Some checks failed
verify / verify (push) Has been cancelled
The Stage 1 foundation now proves provider contracts with mocks and validates PostgreSQL/pgvector ingestion, approval binding, retrieval, reranking, and idempotency using only synthetic data. Live Bailian validation remains gated on rotating the exposed key. Constraint: The key shown in chat is compromised and cannot be used or committed Rejected: Mark Stage 1 complete from mock and offline results | real three-model smoke is still required Confidence: high Scope-risk: moderate Reversibility: clean Directive: Do not enable real-data ingestion until Stage 3 cloud approval and outbound manifest controls are enforced end to end Tested: make verify; 41 pytest tests; strict mypy; Ruff; Compose config; pinned image build; empty-volume migration; role denial; two idempotent 20-vector seeds; database restart persistence Not-tested: Live Bailian calls require a newly rotated key; React product UI is not implemented
25 lines
847 B
Python
25 lines
847 B
Python
"""Secret-file helpers that never include secret values in errors or reprs."""
|
|
|
|
from pathlib import Path
|
|
|
|
|
|
class SecretFileError(RuntimeError):
|
|
"""Raised when a configured secret file cannot be read safely."""
|
|
|
|
|
|
def read_secret_file(path: Path) -> str:
|
|
"""Read one Docker/Kubernetes secret without exposing its content."""
|
|
|
|
try:
|
|
if not path.is_file():
|
|
raise SecretFileError(f"Secret file is missing or not a file: {path}")
|
|
value = path.read_text(encoding="utf-8").strip()
|
|
except OSError as exc:
|
|
raise SecretFileError(f"Secret file cannot be read: {path}") from exc
|
|
|
|
if not value:
|
|
raise SecretFileError(f"Secret file is empty: {path}")
|
|
if "\n" in value or "\r" in value:
|
|
raise SecretFileError(f"Secret file must contain exactly one logical line: {path}")
|
|
return value
|