Make the offline RAG chain observable without widening credential access
Some checks failed
verify / verify (push) Has been cancelled

Expose the verified synthetic retrieval path through a typed React client and a non-root Nginx edge while keeping database credentials and data-network reachability out of the browser tier. A fixed-origin gateway preserves request boundaries and now closes upstream streams even when downstream disconnects before body iteration. The deployment ADR and runbooks record the four-network topology and its accepted Web edge-egress risk.

Constraint: The previously exposed Bailian key must be revoked and no live provider credential may enter Git, images, logs, or the browser.
Rejected: Connect Web directly to the data network | expands lateral reach to PostgreSQL.
Rejected: Publish the database-aware API on the edge network | gives a credential-bearing process a public default route.
Rejected: Buffer streaming responses in either proxy | prevents incremental chat delivery in the future.
Confidence: high
Scope-risk: moderate
Reversibility: clean
Directive: Do not mark Stage 1 or Stage 2 complete until the rotated-key live smoke and remaining stage gates pass.
Tested: make verify; 65 backend tests; 14 frontend tests; Docker image build; container health and isolation probes; real HTTP demo/status/search/docs/OpenAPI checks.
Not-tested: Live Bailian models, real document ingestion, business chat SSE generation, and final browser screenshot automation because the browser skill runtime was unavailable.
This commit is contained in:
2026-07-12 17:38:57 +08:00
parent 2fa27ae71c
commit c3bad0f186
60 changed files with 9062 additions and 82 deletions

View File

@@ -1,6 +1,7 @@
.PHONY: setup-hooks check-secrets docs-check links-check verify-design backend-sync \
backend-format backend-lint backend-type backend-test backend-check compose-check \
verify-ci verify
frontend-sync frontend-format frontend-lint frontend-type frontend-test \
frontend-build frontend-check verify-ci verify
setup-hooks:
git config core.hooksPath .githooks
@@ -16,6 +17,7 @@ docs-check:
test -f docs/03-implementation-plan.md
test -f docs/04-project-todo.md
test -f docs/05-stage1-runbook.md
test -f docs/06-frontend-demo-runbook.md
links-check:
python3 scripts/check_markdown_links.py
@@ -41,12 +43,32 @@ backend-test:
backend-check: backend-sync backend-format backend-lint backend-type backend-test
frontend-sync:
cd frontend && npm ci
frontend-format:
cd frontend && npm run format:check
frontend-lint:
cd frontend && npm run lint
frontend-type:
cd frontend && npm run typecheck
frontend-test:
cd frontend && npm run test
frontend-build:
cd frontend && npm run build
frontend-check: frontend-sync frontend-format frontend-lint frontend-type frontend-test frontend-build
compose-check:
docker compose --env-file .env.example config --quiet
# CI does not assume its runner exposes a Docker daemon. Schema and Compose
# security contracts still run in backend-test; local verification also asks the
# Docker CLI to render the real Compose model.
verify-ci: verify-design backend-check
verify-ci: verify-design backend-check frontend-check
verify: verify-ci compose-check