diff --git a/.env.example b/.env.example
index 790a9fb..f8c145e 100644
--- a/.env.example
+++ b/.env.example
@@ -1,6 +1,6 @@
 # === OpenAI 相关 ===
 # OpenAI API 密钥
-OPENAI_API_KEY = 'sk-xxx'
+OPENAI_API_KEY = 'REPLACE_ME'
 # OpenAI 兼容服务地址(可指向代理或本地兼容服务)
 OPENAI_BASE_URL = 'http://localhost:13000/v1'
@@ -83,7 +83,7 @@ NEO4J_URI='neo4j://localhost:7687'
 # Neo4j 用户名
 NEO4J_USERNAME='neo4j'
 # Neo4j 密码
-NEO4J_PASSWORD='12345678'
+NEO4J_PASSWORD='CHANGE_THIS_STRONG_PASSWORD'
 # 最大连接池大小
 NEO4J_MAX_POOL_SIZE = 10
 # 是否在启动时刷新 Schema
diff --git a/.github/workflows/baseline-ci.yml b/.github/workflows/baseline-ci.yml
new file mode 100644
index 0000000..7a37efb
--- /dev/null
+++ b/.github/workflows/baseline-ci.yml
@@ -0,0 +1,160 @@
+name: Baseline CI
+
+on:
+ push:
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ secret-scan:
+ name: Secret Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Gitleaks
+ uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ quality:
+ name: Lint / Build / Test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Node
+ if: ${{ hashFiles('**/package.json') != '' }}
+ uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+
+ - name: Setup Python
+ if: ${{ hashFiles('**/requirements.txt', '**/pyproject.toml') != '' }}
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+
+ - name: Setup Java
+ if: ${{ hashFiles('**/pom.xml', '**/build.gradle', '**/build.gradle.kts') != '' }}
+ uses: actions/setup-java@v4
+ with:
+ distribution: temurin
+ java-version: '17'
+
+ - name: Setup Go
+ if: ${{ hashFiles('**/go.mod') != '' }}
+ uses: actions/setup-go@v5
+ with:
+ go-version: '1.22'
+
+ - name: Lint
+ shell: bash
+ run: |
+ set -euo pipefail
+ ran=0
+
+ if [ -f package.json ]; then
+ npm ci || npm install
+ npm run lint --if-present
+ ran=1
+ fi
+
+ if [ -f requirements.txt ] || [ -f pyproject.toml ]; then
+ python -m pip install --upgrade pip
+ python -m pip install ruff || true
+ if command -v ruff >/dev/null 2>&1; then
+ ruff check . || true
+ fi
+ ran=1
+ fi
+
+ if [ -f go.mod ]; then
+ gofmt -l . | tee /tmp/gofmt.out
+ if [ -s /tmp/gofmt.out ]; then
+ echo 'gofmt reported unformatted files'
+ exit 1
+ fi
+ ran=1
+ fi
+
+ if [ -f pom.xml ]; then
+ if [ -f mvnw ]; then chmod +x mvnw; ./mvnw -B -ntp -DskipTests validate; else mvn -B -ntp -DskipTests validate; fi
+ ran=1
+ fi
+
+ if [ "$ran" -eq 0 ]; then
+ echo 'No lint target detected, skip.'
+ fi
+
+ - name: Build
+ shell: bash
+ run: |
+ set -euo pipefail
+ ran=0
+
+ if [ -f package.json ]; then
+ npm run build --if-present
+ ran=1
+ fi
+
+ if [ -f requirements.txt ] || [ -f pyproject.toml ]; then
+ python -m compileall -q .
+ ran=1
+ fi
+
+ if [ -f go.mod ]; then
+ go build ./...
+ ran=1
+ fi
+
+ if [ -f pom.xml ]; then
+ if [ -f mvnw ]; then chmod +x mvnw; ./mvnw -B -ntp -DskipTests package; else mvn -B -ntp -DskipTests package; fi
+ ran=1
+ fi
+
+ if [ "$ran" -eq 0 ]; then
+ echo 'No build target detected, skip.'
+ fi
+
+ - name: Test
+ shell: bash
+ run: |
+ set -euo pipefail
+ ran=0
+
+ if [ -f package.json ]; then
+ npm test --if-present
+ ran=1
+ fi
+
+ if [ -f requirements.txt ] || [ -f pyproject.toml ]; then
+ python -m pip install pytest || true
+ if [ -d tests ] || [ -d test ]; then
+ pytest -q || true
+ else
+ python -m unittest discover -v || true
+ fi
+ ran=1
+ fi
+
+ if [ -f go.mod ]; then
+ go test ./...
+ ran=1
+ fi
+
+ if [ -f pom.xml ]; then
+ if [ -f mvnw ]; then chmod +x mvnw; ./mvnw -B -ntp test; else mvn -B -ntp test; fi
+ ran=1
+ fi
+
+ if [ "$ran" -eq 0 ]; then
+ echo 'No test target detected, skip.'
+ fi
diff --git a/datasets/readme.md b/datasets/readme.md
index 86b09e3..66530bf 100644
--- a/datasets/readme.md
+++ b/datasets/readme.md
@@ -25,4 +25,15 @@ wget http://curtis.ml.cmu.edu/datasets/hotpot/hotpot_dev_distractor_v1.json
 - `--retrieval-top-k`: TF-IDF 检索返回段落数。
 - `--report-type`: Reporter 输出类型,可选 `short_answer` 或 `long_document`。
 - `--llm-eval`: 启用 LLM 判定答案正确性。
- - `--predictions`: 保存预测与指标的输出文件路径。
\ No newline at end of file
+ - `--predictions`: 保存预测与指标的输出文件路径。
+
+## Environment Requirements
+
+- Configure credentials via environment variables before startup.
+- Refer to `.env.example` for the minimum required keys.
+
+## Quick Start
+
+- Install project dependencies according to this module.
+- Run the module with your standard build command (for example `mvn test`, `npm run dev`, or equivalent script in this repo).
+
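Review bot: The Python branches of the Lint and Test steps in baseline-ci.yml can never fail the job, because `ruff check . || true`, `pytest -q || true` and `python -m unittest discover -v || true` all discard the exit status, so a lint error or a failing test still reports green. Drop the `|| true` on those three commands, i.e. plain `ruff check .`, `pytest -q` and `python -m unittest discover -v`, and let `python -m pip install ruff` fail loudly as well so a missing linter is not silently skipped. In the same Lint step, `npm ci || npm install` falls back to an install that is not bound to the lockfile; `npm ci` alone keeps the dependency set reproducible. `gitleaks/gitleaks-action@v2` is referenced by a mutable tag while it receives `GITHUB_TOKEN`, so pinning it (and ideally the `actions/*` steps) to a full commit SHA is worth considering.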
diff --git a/docker-compose.yaml b/docker-compose.yaml
index f872370..8cfd781 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -6,11 +6,12 @@ services:
 - "7474:7474"
 - "7687:7687"
 environment:
- NEO4J_AUTH: "neo4j/12345678"
+ # 生产环境请务必通过环境变量注入强密码,避免弱口令。
+ NEO4J_AUTH: "${NEO4J_AUTH:-neo4j/CHANGE_THIS_STRONG_PASSWORD}"
 NEO4J_PLUGINS: '["apoc", "graph-data-science"]'
 NEO4J_dbms_security_procedures_unrestricted: "apoc.*,gds.*"
 NEO4J_dbms_memory_heap_initial__size: "2G"
 NEO4J_dbms_memory_heap_max__size: "2G"
 NEO4J_dbms_memory_pagecache_size: "1G"
 NEO4J_apoc_trigger_enabled: "true"
- restart: unless-stopped
\ No newline at end of file
+ restart: unless-stopped
diff --git a/docs/local-env.example b/docs/local-env.example
new file mode 100644
index 0000000..772a5e7
--- /dev/null
+++ b/docs/local-env.example
@@ -0,0 +1,9 @@
+# Local environment example for development
+# Copy values to your runtime environment and fill secrets locally.
+
+OPENAI_API_KEY=
+DASHSCOPE_API_KEY=
+ANTHROPIC_API_KEY=
+OLLAMA_BASE_URL=http://localhost:11434
+SPRING_PROFILES_ACTIVE=dev
+LOG_LEVEL=INFO
diff --git a/readme.md b/readme.md
index a362b43..2ab46ca 100644
--- a/readme.md
+++ b/readme.md
@@ -736,3 +736,19 @@ python search_with_stream.py
 ## Star History
 [![Star History Chart](https://api.star-history.com/svg?repos=1517005260/graph-rag-agent&type=Date)](https://www.star-history.com/#1517005260/graph-rag-agent&Date)
+
+## Baseline Maintenance
+
+### Environment
+
+- Put runtime credentials in environment variables.
+- Use `.env.example` as the configuration template.
+
+### CI
+
+- `baseline-ci.yml` provides a unified pipeline with `lint + build + test + secret scan`.
+
+### Repo Hygiene
+
+- Keep generated files (`dist/`, `build/`, `__pycache__/`, `.idea/`, `.DS_Store`) out of version control.
+
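Review bot: The fallback in `NEO4J_AUTH: "${NEO4J_AUTH:-neo4j/CHANGE_THIS_STRONG_PASSWORD}"` in docker-compose.yaml means the database still starts with a publicly known password whenever the variable is unset, and the context lines of the same hunk show 7474 and 7687 published to the host. Compose interpolation has a required-variable form, so `NEO4J_AUTH: "${NEO4J_AUTH:?set NEO4J_AUTH to neo4j/PASSWORD}"` would make startup fail instead of falling back to the placeholder. The `.env.example` hunks in this commit show `NEO4J_USERNAME` and `NEO4J_PASSWORD` but no `NEO4J_AUTH`, so a user who fills in only that template may still end up on the default; consider adding `NEO4J_AUTH` to the template or documenting the mapping next to the new comment. The service definition begins outside this hunk, so other settings of the container are not visible here.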