Fix security warning reappearing after every reboot

Add two early-exit checks in sovran-legacy-security-check before the legacy fallthrough block: 1. Exit if /var/lib/sovran/onboarding-complete exists (Hub onboarding done) 2. Exit if /var/lib/secrets/free-password exists and is not "free" (password changed) This prevents the boot-time service from overwriting the security-status file that /api/change-password clears after a successful password change. Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/c18311e4-609d-4edf-a2a1-a018baede373 Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
2026-04-07 18:26:54 +00:00
parent 72453c80bf
commit 5a27b79b51
1 changed files with 9 additions and 0 deletions
--- a/modules/core/factory-seal.nix
+++ b/modules/core/factory-seal.nix
@@ -116,6 +116,15 @@ EOF
        exit 0
      fi

+      # If the user completed Hub onboarding, they've addressed security
+      [ -f /var/lib/sovran/onboarding-complete ] && exit 0
+
+      # If the free password has been changed from the factory default, no warning needed
+      if [ -f /var/lib/secrets/free-password ]; then
+        CURRENT=$(cat /var/lib/secrets/free-password)
+        [ "$CURRENT" != "free" ] && exit 0
+      fi
+
      # No flags at all + secrets exist = legacy (pre-seal era) machine
      if [ -f /var/lib/secrets/root-password ]; then
        mkdir -p /var/lib/sovran