build: fail-fast release gate for baked mother SSH key

The image-assembly guard (build/mother-ssh-key, #113) refuses to copy the mother key into a release image, but only after a full build run. Add the same check to check_release_gate so a BUILD_CHANNEL=release build with the key present on the host aborts in seconds, not after fetch/build/assemble. The assembly-time guard stays as defense in depth. (BUILD_CHANNEL already defaults to dev in build.cfg:17, so no change needed there.) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 09:53:36 +02:00 · 2026-06-22 09:53:36 +02:00 · 80dcbfef2e
commit 80dcbfef2e
parent 72491ee3b8
1 changed files with 8 additions and 0 deletions
--- a/build.sh
+++ b/build.sh
@ -512,6 +512,14 @@ check_release_gate() {
        _release_errors=$(( _release_errors + 1 ))
    fi

+    # A baked mother SSH private key must never reach a publicly hosted release
+    # image. Fail fast here so a release build aborts in seconds; the image
+    # assembly step also refuses to copy it, as defense in depth.
+    if [ -f "/home/clawdie/.ssh/osa-mother-2026" ]; then
+        echo "ERROR: mother SSH key present on build host (/home/clawdie/.ssh/osa-mother-2026) — refuse to bake it into a release image. Remove it, or build with BUILD_CHANNEL=dev."
+        _release_errors=$(( _release_errors + 1 ))
+    fi
+
    if [ "${_release_errors}" -gt 0 ]; then
        echo "ERROR: release build aborted — ${_release_errors} modified repo(s). Use BUILD_CHANNEL=dev for iteration builds."
        exit 1