feat: natural language query + production hardening

Features: - Add /api/ask endpoint for plain-language audit log queries - Regex-based time/entity extraction (no LLM required for parsing) - LLM-powered narrative summarisation with OpenAI-compatible APIs - Graceful fallback to structured bullet lists when LLM is unavailable - Frontend ask panel with markdown rendering and cited events Production: - Harden Dockerfile: non-root user, gunicorn+uvicorn workers - Add docker-compose.prod.yml with internal networks and health checks - Add nginx reverse proxy with security headers - MongoDB no longer exposed externally in production Tests: - 29 new tests for ask parsing, query building, and endpoint behaviour - Fix conftest monkeypatch for routes.ask events collection Bump version to 1.1.0
2026-04-20 15:10:55 +02:00
parent b0eba09f0f
commit 0ef50c91f7
16 changed files with 1097 additions and 4 deletions
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,6 +1,27 @@
 FROM python:3.11-slim
+
+# Security: run as non-root
+RUN groupadd -r aoc && useradd -r -g aoc aoc
+
 WORKDIR /app
+
+# Install dependencies first for layer caching
 COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy application code
 COPY . .
-CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
+
+# Create directories for potential volume mounts and fix permissions
+RUN mkdir -p /app/data && chown -R aoc:aoc /app
+
+USER aoc
+
+# Production: use gunicorn with uvicorn workers
+# Workers = 2-4 x $NUM_CORES; keep it conservative for containerised workloads
+ENV PYTHONUNBUFFERED=1
+ENV PYTHONDONTWRITEBYTECODE=1
+
+EXPOSE 8000
+
+CMD ["gunicorn", "main:app", "-k", "uvicorn.workers.UvicornWorker", "--bind", "0.0.0.0:8000", "--workers", "2", "--timeout", "120", "--access-logfile", "-", "--error-logfile", "-"]