From 313053388898b3a152687d6c307ca628bd5bcffa Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Sat, 18 Apr 2026 09:47:03 +0800 Subject: [PATCH] chore: wire read-only secrets/ volume for session bundles Mounts ./secrets to /secrets:ro so LINGMA_SESSION_BUNDLE_FILE can point at a host-managed file without the bundle ever being baked into the image or committed to git. secrets/ is git-ignored except for .gitkeep so the directory exists on fresh clones. Made-with: Cursor
---
 .gitignore | 2 ++ docker-compose.yml | 2 ++ secrets/.gitkeep | 0 3 files changed, 4 insertions(+) create mode 100644 secrets/.gitkeep
diff --git a/.gitignore b/.gitignore
index 8d2999e..71cd873 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@ bin/
 runtime-bin/
 data/*
 !data/.gitkeep
+secrets/*
+!secrets/.gitkeep
diff --git a/docker-compose.yml b/docker-compose.yml
index 77ab071..b849d01 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,4 +14,6 @@ services:
 - "${PORT:-8317}:${PORT:-8317}"
 volumes:
 - ./data:/app/data
+ # Read-only secrets (session bundles, etc). Created outside git; see README.
+ - ./secrets:/secrets:ro
 restart: unless-stopped
diff --git a/secrets/.gitkeep b/secrets/.gitkeep
new file mode 100644
index 0000000..e69de29
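Review bot: The `./secrets:/secrets:ro` mount added under `volumes:` keeps the bundle out of git, but nothing in this patch keeps it out of the image build context. The diffstat touches only `.gitignore`, `docker-compose.yml` and `secrets/.gitkeep`, so if the Dockerfile (not visible here) copies the project directory, a bundle placed in `./secrets` could still end up in an image layer despite what the commit message says; listing `secrets/` in `.dockerignore` would close that gap. The new comment defers to the README, which this commit does not change, so it is worth stating the expectation in place, e.g. `# Host-managed, never COPY'd into the image; keep files owner-readable only (0600).` Note that `:ro` only prevents writes from inside the container; who can read the bundle still depends on the host file permissions. The service definition continues outside the hunk.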