V8.03.256.2025.06.02

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

README.md

@@ -33,7 +33,7 @@ and service security. It integrates into your build pipeline to deliver an isola
 cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows 
 based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
 changes and made publicly available for download. The latest generic ISO is available at:
-[CISS.debian.live.ISO PUBLIC](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/DL_PUB_ISO.md)
+**[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
 
 Check out more:
 * [CenturionNet Services](https://coresecret.eu/cnet/) 
@@ -49,14 +49,25 @@ Check out more:
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to 
 move to a room-gapped environment. ^^
 
-### 1.1.2. HSTS and DNSSEC
+### 1.1.2. DNSSEC, HSTS, TLS
 
 Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers:
 ````nginx configuration pro
 add_header Expect-CT                 "max-age=86400, enforce"                       always;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
-Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md)
+
+* Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
+* A comprehensive TLS audit of the `git.coresecret.dev` Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
+
+### 1.1.3. Gitea Action Runner Hardening
+
+The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely 
+dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using 
+non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own 
+separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a security 
+rating of 2.6). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
+of both UFW software firewalls and dedicated hardware firewall appliances.
 
 ## 1.2. Immutable Source-of-Truth System
 
@@ -85,11 +96,11 @@ source-defined infrastructure logic.<br>
 After build and configuration, the following audit reports can be generated:
 
 * **Haveged Audit Report**: Validates entropy daemon health and confirms '/dev/random' seeding performance.
-  Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md)
+  Type `chkhvg` at the prompt. See example report: **[Haveged Audit Report](/docs/AUDIT_HAVEGED.md)**
 * **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
-  Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md)
+  Type `lsadt` at the prompt. See example report: **[Lynis Audit Report](/docs/AUDIT_LYNIS.md)**
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
-  Type `ssh-audit <IP>:<PORT>`. See example report: [SSH Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md)
+  Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
 
 ## 1.3. Preview