V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m0s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m0s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -23,7 +23,7 @@ structured logs with full environmental metadata and deterministic command evalu
|
||||
|
||||
## 2.2. Component Modules
|
||||
|
||||
### 2.2.1 [0050_debug_pre_scan.sh](../../lib/0050_debug_pre_scan.sh)
|
||||
### 2.2.1 [0050_debug_pre_scan.sh](../../lib/cdi_0050_debug/0050_debug_pre_scan.sh)
|
||||
|
||||
**Purpose**: Parses the script's argument vector (`$@`) to detect and initialize debug mode before the main installer logic
|
||||
executes.
|
||||
@@ -36,7 +36,7 @@ executes.
|
||||
- Explicitly sets the necessary global flags: `VAR_DEBUG_TRACE` and/or `VAR_DEBUG_TRAP`.
|
||||
|
||||
|
||||
### 2.2.2. [0051_debug_var_dump.sh](../../lib/0051_debug_var_dump.sh)
|
||||
### 2.2.2. [0051_debug_var_dump.sh](../../lib/cdi_0050_debug/0051_debug_var_dump.sh)
|
||||
|
||||
**Functions**:
|
||||
- `dump_vars_initial()`: Captures the initial state of all non-internal variables.
|
||||
@@ -52,7 +52,7 @@ executes.
|
||||
- Operates with `set +x` to avoid leaking secrets to stdout.
|
||||
- Temporary files are created with `mktemp` and removed after usage.
|
||||
|
||||
### 2.2.3. [0052_debug_trace.sh](../../lib/0052_debug_trace.sh)
|
||||
### 2.2.3. [0052_debug_trace.sh](../../lib/cdi_0050_debug/0052_debug_trace.sh)
|
||||
|
||||
**Purpose**: Initializes Bash's `xtrace` (`set -x`) with rich metadata formatting and redirects output to `LOG_TRC`.
|
||||
|
||||
@@ -70,7 +70,7 @@ executes.
|
||||
- Serves as a non-interfering, shell-native audit mechanism.
|
||||
- Avoid collision with terminal output or stderr logging.
|
||||
|
||||
### 2.2.4. [0053_debug_trace_header.sh](../../lib/0053_debug_trace_header.sh)
|
||||
### 2.2.4. [0053_debug_trace_header.sh](../../lib/cdi_0050_debug/0053_debug_trace_header.sh)
|
||||
|
||||
**Purpose**: Prints an extensive contextual header to `LOG_TRC`, including:
|
||||
|
||||
@@ -82,7 +82,7 @@ executes.
|
||||
|
||||
This header facilitates offline analysis and correlates script execution to external events or CI/CD timelines.
|
||||
|
||||
### 2.2.5. [0054_debug_trap.sh](../../lib/0054_debug_trap.sh)
|
||||
### 2.2.5. [0054_debug_trap.sh](../../lib/cdi_0050_debug/0054_debug_trap.sh)
|
||||
|
||||
**Purpose**: Implements runtime-level command introspection using the `DEBUG` trap.
|
||||
|
||||
@@ -101,7 +101,7 @@ This header facilitates offline analysis and correlates script execution to exte
|
||||
- Designed to be safely enabled in production with obfuscation of credentials and secrets.
|
||||
- Provides a temporal correlation of command execution and exit codes.
|
||||
|
||||
### 2.2.6. [0055_debug_trap_header.sh](../../lib/0055_debug_trap_header.sh)
|
||||
### 2.2.6. [0055_debug_trap_header.sh](../../lib/cdi_0050_debug/0055_debug_trap_header.sh)
|
||||
|
||||
**Purpose**: Similar to `debug_trace_header()`, this module prints an elaborate preamble into the `LOG_DBG` file.
|
||||
|
||||
|
||||
@@ -44,7 +44,7 @@ exhaustive state introspection. The defined options anticipate and actively prev
|
||||
conditions or shell misbehavior.
|
||||
|
||||
|
||||
## 2.3. [0060_trap_err.sh](../../lib/0060_trap_err.sh)
|
||||
## 2.3. [0060_trap_err.sh](../../lib/cdi_0060_traps/0060_trap_err.sh)
|
||||
|
||||
### 2.3.1. Purpose
|
||||
|
||||
@@ -68,7 +68,7 @@ anomalies precisely, log them comprehensively, and expose them to the console an
|
||||
- Integrates gracefully with dialog-driven user interfaces (e.g., `dialog_box_cleaner`, `dialog_gauge_cleaner`).
|
||||
- Evaluates `VAR_DEBUG_TRACE` and `VAR_DEBUG_TRAP` to determine the scope of runtime introspection.
|
||||
|
||||
## 2.4. [0070_trap_exit.sh](../../lib/0070_trap_exit.sh)
|
||||
## 2.4. [0070_trap_exit.sh](../../lib/cdi_0060_traps/0070_trap_exit.sh)
|
||||
|
||||
### 2.4.1. Purpose
|
||||
|
||||
@@ -95,7 +95,7 @@ error. Notably, it complements `trap_err()` by catching unbound variable errors
|
||||
- Isolates early trap context via local read-only declarations to avoid overwriting.
|
||||
- Ensures that debug logs and variable states are flushed before exit.
|
||||
|
||||
## 2.5. [0080_trap_int.sh](../../lib/0080_trap_int.sh)
|
||||
## 2.5. [0080_trap_int.sh](../../lib/cdi_0060_traps/0080_trap_int.sh)
|
||||
|
||||
### 2.5.1. Purpose
|
||||
|
||||
|
||||
52
docs/man/LINTER_CHAR.md
Normal file
52
docs/man/LINTER_CHAR.md
Normal file
@@ -0,0 +1,52 @@
|
||||
---
|
||||
gitea: none
|
||||
include_toc: true
|
||||
---
|
||||
|
||||
# 1. CISS.debian.installer
|
||||
|
||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
|
||||
**Master Version**: 8.00<br>
|
||||
**Build**: V8.00.000.2025.06.17<br>
|
||||
|
||||
# 2. Git Workflow Linter — Character Set Policy Enforcement
|
||||
|
||||
## 2.1. Overview
|
||||
|
||||
The **[linter_char_scripts.yaml](../../.gitea/workflows/linter_char_scripts.yaml)** defines a declarative policy framework for
|
||||
sanitizing and validating character scripts within a Git repository. It enforces linguistic and typographic constraints at the
|
||||
commit level, preventing the introduction of ambiguous, non-printable, homoglyphic, or non-standard Unicode character classes.
|
||||
This mechanism enhances both the integrity and auditability of the codebase, particularly in contexts where multilingual input,
|
||||
identity obfuscation, or supply-chain risk (e.g., Trojan Source attacks) must be mitigated.
|
||||
|
||||
## 2.2. Purpose
|
||||
|
||||
The core intent of this linter is to:
|
||||
|
||||
- **Detect forbidden Unicode scripts or codepoints** within staged files.
|
||||
- **Ensure locale-hygienic commits** by permitting only explicitly whitelisted language/script groups.
|
||||
- **Enforce character uniformity** across source files, configuration, and metadata.
|
||||
- **Block malicious or ambiguous glyph injection**, including bidirectional override, homoglyph attacks, or zero-width characters.
|
||||
|
||||
## 2.3. Security Considerations
|
||||
|
||||
This linter serves as a preventive supply-chain control by reducing exposure to:
|
||||
|
||||
- Invisible character injection (e.g. \u200e, \u202e)
|
||||
- Homoglyphic substitution (e.g. Cyrillic а vs. Latin a)
|
||||
- Bidirectional override attacks (Trojan Source)
|
||||
- Untraceable backdoors hidden in user comments or unused string literals
|
||||
|
||||
It complements traditional static analysis and code review processes by operating at a syntactic level of representation,
|
||||
thus neutralizing attacks that bypass semantic inspection.
|
||||
|
||||
## 2.4. Conclusion
|
||||
The ``linter_char_scripts.yaml`` is a vital component of the **CISS.debian.installer** secure development lifecycle. It defines
|
||||
a robust, extensible, and policy-driven control layer against linguistic abuse and typographic ambiguity in version-controlled
|
||||
assets. Its utility is especially salient in multi-language environments, cryptographic infrastructure code, and supply-chain
|
||||
sensitive repositories.
|
||||
|
||||
---
|
||||
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
|
||||
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
|
||||
Reference in New Issue
Block a user