V9.14.022.2026.06.11: document and test audit safeguards

lib/lib_usage.sh

@@ -67,6 +67,10 @@ usage() {
     echo
     echo -e "\e[97m  --build-directory </path/to/build_directory> \e[0m"
     echo "    Where the Debian Live Build Image should be generated. RECOMMENDED path: </opt/cdlb>"
+    echo "    The path MUST be canonical and dedicated to the builder; a new directory's canonical parent MUST already exist."
+    echo "    New or empty directories receive the"
+    echo "    '.ciss-live-builder-owned' marker; populated unmarked directories are rejected. Cleanup is intentionally"
+    echo "    destructive only inside the exact validated marker-owned directory."
     echo "    MUST be provided."
     echo
     echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon> \e[0m"
@@ -87,6 +91,7 @@ usage() {
     echo -e "\e[97m  --debug, -d \e[0m"
     echo "    Enables debug logging for the main program routine. Detailed logging information are written to:"
     echo "    </tmp/ciss_live_builder_$$.log>"
+    echo "    A final exact-value sanitisation pass is defence in depth and does not replace careful tracing discipline."
     echo
     echo -e "\e[97m  --dhcp-centurion \e[0m"
     echo "    If a DHCP lease is provided, the provider's name server will be overridden and the hardened, privacy-focused "
@@ -108,11 +113,13 @@ usage() {
     echo
     echo -e "\e[97m  --key_age=* \e[0m"
     echo "    The SOPS AGE private keyring for decryption operations. Change '*' to your desired SOPS AGE key file."
+    echo "    '*' MUST be a filename only without slashes, '.' or '..' traversal."
     echo "    File MUST be placed in:"
     echo "    </dev/shm/cdlb_secrets>"
     echo
     echo -e "\e[97m  --key_luks=* \e[0m"
     echo "    The LUKS encryption / decryption passphrase for '/'-fs-encryption. Change '*' to your desired passphrase file."
+    echo "    '*' MUST be a filename only without slashes, '.' or '..' traversal."
     echo "    File MUST be placed in:"
     echo "    </dev/shm/cdlb_secrets>"
     echo
@@ -162,7 +169,7 @@ usage() {
     echo -e "\e[97m  --root-password-file </dev/shm/cdlb_secrets/password.txt>> \e[0m"
     echo "    Password file for 'root', if given, MUST be a string of 42 to 64 characters."
     echo "    If the argument is omitted, no further login authentication is required for the local console."
-    echo "    MUST be placed in:"
+    echo "    Safe absolute paths remain supported and are validated separately. RECOMMENDED path:"
     echo "    </dev/shm/cdlb_secrets/password.txt>"
     echo
     echo -e "\e[97m  --secure-boot-profile <STRING> one of <debian-shim | ciss-uki> \e[0m"
@@ -178,7 +185,8 @@ usage() {
     echo "    specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file."
     echo "    Specify the fingerprint of the key to use via '--signing_key_fpr=*'."
     echo "    Optionally import an offline GPG CA signing public key via: '--signing_ca=*'."
-    echo "    Change '*' to your desired files / fingerprint. Files MUST be placed in:"
+    echo "    Change '*' to your desired filename-only files / fingerprint. Filename-only values MUST NOT contain slashes"
+    echo "    or traversal. Files MUST be placed in:"
     echo "    </dev/shm/cdlb_secrets>"
     echo
     echo -e "\e[97m  --sops-version <STRING> \e[0m"
@@ -212,6 +220,9 @@ usage() {
     echo
     echo -e "\e[93m💡 Notes: \e[0m"
     echo -e "\e[93m🔵 You MUST be 'root' to run this script. \e[0m"
+    echo -e "\e[93m🔵 Private operator control does not remove the requirement for strict local secret path validation. \e[0m"
+    echo -e "\e[93m🔵 '/dev/shm/cdlb_secrets' MUST be tmpfs-backed, root-owned, mode 0700, and contain only \e[0m"
+    echo -e "\e[93m   single-link regular secret files with mode 0400 or 0600. Secure deletion with shred is best-effort only. \e[0m"
     echo
     echo -e "\e[95m💷 Please consider donating to my work at: \e[0m"
     echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m"