Isolate cloud model access before enabling product RAG workflows
Some checks failed
verify / verify (push) Has been cancelled
Some checks failed
verify / verify (push) Has been cancelled
The API and ingestion tools now use a fixed internal model gateway while governed profiles, embedding cache assignments, traceable citations, and stable API errors establish the boundaries required by later workflows. Constraint: The current Alibaba Cloud workspace rejects all three live model calls with authentication failures Rejected: Give the API or seed tools the Bailian key and direct egress | combines database access, cloud credentials, and public network access Rejected: Mix offline and Bailian vectors in one demo namespace | makes profile activation and retrieval ambiguous Confidence: high Scope-risk: moderate Reversibility: clean Directive: Keep Bailian credentials and egress exclusive to model-gateway and create a new immutable profile hash for any embedding identity change Tested: make verify; 121 backend tests; 14 frontend tests; fresh and populated Alembic upgrade-downgrade-upgrade; two idempotent offline seeds; Docker health and HTTP retrieval; isolated provider smoke Not-tested: Successful live Bailian responses because the supplied workspace credential currently fails authentication
This commit is contained in:
@@ -36,6 +36,7 @@ def test_compose_isolates_database_credentials_and_networks() -> None:
|
||||
db = _service_block("db")
|
||||
migrate = _service_block("migrate")
|
||||
api = _service_block("api")
|
||||
model_gateway = _service_block("model-gateway")
|
||||
gateway = _service_block("gateway")
|
||||
web = _service_block("web")
|
||||
provider_smoke = _service_block("provider-smoke")
|
||||
@@ -51,20 +52,37 @@ def test_compose_isolates_database_credentials_and_networks() -> None:
|
||||
assert "postgres_app_password" not in migrate
|
||||
|
||||
assert "postgres_app_password" in api
|
||||
assert "model_gateway_api_token" in api
|
||||
assert "postgres_bootstrap_password" not in api
|
||||
assert "postgres_migrator_password" not in api
|
||||
assert "bailian_api_key" not in api
|
||||
assert '"127.0.0.1:8000:8000"' not in api
|
||||
assert " - data" in api
|
||||
assert " - model" in api
|
||||
assert " - edge" not in api
|
||||
assert " - egress" not in api
|
||||
assert "read_only: true" in api
|
||||
assert "no-new-privileges:true" in api
|
||||
assert "cap_drop:" in api and " - ALL" in api
|
||||
|
||||
assert "bailian_api_key" in model_gateway
|
||||
assert "model_gateway_api_token" in model_gateway
|
||||
assert "model_gateway_worker_token" in model_gateway
|
||||
assert "postgres_" not in model_gateway
|
||||
assert " - model" in model_gateway
|
||||
assert " - egress" in model_gateway
|
||||
assert " - data" not in model_gateway
|
||||
assert " - edge" not in model_gateway
|
||||
assert " - ingress" not in model_gateway
|
||||
assert "ports:" not in model_gateway
|
||||
assert "read_only: true" in model_gateway
|
||||
assert "no-new-privileges:true" in model_gateway
|
||||
assert "cap_drop:" in model_gateway and " - ALL" in model_gateway
|
||||
|
||||
assert '"127.0.0.1:8000:8000"' not in gateway
|
||||
assert " - ingress" in gateway
|
||||
assert " - data" in gateway
|
||||
assert " - model" not in gateway
|
||||
assert " - edge" not in gateway
|
||||
assert " - egress" not in gateway
|
||||
assert "secrets:" not in gateway
|
||||
@@ -77,6 +95,7 @@ def test_compose_isolates_database_credentials_and_networks() -> None:
|
||||
assert " - edge" in web
|
||||
assert " - ingress" in web
|
||||
assert " - data" not in web
|
||||
assert " - model" not in web
|
||||
assert " - egress" not in web
|
||||
assert "secrets:" not in web
|
||||
assert "POSTGRES_" not in web
|
||||
@@ -85,13 +104,20 @@ def test_compose_isolates_database_credentials_and_networks() -> None:
|
||||
assert "no-new-privileges:true" in web
|
||||
assert len(re.findall(r"(?m)^ ports:$", COMPOSE)) == 1
|
||||
|
||||
assert "bailian_api_key" in provider_smoke
|
||||
assert "bailian_api_key" not in provider_smoke
|
||||
assert "model_gateway_api_token" in provider_smoke
|
||||
assert "postgres_" not in provider_smoke
|
||||
assert " - model" in provider_smoke
|
||||
assert " - egress" not in provider_smoke
|
||||
|
||||
assert "postgres_app_password" in seed_demo
|
||||
assert "postgres_bootstrap_password" not in seed_demo
|
||||
assert "postgres_migrator_password" not in seed_demo
|
||||
assert "bailian_api_key" in seed_demo
|
||||
assert "bailian_api_key" not in seed_demo
|
||||
assert "model_gateway_worker_token" in seed_demo
|
||||
assert "MODEL_GATEWAY_CALLER: worker" in seed_demo
|
||||
assert " - model" in seed_demo
|
||||
assert " - egress" not in seed_demo
|
||||
assert "./data/samples/public:/demo:ro" in seed_demo
|
||||
|
||||
assert "postgres_app_password" in seed_demo_offline
|
||||
@@ -101,6 +127,7 @@ def test_compose_isolates_database_credentials_and_networks() -> None:
|
||||
|
||||
assert re.search(r"(?ms)^ data:\n.*?^ internal: true$", COMPOSE)
|
||||
assert re.search(r"(?ms)^ ingress:\n.*?^ internal: true$", COMPOSE)
|
||||
assert re.search(r"(?ms)^ model:\n.*?^ internal: true$", COMPOSE)
|
||||
assert re.search(r"(?m)^ edge:$", COMPOSE)
|
||||
assert re.search(r"(?m)^ egress:$", COMPOSE)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user