- server.py: add _is_free_password_default() helper that reads /etc/shadow
  and hashes known defaults ("free", "gosovransystems") via crypt module;
  update api_password_is_default to use it instead of reading the secrets file
- factory-seal.nix: replace file-based free-password check with shadow-based
  cryptographic check using python3 + crypt module; add pkgs.python3 to path;
  pass values via env vars to avoid shell expansion of hash $ characters
Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/31e6fc93-8b4b-47af-9c47-568da0905301
Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
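
The reason for the env-var handoff in the factory-seal.nix bullet, shown as an added example that is not code from this repository: a crypt-style hash pasted into the text of an inline script is re-parsed by the inner shell, while the same hash passed through the environment arrives unchanged. The account name, hash value, `SHADOW_HASH` variable and function names are all hypothetical.

```shell
#!/bin/sh
# Constructed sample: one shadow-format line for a hypothetical account.
# The hash field is made up; it only has the $id$salt$digest shape.
SAMPLE_SHADOW='exampleuser:$6$Xy12AbCd$Qm9vZ0hhc2hWYWx1ZQ:19800:0:99999:7:::'

# Print field 2 (the password hash) for user $1 from shadow-format text $2.
shadow_hash() {
    printf '%s\n' "$2" | while IFS=: read -r user hash _rest; do
        if [ "$user" = "$1" ]; then
            printf '%s' "$hash"
            break
        fi
    done
}

# Fragile: the hash is pasted into the *text* of the inner script, so the
# inner shell expands $6, $Xy12AbCd and $Qm9v... as (unset) parameters.
via_interpolation() {
    sh -c "printf '%s' \"$1\""
}

# Robust: the inner script is a fixed single-quoted string and the hash
# arrives as data in an environment variable, so nothing re-parses it.
via_env() {
    SHADOW_HASH="$1" sh -c 'printf "%s" "$SHADOW_HASH"'
}

# Return 0 when the value reaching the inner process equals the original.
survives() {  # $1 = transport function, $2 = hash
    [ "$("$1" "$2")" = "$2" ]
}

h=$(shadow_hash exampleuser "$SAMPLE_SHADOW")
for transport in via_interpolation via_env; do
    if survives "$transport" "$h"; then
        echo "$transport: hash intact"
    else
        echo "$transport: hash mangled -> '$("$transport" "$h")'"
    fi
done
```

A comparison against a mangled hash can never match, so a default-password check fed this way would report "not default" regardless of the real password.
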
Add two early-exit checks in sovran-legacy-security-check before the
legacy fallthrough block:
1. Exit if /var/lib/sovran/onboarding-complete exists (Hub onboarding done)
2. Exit if /var/lib/secrets/free-password exists and is not "free" (password changed)
This prevents the boot-time service from overwriting the security-status
file that /api/change-password clears after a successful password change.
Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/c18311e4-609d-4edf-a2a1-a018baede373
Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>