
feat(tier2): pin model to a verified hf revision and harden the daemon boundary#16

Merged
venkateshamatam merged 1 commit into main from feat/tier-2-pinned-model on May 3, 2026

Conversation


@venkateshamatam venkateshamatam commented May 3, 2026

Summary

  • pin the tier-2 prompt-guard model to a known hf revision + per-file SHA, with one shared models/pin.json driving both the downloader and the runtime
  • harden the daemon http + websocket surface so the loopback boundary is real (chunked-safe body cap, CORS + Origin allowlists, payload depth caps, sessionId uuid validation)
  • give the tier-2 sidecar a real supervisor: bounded restart, ready-state reset on crash, structured JSON logs, env-scrubbed spawn
  • electron renderer goes sandbox: true; daemon child process gets a health probe before show + escalating SIGTERM→SIGKILL shutdown
  • python sdk: split types/exceptions out of client.py, real context managers that close both httpx clients, Protocol-typed bridge that fails loud on shape drift
  • new drizzle migration 0002_add_check_constraints.sql locks the action-ledger enum + range invariants at the DB level
  • docker-compose binds dev services to 127.0.0.1 only; CI runs desktop build + sidecar smoke + lockfile-shape gate; deps pinned across all manifests
  • top-level NOTICE for Llama 4 attribution; README rewritten around the pinned-model flow

Test plan

  • bun run typecheck
  • bun run lint
  • bun test src/daemon/*.test.ts scripts/download-model.test.ts → 65 pass + 1 skip + 0 fail
  • bun test src/daemon/check.test.ts → 7 pass + 1 skip + 0 fail
  • bun run model:verify against the committed lockfile
  • live boot the sidecar from local pinned weights, hit /health + /classify benign + injection prompt
  • python: uv run ruff check, uv run mypy --strict, uv run pytest
  • CI green on all jobs (desktop build, sidecar smoke, model lockfile shape, daemon, python sdk)

Follow-ups

  • render tier-2 score in the electron modal (today the score lives in the ledger only)
  • production packaging for the tier-2 sidecar via electron-builder `extraResources`
  • benchmark CLI + per-category threshold ADR

…n boundary

- pin gravitee-io/Llama-Prompt-Guard-2-22M-onnx via models/pin.json (single
  source of truth; downloader + sidecar both load it) and lock SHA-256 of every
  required file in models/prompt-guard-2-22m.lock.json
- scripts/download-model.ts streams + hashes per chunk, verifies against
  the lockfile, atomically rotates the model dir on revision bump, and
  fails --verify hard on missing/malformed/incomplete lockfiles
- sidecar verifies repo + revision + per-file SHA at LOAD time against
  pin.json before pipeline() runs; refuses remote fetch unless
  AIRBAG_TIER2_ALLOW_REMOTE=1; structured JSON logs; EPIPE-tolerant
- daemon defaults tier-2 ON when the pinned model is on disk, falls
  back to disabled cleanly when not
- supervisor owns tier-2 spawn: bounded exponential-backoff restart,
  ready-state reset on death, carry-buffered stdout for chunk-safe port
  discovery, secret-scrubbed env
- daemon http boundary: chunked-aware body-cap middleware (rejects 413
  before unbounded buffering), CORS allowlist, ws origin guard,
  recursive payload schema with depth + key + length caps, uuid + page
  caps on /v1/sessions/:id/actions
- ws hub: 30s heartbeat, slow-consumer drop via getBufferedAmount, max
  inbound size, no-subscriber timer auto-clear
- electron renderer sandbox: true, daemon supervisor with health probe
  before show + escalating shutdown + bounded auto-restart that resets
  the attempt counter on a successful boot
- python sdk split into types.py + exceptions.py, sync/async context
  managers that close BOTH httpx clients, browser-use bridge now uses
  a Protocol-typed envelope_from() that raises TypeError on shape drift
- drizzle migration 0002 adds DB CHECK constraints on action_ledger
  enum + range invariants
- ci adds desktop build + sidecar smoke + lockfile-shape jobs; pinned
  setup-uv version; sidecar smoke installs via the bun workspace
- docker-compose binds postgres / clickhouse / redis to 127.0.0.1 only
- top-level NOTICE reproduces Llama 4 Community License attribution;
  README rewritten around the pinned-model flow
- all transitive deps pinned to exact versions in package.json,
  sidecar/package.json, apps/desktop/package.json
- 65 daemon tests + 7 download tests + 3 python tests passing; bun
  lint + typecheck + ruff + mypy strict all clean
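The lockfile verification the commit message describes (stream and hash per chunk, compare against per-file SHA-256 pins, fail hard on a malformed or incomplete lockfile), as an added example that is not the project's own scripts/download-model.ts; the lockfile field names, the repo/revision strings and the fixture files are assumptions constructed for this demo.

```typescript
import { createHash } from "node:crypto";
import { createReadStream, mkdtempSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";
// Lockfile shape assumed for this example; the project's real lock.json may differ.
export interface Lockfile { repo: string; revision: string; files: Record<string, { sha256: string }> }
// Fail hard on a malformed or empty lockfile: a partial pin must never degrade into
// "nothing to check", or a --verify run would pass vacuously.
export function parseLockfile(text: string): Lockfile {
  const o = JSON.parse(text) as Partial<Lockfile>;
  if (typeof o?.repo !== "string" || typeof o?.revision !== "string" || !o.files || typeof o.files !== "object") {
    throw new Error("lockfile malformed: repo, revision and files are required");
  }
  const names = Object.keys(o.files);
  if (names.length === 0) throw new Error("lockfile incomplete: no files pinned");
  for (const n of names) {
    const sha = o.files[n]?.sha256;
    if (typeof sha !== "string" || !/^[0-9a-f]{64}$/.test(sha)) throw new Error(`bad sha256 for ${n}`);
  }
  return o as Lockfile;
}
// Stream the file through SHA-256 chunk by chunk so large weights never sit in memory whole.
export function sha256File(path: string): Promise<string> {
  return new Promise((resolve, reject) => {
    const h = createHash("sha256");
    createReadStream(path).on("data", (c) => h.update(c)).on("error", reject)
      .on("end", () => resolve(h.digest("hex")));
  });
}
// Check every pinned file; missing and mismatched are reported separately so the caller can
// tell an incomplete download from a modified one.
export async function verifyModelDir(dir: string, lock: Lockfile) {
  const missing: string[] = [], mismatched: string[] = [];
  for (const [name, { sha256 }] of Object.entries(lock.files)) {
    let actual: string;
    try { actual = await sha256File(join(dir, name)); } catch { missing.push(name); continue; }
    if (actual !== sha256) mismatched.push(name);
  }
  return { ok: missing.length === 0 && mismatched.length === 0, missing, mismatched };
}
// Constructed fixture: one intact file, one tampered file, one pinned file absent from disk.
export function buildFixture(): { dir: string; lock: Lockfile } {
  const dir = mkdtempSync(join(tmpdir(), "pin-demo-"));
  const config = '{"model_type":"deberta-v2"}';
  writeFileSync(join(dir, "config.json"), config);
  writeFileSync(join(dir, "model.onnx"), "tampered bytes");
  const lock = parseLockfile(JSON.stringify({ repo: "example/prompt-guard", revision: "0123abcd",
    files: { "config.json": { sha256: createHash("sha256").update(config).digest("hex") },
      "model.onnx": { sha256: "0".repeat(64) }, "tokenizer.json": { sha256: "1".repeat(64) } } }));
  return { dir, lock };
}
```

Running `verifyModelDir` on the fixture reports `tokenizer.json` as missing and `model.onnx` as mismatched, which is the distinction a downloader needs to decide between resuming and refusing to load.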
@venkateshamatam venkateshamatam merged commit f69c93e into main May 3, 2026
4 of 5 checks passed
@venkateshamatam venkateshamatam deleted the feat/tier-2-pinned-model branch May 3, 2026 20:28