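#!/usr/bin/env bash
# scripts/checks/d011-06-vault-unseal.sh -- D-011 item 6 (as amended by D-069):
# second-person Vault unseal rehearsal. This is NOT scriptable -- it requires a
# different human to unseal. So this check is an ATTESTATION GATE: it reads the
# SEC-003 row in docs/security-ledger.md and reports the manual item's status.
# It NEVER auto-passes an undone safety item (the failure mode D-070 just retired).
#
# Classification is deliberately fail-safe: any "outstanding" marker in the
# status cell wins over any "done" marker, and "done" markers must match a whole
# word, so cells such as "NOT DONE", "INCOMPLETE" or "UNREHEARSED" cannot PASS.
#
# Exit (standard contract):
# 0 PASS SEC-003 shows the rehearsal DONE/CLOSED/REHEARSED
# 3 PASS_PENDING_MANUAL SEC-003 OPEN/PENDING -- rehearsal still outstanding
# 2 HOLD ledger or SEC-003 row missing / status unrecognized
#
# Environment: VR_LEDGER overrides the ledger path (default: docs/security-ledger.md
# resolved relative to this script's directory).
# -e is intentionally NOT set: every step whose failure matters is checked
# explicitly below and reported through emit with the contract's exit code.
set -uo pipefail
HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=scripts/lib-validate.sh
. "$HERE/../lib-validate.sh"   # provides vr_begin, emit, VR_PASS / VR_MANUAL / VR_HOLD
ID=d011-06-vault-unseal; vr_begin "$ID"
LEDGER="${VR_LEDGER:-$HERE/../../docs/security-ledger.md}"
[ -r "$LEDGER" ] || { emit "$ID" "$VR_HOLD" "security-ledger not readable: $LEDGER"; exit "$VR_HOLD"; }
# First markdown table row whose first cell is exactly SEC-003 (the pipe required
# after the id keeps e.g. SEC-0030 from matching). Only the first match is used.
ROW="$(grep -E '^\|[[:space:]]*SEC-003[[:space:]]*\|' "$LEDGER" | head -n 1)"
[ -n "$ROW" ] || { emit "$ID" "$VR_HOLD" "SEC-003 row not found in ledger"; exit "$VR_HOLD"; }
# Status is the LAST pipe-delimited column. The trailing '|' is optional in
# markdown tables, so strip it (and trailing blanks) before taking $NF; otherwise
# a row without it would yield the second-to-last column. sub() on $0 makes awk
# re-split the fields. The cell is then trimmed of surrounding whitespace.
STATUS="$(awk -F'|' '{
  sub(/[[:space:]]*\|?[[:space:]]*$/, "")
  s = $NF
  gsub(/^[[:space:]]+|[[:space:]]+$/, "", s)
  print s
}' <<<"$ROW")"
printf ' SEC-003 status: %s\n' "$STATUS"
# Normalize for matching: upper-case, map every non-alphanumeric to a space, and
# pad both ends with a space so each token can be tested as a whole word.
WORDS=" $(tr '[:lower:]' '[:upper:]' <<<"$STATUS" | tr -c '[:alnum:]' ' ') "
# True when $1 appears as a whole word in the normalized status cell.
has_word() { [[ "$WORDS" == *" $1 "* ]]; }
# Outstanding markers are checked FIRST so they take precedence over any done
# marker: substring matches for OPEN/PENDING/TODO (covers REOPENED etc.) plus
# whole-word negations that would otherwise be swallowed by a done marker.
if [[ "$WORDS" == *OPEN* || "$WORDS" == *PENDING* || "$WORDS" == *TODO* ]] \
   || has_word NOT || has_word INCOMPLETE || has_word UNREHEARSED || has_word OUTSTANDING; then
  emit "$ID" "$VR_MANUAL" "SEC-003 second-person unseal rehearsal OUTSTANDING (manual)"; exit "$VR_MANUAL"
fi
# Done markers must match whole words: "INCOMPLETE" is not COMPLETE and
# "UNREHEARSED" is not REHEARSED.
for done_word in CLOSED DONE REHEARSED COMPLETE COMPLETED PASS PASSED; do
  if has_word "$done_word"; then
    emit "$ID" "$VR_PASS" "SEC-003 rehearsal attested: $STATUS"; exit "$VR_PASS"
  fi
done
# Anything else (including an empty cell) is unrecognized -> HOLD, never PASS.
emit "$ID" "$VR_HOLD" "SEC-003 status unrecognized: '$STATUS'"; exit "$VR_HOLD"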