#!/usr/bin/env bash # bundle_counsel_packet — assemble the counsel-review packet tarball. # # Specification: docs/counsel/COUNSEL_REVIEW_PACKET_.md §9. # # Why this exists: the cover note references a list of documents. # Counsel needs them as a single transmittable artifact, with per-file # integrity hashes so they can verify nothing changed in transit. # # Output: # reports/counsel/counsel_packet_.tar.gz # reports/counsel/counsel_packet_.manifest.txt (sha256 per file) # # Usage: # bundle_counsel_packet.sh [--date YYYY-MM-DD] # # Exit codes: # 0 — packet bundled successfully # 1 — one or more referenced documents are missing # 2 — script error (missing tools, write failure) set -uo pipefail cd "$(dirname "$0")/../.." DATE="$(date -u +%Y-%m-%d)" while [ "$#" -gt 0 ]; do case "$1" in --date) DATE="$2"; shift 2 ;; -h|--help) sed -n '2,20p' "$0" | sed 's/^# \?//' exit 0 ;; *) echo "unknown flag: $1" >&2; exit 2 ;; esac done # Dependency gate. for cmd in tar sha256sum; do if ! command -v "$cmd" >/dev/null 2>&1; then echo "[bundle] FAIL: required tool '$cmd' not found in PATH" >&2 exit 2 fi done # Files in the packet. Order is the recommended counsel-review order # from the cover note §6. FILES=( "docs/counsel/COUNSEL_REVIEW_PACKET_${DATE}.md" "docs/policies/consent/biometric_retention_schedule_v1.md" "docs/policies/consent/biometric_consent_template_v1.md" "docs/runbooks/BIPA_DESTRUCTION_RUNBOOK.md" "docs/attestations/BIPA_PRE_IDENTITYD_ATTESTATION_2026-05-03.md" "docs/runbooks/LEGAL_AUDIT_KEY_ROTATION.md" "docs/specs/GATE_3B_DEEPFACE_DESIGN.md" "docs/PHASE_1_6_BIPA_GATES.md" ) # Verify all referenced files exist before opening the tarball. MISSING=0 for f in "${FILES[@]}"; do if [ ! -r "$f" ]; then echo "[bundle] MISSING: $f" >&2 MISSING=$((MISSING + 1)) fi done if [ "$MISSING" -gt 0 ]; then echo "[bundle] FAIL: $MISSING required documents missing — aborting" >&2 exit 1 fi OUT_DIR="reports/counsel" mkdir -p "$OUT_DIR" TARBALL="$OUT_DIR/counsel_packet_${DATE}.tar.gz" MANIFEST="$OUT_DIR/counsel_packet_${DATE}.manifest.txt" # Build the manifest first — counsel uses this to verify integrity. { echo "# Counsel Packet Manifest — $DATE" echo "# Generated: $(date -u +%Y-%m-%dT%H:%M:%SZ)" echo "# Each file is listed with its SHA-256 hash. To verify on receipt:" echo "# tar xzf counsel_packet_${DATE}.tar.gz" echo "# sha256sum -c counsel_packet_${DATE}.manifest.txt" echo "# (re-format the lines below with two spaces between hash and path" echo "# for sha256sum -c compatibility — sha256sum's strict format)" echo for f in "${FILES[@]}"; do sha256sum "$f" done } > "$MANIFEST" # Build the tarball — include the manifest itself. tar -czf "$TARBALL" "${FILES[@]}" "$MANIFEST" PACKET_HASH=$(sha256sum "$TARBALL" | awk '{print $1}') echo "[bundle] packet: $TARBALL" echo "[bundle] manifest: $MANIFEST" echo "[bundle] tarball SHA-256: $PACKET_HASH" echo "[bundle] files: ${#FILES[@]}"