Prompt #139
RAG Add Lesson with AP3 Secret Scan
- Variables: lesson_body, topic, tags
- Tags: stack-aware, rag-stack, rag-add, ap3, secret-scan, lessons
- Source: research-2026-05-01-stack-aware
- Use count: 0
- Created: 2026-05-01T18:30:48.776731+00:00
- Updated: 2026-05-01T18:30:48.776731+00:00
Content
Add a new lesson to rag-stack using the rag-add CLI with AP3 secret-scan compliance.
Step-by-step:
1. Verify no secrets in lesson body (AP3 + FU2): avoid `gho_`, `ghp_`, `sk-`, `AKIA*`,
base64 blobs > 32 chars with entropy > 4.5
2. Run: `rag-add "{lesson_body}" --topic "{topic}" --tags="{tags},internal/code"`
CLI lives at /usr/local/bin/rag-add, which delegates to /nvmetank1/projects/rag-stack/bin/rag-wrappers/rag-add
3. The gateway at bin/agent-gateway runs secret-scan BEFORE insertion into /persistent/rag-stack/rag.db
4. Verify insertion: `rag-search "{topic}" --limit 3`
5. Check trust_level was set to `internal/code` (not `untrusted/web`)
On rejection: scan log at /var/log/secret-scan.jsonl for the blocked entry.
Required lesson metadata: author=ai, confidence=low|medium|high, status=proposed.
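A local pre-check for step 1, as an added example that is not part of the original prompt and not the gateway's own scanner. The regexes, the function names and the reading of "entropy" as Shannon entropy in bits per character are assumptions; the sample strings are constructed.

```python
import math
import re
from collections import Counter

# Prefixes named in step 1. The lookbehind keeps words such as "risk-..."
# from matching "sk-"; the minimum tail length of 8 is an assumption.
PREFIX_RE = re.compile(r"(?<![A-Za-z0-9])(gho_|ghp_|sk-|AKIA)[A-Za-z0-9_\-]{8,}")
# Candidate base64 runs longer than 32 characters (padding allowed).
B64_RE = re.compile(r"[A-Za-z0-9+/]{33,}={0,2}")
ENTROPY_THRESHOLD = 4.5  # from step 1; assumed to mean bits per character


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_lesson(body: str) -> list[dict]:
    """Return findings without echoing the matched secret itself."""
    findings = []
    for m in PREFIX_RE.finditer(body):
        findings.append({"rule": "token-prefix", "prefix": m.group(1),
                         "offset": m.start()})
    for m in B64_RE.finditer(body):
        h = shannon_entropy(m.group(0).rstrip("="))
        if h > ENTROPY_THRESHOLD:
            findings.append({"rule": "high-entropy-base64",
                             "entropy": round(h, 2), "offset": m.start()})
    return findings


# Constructed sample lesson bodies (no real credentials).
CLEAN = "Use WAL mode when rag.db is shared; see risk-assessment-2026."
WITH_TOKEN = "export GH_TOKEN=ghp_EXAMPLEexample0123456789"
WITH_BLOB = "key: q7Zx2LmP9vKc4TfR8yWb1NhJ6sDg3UeA5oViYt0C"
LOW_ENTROPY = "padding " + "A" * 40  # long run, but entropy is 0

if __name__ == "__main__":
    for name, body in [("clean", CLEAN), ("token", WITH_TOKEN),
                       ("blob", WITH_BLOB), ("low-entropy", LOW_ENTROPY)]:
        hits = scan_lesson(body)
        print(name, "BLOCK" if hits else "ok", hits)
```

A clean result here does not replace steps 3 to 5: the gateway's secret-scan still decides whether the lesson is inserted.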