fix(recovery): harden runner failclosed authority copy [skip ci]

scripts/reboot-recovery/awoooi-enforce-runner-failclosed-110.sh

@@ -8,4 +8,8 @@ if [ -x "$SCRIPT_DIR/enforce-110-runner-failclosed.sh" ]; then
   exec "$SCRIPT_DIR/enforce-110-runner-failclosed.sh" "$@"
 fi
 
+if [ -x /usr/local/lib/awoooi/enforce-110-runner-failclosed.authority.sh ]; then
+  exec /usr/local/lib/awoooi/enforce-110-runner-failclosed.authority.sh "$@"
+fi
+
 exec /usr/local/lib/awoooi/enforce-110-runner-failclosed.sh "$@"

scripts/reboot-recovery/enforce-110-runner-failclosed.sh

@@ -9,6 +9,7 @@ MODE="check"
 STAMP="$(date +%Y%m%dT%H%M%S%z)"
 APPLY_PERFORMED=0
 CANONICAL_ENFORCER="/usr/local/lib/awoooi/enforce-110-runner-failclosed.sh"
+AUTHORITY_ENFORCER="/usr/local/lib/awoooi/enforce-110-runner-failclosed.authority.sh"
 COMPAT_ENFORCER="/usr/local/bin/awoooi-enforce-runner-failclosed-110.sh"
 
 usage() {
@@ -335,16 +336,25 @@ repair_enforcer_entrypoints() {
   local tmp
   current="$(readlink -f "$0" 2>/dev/null || printf '%s' "$0")"
   as_root mkdir -p "$(dirname "$CANONICAL_ENFORCER")" >/dev/null 2>&1 || true
+  as_root mkdir -p "$(dirname "$AUTHORITY_ENFORCER")" >/dev/null 2>&1 || true
   if [ -f "$current" ] && [ "$current" != "$CANONICAL_ENFORCER" ]; then
     as_root chattr -i "$CANONICAL_ENFORCER" >/dev/null 2>&1 || true
     as_root install -o root -g root -m 0755 "$current" "$CANONICAL_ENFORCER" >/dev/null 2>&1 || true
   fi
   as_root chattr +i "$CANONICAL_ENFORCER" >/dev/null 2>&1 || true
+  if [ -f "$current" ] && [ "$current" != "$AUTHORITY_ENFORCER" ]; then
+    as_root chattr -i "$AUTHORITY_ENFORCER" >/dev/null 2>&1 || true
+    as_root install -o root -g root -m 0755 "$current" "$AUTHORITY_ENFORCER" >/dev/null 2>&1 || true
+  fi
+  as_root chattr +i "$AUTHORITY_ENFORCER" >/dev/null 2>&1 || true
 
   tmp="$(mktemp)"
   cat >"$tmp" <<'EOF'
 #!/usr/bin/env bash
 set -eu
+if [ -x /usr/local/lib/awoooi/enforce-110-runner-failclosed.authority.sh ]; then
+  exec /usr/local/lib/awoooi/enforce-110-runner-failclosed.authority.sh "$@"
+fi
 exec /usr/local/lib/awoooi/enforce-110-runner-failclosed.sh "$@"
 EOF
   as_root chattr -i "$COMPAT_ENFORCER" >/dev/null 2>&1 || true
@@ -365,13 +375,13 @@ repair_enforcer_systemd_units() {
   cat >"$service_tmp" <<'EOF'
 [Unit]
 Description=AWOOOI 110 runner/CD lane fail-closed enforcer
-Documentation=file:/usr/local/lib/awoooi/enforce-110-runner-failclosed.sh
+Documentation=file:/usr/local/lib/awoooi/enforce-110-runner-failclosed.authority.sh
 Wants=network-online.target
 After=network-online.target docker.service
 
 [Service]
 Type=oneshot
-ExecStart=/usr/local/lib/awoooi/enforce-110-runner-failclosed.sh --apply
+ExecStart=/usr/local/lib/awoooi/enforce-110-runner-failclosed.authority.sh --apply
 TimeoutStartSec=180
 EOF
 
@@ -395,13 +405,13 @@ EOF
   cat >"$authority_service_tmp" <<'EOF'
 [Unit]
 Description=AWOOOI 110 runner/CD lane fail-closed authority
-Documentation=file:/usr/local/lib/awoooi/enforce-110-runner-failclosed.sh
+Documentation=file:/usr/local/lib/awoooi/enforce-110-runner-failclosed.authority.sh
 Wants=network-online.target
 After=network-online.target docker.service
 
 [Service]
 Type=oneshot
-ExecStart=/usr/local/lib/awoooi/enforce-110-runner-failclosed.sh --apply
+ExecStart=/usr/local/lib/awoooi/enforce-110-runner-failclosed.authority.sh --apply
 TimeoutStartSec=180
 EOF
 
@@ -455,7 +465,7 @@ repair_enforcer_cron_authority() {
   cat >"$tmp" <<'EOF'
 SHELL=/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-* * * * * root /usr/local/lib/awoooi/enforce-110-runner-failclosed.sh --apply >>/var/log/awoooi-runner-failclosed-authority-cron.log 2>&1
+* * * * * root /usr/local/lib/awoooi/enforce-110-runner-failclosed.authority.sh --apply >>/var/log/awoooi-runner-failclosed-authority-cron.log 2>&1
 EOF
   as_root install -o root -g root -m 0644 "$tmp" /etc/cron.d/awoooi-runner-failclosed-authority >/dev/null 2>&1 || true
   rm -f "$tmp"