From a Principal Engineer to a Mentee

🚀 How I’d Walk You Through This Codebase (Principal Engineer Mode)

1. High-Level: What Are We Building?

“Alright, so you’ve built a modern, modular microservice-based RAG (Retrieval Augmented Generation) pipeline. Think of it like a mini-OpenAI-powered backend that can:

  • Take in documents from users

  • Parse and store them

  • Let users ask questions about their uploaded docs

  • Authenticate users, and

  • Log everything for traceability

Everything talks via HTTP REST, and you’ve separated concerns well into small, understandable pieces. This is really the direction most cloud-native systems are going—even for internal tools.”

2. The Components (Services) and What Each Does

Let’s break down each service, the order in which requests flow, and their responsibilities:

A. Identity Backend

  • Purpose: Authenticates users, issues JWTs (tokens that other services can verify).

  • How: Implements a basic OAuth2/OIDC “authorization code” flow (that’s the flow most big SaaS apps use for login, including Google, Microsoft, etc.).

  • Why: Keeps all authentication logic in one place; services don’t roll their own login/auth, which reduces risk.

B. API Gateway (a.k.a. UI/Web App)

  • Purpose: Central user-facing service; presents upload/query UI, handles login, enforces auth for all user-facing routes.

  • How:

    • If a user is not logged in, redirects them to Identity for login.

    • Gets an auth code, exchanges for JWT, stores in session.

    • Allows file uploads (stored locally), job status checks, RAG querying, and even logs viewing (for now).

    • Talks to Worker, Parser, Logging Service, Ollama and OpenAI as needed.

C. Worker

  • Purpose: Picks up uploaded files/jobs, processes them (e.g., calls Parser), and stores results.

  • How: Polls the job database, grabs “queued” jobs, calls Parser service to extract text, updates job status/results.

  • Why: Decouples heavy lifting (parsing, embeddings) from web UI—keeps UI snappy, lets you scale parsing independently.

D. Parser Service

  • Purpose: Receives files, extracts raw text.

  • How: Simple Flask endpoint, returns parsed text up to 20,000 chars (for MVP).

E. Logging Service

  • Purpose: Receives logs from all other services (via HTTP POST), stores in SQLite, viewable in the UI.

  • Why: Centralized observability—can add more features later (alerts, log search, dashboards).

3. Request/Flow Example: User Upload to RAG Query

  1. User goes to /

    • Not logged in? Redirected to /login, which bounces them to the Identity backend

  2. Login

    • User enters creds at Identity. If correct, gets redirected back to Gateway with a one-time code

    • Gateway exchanges code for id_token (JWT), stores it in session

  3. Upload

    • User uploads a file via UI

    • Gateway saves the file, writes a job to SQLite, shows status

  4. Worker picks up job

    • Worker polls for “queued” jobs, calls Parser, stores extracted text/result in DB

  5. User queries docs

    • User submits question; Gateway retrieves all parsed docs, crafts a prompt, calls OpenAI (or Ollama), shows the answer

Everything is logged—both locally (file) and centrally (Logging Service), so you can audit any action.

4. Security & Auth—How it Fits Together

  • All user actions go through Gateway, which checks JWT validity before showing private pages.

  • JWTs are issued by Identity, so only valid users can access private functionality.

  • Service-to-service calls (like logging) are authenticated by sharing secrets (JWTs signed with a shared secret).

  • For now, most stuff is local and low-risk, but everything is structured for easy upgrade to prod-level security.

5. Why Is This a Good Foundation?

  • Separation of concerns: Each service is focused—easy to reason about, debug, and replace.

  • Evolvability: Want a faster parser? Replace the parser service. Need to use ChromaDB? Update Worker logic only.

  • Observability: With central logging, you’re set up for production-like troubleshooting.

  • Security-conscious by design: All endpoints intended to be private are gated by auth, and you’re following real OAuth2 flows.

6. Common Gotchas or “Mentor Mode” Notes

  • JWT signature must be verified! (Never just decode w/o checking the sig)

  • Session cookies: Set them as Secure, HttpOnly, SameSite.

  • Never expose OpenAI keys in frontend code.

  • Always clean up test endpoints (like public /logs) before shipping.

  • Use strong, unique secrets—never leave "dev-secret" anywhere in prod.

7. If You Want to Level Up

  • Add RBAC/roles: The JWT could include roles/scopes for more granular access.

  • User registration/password reset: Could be handled in Identity backend, eventually with hashed passwords in a DB.

  • Rate-limiting & brute-force protection: Flask-Limiter is easy to add and pays off quickly.

  • Async processing: Move to Celery/RQ for large-scale workloads.

  • HTTPS everywhere: Use a reverse proxy (e.g., nginx) to enforce HTTPS in front of all services.

  • JWT Key rotation: Move to RSA keys and expose JWKS endpoint for zero-downtime key changes.

8. TL;DR: The “Elevator Pitch”

“You’ve built a clean, testable microservice MVP for a RAG pipeline. Each service is small and does one thing well. User auth is centralized and industry-standard. Logging is centralized for auditability. The whole thing is built for evolution—swap parts, add features, or harden security without massive rewrites.
Your next steps are to lock down secrets, enforce signature verification, and close public debug endpoints before you go public.”

9. “Baby Steps” to See it All Work

  • Start the Logging Service

  • Start the Parser Service

  • Start the API Gateway/UI

  • Start the Worker

  • Visit the UI:

    • You’ll be asked to log in (handled by Identity backend)

    • Upload a file, see job status, ask questions about your data

    • View logs (but remember, only for dev!)

Let me know if you want to dive into any file line-by-line or focus on real-world deployment upgrades.
And always ask yourself: “What’s the easiest way this could break, and how would I detect it?”—that’s what separates a dev from a principal engineer!

Comments

Post a Comment

Popular posts from this blog

Feature: Audit log for one login, and identity service

Image
Customer (Product) Page High-Level System Design Diagram (PlantUML) Sequence Diagram: Audit Event Ingestion Sequence Diagram: Orchestration Event For a High-Level System (Component) Diagram The queue is implemented as message_queue (generic), and the audit log service consumes from it, writing to a dedicated audit_log table. The logging service also consumes from the same message_queue and writes to log_store. Orchestration/other services use the same queue. Summary Table: What Writes Where Event Type Goes Into Consumed By Final Storage audit message_queue Audit Log Service audit_log table log message_queue Logging Service log_store table doc_uploaded message_queue Orchestration Worker (business DB, or triggers next event) ocr_ready message_queue Notification Worker, etc. (notification log, etc.)  Core Tables message_queue – universal event bus (temp buffer) audit_log – immutable audit/compliance events log_store – application logs (op...
Read more

Getting started - Build your data science lab environment

This guide explains how to set up a complete data science environment for the udemy program. A proper setup ensures compatibility and avoids recurring environment issues.  1. Overview Goal : Create a full-featured environment with sufficient resources for all course exercises. Recommendation : Use Anaconda for the most reliable setup. Alternative : Use a Python virtual environment with pip if Anaconda isn’t working. 2. Setup Options Primary (Recommended) Create a dedicated Anaconda environment (isolated, compatible). Alternative Use a standard Python virtualenv + pip (faster but less reliable). 3. Windows Setup Steps Clone Course Repository git clone https://github.com/ed-donner/llm_engineering/ Follow the repository’s README.md instructions for additional setup details. Create Anaconda Environment Inside the llm_engineering folder: conda env create -f environment.yml ⏳ This may take several minutes. Activate the environment: conda activate llms Deactivat...
Read more

QA - Run #1 - Results

Image
# QA Report for Tag QA_July2025_A - **Tag/Commit:** QA_July2025_A (`f32abc1`) - **Date:** 2025-08-01 - **QA Outcomes:** All tests passed except for file upload (see below)... - **Environment:** Windows 10, Python 3.12, requirements.txt as of tag - **Notes:** See log for detailed results. ## Issue Found - **Step:** - **Bug:** - **Log excerpt:** - **Screenshot:** For this QA run, we begin with pristine state by: Stop all services Delete logs.db, and jobs.db Delete all files in doc_store folder Start all services Test, you should see no data on index page, and query should result in no data found error Next, go ahead and upload new1.txt, and after that new2.txt Issue the query: "can you summarize all of the todo items you can find, seperating each one on a single line, with due date first, then title, and description with any details you can augment" Expected Answer: - August 1, 2025: Respond to Amira and discuss weekend plans - August 3, 2025: Go to Somesh class and finish ta...
Read more