fix(telegram): bind product alerts to canonical routes
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 1s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / build-and-deploy (push) Has been cancelled
CD Pipeline / tests (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 1s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / build-and-deploy (push) Has been cancelled
CD Pipeline / tests (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
This commit is contained in:
@@ -12,6 +12,40 @@
|
||||
- 未知 product/signal/severity/destination 一律 no-egress;不再沿用 ADR-093 的 unknown-to-shared-group fallback。
|
||||
- `AwoooI SRE 戰情室` 只收 shared infrastructure、security、DR 與 P0/P1 incident lifecycle。raw P2/P3、marketing、成功 heartbeat、未驗證 recommendation 和 bot 對話均不得進入。
|
||||
|
||||
## 監控與告警來源總帳
|
||||
|
||||
| source truth | 數量 | 角色與目前判定 |
|
||||
|---|---:|---|
|
||||
| `ops/monitoring/alerts-unified.yml` | 23 groups / 145 alert declarations | production primary Prometheus rule source;產品訊號必須帶 namespaced canonical route labels |
|
||||
| `ops/monitoring/alerts.yml` | 81 declarations | legacy duplicate source,不加入 production primary 總數;保留相同產品 labels 防止誤復用 |
|
||||
| 11 個 specialized Prometheus / SignOz rule files | 112 declarations | K3s、DB、flywheel、MinIO/Kali、NVIDIA、Ollama、SLO、agent latency、SignOz 等專項訊號 |
|
||||
| primary + specialized 合計 | 257 declarations / 226 unique alert names | 29 個 alert name 在兩個以上來源重複,extra declarations 31;重複不是多送授權,仍由 grouping/fingerprint/route policy 收斂 |
|
||||
| AWOOOI API `alert_rules` | 29 matching/action rules | 用於分類與修復候選,不是新的 signal generator,不重複計入 257 |
|
||||
| Telegram egress scanner | 805 files / 50 normalized gateway callsites | active direct Bot API 0;7 個 direct calls 全在 GitHub-frozen legacy source,禁止執行 |
|
||||
|
||||
目前可明確歸戶的產品告警如下;未列出的 shared infrastructure/security/DR/K3s/DB/host 規則屬 `awoooi`,但只有 P0/P1 allowlisted lifecycle 能進 SRE 群:
|
||||
|
||||
| product_id | 明確 signal / alert | canonical signal family | 現行 egress |
|
||||
|---|---|---|---|
|
||||
| `2026fifa` | repository 中沒有產品專屬 Prometheus rule | `data_freshness_and_recommendation` | blocked |
|
||||
| `agent-bounty-protocol` | registry 有 A2A、traffic security、treasury/onboarding 3 lanes;沒有專屬 Prometheus rule | 對應 3 個 registry families | blocked,缺 durable receipt |
|
||||
| `awooogo` | 無產品專屬 rule | `*` | disabled |
|
||||
| `awoooi` | 145 primary + 112 specialized declarations 的 shared/core owner | shared infrastructure / security / DR / incident lifecycle | 僅 P0/P1 allowlisted route allowed |
|
||||
| `bitan-pharmacy` | `BitanWoooWorkDown` | `container_and_product_health` | blocked |
|
||||
| `clawbot-openclaw` | `OpenClawDown` | `raw_monitoring_alert` | blocked;不得借用 AWOOOI TYPE-3 |
|
||||
| `momo-pro` | `MoWoooWorkDown`、`MomoScraperSuccessLow` | scheduler/sales、crawler/data freshness | blocked;configured destination 仍 `chat_not_found` |
|
||||
| `stockplatform-v2` | `StockWoooWorkDown` | `market_data_and_recommendation_freshness` | blocked |
|
||||
| `tsenyang-website` | `TsenyangWebsiteDown` | `public_site_and_agent_action_health` | blocked |
|
||||
| `vibework` | 無專屬 rule;`VibeAIAgent` 不等於 standalone VibeWork | `*` | not implemented |
|
||||
| `vtuber` | 無產品專屬 rule | `*` | disabled |
|
||||
|
||||
## Source-side route corrections
|
||||
|
||||
- Alertmanager 產品規則現在帶 `awoooi_product_id`、`awoooi_signal_family`、`awoooi_route_severity`;gateway 以這組明確 context 覆蓋 legacy `TYPE-3`,所以 blocked product 不會再落到 shared SRE。
|
||||
- SignOz public receiver 尚無 source authentication,因此即使 payload 自稱 canonical labels 也固定 no-egress;Sentry(signature verified)與 HMAC generic webhook 缺完整 namespaced context 時一律 `UNKNOWN / blocked_no_egress`。Alertmanager 另要求 direct peer 與完整 forwarded chain 都是 private IP,不再信任單一可偽造的 forwarded value。
|
||||
- `docker-compose`、production ConfigMap、docker-health scripts 與 7 個 Gitea workflows 的 11 個 raw destination defaults 已移除;runtime 只可由既有 secret/env alias 注入,缺值即 fail closed。白名單也不再內嵌 numeric default。
|
||||
- 本次只改 source policy,沒有讀 token、呼叫 Bot API、改 Telegram 群組、送測試訊息或偽造 delivery receipt。
|
||||
|
||||
## 11 產品路由清冊
|
||||
|
||||
| 產品 | 目前 proven route | 建議 canonical route | blocked unknown / egress status | source risk | receipt strength |
|
||||
|
||||
Reference in New Issue
Block a user