V9.14.000.2026.06.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 15:46:30 +01:00
parent aa94c53d65
commit 261d770e42
54 changed files with 515 additions and 203 deletions
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./setup.sh -v`."
-      placeholder: "e.g., Master V8.00.000.2025.06.17"
+      placeholder: "e.g., Master V9.14.000.2026.06.07"
    validations:
      required: true

@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.00.000.2025.06.17
+  version: V9.14.000.2026.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.00.000.2025.06.17
+### Version Master V9.14.000.2026.06.07

 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.00.000.2025.06.17
+### Version Master V9.14.000.2026.06.07

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.00.000.2025.06.17
+### Version Master V9.14.000.2026.06.07

 name: 🔁 Render Graphviz Diagrams.

@@ -11,7 +11,7 @@
 #
 #
 # This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
-# Master V8.00.000.2025.06.17
+# Master V9.14.000.2026.06.07
 # YAML specification: 1.2
 #
 secrets:
@@ -19,7 +19,7 @@ secrets:
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
-  version: "V8.00.000.2025.06.17"
+  version: "V9.14.000.2026.06.07"
  x_files: "false"
  ################################################################################################################################
  # Grub bootloader passphrase
@@ -11,7 +11,7 @@
 %YAML 1.2
 ---
 # This file contains configurations for the CISS.debian.installer
-# Master V8.00.000.2025.06.17
+# Master V9.14.000.2026.06.07
 # YAML specification: 1.2
 #
 preseed:
@@ -19,7 +19,7 @@ preseed:
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
-  version: "V8.00.000.2025.06.17"
+  version: "V9.14.000.2026.06.07"
 #
 ################################################################################################################################
 # APT settings
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.installer"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.00.000.2025.06.17"
+properties_version="V9.14.000.2026.06.07"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -0,0 +1,153 @@
+# AGENTS.md
+
+## Purpose
+
+This repository builds and maintains CISS.debian.installer, a script-driven Debian installer for hardened and reproducible
+system installation workflows.
+
+Treat every change as security-sensitive, disk-destruction-sensitive, and boot-chain-sensitive. Persistent coding details live
+in `docs/CODING_CONVENTION.md`. Review-only instructions live in `code_review.md`.
+
+## Instruction precedence for this repository
+
+Use this order when instructions differ:
+
+1. The current task prompt defines the immediate objective and task-specific acceptance criteria.
+2. This `AGENTS.md` defines repository-wide constraints and routing guidance.
+3. `docs/CODING_CONVENTION.md` defines detailed coding conventions.
+4. `code_review.md` applies when performing a review or final self-review.
+5. Personal/global Codex instructions apply only where they do not conflict with repository rules.
+
+When instructions conflict, prefer the safer, smaller, more easily reviewable change and explain the conflict.
+
+## Non-negotiable constraints
+
+- Target Debian 13 Trixie unless the task or repository explicitly states otherwise.
+- Do not introduce Ubuntu-specific assumptions.
+- Do not invent Debian Installer, debootstrap, initramfs-tools, cryptsetup, GRUB, systemd, Btrfs, Debian package, or upstream
+  tool behavior.
+- Verify uncertain behavior against existing repository code or authoritative upstream documentation.
+- Preserve encrypted-root and boot-chain security assumptions unless the task explicitly changes them.
+- Preserve existing module source guards, especially `guard_sourcing`, `source_guard`, and `readonly -f` conventions.
+- Do not overwrite existing `ERR`, `EXIT`, `INT`, or `TERM` traps from modules or runtime scripts.
+- Prefer simple, explicit, inspectable Bash over clever abstraction.
+- Do not use `eval`.
+- Do not print secrets, passphrases, private keys, tokens, or sensitive environment values.
+- Do not perform destructive disk operations in validation unless explicitly requested and safely isolated.
+
+## Repository map
+
+Common areas:
+
+- `ciss_debian_installer.sh`: primary installer entrypoint and phase orchestration.
+- `meta_loader_*.sh`: ordered module, library, and variable sourcing.
+- `.preseed/preseed.yaml`, `.preseed/partitioning.yaml`, `.preseed/SECRETS.yaml`: installer configuration, partition recipes,
+  and secret input material.
+- `var/*.sh`: global variables, colors, terminal settings, and error codes.
+- `lib/cdi_0000_preliminary/*`: contact, usage, and version helpers.
+- `lib/cdi_0005_guard/*`: sourcing, source-guard, safe-execution, directory, and variable guards.
+- `lib/cdi_0010_basic/*`, `lib/cdi_0025_logging/*`, `lib/cdi_0030_checks/*`, `lib/cdi_0050_debug/*`,
+  `lib/cdi_0060_traps/*`: basic helpers, logging, package/git checks, debug support, and traps.
+- `lib/cdi_0100_arg/*`, `lib/cdi_0110_interactive/*`, `lib/cdi_0200_dialog/*`: argument handling and interactive dialogs.
+- `func/cdi_1000_helper/*`: chroot helpers, GRUB helpers, module helpers, sanitizers, secure downloads, and YAML helpers.
+- `func/cdi_1200_validation/*`, `func/cdi_1250_yaml/*`: validation and preseed/YAML processing.
+- `func/cdi_3200_partitioning/*`: destructive partitioning, LUKS setup, formatting, mounting, and UUID logging.
+- `func/cdi_4000_debootstrap/*`: debootstrap, target mount preparation, and base target setup.
+- `func/cdi_4100_base/*`: APT sources, kernel, initramfs, systemd, firmware, and base package setup.
+- `func/cdi_4200_boot/*`: fstab, crypttab, cryptsetup, GRUB, GRUB password, and boot parameter handling.
+- `func/cdi_4300_network/*`: network setup, Dropbear initramfs remote unlock, initramfs updates, and SSH setup.
+- `func/cdi_4400_hardening/*`, `func/cdi_4500_user/*`, `func/cdi_4600_packages/*`: hardening, account setup, package
+  installation, security verification, and auditing packages.
+- `func/cdi_4900_xtended/*`, `func/cdi_5000_recovery/*`: final commands, logrotate, chroot exit, and recovery target handling.
+- `includes/target/*`: files installed into the target system, including initramfs-tools hooks, scripts, Dropbear unlock
+  files, GRUB assets, SSH, OpenSSL, sysctl, modprobe, PAM, and profile configuration.
+- `includes/chroot/hooks/*`: hook payloads copied into or executed inside the target environment.
+- `upgrades/*`: vendored or upgrade-related materials for Dropbear, Linux image options, and Secure Boot work.
+- `py/*`: Python-based configurator support.
+- `docs/*`, `.gitea/workflows/*`: project documentation and repository automation.
+
+## Working method
+
+Before editing:
+
+1. Inspect the relevant scripts, configuration files, documentation, workflows, and naming conventions.
+2. Identify the affected installer phase: host orchestration, YAML/preseed handling, destructive disk setup, target chroot,
+   initramfs, bootloader, network/Dropbear, hardening, user setup, package installation, finalization, or recovery.
+3. Check existing source guards, trap behavior, logging, secret handling, and helper APIs before changing code.
+4. Give a concise implementation plan and list likely files to touch unless the change is trivial.
+
+While editing:
+
+- Keep changes minimal and local to the task.
+- Preserve existing architecture, naming style, error handling, formatting, and security posture.
+- Do not perform unrelated cleanup or formatting churn.
+- Reuse existing helpers for logging, fatal errors, validation, source guards, chroot execution, secure downloads, temporary
+  files, and secret cleanup where available.
+- Prefer arrays for command argument composition.
+- Do not introduce new runtime dependencies unless technically necessary and justified.
+
+After editing:
+
+- Run only the narrowest checks that prove the change.
+- Changed Bash files: run `bash -n <file>` and `shellcheck <file>` if ShellCheck is available.
+- Changed POSIX shell files: run `sh -n <file>`.
+- Changed CLI behavior: update `usage()` and relevant documentation, then run the safest available parser/help check if the
+  environment permits it.
+- Changed Python files: run the relevant checks configured under `py/` when applicable.
+- Changed installer, disk, initramfs, cryptsetup, GRUB, or Dropbear behavior: state the required Debian 13 Trixie validation
+  command or isolated test, but do not run destructive or full installer validation unless explicitly requested.
+- For documentation-only changes, confirm the target files exist and review the final diff.
+
+## Bash conventions summary
+
+See `docs/CODING_CONVENTION.md` for details.
+
+- Use Bash for installer logic unless an existing Debian interface file must remain POSIX shell.
+- Preserve module source guards and `readonly -f` usage where surrounding files use them.
+- Prefer strict Bash mode where feasible and consistent with the file's execution context.
+- Use `declare` for variables inside functions.
+- Quote expansions unless word splitting or globbing is explicitly required.
+- Prefer arrays where argument boundaries matter.
+- Use `[[ ... ]]`, `case`, and `$(...)`.
+- Avoid parsing `ls`; prefer structured tool output or existing helpers.
+- Prefer `command -v` over `which`.
+- Code comments must be in English.
+
+## Security-sensitive areas
+
+Before finalizing a change, check whether it affects:
+
+- disk wiping, partition table creation, partition type codes, or filesystem formatting
+- cryptsetup/LUKS2 parameters, passphrases, key files, key slots, LUKS header backups, or nuke behavior
+- Btrfs subvolumes, mount ordering, mount options, snapshots, or labels
+- `/etc/fstab`, `/etc/crypttab`, UUIDs, PARTUUIDs, or mapper names
+- initramfs-tools hooks, scripts, included binaries, or early boot behavior
+- Dropbear initramfs remote unlock, forced commands, firewalling, host keys, unlock wrapper signatures, or hashes
+- GRUB installation, GRUB modules, encrypted `/boot`, UEFI/BIOS paths, NVRAM handling, or Secure Boot material
+- chroot command execution, mount propagation, target/root separation, or environment sanitization
+- APT sources, package authentication, TLS, signatures, checksums, or remote downloads
+- account setup, SSH policy, PAM, sudo, permissions, hardening files, or network exposure
+- logging, debug tracing, traps, cleanup paths, or exposure of sensitive values
+
+If affected, document the concrete risk and mitigation in the final response.
+
+## Validation policy
+
+Use the narrowest validation that proves the requested change. Do not run full installer builds, debootstrap runs, live disk
+tests, destructive partitioning, broad repository audits, or network-heavy validation unless the task explicitly asks for them
+or the change cannot be validated responsibly without them.
+
+## Final response
+
+Return a concise implementation report:
+
+- changed files
+- what changed
+- checks run and result
+- real remaining risks or follow-up steps
+
+Do not claim success for checks that were not run.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-06-17T12:00:00Z
 Package: CISS.debian.installer
 PackageName: CISS.debian.installer
-PackageVersion: Master V8.00.000.2025.06.17
+PackageVersion: Master V9.14.000.2026.06.07
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.installer
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.installer
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.00.000.2025.06.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.000.2026.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,9 +11,10 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.7-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.12-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
@@ -25,8 +26,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 This is a digitally signed, self-verifying shell script for installing a hardened Debian Bookworm server environment, based on 
 the latest server and service hardening best practices. Compared to the original Debian installer, this installer offers much 
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. DNSSEC Status

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. TLS Audit:

@@ -7,12 +7,12 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Changelog

-## V8.00.000.2025.06.17
+## V9.14.000.2026.06.07

 * Initial Release

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Centurion Net - Developer Branch Overview

@@ -7,84 +7,200 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

-# 2. Coding Style
+# 2. Purpose

-## 2.1. PR
+This document defines detailed coding conventions for CISS.debian.installer. `AGENTS.md` is the short operational guide for
+Codex. `code_review.md` is used for review tasks and final self-review.

-You'd make the life of the maintainers easier if you submit only _one_ patch with _one_ functional change per PR.
+The repository implements a Bash-first Debian installer for hardened, reproducible system installation workflows. Treat every
+change as security-sensitive, disk-destruction-sensitive, and boot-chain-sensitive, especially changes affecting partitioning,
+LUKS, Btrfs, initramfs, Dropbear remote unlock, GRUB, package sources, signatures, checksums, hardening settings, or logs.

-## 2.2 Documentation
+# 3. Change discipline

-Some people really read that ! New features would need to be documented in the appropriate section in `usage()` and in
-`~/docs/DOCUMENTATION.md`.
+- Keep changes small, local, and reviewable.
+- Make one functional change per patch set.
+- Preserve existing architecture, naming style, error handling, formatting, and security posture.
+- Target Debian 13 Trixie unless the task or repository explicitly states otherwise.
+- Do not introduce Ubuntu-specific assumptions.
+- Do not invent Debian Installer, debootstrap, initramfs-tools, cryptsetup, GRUB, systemd, Btrfs, Debian package, or upstream
+  tool behavior.
+- Verify uncertain behavior against repository code or authoritative upstream documentation.
+- Do not weaken cryptography, authentication, sandboxing, permission checks, TLS verification, signature verification,
+  checksum verification, provenance verification, or input validation unless explicitly requested and documented.
+- Do not perform unrelated cleanup or formatting churn.

-## 2.3. Coding
+# 4. Installer phase awareness

-### 2.3.1. Shell / bash
+Identify the affected phase before changing behavior:

-Bash is actually quite powerful—not only with respect to sockets. It's not as mighty as perl or python, but there are a lot of
-neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there.
+- `ciss_debian_installer.sh`: host-side entrypoint, root/Bash checks, lock handling, trap activation, and phase order.
+- `meta_loader_*.sh`: ordered sourcing of variables, functions, and libraries via `source_guard`.
+- `.preseed/preseed.yaml`, `.preseed/partitioning.yaml`, `.preseed/SECRETS.yaml`: installer settings, partition recipes, and
+  secret material.
+- `lib/cdi_0100_arg/*`: CLI argument sanitation, parsing, priority handling, and passphrase-module argument support.
+- `func/cdi_1200_validation/*` and `func/cdi_1250_yaml/*`: element, IP, preseed, YAML, and secret validation.
+- `func/cdi_3200_partitioning/*`: destructive disk wiping, partition creation, LUKS setup, formatting, mount ordering, and UUID
+  logging.
+- `func/cdi_4000_debootstrap/*`: debootstrap, target mount preparation, base target setup, hostname, resolver, timezone, and
+  locale setup.
+- `func/cdi_4100_base/*`: APT source generation, updates, kernel/initramfs installation, toolset, systemd, machine-id,
+  firmware, microcode, Chrony, and base packages.
+- `func/cdi_4200_boot/*`: fstab, crypttab, cryptsetup-initramfs, GRUB installation, GRUB password, and boot parameters.
+- `func/cdi_4300_network/*`: target networking, network security, Dropbear build/initramfs/setup, initramfs update, and SSH.
+- `func/cdi_4400_hardening/*`: kernel modules, sysctl, fail2ban, filesystem permissions, entropy, memory, OpenSSL, UFW, USB,
+  and malware-auditing hardening.
+- `func/cdi_4500_user/*`: account preparation, password policy, user setup, SSH keys, privileges, and timing fields.
+- `func/cdi_4600_packages/*`: package installation, security profile installation, verification, and auditing packages.
+- `func/cdi_4900_xtended/*`: final commands, logrotate setup, and target chroot exit.
+- `func/cdi_5000_recovery/*`: recovery target debootstrap and finalization when recovery is enabled.
+- `includes/target/*`: files installed into the target system, including initramfs-tools hooks/scripts/files and service
+  configuration.
+- `includes/chroot/hooks/*`: chroot hook payloads.
+- `upgrades/*`: vendored upgrade/build material for Dropbear, Linux image options, and Secure Boot work.
+- `py/*`: Python configurator support.

-* Don't use backticks anymore, use `$(..)` instead
-* Use double square `[[]]` brackets (_conditional expressions)_ instead of single square `[]` brackets
-* In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (`=~`) you shouldn't
-  quote at all.
-* The [BashPitfalls](http://mywiki.wooledge.org/BashPitfalls) is a good read!
-* Whenever possible try to avoid `tr` `sed` `awk` and use bash internal functions instead, see
-  e.g., [bash shell parameter substitution](http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html). It is
-  slower as it forks, fopens and pipes back the result.
-* `read` often can replace `awk`: `IFS=, read -ra a b c <<< "$line_with_comma"`
-* Bash can also deal perfectly with regular expressions, see
-  e.g., [here](https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html)
-  and [here](https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com).
-* If you still need to use any of `tr`, `sed` and `awk`: try to avoid a mix of several external binaries e.g., if you can
-  achieve the same with e.g. `awk`.
-* Be careful with very advanced bash features. Mac OS X is still using bash version 3 ([differences](http://tldp.org/LDP/abs/html/bashver4.html)).
-* Always use a return value for a function/method. 0 means all is fine.
-* Make use of [shellcheck](https://github.com/koalaman/shellcheck) if possible.
-* Follow the [shellformat](https://google.github.io/styleguide/shellguide.html) Shell-Style Guide.
+Keep host-side behavior, target chroot behavior, initramfs behavior, and bootloader behavior separate.

-### 2.3.2. Shell specific
+# 5. Bash baseline

-* Security:
-  * Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.
-  * Unless you're really sure where the values come from, variables need to be put in quotes.
+- Use Bash for installer logic and orchestration.
+- Use POSIX shell only where an existing Debian interface file requires it, such as an initramfs hook or script that already
+  declares `#!/bin/sh`.
+- The main installer requires Bash 5.1 or newer; do not add compatibility code for older Bash versions unless explicitly
+  requested.
+- Prefer `set -Ceuo pipefail` for executable Bash scripts where feasible. In sourced modules, preserve the caller's shell
+  option and trap model unless the surrounding code already changes it intentionally.
+- Preserve `guard_sourcing || return "${ERR_GUARD_SOURCE}"` in sourced modules that use it.
+- Preserve `source_guard`-based module loading.
+- Preserve `readonly -f` on functions where surrounding files use it.
+- Do not overwrite existing `ERR`, `EXIT`, `INT`, or `TERM` traps. Coordinate any trap change with `lib/cdi_0060_traps/*` and
+  initramfs runtime scripts.

-### 2.3.3. Variables
+# 6. Bash style

-* Use **"speaking variables"** but don't overdo it with the length.
-* No _camelCase_, please. We distinguish between lowercase and uppercase only.
-  * Global variables:
-    * use them only when really necessary,
-    * in CAPS,
-    * initialize them (`declare -g VAR_EXAMPLE=""`),
-    * SHOULD start with:
-      * `ARY_`  for Arrays,
-      * `C_`    for Variables defining colored outputs,
-      * `ERR_`  for Error Codes Variables,
-      * `HMP_`  for HashMap Arrays,
-      * `LOG_`  for Logfile Variables,
-      * `PID_`  for PID Variables,
-      * `PIPE_` for PIPE Variables,
-      * `VAR_`  for Variables
-  * Local variables:
-    * are lower case,
-    * declare them before usage (`declare` eq `local`),
-    * initialize them (`declare var_example=""`),
-    * SHOULD start with:
-      * `ary_` for Arrays,
-      * `c_` for Variables defining colored outputs,
-      * `err_` for Error Codes Variables,
-      * `hmp_` for HashMap Arrays,
-      * `log_` for Logfile Variables,
-      * `var_` for Variables.
+- Quote expansions unless word splitting or globbing is explicitly required.
+- Prefer arrays for commands and options.
+- Use `[[ ... ]]` for Bash conditionals.
+- Use `case` for option dispatch and multi-branch string handling.
+- Use `$(...)` command substitution, not backticks.
+- Do not use `eval`.
+- Avoid parsing `ls`.
+- Prefer `command -v` over `which`.
+- Check command results explicitly when failure needs custom logging or cleanup.
+- Keep functions small enough to review.
+- End functions explicitly with `return 0` where consistent with surrounding code.
+- Use English comments. Comment non-obvious security, disk, cryptographic, initramfs, or boot-chain decisions.

-# 3. Misc
+# 7. Variables and naming

-* Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected.
+Follow the existing repository naming style:
+
+- Global variables are uppercased and initialized before use.
+- Global arrays and maps use established prefixes such as `ARY_`, `HMP_`, `C_`, `ERR_`, `LOG_`, `PID_`, `PIPE_`, and `VAR_`.
+- Local variables are lowercase and initialized before use.
+- Local arrays and helper variables use established prefixes such as `ary_`, `hmp_`, `c_`, `err_`, `log_`, and `var_`.
+- Use `declare` consistently with surrounding files.
+- Function names use lowercase words separated by underscores.
+- Avoid new global variables when an argument, local variable, or existing helper is sufficient.
+- Keep Boolean-like values normalized where existing code expects lowercase strings.
+
+# 8. Input validation, secrets, and files
+
+- Treat CLI arguments, YAML values, environment variables, generated paths, network data, package metadata, and user-provided
+  files as untrusted until validated.
+- Validate disk names, partition numbers, mount paths, filesystem names, Debian suites, architecture names, ports, IP
+  addresses, package names, URLs, feature flags, and file paths before use.
+- Fail closed when validation cannot prove that continuing is safe.
+- Do not print secrets, passphrases, private keys, tokens, decrypted SOPS values, or sensitive environment values.
+- Keep debug tracing disabled around secret handling unless the local guard explicitly protects sensitive values.
+- Use restrictive permissions for generated key material, passphrase files, LUKS header backups, SSH material, and root-only
+  configuration.
+- Prefer `mktemp` for temporary files and clean them up with existing cleanup or trap helpers.
+- Preserve existing secure deletion helpers where used for passphrase or key material.
+- Do not add a persistent state unless the behavior is intentional, scoped, and documented.
+
+# 9. Disk, partitioning, and cryptsetup safety
+
+- Treat changes under `func/cdi_3200_partitioning/*` as destructive by default.
+- Never run partitioning, formatting, LUKS, `blkdiscard`, `sgdisk --zap-all`, or `dd` validation on a real device unless the
+  task explicitly requests it, and the target is safely isolated.
+- Preserve explicit device scoping from `.preseed/partitioning.yaml`.
+- Preserve udev settling and UUID/PARTUUID collection where disk identity is needed by later phases.
+- Preserve LUKS2 defaults and stronger cryptographic settings unless the task explicitly changes them.
+- Do not weaken PBKDF, cipher, hash, key size, integrity, discard, or keyslot behavior without documenting the risk.
+- Preserve the special handling for encrypted `/boot`, root, recovery, ephemeral `SWAP`, and ephemeral `/tmp`.
+- Keep LUKS header backups encrypted when backup behavior is enabled and remove plaintext backup material after encryption.
+- Keep `/etc/fstab` and `/etc/crypttab` generation consistent with mapper names, UUIDs, PARTUUIDs, filesystem types, and mount
+  options.
+- Preserve Btrfs subvolume and snapshot semantics when changing Btrfs mount or formatting logic.
+
+# 10. Chroot, target, and boot-chain safety
+
+- Use `chroot_exec` for simple command execution in the target.
+- Use `chroot_script` or `chroot_stdin` for shell constructs, redirection, pipelines, loops, or larger payloads.
+- Preserve the sanitized `env -i` target environment unless a task explicitly requires a new variable.
+- Do not leak host paths or host environment assumptions into the target system.
+- Preserve target mount setup and teardown behavior.
+- Keep initramfs-tools hooks and scripts in their expected directories; do not add ad-hoc phase arguments.
+- Preserve Dropbear initramfs forced-command, unlock-wrapper integrity checks, signature verification, and nuke behavior.
+- Preserve GRUB support for encrypted boot paths, and the repository's UEFI/BIOS handling unless explicitly changed.
+- Do not change UEFI NVRAM behavior or fallback boot paths without documenting the boot-chain impact.
+
+# 11. Dependencies and downloads
+
+- Do not add new runtime dependencies unless the task requires them.
+- Prefer standard Debian tooling or existing project helpers.
+- When a dependency is needed, document why the existing toolchain, or a standard alternative is insufficient.
+- Do not add remote downloads, auto-update behavior, telemetry, or network callbacks without explicit justification.
+- For required downloads, use HTTPS where applicable and preserve or add signature, checksum, or provenance verification.
+- Do not use `curl | sh`, `wget | sh`, or equivalent execution of unaudited remote content.
+- Preserve package authentication and APT source integrity checks.
+
+# 12. Documentation rules
+
+- Update documentation together with behavior changes.
+- New or changed CLI options must update `usage()` and relevant documentation.
+- New or changed YAML/preseed keys must update the relevant `.preseed` example or project documentation.
+- Boot parameter changes must update `docs/man/BOOTPARAMS.md` when applicable.
+- Security-sensitive behavior changes must update the relevant manual, audit, or security documentation when applicable.
+- Generated examples must stay valid for Debian 13 Trixie unless the task explicitly targets another release.
+- Code comments, embedded prompts, commit messages, and repository documentation should normally be written in English.
+
+# 13. Formatting
+
+- Preserve SPDX headers and existing file headers where present.
+- New source or configuration files should include the project SPDX header when comparable files already use one.
+- Follow `.editorconfig`: LF line endings, UTF-8, two-space indentation for most repository files, four-space indentation for
+  Python, and readable line lengths.
+- Preserve the local Vim modeline style in source/config files where neighboring files use it.
+- Keep Markdown concise and structured. Avoid decorative text that does not define repository behavior.
+- Do not churn formatting unrelated to the task.
+
+# 14. Narrow validation policy
+
+Run only the narrowest checks that prove the change:
+
+- Bash files: `bash -n <file>` and `shellcheck <file>` when ShellCheck is available.
+- POSIX shell files: `sh -n <file>`.
+- CLI or parser changes: the safest available help/parser check, if the environment permits it without performing installer
+  actions.
+- YAML/preseed changes: parse or validate the changed file with repository tooling if a cheap parser or validator is present.
+- Python files: run the relevant checks configured under `py/`, such as Ruff, mypy, or pytest, when applicable.
+- Documentation-only changes: confirm the target files exist, check the final diff, and run Markdown linting only when the
+  repository has a cheap configured Markdown lint command.
+
+Do not run full installer builds, debootstrap, destructive disk tests, broad repository audits, or network-heavy validation
+unless explicitly requested or technically required to validate the change.
+
+If a relevant check cannot be run, state the exact reason, and the command that should be run locally.
+
+# 15. Code review
+
+Reviews follow `code_review.md`.

 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Contributing / participating

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Credits

@@ -7,13 +7,13 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Usage
 ````text
 CISS.debian.installer
-Master V8.00.000.2025.06.17
+Master V9.14.000.2026.06.07

 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. ToC

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Resources

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Hardened Kernel Boot Parameters

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>


 # 2. Debugging and Tracing Infrastructure
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Global Environment and Error Handling in CISS.debian.installer

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Git Workflow Linter — Character Set Policy Enforcement

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Interplay Between Global Hardening Settings and TRAP Mechanisms

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. [1080_helper_chroot.sh](../1080_helper_chroot.sh)
 **Scope:** This note explains *what to use when* among
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. [4000_debootstrap.sh](../4000_debootstrap.sh)
 This module provisions a minimal Debian userspace into the installers target root (`$TARGET`) using `debootstrap`.
@@ -13,7 +13,7 @@
 guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
-# Setup chrony NTPSec client.
+# Set up chrony NTPSec client.
 # Every 'apt-get install' command is invoked by adding 'export INITRD=No'
 # to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
@@ -26,7 +26,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 dropbear_build() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare     var_dropbear_version="2025.88"
+  declare     var_dropbear_version="2026.91"
  declare     var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
  declare     var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}"
  declare -r  var_logfile="/root/.ciss/cdi/log/4310_dropbear_build.log"
@@ -44,7 +44,7 @@ dropbear_initramfs() {
  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-    apt-get purge -y dropbear dropbear-run || true
+    apt-get purge -y dropbear || true
  "

  chroot_script "${var_target}" "
@@ -84,17 +84,17 @@ dropbear_setup() {
  write_dropbear_conf

  ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-premount/1000-fixpath.sh" \
-    "${TARGET}/etc/initramfs-tools/scripts/init-premount/1000-fixpath"
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh" \
-    "${TARGET}/etc/initramfs-tools/scripts/init-top/0000-fixpath"
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh" \
+    "${TARGET}/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh"
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh" \
+    "${TARGET}/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh"

  ### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh" \
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh" \
    "${TARGET}/etc/initramfs-tools/hooks/"

  ### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999-custom-prompt.sh" \
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999_ciss_prompt.sh" \
    "${TARGET}/etc/initramfs-tools/hooks/"

  ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
@@ -1,4 +1,7 @@
 #!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -13,7 +16,7 @@

 set -e

-printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m"
+printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh] \n\e[0m"

 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
@@ -137,6 +140,6 @@ install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"


-printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m"
+printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh] \n\e[0m"

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -1,4 +1,7 @@
 #!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -13,10 +16,11 @@

 set -e

-printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-prompt.sh] \n\e[0m"
+printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_prompt.sh] \n\e[0m"

 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
 case "${1}" in
  prereqs) prereqs; exit 0 ;;
 esac
@@ -34,6 +38,6 @@ export PS1='$( STATUS=$?; \
  fi; ) '
 EOF

-printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999-custom-prompt.sh] \n\e[0m"
+printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_prompt.sh] \n\e[0m"

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -1,4 +1,7 @@
 #!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -14,6 +17,7 @@ set -e

 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
 case "${1}" in
  prereqs) prereqs; exit 0 ;;
 esac
@@ -1,4 +1,7 @@
 #!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -14,6 +17,7 @@ set -e

 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
 case "${1}" in
  prereqs) prereqs; exit 0 ;;
 esac
@@ -415,8 +415,12 @@ CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA2
 # TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

+# ToDo: Update PQC Groups to include P-521 and P-384.
+
 # Prefer strong, widely-supported ECDHE groups (first = most preferred):
-Groups = X448:X25519:P-521:P-384
+Groups = X448:P-521:P-384
+
+SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256

 # Operational flags:
 # -SessionTicket   => disable TLS session tickets (TLS 1.2 + 1.3)
@@ -1,4 +1,6 @@
 #!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh

 PREREQ="udev"

@@ -6,6 +8,7 @@ prereqs() {
  echo "${PREREQ}"
 }

+# shellcheck disable=SC2249
 case "$1" in
  prereqs)
    prereqs
@@ -23,7 +26,7 @@ run_dropbear() {
  ### Only accepts flags from '/etc/dropbear/dropbear.conf'.

  #local flags="Fs"
-    # shellcheck disable=SC2292
+  # shellcheck disable=SC2034,SC2154,SC2292
  [ "${debug}" != y ] || flags="E${flags}" # log to standard error

  # Always run configure_networking() before dropbear(8); on NFS
@@ -37,6 +40,7 @@ run_dropbear() {
  # init-bottom script to kill the remaining ipconfig processes if
  # someone unlocks the rootfs from the console while the network is
  # being configured
+  # shellcheck disable=SC2086
  exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
 }

@@ -57,3 +61,5 @@ fi

 run_dropbear &
 echo $! >/run/dropbear.pid
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -37,9 +37,9 @@ usage() {
  declare var_cols=$(tput cols 2> /dev/null || echo 80)

  # shellcheck disable=SC2155
-  declare var_header=$(center "V8.00.000.2025.06.17                                          CISS.debian.installer" "${var_cols}")
+  declare var_header=$(center "V9.14.000.2026.06.07                                          CISS.debian.installer" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.00.000.2025.06.17                                          CISS.debian.installer" "${var_cols}")
+  declare var_footer=$(center "V9.14.000.2026.06.07                                          CISS.debian.installer" "${var_cols}")

  {
    echo -e "\e[97m${var_header} \e[0m"
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Preliminary Components – `cdi_0000_preliminary`

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. Guarding and Safe Execution – `cdi_0005_guard`

@@ -25,7 +25,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 debug_trace() {
  ### Set a verbose PS4 prompt including timestamp, source, line, exit status of previous command, and function name
-  declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
+  declare -grx PS4='\e[97m+\e[96m[${EPOCHREALTIME}]\e[97m:\e[94m[$$]\e[97m:\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[97m:\e[93m[${?}]\e[97m:\e[95m[${FUNCNAME[0]:-main}()]\e[97m>>\e[0m '
  # shellcheck disable=SC2155
  declare -grx LOG_TRC="${DIR_LOG}/ciss_debian_installer_$$_trace.log"
  ### Generates empty LOG_TRC
@@ -1,24 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512

-eb16a13aa44732cab4db009bd55903e45f8756598683377bfe55185fbf0e3265  CHANGES
-738b7f358547f0c64c3e1a56bbc5ef98d34d9ec6adf9ccdf01dc0bf2caa2bc8d  dropbear-2025.87.tar.bz2
-af24198895f604c2e114abe29a2f0c3fe30831e6db26e0f93fd5f78e734b61be  dropbear-2025.87.tar.bz2.asc
-783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4  dropbear-2025.88.tar.bz2
-fe40fd8f40a7c5498025cc2058eaecbcd9e649a833d6cdecdab35f1156f4d411  dropbear-2025.88.tar.bz2.asc
+16be820347723271b0fea6049ffeed6d6680d7429c65406d8af37776393a0250  dropbear-2026.90.tar.bz2
+594ac6bd51f361890f6bd829bfe1ce92d241e5f8662d595c13a789e31563f5f7  dropbear-2026.90.tar.bz2.asc
+defa924475abf6bc1e74abc00173e46bfdc804bd47caafa14f5a4ef0cc76da34  dropbear-2026.91.tar.bz2
+26888fbc9cca8ae8026ea754d711edeb5fdbde0a31f897164695bf59035693fb  dropbear-2026.91.tar.bz2.asc
 -----BEGIN PGP SIGNATURE-----

-iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbUOIACgkQRJMUlPKc
-Z3OS6w//bPQkIfs5ErkEBNRJDkYCDGekydYur0e2KtA2FX+vgPYI289FM4tXaD5f
-hlBBT5oBQ740ekTLWMMnKcJV3Ut0QYnaXwiH2dHKtT4OEgRQIYqFlbAimpNPMZOL
-IiBv+v9g71XJ3MrFyJSUo00mryIIIeuVQEWl8zxzsG8sf5usOUDwiJNWPul3fOJL
-Ur+vTmCr7XYuq9kFG4YdJNLPLwDZ68e2u1fEpxpsnBmYFx5VS/WvD+qyuUfkR81h
-HmcDgQJUJgx6Taq0OQJa4KnE4+HWjMd6V6JsDTsfYp4CjASO6HP2bON4zJWyphqL
-cyrHAxiADtfU3RO59+XQ6AhTzhtGpZRgHLqetv40DjGN2lOGOdRk3TbE3/dbDl4W
-f9zaPFGXyTA49iiVMMz2GVWlydpjs9HKsIKwwO7vU/EIi4S/USNJRI9wKUji3qKH
-HO09YNoO0XuWzIpeGwfqbeaQ+SCPRPAMQMM0a2Mt10VzympY6w2kHAVbMV48kJ2i
-AMtkgsxLUFdptDSdGKc/KHkbWRR22YCSSUXr1lxCA3fuCUWkS/2pAGzfbd+sd9BS
-QkAiGVCWeFQML61aaoNxMT2+MbS80zrOWm8fjXblg3wCU6F3+TTmmDUNKI3NFi8z
-4TVeAM0oGqeI+PX4hP7pyBy06dGiWiYEAGMiyno6vRXWJrwTVzI=
-=/DnI
+iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmoAZXsACgkQRJMUlPKc
+Z3NxYA//TmgdzpN6Jh8zNCL3cjK9J3IgJWIxgtPnoPDb0GxMt5rSME9uAQLggVut
+310OAJ9CCfVYyCECm9ZpgbaeXPHP02Xx6sccpU7bU3nMa1W+Pu0dea3ToFWGFv5i
+52INS0UGP+R58JJzGlxlwm1oRNXoG3tfJHR7FHof5G0a60jdcxqjW2JfkN4x28kR
+RLXCqCWfJOjVMIVVQLsVmjZQlBkXLuykg2rbocqBu2dNH4nOuekDWFUpLXoGm2Zd
+OhdFmWGIJfLFybPersLBGSO6LJFhzi5KoloeesaCQ26X2ld8R+cu6rKae2f0zDQi
+O63yQIg7Oxr4XUnthziZdYA4karVrUdx97I39xTP9ioYxnEWHSdWk2iwKWsLhrPd
+X9TEcsmTMia0RSNqarNlsnXiloWFIRKuxlEBO1SMHG45Fr5mXsPxFLc81acQlGtl
+Kvwl3O5vxaa8Qd46EtLJXsNQW09tW0j1yM3JyAoLZs69/N8iB5lk74nYT+jZhI0b
+9/+tfHLRoa+ccJdNfCdfWzCTZpFxG0D6ah6SJY8CgMMvITBT5OfYTR4tvSbt1Sa4
+y65YOPB4QabxuaUC6p0JQ57STUX6D8NtvJwpoZUDb6XDovpXsVb3T0di9eKKYQSv
+/TsSRvf57OiCL9u/C5bIV2g0N5pkN9Bsddye0wUqfEdYH/NwXBs=
+=OTzQ
 -----END PGP SIGNATURE-----
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbTlUACgkQRJMUlPKc
-Z3PY2xAAkSmMipofQkVDE8owIY1VrXGICpFFby7oIzog1oiWrTWlqjGPBwxrLEAa
-W5qXPez0mu9CMs0eGgqHnpUCOR2OJKXzlllSwWcO2Q9Ioi+fSYB//A/+FRK5Jyvf
-P3H6Iq4N4vCbOGS0zHwmlAhTMh1ezKuqnjCrP9z6gvOj6hiiI0DtX2YtYfXml4o8
-Xgvv+w3uReC/Pf7Z7Zia18tWlLIC1DoVC18CmLmnnyqE032Cn8HsE/scboTehgJd
-SKfpztf8/9IjAJpkoeuh3VEXeq5gUjdaW13cBvaPBg798+GsnY7ot7g2PLgnpc7w
-Y1Npg2QZebKE2KHSEGhvIfHeGC6uSEekQnNbck6/ge8ytRzvfzxtTFCMWlGVdgd4
-dFLNajFRt1VOYXMgm7w725cndXYjpvi7zNgGI/kuOQG92hGR8ZaQYYHUTI+B9sr1
-Fit8VmaOsLN7ES8UcNlWeRPHAlvkhdfjltcCSVBziJWGW5rYsuT03X/gbjSiflA5
-kwB/5A2Bf5DHtORbdtx9kfd5yqsnWaLczEKRjyikJqDUXW6CcclbEiucWIgR75cS
-Ee9cf8ILKn/Dr6z+h60y0VQ+1gUcVDnK9yxoqywS5/QoUFXltzu032ZmhyDdgfex
-93NbacgaVtges8t0S0s7PgfzpUSLgNte6aHOYwl5mDAh0zLGpoo=
-=uS3y
-----END PGP SIGNATURE-----
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmn22d8ACgkQRJMUlPKc
+Z3Ndlg//Vj21j/hlAIPD0AOAgYYLvudvR2bA1gJBHrlAQB4FQSWWgW+C0xdHks7X
+YUkKFhLMMP8twemA2EApfMtEp+YayfN/djiwCTfhrCI2ObTZJZU6FwyKiENviKGo
+hH7rFeh1HdSJuU+HExF9bCq+1oGFjhpOKh982R0hasLzKgN2PmF1v/jEqNpibyIc
+o7/7xXFGne39xTrwIuvhjl44iCrIKrcqpObt2cHKRx3D5E1b5nz1JriceCQr4zPa
+tRBXyvl7Ub/N0xZ0K81LA5cDuP2h5H1W1X0BEVTMi+4vIJhaFfOCZhFp9vjlKuuW
+vLhPJWakaLOM2o0PawHW3pVQfq9vOPOGUYcQoSCjgplEsvySbIHS33/nHrPq9ncb
+S6kYQnXtNmWOuWoZfUmGNSBItzd9aOWJ/CukhtovJHRCvM9W68GhR4kqNhZpfvhY
+NL35NC3IydxvzZUZzW6OvaBzGnAVshILyVnlrGkI9ikc8BJUY6GllcMopD5+vCbt
+YYKZhThckaHmtZL4bkyA1v8KN7uVprCKQSgC56lbXD+fr7qM/sjNLmp+UVCnjTuU
+XDFnS7dELDZCXweTmxIowwPetaDtnfBPuYWmGtSezG63Zbsv32/UMAy3YCT7vg/V
+9dzK0h2/EG6GCZ9UfYj/uYCuvb8HhbVji0fMYbzo1eT4NAJwPpY=
+=/+S8
+-----END PGP SIGNATURE-----
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmoAZREACgkQRJMUlPKc
+Z3P87g//ZamgpADh+1CziP9UJ8iiQSi+6lGDcNmkLwNfw1dXA7zAJ2L10uz1We5V
+ercshPNSurf/rYCQJIvav1JE2x4oHXAgnzO1pnrIDriBmCa17EJD2udDHImE1A4K
+KP6JxeaaZTkPYCQftIh3bj7kyJnjpRIptN41GHLeyfQ9bD/ikpGm7uVVqOv1y08O
+Z1pBlZ4IeKrdN7ghHclTTS7+w9nDcYuP62B+KOg7U2oE6+hTfO6PZnHxumUqFlck
+iDEOpdjWixp62ju5ad2o+qWsV4QDg5y/smb51ZDIiFkQh3BJKs6qS83ZNBseGdCX
+vtfKLBSpH/k28WlIwzNq3xiwD7xLR1niX4IrNFUF71eFZhFt6FAMk7oBhSse86qs
+TUUDsssQBAGgNbyRAGSkjBKQ9hdrGXuqV7r8PnDGo+n+EF7pRBJTObM29jshgnjm
+CZ8zMu8LB5cCzWJCXUhNX9HqcW4LIDPGI6v24ychxGqLS5ekKHbv7Pr/xguHyVJq
+U7HXsUtA43HAXnk1RaVYV3I9CzLinJ9Cs3sNBRpcIEKQfpYXTDL58lEg/mJRloqC
+EIBgb9pB8EvFbIz3mbOayvrLnMzmyL1ujsc1CYUcEti1MV6IrgOjGxi/kUrcrZaQ
+1kPA/eRcG1iRpyYk19/cD1JyI477HRnRQDeqMPRO9VTeCMOXO2s=
+=PPW+
+-----END PGP SIGNATURE-----
@@ -1,12 +1,12 @@
 /* # SPDX-Version: 3.0 */
-/* # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> */
-/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git */
+/* # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev> */
+/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git */
 /* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */
 /* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu> */
 /* # SPDX-FileType: SOURCE */
-/* # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 */
+/* # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1  */
 /* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */
-/* # SPDX-PackageName: CISS.debian.installer */
+/* # SPDX-PackageName: CISS.debian.live.builder */
 /* # SPDX-Security-Contact: security@coresecret.eu */

 #ifndef DROPBEAR_LOCALOPTIONS_H_
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

+# ToDo: Update to the latest Kernel Version.
+
 ### https://kspp.github.io/

 set   -o errexit
@@ -9,6 +9,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

+# ToDo: Update to the latest version of the CISS PKI.
+
 # Keep the corresponding ROOT CA strict offline, offsite and air-gapped and maybe in a HSM or at least encrypted in a vault.
 #
 # The firmware does not check "whether KEK originates from PK in terms of certificate logic." It only checks whether the
@@ -87,7 +89,7 @@ clearance_max					          = 64
 serialNumber					          = QSCD Serial Number
 serialNumber_max				        = 64
 ############################### = 1234567890123456789012345678901234567890123456789012345678901234
-commonName_default				      = CISS Secure Boot Root CA 2025 RSA 4096
+commonName_default				      = CISS Secure Boot Root CA 2026 RSA 4096
 organizationName_default        = Centurion Intelligence Consulting Agency
 organizationalUnitName_default 	= CISO
 organizationIdentifier_default	= VATPT-307086887
@@ -104,7 +106,7 @@ subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid:always,issuer
 authorityInfoAccess		          = @ciss_sb_pki
 certificatePolicies		          = 2.5.29.32.0, @ciss_sb_policy
-nsComment                       = "CISS Secure Boot Root CA 2025 RSA 4096"
+nsComment                       = "CISS Secure Boot Root CA 2026 RSA 4096"

 [ v3_pk ]
 basicConstraints                = critical, CA:true, pathlen:0
@@ -147,6 +149,4 @@ CPS.0				                    = "https://policy.quantumsign.eu/"
 fullname                        = URI:https://crl.quantumign.eu/
 reasons                         = keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn, AACompromise

-
-
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
-**Master Version**: 8.00<br>
-**Build**: V8.00.000.2025.06.17<br>
+**Master Version**: 9.00<br>
+**Build**: V9.14.000.2026.06.07<br>

 # 2. [bash.var.sh](../bash.var.sh)
 This module establishes the global execution profile for all modules of the `CISS.debian.installer`. It is sourced at the very 
@@ -24,7 +24,7 @@ declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{
 declare -grx VAR_CONTACT="security@coresecret.eu"
 # shellcheck disable=SC2155
 declare -grx VAR_DS_VER="$(debootstrap --version)"
-declare -grx VAR_VERSION="Master V8.00.000.2025.06.17"
+declare -grx VAR_VERSION="Master V9.14.000.2026.06.07"
 # shellcheck disable=SC2155
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
 declare -gx VAR_ARG_SANITIZED=""