Files
RAG/Makefile
YoVinchen c3bad0f186
Some checks failed
verify / verify (push) Has been cancelled
Make the offline RAG chain observable without widening credential access
Expose the verified synthetic retrieval path through a typed React client and a non-root Nginx edge while keeping database credentials and data-network reachability out of the browser tier. A fixed-origin gateway preserves request boundaries and now closes upstream streams even when downstream disconnects before body iteration. The deployment ADR and runbooks record the four-network topology and its accepted Web edge-egress risk.

Constraint: The previously exposed Bailian key must be revoked and no live provider credential may enter Git, images, logs, or the browser.
Rejected: Connect Web directly to the data network | expands lateral reach to PostgreSQL.
Rejected: Publish the database-aware API on the edge network | gives a credential-bearing process a public default route.
Rejected: Buffer streaming responses in either proxy | prevents incremental chat delivery in the future.
Confidence: high
Scope-risk: moderate
Reversibility: clean
Directive: Do not mark Stage 1 or Stage 2 complete until the rotated-key live smoke and remaining stage gates pass.
Tested: make verify; 65 backend tests; 14 frontend tests; Docker image build; container health and isolation probes; real HTTP demo/status/search/docs/OpenAPI checks.
Not-tested: Live Bailian models, real document ingestion, business chat SSE generation, and final browser screenshot automation because the browser skill runtime was unavailable.
2026-07-12 17:38:57 +08:00

75 lines
2.0 KiB
Makefile

.PHONY: setup-hooks check-secrets docs-check links-check verify-design backend-sync \
backend-format backend-lint backend-type backend-test backend-check compose-check \
frontend-sync frontend-format frontend-lint frontend-type frontend-test \
frontend-build frontend-check verify-ci verify
setup-hooks:
git config core.hooksPath .githooks
chmod +x .githooks/pre-commit scripts/check-secrets.sh
check-secrets:
./scripts/check-secrets.sh --all
docs-check:
test -f docs/00-overall-design.md
test -f docs/01-data-and-evaluation.md
test -f docs/02-deployment-and-security.md
test -f docs/03-implementation-plan.md
test -f docs/04-project-todo.md
test -f docs/05-stage1-runbook.md
test -f docs/06-frontend-demo-runbook.md
links-check:
python3 scripts/check_markdown_links.py
verify-design: check-secrets docs-check links-check
git diff --check
git diff --cached --check
backend-sync:
cd backend && UV_CACHE_DIR=.uv-cache uv sync --all-groups --frozen
backend-format:
backend/.venv/bin/ruff format --check backend/app backend/tests backend/migrations
backend-lint:
backend/.venv/bin/ruff check backend/app backend/tests backend/migrations
backend-type:
cd backend && .venv/bin/mypy app tests
backend-test:
cd backend && .venv/bin/pytest
backend-check: backend-sync backend-format backend-lint backend-type backend-test
frontend-sync:
cd frontend && npm ci
frontend-format:
cd frontend && npm run format:check
frontend-lint:
cd frontend && npm run lint
frontend-type:
cd frontend && npm run typecheck
frontend-test:
cd frontend && npm run test
frontend-build:
cd frontend && npm run build
frontend-check: frontend-sync frontend-format frontend-lint frontend-type frontend-test frontend-build
compose-check:
docker compose --env-file .env.example config --quiet
# CI does not assume its runner exposes a Docker daemon. Schema and Compose
# security contracts still run in backend-test; local verification also asks the
# Docker CLI to render the real Compose model.
verify-ci: verify-design backend-check frontend-check
verify: verify-ci compose-check