Files
RAG/scripts/init-local-secrets.sh
YoVinchen 75592af33a
Some checks failed
verify / verify (push) Has been cancelled
Isolate cloud model access before enabling product RAG workflows
The API and ingestion tools now use a fixed internal model gateway while
governed profiles, embedding cache assignments, traceable citations, and
stable API errors establish the boundaries required by later workflows.

Constraint: The current Alibaba Cloud workspace rejects all three live model calls with authentication failures
Rejected: Give the API or seed tools the Bailian key and direct egress | combines database access, cloud credentials, and public network access
Rejected: Mix offline and Bailian vectors in one demo namespace | makes profile activation and retrieval ambiguous
Confidence: high
Scope-risk: moderate
Reversibility: clean
Directive: Keep Bailian credentials and egress exclusive to model-gateway and create a new immutable profile hash for any embedding identity change
Tested: make verify; 121 backend tests; 14 frontend tests; fresh and populated Alembic upgrade-downgrade-upgrade; two idempotent offline seeds; Docker health and HTTP retrieval; isolated provider smoke
Not-tested: Successful live Bailian responses because the supplied workspace credential currently fails authentication
2026-07-13 04:09:06 +08:00

52 lines
1.5 KiB
Bash
Executable File

#!/usr/bin/env bash
set -euo pipefail
umask 077
secret_dir="${SECRET_DIR:-secrets}"
mkdir -p "$secret_dir"
chmod 700 "$secret_dir"
generate_secret() {
local name="$1"
local path="$secret_dir/$name"
if [[ -s "$path" ]]; then
printf 'Kept existing local secret: %s\n' "$path"
return
fi
openssl rand -hex 32 >"$path"
chmod 600 "$path"
printf 'Created local secret: %s\n' "$path"
}
generate_secret postgres_bootstrap_password
generate_secret postgres_migrator_password
generate_secret postgres_app_password
generate_secret model_gateway_api_token
generate_secret model_gateway_worker_token
if [[ "${1:-}" == "--with-bailian" ]]; then
bailian_path="$secret_dir/bailian_api_key"
if [[ -s "$bailian_path" ]]; then
printf 'Kept existing local secret: %s\n' "$bailian_path"
exit 0
fi
printf 'Paste the NEWLY ROTATED Bailian API key (input is hidden): ' >&2
IFS= read -r -s bailian_key
printf '\n' >&2
if [[ ! "$bailian_key" =~ ^sk-[A-Za-z0-9_-]{20,}$ ]]; then
printf 'Refused: the value does not look like a Bailian API key.\n' >&2
exit 2
fi
printf '%s' "$bailian_key" >"$bailian_path"
chmod 600 "$bailian_path"
unset bailian_key
printf 'Created local Bailian secret without echoing its value: %s\n' "$bailian_path"
else
if [[ -s "$secret_dir/bailian_api_key" ]]; then
printf 'Existing local Bailian secret was not modified.\n'
else
printf 'Bailian key not created. Rotate the exposed key, then rerun with --with-bailian.\n'
fi
fi