V9.14.022.2026.06.11: enforce secret and cleanup safeguards

ciss_live_builder.sh

@@ -124,22 +124,28 @@ sleep 4
 printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 declare -grx VAR_SETUP="true"
 
-### SECURING SECRETS ARTIFACTS.
-test ! -L "${VAR_TMP_SECRET}" || {
-  . ./var/global.var.sh
-  printf "\e[91m❌ Refusing symlink: '%s'! Bye... \e[0m\n" "${VAR_TMP_SECRET}" >&2
-  exit "${ERR_SECRETSSYM}"
-}
-find "${VAR_TMP_SECRET}" -type f -exec chmod 0400 {} +
-find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
-
 ### SOURCING VARIABLES.
 [[ "${VAR_SETUP}" == true ]] && {
   source_guard "./var/color.var.sh"
   source_guard "./var/global.var.sh"
 }
 
-### SOURCING LIBRARIES.
+### SOURCE THE MINIMUM REQUIRED FOR EARLY EXIT CLEANUP COVERAGE.
+[[ "${VAR_SETUP}" == true ]] && {
+  source_guard "./lib/lib_secret_validation.sh"
+  source_guard "./lib/lib_build_directory.sh"
+  source_guard "./lib/lib_debug_sanitizer.sh"
+  source_guard "./lib/lib_clean_up.sh"
+  source_guard "./lib/lib_trap_on_err.sh"
+  source_guard "./lib/lib_trap_on_exit.sh"
+}
+
+trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
+
+### Validate the fixed tmpfs secret staging area without modifying operator-provided files.
+validate_secret_staging_area
+
+### SOURCING REMAINING LIBRARIES.
 [[ "${VAR_SETUP}" == true ]] && {
   source_guard "./lib/lib_arg_parser.sh"
   source_guard "./lib/lib_arg_priority_check.sh"
@@ -158,7 +164,6 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
   source_guard "./lib/lib_ciss_upgrades_boot.sh"
   source_guard "./lib/lib_ciss_upgrades_build.sh"
   source_guard "./lib/lib_clean_screen.sh"
-  source_guard "./lib/lib_clean_up.sh"
   source_guard "./lib/lib_copy_integrity.sh"
   source_guard "./lib/lib_gnupg.sh"
   source_guard "./lib/lib_hardening_root_pw.sh"
@@ -174,12 +179,13 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
   source_guard "./lib/lib_run_analysis.sh"
   source_guard "./lib/lib_sanitizer.sh"
   source_guard "./lib/lib_secureboot_profile.sh"
-  source_guard "./lib/lib_trap_on_err.sh"
-  source_guard "./lib/lib_trap_on_exit.sh"
   source_guard "./lib/lib_update_microcode.sh"
   source_guard "./lib/lib_usage.sh"
 }
 
+### Add ERR handling after all remaining libraries are available.
+trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
+
 ### PRE-SCAN SECURE BOOT PROFILE FOR BUILD-HOST PACKAGE CHECKS.
 ### Formal validation still happens in arg_parser().
 for ((idx=0; idx<${#ARY_PARAM_ARRAY[@]}; idx++)); do
@@ -223,10 +229,6 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n
 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 
-### Following the CISS Bash naming and ordering scheme:
-trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
-trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
-
 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"