mirror of
https://github.com/mudler/LocalAI.git
synced 2026-06-22 15:49:12 -04:00
63bcbf6c12
* fix(pii): post-merge review fixes + live NER e2e for the privacy-filter tier Follow-up to the NER tier engine (#10360), already on master. This carries only the incremental review fixes and tests that postdate that merge — the feature itself is not re-introduced. Review fixes: - openai_completion.go: remove the dead `elem >= 0` conjunct in applyAnyText (the `elem < 0` guard above already returns). - application.go: collapse ResolvePIIPolicy's inline re-implementation of PIIIsEnabled to a single cfg.PIIIsEnabled() call (sole source of the "explicit pii.enabled wins, else cloud-proxy default" rule) and return true past the !enabled guard where it is provable. - pattern.go: hoist the triple `appConfig != nil && EnableTracing` check in patternDetector.Detect into one local. - grammar.go: MaxQuantifier was 4096, but Go's regexp/syntax rejects repeat bounds above 1000 at Parse time, so walk()'s {n,m} guard could never fire — dead code shadowed by the parser. Lower it to 512 so a bound in (512,1000] is rejected here with an actionable error; >1000 still fails closed via Parse. Specs pin the relationship so the guard can't silently revert. - PatternListEditor.jsx: clamp a directly-typed negative min_len to >=0 and force the DOM value back when clamping (min={0} only constrained the spinner, so a negative reached saved config and silently disabled the length filter). Tests: - piipattern_test.go: MaxQuantifier guard specs (must stay live, not dead). - model-config.spec.js: assert the min_len clamp, and that entity_actions collapses a duplicate group to a single row (map semantics; regression guard against emitting an array that drops a row on save). - tests/e2e-backends: token_classify capability driving the TokenClassify gRPC RPC against the backend image, asserting byte-correct, UTF-8 rune-aligned spans (entity.Text == text[start:end]) at threshold 0. Verified on CPU via `make test-extra-backend-privacy-filter` (3/3 specs). - Makefile: test-extra-backend-privacy-filter wrapper. - tests/e2e: e2e_pii_ner_test.go drives /api/pii/analyze + /api/pii/redact (mask + block) through the full HTTP -> detector -> redactor path; gated on PII_NER_MODEL_GGUF so the default suite is unaffected. - .github/workflows/tests-pii-ner-e2e.yml: path-filtered / nightly CI job running the container harness on CPU. Assisted-by: Claude:claude-opus-4-8 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> * feat(gallery): add privacy-filter-nemotron (f16 + q8) GGUF conversions of OpenMed/privacy-filter-nemotron — a fine-grained English PII token-classifier (55 categories / 221 BIOES classes), fine-tuned from openai/privacy-filter on NVIDIA's Nemotron-PII dataset. Sibling to the existing privacy-filter-multilingual entry, trading language breadth for category depth. - privacy-filter-nemotron: F16 reference artifact (~2.8 GB). - privacy-filter-nemotron-q8: Q8_0 quant (~1.64 GB) for RAM-constrained / edge use; description notes the size/speed tradeoff and to validate on your own data (a single dropped span is a PII leak). Both run on the privacy-filter backend with known_usecases [token_classify] and a default mask policy (min_score 0.5); operators add per-category entity_actions as needed. sha256s taken from the HF repo's LFS object ids. Assisted-by: Claude:claude-opus-4-8 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> --------- Signed-off-by: Richard Palethorpe <io@richiejp.com>
98 lines
3.7 KiB
YAML
98 lines
3.7 KiB
YAML
---
|
|
name: 'PII NER tier E2E (live GGUF, CPU)'
|
|
|
|
# Runs the real privacy-filter GGUF NER tier end-to-end on CPU — the gap the
|
|
# hermetic tests/e2e suite cannot cover (it only exercises the in-process
|
|
# pattern tier). Heavy (builds the C++ backend image + downloads a ~2.7 GB
|
|
# GGUF), so it is path-filtered on PRs and otherwise runs nightly / on demand.
|
|
#
|
|
# This drives the container-level harness (tests/e2e-backends) via
|
|
# `make test-extra-backend-privacy-filter`: it builds the privacy-filter image,
|
|
# downloads the model, loads it on CPU, and asserts byte-correct, UTF-8-aligned
|
|
# TokenClassify spans. The complementary HTTP-path specs in tests/e2e
|
|
# (e2e_pii_ner_test.go) Skip unless PII_NER_MODEL_GGUF is wired.
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: '0 3 * * *'
|
|
push:
|
|
branches:
|
|
- master
|
|
paths:
|
|
- 'backend/cpp/privacy-filter/**'
|
|
- 'backend/Dockerfile.privacy-filter'
|
|
- 'core/services/routing/pii/**'
|
|
- 'core/services/routing/piidetector/**'
|
|
- 'core/backend/token_classify.go'
|
|
- 'core/http/endpoints/localai/pii.go'
|
|
- 'core/schema/pii.go'
|
|
- 'tests/e2e-backends/**'
|
|
- 'tests/e2e/e2e_pii_ner_test.go'
|
|
- 'tests/e2e/e2e_suite_test.go'
|
|
- '.github/workflows/tests-pii-ner-e2e.yml'
|
|
pull_request:
|
|
paths:
|
|
- 'backend/cpp/privacy-filter/**'
|
|
- 'backend/Dockerfile.privacy-filter'
|
|
- 'core/services/routing/pii/**'
|
|
- 'core/services/routing/piidetector/**'
|
|
- 'core/backend/token_classify.go'
|
|
- 'core/http/endpoints/localai/pii.go'
|
|
- 'core/schema/pii.go'
|
|
- 'tests/e2e-backends/**'
|
|
- 'tests/e2e/e2e_pii_ner_test.go'
|
|
- 'tests/e2e/e2e_suite_test.go'
|
|
- '.github/workflows/tests-pii-ner-e2e.yml'
|
|
|
|
concurrency:
|
|
group: ci-tests-pii-ner-e2e-${{ github.event.pull_request.number || github.sha }}-${{ github.repository }}
|
|
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
|
|
|
|
jobs:
|
|
tests-pii-ner-e2e:
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
go-version: ['1.25.x']
|
|
steps:
|
|
- name: Clone
|
|
uses: actions/checkout@v6
|
|
with:
|
|
submodules: true
|
|
- name: Free disk space
|
|
run: |
|
|
sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache/CodeQL || true
|
|
sudo docker image prune --all --force || true
|
|
df -h
|
|
- name: Configure apt mirror on runner
|
|
uses: ./.github/actions/configure-apt-mirror
|
|
- name: Setup Go ${{ matrix.go-version }}
|
|
uses: actions/setup-go@v5
|
|
with:
|
|
go-version: ${{ matrix.go-version }}
|
|
cache: false
|
|
- name: Proto Dependencies
|
|
run: |
|
|
curl -L -s https://github.com/protocolbuffers/protobuf/releases/download/v26.1/protoc-26.1-linux-x86_64.zip -o protoc.zip && \
|
|
unzip -j -d /usr/local/bin protoc.zip bin/protoc && \
|
|
rm protoc.zip
|
|
go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.2
|
|
go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@1958fcbe2ca8bd93af633f11e97d44e567e945af
|
|
PATH="$PATH:$HOME/go/bin" make protogen-go
|
|
- name: Dependencies
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y build-essential
|
|
# Builds local-ai-backend:privacy-filter, downloads the GGUF, loads it on
|
|
# CPU and runs the token_classify capability spec (byte-offset contract).
|
|
- name: Run live PII NER backend E2E
|
|
run: PATH="$PATH:$HOME/go/bin" make test-extra-backend-privacy-filter
|
|
- name: Setup tmate session if tests fail
|
|
if: ${{ failure() }}
|
|
uses: mxschmitt/action-tmate@v3.23
|
|
with:
|
|
detached: true
|
|
connect-timeout-seconds: 180
|
|
limit-access-to-actor: true
|