From e2b61bcdf18f4a5a0b0e8047dd6b5258196f1237 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Mon, 22 Jun 2026 10:57:08 +1000
Subject: [PATCH] Ensure jinjifying an artifact passes through
 safe_artifact_file just in case

---
 enroll/jinjaturtle.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/enroll/jinjaturtle.py b/enroll/jinjaturtle.py
index b876177..2b8f467 100644
--- a/enroll/jinjaturtle.py
+++ b/enroll/jinjaturtle.py
@@ -9,6 +9,7 @@ from dataclasses import dataclass
 from pathlib import Path
 from typing import Any, Dict, List, Optional, Set, Tuple
 
+from .manifest_safety import ArtifactSafetyError, safe_artifact_file
 from .yamlutil import yaml_dump_mapping, yaml_load_mapping
 
 
@@ -157,8 +158,9 @@ def jinjify_artifact(
     if not (jt_enabled and jt_exe and can_jinjify_path(dest_path)):
         return None
 
-    artifact_path = Path(bundle_dir) / "artifacts" / artifact_role / src_rel
-    if not artifact_path.is_file():
+    try:
+        artifact_path = safe_artifact_file(bundle_dir, artifact_role, src_rel)
+    except (ArtifactSafetyError, FileNotFoundError):
         return None
 
     try: