Make the first RAG slice executable without risking production data
Some checks failed
verify / verify (push) Has been cancelled

The Stage 1 foundation now proves provider contracts with mocks and validates PostgreSQL/pgvector ingestion, approval binding, retrieval, reranking, and idempotency using only synthetic data. Live Bailian validation remains gated on rotating the exposed key.

Constraint: The key shown in chat is compromised and cannot be used or committed

Rejected: Mark Stage 1 complete from mock and offline results | real three-model smoke is still required

Confidence: high

Scope-risk: moderate

Reversibility: clean

Directive: Do not enable real-data ingestion until Stage 3 cloud approval and outbound manifest controls are enforced end to end

Tested: make verify; 41 pytest tests; strict mypy; Ruff; Compose config; pinned image build; empty-volume migration; role denial; two idempotent 20-vector seeds; database restart persistence

Not-tested: Live Bailian calls require a newly rotated key; React product UI is not implemented
This commit is contained in:
2026-07-12 15:41:58 +08:00
parent ec1acb36b5
commit f4ba5d5342
61 changed files with 6886 additions and 20 deletions

View File

@@ -13,10 +13,19 @@ check_file() {
fi
}
check_staged_file() {
local file="$1"
if git cat-file -e ":$file" 2>/dev/null \
&& grep -I -q -E "$secret_pattern" < <(git show ":$file"); then
printf 'Potential secret detected in staged content: %s\n' "$file" >&2
found=1
fi
}
case "$mode" in
--staged)
while IFS= read -r -d '' file; do
check_file "$file"
check_staged_file "$file"
done < <(git diff --cached --name-only --diff-filter=ACMR -z)
;;
--all)