feat: add legacy security warning API and UI modal for pre-factory-seal machines

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/f7c8f11b-873b-403f-ac55-8b5b7cd9f1fb Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
2026-04-07 15:49:25 +00:00
parent a40ea61415
commit 13c686a8a1
6 changed files with 147 additions and 0 deletions
--- a/app/sovran_systemsos_web/server.py
+++ b/app/sovran_systemsos_web/server.py
@@ -59,6 +59,11 @@ REBOOT_COMMAND = ["reboot"]
 ONBOARDING_FLAG = "/var/lib/sovran/onboarding-complete"
 AUTOLAUNCH_DISABLE_FLAG = "/var/lib/sovran/hub-autolaunch-disabled"

+# ── Legacy security check constants ──────────────────────────────
+
+SECURITY_STATUS_FILE  = "/var/lib/sovran/security-status"
+SECURITY_WARNING_FILE = "/var/lib/sovran/security-warning"
+
 # ── Tech Support constants ────────────────────────────────────────

 SUPPORT_KEY_FILE = "/root/.ssh/sovran_support_authorized"
@@ -2916,6 +2921,37 @@ async def api_domains_check(req: DomainCheckRequest):
    return {"domains": list(check_results)}


+# ── Legacy security check ─────────────────────────────────────────
+
+@app.get("/api/security/status")
+async def api_security_status():
+    """Return the legacy security status and warning message, if present.
+
+    Reads /var/lib/sovran/security-status and /var/lib/sovran/security-warning.
+    Returns {"status": "legacy", "warning": "<message>"} for legacy machines,
+    or {"status": "ok", "warning": ""} when the files are absent.
+    """
+    try:
+        with open(SECURITY_STATUS_FILE, "r") as f:
+            status = f.read().strip()
+    except FileNotFoundError:
+        status = "ok"
+
+    warning = ""
+    if status == "legacy":
+        try:
+            with open(SECURITY_WARNING_FILE, "r") as f:
+                warning = f.read().strip()
+        except FileNotFoundError:
+            warning = (
+                "This machine was manufactured before the factory-seal process. "
+                "The default system password may be known to the factory. "
+                "Please change your system and application passwords immediately."
+            )
+
+    return {"status": status, "warning": warning}
+
+
 # ── Matrix user management ────────────────────────────────────────

 MATRIX_USERS_FILE = "/var/lib/secrets/matrix-users"