Make the governed RAG evidence path executable end to end
Some checks failed
verify / verify (push) Has been cancelled

Separate local parsing from model indexing, bind review decisions to immutable manifests, persist vectors behind active profiles, and expose retrieval, chat, evaluation, and document workflows through the React workbench.

Constraint: Live Bailian authentication currently fails for all three configured capabilities

Rejected: Direct upload-to-embedding flow | bypasses local review and manifest binding

Confidence: high

Scope-risk: broad

Directive: Keep private-data deployment blocked until authentication, RBAC, and separate database roles land

Tested: make verify; fresh and replay Docker document smoke; worker recovery smoke; frozen synthetic evaluation; migration 0003-0004 roundtrip

Not-tested: Successful live Bailian calls, OCR, real multi-user authorization
This commit is contained in:
2026-07-13 05:58:11 +08:00
parent 75592af33a
commit ecdb10c37a
111 changed files with 25457 additions and 152 deletions

View File

@@ -1,5 +1,6 @@
"""Small fixed-origin ingress gateway with explicit proxy boundaries."""
import re
from collections.abc import AsyncIterator, Mapping
from contextlib import asynccontextmanager
@@ -10,7 +11,9 @@ from starlette.types import Receive, Scope, Send
UPSTREAM_ORIGIN = httpx.URL("http://api:8000")
MAX_REQUEST_BODY_BYTES = 1024 * 1024
SUPPORTED_METHODS = ["GET", "POST", "HEAD", "OPTIONS"]
MAX_UPLOAD_BODY_BYTES = 100 * 1024 * 1024
SUPPORTED_METHODS = ["GET", "POST", "PUT", "HEAD", "OPTIONS"]
UPLOAD_CONTENT_PATH = re.compile(r"^/api/v1/document-uploads/[0-9a-fA-F-]{36}/content$")
REQUEST_HEADER_ALLOWLIST = frozenset(
{
@@ -22,6 +25,7 @@ REQUEST_HEADER_ALLOWLIST = frozenset(
"content-type",
"if-match",
"if-none-match",
"idempotency-key",
"origin",
"range",
"traceparent",
@@ -30,6 +34,11 @@ REQUEST_HEADER_ALLOWLIST = frozenset(
}
)
class RequestBodyTooLarge(Exception):
"""Internal control flow for a streamed body that exceeded its hard cap."""
RESPONSE_HEADER_ALLOWLIST = frozenset(
{
"accept-ranges",
@@ -113,6 +122,27 @@ async def _bounded_body(request: Request) -> bytes | None:
return bytes(body)
def _declared_body_is_too_large(request: Request, maximum: int) -> bool:
declared_length = request.headers.get("content-length")
if declared_length is None:
return False
try:
parsed_length = int(declared_length)
except ValueError:
return True
return parsed_length < 0 or parsed_length > maximum
async def _bounded_upload_stream(request: Request) -> AsyncIterator[bytes]:
total = 0
async for chunk in request.stream():
total += len(chunk)
if total > MAX_UPLOAD_BODY_BYTES:
raise RequestBodyTooLarge
if chunk:
yield chunk
def create_gateway_app(transport: httpx.AsyncBaseTransport | None = None) -> FastAPI:
"""Create a no-secret gateway; an injected transport enables hermetic tests."""
@@ -147,12 +177,22 @@ def create_gateway_app(transport: httpx.AsyncBaseTransport | None = None) -> Fas
@gateway.api_route("/{path:path}", methods=SUPPORTED_METHODS, include_in_schema=False)
async def proxy(request: Request, path: str) -> Response: # noqa: ARG001
body = await _bounded_body(request)
if body is None:
is_upload = request.method == "PUT" and UPLOAD_CONTENT_PATH.fullmatch(request.url.path)
if is_upload and _declared_body_is_too_large(request, MAX_UPLOAD_BODY_BYTES):
return JSONResponse(
status_code=status.HTTP_413_CONTENT_TOO_LARGE,
content={"detail": "request body too large"},
)
if is_upload:
body: bytes | AsyncIterator[bytes] = _bounded_upload_stream(request)
else:
bounded = await _bounded_body(request)
if bounded is None:
return JSONResponse(
status_code=status.HTTP_413_CONTENT_TOO_LARGE,
content={"detail": "request body too large"},
)
body = bounded
upstream_request = upstream_client.build_request(
request.method,
@@ -162,6 +202,11 @@ def create_gateway_app(transport: httpx.AsyncBaseTransport | None = None) -> Fas
)
try:
upstream_response = await upstream_client.send(upstream_request, stream=True)
except RequestBodyTooLarge:
return JSONResponse(
status_code=status.HTTP_413_CONTENT_TOO_LARGE,
content={"detail": "request body too large"},
)
except httpx.RequestError:
return JSONResponse(
status_code=status.HTTP_502_BAD_GATEWAY,