fix: update build system tooling and configuration

Update cookbook fetch.rs for protected recipe handling and atomic
patch application. Update config.mk, device services, and legacy
base configs. Add patch-inclusion-gate script.
2026-05-11 10:10:35 +01:00
parent 4e24760a22
commit daa875fc56
7 changed files with 78 additions and 460 deletions
+29
@@ -0,0 +1,29 @@
#!/usr/bin/env bash
# patch-inclusion-gate.sh — block image creation unless Red Bear patches are auditable.
#
# Public scripts that create harddrive images or live ISOs must call this before
# invoking `make all`, `make live`, or a direct image target. The cookbook still
# applies patches from recipe.toml; this gate verifies the durable patch store is
# classified and that active ledger entries are wired into recipes.
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
cd "$PROJECT_ROOT"
if [ "${REDBEAR_SKIP_PATCH_INCLUSION_GATE:-0}" = "1" ]; then
echo "WARNING: REDBEAR_SKIP_PATCH_INCLUSION_GATE=1; patch inclusion gate bypassed" >&2
exit 0
fi
ledger_gate="local/scripts/classify-patches-ledger.py"
if [ ! -x "$ledger_gate" ]; then
echo "ERROR: missing executable patch ledger gate: $ledger_gate" >&2
exit 1
fi
echo ">>> Verifying Red Bear patch inclusion before image creation"
python3 local/scripts/ensure-patches-wired.py
python3 "$ledger_gate" --strict
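Review bot: The `-x` test on `$ledger_gate` is the wrong predicate for how the file is used: it is invoked as `python3 "$ledger_gate" --strict`, so the execute bit is never consulted, and a present but non-executable ledger script (e.g. after a checkout that drops mode bits) makes the gate fail with a misleading "missing executable" message; `ensure-patches-wired.py` on the line above gets no existence check at all and relies on `set -e` turning the python3 failure into a fail-closed exit. Use `if [ ! -f "$ledger_gate" ]; then` with `echo "ERROR: missing patch ledger gate: $ledger_gate" >&2`, and give the wired-check script the same treatment so both gate inputs fail with a clear message rather than an interpreter traceback. The bypass branch leaves no trace beyond one stderr line, so an image built with `REDBEAR_SKIP_PATCH_INCLUSION_GATE=1` is indistinguishable afterwards; a header comment such as `# NOTE: the bypass is only warned on stderr; build logs are the sole record that it was used.` would at least make that limitation explicit to callers. The hunk header declares 29 lines but fewer are shown, so blank lines were presumably dropped in rendering; the script otherwise appears complete.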