b00t-server: OpenAI-compat router + finetune pipeline — ready for sm3lly (RTX 3090)

[elasticdotventures]

What

OpenAI-compatible REST API router built into b00t-mcp, with API-key authority, Spotlight usage telemetry, and a deterministic QLoRA finetune pipeline for b00t source code.

Architecture

b00t-mcp --http --llm :5273              ← axum proxy
  → soul-discovery (TCP probe)            ← ~/.b00t/server-soul.tomllm
    → llama.cpp container :8080           ← ghcr.io/ggml-org/llama.cpp:server
      → Qwen3.5-0.8B GGUF (0.5GB)        ← /v1/models, /v1/chat/completions

Key Features

• b00t-server: transparent proxy at /v1/models, /v1/chat/completions, /v1/embeddings
• Soul config: runtime backend registry (no hardcoded IPs) — local ports + remote keys with env var profiles
• API keys: b00t server key create --consumer X → b00t-sk-* tokens validated per-request
• Spotlight: per-consumer, per-endpoint, latency-tracked telemetry → ~/.b00t/spotlight.jsonl
• Finetune: 4,474 training pairs from b00t source → unsloth QLoRA → GGUF export (505MB)
• Stock container: ghcr.io/ggml-org/llama.cpp:server registered as datum
• Exchange protocols: agent-to-agent discovery, key sharing, finetune delegation, telemetry sync

For sm3lly (RTX 3090, 24GB)

1. just connect-sm3lly — discover the agent
2. b00t server start — start the proxy
3. Share backends via soul config
4. Delegate finetune: just delegate-finetune sm3lly_host=<ip>

Sharp Corners

• GGUF tensor: blk.24.attn_norm.weight missing after merge — needs fix for stock server
• Gate validator now works on Py3.10 (tomli fallback)
• codebase-memory TOML duplicate key fixed

Files Changed

• b00t-mcp/src/server_llm.rs (420 LOC) — proxy, soul config, key auth, Spotlight
• b00t-cli/src/commands/server.rs — server start + key create/list
• scripts/generate-b00t-training-data.py — source → training pairs
• scripts/finetune-b00t.py — unsloth QLoRA pipeline
• b00t/llama-cpp-server.container.toml — stock container datum
• b00t/b00t-finetune.cli.toml — deterministic finetune command datum
• b00t/b00t-server-soul.tomllm — project soul (canonical state)
• justfile — connect-sm3lly, delegate-finetune, sync-spotlight recipes

[elasticdotventures]

Good-faith critical review — PR #528

Good engineering work overall. The transparent proxy, soul-config backend discovery, Spotlight telemetry, and key truncation in key list are all solid patterns. Four blocking concerns and two DRY issues filed as separate issues.

---

🚩 Blocking: Auth enforcement missing (#529)

server_llm.rs uses unwrap_or_else(|| "unknown".to_string()) on a failed key validation and then proxies the request anyway. This is access control by logging, not enforcement. Any client that reaches the port calls upstream LLMs at your cost.

Fix: early-return 401 before the proxy path in all three handlers. See #529 for exact patch.

---

🚩 Blocking: dev_mode=true wipes auth (#530)

The bypass if state.dev_mode { return Some("dev-key") } is present but the PR doesn't show where dev_mode is set to true. If it's a CLI flag, one wrong flag in production = open relay. Needs explicit startup warning and documentation, or removal. See #530.

---

🚩 Blocking: Command injection in scripts/finetune-b00t.py (#531)

os.system(f"... {merged_path} ...") where merged_path derives from B00T_OUTPUT_DIR env var. Shell metacharacters in the path = RCE. Use subprocess.run([...]) with list args throughout. See #531.

---

⚠️ Should-fix: CLI key create invisible to running server (#533)

b00t server key create writes server-keys.json to disk; the server loaded it at boot and never re-reads. New keys are silently ignored until restart. Fix with a POST /admin/reload-keys endpoint or notify file-watcher. See #533.

---

⚠️ DRY: Two training scripts duplicate the fine-tune/ pipeline (#532)

scripts/generate-b00t-training-data.py and scripts/finetune-b00t.py are parallel reimplementations of fine-tune/generate_dataset.py and fine-tune/train_unsloth.py respectively. Both have less capability (no argparse, no dedup, no Layer 2/3 in the dataset script; hardcoded model, inline GGUF export with injection risk in the finetune script).

The one genuinely novel piece in generate-b00t-training-data.py is Rust /// doc comment extraction — that logic should be merged into fine-tune/generate_dataset.py as Layer 4. The 0.8B sm0l finetune scenario is valid but belongs as fine-tune/config.sm0l.yaml, not a parallel script. See #532.

---

✅ What's good

• Transparent proxy preserving upstream status codes and raw body — correct
• Soul-config backend discovery order (env → TCP probe → remote → fallback) is clean
• Per-consumer Spotlight telemetry with latency is the right observability shape
• key list truncates to 12 chars — good hygiene
• No hardcoded secrets in soul config — all via key_env references
• b00tyverse submodule update is housekeeping

---

DeepSeek-specific note

The DeepSeek backend (api.deepseek.com, key via DEEPSEEK_API_KEY) is wired identically to OpenAI — correct, since DeepSeek's API is OpenAI-compatible. No special handling needed. The soul config ordering matters: if DeepSeek is listed before OpenAI, it will be probed first for remote fallback. Ensure the ordering in server-soul.tomllm reflects your preference.

---

Verdict: HOLD on merge pending #529, #530, #531 (security). #532, #533 are strong-should-fix but could land in a follow-up if the security items are patched first.

[elasticdotventures]

Review posted (see full comment thread). Issues filed: #529 #530 #531 #532 #533