CertOps Local Bridge
While the CLI excels as an automated Gatekeeper in your CI/CD pipelines, testing and evaluating AI responses shouldn't require you to commit your code, wait for a build, and deploy to a staging environment just to see if your latest prompt tweak improved performance.
The CertOps Local Bridge (Hybrid Mode) allows you to securely expose a local service running on your laptop directly to the CertOps evaluation engine.
This makes life significantly easier for developers. You can run massive, high-volume regression matrices comparing your uncommitted local code directly against the hosted production baseline—all without leaving your development environment.
How it Works
When you trigger a run using the CLI, you can pass local:PORT instead of a public HTTPS URL.
# Target 1 (retriever) matches against the public prod endpoint
# Target 2 (generator) matches against your local development server
certops run --host "target1=https://prod-api.acme.com" --host "target2=local:8080"
- Detection: The CLI parses the
--hostarguments. When it detects thelocal:prefix, it initiates the Bridge Protocol. - Ephemeral Tunnel: The CLI spins up a secure, background tunnel (using TLS and TCP multiplexing) connecting your
localhost:8080port to the CertOps EC2 Relay server. - Subdomain Generation: You are dynamically assigned a secure, temporary subdomain for the duration of the test (e.g.,
https://alice-generator.dev.certops.ai). - Runtime Swap: The CLI automatically sends ephemeral URL for
runrequest, replacinglocal:8080before submitting the evaluation matrix to the SaaS backend. - High-Volume Execution: The CertOps SaaS fires its evaluation load (e.g., 1,000+ dataset samples) at the ephemeral URL. The requests are securely tunneled down to your local process.
- Teardown: Once the evaluation matrix completes (Success or Failure) or you press
Ctrl+C, the CLI safely tears the tunnel down down and destroys the public routing.
Security Guardrails
The Local Bridge was designed with enterprise security in mind:
- Encrypted Traffic: All local evaluation traffic is end-to-end tunneled via TLS.
- Authentication Injection: Tunnels cannot be opened anonymously. The CLI injects your secure session token into the tunnel configuration to prevent unauthorized use of the Relay.
- Ephemeral Scoping: The public endpoint only exists for the exact duration of the
certops runprocess constraint. As soon as the PID dies, the bridge collapses.