From 489e326ccc6127eaa614f6c0cda27994fc856c7e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 9 Apr 2026 03:23:42 +0000
Subject: [PATCH] Fix Verify System Integrity: use temp dir + result symlink instead of --print-out-paths
Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/b90b9352-56a0-4987-822b-ea4b9d4fdf92
Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
 app/sovran_systemsos_web/server.py | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/app/sovran_systemsos_web/server.py b/app/sovran_systemsos_web/server.py
index a74941d..78e17e2 100644
--- a/app/sovran_systemsos_web/server.py
+++ b/app/sovran_systemsos_web/server.py
@@ -12,6 +12,7 @@ import re
 import shutil
 import socket
 import subprocess
+import tempfile
 import time
 import urllib.error
 import urllib.parse
@@ -3087,14 +3088,27 @@ async def api_security_verify_integrity():
 expected_system_path = ""
 try:
 current_system_path = os.path.realpath("/run/current-system")
- result = subprocess.run(
- ["/run/current-system/sw/bin/nixos-rebuild", "build", "--flake", "/etc/nixos",
- "--no-build-output", "--print-out-paths"],
- capture_output=True, text=True, timeout=600,
- )
- if result.returncode == 0:
- expected_system_path = result.stdout.strip()
- system_matches = (current_system_path == expected_system_path)
+ # Use a temp directory so the ./result symlink doesn't pollute anything
+ tmpdir = tempfile.mkdtemp(prefix="sovran-verify-")
+ try:
+ result = subprocess.run(
+ ["/run/current-system/sw/bin/nixos-rebuild", "build", "--flake", "/etc/nixos",
+ "--no-build-output"],
+ capture_output=True, text=True, timeout=600,
+ cwd=tmpdir,
+ )
+ if result.returncode == 0:
+ result_link = os.path.join(tmpdir, "result")
+ if os.path.islink(result_link):
+ expected_system_path = os.path.realpath(result_link)
+ system_matches = (current_system_path == expected_system_path)
+ else:
+ expected_system_path = "Build succeeded but no result symlink found"
+ else:
+ # Surface the error so the UI can show what went wrong
+ expected_system_path = f"Build failed: {(result.stderr or result.stdout).strip()[:500]}"
+ finally:
+ shutil.rmtree(tmpdir, ignore_errors=True)
 except subprocess.TimeoutExpired:
 expected_system_path = "Build timed out"
 except Exception as exc:
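Review bot: The `else` branch for a non-zero return code copies up to 500 characters of raw `nixos-rebuild` output into `expected_system_path`, so build diagnostics (store paths, and possibly flake input locations or evaluation traces) go back to whoever can call this endpoint, in a field that otherwise holds a store path. I would record the output server-side and return a fixed string, in line with the timeout branch: `expected_system_path = "Build failed"`. If the UI needs the detail, a separate error key in the response, escaped on render, would keep the path field unambiguous. Also, `[:500]` keeps the start of the output, while the decisive error is often at the end. The function starts before and continues after this hunk, so how the response is assembled and whether `system_matches` defaults to `False` on these failure paths cannot be confirmed from here.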