chore: wire read-only secrets/ volume for session bundles

Mounts ./secrets to /secrets:ro so LINGMA_SESSION_BUNDLE_FILE can point at a host-managed file without the bundle ever being baked into the image or committed to git. secrets/ is git-ignored except for .gitkeep so the directory exists on fresh clones. Made-with: Cursor
2026-04-18 09:47:03 +08:00
parent 4e08d1af36
commit 3130533888
3 changed files with 4 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@ bin/
 runtime-bin/
 data/*
 !data/.gitkeep
+secrets/*
+!secrets/.gitkeep
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,4 +14,6 @@ services:
      - "${PORT:-8317}:${PORT:-8317}"
    volumes:
      - ./data:/app/data
+      # Read-only secrets (session bundles, etc). Created outside git; see README.
+      - ./secrets:/secrets:ro
    restart: unless-stopped
--- a/secrets/.gitkeep
+++ b/secrets/.gitkeep