CertOps Local Bridge

While the CLI excels as an automated Gatekeeper in your CI/CD pipelines, testing and evaluating AI responses shouldn't require you to commit your code, wait for a build, and deploy to a staging environment just to see if your latest prompt tweak improved performance.

The CertOps Local Bridge (Hybrid Mode) allows you to securely expose a local service running on your laptop directly to the CertOps evaluation engine.

This makes life significantly easier for developers. You can run massive, high-volume regression matrices comparing your uncommitted local code directly against the hosted production baseline—all without leaving your development environment.

How it Works

When you trigger a run using the CLI, you can pass local:PORT instead of a public HTTPS URL.

# Target 1 (retriever) matches against the public prod endpoint
# Target 2 (generator) matches against your local development server
certops run --host "target1=https://prod-api.acme.com" --host "target2=local:8080"

  1. Detection: The CLI parses the --host arguments. When it detects the local: prefix, it initiates the Bridge Protocol.
  2. Ephemeral Tunnel: The CLI spins up a secure, background tunnel (using TLS and TCP multiplexing) connecting your localhost:8080 port to the CertOps EC2 Relay server.
  3. Subdomain Generation: You are dynamically assigned a secure, temporary subdomain for the duration of the test (e.g., https://alice-generator.dev.certops.ai).
  4. Runtime Swap: The CLI automatically substitutes the ephemeral URL for local:8080 in the run request before submitting the evaluation matrix to the SaaS backend.
  5. High-Volume Execution: The CertOps SaaS fires its evaluation load (e.g., 1,000+ dataset samples) at the ephemeral URL. The requests are securely tunneled down to your local process.
  6. Teardown: Once the evaluation matrix completes (Success or Failure) or you press Ctrl+C, the CLI safely tears the tunnel down and destroys the public routing.
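
An added sketch of steps 1 and 4 (detection and runtime swap), not the CertOps CLI's own code: it validates every --host value before any tunnel is opened, then replaces each local:PORT target with the URL returned by a tunnel callback. The function names, the open_tunnel callback, the https-only rule for public targets and the port checks are assumptions made for illustration.

```python
from urllib.parse import urlsplit

LOCAL_PREFIX = "local:"  # prefix named on this page


def parse_host_spec(spec):
    """Split 'name=value' and classify value as ('local', port) or ('remote', url)."""
    name, sep, value = spec.partition("=")
    if not sep or not name or not value:
        raise ValueError(f"expected name=value, got {spec!r}")
    if value.startswith(LOCAL_PREFIX):
        port_text = value[len(LOCAL_PREFIX):]
        # ASCII digits only: rejects 'local:8080/path', 'local:host:80', signs, spaces.
        if not (port_text.isascii() and port_text.isdigit()):
            raise ValueError(f"{name}: port must be numeric, got {port_text!r}")
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"{name}: port {port} is out of range")
        return name, ("local", port)
    # Assumption: anything that is not local:PORT must be an https URL with a host.
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"{name}: expected https:// URL or local:PORT, got {value!r}")
    return name, ("remote", value)


def resolve_targets(specs, open_tunnel):
    """Return {name: url}. open_tunnel(name, port) -> ephemeral URL (hypothetical hook)."""
    parsed = {}
    for spec in specs:
        name, target = parse_host_spec(spec)
        if name in parsed:
            raise ValueError(f"duplicate target {name!r}")
        parsed[name] = target
    # All arguments are validated above, so a bad one never leaves a tunnel open.
    resolved = {}
    for name, (kind, value) in parsed.items():
        resolved[name] = open_tunnel(name, value) if kind == "local" else value
    return resolved


if __name__ == "__main__":
    # Constructed stub standing in for the real tunnel setup.
    stub = lambda name, port: f"https://{name}.tunnel.example"
    print(resolve_targets(
        ["target1=https://prod-api.acme.com", "target2=local:8080"], stub))
```
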

Security Guardrails

The Local Bridge was designed with enterprise security in mind:

  • Encrypted Traffic: All local evaluation traffic is end-to-end tunneled via TLS.
  • Authentication Injection: Tunnels cannot be opened anonymously. The CLI injects your secure session token into the tunnel configuration to prevent unauthorized use of the Relay.
  • Ephemeral Scoping: The public endpoint exists only for the lifetime of the certops run process. As soon as the PID dies, the bridge collapses.