Skip to content

11. Open Questions and Risks

Unanswered architecture questions

Question Why it matters
Intended deployment topology (single host vs GPU pool)? Capacity planning
Is public exposure ever planned? Auth roadmap
Shared NFS/S3 for jobs/ in multi-node workers? Scale-out correctness
Official retention policy for disk artifacts? Compliance / disk fill
Preferred default production vlm_mode / model? Ops runbooks

Unclear or drifting implementation details

Item Notes
worker_prefetch_multiplier=4 vs comment "one task at a time" Likely docs/code drift in celery_app.py
test_submit_job_config_is_env_only vs live vlm_mode query Test naming may be stale
AGENTS.md mentions Minio/Postgres/Qdrant Not present in this service — template leftover
NVIDIA module header mentions nemoretriever-ocr vs model id nemoretriever-parse Naming inconsistency in comments
Full compose Redis unauthenticated vs local passworded Easy misconfiguration

Security / reliability / scalability risks

Risk Severity Mitigation idea
No auth; list/delete open High if exposed API keys / SSO; disable list or scope it
Unbounded uploads High Max body size at proxy + FastAPI
HTML iframe XSS Medium sandbox + sanitize
Redis TTL orphans on disk Medium Periodic GC job
Solo worker throughput Medium Horizontal workers + queue depth alerts
Third-party API outages Medium Timeouts already exist; add circuit breakers
amd64 emulation on ARM Medium Document perf expectations; prefer native Linux GPU hosts

Testing and documentation gaps

  • No live provider integration tests
  • No frontend tests
  • No CI workflows observed in clone inventory
  • Project docs are strong but can drift from code (compose auth, AGENTS.md)

Product / UX assumptions

  • Users understand provider tradeoffs when switching modes
  • 2s polling is acceptable latency for progress UX
  • 100MB UI claim matches operational expectations (not enforced)
  • Job history is single-tenant / single-operator

Questions for the original authors

  1. Was auth deliberately deferred, or is there a gateway in front in real deployments?
  2. Is there an external cleaner for jobs/?
  3. Which provider is considered the accuracy baseline for demos?
  4. Should worker_prefetch_multiplier be 1?
  5. Is Paddle VL server required in the default blank-VLM_MODEL path for all environments?

Practical next steps (priority)

  1. Enforce upload size and tighten CORS
  2. Add minimal auth for mutating endpoints
  3. Implement disk GC aligned with Redis TTL
  4. Fix compose Redis auth consistency and prefetch comment/value
  5. Add provider-branch unit tests with recorded fixtures
  6. Sandbox/sanitize HTML preview
  7. Decide whether this private dossier should be added to projects/publish.txt for the public hub