Make the first RAG slice executable without risking production data
Some checks failed
verify / verify (push) Has been cancelled
Some checks failed
verify / verify (push) Has been cancelled
The Stage 1 foundation now proves provider contracts with mocks and validates PostgreSQL/pgvector ingestion, approval binding, retrieval, reranking, and idempotency using only synthetic data. Live Bailian validation remains gated on rotating the exposed key. Constraint: The key shown in chat is compromised and cannot be used or committed Rejected: Mark Stage 1 complete from mock and offline results | real three-model smoke is still required Confidence: high Scope-risk: moderate Reversibility: clean Directive: Do not enable real-data ingestion until Stage 3 cloud approval and outbound manifest controls are enforced end to end Tested: make verify; 41 pytest tests; strict mypy; Ruff; Compose config; pinned image build; empty-volume migration; role denial; two idempotent 20-vector seeds; database restart persistence Not-tested: Live Bailian calls require a newly rotated key; React product UI is not implemented
This commit is contained in:
@@ -13,10 +13,19 @@ check_file() {
|
||||
fi
|
||||
}
|
||||
|
||||
check_staged_file() {
|
||||
local file="$1"
|
||||
if git cat-file -e ":$file" 2>/dev/null \
|
||||
&& grep -I -q -E "$secret_pattern" < <(git show ":$file"); then
|
||||
printf 'Potential secret detected in staged content: %s\n' "$file" >&2
|
||||
found=1
|
||||
fi
|
||||
}
|
||||
|
||||
case "$mode" in
|
||||
--staged)
|
||||
while IFS= read -r -d '' file; do
|
||||
check_file "$file"
|
||||
check_staged_file "$file"
|
||||
done < <(git diff --cached --name-only --diff-filter=ACMR -z)
|
||||
;;
|
||||
--all)
|
||||
|
||||
45
scripts/init-local-secrets.sh
Executable file
45
scripts/init-local-secrets.sh
Executable file
@@ -0,0 +1,45 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
umask 077
|
||||
secret_dir="${SECRET_DIR:-secrets}"
|
||||
mkdir -p "$secret_dir"
|
||||
chmod 700 "$secret_dir"
|
||||
|
||||
generate_secret() {
|
||||
local name="$1"
|
||||
local path="$secret_dir/$name"
|
||||
if [[ -s "$path" ]]; then
|
||||
printf 'Kept existing local secret: %s\n' "$path"
|
||||
return
|
||||
fi
|
||||
openssl rand -hex 32 >"$path"
|
||||
chmod 600 "$path"
|
||||
printf 'Created local secret: %s\n' "$path"
|
||||
}
|
||||
|
||||
generate_secret postgres_bootstrap_password
|
||||
generate_secret postgres_migrator_password
|
||||
generate_secret postgres_app_password
|
||||
|
||||
if [[ "${1:-}" == "--with-bailian" ]]; then
|
||||
bailian_path="$secret_dir/bailian_api_key"
|
||||
if [[ -s "$bailian_path" ]]; then
|
||||
printf 'Kept existing local secret: %s\n' "$bailian_path"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
printf 'Paste the NEWLY ROTATED Bailian API key (input is hidden): ' >&2
|
||||
IFS= read -r -s bailian_key
|
||||
printf '\n' >&2
|
||||
if [[ ! "$bailian_key" =~ ^sk-[A-Za-z0-9_-]{20,}$ ]]; then
|
||||
printf 'Refused: the value does not look like a Bailian API key.\n' >&2
|
||||
exit 2
|
||||
fi
|
||||
printf '%s' "$bailian_key" >"$bailian_path"
|
||||
chmod 600 "$bailian_path"
|
||||
unset bailian_key
|
||||
printf 'Created local Bailian secret without echoing its value: %s\n' "$bailian_path"
|
||||
else
|
||||
printf 'Bailian key not created. Rotate the exposed key, then rerun with --with-bailian.\n'
|
||||
fi
|
||||
Reference in New Issue
Block a user