V9.14.004.2026.05.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-05-17 14:28:12 +01:00
parent 6307bc2b7c
commit c80b45417f
48 changed files with 299 additions and 117 deletions
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 name: 💙 Generating a PUBLIC Live ISO.
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V9.14.002.2026.05.13"
+      placeholder: "e.g., Master V9.14.004.2026.05.17"
    validations:
      required: true
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 FROM debian:bookworm
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 name: 🔁 Render README.md to README.html.
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.002.2026.05.13
+  version: V9.14.004.2026.05.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.002.2026.05.13
+  version: V9.14.004.2026.05.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.002.2026.05.13
+  version: V9.14.004.2026.05.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 name: 💙 Generating a PUBLIC Live ISO.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 name: 🔁 Render Graphviz Diagrams.
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.002.2026.05.13"
+properties_version="V9.14.004.2026.05.17"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -0,0 +1,86 @@
 # AGENTS.md
 ## Repository purpose
 This repository builds and maintains Debian-based live/installer infrastructure.
 Treat changes as security-sensitive and boot-chain-sensitive.
 Follow `docs/CODING_CONVENTION.md` for coding style and `code_review.md` for reviews.
 ## Non-negotiable constraints
 - Target distribution: Debian 13 Trixie unless explicitly stated otherwise.
 - Do not introduce Ubuntu-specific assumptions.
 - Do not invent live-build, initramfs, cryptsetup, systemd, GRUB, or Debian package behavior. Verify against existing files or
  official documentation.
 - Do not add phase-argument gates to live-boot/initramfs scripts. Script execution is controlled by Debian hook placement.
 - Preserve encrypted-root / encrypted-SquashFS architecture unless the task explicitly changes it.
 - Prefer simple, inspectable Bash over clever abstractions.
 ## Repository workflow
 Before editing:
 - Inspect the relevant scripts, hooks, config files, README files, and existing naming conventions.
 - Identify the exact boot/build phase affected by the change.
 - Explain the minimal intended change.
 Boot/build phases:
 - host-side orchestration: `ciss_live_builder.sh`, `lib/*.sh`, `makefile`
 - live-build hooks: `config/hooks/live/*.chroot` and `config/hooks/live/*.binary`
 - initramfs hooks/scripts: `config/includes.chroot/etc/initramfs-tools/*`
 - live-boot runtime scripts: `config/includes.chroot/usr/lib/live/boot/*`
 After editing:
 - Run the most relevant available checks.
 - At minimum, run syntax checks for changed shell scripts:
  - `bash -n <file>`
  - `shellcheck <file>` if available
 - If POSIX shell scripts are changed, run `sh -n <file>` where Bash syntax is not expected.
 - If the make wrapper or builder argument composition changes, run `make dry-run`.
 - If Python files are introduced or changed:
  - `ruff check`
  - `mypy`
  - `pytest` if tests exist
 - If CLI options or user-facing behavior change, update `usage()` and the relevant README/docs.
 - If live-build, initramfs, or ISO behavior changes, describe the required Debian Trixie live-build or ISO validation command.
 ## Bash conventions
 - Use explicit error handling.
 - Quote expansions.
 - Prefer arrays where word splitting matters.
 - Avoid `eval`.
 - Avoid parsing `ls`.
 - Keep functions small and readable.
 - Use English comments.
 - Explain security-sensitive fallbacks.
 - Fail closed where possible.
 ## Python conventions
 - Use Python 3.14-compatible code unless the project states otherwise.
 - Use pathlib.
 - Add type hints.
 - Keep ruff and mypy compatibility.
 - Avoid broad `except Exception` unless justified and logged.
 - Prefer explicit models/config objects over unstructured dictionaries for durable interfaces.
 ## Security review checklist
 Before finalizing a change, check whether it affects:
 - boot trust
 - initramfs behavior
 - cryptsetup/LUKS handling
 - key material
 - remote unlock
 - TLS/mTLS verification
 - signature/hash verification
 - network exposure
 - file permissions
 - persistence
 - logging of sensitive values
 If affected, document the risk and mitigation in the final response.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.002.2026.05.13
+PackageVersion: Master V9.14.004.2026.05.17
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.002.2026.05.13-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.004.2026.05.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V9.14.002.2026.05.13`
+Example: `V9.14.004.2026.05.17`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **9.14**, Build **V9.14.002.2026.05.13** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.004.2026.05.17** (as of 2025-10-11)
 ## 3.1. Top-Level Layout
@@ -0,0 +1,49 @@
 # code_review.md
 Review priorities, in order:
 1. Correctness
 2. Security regressions
 3. Boot/build reproducibility
 4. Data loss risk
 5. Error handling
 6. Test coverage
 7. Maintainability
 8. Minimality of diff
 9. Style consistency
 Finding classes:
 - BLOCKER: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before
  merge
 - RISK: plausible issue or security concern that is not fully proven from the available context
 - CLEANUP: maintainability, readability, or consistency improvement that is not required for correctness
 - NOTE: observation only; no change requested
 Review output format:
 - List findings first, ordered by severity.
 - Cite file paths and line numbers where possible.
 - For each finding, explain the concrete impact, and the smallest reasonable fix.
 - Separate observations, inferences, and recommendations.
 - After findings, list missing checks or residual risks.
 - If there are no findings, say so explicitly and still mention relevant test gaps.
 Do not nitpick formatting if automated tooling exists.
 Do not invent requirements not present in the task, repository, or documentation.
 Security-sensitive review checklist:
 - boot trust
 - initramfs behavior
 - cryptsetup/LUKS handling
 - encrypted SquashFS handling
 - key material
 - remotely unlock
 - TLS/mTLS verification
 - signature/hash verification
 - network exposure
 - file permissions
 - persistence
 - logging of sensitive values
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V9.14.002.2026.05.13"
+declare -gr VERSION="Master V9.14.004.2026.05.17"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.002.2026.05.13 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.004.2026.05.17 at: 10:18:37.9542
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. DNSSEC Status
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. Lynis Audit:
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. SSH Audit by ssh-audit.com
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. TLS Audit:
 ````text
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. Hardened Kernel Boot Parameters
@@ -8,10 +8,15 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. Changelog
 ## V9.14.004.2026.05.17
 * **Added**: [AGENTS.md](../AGENTS.md)
 * **Added**: [code_review.md](../code_review.md)
 * **Changed**: [CODING_CONVENTION.md](CODING_CONVENTION.md)
 ## V9.14.002.2026.05.13
 * **Added**: [9935_hardening_ssl.chroot](../config/hooks/live/9935_hardening_ssl.chroot)
 * **Added**: [dropbear-2026.91.tar.bz2](../upgrades/dropbear/dropbear-2026.91.tar.bz2)
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. Centurion Net - Developer Branch Overview
@@ -6,86 +6,128 @@ include_toc: true
 # 1. CISS.debian.live.builder
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
-*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
 **Master Version**: 9.14<br>
 **Build**: V9.14.002.2026.05.13<br>
-# 2. Coding Style
+# 2. Purpose
-## 2.1. PR
+This document defines the coding and review conventions for this repository.
-You'd make the life of the maintainers easier if you submit only _one_ patch with _one_ functional change per PR.
+The project builds Debian-based live and installer infrastructure. Treat every change as security-sensitive and
 boot-chain-sensitive, especially changes that affect initramfs behavior, encrypted SquashFS handling, LUKS, Dropbear, GRUB,
 checksums, signatures, package sources, hardening settings, or network exposure.
-## 2.2 Documentation
+# 3. Change discipline
-Some people really read that ! New features would need to be documented in the appropriate section in `usage()` and in
+* Keep changes small, local, and reviewable.
-`~/docs/DOCUMENTATION.md`.
+* Make one functional change per pull request or patch set.
 * Preserve existing architecture, naming style, error handling, formatting, and security posture.
 * Do not introduce Ubuntu-specific assumptions. The default target distribution is Debian 13 Trixie.
 * Do not invent live-build, live-boot, initramfs, cryptsetup, GRUB, systemd, or Debian package behavior. Verify against existing
  code or authoritative Debian/upstream documentation.
 * Do not weaken cryptography, authentication, sandboxing, permission checks, TLS verification, signature verification, checksum
  verification, or input validation unless the task explicitly requires it and the risk is documented.
 * Prefer simple, inspectable Bash over clever abstractions.
-## 2.3. Coding
+# 4. Boot and build phases
-### 2.3.1. Shell / bash
+Identify the affected phase before changing behavior:
-Bash is actually quite powerful—not only with respect to sockets. It's not as mighty as perl or python, but there are a lot of
+* `ciss_live_builder.sh` and `lib/*.sh`: host-side orchestration and argument handling.
-neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there.
+* `makefile`: local wrapper for composing and executing builder invocations.
 * `config/hooks/live/*.chroot`: live-build chroot hooks.
 * `config/hooks/live/*.binary`: live-build binary-image hooks.
 * `config/includes.chroot/etc/initramfs-tools/hooks/*`: initramfs build hooks.
 * `config/includes.chroot/etc/initramfs-tools/scripts/*`: initramfs boot scripts.
 * `config/includes.chroot/usr/lib/live/boot/*`: live-boot runtime scripts.
 * `scripts/*`: source files copied into the generated image or used by build helpers.
-* Don't use backticks anymore, use `$(..)` instead
+Do not add ad-hoc phase arguments to live-boot or initramfs scripts. Execution phase must be controlled by the directory and
-* Use double square `[[]]` brackets (_conditional expressions)_ instead of single square `[]` brackets
+hook placement expected by Debian tooling.
 * In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (`=~`) you shouldn't
  quote at all.
 * The [BashPitfalls](http://mywiki.wooledge.org/BashPitfalls) is a good read!
 * Whenever possible try to avoid `tr` `sed` `awk` and use bash internal functions instead, see
  e.g., [bash shell parameter substitution](http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html). It is
  slower as it forks, fopens and pipes back the result.
 * `read` often can replace `awk`: `IFS=, read -ra a b c <<< "$line_with_comma"`
 * Bash can also deal perfectly with regular expressions, see
  e.g., [here](https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html)
  and [here](https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com).
 * If you still need to use any of `tr`, `sed` and `awk`: try to avoid a mix of several external binaries e.g., if you can
  achieve the same with e.g. `awk`.
 * Be careful with very advanced bash features. Mac OS X is still using bash version
  3 ([differences](http://tldp.org/LDP/abs/html/bashver4.html)).
 * Always use a return value for a function/method. 0 means all is fine.
 * Make use of [shellcheck](https://github.com/koalaman/shellcheck) if possible.
 * Follow the [shellformat](https://google.github.io/styleguide/shellguide.html) Shell-Style Guide.
-### 2.3.2. Shell specific
+# 5. Bash style
-* Security:
+* Use Bash for builder scripts and live-build hooks when the existing file uses Bash.
-  * Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.
+* Use POSIX `sh` only where Debian hook interfaces or neighboring files require it. Keep such files POSIX-compatible.
-  * Unless you're really sure where the values come from, variables need to be put in quotes.
+* Prefer `set -Ceuo pipefail` for Bash scripts where feasible. If a script cannot use strict mode safely, keep the exception
  local and make the reason clear.
 * Quote expansions unless word splitting or globbing is explicitly required.
 * Prefer arrays where arguments or file names may contain whitespace.
 * Use `[[ ... ]]` for Bash conditionals. For regular-expression matches with `=~`, do not quote the right-hand regex.
 * Use `$(...)` command substitution, not backticks.
 * Avoid `eval`.
 * Avoid parsing `ls`.
 * Prefer `command -v` over `which`.
 * Check command results explicitly when failure needs custom handling.
 * Use `case` for option dispatch and multi-branch string handling.
 * Keep functions small and readable.
 * Use English comments. Add comments for non-obvious security or boot-chain decisions, not for obvious assignments.
-### 2.3.3. Variables
+# 6. Variables and functions
-* Use **"speaking variables"** but don't overdo it with the length.
+Follow the existing repository naming style:
 * No _camelCase_, please. We distinguish between lowercase and uppercase only.
  * Global variables:
    * use them only when really necessary,
    * in CAPS,
    * initialize them (`declare -g VAR_EXAMPLE=""`),
    * SHOULD start with:
      * `ARY_`  for Arrays,
      * `C_`    for Variables defining colored outputs,
      * `ERR_`  for Error Codes Variables,
      * `HMP_`  for HashMap Arrays,
      * `LOG_`  for Logfile Variables,
      * `PID_`  for PID Variables,
      * `PIPE_` for PIPE Variables,
      * `VAR_`  for Variables
  * Local variables:
    * are lower case,
    * declare them before usage (`declare` eq `local`),
    * initialize them (`declare var_example=""`),
    * SHOULD start with:
      * `ary_` for Arrays,
      * `c_` for Variables defining colored outputs,
      * `err_` for Error Codes Variables,
      * `hmp_` for HashMap Arrays,
      * `log_` for Logfile Variables,
      * `var_` for Variables.
-# 3. Misc
+* Global variables are uppercase and initialized before use.
 * Global arrays use the `ARY_` prefix where this convention already applies.
 * Other established global prefixes include `C_`, `ERR_`, `HMP_`, `LOG_`, `PID_`, `PIPE_`, and `VAR_`.
 * Local variables are lowercase and initialized before use.
 * Local array and helper prefixes include `ary_`, `c_`, `err_`, `hmp_`, `log_`, and `var_`.
 * Function names use lowercase words separated by underscores.
 * Prefer `declare` or `local` consistently with the surrounding file.
-* Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected.
+# 7. Input, secrets, and files
 * Treat CLI arguments, environment variables, generated file paths, network data, package metadata, and user-provided files as
  untrusted until validated.
 * Validate ports, IP addresses, kernel version strings, paths, package names, and feature flags before use.
 * Fail closed when validation cannot prove that continuing is safe.
 * Do not print secrets, private keys, passphrases, tokens, or sensitive environment values.
 * Use restrictive permissions for generated secret material.
 * Prefer `mktemp` for temporary files and clean them up with traps when appropriate.
 * Do not create persistent state unless the behavior is intentional and documented.
 # 8. Dependencies and downloads
 * Do not add new runtime dependencies unless the task requires them. Prefer standard Debian tooling or existing project helpers.
 * When a dependency is needed, document why an existing or standard-library alternative is insufficient.
 * Do not add remote downloads, auto-update behavior, telemetry, or network callbacks without explicit justification.
 * For required downloads, use HTTPS where applicable and preserve or add signature/checksum verification.
 * Do not use `curl | sh`, `wget | sh`, or equivalent execution of unaudited remote content.
 # 9. Documentation
 Update documentation together with behavior:
 * New or changed CLI options must update `usage()` and relevant README or documentation sections.
 * Boot parameter changes must update `docs/BOOTPARAMS.md` where applicable.
 * Security-sensitive behavior changes must update the relevant audit, manual, or security documentation.
 * Generated examples must stay valid for Debian 13 Trixie unless the task explicitly targets another release.
 * Code comments, embedded prompts, commit messages, and repository documentation should normally be written in English.
 # 10. Formatting
 * Preserve SPDX headers and existing file headers where present.
 * New source or configuration files should include the project SPDX header when comparable files already use one.
 * Follow `.editorconfig`: LF line endings, UTF-8 where configured, two-space Markdown indentation, and tabs for `makefile`
  recipes.
 * Keep line lengths readable and consistent with neighboring files.
 * Do not churn formatting unrelated to the task.
 # 11. Checks
 Run the narrowest checks that prove the change:
 * Shell files: `bash -n <file>` for Bash scripts, and `shellcheck <file>` when ShellCheck is available.
 * POSIX shell files: `sh -n <file>` where Bash syntax is not expected.
 * Make wrapper or argument-composition changes: `make dry-run`.
 * Python files, if introduced or changed: `ruff check`, `mypy`, and `pytest` when tests exist.
 * Live-build, initramfs, or ISO behavior changes: document the required Debian Trixie build validation command, normally
  `make live` or the equivalent `./ciss_live_builder.sh ...` invocation.
 If a relevant check cannot be run in the current environment, state the exact reason and the command that should be run locally.
 # 12. Code review
 Reviews follow `code_review.md`.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. Contributing / participating
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. Credits
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.002.2026.05.13
+Master V9.14.004.2026.05.17
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
@@ -152,7 +152,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
-                        V9.14.002.2026.05.13                        2025-11-06                         CDLB(1)
+                        V9.14.004.2026.05.17                        2025-11-06                         CDLB(1)
 ````
 # 3. Booting
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. Resources
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. ``30-ciss-hardening.conf``
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. ``90-ciss-local.hardened``
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>
 # 2. ``ciss_live_builder.sh``
@@ -39,13 +39,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V9.14.002.2026.05.13                        2026-05-13                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V9.14.004.2026.05.17                        2026-05-13                         CDLB(1)" "${var_cols}")
  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V9.14.002.2026.05.13\e[0m"
+    echo -e "\e[92mMaster V9.14.004.2026.05.17\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
@@ -130,7 +130,7 @@ main() {
  touch "${var_log}"
-  printf "CISS.debian.installer Master V9.14.002.2026.05.13 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.004.2026.05.17 is up! \n" >> "${var_log}"
  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -209,7 +209,7 @@ main() {
  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V9.14.002.2026.05.13: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.004.2026.05.17: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
  exit 0
 }
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.002.2026.05.13"
+declare -grx VAR_VERSION="Master V9.14.004.2026.05.17"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4