From 502ce30e6be39ae91d35a93fa5581fb639d2614c Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Sat, 14 Mar 2026 01:18:21 +0100
Subject: [PATCH] Fix check-risk-block to check S3 for override before blocking

The script was unconditionally blocking on HIGH risk without checking if an override had been signed. Now checks for override.json in the plan bucket before blocking apply.

---
 scripts/check-risk-block.sh | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/scripts/check-risk-block.sh b/scripts/check-risk-block.sh
index 7f518b4..165994e 100644
--- a/scripts/check-risk-block.sh
+++ b/scripts/check-risk-block.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
-# Block apply if risk is HIGH or FAILED.
+# Block apply if risk is HIGH or FAILED, unless an override exists.
 #
 # Usage: check-risk-block.sh
 #
 # Exits 0 if safe to apply, 1 if blocked.
-# Slack notification is handled by notify-high-risk.sh in the review step —
-# no duplicate alert here.
+# On HIGH risk, checks S3 for an override.json signed by the apply-gate Lambda.
+# Requires: PLAN_BUCKET, GITHUB_REPOSITORY, GITHUB_RUN_ID env vars.
 
 set -e
 
@@ -17,5 +17,15 @@ if [ "$RISK" != "HIGH" ] && [ "$RISK" != "FAILED" ] && [ -n "$RISK" ]; then
   exit 0
 fi
 
-echo "Auto-apply blocked (risk=${RISK})."
+# Check for a signed override in S3
+PLAN_PREFIX="plans/${GITHUB_REPOSITORY}/${GITHUB_RUN_ID}"
+OVERRIDE_KEY="${PLAN_PREFIX}/override.json"
+
+if aws s3 ls "s3://${PLAN_BUCKET}/${OVERRIDE_KEY}" > /dev/null 2>&1; then
+  echo "Override found: s3://${PLAN_BUCKET}/${OVERRIDE_KEY}"
+  echo "Proceeding with HIGH risk apply."
+  exit 0
+fi
+
+echo "Auto-apply blocked (risk=${RISK}). No override found."
 exit 1
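Review bot: The new `if aws s3 ls "s3://${PLAN_BUCKET}/${OVERRIDE_KEY}"` gate treats the mere existence of an object as an authorization, while the header comment and the commit message both say the override is "signed by the apply-gate Lambda" — nothing in the hunk reads the file, checks a signature, or checks that the payload names this `GITHUB_REPOSITORY`/`GITHUB_RUN_ID`, so any principal that can PutObject under `plans/<repo>/<run_id>/` (presumably including the CI identity that uploads the plan there) can bypass the HIGH/FAILED block with an empty `override.json`. `aws s3 ls` is also a prefix match, so a key such as `override.json.bak` under the same prefix would satisfy the check as well; fetch the exact key with `aws s3 cp` (or `s3api head-object`) instead. I would restructure the tail of the script as below, keeping the block as the default path and only exiting 0 after the downloaded override has been verified; the actual signature check depends on how the Lambda signs (key, algorithm, payload layout), which this patch does not show, so that step is left as a marked placeholder rather than guessed at. The `RISK` assignment that feeds this hunk is outside it.
```sh
# … unchanged: RISK computed and the non-HIGH/FAILED early exit 0 …

OVERRIDE_KEY="plans/${GITHUB_REPOSITORY}/${GITHUB_RUN_ID}/override.json"
tmp=$(mktemp) || exit 1
trap 'rm -f -- "$tmp"' EXIT

# Exact-key fetch: `aws s3 ls` is a prefix match and would also accept
# e.g. override.json.bak. Fail closed on any error.
if ! aws s3 cp "s3://${PLAN_BUCKET}/${OVERRIDE_KEY}" "$tmp" > /dev/null 2>&1; then
  echo "Auto-apply blocked (risk=${RISK}). No override found."
  exit 1
fi

# Verify the apply-gate Lambda's signature over the payload using the Lambda's
# pinned key, and that the signed payload names this repository and run id
# (otherwise an override from another run could be replayed here).
# The signature format and key are defined by the Lambda and are not visible
# in this change; wire that check in here before trusting the file.
#
# On verification failure:
#   echo "Auto-apply blocked (risk=${RISK}). Override signature invalid."
#   exit 1

echo "Override verified: s3://${PLAN_BUCKET}/${OVERRIDE_KEY}"
echo "Proceeding with HIGH risk apply."
exit 0
```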