build system audit: implement Phase 1-3 fixes comprehensively

Phase 1 (Critical):
- Fix broken config includes: redbear-minimal -> redbear-mini in wifi/bt experimental configs
- Fix 05_boot-essential.target dependency: 00_base -> 04_drivers for correct boot ordering
- Fix IOMMU service dependency: 00_base -> 05_boot-essential
- Fix firmware-loader dependency: 00_base -> 05_boot-essential
- Fix messagebus shell: /usr/bin/zsh -> /usr/bin/false (security)
- Add offline gate to fetch-firmware.sh (REPO_OFFLINE=1 blocks network access)
- Add --upstream gate to fetch-all-sources.sh (network access requires explicit opt-in)
- Gate U-Boot wget calls in mk/qemu.mk with REPO_OFFLINE check
- Fix patch-inclusion-gate.sh: rewrite from Python deps to pure shell implementation
- Fix build-redbear.sh: remove direct patch application, let repo fetch handle it atomically

Phase 2 (High):
- Increase redbear-full filesystem_size: 4096 -> 8192 MiB for KDE desktop
- Deprecate redbear-greeter-services.toml (orphaned, not included by any config)
- Add cascade rebuild target to Makefile (make cascade.<package>)
- Gate cargo-update.sh with REDBEAR_ALLOW_UPSTREAM
- Add deprecation notice to apply-patches.sh
- Make protected recipe list data-driven via config/protected-recipes.toml
- Replace 127-entry hardcoded Rust matches! with TOML config file reader

Phase 3 (Medium):
- Fix 5 phantom doc references in local/AGENTS.md (retired/removed docs)
- Fix stale config names: redbear-minimal -> redbear-mini across scripts
- Fix duplicate references in docs/README.md
- Fix run_full.sh and run_mini.sh: hardcoded paths -> relative paths + error handling
2026-05-28 17:24:50 +03:00
parent 2b11b20a2f
commit a0244075e7
22 changed files with 280 additions and 234 deletions
+6 -1
@@ -1,6 +1,11 @@
#!/usr/bin/env bash
set -euo pipefail
# This script runs "make f.recipe" and "cargo update" in the specified recipe
if [ "${REDBEAR_ALLOW_UPSTREAM:-0}" = "0" ]; then
echo "ERROR: cargo-update.sh modifies Cargo.lock files and may require network access." >&2
echo " Set REDBEAR_ALLOW_UPSTREAM=1 to override." >&2
exit 1
fi
recipe_name="$1"
recipe_path=$(find recipes -name "$recipe_name" -maxdepth 4)
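Review bot: The gate at `if [ "${REDBEAR_ALLOW_UPSTREAM:-0}" = "0" ]` only blocks the literal value 0, so any other setting — `REDBEAR_ALLOW_UPSTREAM=no`, `=false`, or a stray non-empty value — is accepted as opt-in and the script goes on to modify Cargo.lock and reach the network. An allow-list test fails closed instead: `if [ "${REDBEAR_ALLOW_UPSTREAM:-0}" != "1" ]; then`. The error text `Set REDBEAR_ALLOW_UPSTREAM=1 to override.` already states that contract, so the condition should match it.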
+17 -4
@@ -34,6 +34,7 @@ cd "$REPO_ROOT"
REPO_BIN="./target/release/repo"
CONFIG_NAME="${1:-redbear-full}"
ACTION="fetch"
ALLOW_UPSTREAM="${ALLOW_UPSTREAM:-0}"
# ── Colors (disabled when not a terminal) ───────────────────────────
if [ -t 1 ]; then
@@ -56,9 +57,10 @@ usage() {
echo " --status Show which sources already exist locally"
echo " --preflight Smart blake3/size check — show what needs updating"
echo " --force Force re-download even if checksums match"
echo " --upstream Allow network access for source fetching (gated)"
echo " --help Show this help"
echo ""
echo "Configs: redbear-full, redbear-minimal, redbear-live-full, redbear-live-minimal"
echo "Configs: redbear-full, redbear-mini, redbear-grub"
echo "Default config: redbear-full"
}
@@ -91,6 +93,10 @@ while [[ $# -gt 0 ]]; do
FORCE_FETCH=1
shift
;;
--upstream)
ALLOW_UPSTREAM=1
shift
;;
--help|-h)
usage
exit 0
@@ -481,7 +487,7 @@ case "$ACTION" in
preflight)
build_repo
if [ "$ALL_CONFIGS" -eq 1 ]; then
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
for cfg in redbear-full redbear-mini redbear-grub; do
preflight_scan "$cfg" || true
done
else
@@ -491,7 +497,7 @@ case "$ACTION" in
list)
build_repo
if [ "$ALL_CONFIGS" -eq 1 ]; then
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
for cfg in redbear-full redbear-mini redbear-grub; do
list_for_config "$cfg" 2>/dev/null || true
done
else
@@ -501,12 +507,19 @@ case "$ACTION" in
fetch)
build_repo
if [ "$ALLOW_UPSTREAM" -eq 0 ] && [ "${REDBEAR_ALLOW_UPSTREAM:-0}" -eq 0 ]; then
echo "ERROR: fetch-all-sources.sh requires network access." >&2
echo " Pass --upstream or set REDBEAR_ALLOW_UPSTREAM=1 to enable." >&2
echo " This script is manual-only — it is never called by 'make all' or 'make live'." >&2
exit 1
fi
if [ -n "$SINGLE_RECIPE" ]; then
fetch_single_recipe "$SINGLE_RECIPE"
elif [ "$ALL_CONFIGS" -eq 1 ]; then
echo "==> Fetching sources for ALL configs"
echo " This ensures every recipe needed by any config is downloaded."
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
for cfg in redbear-full redbear-mini redbear-grub; do
fetch_for_config "$cfg" 2>/dev/null || {
echo " WARNING: failed to fetch for $cfg (some recipes may not exist)"
echo ""
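Review bot: The new gate in the `fetch)` arm uses a numeric test, `[ "$ALLOW_UPSTREAM" -eq 0 ] && [ "${REDBEAR_ALLOW_UPSTREAM:-0}" -eq 0 ]`, and `ALLOW_UPSTREAM` is seeded from the environment by `ALLOW_UPSTREAM="${ALLOW_UPSTREAM:-0}"` in the first hunk; a non-integer value such as `ALLOW_UPSTREAM=yes` makes `[` fail with "integer expression expected", the `&&` chain evaluates false, and the gate is skipped — it fails open, and the environment seeding also means `--upstream` / `REDBEAR_ALLOW_UPSTREAM=1` are not the only opt-in paths despite the error message. Initialising with `ALLOW_UPSTREAM=0` and testing `if [ "$ALLOW_UPSTREAM" != "1" ] && [ "${REDBEAR_ALLOW_UPSTREAM:-0}" != "1" ]; then` closes both holes and matches the string check used by cargo-update.sh in this commit. Whether `build_repo`, `preflight_scan` or `--force` can reach the network is not visible here; if they can, the gate covers only the `fetch` action and a comment saying so would help. The `case` arm continues past the end of the hunk.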
+36 -10
@@ -1,10 +1,12 @@
#!/usr/bin/env bash
# patch-inclusion-gate.sh — block image creation unless Red Bear patches are auditable.
# patch-inclusion-gate.sh — block image creation unless Red Bear patches are wired.
#
# Verifies that:
# 1. Every patch file referenced in recipe.toml exists on disk
# 2. Every patch file in local/patches/ is wired into at least one recipe
#
# Public scripts that create harddrive images or live ISOs must call this before
# invoking `make all`, `make live`, or a direct image target. The cookbook still
# applies patches from recipe.toml; this gate verifies the durable patch store is
# classified and that active ledger entries are wired into recipes.
# invoking `make all`, `make live`, or a direct image target.
set -euo pipefail
@@ -18,12 +20,36 @@ if [ "${REDBEAR_SKIP_PATCH_INCLUSION_GATE:-0}" = "1" ]; then
exit 0
fi
ledger_gate="local/scripts/classify-patches-ledger.py"
if [ ! -x "$ledger_gate" ]; then
echo "ERROR: missing executable patch ledger gate: $ledger_gate" >&2
errors=0
# Check 1: every patch referenced in recipe.toml must exist on disk
while IFS= read -r recipe_toml; do
recipe_dir="$(dirname "$recipe_toml")"
patch_list=$(grep -oP 'patches\s*=\s*\[([^\]]*)\]' "$recipe_toml" 2>/dev/null | grep -oP '"[^"]+\.patch"' | tr -d '"' || true)
for patch_name in $patch_list; do
patch_path="$recipe_dir/$patch_name"
if [ ! -f "$patch_path" ]; then
echo "ERROR: $recipe_toml references '$patch_name' but file not found at $patch_path" >&2
errors=$((errors + 1))
fi
done
done < <(find recipes local/recipes -name "recipe.toml" -not -path "*/source/*" 2>/dev/null)
# Check 2: every patch in local/patches/ should be wired into at least one recipe
while IFS= read -r patch_file; do
patch_name=$(basename "$patch_file")
component=$(basename "$(dirname "$patch_file")")
wired=$(grep -rl "\"$patch_name\"" recipes/ local/recipes/ --include="recipe.toml" 2>/dev/null | head -1 || true)
if [ -z "$wired" ]; then
echo "WARNING: local/patches/$component/$patch_name is not wired into any recipe.toml" >&2
fi
done < <(find local/patches -name "*.patch" -type f 2>/dev/null)
if [ "$errors" -gt 0 ]; then
echo "ERROR: $errors patch reference(s) broken. Fix before building." >&2
exit 1
fi
echo ">>> Verifying Red Bear patch inclusion before image creation"
python3 local/scripts/ensure-patches-wired.py
python3 "$ledger_gate" --strict
echo ">>> Patch inclusion gate passed"
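Review bot: Check 1 (the `patch_list=` line) runs `grep -o` line by line, so a `patches = [` array that spans several lines in a recipe.toml yields no matches and the reference check silently passes for that recipe — the gate fails open exactly where the list is long enough to be wrapped. Feeding the file through `tr '\n' ' ' < "$recipe_toml" | grep -oP 'patches\s*=\s*\[[^\]]*\]' | grep -oP '"[^"]+\.patch"' | tr -d '"'` keeps the rest of the loop unchanged. Check 2 interpolates `$patch_name` into a grep regex; `grep -rlF -- "\"$patch_name\""` avoids metacharacter surprises and `--` protects against names starting with `-`. Note also that check 2 only emits a WARNING and never increments `errors`, so an unwired patch does not block the build even though the header comment says the gate verifies wiring; if that is intended, the header should say so. Whether resolving `$recipe_dir/$patch_name` matches how the cookbook locates patches is not visible here.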
+1 -1
@@ -29,7 +29,7 @@ Examples:
$(basename "$0") # Run existing image
$(basename "$0") --build # Build + run
$(basename "$0") --build --upstream # Build + run with upstream source refresh enabled
$(basename "$0") -b -c redbear-minimal # Build minimal + run
$(basename "$0") -b -c redbear-mini # Build mini + run
$(basename "$0") -- QEMUFLAGS="-m 8G" # Run with 8G RAM
$(basename "$0") -b -- serial=yes # Build + run with serial console
$(basename "$0") -b -- gpu=virtio kvm=no # Build + run with virtio GPU, no KVM
+26 -7
@@ -1,9 +1,28 @@
#!/bin/bash
#!/usr/bin/env bash
set -euo pipefail
# Ensure cargo bin (cbindgen, rustup, etc.) is in PATH
case ":${PATH}:" in
*":$HOME/.cargo/bin:"*) ;;
*) export PATH="$HOME/.cargo/bin:$PATH" ;;
esac
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
IMAGE="${1:-$PROJECT_ROOT/build/x86_64/redbear-full/harddrive.img}"
BIOS="${OVMF_BIOS:-/usr/share/edk2/x64/OVMF_CODE.4m.fd}"
RAM="${QEMU_RAM:-8192}"
qemu-system-x86_64 -m 8G -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd -drive file=/home/kellito/Builds/rbos/build/x86_64/redbear-full.iso,format=raw -device virtio-gpu-pci -enable-kvm -serial mon:stdio
if [ ! -f "$IMAGE" ]; then
echo "ERROR: Image not found at $IMAGE" >&2
echo " Run 'make all CONFIG_NAME=redbear-full' first." >&2
exit 1
fi
if [ ! -f "$BIOS" ]; then
echo "ERROR: OVMF firmware not found at $BIOS" >&2
echo " Install edk2-ovmf or set OVMF_BIOS to the correct path." >&2
exit 1
fi
exec qemu-system-x86_64 \
-m "${RAM}" \
-drive if=pflash,format=raw,readonly=on,file="$BIOS" \
-drive file="$IMAGE",format=raw \
-device virtio-gpu-pci \
-enable-kvm \
-serial mon:stdio
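Review bot: `-enable-kvm` on the `exec qemu-system-x86_64` command makes the script abort on any host where /dev/kvm is absent or not writable (containers, nested CI runners), and the new image and BIOS pre-flight checks do not cover that case. A guard such as `kvm_args=(); [ -w /dev/kvm ] && kvm_args=(-enable-kvm)` passed as `${kvm_args[@]+"${kvm_args[@]}"}` (the expansion form that survives `set -u` with an empty array) keeps the fast path where available and degrades to TCG elsewhere, or else the script should fail with the same style of `ERROR:` message as the other two checks. The `-drive file="$IMAGE"` argument also inherits QEMU's comma quoting: a path containing `,` must be written as `,,`, which the `${1:-…}` override does not handle — worth a comment on the `IMAGE=` line.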
+24 -7
@@ -1,9 +1,26 @@
#!/bin/bash
#!/usr/bin/env bash
set -euo pipefail
# Ensure cargo bin (cbindgen, rustup, etc.) is in PATH
case ":${PATH}:" in
*":$HOME/.cargo/bin:"*) ;;
*) export PATH="$HOME/.cargo/bin:$PATH" ;;
esac
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
IMAGE="${1:-$PROJECT_ROOT/build/x86_64/redbear-mini/harddrive.img}"
BIOS="${OVMF_BIOS:-/usr/share/edk2/x64/OVMF_CODE.4m.fd}"
RAM="${QEMU_RAM:-8192}"
qemu-system-x86_64 -m 8G -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd -drive file=/home/kellito/Builds/RedBear-OS/build/x86_64/redbear-mini.iso,format=raw -device virtio-gpu-pci -enable-kvm -serial mon:stdio
if [ ! -f "$IMAGE" ]; then
echo "ERROR: Image not found at $IMAGE" >&2
echo " Run 'make all CONFIG_NAME=redbear-mini' first." >&2
exit 1
fi
if [ ! -f "$BIOS" ]; then
echo "ERROR: OVMF firmware not found at $BIOS" >&2
echo " Install edk2-ovmf or set OVMF_BIOS to the correct path." >&2
exit 1
fi
exec qemu-system-x86_64 \
-m "${RAM}" \
-drive if=pflash,format=raw,readonly=on,file="$BIOS" \
-drive file="$IMAGE",format=raw \
-serial mon:stdio
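Review bot: The new `exec qemu-system-x86_64` command omits `-enable-kvm` and `-device virtio-gpu-pci`, both of which the single-line command it replaces passed; the commit message describes this file's change as paths and error handling only, so booting the mini image under TCG looks unintentional. If dropping KVM is intended it should be stated in the commit message; otherwise restore `-enable-kvm \` before `-serial mon:stdio` (and the virtio GPU line if mini still needs a display). `-enable-kvm` does require a writable /dev/kvm on the host, so a guard or an explicit `ERROR:` check in the same style as the image and BIOS checks would be consistent.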