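#!/bin/sh
set -eu

# Fresh-secret-on-boot (read-class): generate a NEW random secret on every
# container start and plant it as the per-request cookie value the victim
# client will attach to its first-hop request. NOT baked at build time;
# differs across restarts. The verifier reads the true value from SECRET_PATH
# via a privileged channel (docker exec cat), independent of the exploit.

# Abort with a clear message when the path is unset OR empty. `set -u` alone
# only catches the unset case; an empty value would make dirname return "."
# and the redirection below fail with a less obvious error.
: "${SECRET_PATH:?SECRET_PATH must be set to the secret file path}"

mkdir -p "$(dirname "$SECRET_PATH")"

# Write the secret under a restrictive umask so a newly created file is
# owner-only from the moment it exists. Writing first and running chmod
# afterwards leaves a short window in which the file carries the default
# umask (typically world-readable). The subshell confines the umask change:
# it does not affect the directory created above or the application started
# below. uuid4() draws its bytes from os.urandom, so the value comes from the
# OS CSPRNG (122 random bits; the version/variant bits are fixed).
(
  umask 077
  python3 -c "import uuid; print(uuid.uuid4().hex)" > "$SECRET_PATH"
)

# Still required: '>' truncates an existing file without changing its mode,
# so a file left over with wider permissions is tightened here.
chmod 600 "$SECRET_PATH"

# Replace this shell with the application so it receives signals directly.
exec python3 /app/victim_app.py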
