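#!/usr/bin/env bash
# patch-inclusion-gate.sh — block image creation unless Red Bear patches are auditable.
#
# Public scripts that create harddrive images or live ISOs must call this before
# invoking `make all`, `make live`, or a direct image target. The cookbook still
# applies patches from recipe.toml; this gate verifies the durable patch store is
# classified and that active ledger entries are wired into recipes.
#
# Exit status:
#   0  both checks passed, or the gate was explicitly bypassed (see below)
#   1  a gate script is missing from local/scripts
#   *  otherwise the status of the first failing python3 check (set -e)

set -euo pipefail

# Resolve the project root from this file's own location so the relative
# script paths below work regardless of the caller's working directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
cd "$PROJECT_ROOT"

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Deliberate escape hatch. The stderr warning is the only trace it leaves, so
# build pipelines that honour it should retain stderr in their logs.
if [ "${REDBEAR_SKIP_PATCH_INCLUSION_GATE:-0}" = "1" ]; then
  echo "WARNING: REDBEAR_SKIP_PATCH_INCLUSION_GATE=1; patch inclusion gate bypassed" >&2
  exit 0
fi

# Both checks live under local/scripts and run through python3. Verify each is
# present up front so a missing file is reported by name rather than as a
# python3 "No such file or directory" error.
wiring_gate="local/scripts/ensure-patches-wired.py"
ledger_gate="local/scripts/classify-patches-ledger.py"
# The ledger gate keeps its original execute-bit requirement; the wiring
# script only needs to be readable because python3 opens it directly.
[ -r "$wiring_gate" ] || die "ERROR: missing patch wiring check: $wiring_gate"
[ -x "$ledger_gate" ] || die "ERROR: missing executable patch ledger gate: $ledger_gate"

echo ">>> Verifying Red Bear patch inclusion before image creation"
# Each check signals failure with a non-zero status; under set -e the script
# stops at the first failure, so the ledger check only runs if wiring passed.
python3 "$wiring_gate"
python3 "$ledger_gate" --strict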