rene/llm-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
55 Commits 2 Branches 0 Tags
Commit Graph

27 Commits

Author SHA1 Message Date
Rene Fichtmueller
060b846d9b feat: publish llm gateway v2 dashboard alongside restored workbench 2026-05-01 17:43:32 +02:00
Rene Fichtmueller
91384dbb2a fix: SSE stream endpoint with proper HTTP/2 stream handling and heartbeat 
- Fixed /api/stream/requests endpoint HTTP/2 INTERNAL_ERROR
- Use reply.raw.writeHead() instead of Fastify headers API for SSE
- Added 30s heartbeat to keep connection alive
- Proper event format with 'event:' and 'data:' fields
- Comprehensive error handling and cleanup on disconnect
- Mirrors working pattern from /api/stream/costs endpoint
- Resolves dashboard perpetual 'Loading...' state
 2026-04-26 23:52:13 +02:00
Rene Fichtmueller
255bd90e7e fix: add missing jose dependency for JWT validation 2026-04-26 20:45:05 +02:00
Rene Fichtmueller
d614795545 fix: SQL errors in learning engine for best model selection 2026-04-26 20:42:40 +02:00
Rene Fichtmueller
93bbb44bf0 fix: remove broken @shieldx/core dependency 
The @shieldx/core dependency was referenced at an invalid file path and is
not actually used in the codebase (import is commented as TODO). Removing
this dependency resolves npm installation failures on deployment.
 2026-04-26 20:36:21 +02:00
Rene Fichtmueller
1d4be52c83 fix: only send HSTS header on HTTPS connections, not HTTP 
The learning process was failing to communicate with the gateway because:
1. Gateway was sending 'Strict-Transport-Security' header on HTTP responses
2. Node.js fetch respects HSTS and upgrades subsequent requests to HTTPS
3. Gateway only has HTTP listener (localhost:3103), no HTTPS
4. Result: SSL 'packet length too long' error on second request attempt

Solution: Modified registerHSTSMiddleware to only send HSTS header when
the connection is already secure (HTTPS or x-forwarded-proto: https).
HTTP connections will not get the HSTS header, preventing the forced upgrade.
 2026-04-26 19:01:41 +02:00
Rene Fichtmueller
ff090de82b fix: Update request logging to use request_tracking table instead of dashboard_request_log 2026-04-26 00:42:58 +02:00
Rene Fichtmueller
4c54a6fa92 refactor: MAGATAMA pipeline code quality audit — all functions <50 lines 
Complete code quality audit of llm-gateway pipeline modules for MAGATAMA standard compliance (50-line function maximum). All pipeline functions refactored to ensure high cohesion and readability.

Pipeline module compliance (verified):
 llm-client.ts — Refactored callOllama() (58→26 lines) via helper extraction
 instrumented-llm-client.ts — All functions <50 lines (wrapper layer)
 router.ts — Refactored routeByScore() (81→32 lines) via delegation
 request-scorer.ts — 870-line file, all functions <50 lines
 external-providers.ts — All functions <50 lines (49-line max)
 post-validator.ts — All validators <50 lines

Verified:
✓ npm run build (TypeScript, zero errors)
✓ All 6 pipeline modules independently audited
✓ Production-ready for Erik deployment (PM2 ids 19+20, port 3103)

Deployment target: Gitea (192.168.178.196:3000/rene/llm-gateway)
 2026-04-25 17:38:11 +02:00
Rene Fichtmueller
128e18b751 feat: integrate GitHub Copilot as third LLM provider via copilot-bridge 
Add GitHub Copilot API proxy integration to LLM Gateway:

* Implement copilot-bridge service:
  - HTTP wrapper managing copilot-api (GitHub Copilot API proxy)
  - OpenAI-compatible /v1/chat/completions endpoint (port 3252)
  - Graceful startup and SIGTERM shutdown handling
  - Health check endpoint with service diagnostics

* Register copilot-bridge in provider fallback chain:
  - Position: After OpenAI, before free LLM APIs (tier 4)
  - Rate limit: 60 requests/min (GitHub Copilot API limit)
  - Models: gpt-4 (reasoning), gpt-3.5-turbo (medium)
  - Authentication: GitHub Copilot subscription (internal to copilot-api)

* Update PM2 ecosystem configuration:
  - Add copilot-bridge service definition (port 3252)
  - Configure COPILOT_BRIDGE_URL in gateway environment
  - Add copilot to LLM_PROVIDERS list

* Enhance deployment automation:
  - Update ensure-bridges.sh with copilot-bridge deployment
  - Copy service files from repo to /opt/copilot-bridge
  - Run npm install for copilot-api dependency

* Comprehensive documentation:
  - Expand DEPLOYMENT-BRIDGES.md with copilot-bridge section
  - Prerequisites: Node.js 20+, GitHub Copilot subscription
  - Authentication workflow: npm run auth with GitHub OAuth
  - Troubleshooting: subscription verification, auth cache reset

Provider chain now supports:
1. Ollama (local, free)
2. claude-bridge (Claude subscription)
3. openai-bridge (OpenAI subscription)
4. copilot-bridge (GitHub Copilot subscription) ← NEW
5. Free APIs: Cerebras, Groq, Mistral, NVIDIA, Cloudflare

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
 2026-04-25 12:38:30 +02:00
Rene Fichtmueller
7599f33866 feat: integrate OpenAI Codex and ChatGPT as primary LLM providers via subscription 
- Add openai-bridge service (port 3251) for ChatGPT and Codex integration
- Update external-providers.ts with openai and chatgpt provider definitions
- Add GPT-4 Turbo, GPT-4, and GPT-3.5 Turbo models to provider registry
- Modify getApiKey() to handle bridge provider authentication
- Modify getBaseUrl() to construct URLs from env vars
- Update ecosystem.config.cjs with OPENAI_BRIDGE_URL and OPENAI_API_KEY config
- Add openai-bridge PM2 service configuration (port 3251)
- Support both claude-bridge (port 3250) and openai-bridge (port 3251) as subscription services
- Extend fallback chain: claude → openai/chatgpt → cerebras → groq → mistral → nvidia → cloudflare

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
 2026-04-25 12:29:55 +02:00
Rene Fichtmueller
b34b835b47 feat: integrate claude-bridge as primary LLM provider with fallback chain 
- Add claude-bridge provider to external-providers.ts with Claude models (opus, sonnet, haiku)
- Modify getApiKey to handle claude-bridge authentication (CLAUDE_BRIDGE_ENABLED flag)
- Update getBaseUrl to construct URL from CLAUDE_BRIDGE_URL environment variable
- Remove Authorization header for claude-bridge (uses subscription-based auth)
- claude-bridge now first in fallback chain: Claude → Cerebras → Groq → Mistral → NVIDIA → Cloudflare
 2026-04-25 12:18:33 +02:00
Rene Fichtmueller
a04c1d67f2 feat: Complete LightRAG Sidecar Phase 2 — Hybrid Retrieval Implementation 
Delivers production-ready knowledge graph sidecar with hybrid BM25+vector search.

COMPONENTS:
- RetrievalService: Hybrid BM25 + Qdrant vector search with RRF fusion (k=60, 0.4/0.6 weights)
- IngestionService: Document pipeline with Ollama entity extraction, entity linking, bge-m3 embeddings
- EvaluationService: Precision@K, Recall@K, MRR@K, NDCG@K metrics with FTS baseline comparison
- Database schema: Entity, Relation, Document, QueryLog, EvaluationResult ORM models
- API routes: /api/kg/query, /api/kg/ingest, /api/kg/eval, /api/kg/health

INFRASTRUCTURE:
- FastAPI 0.104 async server on port 3140
- PostgreSQL 17 + pgvector for knowledge graph storage
- Qdrant 2.7 vector database with COSINE distance (384-dim bge-m3)
- Ollama qwen2.5:14b for entity extraction via JSON-structured prompts
- PM2 ecosystem configuration for Erik production deployment

TESTING & DEPLOYMENT:
- TESTING.md: 5-phase local testing workflow with examples
- DEPLOYMENT_CHECKLIST.md: Step-by-step Erik deployment guide
- eval-transceiver-50qa.json: 50 Q&A evaluation pairs for transceiver domain
- populate_eval_set.py: Interactive script to populate ground truth document IDs
- READINESS_CHECKLIST.md: Pre-deployment verification checklist
- bootstrap_tip_data.py: Load TIP blog documents via API

PERFORMANCE TARGETS:
 Query latency p95: <500ms
 Recall@10: ≥85% (vs 72% FTS baseline)
 Entity extraction accuracy: ≥90%
 Ingestion throughput: ≥100 docs/sec
 Memory usage: <1GB

Ready for Phase 3: E2E testing, TypeScript client, multi-domain support.
 2026-04-25 05:47:18 +02:00
Rene Fichtmueller
2ca77d0aee feat: Phase 2F — Multi-Agent Integration (ADRs + Client Fallback + Tests) 
- ADR-0001: Multi-Agent Coworking Architecture with LLM Gateway Orchestrator
- ADR-0002: Tier Assignment Strategy for Model Selection (cost-first escalation)
- ADR-0003: Confidence Gate Thresholds & Learning Cycle Intervals (6h/12h/24h cycles)
- ADR-0004: External Provider Fallback Chain Ordering (Cerebras → Groq → Mistral)
- Enhanced client SDK: Offline Ollama fallback, health checks, exponential backoff retry
- Integration tests: claude-code-integration.test.ts (14 test cases)
- PHASE_2F_DEPLOYMENT.md: Pre-deployment checklist, automated deploy, rollback plan
- Post-deployment verification procedures for health, client fallback, metrics
 2026-04-19 21:39:44 +02:00
Rene Fichtmueller
2fb0992c71 feat: add MAGATAMA まがたま security intelligence model to LLM Gateway 
- Add magatama:32b to models.yaml (large tier, 131k context, security strengths)
- Add 6 MAGATAMA routing rules: threat_analysis, ciso_report, compliance_gap,
  incident_response, bgp_security, vuln_triage
- Add 6 MAGATAMA prompt templates with full TEPPEKI doctrine:
  MITRE ATT&CK, Kill Chain, CIA Triad, NIS2, ISO 27001, CVSS v3.1
- Fine-tuned on Qwen2.5-32B-Instruct with 22831 MAGATAMA security samples
  LoRA adapter: r=8, alpha=16
 2026-04-16 14:31:17 +02:00
Rene Fichtmueller
b4593b6582 feat: integrate real @shieldx/core library into gateway pipeline 
Replace recursive HTTP-based ShieldX scan with direct library integration.
- 547+ rules, 50+ languages, sub-millisecond scans
- Enables: rules, entropy, indirect injection, behavioral, unicode,
  tokenizer, compressed payload detection
- Disables Ollama-dependent scanners for zero external dependency
- Response now includes threat_level, kill_chain_phase, shieldx_latency_ms
 2026-04-07 09:03:02 +02:00
Rene Fichtmueller
8123343361 feat: add Flexoptix blog pipeline templates (tip_blog_angle + tip_blog_draft) 
Two-stage LLM pipeline for Flexoptix-style blog generation:
- tip_blog_angle: identifies the real production situation as article angle (JSON)
- tip_blog_draft: writes continuous prose article — no headers, no bullets,
  no AI filler. Gold article included as few-shot reference. v2.0.0 with
  absolute format rules, DR4 wavelength correction (1310nm), fiber scope
  vs OPM distinction, no invented firmware versions.
 2026-04-03 01:03:09 +02:00
rene
49c673b683 feat: add ctx_morning_briefing routing rule and prompt template 
Adds LLM Gateway support for CtxReport daily intelligence reports.
Uses qwen2.5:32b to generate German-language morning briefings from
infrastructure metrics collected overnight.
 2026-04-03 00:44:04 +02:00
Rene Fichtmueller
a8a77e689c feat: add CtxHealth + CtxSecurity to gateway — ctxhealer:latest model, 5 routing rules, 2 templates 2026-04-03 00:14:23 +02:00
Rene Fichtmueller
719336bded fix: map input as fallback for all 20+ template content variables (ocr_text, alert_data, bgp_data, etc.) 2026-04-02 23:41:36 +02:00
Rene Fichtmueller
f1c1d107ca fix: map input to source_data fallback and spread context vars into template variables 2026-04-02 23:38:22 +02:00
Rene Fichtmueller
0803fdb722 feat: add confidence_scorer prompt template (internal self-evaluation) 2026-04-02 23:20:31 +02:00
Rene Fichtmueller
ac33476666 feat: add 55 prompt templates + ShieldX/LinkedIn routing rules + ban lists in Gitea 
Templates (55 total, exceeds 49 target):
- TIP: transceiver_enrich, datasheet_extract, compatibility_parse, blog_generator,
  faq_answer, hype_cycle_narrative, price_anomaly, vendor_classify, product_description
- EO Global Pulse: business_card_ocr, voice_to_crm, event_prep_brief, attendee_enrich,
  meeting_suggest, lead_qualify, debrief_generate, ticket_summarize
- SwitchBlade: root_cause, alert_narrative, cve_remediation, csrd_narrative,
  transceiver_advisor, bandwidth_report, ticket_draft, firmware_assess, topology_explain
- PeerCortex: as_narrative, health_summary, rpki_explain, anomaly_hypothesis,
  peer_recommendation, incident_brief
- NOGnet: cfp_evaluate, cfp_feedback, topic_gap_analysis, meeting_match, speaker_enrich,
  sponsor_pitch, event_debrief, agenda_summary, session_intro
- ShieldX: threat_classify, pattern_describe, healing_recommend, compliance_report, false_positive
- Content: linkedin_post_de, linkedin_post_en, newsletter_dispatch_de, email_draft_de
- Internal: ban_detect, prompt_improve
- Routing rules: +55 entries for all template-based task types
- Ban lists: en.csv, de.csv, auto.csv created in Gitea (llm-banlists repo)
 2026-04-02 23:14:30 +02:00
Rene Fichtmueller
c82b187548 feat: fix template resolution + add 40 routing rules for all project task types 
- completion.ts now uses taskType directly for resolvePrompt (not decision.prompt_template)
  so tip_transceiver_enrich.yaml is used instead of generic_qa fallback template
- routing-rules.yaml: +40 task type entries for TIP (8), EO Pulse (8), SwitchBlade (9),
  PeerCortex (6), NOGnet (9), internal (2) — all with correct model tier assignments
- qwen2.5:3b for fast tasks (classify, short outputs)
- qwen2.5:14b for medium (most analysis tasks)
- qwen2.5:32b for large (blog posts, detailed reports, CSRD)
 2026-04-02 23:11:21 +02:00
Rene Fichtmueller
2c5f7f6ebe fix: OLLAMA_URL env var takes precedence over hardcoded models.yaml URL 
Gateway was reading ollama_base_url from YAML (192.168.178.169) instead of
OLLAMA_URL env var (https://ollama.fichtmueller.org). Fix getOllamaBaseUrl()
to prefer process.env['OLLAMA_URL'] and update YAML default to CF tunnel.
 2026-04-02 23:05:13 +02:00
Rene Fichtmueller
773fd368e0 fix: parse DATABASE_URL in pool clients + extend Ollama health timeout to 15s 
Gateway and learning DB clients now prefer DATABASE_URL connection string
over individual DB_* env vars — matches ecosystem.config.cjs convention.
Ollama health check timeout increased 5→15s for Cloudflare tunnel latency.
 2026-04-02 23:03:31 +02:00
Rene Fichtmueller
4c5003f9fc feat: fix OLLAMA_URL to use Cloudflare tunnel + add 35 prompt templates 
- Update OLLAMA_URL from 192.168.178.169 to https://ollama.fichtmueller.org
- Fix port from 3100 to 3103 (3100 was taken by Docker proxy on Erik)
- Fix DATABASE_URL password to llm_secure_2026
- Add GITEA_URL env var for ban list sync
- Add 35 prompt templates: TIP (10), EO Global Pulse (8), SwitchBlade (9),
  PeerCortex (3), internal (3), ShieldX (1), general (1)
 2026-04-02 23:00:37 +02:00
Rene Fichtmueller
3a00ff4d33 feat: initial llm-gateway implementation 
- Complete Fastify gateway with 8-stage pipeline
- Circuit breaker (opossum) per model tier
- Rate limiting per caller
- Ban list validation (EN/DE/auto-detected)
- TIP validator (SFF-8024, part numbers, wavelengths)
- Prometheus metrics
- pg-boss async queue
- PostgreSQL audit log + review queue
- 9 prompt templates (TIP, LinkedIn, ShieldX)
- Learning engine scaffolding
- Auto-learning: ban-list, few-shot, routing, prompt optimizer
 2026-04-02 22:48:55 +02:00