Expose a runnable backend without giving the ingress layer secrets
Some checks failed
verify / verify (push) Has been cancelled
Some checks failed
verify / verify (push) Has been cancelled
The backend can now be inspected through a loopback-only gateway while the database-aware API remains on the internal data network. A governed synthetic demo proves readiness, pgvector retrieval, reranking, and citation output through real HTTP without invoking cloud models. Constraint: The previously exposed Bailian key is compromised and cannot be used for live validation Constraint: The API must be locally reachable while retaining no internet egress Rejected: Attach the API directly to the ingress network | a real socket test proved that configuration still had egress Rejected: Publish a port from the internal-only network | Docker Desktop did not expose the host port Confidence: high Scope-risk: moderate Reversibility: clean Directive: Keep model and database credentials out of the gateway; do not relax the fixed demo identity/profile filters Tested: make verify; 63 pytest tests; strict mypy; Ruff; Secret scan; Compose config; three backend image builds; API/DB/gateway healthy; migration exit 0; Swagger browser check; live/ready/meta/status/search HTTP; 20/20/20 index; API egress ENETUNREACH; empty gateway mounts and business environment Not-tested: Live Bailian calls require a newly rotated key; full generated-answer flow and React UI are not implemented
This commit is contained in:
@@ -21,7 +21,7 @@ bash scripts/init-local-secrets.sh
|
||||
离线模式使用确定性的 1024 维 feature-hash 向量和词法重排器,只验证数据治理、批处理、迁移、向量写入、权限过滤、检索、重排和幂等性,不把它当成真实模型质量。
|
||||
|
||||
```bash
|
||||
docker compose up -d --build db migrate
|
||||
docker compose up -d --build gateway
|
||||
docker compose --profile tools run --rm seed-demo-offline
|
||||
docker compose --profile tools run --rm seed-demo-offline
|
||||
```
|
||||
@@ -44,6 +44,28 @@ Seed 的实际流程是:
|
||||
7. 对 Top K 候选重排并输出虚构问题的 Hit@3;
|
||||
8. 相同输入再次执行使用相同 ID 和幂等 upsert,不增加行数。
|
||||
|
||||
### 2.1 查看后端运行效果
|
||||
|
||||
内部 API 只连接 `internal` data 网络,只挂载 app 数据库 Secret,不连接外网,也不挂载百炼 Key。无 Secret、无数据库凭证的 gateway 同时连接 ingress 与 data 网络,并且仅发布到本机回环地址 `127.0.0.1:8000`。两个容器都以数值非 root 用户运行,根文件系统只读,并移除 Linux capabilities。
|
||||
|
||||
```bash
|
||||
curl http://127.0.0.1:8000/health/live
|
||||
curl http://127.0.0.1:8000/health/ready
|
||||
curl http://127.0.0.1:8000/api/v1/demo/status
|
||||
curl -X POST http://127.0.0.1:8000/api/v1/demo/search \
|
||||
-H 'Content-Type: application/json' \
|
||||
--data '{"query":"花岗斑岩铜矿化特征","top_k":3}'
|
||||
```
|
||||
|
||||
预期结果:
|
||||
|
||||
- readiness 返回 `database=ok`;
|
||||
- demo status 返回 chunks/vectors/searchable = 20/20/20;
|
||||
- search 只返回 `synthetic-demo` 数据集中的合成标题、批准后的片段、页码、分数和不透明 citation ID;
|
||||
- Swagger 位于 <http://127.0.0.1:8000/docs>。
|
||||
|
||||
该接口是 Stage 1 的离线可见效果,不调用百炼,也不代表完整问答生成链或 React 前端已经完成。
|
||||
|
||||
## 3. 真实百炼能力探测
|
||||
|
||||
完成旧 Key 轮换后:
|
||||
|
||||
Reference in New Issue
Block a user