Make the first RAG slice executable without risking production data
Some checks failed
verify / verify (push) Has been cancelled

The Stage 1 foundation now proves provider contracts with mocks and validates PostgreSQL/pgvector ingestion, approval binding, retrieval, reranking, and idempotency using only synthetic data. Live Bailian validation remains gated on rotating the exposed key.

Constraint: The key shown in chat is compromised and cannot be used or committed

Rejected: Mark Stage 1 complete from mock and offline results | real three-model smoke is still required

Confidence: high

Scope-risk: moderate

Reversibility: clean

Directive: Do not enable real-data ingestion until Stage 3 cloud approval and outbound manifest controls are enforced end to end

Tested: make verify; 41 pytest tests; strict mypy; Ruff; Compose config; pinned image build; empty-volume migration; role denial; two idempotent 20-vector seeds; database restart persistence

Not-tested: Live Bailian calls require a newly rotated key; React product UI is not implemented
This commit is contained in:
2026-07-12 15:41:58 +08:00
parent ec1acb36b5
commit f4ba5d5342
61 changed files with 6886 additions and 20 deletions

View File

@@ -1,13 +1,19 @@
name: secret-scan
name: verify
on:
push:
pull_request:
jobs:
scan:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Verify design and scan repository files
run: make verify-design
- uses: astral-sh/setup-uv@v6
with:
version: "0.11.3"
enable-cache: true
- name: Install locked backend dependencies
run: make backend-sync
- name: Verify design, secrets, backend, and schema contracts
run: make verify-ci