msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
830aa1afa7dad38b5f91f5578034b7bde3c16e4d3ddf9ed41f29017e3dae5fc8
CISS.debian.installer/AGENTS.md
T
msw 261d770e42
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled
Details
V9.14.000.2026.06.07 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 15:46:30 +01:00

154 lines
8.8 KiB
Markdown
Raw Blame History

# AGENTS.md
## Purpose
This repository builds and maintains CISS.debian.installer, a script-driven Debian installer for hardened and reproducible
system installation workflows.
Treat every change as security-sensitive, disk-destruction-sensitive, and boot-chain-sensitive. Persistent coding details live
in `docs/CODING_CONVENTION.md`. Review-only instructions live in `code_review.md`.
## Instruction precedence for this repository
Use this order when instructions differ:
1. The current task prompt defines the immediate objective and task-specific acceptance criteria.
2. This `AGENTS.md` defines repository-wide constraints and routing guidance.
3. `docs/CODING_CONVENTION.md` defines detailed coding conventions.
4. `code_review.md` applies when performing a review or final self-review.
5. Personal/global Codex instructions apply only where they do not conflict with repository rules.
When instructions conflict, prefer the safer, smaller, more easily reviewable change and explain the conflict.
## Non-negotiable constraints
- Target Debian 13 Trixie unless the task or repository explicitly states otherwise.
- Do not introduce Ubuntu-specific assumptions.
- Do not invent Debian Installer, debootstrap, initramfs-tools, cryptsetup, GRUB, systemd, Btrfs, Debian package, or upstream
tool behavior.
- Verify uncertain behavior against existing repository code or authoritative upstream documentation.
- Preserve encrypted-root and boot-chain security assumptions unless the task explicitly changes them.
- Preserve existing module source guards, especially `guard_sourcing`, `source_guard`, and `readonly -f` conventions.
- Do not overwrite existing `ERR`, `EXIT`, `INT`, or `TERM` traps from modules or runtime scripts.
- Prefer simple, explicit, inspectable Bash over clever abstraction.
- Do not use `eval`.
- Do not print secrets, passphrases, private keys, tokens, or sensitive environment values.
- Do not perform destructive disk operations in validation unless explicitly requested and safely isolated.
## Repository map
Common areas:
- `ciss_debian_installer.sh`: primary installer entrypoint and phase orchestration.
- `meta_loader_*.sh`: ordered module, library, and variable sourcing.
- `.preseed/preseed.yaml`, `.preseed/partitioning.yaml`, `.preseed/SECRETS.yaml`: installer configuration, partition recipes,
and secret input material.
- `var/*.sh`: global variables, colors, terminal settings, and error codes.
- `lib/cdi_0000_preliminary/*`: contact, usage, and version helpers.
- `lib/cdi_0005_guard/*`: sourcing, source-guard, safe-execution, directory, and variable guards.
- `lib/cdi_0010_basic/*`, `lib/cdi_0025_logging/*`, `lib/cdi_0030_checks/*`, `lib/cdi_0050_debug/*`,
`lib/cdi_0060_traps/*`: basic helpers, logging, package/git checks, debug support, and traps.
- `lib/cdi_0100_arg/*`, `lib/cdi_0110_interactive/*`, `lib/cdi_0200_dialog/*`: argument handling and interactive dialogs.
- `func/cdi_1000_helper/*`: chroot helpers, GRUB helpers, module helpers, sanitizers, secure downloads, and YAML helpers.
- `func/cdi_1200_validation/*`, `func/cdi_1250_yaml/*`: validation and preseed/YAML processing.
- `func/cdi_3200_partitioning/*`: destructive partitioning, LUKS setup, formatting, mounting, and UUID logging.
- `func/cdi_4000_debootstrap/*`: debootstrap, target mount preparation, and base target setup.
- `func/cdi_4100_base/*`: APT sources, kernel, initramfs, systemd, firmware, and base package setup.
- `func/cdi_4200_boot/*`: fstab, crypttab, cryptsetup, GRUB, GRUB password, and boot parameter handling.
- `func/cdi_4300_network/*`: network setup, Dropbear initramfs remote unlock, initramfs updates, and SSH setup.
- `func/cdi_4400_hardening/*`, `func/cdi_4500_user/*`, `func/cdi_4600_packages/*`: hardening, account setup, package
installation, security verification, and auditing packages.
- `func/cdi_4900_xtended/*`, `func/cdi_5000_recovery/*`: final commands, logrotate, chroot exit, and recovery target handling.
- `includes/target/*`: files installed into the target system, including initramfs-tools hooks, scripts, Dropbear unlock
files, GRUB assets, SSH, OpenSSL, sysctl, modprobe, PAM, and profile configuration.
- `includes/chroot/hooks/*`: hook payloads copied into or executed inside the target environment.
- `upgrades/*`: vendored or upgrade-related materials for Dropbear, Linux image options, and Secure Boot work.
- `py/*`: Python-based configurator support.
- `docs/*`, `.gitea/workflows/*`: project documentation and repository automation.
## Working method
Before editing:
1. Inspect the relevant scripts, configuration files, documentation, workflows, and naming conventions.
2. Identify the affected installer phase: host orchestration, YAML/preseed handling, destructive disk setup, target chroot,
initramfs, bootloader, network/Dropbear, hardening, user setup, package installation, finalization, or recovery.
3. Check existing source guards, trap behavior, logging, secret handling, and helper APIs before changing code.
4. Give a concise implementation plan and list likely files to touch unless the change is trivial.
While editing:
- Keep changes minimal and local to the task.
- Preserve existing architecture, naming style, error handling, formatting, and security posture.
- Do not perform unrelated cleanup or formatting churn.
- Reuse existing helpers for logging, fatal errors, validation, source guards, chroot execution, secure downloads, temporary
files, and secret cleanup where available.
- Prefer arrays for command argument composition.
- Do not introduce new runtime dependencies unless technically necessary and justified.
After editing:
- Run only the narrowest checks that prove the change.
- Changed Bash files: run `bash -n <file>` and `shellcheck <file>` if ShellCheck is available.
- Changed POSIX shell files: run `sh -n <file>`.
- Changed CLI behavior: update `usage()` and relevant documentation, then run the safest available parser/help check if the
environment permits it.
- Changed Python files: run the relevant checks configured under `py/` when applicable.
- Changed installer, disk, initramfs, cryptsetup, GRUB, or Dropbear behavior: state the required Debian 13 Trixie validation
command or isolated test, but do not run destructive or full installer validation unless explicitly requested.
- For documentation-only changes, confirm the target files exist and review the final diff.
## Bash conventions summary
See `docs/CODING_CONVENTION.md` for details.
- Use Bash for installer logic unless an existing Debian interface file must remain POSIX shell.
- Preserve module source guards and `readonly -f` usage where surrounding files use them.
- Prefer strict Bash mode where feasible and consistent with the file's execution context.
- Use `declare` for variables inside functions.
- Quote expansions unless word splitting or globbing is explicitly required.
- Prefer arrays where argument boundaries matter.
- Use `[[ ... ]]`, `case`, and `$(...)`.
- Avoid parsing `ls`; prefer structured tool output or existing helpers.
- Prefer `command -v` over `which`.
- Code comments must be in English.
## Security-sensitive areas
Before finalizing a change, check whether it affects:
- disk wiping, partition table creation, partition type codes, or filesystem formatting
- cryptsetup/LUKS2 parameters, passphrases, key files, key slots, LUKS header backups, or nuke behavior
- Btrfs subvolumes, mount ordering, mount options, snapshots, or labels
- `/etc/fstab`, `/etc/crypttab`, UUIDs, PARTUUIDs, or mapper names
- initramfs-tools hooks, scripts, included binaries, or early boot behavior
- Dropbear initramfs remote unlock, forced commands, firewalling, host keys, unlock wrapper signatures, or hashes
- GRUB installation, GRUB modules, encrypted `/boot`, UEFI/BIOS paths, NVRAM handling, or Secure Boot material
- chroot command execution, mount propagation, target/root separation, or environment sanitization
- APT sources, package authentication, TLS, signatures, checksums, or remote downloads
- account setup, SSH policy, PAM, sudo, permissions, hardening files, or network exposure
- logging, debug tracing, traps, cleanup paths, or exposure of sensitive values
If affected, document the concrete risk and mitigation in the final response.
## Validation policy
Use the narrowest validation that proves the requested change. Do not run full installer builds, debootstrap runs, live disk
tests, destructive partitioning, broad repository audits, or network-heavy validation unless the task explicitly asks for them
or the change cannot be validated responsibly without them.
## Final response
Return a concise implementation report:
- changed files
- what changed
- checks run and result
- real remaining risks or follow-up steps
Do not claim success for checks that were not run.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
Reference in New Issue View Git Blame Copy Permalink