8fd23f7ea1
refactor(ssl): centralize SSL trust management, remove LLM_SSL_VERIFY
...
Centralized SSL via one contract: CERTS_PATH=/opt/certs mounted into all containers.
Backend:
- NEW: backend/src/core/ssl.py — system_ssl_context(), httpx_verify(),
cert_dir_inventory()
- LLMClient._get_ssl_verify() → delegates to core.ssl
- _llm_async_http._get_verify() → delegates to core.ssl
- Removed LLM_SSL_VERIFY env reading from all runtime code
Docker:
- NEW: docker/certs.sh — shared cert installer (PEM/DER/cer to .crt conversion,
update-ca-certificates, hash symlinks, NSS import)
- NEW: docker/agent.entrypoint.sh — agent entrypoint with cert installation
- backend.entrypoint.sh → uses certs.sh instead of install_llm_ca_certs
- Dockerfile.agent → adds ca-certificates, openssl, entrypoint
Compose:
- Removed LLM_CA_CERT_URLS and LLM_SSL_VERIFY from all compose files
- Added CERTS_PATH volume mount to agent (dev + enterprise)
- Added certs volume mount to backend/agent in dev compose
Env examples:
- Removed LLM_SSL_VERIFY, LLM_CA_CERT_URLS from .env.example,
.env.enterprise-clean.example, .env.current.example, .env.master.example,
backend/.env.example
- Enhanced CERTS_PATH comments with accepted formats
Diagnostics:
- diag_container.py: removed LLM_* checks, added CERTS_PATH inventory,
uses core.ssl for context creation
Tests:
- Updated test_llm_analysis_service, test_llm_async_http,
test_client_headers to verify centralized ssl context (no env disable)
- 4/4 SSL tests pass
2026-07-06 21:00:28 +03:00
43e3f4135e
fix(scripts): fix --target arg parsing in diag_container.py
2026-07-06 20:37:22 +03:00
bcabe90e13
feat(scripts): add container diagnostic script for SSL cert + encryption health
...
Checks 6 categories:
1. Environment — ENCRYPTION_KEY, LLM_SSL_VERIFY, LLM_CA_CERT_URLS
2. System CA store — ca-certificates.crt, custom/LLM certs, hash symlinks
3. OpenSSL connectivity — cafile vs capath (per ADR-0009 Finding 7)
4. Python SSLContext(capath) — what _get_ssl_verify() uses
5. httpx(capath) — integration test
6. Encryption key health — decrypt test for all LLM provider api_keys
Usage:
docker cp scripts/diag_container.py superset-tools-backend-1:/tmp/
docker compose exec backend python3 /tmp/diag_container.py --target lite.ai.rusal.com:443
2026-07-06 20:27:03 +03:00
ec6421de35
rename ss-tools to superset-tools across the entire project
...
- Replace all occurrences of 'ss-tools' with 'superset-tools' in 104 files
- Rename git bundle file ss-tools.bundle → superset-tools.bundle
- Update .gitignore pattern accordingly
- Preserve variable names (hasSsTools etc.) and code identifiers
2026-06-16 11:15:19 +03:00
6989bb0bc9
feat(coverage): add coverage-summary script, README section, ADR-0013
...
- scripts/coverage-summary.sh — unified coverage summary generator
Runs pytest+coverage (unit/integration) and vitest+coverage,
parses results, generates single HTML report with both stacks.
Supports --unit, --backend-only, --frontend-only, --output-dir.
- README.md — add 'Покрытие кода' sub-section under Тестирование
- docs/adr/ADR-0013-coverage-reporting.md — architectural decision record
2026-06-15 13:40:22 +03:00
8ecea09222
fix: capath instead of cafile for all LLM clients
...
OpenSSL 3.x ignores intermediate CA certs in -CAfile (verify code 20)
but correctly builds chains with -CApath (verify code 0).
All three clients now use capath:
- service.py: ssl.create_default_context(capath=...)
- _llm_http.py: verify='/etc/ssl/certs/'
- preview_llm_client.py: verify='/etc/ssl/certs/'
check_llm_certs.py rewritten for clarity.
2026-05-29 11:02:48 +03:00
802727b58a
fix: check_llm_certs.py — fixes from user review
...
- openssl s_client: stdin=EOF to prevent hang (input='')
- argparse for --target CLI argument
- in_bundle check: awk+openssl per-cert fingerprint comparison
- NamedTemporaryFile: mode='wb' for binary writes
- Added httpx_capath and requests_cafile_capath tests
- Graceful handling of empty ca-certificates.crt
2026-05-28 23:22:53 +03:00
8a815ab1b1
fix: check_llm_certs.py — handle DER files, openssl timeout 20s, binary PEM reads
2026-05-28 23:10:18 +03:00
05f42d5489
fix: check_llm_certs.py — clean main() structure, safe imports
2026-05-28 22:58:37 +03:00
ed4ac88c3d
feat: rewrite SSL diag in Python — tests all real libraries
...
Tests all 4 SSL methods with actual project libraries:
- httpx (verify=True/False/SSLContext cafile/cafile+capath)
- requests (verify=True/False/cafile/capath)
- openssl s_client (default/CAfile/CApath/chain bundle)
- certutil (NSS/Chromium)
- certifi vs system CA comparison
Outputs JSON summary with AI diagnosis hint.
2026-05-28 22:57:08 +03:00
2cc2896740
fix: rewrite check_llm_certs.sh — tests all methods AI needs
...
Tests 4 variants: openssl s_client (CAfile, CApath, default),
Python httpx (cafile, cafile+capath), requests (cafile, capath),
NSS certutil. Output format is machine-parseable for AI diagnosis.
2026-05-28 22:56:19 +03:00
2d4b60cef9
feat: add SSL certificate diag script (check_llm_certs.sh)
...
Runs from inside Docker container to verify all 4 SSL layers:
1. System CA store (openssl s_client)
2. NSS database (certutil) for Chromium
3. Python httpx (SSLContext with cafile)
4. Python requests (verify with system CA path)
Reads LLM_SSL_VERIFY and CA paths from .env.enterprise-clean
2026-05-28 12:13:44 +03:00
9ffa8af1dc
semantics
2026-05-26 09:30:41 +03:00
9228d071ef
fix(translate): fix batch sizing — use real available input budget, respect job.batch_size, lazy playwright in docker
...
- _batch_sizer.py: compute per_batch_budget from actual available_input_budget
(context_window - max_output_tokens) instead of sum of first N rows
- _batch_sizer.py: cap max_rows_hard_cap with job.batch_size (user config)
- _token_budget.py: add available_input_budget and max_output_tokens to return
- preview.py: validate required config fields before preview
- requirements-docker.txt: add playwright pip package (~5 MB)
- backend.entrypoint.sh: lazy playwright install chromium on first start
- build.sh: switch tar to tar.xz (-T0 -9), 5.5x smaller bundles
- README.md: add offline bundle deployment instructions
- playwright.config.js: add testMatch for *.e2e.js files
- frontend: preview tab config validation, i18n keys, translationRun store
2026-05-17 23:32:00 +03:00
fdf48491a1
fix(translate): Kilo API response_format, reasoning_effort skip, structured_outputs fallback, refusal handling
...
- Enable response_format (json_object) for all providers including Kilo/OpenRouter
- Skip reasoning_effort for Kilo/OpenRouter (returns 400 — mandatory reasoning)
- Add structured_outputs fallback: retry once without response_format if upstream
provider (e.g. StepFun) rejects it with 'structured_outputs is not supported'
- Handle model refusal field (refusal) instead of treating as empty content
- Fix None-handling guards for message/finish_reason/content fields
- Apply same fixes to both preview.py and executor.py _call_openai_compatible
- Connect orphaned TermCorrectionPopup, BulkReplaceModal, BulkCorrectionSidebar
2026-05-15 18:12:29 +03:00
7947700188
fix(translate): add EXPLORE logging for LLM JSON parse failures
...
Preview + executor now log the raw LLM response (first 1000 chars)
when JSON parsing fails, enabling debugging of malformed LLM output.
Previously ValueErrors from JSON parse failures were silently returned
as 400 without any diagnostic data in logs.
2026-05-15 09:15:36 +03:00
39ab647851
semantics
2026-05-13 14:15:33 +03:00
2da548fd71
fix: finalize semantic repair and test updates
2026-03-21 15:07:06 +03:00
81406bc2e2
fix: commit semantic repair changes
2026-03-21 11:22:25 +03:00
5e6fe2fe61
security: rotate bootstrap and clean workspace
2026-03-13 12:14:37 +03:00
0e94268980
Add docker admin bootstrap for clean release
2026-03-13 11:41:44 +03:00
3efba00b8f
chore: include docker image metadata in offline bundle manifest
2026-03-11 12:40:54 +03:00
35cdfb0184
feat: add offline docker bundle for enterprise clean releases
2026-03-11 12:35:01 +03:00