fix(advisor): tote Collection bp_compliance_recht aus RAG-Suche entfernen

bp_compliance_recht existiert nicht in Qdrant -> 500 bei jeder Advisor-Suche (graceful verworfen, aber unnoetige Last + ein toter von 6 Such-Pfaden). Entdeckt beim BDSG-Chunk-Audit. Reaktivieren, sobald die Collection befuellt ist. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-22 21:22:37 +02:00
7 changed files with 11 additions and 233 deletions
@@ -130,11 +130,10 @@ rsync -avz --exclude node_modules --exclude .next --exclude .git \
 **breakpilot-core MUSS laufen!** Dieses Projekt nutzt Core-Services:
 - Valkey (Session-Cache)
 - Vault (Secrets)
 - RAG-Service (Vektorsuche fuer Compliance-Dokumente)
 - Nginx (Reverse Proxy)
 Secrets liegen in Infisical (`secrets.meghsakha.com`); die Projektverknuepfung steht in `.infisical.json`. Lokal mit `infisical run --env=dev -- docker compose up` (oder `make dev`) starten — `.env`/`.env.local` werden nicht mehr verwendet.
 **Externe Services (Production):**
 - PostgreSQL 17 (sslmode=require) — Schemas: `compliance`, `public`
 - Qdrant @ `qdrant-dev.breakpilot.ai` (HTTPS, API-Key)
@@ -317,7 +316,7 @@ ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/brea
 ### 5. Sensitive Dateien
 **NIEMALS aendern oder committen:**
- `.env`, `.env.local`, Infisical-Tokens, SSL-Zertifikate
+- `.env`, `.env.local`, Vault-Tokens, SSL-Zertifikate
 - `*.pdf`, `*.docx`, kompilierte Binaries, grosse Medien
 ---
@@ -92,7 +92,7 @@ Wenn Hochrisiko:
 - [ ] **Transit:** TLS 1.3 für alle Verbindungen
 - [ ] **Rest:** Datenbank-Verschlüsselung
- [ ] **Secrets:** Infisical (`secrets.meghsakha.com`) für Credentials
+- [ ] **Secrets:** Vault für Credentials
 ### Zugriffskontrollen
@@ -1,5 +0,0 @@
 {
    "workspaceId": "996bda36-9e01-4071-ae8d-69a9f9ff5a23",
    "defaultEnvironment": "",
    "gitBranchToEnvironmentMapping": null
 }
@@ -1,157 +0,0 @@
 # Infisical Setup for Local Development
 This is the per-developer onboarding for accessing the `breakpilot-compliance` secrets while developing locally. Once this is done, **everything you launch through `make dev` (or `infisical run …`) gets the dev secrets injected as environment variables** — including any Claude Code session that spawns those commands.
 Secrets live in the self-hosted Infisical instance at **`secrets.meghsakha.com`**. The project link is committed in `.infisical.json`, so you don't need to know the project ID.
 ---
 ## 1. Install the Infisical CLI
 **macOS (recommended):**
 ```bash
 brew install infisical/get-cli/infisical
 ```
 **Other platforms / manual install:**
 See <https://infisical.com/docs/cli/overview>. Verify with:
 ```bash
 infisical --version
 # infisical version 0.43.x (or newer)
 ```
 ---
 ## 2. Log in to the self-hosted instance
 ```bash
 infisical login --domain https://secrets.meghsakha.com
 ```
 This opens a browser for SSO. The login is persisted to your OS keychain — you only do this once per machine.
 Sanity check:
 ```bash
 cd ~/projects/breakpilot-compliance   # wherever you cloned the repo
 infisical --domain https://secrets.meghsakha.com secrets --env=dev
 ```
 You should see a table of secret names + values. If you get an auth error, re-run `infisical login`.
 ---
 ## 3. Verify the project link
 The repo already contains `.infisical.json` pointing at the `breakpilot-compliance` project:
 ```bash
 cat .infisical.json
 # { "workspaceId": "996bda36-9e01-4071-ae8d-69a9f9ff5a23", ... }
 ```
 If the file is missing (rare — only if you reset the repo), recreate it:
 ```bash
 infisical init --domain https://secrets.meghsakha.com
 ```
 Pick the `breakpilot-compliance` project from the picker.
 ---
 ## 4. Launch the stack
 ```bash
 make dev
 ```
 This runs `infisical run --env=dev -- docker compose up`. Every service in the compose stack sees its secrets as normal env vars — no `.env` file ever touches disk.
 Other targets:
 | Target | What it does |
 |--------|--------------|
 | `make dev-build` | Same as `make dev` but rebuilds images first |
 | `make dev-down` | Stop the stack (no secrets needed) |
 | `make dev-logs` | Tail logs |
 | `make dev-ps` | List running containers |
 | `make secrets` | Print all secrets in `dev` (read-only) |
 | `make secrets-set KEY=FOO VALUE=bar` | Add or update a secret in `dev` |
 To target a different environment:
 ```bash
 make dev ENV=staging
 make secrets ENV=prod
 ```
 ---
 ## 5. Using secrets from Claude Code
 When Claude Code runs commands in this repo via its Bash tool, the commands inherit your shell's environment. Two patterns:
 **Pattern A — let Claude launch the stack normally**
 Claude just runs `make dev`. The Infisical CLI inside that command resolves secrets at run time and passes them to docker compose. Claude doesn't see plaintext secrets in its context, but the running services do.
 **Pattern B — let Claude run a one-off script with secrets**
 If Claude needs to execute a Python/Go script that requires secrets, wrap the command:
 ```bash
 infisical run --env=dev -- python scripts/some_one_off.py
 ```
 This works for any subprocess: pytest, alembic, go run, npm scripts. If Claude proposes a command that reads env vars and runs raw, ask it to wrap it in `infisical run --env=dev --` first.
 **What Claude should not do:**
 - `infisical export --env=dev > .env` — defeats the whole point and the `.gitignore` will still try to keep the file out.
 - `infisical secrets get KEY --env=dev --raw` and pasting the value into a code edit — secrets must stay out of the repo.
 If you want Claude to never accidentally dump secrets, add this to your `.claude/settings.json` permissions (project-level or user-level):
 ```json
 {
  "permissions": {
    "deny": [
      "Bash(infisical export*)",
      "Bash(infisical secrets get*)"
    ]
  }
 }
 ```
 ---
 ## Troubleshooting
 | Symptom | Fix |
 |---------|-----|
 | `please either run infisical init or pass --projectId` | `.infisical.json` is missing or unreadable — re-run `infisical init` |
 | `unauthorized` / `please log in` | Re-run `infisical login --domain https://secrets.meghsakha.com` |
 | `make dev` says secret is empty | Check the name in `make secrets` matches what docker-compose expects, then update the service config or rename the secret in Infisical |
 | Browser SSO doesn't open | Use `infisical login --domain https://secrets.meghsakha.com --method=user` and paste the URL manually |
 ---
 ## What the dev env contains
 Run `make secrets` to see the live list. As of this writing the dev env includes (at minimum):
 - `BREAKPILOT_DB_PASSWORD`
 - `BREAKPILOT_QDRANT_API_KEY`
 - `LITELLM_API_KEY`
 Every other variable in `.env.example` either has a sane default in `docker-compose.yml` or needs to be added to Infisical. To add one:
 ```bash
 make secrets-set KEY=ANTHROPIC_API_KEY VALUE=sk-ant-xxxx
 ```
 Or via the web UI: <https://secrets.meghsakha.com>.
@@ -1,57 +0,0 @@
 # breakpilot-compliance — developer workflow
 #
 # Secrets are managed in Infisical (secrets.meghsakha.com). The project
 # link lives in .infisical.json. To get started:
 #   1) infisical login --domain https://secrets.meghsakha.com   (once per machine)
 #   2) make dev
 #
 # .env / .env.local are NOT used in this repo anymore. Anything that needs
 # secrets MUST be launched through `infisical run` so the values come from
 # the secrets store instead of disk.
 INFISICAL ?= infisical
 INFISICAL_DOMAIN ?= https://secrets.meghsakha.com
 ENV ?= dev
 INFISICAL_RUN := $(INFISICAL) --domain $(INFISICAL_DOMAIN) run --env=$(ENV) --
 INFISICAL_SECRETS := $(INFISICAL) --domain $(INFISICAL_DOMAIN) secrets --env=$(ENV)
 .PHONY: help dev dev-build dev-down dev-logs dev-ps secrets secrets-set check-loc
 help:
 	@echo "Targets:"
 	@echo "  dev           Start the full compose stack with secrets injected from Infisical"
 	@echo "  dev-build     Same as dev, but force a rebuild first"
 	@echo "  dev-down      Stop the compose stack (no secrets needed)"
 	@echo "  dev-logs      Tail logs from all services"
 	@echo "  dev-ps        Show running containers"
 	@echo "  secrets       List all secrets in the current env ($(ENV))"
 	@echo "  secrets-set   Set a secret (KEY=... VALUE=...)"
 	@echo "  check-loc     Run the 500-line LOC guard"
 dev:
 	$(INFISICAL_RUN) docker compose up
 dev-build:
 	$(INFISICAL_RUN) docker compose up --build
 dev-down:
 	docker compose down
 dev-logs:
 	docker compose logs -f
 dev-ps:
 	docker compose ps
 secrets:
 	$(INFISICAL_SECRETS)
 secrets-set:
 	@if [ -z "$(KEY)" ] || [ -z "$(VALUE)" ]; then \
 		echo "Usage: make secrets-set KEY=MY_KEY VALUE=my_value"; exit 1; \
 	fi
 	$(INFISICAL) --domain $(INFISICAL_DOMAIN) secrets set $(KEY)=$(VALUE) --env=$(ENV)
 check-loc:
 	bash scripts/check-loc.sh
@@ -42,26 +42,23 @@ All containers share the external `breakpilot-network` Docker network and depend
 ## Quick Start
-**Prerequisites:** Docker, Go 1.24+, Python 3.12+, Node.js 20+, [Infisical CLI](https://infisical.com/docs/cli/overview)
+**Prerequisites:** Docker, Go 1.24+, Python 3.12+, Node.js 20+
 ```bash
 git clone ssh://git@gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance.git
 cd breakpilot-compliance
-# One-time per machine: log in to the self-hosted Infisical instance
+# Copy and populate secrets (never commit .env)
-infisical login --domain https://secrets.meghsakha.com
+cp .env.example .env
-# Start the full stack with secrets injected from Infisical (env=dev)
+# Start all services
-make dev
+docker compose up -d
 ```
 Secrets are pulled from Infisical (`secrets.meghsakha.com`) at runtime; `.env` files are not used. See [INFISICAL_SETUP.md](./INFISICAL_SETUP.md) for full onboarding, and `make help` for the rest of the targets (`dev-build`, `dev-down`, `secrets`, `secrets-set`).
 For the Orca/Hetzner production target (x86_64), use the override:
 ```bash
-make dev ENV=prod  # or:
+docker compose -f docker-compose.yml -f docker-compose.hetzner.yml up -d
 infisical run --env=prod -- docker compose -f docker-compose.yml -f docker-compose.hetzner.yml up -d
 ```
 ---
@@ -23,7 +23,8 @@ export const COMPLIANCE_COLLECTIONS = [
  'bp_compliance_ce',
  'bp_compliance_datenschutz',
  'bp_dsfa_corpus',
-  'bp_compliance_recht',
+  // 'bp_compliance_recht' entfernt 2026-06-22: existiert NICHT in Qdrant -> 500 bei jeder Suche
  // (wird still verworfen, aber unnoetige Last). Wieder aufnehmen, sobald die Collection befuellt ist.
  'bp_legal_templates',
 ] as const