V9.14.022.2026.06.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.archive/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 name: 💙 Generating a PUBLIC Live ISO.
 

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V9.14.020.2026.06.08"
+      placeholder: "e.g., Master V9.14.022.2026.06.10"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V9.14.020.2026.06.08
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V9.14.020.2026.06.08
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V9.14.020.2026.06.08
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 name: 💙 Generating a PUBLIC Live ISO.
 

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.020.2026.06.08"
+properties_version="V9.14.022.2026.06.10"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.020.2026.06.08
+PackageVersion: Master V9.14.022.2026.06.10
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.020.2026.06.08-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.022.2026.06.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V9.14.020.2026.06.08`
+Example: `V9.14.022.2026.06.10`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
@@ -365,6 +365,10 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
 ## 2.9. UFW Hardening
 
 * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
+* **Primordial SSH exception**: `--primordial-ssh <port>` adds an outgoing-only UFW TCP exception for a bootstrap/recovery SSH
+  port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall rule and does not replace
+  `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current hook still emits the
+  requested labelled rule because this repository has no separate UFW rule deduplication layer.
 * **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
   deployment.
 
@@ -520,6 +524,7 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
      --signing_key_pass=signing_key_pass.txt \
      --signing_key=signing_key.asc \
      --ssh-port 4242 \
+     --primordial-ssh 2222 \
      --ssh-pubkey /dev/shm/cdlb_secrets \
      --sshfp \
      --trixie
@@ -569,6 +574,7 @@ preview it or run it.
     SSH_PUBKEY=/dev/shm/cdlb_secrets
 
     # Optional
+    PRIMORDIAL_SSH_PORT=2222
     PROVIDER_NETCUP_IPV6=2001:cdb::1
     # comma-separated; IPv6 in [] is fine
     JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     

REPOSITORY.md

@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. Repository Structure
 
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **9.14**, Build **V9.14.020.2026.06.08** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.022.2026.06.10** (as of 2025-10-11)
 
 ## 3.1. Top-Level Layout
 

ciss.secureboot/private/README.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. CISS Secure Boot Private Material
 

ciss.secureboot/public/README.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. CISS Secure Boot Public Material
 

config.mk.sample

@@ -15,6 +15,8 @@ BUILD_DIR            ?=
 DROPBEAR_VERSION     ?=
 ### Optional SOPS release override; empty uses VAR_SOPS_VERSION from var/global.var.sh:
 SOPS_VERSION         ?=
+### Optional outgoing bootstrap/recovery SSH port; empty disables the extra UFW rule:
+PRIMORDIAL_SSH_PORT  ?=
 PROVIDER_NETCUP_IPV6 ?=
 ROOT_PASSWORD_FILE   ?=
 ### Secure Boot profile; debian-shim or ciss-uki:

config/hooks/live/0900_ufw_setup.chroot

@@ -15,6 +15,7 @@ printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 declare -r UFW_OUT_POLICY="deny"
 declare -r SSHPORT="SSHPORT_MUST_BE_SET"
+# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET
 
 ufw --force reset
 
@@ -44,7 +45,8 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
   ufw allow out  853/tcp comment 'Outgoing DoT'
   ufw allow out  993/tcp comment 'Outgoing IMAPS'
   ufw allow out 4460/tcp comment 'Outgoing NTS'
-  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
+  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH Custom-Port'
+  # PRIMORDIAL_SSH_RULE_MUST_BE_SET
   ufw allow out   53/udp comment 'Outgoing DNS'
   ufw allow out  123/udp comment 'Outgoing NTP'
   ufw allow out  443/udp comment 'Outgoing QUIC'

config/includes.chroot/etc/ssh/ssh_known_hosts

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened

@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V9.14.020.2026.06.08"
+declare -gr VERSION="Master V9.14.022.2026.06.10"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.020.2026.06.08 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.022.2026.06.10 at: 10:18:37.9542

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. TLS Audit:
 ````text

docs/BOOTPARAMS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. Hardened Kernel Boot Parameters
 

docs/CHANGELOG.md

@@ -8,11 +8,16 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. Changelog
 
+## V9.14.022.2026.06.10
+* **Added**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) Retrieve rdns for Primordial-Workflow™
+* **Added**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) SSH ufw out exception for Primordial-Workflow™
+
 ## V9.14.020.2026.06.08
+* **Added**: [bootscreen.txt](../bootscreen.txt)
 * **Changed**: ``sops 3.13.0`` to ``sops 3.13.1``
 
 ## V9.14.018.2026.06.07
@@ -132,7 +137,7 @@ include_toc: true
 * **Changed**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + updated shopt handling.
 * **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) + integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts.
 * **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + integration of optional import of offline GPG CA public keys.
-* **Changed**: [lib_primordial.sh](../lib/lib_primordial.sh) + Updates for CISS and PhysNet primordial-workflow™.
+* **Changed**: [lib_primordial.sh](../lib/lib_primordial.sh) + Updates for CISS and PhysNet Primordial-Workflow™.
 * **Changed**: [lib_usage.sh](../lib/lib_usage.sh) + ``--signing_ca=*``.
 * **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + ``! -path './live/filesystem.squashfs'``
 * **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) + increased verbosity.
@@ -186,10 +191,10 @@ include_toc: true
 * **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc)
 * **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git
 * **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
-* **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet primordial-workflow™.
-* **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet primordial-workflow™.
-* **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet primordial-workflow™.
-* **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet primordial-workflow™.
+* **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet Primordial-Workflow™.
+* **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet Primordial-Workflow™.
+* **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet Primordial-Workflow™.
+* **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet Primordial-Workflow™.
 * **Added**: [0030-ciss-verify-checksums](../scripts/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
 * **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
 * **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
@@ -197,11 +202,11 @@ include_toc: true
 * **Changed**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) Rewritten for new secrets handling.
 * **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) + VAR_DATE improvements.
 * **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + VAR_DATE improvements.
-* **Changed**: [9930_hardening_ssh.chroot](../config/hooks/live/9930_hardening_ssh.chroot) Rewritten for CISS and PhysNet primordial-workflow™.
+* **Changed**: [9930_hardening_ssh.chroot](../config/hooks/live/9930_hardening_ssh.chroot) Rewritten for CISS and PhysNet Primordial-Workflow™.
 * **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + Final update-initramfs
 * **Changed**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) + Less strict MaxStartups settings.
 * **Changed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) + tmux
-* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) Rewritten for CISS and PhysNet primordial-workflow™.
+* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) Rewritten for CISS and PhysNet Primordial-Workflow™.
 * **Changed**: [lib_arg_priority_check.sh](../lib/lib_arg_priority_check.sh) Unified UI.
 * **Changed**: [lib_cdi.sh](../lib/lib_cdi.sh) + Commandline parameters: verify-checksums=sha512,sha384 verify-checksums-signatures
 * **Changed**: [lib_change_splash.sh](../lib/lib_change_splash.sh) Unified UI.
@@ -210,11 +215,11 @@ include_toc: true
 * **Changed**: [lib_check_kernel.sh](../lib/lib_check_kernel.sh) Minor declare unification.
 * **Changed**: [lib_check_pkgs.sh](../lib/lib_check_pkgs.sh) Improved command checks. Unified UI.
 * **Changed**: [lib_check_provider.sh](../lib/lib_check_provider.sh) Unified variables.
-* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) Secure deletion of CISS and PhysNet primordial-workflow™ artifacts.
+* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) Secure deletion of CISS and PhysNet Primordial-Workflow™ artifacts.
 * **Changed**: [lib_debug.sh](../lib/lib_debug.sh) + Integrated EPOCH in PS4.
 * **Changed**: [lib_debug_header.sh](../lib/lib_debug_header.sh) + Integrated SOURCE_DATE_EPOCH.
 * **Changed**: [lib_hardening_root_pw.sh](../lib/lib_hardening_root_pw.sh) Unified UI.
-* **Changed**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) Rewritten for CISS and PhysNet primordial-workflow™.
+* **Changed**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) Rewritten for CISS and PhysNet Primordial-Workflow™.
 * **Changed**: [lib_hardening_ssh_tcp.sh](../lib/lib_hardening_ssh_tcp.sh) Unified UI.
 * **Changed**: [lib_lb_build_start.sh](../lib/lib_lb_build_start.sh) Deterministic return code examination.
 * **Changed**: [lib_lb_config_start.sh](../lib/lib_lb_config_start.sh) Removed potential disown race condition.
@@ -254,11 +259,11 @@ include_toc: true
 ## V8.13.290.2025.10.26
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
-* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh) Preparations for CISS and PhysNet primordial-workflow™.
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh) Preparations for CISS and PhysNet Primordial-Workflow™.
 
 ## V8.13.288.2025.10.24
-* **Added**: Preparations for CISS and PhysNet primordial-workflow™.
-* **Added**: [0865_yq.chroot](../config/hooks/live/0865_yq.chroot)Preparations for CISS and PhysNet primordial-workflow™.
+* **Added**: Preparations for CISS and PhysNet Primordial-Workflow™.
+* **Added**: [0865_yq.chroot](../config/hooks/live/0865_yq.chroot)Preparations for CISS and PhysNet Primordial-Workflow™.
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + nftables mods
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) + banaction = nftables-*
 * **Updated**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) changed var injection

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. Purpose
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2.1. Usage
 ````text
                         CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.020.2026.06.08
+Master V9.14.022.2026.06.10
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2026
@@ -98,6 +98,14 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
     Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'
     the argument '--build-directory' MUST be provided.
 
+  --primordial-ssh <INTEGER>
+    Adds one outgoing UFW TCP exception for a bootstrap/recovery SSH port.
+    Outgoing only: no incoming firewall rule is added, and this option does not replace '--ssh-port'.
+    Effective only when the Live System's UFW outgoing policy is 'deny'.
+    Port MUST be a decimal integer between '1' and '65535'.
+    Example fragment:
+      ./ciss_live_builder.sh --ssh-port 42842 --primordial-ssh 2222
+
   --provider-netcup-ipv6
     Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be
     encapsulated with [], e.g., [1234::abcd].
@@ -168,7 +176,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
 
-                        V9.14.020.2026.06.08                        2026-05-17                         CDLB(1)
+                        V9.14.022.2026.06.10                        2026-05-17                         CDLB(1)
 ````
 
 # 3. Booting

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
 

docs/MAN_SSH_Host_Key_Policy.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
 

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. Resources
 

docs/documentation/30-ciss-hardening.conf.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. ``30-ciss-hardening.conf``
 

docs/documentation/90-ciss-local.hardened.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. ``90-ciss-local.hardened``
 

docs/documentation/ciss_live_builder.sh.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>
 
 # 2. ``ciss_live_builder.sh``
 

lib/lib_arg_parser.sh

@@ -38,6 +38,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_ISO8601
 #   VAR_LUKS
 #   VAR_LUKS_KEY
+#   VAR_PRIMORDIAL_SSH_PORT
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
 #   VAR_SIGNER
@@ -287,6 +288,23 @@ arg_parser() {
           shift 1
           ;;
 
+        --primordial-ssh)
+          if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
+
+            # shellcheck disable=SC2034
+            declare -gix VAR_PRIMORDIAL_SSH_PORT="${2}"
+            shift 2
+
+          else
+
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --primordial-ssh MUST be an integer between '1' and '65535'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR__SSH__PORT}"
+
+          fi
+          ;;
+
         --provider-netcup-ipv6)
           if [[ -n "${2-}" && "${2}" != -* ]]; then
             declare -i count=0

lib/lib_hardening_ultra.sh

@@ -13,13 +13,14 @@
 guard_sourcing || return "${ERR_GUARD_SRCE}"
 
 #######################################
-# Module for accompanying all 'CISS.debian.hardening' features into the Live ISO image.
+# Module for following all 'CISS.debian.hardening' features into the Live ISO image.
 # Globals:
 #   ARY_HANDLER_JUMPHOST
 #   ARY_HANDLER_JUMPHOST_UNIQUE
 #   BASH_SOURCE
 #   VAR_ARCHITECTURE
 #   VAR_HANDLER_BUILD_DIR
+#   VAR_PRIMORDIAL_SSH_PORT
 #   VAR_SSHFP
 #   VAR_SSHPORT
 #   VAR_SSHPUBKEY
@@ -196,12 +197,26 @@ hardening_ultra() {
   sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
 
   ### /config/hooks/live/0900_ufw_setup.chroot
-  sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+  declare ufw_file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+  sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${ufw_file}"
+
+  declare primordial_ssh_port="${VAR_PRIMORDIAL_SSH_PORT:-}"
+  if [[ -n "${primordial_ssh_port}" ]]; then
+
+    sed -i "s|^# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET$|declare -r PRIMORDIAL_SSH_PORT=\"${primordial_ssh_port}\"|" "${ufw_file}"
+    sed -i "s|^[[:space:]]*# PRIMORDIAL_SSH_RULE_MUST_BE_SET$|  ufw allow out \"\${PRIMORDIAL_SSH_PORT}\"/tcp comment 'Outgoing Primordial SSH'|" "${ufw_file}"
+
+  else
+
+    sed -i '/^# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET$/d' "${ufw_file}"
+    sed -i '/^[[:space:]]*# PRIMORDIAL_SSH_RULE_MUST_BE_SET$/d' "${ufw_file}"
+
+  fi
 
   ### /config/hooks/live/0900_ufw_setup.chroot
   if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
 
-    declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+    declare file="${ufw_file}"
 
     sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
 
@@ -251,7 +266,7 @@ hardening_ultra() {
   ### ./config/hooks/live/9950_hardening_fail2ban.chroot -----------------------------------------------------------------------
   if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
 
-    printf "\e[95m🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
+    printf "\e[95m🧪 Updating fail2ban Jump-hosts IPs ... \e[0m\n"
 
     # Join array entries with spaces, preserving any newlines
     declare ips="${ARY_HANDLER_JUMPHOST[*]}"
@@ -265,7 +280,7 @@ hardening_ultra() {
     # Perform an in-place replacement of IGNORE_IP_MUST_BE_SET with the cleaned list
     sed -i -E "/^[[:space:]]*ignoreip[[:space:]]*=/ s|IGNORE_IP_MUST_BE_SET|${flat_ips}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
 
-    printf "\e[92m✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
+    printf "\e[92m✅ Updating fail2ban Jump-hosts IPs done. \e[0m\n"
 
   else
 

lib/lib_primordial.sh

@@ -90,7 +90,7 @@ init_primordial() {
 
   fi
 
-  ### Check for SSH CISS and PhysNet primordial-workflow(tm) integration -------------------------------------------------------
+  ### Check for SSH CISS and PhysNet Primordial-Workflow™ integration -------------------------------------------------------
   if [[ "${VAR_SSHFP,,}" == "true" ]]; then
 
     install -d -m 0700                      "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"

lib/lib_usage.sh

@@ -39,13 +39,13 @@ usage() {
   # shellcheck disable=SC2155
   declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
   # shellcheck disable=SC2155
-  declare var_footer=$(center "V9.14.020.2026.06.08                        2026-06-08                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V9.14.022.2026.06.10                        2026-06-10                         CDLB(1)" "${var_cols}")
 
   {
     echo -e "\e[1;97m${var_header}\e[0m"
     echo
     echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V9.14.020.2026.06.08\e[0m"
+    echo -e "\e[92mMaster V9.14.022.2026.06.10\e[0m"
     echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
     echo
     echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
@@ -120,6 +120,12 @@ usage() {
     echo "    Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'"
     echo "    the argument '--build-directory' MUST be provided."
     echo
+    echo -e "\e[97m  --primordial-ssh <INTEGER> \e[0m"
+    echo "    Adds one outgoing UFW TCP exception for a bootstrap SSH port."
+    echo "    Outgoing only: no incoming firewall rule is added, and this option does not replace '--ssh-port'."
+    echo "    Effective only when the Live System's UFW outgoing policy is 'deny'."
+    echo "    Port MUST be a decimal integer between '1' and '65535'."
+    echo
     echo -e "\e[97m  --provider-netcup-ipv6 \e[0m"
     echo "    Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be"
     echo "    encapsulated with [], e.g., [1234::abcd]."

makefile

@@ -25,7 +25,7 @@ TIMESTAMP            ?= $(shell date -u +%Y-%m-%dT%H-%M-%S)
 
 ### Core parameters (safe defaults; override in config.mk, rename config.mk.sample to config.mk and apply the remaining values):
 ARCH                 ?= amd64
-AUTOBUILD            ?= 6.16.3+deb13-amd64
+AUTOBUILD            ?= 7.0.10+deb13-amd64
 CONTROL              ?= $(TIMESTAMP)
 DROPBEAR_VERSION     ?= 2026.91
 SOPS_VERSION         ?= 3.13.1
@@ -63,6 +63,7 @@ define COMPOSE_AND
 	[[ -n '$(FLAG_DEBUG)'           ]] && cmd+=( --debug )
 	[[ -n '$(FLAG_DHCP_CENTURION)'  ]] && cmd+=( --dhcp-centurion )
 	[[ -n '$(FLAG_TRIXIE)'          ]] && cmd+=( --trixie )
+	[[ -n '$(PRIMORDIAL_SSH_PORT)'  ]] && cmd+=( --primordial-ssh '$(PRIMORDIAL_SSH_PORT)' )
 	[[ -n '$(PROVIDER_NETCUP_IPV6)' ]] && cmd+=( --provider-netcup-ipv6 '$(PROVIDER_NETCUP_IPV6)' )
 	[[ -n '$(RENICE)'               ]] && cmd+=( --renice-priority '$(RENICE)' )
 	if [[ -n '$(REIONICE_CLASS)' && -n '$(REIONICE_PRIO)' ]]; then

scripts/usr/local/sbin/9999_cdi_starter.sh

@@ -13,6 +13,8 @@
 set -Ceuo pipefail
 umask 0077
 
+declare -gx   VAR_RDNS_DOMAIN=""             # Forward-confirmed reverse DNS domain.
+declare -gx   VAR_RDNS_IPV4=""               # IPv4 address used for RDNS verification.
 declare -grx  VAR_SEMAPHORE="/root/cdi.ciss" # Semaphore to appear.
 declare -girx VAR_TIMEOUT=3600               # Semaphore timer in seconds.
 
@@ -90,6 +92,238 @@ net_wait() {
 # shellcheck disable=SC2034
 readonly -f net_wait
 
+#######################################
+# Validate an IPv4 address.
+# Globals:
+#   None
+# Arguments:
+#   $1: IPv4 address
+# Returns:
+#   0: valid IPv4 address
+#   1: invalid IPv4 address
+#######################################
+is_ipv4() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_ip="${1:-}"
+  declare -a ary_octets=()
+  declare     var_octet=""
+
+  [[ "${var_ip}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
+
+  IFS='.' read -r -a ary_octets <<< "${var_ip}"
+
+  for var_octet in "${ary_octets[@]}"; do
+
+    if ! ((10#${var_octet} <= 255)); then
+
+      return 1
+
+    fi
+
+  done
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f is_ipv4
+
+#######################################
+# Validate a DNS domain name returned by RDNS.
+# Globals:
+#   None
+# Arguments:
+#   $1: domain name
+# Returns:
+#   0: valid domain name
+#   1: invalid domain name
+#######################################
+is_dns_name() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_name="${1:-}"
+
+  [[ "${#var_name}" -le 253 ]] || return 1
+  [[ "${var_name}" =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$ ]] \
+    || return 1
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f is_dns_name
+
+#######################################
+# Retrieve and forward-confirm reverse DNS for the active IPv4 route.
+# Globals:
+#   VAR_RDNS_DOMAIN
+#   VAR_RDNS_IPV4
+# Arguments:
+#   $1: module log file
+# Returns:
+#   0: on confirmed RDNS
+#   1: on missing or unconfirmed RDNS
+#######################################
+# retrieve_rdns() intentionally probes optional resolver tools and validation helpers inside conditionals.
+# shellcheck disable=SC2310,SC2312
+retrieve_rdns() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_log="${1:-}"
+  declare -a ary_a=()
+  declare -a ary_rdns=()
+  declare -a ary_targets=()
+  declare    var_a="" var_ipv4="" var_rdns="" var_target=""
+
+  VAR_RDNS_DOMAIN=""
+  VAR_RDNS_IPV4=""
+
+  mapfile -t ary_targets < <(
+    getent ahostsv4 git.coresecret.dev 2>/dev/null \
+      | awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]/ && !seen[$1]++ { print $1 }'
+  )
+  ary_targets+=( "1.1.1.1" "9.9.9.9" "8.8.8.8" )
+
+  if command -v ip >/dev/null 2>&1; then
+
+    for var_target in "${ary_targets[@]}"; do
+
+      if var_ipv4="$(
+        ip -o -4 route get "${var_target}" 2>/dev/null \
+          | awk '{ for (i = 1; i <= NF; i++) { if ($i == "src") { print $(i + 1); exit } } }'
+      )" && is_ipv4 "${var_ipv4}"; then
+
+        break
+
+      fi
+
+      var_ipv4=""
+
+    done
+
+    if [[ -z "${var_ipv4}" ]]; then
+
+      mapfile -t ary_targets < <(
+        ip -o -4 addr show scope global up 2>/dev/null \
+          | awk '{ split($4, addr, "/"); if (!seen[addr[1]]++) { print addr[1] } }'
+      )
+
+      for var_target in "${ary_targets[@]}"; do
+
+        if is_ipv4 "${var_target}"; then
+
+          var_ipv4="${var_target}"
+          break
+
+        fi
+
+      done
+
+    fi
+
+  fi
+
+  if [[ -z "${var_ipv4}" ]]; then
+
+    logger -t cdi-watcher "retrieve_rdns(): no active IPv4 address found; continuing without RDNS."
+    printf "Command: [retrieve_rdns] no active IPv4 address found; continuing without RDNS.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  if command -v dig >/dev/null 2>&1; then
+
+    mapfile -t ary_rdns < <(
+      dig +time=3 +tries=1 +short -x "${var_ipv4}" 2>/dev/null \
+        | sed 's/[.]$//' \
+        | awk 'NF && !seen[$0]++ { print $0 }'
+    )
+
+  fi
+
+  if ((${#ary_rdns[@]} == 0)) && command -v host >/dev/null 2>&1; then
+
+    mapfile -t ary_rdns < <(
+      host "${var_ipv4}" 2>/dev/null \
+        | awk '/domain name pointer/ { sub(/[.]$/, "", $NF); if (!seen[$NF]++) { print $NF } }'
+    )
+
+  fi
+
+  if ((${#ary_rdns[@]} == 0)); then
+
+    mapfile -t ary_rdns < <(
+      getent hosts "${var_ipv4}" 2>/dev/null \
+        | awk '{ for (i = 2; i <= NF; i++) { sub(/[.]$/, "", $i); if (!seen[$i]++) { print $i } } }'
+    )
+
+  fi
+
+  for var_rdns in "${ary_rdns[@]}"; do
+
+    var_rdns="${var_rdns%.}"
+    var_rdns="${var_rdns,,}"
+
+    if ! is_dns_name "${var_rdns}"; then
+
+      continue
+
+    fi
+
+    ary_a=()
+
+    if command -v dig >/dev/null 2>&1; then
+
+      mapfile -t ary_a < <(
+        dig +time=3 +tries=1 +short A "${var_rdns}" 2>/dev/null \
+          | awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/ && !seen[$0]++ { print $0 }'
+      )
+
+    fi
+
+    if ((${#ary_a[@]} == 0)) && command -v host >/dev/null 2>&1; then
+
+      mapfile -t ary_a < <(
+        host -t A "${var_rdns}" 2>/dev/null \
+          | awk '/ has address / && !seen[$NF]++ { print $NF }'
+      )
+
+    fi
+
+    if ((${#ary_a[@]} == 0)); then
+
+      mapfile -t ary_a < <(
+        getent ahostsv4 "${var_rdns}" 2>/dev/null \
+          | awk '!seen[$1]++ { print $1 }'
+      )
+
+    fi
+
+    for var_a in "${ary_a[@]}"; do
+
+      if is_ipv4 "${var_a}" && [[ "${var_a}" == "${var_ipv4}" ]]; then
+
+        VAR_RDNS_IPV4="${var_ipv4}"
+        VAR_RDNS_DOMAIN="${var_rdns}"
+        logger -t cdi-watcher "retrieve_rdns(): confirmed IPv4 ${VAR_RDNS_IPV4} RDNS ${VAR_RDNS_DOMAIN}."
+        printf "Command: [retrieve_rdns] confirmed IPv4 [%s] RDNS [%s].\n" \
+          "${VAR_RDNS_IPV4}" "${VAR_RDNS_DOMAIN}" >> "${var_log}"
+        return 0
+
+      fi
+
+    done
+
+  done
+
+  logger -t cdi-watcher "retrieve_rdns(): no forward-confirmed RDNS for IPv4 ${var_ipv4}; continuing without RDNS."
+  printf "Command: [retrieve_rdns] no forward-confirmed RDNS for IPv4 [%s]; continuing without RDNS.\n" \
+    "${var_ipv4}" >> "${var_log}"
+
+  return 1
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f retrieve_rdns
+
 #######################################
 # Wrapper for loading CISS hardened Kernel Parameters.
 # Globals:
@@ -130,7 +364,7 @@ main() {
   touch "${var_log}"
 
 
-  printf "CISS.debian.installer Master V9.14.020.2026.06.08 is up! \n" >> "${var_log}"
+  printf "CISS.debian.live.builder V9.14.022.2026.06.10 calling CISS.debian.installer ... \n" >> "${var_log}"
 
   ### Sleep a moment to settle boot artifacts.
   sleep 8
@@ -153,6 +387,12 @@ main() {
   fi
   printf "Command: [net_wait] executed.\n" >> "${var_log}"
 
+  ### Retrieve forward-confirmed reverse DNS.
+  printf "Command: [retrieve_rdns] to be executed ... \n" >> "${var_log}"
+  # shellcheck disable=SC2310
+  retrieve_rdns "${var_log}" || true
+  printf "Command: [retrieve_rdns] executed.\n" >> "${var_log}"
+
   ### apt update.
   if ! apt-get update >> "${var_log}"; then
 
@@ -209,7 +449,7 @@ main() {
 
   ### Timeout reached without acceptable semaphore.
   logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V9.14.020.2026.06.08: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.live.builder V9.14.022.2026.06.10: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
 
   exit 0
 }

var/early.var.sh

@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.020.2026.06.08"
+declare -grx VAR_VERSION="Master V9.14.022.2026.06.10"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
   # Print $4 and $5; include $6 only if it exists
   out = $4

var/global.var.sh

@@ -34,6 +34,7 @@ declare -g  VAR_HANDLER_CDI="false"
 declare -g  VAR_HANDLER_NETCUP_IPV6="false"
 declare -g  VAR_HANDLER_SPLASH=""
 declare -g  VAR_HASHED_PWD=""
+declare -g  VAR_PRIMORDIAL_SSH_PORT=""
 declare -g  VAR_SCRIPT_SUCCESS="false"
 declare -g  VAR_SOPS_VERSION="3.13.1"
 declare -g  VAR_SSHFP="false"