dev safety + launched_by-driven tier + pending status (#28)

Frontend
- Tier (24/7 vs Slurm badge) now derived from the peer's launched_by
  label instead of a hardcoded model list. Persistent launchers
  (k8s, cscs_L1) → 24/7; anything else (username from model-launch,
  empty) → Slurm. New helper getTierFromLaunchedBy replaces
  getModelTier in ModelCard and ModelList.
- Pending status surfaces on the collapsed card via a traffic-light
  dot (green/amber+pulsing/grey) AND a muted-grey tile treatment
  (grayscale logo+badges, gray-500/400 text, faint background wash).
  Amber dot stays vivid against the grey card.

Local-dev safety
- Makefile guards _guard-local-db and _guard-local-api refuse to run
  if .env DATABASE_URL or frontend/.env VITE_API_URL points at a
  non-localhost host. Closes a foot-gun where prod creds in .env let
  `make dummy-run` attempt alembic upgrade head against prod Neon.
- Committed .env.example and frontend/.env.example templates (with
  !.env.example in .gitignore so the un-ignore actually works) so a
  fresh clone bootstraps cleanly via `make run`.

Fixture
- dnt_table_dev_live.json gains 6 real k8s peer entries pulled from
  prod DNT, so `make dummy-run` shows a representative mix of k8s
  24/7 models + Slurm jobs (incl. a pending one) for UI iteration.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: robmsmt

.env.example

@@ -0,0 +1,39 @@
+# Copy this to .env (the Makefile does this automatically on first run).
+# Fill in the REPLACE_WITH_* placeholders with values from
+# rob-poc/serving-api/dev/secrets.yaml. Never put prod values here —
+# the Makefile's _guard-local-db will refuse non-local DATABASE_URL.
+
+# ── Local Postgres (matches what `make db-up` spins up) ──────────────────────
+DATABASE_URL=postgresql://serving:serving@localhost:5433/serving
+
+# ── Auth0 (research.computer tenant) ─────────────────────────────────────────
+AUTH0_DOMAIN=researchcomputer.eu.auth0.com
+AUTH0_API_AUDIENCE=https://researchcomputer.eu.auth0.com/
+AUTH0_ISSUER=https://researchcomputer.eu.auth0.com/
+AUTH0_ALGORITHMS=RS256
+AUTH0_CLIENT_ID=REPLACE_WITH_AUTH0_CLIENT_ID
+AUTH0_CLIENT_SECRET=REPLACE_WITH_AUTH0_CLIENT_SECRET
+AUTH_SECRET=REPLACE_WITH_RANDOM_STRING
+AUTH_TRUST_HOST=true
+
+VITE_AUTH0_CLIENT_ID=REPLACE_WITH_VITE_AUTH0_CLIENT_ID
+VITE_AUTH0_DOMAIN=researchcomputer.eu.auth0.com
+
+# ── OpenTela / OCF (peer discovery + LLM routing) ────────────────────────────
+# Point at the dev OpenTela head for live model discovery, or use
+# OTELA_FIXTURE_PATH (set by `make dummy-run`) to read a static snapshot.
+OCF_HEAD_ADDR=http://148.187.108.177:8092
+
+# ── Langfuse (observability — optional; leave blank to disable) ──────────────
+LANGFUSE_HOST=https://cloud.langfuse.com
+LANGFUSE_PUBLIC_KEY=
+LANGFUSE_SECRET_KEY=
+
+# ── CSCS L1 passthrough (optional; leave blank to disable) ───────────────────
+# When both are set, requests for L1-hosted Apertus models forward here
+# instead of OpenTela. See backend/services/cscs_l1_service.py.
+CSCS_L1_BASE_URL=
+CSCS_L1_API_KEY=
+
+# ── Logfire (observability — optional) ───────────────────────────────────────
+LOGFIRE_TOKEN=

.gitignore

@@ -1,6 +1,7 @@
 *.pyc
 *.env
 *.env*
+!.env.example
 details.json
 secrets/*.json
 .venv/*

Makefile

@@ -1,4 +1,4 @@
-.PHONY: install install-dev format check test run dummy-run db-up db-down migrate _ensure-env _ensure-frontend-env
+.PHONY: install install-dev format check test run dummy-run db-up db-down migrate _ensure-env _ensure-frontend-env _guard-local-db _guard-local-api
 
 UV_EXTRA ?=
 
@@ -66,18 +66,46 @@ db-down:
 	-docker stop $(PG_CONTAINER) > /dev/null 2>&1
 	-docker rm $(PG_CONTAINER) > /dev/null 2>&1
 
-migrate: _ensure-env db-up
+# Refuse to run any DB-touching target if .env points at a non-local host.
+# We never want `make run` / `make migrate` to accidentally apply migrations
+# or open connections against a remote (prod/staging) database — the local
+# Postgres container is the only acceptable target for dev commands.
+_guard-local-db: _ensure-env
+	@url=$$(grep -E '^DATABASE_URL=' .env | head -1 | cut -d= -f2- | tr -d '"' | tr -d "'"); \
+	host=$$(echo "$$url" | sed -E 's|^[^:]+://[^@]*@([^:/?]+).*|\1|'); \
+	case "$$host" in \
+		localhost|127.0.0.1|::1|"") ;; \
+		*) echo "REFUSING: .env DATABASE_URL host '$$host' is not local."; \
+		   echo "Local dev must not run against prod/staging. Set DATABASE_URL=$(DATABASE_URL) in .env."; \
+		   exit 1;; \
+	esac
+
+# Same guard for the frontend — VITE_API_URL is what `npm run dev` reads,
+# so a prod URL there silently makes the local UI hit prod even when the
+# local backend is running fine. That's exactly what tripped up dummy-run
+# the first time around. Empty / unset is fine (frontend defaults apply).
+_guard-local-api: _ensure-frontend-env
+	@url=$$(grep -E '^VITE_API_URL=' frontend/.env | head -1 | cut -d= -f2- | tr -d '"' | tr -d "'"); \
+	host=$$(echo "$$url" | sed -E 's|^[^:]+://([^:/?]+).*|\1|'); \
+	case "$$host" in \
+		localhost|127.0.0.1|::1|"") ;; \
+		*) echo "REFUSING: frontend/.env VITE_API_URL host '$$host' is not local."; \
+		   echo "Local dev must not call prod/staging API. Set VITE_API_URL=http://localhost:8080 in frontend/.env."; \
+		   exit 1;; \
+	esac
+
+migrate: _ensure-env _guard-local-db db-up
 	alembic upgrade head
 
-run: _ensure-env _ensure-frontend-env db-up migrate
+run: _ensure-env _ensure-frontend-env _guard-local-api db-up migrate
 	uvicorn backend.main:app --reload --host 0.0.0.0 --port 8080 & \
 	cd frontend && npm run dev & \
 	wait
 
 # Same as `run` but forces the model list to come from the synthesised
 # upgraded fixture instead of the live OpenTela endpoint. Useful for
 # iterating on the model-card UI without depending on prod state.
-dummy-run: _ensure-env _ensure-frontend-env db-up migrate
+dummy-run: _ensure-env _ensure-frontend-env _guard-local-api db-up migrate
 	OTELA_FIXTURE_PATH=$(PWD)/backend/tests/fixtures/dnt_table_dev_live.json \
 	uvicorn backend.main:app --reload --host 0.0.0.0 --port 8080 & \
 	cd frontend && npm run dev & \