Some checks failed
verify / verify (push) Has been cancelled
Expose the verified synthetic retrieval path through a typed React client and a non-root Nginx edge while keeping database credentials and data-network reachability out of the browser tier. A fixed-origin gateway preserves request boundaries and now closes upstream streams even when downstream disconnects before body iteration. The deployment ADR and runbooks record the four-network topology and its accepted Web edge-egress risk. Constraint: The previously exposed Bailian key must be revoked and no live provider credential may enter Git, images, logs, or the browser. Rejected: Connect Web directly to the data network | expands lateral reach to PostgreSQL. Rejected: Publish the database-aware API on the edge network | gives a credential-bearing process a public default route. Rejected: Buffer streaming responses in either proxy | prevents incremental chat delivery in the future. Confidence: high Scope-risk: moderate Reversibility: clean Directive: Do not mark Stage 1 or Stage 2 complete until the rotated-key live smoke and remaining stage gates pass. Tested: make verify; 65 backend tests; 14 frontend tests; Docker image build; container health and isolation probes; real HTTP demo/status/search/docs/OpenAPI checks. Not-tested: Live Bailian models, real document ingestion, business chat SSE generation, and final browser screenshot automation because the browser skill runtime was unavailable.
75 lines
2.0 KiB
Makefile
75 lines
2.0 KiB
Makefile
.PHONY: setup-hooks check-secrets docs-check links-check verify-design backend-sync \
|
|
backend-format backend-lint backend-type backend-test backend-check compose-check \
|
|
frontend-sync frontend-format frontend-lint frontend-type frontend-test \
|
|
frontend-build frontend-check verify-ci verify
|
|
|
|
setup-hooks:
|
|
git config core.hooksPath .githooks
|
|
chmod +x .githooks/pre-commit scripts/check-secrets.sh
|
|
|
|
check-secrets:
|
|
./scripts/check-secrets.sh --all
|
|
|
|
docs-check:
|
|
test -f docs/00-overall-design.md
|
|
test -f docs/01-data-and-evaluation.md
|
|
test -f docs/02-deployment-and-security.md
|
|
test -f docs/03-implementation-plan.md
|
|
test -f docs/04-project-todo.md
|
|
test -f docs/05-stage1-runbook.md
|
|
test -f docs/06-frontend-demo-runbook.md
|
|
|
|
links-check:
|
|
python3 scripts/check_markdown_links.py
|
|
|
|
verify-design: check-secrets docs-check links-check
|
|
git diff --check
|
|
git diff --cached --check
|
|
|
|
backend-sync:
|
|
cd backend && UV_CACHE_DIR=.uv-cache uv sync --all-groups --frozen
|
|
|
|
backend-format:
|
|
backend/.venv/bin/ruff format --check backend/app backend/tests backend/migrations
|
|
|
|
backend-lint:
|
|
backend/.venv/bin/ruff check backend/app backend/tests backend/migrations
|
|
|
|
backend-type:
|
|
cd backend && .venv/bin/mypy app tests
|
|
|
|
backend-test:
|
|
cd backend && .venv/bin/pytest
|
|
|
|
backend-check: backend-sync backend-format backend-lint backend-type backend-test
|
|
|
|
frontend-sync:
|
|
cd frontend && npm ci
|
|
|
|
frontend-format:
|
|
cd frontend && npm run format:check
|
|
|
|
frontend-lint:
|
|
cd frontend && npm run lint
|
|
|
|
frontend-type:
|
|
cd frontend && npm run typecheck
|
|
|
|
frontend-test:
|
|
cd frontend && npm run test
|
|
|
|
frontend-build:
|
|
cd frontend && npm run build
|
|
|
|
frontend-check: frontend-sync frontend-format frontend-lint frontend-type frontend-test frontend-build
|
|
|
|
compose-check:
|
|
docker compose --env-file .env.example config --quiet
|
|
|
|
# CI does not assume its runner exposes a Docker daemon. Schema and Compose
|
|
# security contracts still run in backend-test; local verification also asks the
|
|
# Docker CLI to render the real Compose model.
|
|
verify-ci: verify-design backend-check frontend-check
|
|
|
|
verify: verify-ci compose-check
|