m4/org/openalice-gatewayci failure

openalice-gateway

Features
5
Status
·unknown
Last activity
1mo ago
Branch
mvp

Architecture rating

D1mo ago
securityC

Purpose-built auth/rate-limit/circuit-break gateway; 401 on unauth probe confirms auth enforcement is live, deny.toml guards supply-chain — but no visible SSRF/injection regression tests and CI is currently failing, so guards are unverified.

consistencyC

Manifest valid (100), 0 dead imports, 0 cycles, clean substrate adoption — undercut by env drift (5 declared-unused GATEWAY_URL_* vars) and 4 god modules / 2 duplicate signatures.

docsC-

Manifest present+valid (100), AGENTS.md and 5 @feature annotations, roadmap 95 — but README excerpt is empty and 55 missing docstrings across modules.

reliabilityC-

Circuit breaking + rate limiting declared (good resilience posture), zero circular deps — but CI conclusion=failure (2026-06-15), uptime_24h=0%, max complexity 19 and 4 god modules; graceful-shutdown/retry/idempotency unverified by tests.

observabilityD

Health endpoint exists (probed at alice.blal.pro) but no metrics, tracing, or structured-log signal surfaced; 401/down probe and 0% uptime suggest probes aren't wired to a real readiness path.

data layerD

Stateless proxy: manifest owns zero tables, no migrations dir, no schema/RLS/FK signal — appropriate for a gateway but nothing to evidence, graded conservatively for absence.

testingF

No tests directory detected in clone and CI run concluded in failure — zero evidence of coverage on auth/rate-limit/proxy critical paths; the dominant weakness for this repo.

source · auto-grader-2026-06-16

Ecosystem manifest

.atlas-deps.yml

API gateway — auth enforcement, rate limiting, circuit breaking, and HTTP/WS reverse proxy for the OpenAlice microservice ecosystem.

Runtime deps
  • via GATEWAY_URL_AUTH
    Validate API keys by calling /auth/me on the auth service (fail-closed)
  • openalicehttpoptional
    via GATEWAY_URL_ALICE
    Proxy /alice/* requests to the main OpenAlice service (120s timeout for LLM calls)
  • openalice-a2ahttpoptional
    via GATEWAY_URL_A2A
    Proxy /a2a/* requests to the agent-to-agent service
  • via GATEWAY_URL_ML
    Proxy /ml/* requests to the ML gateway
  • openalice-personahttpoptional
    via GATEWAY_URL_PERSONA
    Proxy /persona/* HTTP and /ws/persona WebSocket requests to the persona backend
  • openalice-registryhttpoptional
    via GATEWAY_URL_REGISTRY
    Proxy /registry/* requests to the agent registry
  • openalice-rtwsoptional
    via GATEWAY_URL_RT
    Proxy /rt/* HTTP and /ws/rt WebSocket requests to the realtime backend
  • via GATEWAY_URL_SOCIAL
    Proxy /social/* requests to the social API backend
  • openalice-voicehttpoptional
    via GATEWAY_URL_VOICE
    Proxy /voice/* HTTP and /ws/voice WebSocket requests to the voice backend
Consumed env
  • SHARED_JWT_SECRET
  • GATEWAY_JWT_SECRET
  • GATEWAY_PORT
  • GATEWAY_BIND
  • GATEWAY_RATE_LIMIT
  • GATEWAY_ANON_RATE_LIMIT
  • GATEWAY_URL_AUTH
  • GATEWAY_URL_SOCIAL
  • GATEWAY_URL_VOICE
  • GATEWAY_URL_RT
  • GATEWAY_URL_PERSONA
  • GATEWAY_URL_A2A
  • GATEWAY_URL_ML
  • GATEWAY_URL_ALICE
  • GATEWAY_URL_REGISTRY
Exposes
  • docker_image: openalice-gateway
  • http_endpoint: https://alice.blal.pro/api/*
Env drift · manifest ⇄ code

Atlas grepped the repo's source for env reads (rust env::var · ts process.env · py os.environ · shell $VAR) and diffed against the manifest's consumes_env. Two lists below: stale declarations and undeclared reads.

Manifest declares, code unused
  • GATEWAY_URL_A2A
  • GATEWAY_URL_ALICE
  • GATEWAY_URL_ML
  • GATEWAY_URL_REGISTRY
  • GATEWAY_URL_SOCIAL
Observed reads: 10 · declared: 15

Roadmap · what's planned next

56% avg4 goals

Code composition

tokei · loc
2.1kloc
  • Rust96.4%
  • TOML3.6%
  • Rust96.4%· 2,041
  • TOML3.6%· 76
Language% codecodecommentsblanksfiles
Rust96.4%2,0418324610
TOML3.6%765492
Markdown0.0%0831

Telemetry ribbon · last 90 days

5 events
MAYJUNJUL2026-05-21 · commit · new commit cc8299b → c5a50fb2026-06-14 · commit · new commit c5a50fb → e30e8e62026-06-14 · commit · new commit e30e8e6 → d518b512026-06-15 · commit · new commit d518b51 → 959c04a2026-06-15 · commit · new commit 959c04a → ec14be4NOW
commitmanifestlifecyclekind

gateway/auth

1 feature
  • gateway.auth.middleware
    src/auth.rs:39
    Authenticate via JWT > session > API key, fall through to anonymous; exempt paths bypass.
    since 0.1.0

gateway/proxy

2 features
  • gateway.proxy.forward
    src/proxy.rs:16
    HTTP reverse proxy with auth, rate-limit, circuit breaker, and prefix-stripped backend forward.
    since 0.1.0
  • gateway.proxy.ws
    src/ws_proxy.rs:15
    Bidirectional WebSocket proxies for /ws/rt, /ws/voice, /ws/persona — bridge browser to internal services.
    since 0.1.0

gateway/ratelimit

1 feature
  • gateway.ratelimit.token-bucket
    src/ratelimit.rs:5
    Per-user token-bucket rate limiter (separate user/anon caps) using DashMap.
    since 0.1.0

gateway/resilience

1 feature
  • gateway.circuit.breaker
    src/circuit_breaker.rs:8
    Per-backend circuit breaker (Closed/Open/HalfOpen) — short-circuit failing services with 503.
    since 0.1.0