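#!/usr/bin/env bash
# scripts/checks/d011-06-vault-unseal.sh -- D-011 item 6 (as amended by D-069):
# second-person Vault unseal rehearsal. This is NOT scriptable -- it requires a
# different human to unseal. So this check is an ATTESTATION GATE: it reads the
# SEC-003 row in docs/security-ledger.md and reports the manual item's status.
# It NEVER auto-passes an undone safety item (the failure mode D-070 just retired).
#
# Status vocabulary is matched as WHOLE WORDS, and the "outstanding" words are
# tested before the "attested" words, so a status such as "INCOMPLETE",
# "NOT DONE" or "DONE - PENDING REVIEW" can never be read as an attestation
# (a bare substring match on DONE/COMPLETE would have passed all three).
#
# Env:
#   VR_LEDGER  override the ledger path (default: docs/security-ledger.md)
# Exit (standard contract):
#   0 PASS               SEC-003 shows the rehearsal DONE/CLOSED/REHEARSED
#   3 PASS_PENDING_MANUAL SEC-003 OPEN/PENDING -- rehearsal still outstanding
#   2 HOLD               ledger or SEC-003 row missing / status unrecognized
set -uo pipefail
HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=scripts/lib-validate.sh
. "$HERE/../lib-validate.sh"
ID=d011-06-vault-unseal; vr_begin "$ID"
LEDGER="${VR_LEDGER:-$HERE/../../docs/security-ledger.md}"

#######################################
# Extract the status column of a markdown table row.
# The status is the LAST non-empty pipe-delimited column, whether or not the
# row ends with a trailing '|' (a row without one would otherwise yield the
# column BEFORE the status).
# Arguments: $1 - the raw table row
# Outputs:   whitespace-trimmed status text on stdout
#######################################
row_status() {
  awk -F'|' '{
    n = NF
    if ($n ~ /^[[:space:]]*$/) n--   # skip the empty field after a trailing "|"
    gsub(/^[[:space:]]+|[[:space:]]+$/, "", $n)
    print $n
  }' <<<"$1"
}

#######################################
# Classify an upper-cased status string. Whole-word matching only, and the
# outstanding vocabulary wins over the attested vocabulary, so the gate
# fails closed on mixed or negated wording.
# Arguments: $1 - upper-cased status text
# Outputs:   PASS, MANUAL or HOLD on stdout
#######################################
classify_status() {
  local su=$1
  local outstanding='(^|[^[:alnum:]_])(OPEN|REOPENED|PENDING|TODO|OUTSTANDING|NOT|INCOMPLETE|UNDONE)([^[:alnum:]_]|$)'
  local attested='(^|[^[:alnum:]_])(CLOSED|DONE|REHEARSED|COMPLETE|COMPLETED|PASS|PASSED)([^[:alnum:]_]|$)'
  if [[ "$su" =~ $outstanding ]]; then
    printf 'MANUAL\n'
  elif [[ "$su" =~ $attested ]]; then
    printf 'PASS\n'
  else
    printf 'HOLD\n'
  fi
}

[[ -r "$LEDGER" ]] || { emit "$ID" "$VR_HOLD" "security-ledger not readable: $LEDGER"; exit "$VR_HOLD"; }
# First SEC-003 row only; '--' keeps an odd ledger path from being parsed as an option.
ROW="$(grep -E '^\|[[:space:]]*SEC-003[[:space:]]*\|' -- "$LEDGER" | head -n 1)"
[[ -n "$ROW" ]] || { emit "$ID" "$VR_HOLD" "SEC-003 row not found in ledger"; exit "$VR_HOLD"; }

STATUS="$(row_status "$ROW")"
# printf, not echo: the status text comes from a file and may start with '-'.
printf '  SEC-003 status: %s\n' "$STATUS"
SU="$(tr '[:lower:]' '[:upper:]' <<<"$STATUS")"
case "$(classify_status "$SU")" in
  PASS)
    emit "$ID" "$VR_PASS" "SEC-003 rehearsal attested: $STATUS"; exit "$VR_PASS" ;;
  MANUAL)
    emit "$ID" "$VR_MANUAL" "SEC-003 second-person unseal rehearsal OUTSTANDING (manual)"; exit "$VR_MANUAL" ;;
  *)
    # Empty or unfamiliar wording: a human must look; never guess in favour of PASS.
    emit "$ID" "$VR_HOLD" "SEC-003 status unrecognized: '$STATUS'"; exit "$VR_HOLD" ;;
esac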