# code_review.md Use this file for explicit review tasks and final self-review after implementation. Do not treat it as a mandate for an unlimited audit unless the user asks for one. ## Review priorities Review findings in this order: 1. Correctness 2. Security regressions 3. Data loss risk 4. Boot-chain integrity 5. Reproducibility and deterministic behavior 6. Error handling and cleanup 7. Test or validation coverage 8. Maintainability 9. Minimality of diff 10. Style consistency ## Finding classes - `BLOCKER`: proven correctness bug, security regression, installer break, boot break, or data loss risk that must be fixed before merge. - `RISK`: plausible issue or security concern that is not fully proven from the available context. - `CLEANUP`: maintainability, readability, or consistency improvement that is not required for correctness. - `NOTE`: observation only; no change requested. ## Review output format List findings first, ordered by severity. For each finding include: - class - file path and line number where possible - observation - concrete impact - smallest reasonable fix Then include: - missing checks or validation gaps - residual risks - concise final recommendation If there are no findings, say so explicitly and still mention relevant validation gaps. ## Scope control - Review the requested change, touched files, and directly affected code paths. - Do not expand a small implementation task into a broad repository audit. - Do not nitpick formatting when automated tooling exists. - Do not invent requirements not present in the task, repository, or documentation. - Do not request a full installer run, debootstrap run, destructive disk test, or network-heavy validation unless the changed path cannot be checked responsibly any other way. - Prefer a small actionable finding over a broad speculative warning. - Separate observation, inference, and recommendation when the evidence is incomplete. ## Installer-specific security checklist Check whether the change affects: - destructive disk operations, disk selection, partition table wiping, or formatting - partition boundaries, GPT/MBR type codes, bootable flags, or firmware mode selection - cryptsetup/LUKS2 parameters, passphrases, key files, key slots, LUKS UUIDs, header backups, or nuke behavior - Btrfs filesystem creation, subvolumes, snapshots, labels, compression, or mount options - `/etc/fstab`, `/etc/crypttab`, UUIDs, PARTUUIDs, mapper names, or initramfs flags - initramfs-tools hooks, scripts, included binaries, early boot paths, or update-initramfs behavior - Dropbear initramfs remote unlock, forced commands, host keys, firewalling, unlock-wrapper signatures, or hashes - GRUB package selection, GRUB modules, encrypted `/boot`, UEFI fallback paths, BIOS install paths, or NVRAM behavior - chroot command construction, `env -i` sanitization, target mount handling, or host/target path separation - APT source generation, package authentication, Debian suite selection, signature verification, or hash verification - remote downloads, TLS settings, bundled source archives, provenance, or checksum files - key material, SSH keys, PGP keys, SOPS/AGE values, passphrase files, or secret cleanup - logging, debug traces, trap output, and accidental disclosure of sensitive values - file permissions, ownership, sudo policy, PAM, SSH policy, UFW, fail2ban, sysctl, modprobe, or hardening files - recovery target behavior and consistency with the primary target - reproducibility, deterministic ordering, and generated file stability - direct or indirect data loss risk --- **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**