Chapter 295: Lock and Gap

When the taxi pulled into the underground garage of the office building, Lin Chen’s left foot had already completely lost sensation. It wasn’t numbness; it felt like it had been filled with lead. Every step sent a dull ache from his old ankle injury creeping up his calf muscles. He braced himself against the door to stand straight, drew in a deep breath of the cold air thick with the smell of motor oil and damp concrete, slung his backpack over his shoulder, and headed for the elevator. The metal doors reflected the dark circles under his eyes and the slight slump of his shoulders. He didn’t bother checking his reflection, just shifted his weight onto his right leg and pressed the floor button.

At 7:20 a.m., the office was empty except for the cleaning auntie mopping the floors. Lin Chen swiped his badge through the glass door and walked straight to his desk. The computer booted up, its cold screen light washing over the workspace. He left the overhead lights off, switching on only a desk lamp, and spread his troubleshooting notebook to the left of the keyboard. That line of red text from the Andun report was still spinning in his head: Unauthorized access, weights unencrypted.

He created a new branch and began writing the authentication middleware. Instead of relying on a heavy, off-the-shelf framework, he opted for a lightweight JWT library and wrapped his own validation logic around it. Token issuance, expiration times, refresh mechanisms—he typed them out line by line. When he hit the CORS preflight issue, he added a whitelist to allow OPTIONS routes. The code wasn’t long, but every conditional branch had to be properly closed. Traffic in a medical system wasn’t like consumer internet products; you couldn’t just rely on retry mechanisms to paper over the cracks. A single authentication failure meant an interrupted diagnostic workflow. Out of habit, he layered three tiers of exception handling: network timeouts, signature validation failures, and token expirations. Each tier mapped to a specific log level and HTTP return code.

Before nine o’clock, the authentication module was complete. He spun up a local service and used Postman to construct twenty test requests. No token, expired token, forged signature, privilege escalation—they all returned 401 or 403. Passed.

Next came the weight files. The model file was four gigabytes; encrypting it directly would drag down the loading speed. Lin Chen carved out an isolated memory block, configured the system to read from encrypted storage on startup, decrypt the data, and map it directly into RAM, with an automatic overwrite upon process termination. The keys weren’t hardcoded. He wrote an environment variable reading script and paired it with the server’s hardware encryption module for an additional layer of hash verification. It wouldn’t stop a determined attacker, but within the compliance audit framework, it was more than enough. He thought back to his early days cleaning data for Old Zhao, how garbled obscure characters had caused an entire batch to be scrapped. Technical debt never disappears; it just comes back to collect in a different form. He had to seal every gap before delivery.

At eleven, Su Man pushed the door open, carrying two cups of soy milk and some steamed buns. She set one cup on the corner of Lin Chen’s desk, pulled over a chair, and sat down. “The Andun engineers have been rescheduled to enter at two p.m. Section Chief Liu said the evaluation team temporarily added a random check for data anonymization. They require all patient identifiers in the logs to be double-hashed.”

Lin Chen took a bite of his bun and said nothing. He opened the log module of the PACS adapter script. For the sake of debugging convenience the night before, he had left a DEBUG flag enabled, which printed the raw byte stream by default. If that flag wasn’t turned off, the moment the evaluation team checked the logs, they could directly reconstruct the pre-anonymized IDs.

“I’ll fix it.” He set the bun down, his fingers returning to the keyboard.

He located the log output function and redirected all DEBUG-level prints to an in-memory buffer, configuring it to write to disk only when a fatal error occurred. At the same time, he added a regex filter to ensure that any fields resembling ID numbers or medical record numbers were replaced with asterisks before being written. After the changes, he ran a full log replay test. The terminal window scrolled rapidly; not a single line breached the rules. He stared at the screen, his breathing gradually steadying.

“For this afternoon’s penetration test, you monitor authentication and rate limiting, I’ll watch the data flow.” Su Man kept her eyes on the screen, her tone calm. “Zhao Qiming just messaged on WeChat. He said if this evaluation fails, the Series A valuation adjustment clause will trigger a buyback. His tone was uncompromising.”

“Understood.” Lin Chen hit Enter. “Code doesn’t lie. Just get it to run.”

At 1:40 p.m., Lin Chen packaged the script and pushed it to the staging environment. The server fans suddenly roared to life. He watched the monitoring dashboard: CPU usage held steady at 35%, with ample memory remaining. The rate-limiting threshold was set to two hundred requests per second; anything beyond that was dropped immediately with a retry prompt.

At two o’clock sharp, the Andun engineers came online. Lin Chen sent over the test accounts and API documentation. The request logs on the screen began jumping densely. It started with routine scanning: port probing, SQL injection, XSS cross-site scripting—all intercepted by the gateway. Then came the stress test, with concurrency gradually climbing. One hundred, one hundred fifty, one hundred eighty. The rate limiter triggered right on schedule, neatly blocking the excess requests outside.

“Authentication passed.” Su Man watched Andun’s real-time feedback window. “The weight files aren’t directly readable either. They’re running logic vulnerability tests now.”

Lin Chen didn’t relax. He kept his eyes on the anomaly tags in the logs. One request’s header contained an unconventional field, attempting to bypass the gateway and access the model service directly. His middleware caught it and returned a 403. But immediately after, the Andun script shifted tactics, beginning to probe with low-frequency, long-lived connections.

On the monitoring dashboard, the connection count slowly ticked upward. Lin Chen’s fingers tapped lightly against the desk. Low-frequency long connections would hog the connection pool; if not cleared in time, normal requests would be starved out. He quickly adjusted the Nginx timeout configuration, dropping the idle connection TTL from thirty seconds to five. Simultaneously, he added a heartbeat check at the application layer to terminate unresponsive sessions.

At 3:20 p.m., a message came from the Andun engineer: “Core interface protection passed. Weight isolation is effective. Log anonymization meets Level 3 classified protection standards. Preparing the formal report.”

Su Man let out a long breath and leaned back in her chair. “Passed.”

Lin Chen looked at the screen and nodded. He stood up to get a glass of water. The moment his left foot touched the floor, a violent spasm shot from his sole to his knee. He gripped the edge of the desk, cold sweat breaking out on his forehead. Gritting his teeth, he slowly shifted his weight back to his right leg, waiting a full half-minute before he could stand firm again.

“Your foot’s in bad shape, don’t push it.” Su Man handed him a cup of warm water. “Soak it in hot water tonight. The evaluation team arrives tomorrow, and you still need to be on-site to oversee the audit ledgers.”

“I’m fine.” Lin Chen took the cup and drank. The warmth traveled down his esophagus, and his stomach finally felt grounded.

He sat back down at his desk and began organizing the delivery documentation. API specifications, deployment checklists, emergency response plans—he checked them off one by one. His troubleshooting notebook gained a few more pages of notes: “Low-frequency long connections hogging the pool”, “DEBUG log residual risk”, “Rate-limit threshold requires dynamic adjustment”. He closed the notebook and prepared to shut down.

His phone suddenly vibrated. It was a WeChat message from Section Chief Liu, containing only one sentence: “Engineer Lin, the evaluation team just notified us that tomorrow morning’s on-site inspection will add a ‘model interpretability’ traceability test. They require the raw input and output mapping tables for all inference requests from the past thirty days. Can your data pipeline pull that?”

Lin Chen stared at the screen, his fingers hovering in midair.

Raw input-output mapping. Thirty days. Full volume.

Their data pipeline only archived metadata. To save storage, the full payloads during inference were saved as summaries by default. To pull the full volume, he would have to restore from cold backups and rerun the parsing scripts. They had less than twelve hours.

He closed his eyes, quickly running through the storage architecture and script logic in his head. It could be pulled, but the risk was extremely high. The cold backup tape drive read slowly; if it jammed midway and he couldn’t deliver the table by tomorrow morning, the evaluation would be marked a direct failure.

He opened his eyes and replied: “Yes. I’ll send it to you before 8 a.m. tomorrow.”

Outside the window, the sky gradually darkened, and the lights in the office building flickered on one by one. Lin Chen reopened his computer and launched a new terminal window. He knew the lock was installed, but a draft was already slipping through the crack in the door. He had to seal the gap shut once more before the wind flooded in.