Some checks failed
verify / verify (push) Has been cancelled
The Stage 1 foundation now proves provider contracts with mocks and validates PostgreSQL/pgvector ingestion, approval binding, retrieval, reranking, and idempotency using only synthetic data. Live Bailian validation remains gated on rotating the exposed key. Constraint: The key shown in chat is compromised and cannot be used or committed Rejected: Mark Stage 1 complete from mock and offline results | real three-model smoke is still required Confidence: high Scope-risk: moderate Reversibility: clean Directive: Do not enable real-data ingestion until Stage 3 cloud approval and outbound manifest controls are enforced end to end Tested: make verify; 41 pytest tests; strict mypy; Ruff; Compose config; pinned image build; empty-volume migration; role denial; two idempotent 20-vector seeds; database restart persistence Not-tested: Live Bailian calls require a newly rotated key; React product UI is not implemented
48 lines
1.2 KiB
Bash
Executable File
48 lines
1.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
mode="${1:---staged}"
|
|
secret_pattern='(sk-(ws[-_]?)?[A-Za-z0-9_-]{24,}|llm-[a-z0-9]{12,}|AKIA[0-9A-Z]{16}|-----BEGIN ([A-Z0-9 ]+ )?PRIVATE KEY-----)'
|
|
found=0
|
|
|
|
check_file() {
|
|
local file="$1"
|
|
if [[ -f "$file" ]] && grep -I -q -E "$secret_pattern" "$file"; then
|
|
printf 'Potential secret detected in: %s\n' "$file" >&2
|
|
found=1
|
|
fi
|
|
}
|
|
|
|
check_staged_file() {
|
|
local file="$1"
|
|
if git cat-file -e ":$file" 2>/dev/null \
|
|
&& grep -I -q -E "$secret_pattern" < <(git show ":$file"); then
|
|
printf 'Potential secret detected in staged content: %s\n' "$file" >&2
|
|
found=1
|
|
fi
|
|
}
|
|
|
|
case "$mode" in
|
|
--staged)
|
|
while IFS= read -r -d '' file; do
|
|
check_staged_file "$file"
|
|
done < <(git diff --cached --name-only --diff-filter=ACMR -z)
|
|
;;
|
|
--all)
|
|
while IFS= read -r -d '' file; do
|
|
check_file "$file"
|
|
done < <(git ls-files --cached --others --exclude-standard -z)
|
|
;;
|
|
*)
|
|
printf 'Usage: %s [--staged|--all]\n' "$0" >&2
|
|
exit 2
|
|
;;
|
|
esac
|
|
|
|
if [[ "$found" -ne 0 ]]; then
|
|
printf 'Commit blocked. Rotate any exposed credential before continuing.\n' >&2
|
|
exit 1
|
|
fi
|
|
|
|
printf 'Secret scan passed.\n'
|