From 72453c80bf4b438ebc9273a83c1ed6896004e4f5 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 7 Apr 2026 18:25:47 +0000
Subject: [PATCH 1/3] Initial plan


From 5a27b79b510d578bd6eafa79f0185bfc817bb9db Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 7 Apr 2026 18:26:54 +0000
Subject: [PATCH 2/3] Fix security warning reappearing after every reboot

Add two early-exit checks in sovran-legacy-security-check before the
legacy fallthrough block:
1. Exit if /var/lib/sovran/onboarding-complete exists (Hub onboarding done)
2. Exit if /var/lib/secrets/free-password exists and is not "free" (password changed)

This prevents the boot-time service from overwriting the security-status
file that /api/change-password clears after a successful password change.

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/c18311e4-609d-4edf-a2a1-a018baede373

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
 modules/core/factory-seal.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/modules/core/factory-seal.nix b/modules/core/factory-seal.nix
index 74db537..fc8be3d 100644
--- a/modules/core/factory-seal.nix
+++ b/modules/core/factory-seal.nix
@@ -116,6 +116,15 @@ EOF
         exit 0
       fi
 
+      # If the user completed Hub onboarding, they've addressed security
+      [ -f /var/lib/sovran/onboarding-complete ] && exit 0
+
+      # If the free password has been changed from the factory default, no warning needed
+      if [ -f /var/lib/secrets/free-password ]; then
+        CURRENT=$(cat /var/lib/secrets/free-password)
+        [ "$CURRENT" != "free" ] && exit 0
+      fi
+
       # No flags at all + secrets exist = legacy (pre-seal era) machine
       if [ -f /var/lib/secrets/root-password ]; then
         mkdir -p /var/lib/sovran

From 069f6c3ec7908661f9d1bace2e65aec379cd4a0e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 7 Apr 2026 18:27:32 +0000
Subject: [PATCH 3/3] Avoid storing password in variable to prevent process
 listing exposure

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/c18311e4-609d-4edf-a2a1-a018baede373

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
 modules/core/factory-seal.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/core/factory-seal.nix b/modules/core/factory-seal.nix
index fc8be3d..148239f 100644
--- a/modules/core/factory-seal.nix
+++ b/modules/core/factory-seal.nix
@@ -121,8 +121,7 @@ EOF
 
       # If the free password has been changed from the factory default, no warning needed
       if [ -f /var/lib/secrets/free-password ]; then
-        CURRENT=$(cat /var/lib/secrets/free-password)
-        [ "$CURRENT" != "free" ] && exit 0
+        [ "$(cat /var/lib/secrets/free-password)" != "free" ] && exit 0
       fi
 
       # No flags at all + secrets exist = legacy (pre-seal era) machine