V9.14.004.2026.05.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-05-17 14:28:12 +01:00
parent 6307bc2b7c
commit c80b45417f
48 changed files with 299 additions and 117 deletions
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 name: 💙 Generating a PUBLIC Live ISO.

@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V9.14.002.2026.05.13"
+      placeholder: "e.g., Master V9.14.004.2026.05.17"
    validations:
      required: true

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 FROM debian:bookworm

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 name: 🔁 Render README.md to README.html.

@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.002.2026.05.13
+  version: V9.14.004.2026.05.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.002.2026.05.13
+  version: V9.14.004.2026.05.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.002.2026.05.13
+  version: V9.14.004.2026.05.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 name: 💙 Generating a PUBLIC Live ISO.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 name: 🔁 Render Graphviz Diagrams.

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.002.2026.05.13"
+properties_version="V9.14.004.2026.05.17"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -0,0 +1,86 @@
+# AGENTS.md
+
+## Repository purpose
+
+This repository builds and maintains Debian-based live/installer infrastructure.
+Treat changes as security-sensitive and boot-chain-sensitive.
+Follow `docs/CODING_CONVENTION.md` for coding style and `code_review.md` for reviews.
+
+## Non-negotiable constraints
+
+- Target distribution: Debian 13 Trixie unless explicitly stated otherwise.
+- Do not introduce Ubuntu-specific assumptions.
+- Do not invent live-build, initramfs, cryptsetup, systemd, GRUB, or Debian package behavior. Verify against existing files or
+  official documentation.
+- Do not add phase-argument gates to live-boot/initramfs scripts. Script execution is controlled by Debian hook placement.
+- Preserve encrypted-root / encrypted-SquashFS architecture unless the task explicitly changes it.
+- Prefer simple, inspectable Bash over clever abstractions.
+
+## Repository workflow
+
+Before editing:
+- Inspect the relevant scripts, hooks, config files, README files, and existing naming conventions.
+- Identify the exact boot/build phase affected by the change.
+- Explain the minimal intended change.
+
+Boot/build phases:
+- host-side orchestration: `ciss_live_builder.sh`, `lib/*.sh`, `makefile`
+- live-build hooks: `config/hooks/live/*.chroot` and `config/hooks/live/*.binary`
+- initramfs hooks/scripts: `config/includes.chroot/etc/initramfs-tools/*`
+- live-boot runtime scripts: `config/includes.chroot/usr/lib/live/boot/*`
+
+After editing:
+- Run the most relevant available checks.
+- At minimum, run syntax checks for changed shell scripts:
+  - `bash -n <file>`
+  - `shellcheck <file>` if available
+- If POSIX shell scripts are changed, run `sh -n <file>` where Bash syntax is not expected.
+- If the make wrapper or builder argument composition changes, run `make dry-run`.
+- If Python files are introduced or changed:
+  - `ruff check`
+  - `mypy`
+  - `pytest` if tests exist
+- If CLI options or user-facing behavior change, update `usage()` and the relevant README/docs.
+- If live-build, initramfs, or ISO behavior changes, describe the required Debian Trixie live-build or ISO validation command.
+
+## Bash conventions
+
+- Use explicit error handling.
+- Quote expansions.
+- Prefer arrays where word splitting matters.
+- Avoid `eval`.
+- Avoid parsing `ls`.
+- Keep functions small and readable.
+- Use English comments.
+- Explain security-sensitive fallbacks.
+- Fail closed where possible.
+
+## Python conventions
+
+- Use Python 3.14-compatible code unless the project states otherwise.
+- Use pathlib.
+- Add type hints.
+- Keep ruff and mypy compatibility.
+- Avoid broad `except Exception` unless justified and logged.
+- Prefer explicit models/config objects over unstructured dictionaries for durable interfaces.
+
+## Security review checklist
+
+Before finalizing a change, check whether it affects:
+- boot trust
+- initramfs behavior
+- cryptsetup/LUKS handling
+- key material
+- remote unlock
+- TLS/mTLS verification
+- signature/hash verification
+- network exposure
+- file permissions
+- persistence
+- logging of sensitive values
+
+If affected, document the risk and mitigation in the final response.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.002.2026.05.13
+PackageVersion: Master V9.14.004.2026.05.17
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.002.2026.05.13-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.004.2026.05.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V9.14.002.2026.05.13`
+Example: `V9.14.004.2026.05.17`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Repository Structure

 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **9.14**, Build **V9.14.002.2026.05.13** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.004.2026.05.17** (as of 2025-10-11)

 ## 3.1. Top-Level Layout

@@ -0,0 +1,49 @@
+# code_review.md
+
+Review priorities, in order:
+
+1. Correctness
+2. Security regressions
+3. Boot/build reproducibility
+4. Data loss risk
+5. Error handling
+6. Test coverage
+7. Maintainability
+8. Minimality of diff
+9. Style consistency
+
+Finding classes:
+- BLOCKER: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before
+  merge
+- RISK: plausible issue or security concern that is not fully proven from the available context
+- CLEANUP: maintainability, readability, or consistency improvement that is not required for correctness
+- NOTE: observation only; no change requested
+
+Review output format:
+- List findings first, ordered by severity.
+- Cite file paths and line numbers where possible.
+- For each finding, explain the concrete impact, and the smallest reasonable fix.
+- Separate observations, inferences, and recommendations.
+- After findings, list missing checks or residual risks.
+- If there are no findings, say so explicitly and still mention relevant test gaps.
+
+Do not nitpick formatting if automated tooling exists.
+Do not invent requirements not present in the task, repository, or documentation.
+
+Security-sensitive review checklist:
+- boot trust
+- initramfs behavior
+- cryptsetup/LUKS handling
+- encrypted SquashFS handling
+- key material
+- remotely unlock
+- TLS/mTLS verification
+- signature/hash verification
+- network exposure
+- file permissions
+- persistence
+- logging of sensitive values
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.002.2026.05.13
+# Version Master V9.14.004.2026.05.17

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V9.14.002.2026.05.13"
+declare -gr VERSION="Master V9.14.004.2026.05.17"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.002.2026.05.13 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.004.2026.05.17 at: 10:18:37.9542
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. DNSSEC Status

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Lynis Audit:

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. SSH Audit by ssh-audit.com

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. TLS Audit:
 ````text
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Hardened Kernel Boot Parameters

@@ -8,10 +8,15 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Changelog

+## V9.14.004.2026.05.17
+* **Added**: [AGENTS.md](../AGENTS.md)
+* **Added**: [code_review.md](../code_review.md)
+* **Changed**: [CODING_CONVENTION.md](CODING_CONVENTION.md)
+
 ## V9.14.002.2026.05.13
 * **Added**: [9935_hardening_ssl.chroot](../config/hooks/live/9935_hardening_ssl.chroot)
 * **Added**: [dropbear-2026.91.tar.bz2](../upgrades/dropbear/dropbear-2026.91.tar.bz2)
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Centurion Net - Developer Branch Overview

@@ -6,86 +6,128 @@ include_toc: true
 # 1. CISS.debian.live.builder

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
-*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*

-# 2. Coding Style
+# 2. Purpose

-## 2.1. PR
+This document defines the coding and review conventions for this repository.

-You'd make the life of the maintainers easier if you submit only _one_ patch with _one_ functional change per PR.
+The project builds Debian-based live and installer infrastructure. Treat every change as security-sensitive and
+boot-chain-sensitive, especially changes that affect initramfs behavior, encrypted SquashFS handling, LUKS, Dropbear, GRUB,
+checksums, signatures, package sources, hardening settings, or network exposure.

-## 2.2 Documentation
+# 3. Change discipline

-Some people really read that ! New features would need to be documented in the appropriate section in `usage()` and in
-`~/docs/DOCUMENTATION.md`.
+* Keep changes small, local, and reviewable.
+* Make one functional change per pull request or patch set.
+* Preserve existing architecture, naming style, error handling, formatting, and security posture.
+* Do not introduce Ubuntu-specific assumptions. The default target distribution is Debian 13 Trixie.
+* Do not invent live-build, live-boot, initramfs, cryptsetup, GRUB, systemd, or Debian package behavior. Verify against existing
+  code or authoritative Debian/upstream documentation.
+* Do not weaken cryptography, authentication, sandboxing, permission checks, TLS verification, signature verification, checksum
+  verification, or input validation unless the task explicitly requires it and the risk is documented.
+* Prefer simple, inspectable Bash over clever abstractions.

-## 2.3. Coding
+# 4. Boot and build phases

-### 2.3.1. Shell / bash
+Identify the affected phase before changing behavior:

-Bash is actually quite powerful—not only with respect to sockets. It's not as mighty as perl or python, but there are a lot of
-neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there.
+* `ciss_live_builder.sh` and `lib/*.sh`: host-side orchestration and argument handling.
+* `makefile`: local wrapper for composing and executing builder invocations.
+* `config/hooks/live/*.chroot`: live-build chroot hooks.
+* `config/hooks/live/*.binary`: live-build binary-image hooks.
+* `config/includes.chroot/etc/initramfs-tools/hooks/*`: initramfs build hooks.
+* `config/includes.chroot/etc/initramfs-tools/scripts/*`: initramfs boot scripts.
+* `config/includes.chroot/usr/lib/live/boot/*`: live-boot runtime scripts.
+* `scripts/*`: source files copied into the generated image or used by build helpers.

-* Don't use backticks anymore, use `$(..)` instead
-* Use double square `[[]]` brackets (_conditional expressions)_ instead of single square `[]` brackets
-* In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (`=~`) you shouldn't
-  quote at all.
-* The [BashPitfalls](http://mywiki.wooledge.org/BashPitfalls) is a good read!
-* Whenever possible try to avoid `tr` `sed` `awk` and use bash internal functions instead, see
-  e.g., [bash shell parameter substitution](http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html). It is
-  slower as it forks, fopens and pipes back the result.
-* `read` often can replace `awk`: `IFS=, read -ra a b c <<< "$line_with_comma"`
-* Bash can also deal perfectly with regular expressions, see
-  e.g., [here](https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html)
-  and [here](https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com).
-* If you still need to use any of `tr`, `sed` and `awk`: try to avoid a mix of several external binaries e.g., if you can
-  achieve the same with e.g. `awk`.
-* Be careful with very advanced bash features. Mac OS X is still using bash version
-  3 ([differences](http://tldp.org/LDP/abs/html/bashver4.html)).
-* Always use a return value for a function/method. 0 means all is fine.
-* Make use of [shellcheck](https://github.com/koalaman/shellcheck) if possible.
-* Follow the [shellformat](https://google.github.io/styleguide/shellguide.html) Shell-Style Guide.
+Do not add ad-hoc phase arguments to live-boot or initramfs scripts. Execution phase must be controlled by the directory and
+hook placement expected by Debian tooling.

-### 2.3.2. Shell specific
+# 5. Bash style

-* Security:
-  * Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.
-  * Unless you're really sure where the values come from, variables need to be put in quotes.
+* Use Bash for builder scripts and live-build hooks when the existing file uses Bash.
+* Use POSIX `sh` only where Debian hook interfaces or neighboring files require it. Keep such files POSIX-compatible.
+* Prefer `set -Ceuo pipefail` for Bash scripts where feasible. If a script cannot use strict mode safely, keep the exception
+  local and make the reason clear.
+* Quote expansions unless word splitting or globbing is explicitly required.
+* Prefer arrays where arguments or file names may contain whitespace.
+* Use `[[ ... ]]` for Bash conditionals. For regular-expression matches with `=~`, do not quote the right-hand regex.
+* Use `$(...)` command substitution, not backticks.
+* Avoid `eval`.
+* Avoid parsing `ls`.
+* Prefer `command -v` over `which`.
+* Check command results explicitly when failure needs custom handling.
+* Use `case` for option dispatch and multi-branch string handling.
+* Keep functions small and readable.
+* Use English comments. Add comments for non-obvious security or boot-chain decisions, not for obvious assignments.

-### 2.3.3. Variables
+# 6. Variables and functions

-* Use **"speaking variables"** but don't overdo it with the length.
-* No _camelCase_, please. We distinguish between lowercase and uppercase only.
-  * Global variables:
-    * use them only when really necessary,
-    * in CAPS,
-    * initialize them (`declare -g VAR_EXAMPLE=""`),
-    * SHOULD start with:
-      * `ARY_`  for Arrays,
-      * `C_`    for Variables defining colored outputs,
-      * `ERR_`  for Error Codes Variables,
-      * `HMP_`  for HashMap Arrays,
-      * `LOG_`  for Logfile Variables,
-      * `PID_`  for PID Variables,
-      * `PIPE_` for PIPE Variables,
-      * `VAR_`  for Variables
-  * Local variables:
-    * are lower case,
-    * declare them before usage (`declare` eq `local`),
-    * initialize them (`declare var_example=""`),
-    * SHOULD start with:
-      * `ary_` for Arrays,
-      * `c_` for Variables defining colored outputs,
-      * `err_` for Error Codes Variables,
-      * `hmp_` for HashMap Arrays,
-      * `log_` for Logfile Variables,
-      * `var_` for Variables.
+Follow the existing repository naming style:

-# 3. Misc
+* Global variables are uppercase and initialized before use.
+* Global arrays use the `ARY_` prefix where this convention already applies.
+* Other established global prefixes include `C_`, `ERR_`, `HMP_`, `LOG_`, `PID_`, `PIPE_`, and `VAR_`.
+* Local variables are lowercase and initialized before use.
+* Local array and helper prefixes include `ary_`, `c_`, `err_`, `hmp_`, `log_`, and `var_`.
+* Function names use lowercase words separated by underscores.
+* Prefer `declare` or `local` consistently with the surrounding file.

-* Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected.
+# 7. Input, secrets, and files
+
+* Treat CLI arguments, environment variables, generated file paths, network data, package metadata, and user-provided files as
+  untrusted until validated.
+* Validate ports, IP addresses, kernel version strings, paths, package names, and feature flags before use.
+* Fail closed when validation cannot prove that continuing is safe.
+* Do not print secrets, private keys, passphrases, tokens, or sensitive environment values.
+* Use restrictive permissions for generated secret material.
+* Prefer `mktemp` for temporary files and clean them up with traps when appropriate.
+* Do not create persistent state unless the behavior is intentional and documented.
+
+# 8. Dependencies and downloads
+
+* Do not add new runtime dependencies unless the task requires them. Prefer standard Debian tooling or existing project helpers.
+* When a dependency is needed, document why an existing or standard-library alternative is insufficient.
+* Do not add remote downloads, auto-update behavior, telemetry, or network callbacks without explicit justification.
+* For required downloads, use HTTPS where applicable and preserve or add signature/checksum verification.
+* Do not use `curl | sh`, `wget | sh`, or equivalent execution of unaudited remote content.
+
+# 9. Documentation
+
+Update documentation together with behavior:
+
+* New or changed CLI options must update `usage()` and relevant README or documentation sections.
+* Boot parameter changes must update `docs/BOOTPARAMS.md` where applicable.
+* Security-sensitive behavior changes must update the relevant audit, manual, or security documentation.
+* Generated examples must stay valid for Debian 13 Trixie unless the task explicitly targets another release.
+* Code comments, embedded prompts, commit messages, and repository documentation should normally be written in English.
+
+# 10. Formatting
+
+* Preserve SPDX headers and existing file headers where present.
+* New source or configuration files should include the project SPDX header when comparable files already use one.
+* Follow `.editorconfig`: LF line endings, UTF-8 where configured, two-space Markdown indentation, and tabs for `makefile`
+  recipes.
+* Keep line lengths readable and consistent with neighboring files.
+* Do not churn formatting unrelated to the task.
+
+# 11. Checks
+
+Run the narrowest checks that prove the change:
+
+* Shell files: `bash -n <file>` for Bash scripts, and `shellcheck <file>` when ShellCheck is available.
+* POSIX shell files: `sh -n <file>` where Bash syntax is not expected.
+* Make wrapper or argument-composition changes: `make dry-run`.
+* Python files, if introduced or changed: `ruff check`, `mypy`, and `pytest` when tests exist.
+* Live-build, initramfs, or ISO behavior changes: document the required Debian Trixie build validation command, normally
+  `make live` or the equivalent `./ciss_live_builder.sh ...` invocation.
+
+If a relevant check cannot be run in the current environment, state the exact reason and the command that should be run locally.
+
+# 12. Code review
+
+Reviews follow `code_review.md`.

 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Contributing / participating

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Credits

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.002.2026.05.13
+Master V9.14.004.2026.05.17
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
@@ -152,7 +152,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/

-                        V9.14.002.2026.05.13                        2025-11-06                         CDLB(1)
+                        V9.14.004.2026.05.17                        2025-11-06                         CDLB(1)
 ````

 # 3. Booting
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Resources

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. ``30-ciss-hardening.conf``

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. ``90-ciss-local.hardened``

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.002.2026.05.13<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. ``ciss_live_builder.sh``

@@ -39,13 +39,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V9.14.002.2026.05.13                        2026-05-13                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V9.14.004.2026.05.17                        2026-05-13                         CDLB(1)" "${var_cols}")

  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V9.14.002.2026.05.13\e[0m"
+    echo -e "\e[92mMaster V9.14.004.2026.05.17\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
@@ -130,7 +130,7 @@ main() {
  touch "${var_log}"


-  printf "CISS.debian.installer Master V9.14.002.2026.05.13 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.004.2026.05.17 is up! \n" >> "${var_log}"

  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -209,7 +209,7 @@ main() {

  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V9.14.002.2026.05.13: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.004.2026.05.17: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"

  exit 0
 }
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.002.2026.05.13"
+declare -grx VAR_VERSION="Master V9.14.004.2026.05.17"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4