception as _upd_err:
|
||||
logger.warning(
|
||||
"cs2_auto_execute_status_update_failed",
|
||||
approval_id=str(approval.id),
|
||||
error=str(_upd_err),
|
||||
)
|
||||
|
||||
logger.info(
|
||||
"rule_engine_auto_executed",
|
||||
approval_id=str(approval.id),
|
||||
rule_id=rule_response.get("rule_id", "unknown"),
|
||||
kubectl=rule_kubectl,
|
||||
exec_success=_cs2_exec_success,
|
||||
)
|
||||
except Exception as _auto_err:
|
||||
logger.warning(
|
||||
"cs2_auto_execute_failed_degraded_to_pending",
|
||||
approval_id=str(approval.id),
|
||||
error=str(_auto_err),
|
||||
)
|
||||
|
||||
incident_id = await create_incident_for_approval(
|
||||
approval_id=str(approval.id),
|
||||
risk_level=rule_risk.value,
|
||||
|
||||
Reference in New Issue
Block a user