V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -13,14 +13,14 @@
 # This file contains configurations for the CISS.debian.installer
 # Master V8.00.000.2025.06.17
 # YAML specification: 1.2
-
+#
 preseed:
   description: "Configuration values for automated installation of encrypted systems on this host via primordial-workflow™."
   created_at: "2025-10-23"
   created_for: "host_domain_tld"
   name: "CISS.debian.installer"
   version: "V8.00.000.2025.06.17"
-
+#
 ################################################################################################################################
 # APT settings
 ################################################################################################################################

func/cdi_1250_yaml/1256_secret_parser.sh

@@ -122,25 +122,25 @@ ciss_secrets_wiper() {
 readonly -f ciss_secrets_wiper
 
 #######################################
-# Purpose:
+#   Parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
-#   High-performance parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
 #   If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
 #   No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
 # Conventions:
 #   Variables: CISS_SECRET_<UPPER_SNAKE_CASE_PATH> (PATH excludes "secrets." and trailing ".value")
 #   All with "declare -g" (no export).
 #   Mapping: CISS_SECRETS_MAP["foo.bar"]=CISS_SECRET_FOO_BAR
-# Security:
-#   No logging of values. No plaintext temp files. Streaming pipeline; no full-doc materialization.
 # Globals:
+#   CISS_SECRETS_AGE
 #   CISS_SECRETS_MAP
 #   CISS_SECRETS_SOURCE
 #   DIR_CNF
-#   ERR_MISSING_AGE_KEY
 # Arguments:
 #   None
 # Returns:
 #   0: on success
+#   ERR_DECRYPTION_SOPS: on failure
+#   ERR_MISSING_AGE_BIN: on failure
+#   ERR_MISSING_AGE_KEY: on failure
 #######################################
 yaml_secret() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -153,6 +153,9 @@ yaml_secret() {
   __umask=$(umask)
   umask 0077
 
+  # TODO: guard_trace on
+  #guard_trace on
+
   secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
   do_log "debug" "file_only" "1256() 'secrets_encrypted' according to secrets.x_files: '${secrets_encrypted}'."
 
@@ -242,6 +245,9 @@ yaml_secret() {
   echo "Inside 1256()"
   sleep 60
 
+  # TODO: guard_trace off
+  #guard_trace off
+
   guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.

var/global.var.sh

@@ -52,13 +52,11 @@ declare -grx VAR_SETUP_PART="${DIR_CNF}/partitioning.yaml"
 
 ### Initialize SECRETS.yaml variables.
 # shellcheck disable=SC2034
-declare -gA   CISS_SECRETS_MAP=()                           # YAML path (w/o '.value' and without 'secrets.') -> varname.
+declare -gA   CISS_SECRETS_MAP=()                                # YAML path (w/o '.value' and without 'secrets.') -> varname.
 # shellcheck disable=SC2034
 declare -g    CISS_SECRETS_AGE="/root/.config/sops/age/keys.txt" # AGE PRIVATE Keyfile to decrypt SOPS encrypted values.
 # shellcheck disable=SC2034
-declare -gr   CISS_SECRETS_SOURCE="${DIR_CNF}/SECRETS.yaml"      # Effective YAML source used (plain or decrypted stream)
+declare -gr   CISS_SECRETS_SOURCE="${DIR_CNF}/SECRETS.yaml"      # Effective YAML source used (plain or decrypted stream).
-# shellcheck disable=SC2034
-declare -g    CISS_SECRETS_XFILES=""                        # Derived from SOPS presence heuristic.
 
 ### Base mount paths and variables for debootstrap.
 declare -grx TARGET="/target"