Establish a safe foundation before implementing the geology RAG system
Some checks failed
secret-scan / scan (push) Has been cancelled

The project begins with architecture, data governance, reproducible evaluation, deployment boundaries, and secret-handling contracts so later code has measurable acceptance criteria.

Constraint: Real provider credentials, workspace identities, and restricted geological data must never enter Git

Rejected: Add placeholder runnable services in the design commit | would imply unverified implementation readiness

Confidence: high

Scope-risk: narrow

Reversibility: clean

Directive: Run make verify before every commit and update ADRs when architecture boundaries change

Tested: Secret scan, Markdown links, YAML parse, shell syntax, and staged diff validation

Not-tested: Application runtime is intentionally deferred to the implementation stage
This commit is contained in:
2026-07-12 14:42:11 +08:00
commit ec1acb36b5
55 changed files with 2882 additions and 0 deletions

38
scripts/check-secrets.sh Executable file
View File

@@ -0,0 +1,38 @@
#!/usr/bin/env bash
set -euo pipefail
mode="${1:---staged}"
secret_pattern='(sk-(ws[-_]?)?[A-Za-z0-9_-]{24,}|llm-[a-z0-9]{12,}|AKIA[0-9A-Z]{16}|-----BEGIN ([A-Z0-9 ]+ )?PRIVATE KEY-----)'
found=0
check_file() {
local file="$1"
if [[ -f "$file" ]] && grep -I -q -E "$secret_pattern" "$file"; then
printf 'Potential secret detected in: %s\n' "$file" >&2
found=1
fi
}
case "$mode" in
--staged)
while IFS= read -r -d '' file; do
check_file "$file"
done < <(git diff --cached --name-only --diff-filter=ACMR -z)
;;
--all)
while IFS= read -r -d '' file; do
check_file "$file"
done < <(git ls-files --cached --others --exclude-standard -z)
;;
*)
printf 'Usage: %s [--staged|--all]\n' "$0" >&2
exit 2
;;
esac
if [[ "$found" -ne 0 ]]; then
printf 'Commit blocked. Rotate any exposed credential before continuing.\n' >&2
exit 1
fi
printf 'Secret scan passed.\n'