From 80dcbfef2eb4a632ebe919e54cf123d28684ead9 Mon Sep 17 00:00:00 2001
From: Sam & Claude <hello@clawdie.si>
Date: Mon, 22 Jun 2026 09:53:36 +0200
Subject: [PATCH] build: fail-fast release gate for baked mother SSH key

The image-assembly guard (build/mother-ssh-key, #113) refuses to copy the
mother key into a release image, but only after a full build run. Add the
same check to check_release_gate so a BUILD_CHANNEL=release build with the
key present on the host aborts in seconds, not after fetch/build/assemble.

The assembly-time guard stays as defense in depth.

(BUILD_CHANNEL already defaults to dev in build.cfg:17, so no change needed
there.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 build.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/build.sh b/build.sh
index 62e107f3..3252e6be 100755
--- a/build.sh
+++ b/build.sh
@@ -512,6 +512,14 @@ check_release_gate() {
         _release_errors=$(( _release_errors + 1 ))
     fi
 
+    # A baked mother SSH private key must never reach a publicly hosted release
+    # image. Fail fast here so a release build aborts in seconds; the image
+    # assembly step also refuses to copy it, as defense in depth.
+    if [ -f "/home/clawdie/.ssh/osa-mother-2026" ]; then
+        echo "ERROR: mother SSH key present on build host (/home/clawdie/.ssh/osa-mother-2026) — refuse to bake it into a release image. Remove it, or build with BUILD_CHANNEL=dev."
+        _release_errors=$(( _release_errors + 1 ))
+    fi
+
     if [ "${_release_errors}" -gt 0 ]; then
         echo "ERROR: release build aborted — ${_release_errors} modified repo(s). Use BUILD_CHANNEL=dev for iteration builds."
         exit 1
-- 
2.45.3