V9.14.022.2026.06.11: document and test audit safeguards

V9.14.022.2026.06.11: enforce secret and cleanup safeguards
V9.14.022.2026.06.11: add path security helpers
2026-06-11 05:08:18 +02:00 · 2026-06-11 05:08:01 +02:00 · 2026-06-11 05:07:33 +02:00 · 2026-06-10 18:57:46 +01:00 · 2026-06-10 17:57:31 +01:00 · 2026-06-09 18:11:15 +01:00
173 changed files with 4897 additions and 873 deletions
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then

@@ -107,7 +107,7 @@ options edns0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -296,7 +296,7 @@ ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.t

 systemctl enable ciss-memwipe.service

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mkdir -p /etc/systemd/system/clamav-daemon.service.d
 cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -69,7 +69,7 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE
 EOF
 chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
@@ -63,7 +63,7 @@ EOF

 chmod 0644 /etc/network/interfaces

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 name: 💙 Generating a PUBLIC Live ISO.

@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.768.2025.12.06"
+      placeholder: "e.g., Master V9.14.022.2026.06.10"
    validations:
      required: true

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 FROM debian:bookworm

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 name: 🔁 Render README.md to README.html.

@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.768.2025.12.06
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.768.2025.12.06
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.768.2025.12.06
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 name: 💙 Generating a PUBLIC Live ISO.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 name: 🔁 Render Graphviz Diagrams.

@@ -16,5 +16,11 @@ target/
 *.log
 *.ps1
 config.mk
+ciss.secureboot/private/*
+!ciss.secureboot/private/README.md
+ciss.secureboot/manifests/*
+!ciss.secureboot/manifests/.gitkeep
+ciss.secureboot/uki/*
+!ciss.secureboot/uki/.gitkeep
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.768.2025.12.06"
+properties_version="V9.14.022.2026.06.10"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -0,0 +1,125 @@
+# AGENTS.md
+
+## Purpose
+
+This repository builds and maintains the CISS Debian Live Builder for Debian 13 Trixie.
+Treat every change as security-sensitive and boot-chain-sensitive.
+
+Persistent coding details live in `docs/CODING_CONVENTION.md`.
+Review-only instructions live in `code_review.md`.
+
+## Instruction precedence for this repository
+
+Use this order when instructions differ:
+
+1. The current user task prompt defines the immediate objective and task-specific acceptance criteria.
+2. This `AGENTS.md` defines repository-wide constraints and routing guidance.
+3. `docs/CODING_CONVENTION.md` defines detailed coding conventions.
+4. `code_review.md` applies when performing a review or final self-review.
+5. Personal/global Codex instructions apply only where they do not conflict with repository rules.
+
+When in doubt, choose the safer, smaller, more easily reviewable change and explain the uncertainty.
+
+## Non-negotiable constraints
+
+- Target Debian 13 Trixie unless the task explicitly states otherwise.
+- Do not introduce Ubuntu-specific assumptions.
+- Do not invent live-build, live-boot, initramfs, cryptsetup, systemd, GRUB, Debian package, or upstream tool behavior.
+- Verify uncertain behavior against existing repository code or authoritative upstream documentation.
+- Do not add phase-argument gates to live-boot or initramfs scripts. Execution phase is controlled by Debian hook placement.
+- Preserve encrypted-root and encrypted-SquashFS architecture unless the task explicitly changes it.
+- Prefer simple, explicit, inspectable Bash over clever abstraction.
+- Do not use `eval`.
+- Do not print secrets, private keys, passphrases, tokens, or sensitive environment values.
+
+## Repository map
+
+Common areas:
+
+- `ciss_live_builder.sh`, `lib/*.sh`: host-side orchestration and argument handling.
+- `makefile`: local wrapper for composing and executing builder invocations.
+- `config/hooks/live/*.chroot`: live-build chroot hooks.
+- `config/hooks/live/*.binary`: live-build binary-image hooks.
+- `config/includes.chroot/etc/initramfs-tools/hooks/*`: initramfs build hooks.
+- `config/includes.chroot/etc/initramfs-tools/scripts/*`: initramfs boot scripts.
+- `config/includes.chroot/usr/lib/live/boot/*`: live-boot runtime scripts.
+- `scripts/*`: helper scripts or files copied into the generated image.
+- `docs/*`: project documentation and conventions.
+
+## Working method
+
+Before editing:
+
+1. Inspect the relevant scripts, hooks, configuration files, documentation, tests, and naming conventions.
+2. Identify the affected build or boot phase.
+3. Give a concise implementation plan and list the likely files to touch, unless the change is trivial.
+
+While editing:
+
+- Keep changes minimal and local to the task.
+- Preserve existing architecture, naming style, error handling, formatting, and security posture.
+- Do not perform unrelated cleanup or formatting churn.
+- Reuse existing helper functions for logging, fatal errors, validation, downloads, temporary files, and tool checks where available.
+- Do not introduce new runtime dependencies unless technically necessary and justified.
+
+After editing:
+
+- Run only the narrowest checks that prove the change.
+- Changed Bash files: run `bash -n <file>` and `shellcheck <file>` if ShellCheck is available.
+- Changed POSIX shell files, if any exist and must remain POSIX: run `sh -n <file>`.
+- Make wrapper or builder argument-composition changes: run the relevant dry-run or help/parser check, usually `make dry-run` if available.
+- Changed Python files: run the repository's relevant Python checks if present.
+- CLI or user-facing behavior changes: update `usage()` and relevant documentation.
+- Live-build, initramfs, or ISO behavior changes: state the required Debian Trixie validation command. Do not run a full live build unless requested or necessary.
+
+## Bash conventions summary
+
+See `docs/CODING_CONVENTION.md` for detail.
+
+- Use Bash for new and modified project scripts unless an existing Debian interface file explicitly requires POSIX shell.
+- Prefer `set -Ceuo pipefail` where feasible.
+- Use `declare` for variables inside functions.
+- Quote expansions unless word splitting or globbing is explicitly required.
+- Prefer arrays where argument boundaries matter.
+- Use `[[ ... ]]` for Bash conditionals.
+- Use `case` for option dispatch and multi-branch string handling.
+- Avoid parsing `ls`.
+- Prefer `command -v` over `which`.
+- Keep functions small and readable.
+- End functions explicitly with `return 0` where consistent with surrounding code.
+- Code comments must be in English.
+
+## Security-sensitive areas
+
+Before finalizing a change, check whether it affects:
+
+- boot trust
+- initramfs behavior
+- live-boot runtime behavior
+- cryptsetup/LUKS handling
+- encrypted SquashFS handling
+- key material
+- remote unlock
+- TLS, mTLS, signature, checksum, or provenance verification
+- package sources or remote downloads
+- network exposure
+- file permissions
+- persistence
+- logging of sensitive values
+
+If affected, document the concrete risk and mitigation in the final response.
+
+## Final response
+
+Return a concise implementation report:
+
+- changed files
+- what changed
+- checks run and result
+- real remaining risks or follow-up steps
+
+Do not claim success for checks that were not run.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.768.2025.12.06
+PackageVersion: Master V9.14.022.2026.06.10
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.768.2025.12.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.022.2026.06.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,10 +11,10 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.12-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
@@ -26,11 +26,11 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.022.2026.06.10<br>

 **CISS.debian.live.builder — First of its own.**<br>
-**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
+**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**

 Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed 
 to serve as a reference implementation for hardened, image-based Debian deployments.
@@ -60,12 +60,15 @@ and spoofing surfaces.

 Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
 (`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
-line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
-that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
-transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
-wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
-encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
-named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
+line, is guarded by a `0700 root:root` secret root and single-link regular `0400` or `0600` root-owned files, and any symlink
+inside the secret path is treated as a hard failure that aborts the run. Filename-only secret arguments reject slashes and
+traversal.
+Critical code paths temporarily disable Bash xtrace, and a final exact-value debug-log sanitisation pass provides additional
+defence in depth. Transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed, but this is only a
+best-effort cleanup on SSD, NVMe, copy-on-write, journaled, and virtualised storage. Use tmpfs for secrets and encrypted storage
+for build workspaces. Destructive build cleanup is restricted to the exact canonical directory carrying the
+`.ciss-live-builder-owned` marker. This private operator workflow still requires strict local path validation; it does not
+define public ISO release policy.

 Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
 * [CenturionDNS Resolver](https://eddns.eu/)
@@ -175,7 +178,7 @@ installer toolchain.

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V8.13.768.2025.12.06`
+Example: `V9.14.022.2026.06.10`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

@@ -221,7 +224,7 @@ The parameters fall into several categories.
 * The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
 * The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
 * Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
-* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
+* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough, and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
 * ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
 * Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
 * ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
@@ -237,7 +240,7 @@ deliberate design decision.

 ### 2.1.2. CPU Vulnerability Mitigations

-I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
+I build the kernels with the relevant mitigations for Specter, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
 The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they 
 are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the 
 context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
@@ -365,6 +368,11 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
 ## 2.9. UFW Hardening

 * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
+* **Primordial SSH exception**: `--primordial-url <https-git-url>`, `--primordial-key <ssh-identity-filename>` and
+  `--primordial-ssh <port>` configure the CDI Primordial overlay clone. `--primordial-ssh` also adds an outgoing-only UFW TCP
+  exception for a bootstrap/recovery SSH port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall
+  rule and does not replace `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current
+  hook still emits the requested labelled rule because this repository has no separate UFW rule deduplication layer.
 * **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
  deployment.

@@ -488,10 +496,14 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
   
 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
-   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
-   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
-   5. Make any other changes you need to.
+   2. Create the empty build directory with `install -d -m 0700 -o root -g root /opt/cdlb`.
+   3. Create the tmpfs secret root with `install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`.
+   4. Place required secret files in the secret root as single-link regular, non-symlink, root-owned files with mode `0400`
+      or `0600`.
+   5. Place your desired SSH public key in `/dev/shm/cdlb_secrets/authorized_keys`.
+   6. Place your desired root password in `/dev/shm/cdlb_secrets/password.txt`.
+   7. Use filename-only values without slashes, `.` or `..` for `--key_age`, `--key_luks`, and signing-file arguments.
+   8. Make any other changes you need to.

 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):

@@ -514,15 +526,29 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
     --reionice-priority 1 2 \
     --renice-priority "-19" \
     --root-password-file /dev/shm/cdlb_secrets/password.txt \
+     --secure-boot-profile debian-shim \
+     --sops-version 3.13.1 \
     --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
     --signing_key_pass=signing_key_pass.txt \
     --signing_key=signing_key.asc \
     --ssh-port 4242 \
+     --primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \
+     --primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \
+     --primordial-ssh 42842 \
     --ssh-pubkey /dev/shm/cdlb_secrets \
     --sshfp \
     --trixie
   ````

+   `--sops-version` selects the upstream SOPS release installed into the live system. If omitted, the builder uses
+   `VAR_SOPS_VERSION` from `var/global.var.sh`. The SOPS hook verifies the upstream checksums file with Cosign and supports
+   both the newer Sigstore bundle asset, and the legacy-split certificate/signature assets before checking the downloaded
+   SOPS binary with `sha256sum -c --ignore-missing`.
+
+   On the first run, the builder creates `.ciss-live-builder-owned` in a new or empty build directory whose canonical parent
+   already exists. A populated directory without that marker is rejected and is never adopted automatically. Cleanup remains
+   intentionally destructive inside the exact validated marker-owned directory.
+
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
@@ -544,7 +570,8 @@ preview it or run it.

 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
+   2. Create the empty build directory and tmpfs secret root with restrictive ownership and permissions:
+      `install -d -m 0700 -o root -g root /opt/cdlb /dev/shm/cdlb_secrets`.
   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   5. Copy and edit the sample and set your options (no spaces around commas in lists): 
@@ -556,10 +583,15 @@ preview it or run it.
    ````bash
    BUILD_DIR=/opt/cdlb
    ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
+    SECURE_BOOT_PROFILE=debian-shim
+    SOPS_VERSION=3.13.1
    SSH_PORT=4242
    SSH_PUBKEY=/dev/shm/cdlb_secrets

    # Optional
+    PRIMORDIAL_URL=https://git.coresecret.dev/ahz/PhysNet.primordial.git
+    PRIMORDIAL_KEY=id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10
+    PRIMORDIAL_SSH_PORT=42842
    PROVIDER_NETCUP_IPV6=2001:cdb::1
    # comma-separated; IPv6 in [] is fine
    JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     
@@ -569,7 +601,31 @@ preview it or run it.

 4. Execute the build: ````make live````

-## 5.3. CI/CD Gitea Runner Workflow Example
+## 5.3. Secure Boot Profiles
+
+The default build profile is ``--secure-boot-profile debian-shim``. It keeps the ISO broadly portable: ``lb config`` uses an
+``iso-hybrid`` image with both ``grub-pc`` and ``grub-efi`` bootloaders, and UEFI Secure Boot remains delegated to live-build's
+standard Microsoft-signed Debian shim plus Debian-signed GRUB path.
+
+The custom profile is ``--secure-boot-profile ciss-uki``. It is intended for amd64 systems whose firmware trusts the CISS Secure
+Boot key material through the platform Secure Boot database, or a custom PK/KEK/db model. In this profile a late binary hook
+builds a Unified Kernel Image from the final ``binary/live/vmlinuz-*`` and ``binary/live/initrd.img-*`` artifacts, signs it with
+``ciss.secureboot/private/ciss-efi-image.key`` and ``ciss.secureboot/public/ciss-efi-image.crt``, rebuilds
+``binary/boot/grub/efi.img``, installs the signed UKI as ``EFI/BOOT/BOOTX64.EFI``, and mirrors it into the ISO EFI tree when
+live-build created one.
+
+Required files for ``ciss-uki``:
+
+````text
+ciss.secureboot/private/ciss-efi-image.key
+ciss.secureboot/public/ciss-efi-image.crt
+````
+
+The private directory is ignored by Git. The hooks fail if the CISS EFI image signing key or module signing key appears below
+``binary/``, ``chroot/`` or ``config/includes.*``. Build-time UKI manifests are written below the build directory in
+``ciss.secureboot/manifests`` and can be checked with ``ukify inspect`` and ``sbverify``.
+
+## 5.4. CI/CD Gitea Runner Workflow Example

 1. Clone the repository:

@@ -612,10 +668,10 @@ preview it or run it.
  #...
        - name: Preparing the build environment.
          run: |
-            mkdir -p /opt/config
-            mkdir -p /opt/livebuild
-            echo "${{ secrets.CHANGE_ME }}" >| /opt/config/password.txt
-            echo "${{ secrets.CHANGE_ME }}" >| /opt/config/authorized_keys
+            install -d -m 0700 -o root -g root /opt/livebuild /dev/shm/cdlb_secrets
+            umask 0077
+            printf '%s\n' "${{ secrets.CHANGE_ME }}" >| /dev/shm/cdlb_secrets/password.txt
+            printf '%s\n' "${{ secrets.CHANGE_ME }}" >| /dev/shm/cdlb_secrets/authorized_keys
  #...
        - name: Starting CISS.debian.live.builder. This may take a while ...
          run: |
@@ -628,9 +684,9 @@ preview it or run it.
              --build-directory /opt/livebuild \
              --control "${timestamp}" \
              --jump-host "${{ secrets.CHANGE_ME }}" \
-              --root-password-file /opt/config/password.txt \
+              --root-password-file /dev/shm/cdlb_secrets/password.txt \
              --ssh-port CHANGE_ME \
-              --ssh-pubkey /opt/config
+              --ssh-pubkey /dev/shm/cdlb_secrets
  #...
        ### SKIP OR CHANGE ALL REMAINING STEPS
  ```
@@ -7,14 +7,14 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Repository Structure

 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.022.2026.06.10** (as of 2025-10-11)

 ## 3.1. Top-Level Layout

@@ -0,0 +1,33 @@
+                                          .-=+*###%%###*+=-:.
+                                      :=*%%@@@@@@@@@@@@@@@@@%#*-.
+                                   :+%@@@@%%%%@@@@@@@@%%%%%%@@@@@%*:
+                                 -#@@@%%%%@@@@%#****#%%@@@%%@@%#+=-:.
+                               .#@@%%%%%@@#+:..:::-::::-=#@@%=.
+                              -%@%%%%%%@#: .=*%@@@@@@%#+-.:=
+                             =@%%%%%%%@= .*@@@@%%%%%%%@@@%=
+                            :@%%%%%%%@+ :%@%%%%%%%%%%%%%%@@#%+
+                            #%%%%%%%%%  #@%%%%%%%%%%%%%%%%%@@%.
+                           -@%%%%%%%@#  %%%%%%%%%%%%%%%%%@@@%@*
+                           *%%%%%%%%@%  *@%%%%%%%%%%%%%%%#*#%%@:
+                           *@%%%%%%%%@- :@%%%%%%%%%%%%%%%%-   ..
+                           *%%%%%%%%%%#. +@%%%%%%%%%%%%%%@@*.
+                           -@%%%%%%%%%@-  #%%%%%%%%@@@@@%%%@@%%%+
+                            %%%%%%%%%%:   -@%%%%%@@%**#%@%%%%@%@%
+                            -@%%%%%%@+    :@%%%@@*:     =@%%%%%%:
+                             +@%%%%%@.    +@%%@#:        #@%%%@-
+                              *@%%@@=    :%%@@+          *%%%@#
+                               =@%#-    :%@@#-          :@@%%%-
+                                ..     =@%*-            .+#%@%.
+                                      :+-.                 .=*
+
+  ____ ___ ____ ____      _      _     _               _ _             _           _ _     _
+ / ___|_ _/ ___/ ___|  __| | ___| |__ (_) __ _ _ __   | (_)_   _____  | |__  _   _(_) | __| | ___ _ __
+| |    | |\___ \___ \ / _` |/ _ \ '_ \| |/ _` | '_ \  | | \ \ / / _ \ | '_ \| | | | | |/ _` |/ _ \ '__|
+| |___ | | ___) |__) | (_| |  __/ |_) | | (_| | | | |_| | |\ V /  __/_| |_) | |_| | | | (_| |  __/ |
+ \____|___|____/____(_)__,_|\___|_.__/|_|\__,_|_| |_(_)_|_| \_/ \___(_)_.__/ \__,_|_|_|\__,_|\___|_|
+
+Debian Trixie | Hardened Live ISO Builder | Encrypted Root Path | Verified Boot Chain | LUKS Integrity
+
+Preparing Builder...
+
+Please wait...
@@ -0,0 +1,37 @@
+                              .:-=++***#####***+==-:.
+                        .-=*#%%@@@@@@@@@@@@@@@@@@@@@%%#*=-.
+                    .=*#@@@@@@@%%%%%%%%%%%%%%%%%%%%%@@@@@@@%*=:
+                 :+#@@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@%*=.
+              .+#@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@#=:
+            :*%@@%%%%%%%%%%%%%%%%@@@@@@@@@@@@@%%%%%%%%%%%%%%%%@@@@%%%*=
+          :*@@%%%%%%%%%%%%%%@@@@@%%#*******#%%@@@@%%%%%%%%%@@%#+-:.
+        .+@@%%%%%%%%%%%%%%@@%#+-.             .-+#%@@%%%%@@#=.
+       -%@%%%%%%%%%%%%%@@%*-.    :-+**####**+-:   .-*%@@@*:
+      +@@%%%%%%%%%%%%%@%+.   :+#%@@@@@@@@@@@@@@%#+:  .+#:
+     *@%%%%%%%%%%%%%%@*.   =#@@@@%%%%%%%%%%%%%%@@@@#-
+    *@%%%%%%%%%%%%%%@-   -%@@%%%%%%%%%%%%%%%%%%%%%%@@#-
+   +@%%%%%%%%%%%%%%@-   +@@%%%%%%%%%%%%%%%%%%%%%%%%%%@@+-*#
+  -@%%%%%%%%%%%%%%@+   +@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@-
+  %%%%%%%%%%%%%%%%%   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ -@%%%%%%%%%%%%%%@*   +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@=
+ #%%%%%%%%%%%%%%%@=   *@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+.%%%%%%%%%%%%%%%%@+   +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@%%%%%%%=
+-@%%%%%%%%%%%%%%%@*   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@@@.
+=@%%%%%%%%%%%%%%%%%.   #@%%%%%%%%%%%%%%%%%%%%%%%%%%%*..:--==+*-
+=@%%%%%%%%%%%%%%%%@=   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%@#:
+=@%%%%%%%%%%%%%%%%%%.   +@%%%%%%%%%%%%%%%%%%%%%%%%%%%@@+
+:@%%%%%%%%%%%%%%%%%@#    #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@#::::.
+ %@%%%%%%%%%%%%%%%%%@=   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@%#:
+ *%%%%%%%%%%%%%%%%%%-     *@%%%%%%%%%%%%%%%@@@@%%%%%%%%%%%%%%%@@@.
+ :@%%%%%%%%%%%%%%%@-      -@%%%%%%%%%%%%@@@%%%%%@@%%%%%%%%%%%%%%%.
+  *@%%%%%%%%%%%%%@+       .%%%%%%%%%%%@@*=:.   .-*@%%%%%%%%%%%%@=
+  .%%%%%%%%%%%%%%%.       .%%%%%%%%%@@*:          :%%%%%%%%%%%@+
+   =@%%%%%%%%%%%@*        -@%%%%%%%@#:             =@%%%%%%%%@*
+    +@%%%%%%%%%%@.        *@%%%%%@@+               .@%%%%%%%%%.
+     *@%%%%%%%%@+        -@%%%%%@%-                .@%%%%%%%@=
+      +@%%%%%@@*        :%%%%%@@*.                 -@%%%%%%%%
+       =@@@@@#-        :%%%%@@%-                   #%%%%%%%@+
+        :#*+:         :%%%@@%+                    -@@@%%%%%@:
+                     =@@@@#=.                      :+#@@@@%%.
+                   .*%#*=.                            .=*%@%
+                   ::.                                   .-+
@@ -0,0 +1 @@
+
@@ -0,0 +1,26 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.022.2026.06.10<br>
+
+# 2. CISS Secure Boot Private Material
+
+This directory is intentionally ignored except for this README.
+
+On the air-gapped build host, place the private EFI image signing key here:
+
+* `ciss-efi-image.key`
+
+Do not commit private keys. The custom UKI hooks fail if this key is copied into `binary/`, `chroot/`, or
+`config/includes.*`.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1,26 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.022.2026.06.10<br>
+
+# 2. CISS Secure Boot Public Material
+
+Place public CISS Secure Boot certificates here on the air-gapped build host.
+
+Expected file for the `ciss-uki` build profile:
+
+* `ciss-efi-image.crt`
+
+Public CA and module-signing certificates may also live here, for example `ciss-secureboot-ca.crt` and
+`ciss-module-signing.crt`, but they are not copied into the ISO by the current UKI hooks.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1 @@
+
@@ -15,7 +15,7 @@
 ### WHY BASH?
 # Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
 # and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
-# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
+# are available natively; no external binaries are required. Cross-platform consistency. '/bin/bash' is the default shell on most
 # Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
 # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
 # or Cygwin on Windows systems.
@@ -111,29 +111,41 @@ source_guard "./var/bash.var.sh"
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh   ; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ; usage  ; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -l|--logo)    . ./lib/lib_logo.sh      ; logo   ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done

 ### ALL CHECKS DONE. READY TO START THE SCRIPT.
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+clear
+printf '\033[95m'
+cat bootscreen.txt
+printf '\033[0m\n'
+sleep 4
+printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 declare -grx VAR_SETUP="true"

-### SECURING SECRETS ARTIFACTS.
-test ! -L "${VAR_TMP_SECRET}" || {
-  . ./var/global.var.sh
-  printf "\e[91m❌ Refusing symlink: '%s'! Bye... \e[0m\n" "${VAR_TMP_SECRET}" >&2
-  exit "${ERR_SECRETSSYM}"
-}
-find "${VAR_TMP_SECRET}" -type f -exec chmod 0400 {} +
-find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
-
 ### SOURCING VARIABLES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./var/color.var.sh"
  source_guard "./var/global.var.sh"
 }

-### SOURCING LIBRARIES.
+### SOURCE THE MINIMUM REQUIRED FOR EARLY EXIT CLEANUP COVERAGE.
+[[ "${VAR_SETUP}" == true ]] && {
+  source_guard "./lib/lib_secret_validation.sh"
+  source_guard "./lib/lib_build_directory.sh"
+  source_guard "./lib/lib_debug_sanitizer.sh"
+  source_guard "./lib/lib_clean_up.sh"
+  source_guard "./lib/lib_trap_on_err.sh"
+  source_guard "./lib/lib_trap_on_exit.sh"
+}
+
+trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
+
+### Validate the fixed tmpfs secret staging area without modifying operator-provided files.
+validate_secret_staging_area
+
+### SOURCING REMAINING LIBRARIES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./lib/lib_arg_parser.sh"
  source_guard "./lib/lib_arg_priority_check.sh"
@@ -152,7 +164,6 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
  source_guard "./lib/lib_ciss_upgrades_boot.sh"
  source_guard "./lib/lib_ciss_upgrades_build.sh"
  source_guard "./lib/lib_clean_screen.sh"
-  source_guard "./lib/lib_clean_up.sh"
  source_guard "./lib/lib_copy_integrity.sh"
  source_guard "./lib/lib_gnupg.sh"
  source_guard "./lib/lib_hardening_root_pw.sh"
@@ -167,12 +178,30 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
  source_guard "./lib/lib_provider_netcup.sh"
  source_guard "./lib/lib_run_analysis.sh"
  source_guard "./lib/lib_sanitizer.sh"
-  source_guard "./lib/lib_trap_on_err.sh"
-  source_guard "./lib/lib_trap_on_exit.sh"
+  source_guard "./lib/lib_secureboot_profile.sh"
  source_guard "./lib/lib_update_microcode.sh"
  source_guard "./lib/lib_usage.sh"
 }

+### Add ERR handling after all remaining libraries are available.
+trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
+
+### PRE-SCAN SECURE BOOT PROFILE FOR BUILD-HOST PACKAGE CHECKS.
+### Formal validation still happens in arg_parser().
+for ((idx=0; idx<${#ARY_PARAM_ARRAY[@]}; idx++)); do
+  case "${ARY_PARAM_ARRAY[idx],,}" in
+    --secure-boot-profile=*)
+      declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx]#*=}"
+      ;;
+    --secure-boot-profile)
+      if [[ -n "${ARY_PARAM_ARRAY[idx + 1]:-}" ]]; then
+        declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx + 1]}"
+      fi
+      ;;
+  esac
+done
+unset idx
+
 ### CHECKING REQUIRED PACKAGES.
 check_pkgs

@@ -199,9 +228,6 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n

 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
-### Following the CISS Bash naming and ordering scheme:
-trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
-trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR

 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
@@ -248,6 +274,7 @@ init_primordial
 ### Integrate the CISS.debian.live.builder repository into the build directory.
 ### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
 hardening_ultra
+secureboot_profile_apply

 ### CISS.debian.installer 'GRUB' and 'autostart' generator.
 cdi
@@ -0,0 +1,78 @@
+# code_review.md
+
+Use this file for explicit review tasks and final self-review after implementation.
+Do not treat it as a mandate for an unlimited audit unless the user asks for one.
+
+## Review priorities
+
+Review findings in this order:
+
+1. Correctness
+2. Security regressions
+3. Boot/build reproducibility
+4. Data loss risk
+5. Error handling
+6. Test or validation coverage
+7. Maintainability
+8. Minimality of diff
+9. Style consistency
+
+## Finding classes
+
+- `BLOCKER`: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before merge.
+- `RISK`: plausible issue or security concern that is not fully proven from the available context.
+- `CLEANUP`: maintainability, readability, or consistency improvement that is not required for correctness.
+- `NOTE`: observation only; no change requested.
+
+## Review output format
+
+List findings first, ordered by severity.
+
+For each finding include:
+
+- class
+- file path and line number where possible
+- observation
+- concrete impact
+- smallest reasonable fix
+
+Then include:
+
+- missing checks or validation gaps
+- residual risks
+- concise final recommendation
+
+If there are no findings, say so explicitly and still mention relevant validation gaps.
+
+## Scope control
+
+- Do not nitpick formatting when automated tooling exists.
+- Do not invent requirements not present in the task, repository, or documentation.
+- Do not expand a small implementation task into a broad quality-management audit.
+- Do not request a full live build unless the changed code path affects image generation in a way that cannot be checked narrowly.
+- Prefer a small actionable finding over a broad speculative warning.
+
+## Security-sensitive checklist
+
+Check whether the change affects:
+
+- boot trust
+- initramfs behavior
+- live-boot runtime behavior
+- cryptsetup/LUKS handling
+- encrypted SquashFS handling
+- key material
+- remote unlock
+- TLS or mTLS verification
+- signature, checksum, or provenance verification
+- package sources or remote downloads
+- network exposure
+- file permissions
+- persistence
+- logging of sensitive values
+
+For affected areas, separate observation, inference, and recommendation.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -10,8 +10,19 @@
 # SPDX-Security-Contact: security@coresecret.eu

 BUILD_DIR            ?=
+
+### Optional Dropbear source override; empty uses VAR_DROPBEAR_VERSION from var/global.var.sh:
+DROPBEAR_VERSION     ?=
+### Optional SOPS release override; empty uses VAR_SOPS_VERSION from var/global.var.sh:
+SOPS_VERSION         ?=
+### Optional Primordial CDI overlay settings; all three values are required for automatic overlay bootstrap:
+PRIMORDIAL_URL       ?=
+PRIMORDIAL_KEY       ?=
+PRIMORDIAL_SSH_PORT  ?=
 PROVIDER_NETCUP_IPV6 ?=
 ROOT_PASSWORD_FILE   ?=
+### Secure Boot profile; debian-shim or ciss-uki:
+SECURE_BOOT_PROFILE  ?= debian-shim
 SSH_PORT             ?=
 SSH_PUBKEY           ?=

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 # shellcheck disable=SC2155
 declare -gx VAR_DATE="$(date +%F)"
@@ -284,7 +284,7 @@ LLMNR=no
 MulticastDNS=no
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 #######################################
 # Get all NIC drivers of the current Host machine.
@@ -345,7 +345,7 @@ chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
 chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
 chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 VAR_DATE="$(date +%F)"

@@ -45,8 +45,10 @@ EOF

 mkdir -p /etc/systemd/system/tmp.mount.d
 cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
+# The live ISO runs CISS.debian.installer and must support at least 12 raw plus encrypted LUKS header backups in the installer
+# scratch path.
 [Mount]
-Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1%
+Options=mode=1777,strictatime,nosuid,nodev,noexec,size=2G
 EOF

 mkdir -p /etc/systemd/system/dev-shm.mount.d
@@ -57,7 +59,7 @@ EOF

 systemctl enable ciss-remount-root.service

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 if [[ -f /root/.cdi ]]; then

@@ -48,7 +48,7 @@ EOF

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -72,7 +72,7 @@ include /etc/logrotate.d
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -30,7 +30,7 @@ EOF

 install -d -m 0755 /var/cache/apparmor

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,21 +11,40 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

 ### Declare Arrays, HashMaps, and Variables.
-declare var_dropbear_version="2025.88"
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+  printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+  printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  exit 43
+}
+
 declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
 declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
 declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"

 mkdir -p "/root/build"
+
+[[ -r "${var_tar}" ]] || {
+  printf "\e[91m❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2
+  exit 43
+}
+
 cp "${var_tar}" "/root/build"
-tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+tar xjf "${var_tar}" -C "/root/build"
 cp "/root/dropbear/localoptions.h" "${var_build_dir}"
 cd "${var_build_dir}"

@@ -67,7 +86,7 @@ if ! setsid bash -c '
  ' >| "${var_logfile}" 2>&1
 then

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
+  printf "\e[91m❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
  tail -n 42 "${var_logfile}" >&2 || true
  exit 42

@@ -75,7 +94,7 @@ fi

  rm -rf /root/dropbear

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,15 +11,30 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-### Declare Arrays, HashMaps, and Variables.
-declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

+### Declare Arrays, HashMaps, and Variables.
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+  printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+  printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  exit 43
+}
+
+declare var_dropbear_build_dir="/root/build/dropbear-${var_dropbear_version}"
+declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
+
 apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
 apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
 apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
@@ -32,16 +47,18 @@ rm -f /root/dropbear.file

 mkdir -p /root/.ciss/cdlb/backup/usr/sbin
 mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
-install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
+install -m 0755 -o root -g root "${var_dropbear_build_dir}/dropbear" /usr/sbin/

 mkdir -p /root/.ciss/cdlb/backup/usr/bin
 for var_file in dbclient dropbearconvert dropbearkey; do

  mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
-  install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
+  install -m 0755 -o root -g root "${var_dropbear_build_dir}/${var_file}" /usr/bin/

 done

+rm -f "${var_dropbear_env}"
+
 mkdir -p /etc/initramfs-tools/scripts/init-bottom

 cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
@@ -126,7 +143,7 @@ EOF

 systemctl mask dropbear.service dropbear.socket

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -154,7 +154,7 @@ readonly -f write_dropbear_conf

 dropbear_setup

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
 # SPDX-Version: 3.0
@@ -38,7 +38,7 @@ Host git.coresecret.dev
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,13 +11,13 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 if [[ ! -f /root/.pwd ]]; then

-  printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
+  printf "\e[92m❌ /root/.pwd NOT found. \e[0m\n"
+  printf "\e[92m❌ Exiting Hook ... \e[0m\n"
+  printf "\e[92m✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
  exit 0

 fi
@@ -39,15 +39,15 @@ unset hashed_pwd safe_hashed_pwd

 if shred -fzu -n 5 /root/.pwd; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
+  printf "\e[92m✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"

 else

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
+  printf "\e[91m❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cat << 'EOF' >| /etc/default/keyboard
 XKBMODEL="pc105"
@@ -26,7 +26,7 @@ export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -28,7 +28,7 @@ ExecStart=
 ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
 mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
@@ -26,7 +26,7 @@ localhost.local

 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root
 if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -32,7 +32,7 @@ b08dfa6083e7567a1921a715000001fb
 EOF
 chmod 644 /etc/machine-id

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root

@@ -147,7 +147,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
 fc-cache -fv
 rm -rf /tmp/nerd

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
@@ -463,7 +463,7 @@ upload-options=
 #EOF
 EOF_LYNIS

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mkdir -p /var/log/chrony

@@ -114,7 +114,7 @@ fi

 chronyd -Q -f /etc/chrony/chrony.conf 2>&1

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mkdir -p /etc/systemd/system/ssh.service.d

@@ -24,7 +24,7 @@ Wants=network-online.target
 ExecStartPre=/bin/sleep 5
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 chmod +x /usr/bin/yq

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone https://github.com/testssl/testssl.sh.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -22,7 +22,7 @@ apt-get install -y nodejs
 cd /root/git
 git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone https://github.com/hardenedlinux/harbian-audit.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone https://github.com/jtesta/ssh-audit.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone https://github.com/dnsviz/dnsviz.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,47 +11,307 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

-SOPS_VER="v3.11.0"
-ARCH="$(dpkg --print-architecture)"
-case "${ARCH}" in
-  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
-  arm64)  SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
-  *)  echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
+declare SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP="https://github.com/getsops"
+declare SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER="https://token.actions.githubusercontent.com"
+
+#######################################
+# Print a fatal error and abort the hook.
+# Globals:
+#   None
+# Arguments:
+#   1: Message string
+# Returns:
+#   None
+#######################################
+die() {
+  declare message="$1"
+  printf "\e[91m❌ ERROR: %s \e[0m\n" "${message}" >&2
+  exit 43
+}
+
+#######################################
+# Require an executable tool.
+# Globals:
+#   None
+# Arguments:
+#   1: Tool name
+# Returns:
+#   0: on success
+#######################################
+require_tool() {
+  declare tool_name="$1"
+
+  command -v "${tool_name}" >/dev/null 2>&1 || die "Required tool not found: ${tool_name}"
+
+  return 0
+}
+
+#######################################
+# Validate and normalize a SOPS semantic version.
+# Globals:
+#   None
+# Arguments:
+#   1: SOPS version string
+# Outputs:
+#   Normalized bare semantic version
+# Returns:
+#   0: on success
+#######################################
+normalize_sops_version() {
+  declare sops_version="${1#v}"
+
+  [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || \
+    die "Invalid SOPS version '${1}'. Expected '<MAJOR>.<MINOR>.<PATCH>' without prerelease metadata."
+
+  printf '%s' "${sops_version}"
+
+  return 0
+}
+
+#######################################
+# Download a mandatory release asset.
+# Globals:
+#   None
+# Arguments:
+#   1: Asset URL
+#   2: Target filename
+# Returns:
+#   0: on success
+#######################################
+download_required_asset() {
+  declare asset_url="$1"
+  declare target_file="$2"
+
+  if ! curl -fsSLo "${target_file}" "${asset_url}"; then
+    die "Failed to download required SOPS asset '${target_file}' from '${asset_url}'."
+  fi
+
+  [[ -s "${target_file}" ]] || die "Downloaded SOPS asset is empty: ${target_file}"
+
+  return 0
+}
+
+#######################################
+# Download an optional release asset and distinguish absence from download errors.
+# Globals:
+#   None
+# Arguments:
+#   1: Asset URL
+#   2: Target filename
+# Returns:
+#   0: asset was downloaded
+#   1: asset is absent upstream
+#######################################
+download_optional_asset() {
+  declare asset_url="$1"
+  declare target_file="$2"
+  declare http_code=""
+
+  if ! http_code=$(curl -sSLo "${target_file}" -w '%{http_code}' "${asset_url}"); then
+    rm -f -- "${target_file}"
+    die "Failed to query optional SOPS asset '${target_file}' from '${asset_url}'."
+  fi
+
+  case "${http_code}" in
+    200)
+      [[ -s "${target_file}" ]] || die "Optional SOPS asset is empty after HTTP 200: ${target_file}"
+      return 0
+      ;;
+    404)
+      rm -f -- "${target_file}"
+      return 1
+      ;;
+    *)
+      rm -f -- "${target_file}"
+      die "Unexpected HTTP status ${http_code} for optional SOPS asset '${target_file}' from '${asset_url}'."
+      ;;
  esac
+}
+
+#######################################
+# Verify the SOPS checksums file with Cosign.
+# Globals:
+#   SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP
+#   SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER
+# Arguments:
+#   1: Checksums filename
+#   2: Bundle filename
+#   3: Certificate filename
+#   4: Signature filename
+# Returns:
+#   0: on success
+#######################################
+verify_sops_checksums_signature() {
+  declare checksums_file="$1"
+  declare bundle_file="$2"
+  declare certificate_file="$3"
+  declare signature_file="$4"
+
+  if [[ -f "${bundle_file}" ]]; then
+    printf "\e[95m[INFO] Verifying SOPS checksums with Cosign bundle: %s \e[0m\n" "${bundle_file}"
+    cosign verify-blob "${checksums_file}" \
+      --bundle "${bundle_file}" \
+      --certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
+      --certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
+      die "SOPS checksum signature verification failed in bundle mode for '${checksums_file}' using '${bundle_file}'."
+    return 0
+  fi
+
+  if [[ -f "${certificate_file}" && -f "${signature_file}" ]]; then
+    printf "\e[95m[INFO] Verifying SOPS checksums with Cosign split certificate/signature: %s %s \e[0m\n" "${certificate_file}" "${signature_file}"
+    cosign verify-blob "${checksums_file}" \
+      --certificate "${certificate_file}" \
+      --signature "${signature_file}" \
+      --certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
+      --certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
+      die "SOPS checksum signature verification failed in legacy split mode for '${checksums_file}' using '${certificate_file}' and '${signature_file}'."
+    return 0
+  fi
+
+  if [[ -f "${certificate_file}" || -f "${signature_file}" ]]; then
+    die "Incomplete legacy SOPS signature layout for '${checksums_file}'. Expected both '${certificate_file}' and '${signature_file}'."
+  fi
+
+  die "No supported SOPS checksum signature layout found for '${checksums_file}'. Expected bundle or split certificate/signature assets."
+}
+
+#######################################
+# Verify the SOPS artifact checksum and ensure the expected artifact was covered.
+# Globals:
+#   None
+# Arguments:
+#   1: Checksums filename
+#   2: Artifact filename
+# Returns:
+#   0: on success
+#######################################
+verify_sops_artifact_checksum() {
+  declare checksums_file="$1"
+  declare artifact_file="$2"
+  declare checksum_output=""
+
+  if ! checksum_output=$(sha256sum -c "${checksums_file}" --ignore-missing 2>&1); then
+    printf '%s\n' "${checksum_output}" >&2
+    die "SOPS artifact checksum verification failed for '${artifact_file}' using '${checksums_file}'."
+  fi
+
+  printf '%s\n' "${checksum_output}"
+
+  if ! grep -Fxq "${artifact_file}: OK" <<< "${checksum_output}" && \
+     ! grep -Fxq "./${artifact_file}: OK" <<< "${checksum_output}"; then
+    die "SOPS checksum verification did not cover expected artifact '${artifact_file}' from '${checksums_file}'."
+  fi
+
+  return 0
+}
+
+#######################################
+# Install SOPS from an upstream GitHub release after signature and checksum verification.
+# Globals:
+#   CISS_SOPS_VERSION
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+main() {
+  require_tool curl
+  require_tool cosign
+  require_tool sha256sum
+
+  declare sops_env="/root/sops.env"
+  [[ -r "${sops_env}" ]] || die "Missing SOPS environment file: ${sops_env}"
+
+  # shellcheck disable=SC1090
+  . "${sops_env}"
+
+  declare ciss_sops_version
+  ciss_sops_version=$(normalize_sops_version "${CISS_SOPS_VERSION:?CISS_SOPS_VERSION is not set}")
+
+  declare architecture
+  architecture="$(dpkg --print-architecture)"
+
+  declare sops_tag="v${ciss_sops_version}"
+  declare sops_file=""
+  case "${architecture}" in
+    amd64)
+      sops_file="sops-${sops_tag}.linux.amd64"
+      ;;
+    arm64)
+      sops_file="sops-${sops_tag}.linux.arm64"
+      ;;
+    *)
+      die "Unsupported architecture '${architecture}' for SOPS version '${ciss_sops_version}'. Expected amd64 or arm64."
+      ;;
+  esac
+
+  declare release_base_url="https://github.com/getsops/sops/releases/download/${sops_tag}"
+  declare checksums_file="sops-${sops_tag}.checksums.txt"
+  declare bundle_file="sops-${sops_tag}.checksums.sigstore.json"
+  declare certificate_file="sops-${sops_tag}.checksums.pem"
+  declare signature_file="sops-${sops_tag}.checksums.sig"
+  declare bundle_available="false"
+  declare certificate_available="false"
+  declare signature_available="false"

  cd /tmp

-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig"
+  printf "\e[95m[INFO] Downloading SOPS %s asset: %s \e[0m\n" "${ciss_sops_version}" "${sops_file}"
+  download_required_asset "${release_base_url}/${sops_file}" "${sops_file}"
+  download_required_asset "${release_base_url}/${checksums_file}" "${checksums_file}"

-cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
-  --certificate    "sops-${SOPS_VER}.checksums.pem" \
-  --signature      "sops-${SOPS_VER}.checksums.sig" \
-  --certificate-identity-regexp="https://github.com/getsops" \
-  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+  # shellcheck disable=SC2310
+  if download_optional_asset "${release_base_url}/${bundle_file}" "${bundle_file}"; then
+    bundle_available="true"
+  fi

-sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
+  if [[ "${bundle_available}" == "false" ]]; then
+    # shellcheck disable=SC2310
+    if download_optional_asset "${release_base_url}/${certificate_file}" "${certificate_file}"; then
+      certificate_available="true"
+    fi

-install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
-sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
+    # shellcheck disable=SC2310
+    if download_optional_asset "${release_base_url}/${signature_file}" "${signature_file}"; then
+      signature_available="true"
+    fi
+
+    if [[ "${certificate_available}" != "${signature_available}" ]]; then
+      die "Incomplete legacy SOPS signature assets for version '${ciss_sops_version}'. Expected both '${certificate_file}' and '${signature_file}'."
+    fi
+  fi
+
+  verify_sops_checksums_signature "${checksums_file}" "${bundle_file}" "${certificate_file}" "${signature_file}"
+  verify_sops_artifact_checksum "${checksums_file}" "${sops_file}"
+
+  install -m 0755 "${sops_file}" /usr/local/bin/sops
+  sops --version >| /root/.ciss/cdlb/log/sops.log
  age --version  >| /root/.ciss/cdlb/log/age.log

-rm -f "/tmp/${SOPS_FILE}"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
+  rm -f -- "/tmp/${sops_file}"
+  rm -f -- "/tmp/${checksums_file}"
+  rm -f -- "/tmp/${bundle_file}"
+  rm -f -- "/tmp/${certificate_file}"
+  rm -f -- "/tmp/${signature_file}"

+  if [[ -f /root/.config/sops/age/keys.txt ]]; then
    chmod 0400 /root/.config/sops/age/keys.txt
+  fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

+  return 0
+}
+
+if [[ "${CISS_SOPS_TEST_MODE:-false}" != "true" ]]; then
+  main "$@"
  exit 0
+fi
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -21,7 +21,7 @@ wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O

 yq --version

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 umask 0077

@@ -31,7 +31,7 @@ apt-get purge -y texinfo
 apt-get autoremove --purge -y
 apt-get autoclean -y

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,10 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 declare -r UFW_OUT_POLICY="deny"
 declare -r SSHPORT="SSHPORT_MUST_BE_SET"
+# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET

 ufw --force reset

@@ -44,7 +45,8 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
  ufw allow out  853/tcp comment 'Outgoing DoT'
  ufw allow out  993/tcp comment 'Outgoing IMAPS'
  ufw allow out 4460/tcp comment 'Outgoing NTS'
-  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
+  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH Custom-Port'
+  # PRIMORDIAL_SSH_RULE_MUST_BE_SET
  ufw allow out   53/udp comment 'Outgoing DNS'
  ufw allow out  123/udp comment 'Outgoing NTP'
  ufw allow out  443/udp comment 'Outgoing QUIC'
@@ -61,7 +63,7 @@ sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type
 sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
 ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -26,15 +26,15 @@ fi

 if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
+  printf "\e[92m✅ 'Process Accounting' enabled successful. \e[0m\n"

 else

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
+  printf "\e[91m❌ 'Process Accounting' already enabled. \e[0m\n" >&2

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mkdir -p /root/.ciss/cdlb/backup/update-motd.d
 cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
@@ -23,7 +23,7 @@ EOF

 chmod 0755 /etc/update-motd.d/10-uname

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
 declare backup_dir="/root/.ciss/cdlb/backup/certificates"
@@ -29,7 +29,7 @@ declare -ax expired_certificates=()
 #   None
 #######################################
 create_backup() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
+  printf "\e[95m🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"

  mkdir -p "${backup_dir}"
  declare dir=""
@@ -44,7 +44,7 @@ create_backup() {

  done

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
+  printf "\e[92m✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
 }

 #######################################
@@ -104,7 +104,7 @@ delete_expired_from_all_bundles() {

    if [[ -f ${bundle} ]]; then

-      printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
+      printf "\e[95m🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
      declare tmp_bundle="${bundle}.tmp"
      declare -a block=()
      declare expired=0
@@ -149,7 +149,7 @@ delete_expired_from_all_bundles() {

          else

-            printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
+            printf "\e[92m✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"

          fi

@@ -161,29 +161,29 @@ delete_expired_from_all_bundles() {

      mv -f "${tmp_bundle}" "${bundle}"

-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
+      printf "\e[92m✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"

    fi

  done
 }

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
+printf "\e[95m🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
 create_backup
 delete_expired_from_all_bundles
 check_certificates

 if [[ ${#expired_certificates[@]} -eq 0 ]]; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No expired certificates found.\e[0m\n"
+  printf "\e[92m✅ No expired certificates found.\e[0m\n"

 else

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
+  printf "\e[95m🧪 Expired certificates found:\e[0m\n"

  for exp_cert in "${expired_certificates[@]}"; do

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
+    printf "\e[92m'%s'. \e[0m\n" "${exp_cert}"

  done

@@ -191,7 +191,7 @@ else

    rm -f "${exp_cert}"

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
+    printf "\e[92m✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
    basename=$(basename "${exp_cert}")
    mozilla_entry="mozilla/${basename%.pem}.crt"
    mozilla_entry="${mozilla_entry%.crt}.crt"
@@ -200,19 +200,19 @@ else
    if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then

      sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
+      printf "\e[92m✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"

    fi

  done

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
+  printf "\e[95m✅ Updating the certificate cache ... \e[0m\n"
  update-ca-certificates --fresh
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
+  printf "\e[92m✅ Updating the certificate cache done.\e[0m\n"

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"


 exit 0
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 declare _key=""

 cd /etc/ssh
@@ -115,7 +115,7 @@ fi

 /usr/sbin/sshd -t || exit 42

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mkdir -p /root/.ciss/cdlb/backup/etc/ssl

@@ -122,7 +122,7 @@ x509_extensions	= usr_cert		# The extensions to add to the cert
 name_opt 	= ca_default		# Subject Name options
 cert_opt 	= ca_default		# Certificate field options

-# Extension copying option: use with caution.
+# Extension copying option: use it with caution.
 # copy_extensions = copy

 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
@@ -232,7 +232,7 @@ basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer

@@ -282,7 +282,7 @@ basicConstraints = critical,CA:true

 # DER hex encoding of an extension: beware experts only!
 # obj=DER:02:03
-# Where 'obj' is a standard or added object
+# Where 'obj' is a standard or added object.
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF

@@ -305,7 +305,7 @@ basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer

@@ -418,37 +418,28 @@ ssl_conf = ssl_sect
 system_default = system_default_sect

 [system_default_sect]
-# Protocol floor / ceiling:
-# - only TLS 1.2 and 1.3.
-# - TLS 1.3 is FS by design;
-# - TLS 1.2 FS enforced via the cipher list.
 MinProtocol = TLSv1.2
 MaxProtocol = TLSv1.3

-# TLS 1.2 cipher policy:
-# - Forward secrecy only: ECDHE or DHE (no static RSA kx);
-# - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
-# - Keep distro default SECLEVEL=2 explicitly.
-CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
+# TLS 1.2: FS only, AEAD only, no AES128, no static RSA negotiation, no DHE negotiation.
+CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:!AES128:!kRSA:!DHE:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2

-# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
+# TLS 1.3: only AES-256-GCM and ChaCha20-Poly1305.
 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

-# Prefer strong, widely supported ECDHE groups (first = most preferred):
+# Preferred ECDHE groups.
 Groups = X448:P-521:P-384

-SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
-
-# Operational flags:
-# -SessionTicket  : disable TLS session tickets (TLS 1.2 + 1.3)
-# ServerPreference: honor server cipher order (TLS 1.2)
-# NoRenegotiation : disallow TLS 1.2 renegotiation
+# Flags: Tickets off, servers order, renegotiation off.
 Options = -SessionTicket,ServerPreference,NoRenegotiation

+# Permitted signature algorithms.
+SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
 chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
@@ -82,7 +82,7 @@ KeepFree=0
 EOF
 chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root

@@ -235,7 +235,7 @@ EOF
 touch /var/log/fail2ban/fail2ban.log
 chmod 0640 /var/log/fail2ban/fail2ban.log

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 ###########################################################################################
 # Remarks: Turn off Energy saving mode and ctrl-alt-del                                   #
@@ -23,7 +23,7 @@ done

 unset target

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -33,7 +33,7 @@ if [[ -d /etc/exim4 ]]; then
  rm -rf /etc/exim4
 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -41,7 +41,7 @@ cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon

 rm -f /tmp/rules.conf

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh

@@ -29,7 +29,7 @@ dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 if [[ -s /tmp/deinstall.log ]]; then

  printf "\n"
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
+  printf "\e[95m🧪 Packages to purge ... \e[0m\n"
  sed -i 's!deinstall!!' /tmp/deinstall.log

  while IFS= read -r line; do
@@ -37,16 +37,16 @@ if [[ -s /tmp/deinstall.log ]]; then
    declare trimmed_string
    trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
    echo "y" | apt-get purge "${trimmed_string}"
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
+    printf "\e[92m✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"

  done < /tmp/deinstall.log

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
+  printf "\e[92m✅ Packages to purge done. \e[0m\n"

 else

  printf "\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
+  printf "\e[92m✅ No Packages to purge, proceeding with clean up. \e[0m\n"

 fi

@@ -60,7 +60,7 @@ apt-get autopurge -y

 updatedb

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 chmod 0644 /etc/banner
 chmod 0644 /etc/issue
@@ -26,8 +26,8 @@ fi
 touch /etc/motd
 cat << EOF >| /etc/motd

-      (c) Marc S. Weidner, 2018 - 2025
-      (p) Centurion Press, 2018 - 2025
+      (c) Marc S. Weidner, 2018 - 2026
+      (p) Centurion Press, 2018 - 2026
          Centurion Intelligence Consulting Agency (tm)
          https://coresecret.eu/
          Please consider making a donation:
@@ -109,7 +109,7 @@ find /root -xdev -exec chown -h root:root {} +

 rm -f /etc/tmpfiles.d/legacy.conf

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -10,6 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
+
 #######################################
 # Iterates all '/etc/shadow' entries and sets:
 #   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
@@ -92,12 +93,12 @@ update_shadow() {
 # shellcheck disable=SC2034
 readonly -f update_shadow

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 if ! command -v chage &>/dev/null; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  printf "\e[92m✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
+  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

  exit 0

@@ -111,8 +112,8 @@ mapfile -t users_to_update < <(

 if [[ ${#users_to_update[@]} -eq 0 ]]; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  printf "\e[92m✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
+  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

  exit 0

@@ -120,7 +121,7 @@ fi

 declare user
 for user in "${users_to_update[@]}"; do
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
+  printf "\e[92m✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
  chage --maxdays "${max_days}" "${user}"
 done

@@ -128,11 +129,11 @@ unset max_days user users_to_update

 awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
+printf "\e[92m✅ All applicable accounts have been updated. \e[0m\n"

 update_shadow

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -23,15 +23,15 @@ sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf

 if aideinit > /dev/null 2>&1; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
+  printf "\e[92m✅ 'aideinit' successful. \e[0m\n"

 else

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
+  printf "\e[91m❌ 'aideinit' NOT successful. \e[0m\n" >&2

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -15,7 +15,7 @@

 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
@@ -130,7 +130,7 @@ local_users_only

 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,11 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -21,7 +21,7 @@ set -Ceuo pipefail
 #######################################
 log() { printf '[auditd-build] %s\n' "${*}" >&2; }

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root

@@ -42,13 +42,13 @@ cat << EOF >| /etc/audit/rules.d/00-base-config.rules

 ## Increase the buffers to survive stress events.
 ## Make this bigger for busy systems.
-b 16384
+-b 262144

 ## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
 -r 200

 ## This determine how long to wait in burst of events. How long to wait in bursts (us).
--backlog_wait_time 1024
+--backlog_wait_time 16384

 ## Set failure mode to syslog.
 -f 1
@@ -374,7 +374,7 @@ ExecStart=/usr/sbin/augenrules --load

 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root

@@ -26,16 +26,16 @@ sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums

 if debsums -g > /dev/null 2>&1; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
+  printf "\e[92m✅ 'debsums -g' successful. \e[0m\n"

 else

  # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
+  printf "\e[91m❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -130,7 +130,7 @@ apt-get dist-upgrade -y        # (= apt full-upgrade) allow installs/replacement
 apt-get autoremove --purge -y  # 'autopurge' == 'autoremove --purge'.
 apt-get clean -y               # Stronger than autoclean: removes the entire '.deb'-cache.

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 ### Declare Arrays, HashMaps, and Variables.
 declare -ar ary_logrotate=(
@@ -53,15 +53,15 @@ done

 if ! logrotate -d /etc/logrotate.conf; then

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
+  printf "\e[91m✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"

 else

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
+  printf "\e[92m✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# Final live-build chroot cleanup hook. Removes transient build artifacts, tightens permissions on CISS root/key material,
+# regenerates initramfs images, prepares systemd-resolved DNS configuration, and forces the live system to boot into
+# multi-user.target by masking common display managers.
+
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"

@@ -92,7 +96,7 @@ for var_dm in "${ary_dm_units[@]}"; do

 done

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# Final live-build binary hook for encrypted root filesystem packaging. Preallocate a LUKS2 container, formats it with the
+# generated build secret, copies the generated filesystem.squashfs into the opened encrypted mapping, then closes the container,
+# shreds the temporary LUKS secret, and removes the plaintext SquashFS from the ISO payload.
+
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 __umask=$(umask)
 umask 0077
@@ -34,23 +38,23 @@ preallocate() {

  if fallocate -l "${size}" -- "${file}" 2>/dev/null; then

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
+    printf "\e[92m✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
    return 0

  else

-    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"
+    printf "\e[91m❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"

  fi

  if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[92m✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
    return 0

  else

-    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[91m❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
    return 42

  fi
@@ -62,6 +66,49 @@ readonly -f preallocate
 declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
 declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
 declare KEYFD=""
+declare LUKS_KEY_FILE=""
+declare LUKS_KEY_FILENAME="${VAR_LUKS_KEY:-luks.txt}"
+declare LUKS_KEY_LINK_COUNT=""
+declare LUKS_KEY_MODE=""
+declare LUKS_KEY_OWNER=""
+declare SECRET_ROOT_FS=""
+declare SECRET_ROOT_MODE=""
+declare SECRET_ROOT_OWNER=""
+
+if [[ -L "${VAR_TMP_SECRET}" || ! -d "${VAR_TMP_SECRET}" ]]; then
+  printf "\e[91m❌ Unsafe secret root rejected. \e[0m\n" >&2
+  exit 42
+fi
+
+SECRET_ROOT_OWNER="$(stat -c '%u' "${VAR_TMP_SECRET}")"
+SECRET_ROOT_MODE="$(stat -c '%a' "${VAR_TMP_SECRET}")"
+SECRET_ROOT_FS="$(stat -f -c '%T' "${VAR_TMP_SECRET}")"
+if [[ "${SECRET_ROOT_OWNER}" != "${EUID}" || "${SECRET_ROOT_MODE}" != "700" \
+  || ( "${SECRET_ROOT_FS}" != "tmpfs" && "${SECRET_ROOT_FS}" != "ramfs" ) ]]; then
+  printf "\e[91m❌ Unsafe secret-root ownership, permissions, or filesystem rejected. \e[0m\n" >&2
+  exit 42
+fi
+
+if [[ -z "${LUKS_KEY_FILENAME}" || "${LUKS_KEY_FILENAME}" == "." || "${LUKS_KEY_FILENAME}" == ".." \
+  || "${LUKS_KEY_FILENAME}" == */* || ! "${LUKS_KEY_FILENAME}" =~ ^[A-Za-z0-9._@%+=:,~-]+$ ]]; then
+  printf "\e[91m❌ Unsafe LUKS key filename rejected. \e[0m\n" >&2
+  exit 42
+fi
+
+LUKS_KEY_FILE="${VAR_TMP_SECRET}/${LUKS_KEY_FILENAME}"
+if [[ -L "${LUKS_KEY_FILE}" || ! -f "${LUKS_KEY_FILE}" ]]; then
+  printf "\e[91m❌ Unsafe LUKS key file rejected. \e[0m\n" >&2
+  exit 42
+fi
+
+LUKS_KEY_OWNER="$(stat -c '%u' "${LUKS_KEY_FILE}")"
+LUKS_KEY_MODE="$(stat -c '%a' "${LUKS_KEY_FILE}")"
+LUKS_KEY_LINK_COUNT="$(stat -c '%h' "${LUKS_KEY_FILE}")"
+if [[ "${LUKS_KEY_OWNER}" != "${EUID}" || "${LUKS_KEY_LINK_COUNT}" != "1" \
+  || ( "${LUKS_KEY_MODE}" != "400" && "${LUKS_KEY_MODE}" != "600" ) ]]; then
+  printf "\e[91m❌ Unsafe LUKS key ownership, permissions, or link count rejected. \e[0m\n" >&2
+  exit 42
+fi

 # shellcheck disable=SC2155
 declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}")
@@ -78,7 +125,7 @@ declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) *

 preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}"

-exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt"
+exec {KEYFD}<"${LUKS_KEY_FILE}"

 if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then

@@ -127,11 +174,11 @@ declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}"

 if (( LUKS_FREE >= SQUASH_FS )); then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
+  printf "\e[92m✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"

 else

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
+  printf "\e[91m❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
  exit 42

 fi
@@ -142,14 +189,14 @@ cryptsetup close crypt_liveiso

 exec {KEYFD}<&-

-shred -fzu -n 5 -- "${VAR_TMP_SECRET}/luks.txt"
+shred -fzu -n 5 -- "${LUKS_KEY_FILE}"

 rm -f -- "${ROOTFS}"

 umask "${__umask}"
 __umask=""

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -0,0 +1,396 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2312
+set -Ceuo pipefail
+
+# Final live-build binary hook for the CISS UKI build. When the ciss-uki Secure Boot profile is active, this hook selects the
+# complete kernel/initrd pair, reads the live kernel command line, optionally embeds separate early microcode, creates unsigned
+# and signed Unified Kernel Images with ukify, verifies the signed UKI with 'sbverify', writes a manifest, and refuses private
+# Secure Boot key material in build artifact paths.
+
+#######################################
+# Prints a fatal error message and terminates the hook.
+# Globals:
+#   None
+# Arguments:
+#   1: Error message
+# Returns:
+#   42: always exits with failure
+#######################################
+die() {
+  declare message="${1}"
+  printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
+  exit 42
+}
+
+#######################################
+# Checks whether a required command exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Command name
+# Returns:
+#   0: on success
+#   42: if the command is missing
+#######################################
+require_command() {
+  declare command_name="${1}"
+
+  command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
+
+  return 0
+}
+
+#######################################
+# Checks whether a required file exists.
+# Globals:
+#   None
+# Arguments:
+#   1: File path
+#   2: Human-readable file description
+# Returns:
+#   0: on success
+#   42: if the file is missing
+#######################################
+require_file() {
+  declare file_path="${1}"
+  declare description="${2}"
+
+  [[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
+
+  return 0
+}
+
+#######################################
+# Reads the single LB_BOOTAPPEND_LIVE value from a live-build binary configuration file.
+# Globals:
+#   None
+# Arguments:
+#   1: live-build binary configuration file
+#   2: Output variable name for the kernel command line
+# Returns:
+#   0: on success
+#   42: if the file is missing, the entry is ambiguous, or the value is empty
+#######################################
+read_bootappend_live() {
+  declare config_file="${1}"
+  declare output_var="${2}"
+  declare -a matches=()
+  declare value=""
+
+  require_file "${config_file}" "live-build binary configuration"
+
+  mapfile -t matches < <(grep -E '^LB_BOOTAPPEND_LIVE=' "${config_file}" || true)
+
+  if (( ${#matches[@]} != 1 )); then
+    die "Expected exactly one LB_BOOTAPPEND_LIVE entry in '${config_file}', found '${#matches[@]}'."
+  fi
+
+  value="${matches[0]#LB_BOOTAPPEND_LIVE=}"
+  if [[ "${value}" == \"*\" ]]; then
+    value="${value#\"}"
+    value="${value%\"}"
+  fi
+
+  [[ -n "${value}" ]] || die "LB_BOOTAPPEND_LIVE in '${config_file}' is empty."
+
+  printf -v "${output_var}" "%s" "${value}"
+
+  return 0
+}
+
+#######################################
+# Collects kernel and initrd candidates from one artifact directory.
+# Globals:
+#   None
+# Arguments:
+#   1: Artifact directory
+#   2: Output variable name for the selected kernel path
+#   3: Output variable name for the selected initrd path
+# Returns:
+#   0: on success, including when the directory does not exist
+#   42: if more than one kernel or initrd candidate exists
+#######################################
+collect_artifacts_from_dir() {
+  declare artifact_dir="${1}"
+  declare kernel_output_var="${2}"
+  declare initrd_output_var="${3}"
+  declare -a kernels=()
+  declare -a initrds=()
+
+  if [[ ! -d "${artifact_dir}" ]]; then
+    printf -v "${kernel_output_var}" "%s" ""
+    printf -v "${initrd_output_var}" "%s" ""
+    return 0
+  fi
+
+  mapfile -d '' -t kernels < <(find "${artifact_dir}" -maxdepth 1 -type f -name "vmlinuz-*" -print0 | LC_ALL=C sort -z)
+  mapfile -d '' -t initrds < <(find "${artifact_dir}" -maxdepth 1 -type f -name "initrd.img-*" -print0 | LC_ALL=C sort -z)
+
+  if (( ${#kernels[@]} > 1 )); then
+    die "Ambiguous kernel candidates in '${artifact_dir}'. Refusing to select automatically."
+  fi
+
+  if (( ${#initrds[@]} > 1 )); then
+    die "Ambiguous initrd candidates in '${artifact_dir}'. Refusing to select automatically."
+  fi
+
+  printf -v "${kernel_output_var}" "%s" "${kernels[0]:-}"
+  printf -v "${initrd_output_var}" "%s" "${initrds[0]:-}"
+
+  return 0
+}
+
+#######################################
+# Selects the kernel/initrd pair used to build the UKI.
+# Globals:
+#   None
+# Arguments:
+#   1: Output variable name for the selected kernel path
+#   2: Output variable name for the selected initrd path
+# Returns:
+#   0: on success
+#   42: if no complete pair exists, the final pair is incomplete, or candidates are ambiguous
+#######################################
+select_kernel_initrd_pair() {
+  declare kernel_output_var="$1"
+  declare initrd_output_var="$2"
+  declare binary_kernel=""
+  declare binary_initrd=""
+  declare fallback_kernel=""
+  declare fallback_initrd=""
+
+  collect_artifacts_from_dir "binary/live" binary_kernel binary_initrd
+
+  if [[ -n "${binary_kernel}" && -n "${binary_initrd}" ]]; then
+    printf "\e[92m✅ Using final binary/live kernel and initrd artifacts. \e[0m\n"
+    printf -v "${kernel_output_var}" "%s" "${binary_kernel}"
+    printf -v "${initrd_output_var}" "%s" "${binary_initrd}"
+    return 0
+  fi
+
+  if [[ -n "${binary_kernel}" || -n "${binary_initrd}" ]]; then
+    die "Incomplete binary/live kernel/initrd pair. Refusing to mix final and fallback artifacts."
+  fi
+
+  printf "\e[93m❌ No complete binary/live kernel/initrd pair found; checking chroot/boot fallback. \e[0m\n"
+  collect_artifacts_from_dir "chroot/boot" fallback_kernel fallback_initrd
+
+  if [[ -n "${fallback_kernel}" && -n "${fallback_initrd}" ]]; then
+    printf "\e[93m❌ Using chroot/boot fallback artifacts because binary/live has no complete pair. \e[0m\n"
+    printf -v "${kernel_output_var}" "%s" "${fallback_kernel}"
+    printf -v "${initrd_output_var}" "%s" "${fallback_initrd}"
+    return 0
+  fi
+
+  die "No complete kernel/initrd pair found in binary/live or chroot/boot."
+}
+
+#######################################
+# Finds an optional separate early microcode cpio next to the selected initrd.
+# Globals:
+#   None
+# Arguments:
+#   1: Artifact directory
+#   2: Output variable name for the selected microcode cpio path
+# Returns:
+#   0: on success, including when no separate microcode cpio exists
+#   42: if more than one separate microcode cpio candidate exists
+#######################################
+collect_optional_microcode() {
+  declare artifact_dir="${1}"
+  declare output_var="${2}"
+  declare -a microcode_candidates=()
+
+  mapfile -d '' -t microcode_candidates < <(
+    find "${artifact_dir}" -maxdepth 1 -type f \( -name "*microcode*.cpio" -o -name "*ucode*.cpio" \) -print0 | LC_ALL=C sort -z
+  )
+
+  if (( ${#microcode_candidates[@]} > 1 )); then
+    die "Ambiguous separate early microcode cpio candidates in '${artifact_dir}'. Refusing to select automatically."
+  fi
+
+  printf -v "${output_var}" "%s" "${microcode_candidates[0]:-}"
+
+  return 0
+}
+
+#######################################
+# Refuses private Secure Boot key material in generated artifact paths.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   42: if a private Secure Boot key is found below a guarded path
+#######################################
+guard_private_key_leaks() {
+  declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
+  declare guard_root=""
+  declare private_file=""
+
+  for guard_root in "${guard_roots[@]}"; do
+
+    if [[ ! -d "${guard_root}" ]]; then
+      continue
+    fi
+
+    while IFS= read -r -d '' private_file; do
+      die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
+    done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
+
+  done
+
+  return 0
+}
+
+#######################################
+# Builds unsigned and signed CISS UKIs for the ciss-uki Secure Boot profile.
+# Globals:
+#   PWD
+#   VAR_CISS_SECUREBOOT_DIR
+#   VAR_CISS_SECUREBOOT_EFI_CERT
+#   VAR_CISS_SECUREBOOT_EFI_KEY
+#   VAR_CISS_SECUREBOOT_PROFILE
+#   VAR_HANDLER_BUILD_DIR
+#   VAR_WORKDIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when the active Secure Boot profile does not require a CISS UKI
+#   42: on validation, artifact selection, UKI build, signing, or verification failure
+#######################################
+main() {
+  declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
+  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
+  declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
+  declare secureboot_key="${VAR_CISS_SECUREBOOT_EFI_KEY:-${secureboot_dir}/private/ciss-efi-image.key}"
+  declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
+  declare stub="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
+  declare os_release="chroot/usr/lib/os-release"
+  declare kernel_path=""
+  declare initrd_path=""
+  declare kernel_base=""
+  declare initrd_base=""
+  declare kernel_version=""
+  declare initrd_version=""
+  declare cmdline=""
+  declare microcode_initrd=""
+  declare output_root=""
+  declare uki_dir=""
+  declare manifest_dir=""
+  declare unsigned_uki=""
+  declare signed_uki=""
+  declare manifest=""
+  declare -a ukify_args=()
+
+  if [[ "${profile}" != "ciss-uki" ]]; then
+    printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI build. \e[0m\n" "${profile}"
+    return 0
+  fi
+
+  printf "\e[95m🧪 Building CISS Secure Boot UKI ... \e[0m\n"
+
+  cd "${build_dir}"
+
+  require_command ukify
+  require_command sbverify
+  require_command sha512sum
+  require_file "${stub}" "systemd EFI stub"
+  require_file "${secureboot_key}" "CISS EFI image signing key"
+  require_file "${secureboot_cert}" "CISS EFI image signing certificate"
+  require_file "${os_release}" "target os-release metadata"
+  guard_private_key_leaks
+
+  select_kernel_initrd_pair kernel_path initrd_path
+
+  kernel_base="${kernel_path##*/}"
+  initrd_base="${initrd_path##*/}"
+  kernel_version="${kernel_base#vmlinuz-}"
+  initrd_version="${initrd_base#initrd.img-}"
+
+  [[ -n "${kernel_version}" && "${kernel_base}" != "${kernel_version}" ]] || die "Kernel artifact name does not match vmlinuz-<version>: '${kernel_path}'."
+  [[ -n "${initrd_version}" && "${initrd_base}" != "${initrd_version}" ]] || die "Initrd artifact name does not match initrd.img-<version>: '${initrd_path}'."
+
+  if [[ "${kernel_version}" != "${initrd_version}" ]]; then
+    die "Kernel/initrd version mismatch: kernel='${kernel_version}', initrd='${initrd_version}'."
+  fi
+
+  read_bootappend_live "config/binary" cmdline
+  collect_optional_microcode "${initrd_path%/*}" microcode_initrd
+
+  output_root="${build_dir}/ciss.secureboot"
+  uki_dir="${output_root}/uki"
+  manifest_dir="${output_root}/manifests"
+  unsigned_uki="${uki_dir}/CISS-LIVE-${kernel_version}.unsigned.efi"
+  signed_uki="${uki_dir}/CISS-LIVE-${kernel_version}.signed.efi"
+  manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.uki-build.txt"
+
+  install -d -m 0755 "${uki_dir}" "${manifest_dir}"
+  rm -f -- "${unsigned_uki}" "${signed_uki}" "${manifest}"
+
+  ukify_args=(
+    build
+    --stub="${stub}"
+    --linux="${kernel_path}"
+    --cmdline="${cmdline}"
+    --os-release="@${os_release}"
+    --uname="${kernel_version}"
+  )
+
+  if [[ -n "${microcode_initrd}" ]]; then
+    printf "\e[92m✅ Embedding separate early microcode cpio before normal initrd: '%s'. \e[0m\n" "${microcode_initrd}"
+    ukify_args+=(--initrd="${microcode_initrd}")
+  else
+    printf "\e[92m✅ No separate early microcode cpio found; using normal initrd only. \e[0m\n"
+  fi
+
+  ukify_args+=(--initrd="${initrd_path}")
+
+  printf "\e[95m🧪 Creating unsigned UKI: '%s'. \e[0m\n" "${unsigned_uki}"
+  ukify "${ukify_args[@]}" --output="${unsigned_uki}"
+
+  printf "\e[95m🧪 Creating signed UKI: '%s'. \e[0m\n" "${signed_uki}"
+  ukify "${ukify_args[@]}" \
+    --secureboot-private-key="${secureboot_key}" \
+    --secureboot-certificate="${secureboot_cert}" \
+    --output="${signed_uki}"
+
+  require_file "${unsigned_uki}" "unsigned CISS UKI"
+  require_file "${signed_uki}" "signed CISS UKI"
+
+  {
+    printf "CISS Secure Boot UKI build manifest\n"
+    printf "Kernel: %s\n" "${kernel_path}"
+    printf "Initrd: %s\n" "${initrd_path}"
+    printf "Microcode initrd: %s\n" "${microcode_initrd:-none}"
+    printf "Uname: %s\n" "${kernel_version}"
+    printf "OS release: %s\n" "${os_release}"
+    printf "Command line: %s\n" "${cmdline}"
+    printf "\nSHA512:\n"
+    sha512sum "${unsigned_uki}" "${signed_uki}"
+    printf "\nukify inspect:\n"
+    ukify inspect "${signed_uki}"
+    printf "\nsbverify:\n"
+    sbverify --cert "${secureboot_cert}" "${signed_uki}"
+  } >| "${manifest}" 2>&1
+
+  printf "\e[92m✅ UKI inspection and signature verification written to '%s'. \e[0m\n" "${manifest}"
+  printf "\e[92m✅ CISS Secure Boot UKI build completed. \e[0m\n"
+
+  return 0
+}
+
+main "$@"
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -0,0 +1,347 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2312
+set -Ceuo pipefail
+
+# Final live-build binary hook for CISS UKI installation. When the ciss-uki Secure Boot profile is active, this hook selects
+# the single signed CISS UKI, rebuilds the FAT EFI boot image with it as EFI/BOOT/BOOTX64.EFI, verifies the installed copy,
+# mirrors it into the ISO EFI tree when available, writes an installation manifest, and refuses private Secure Boot key
+# material in build artifact paths.
+
+declare TMP_DIR=""
+
+#######################################
+# Removes the temporary EFI image work directory if it is inside the expected Secure Boot output tree.
+# Globals:
+#   PWD
+#   TMP_DIR
+#   VAR_HANDLER_BUILD_DIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when no temporary directory exists
+#   42: if the temporary directory is outside the expected cleanup root
+#   non-zero: if removal of the expected temporary directory fails under strict mode
+#######################################
+cleanup() {
+  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
+
+  if [[ -n "${TMP_DIR}" && -d "${TMP_DIR}" ]]; then
+    case "${TMP_DIR}" in
+      "${build_dir}/ciss.secureboot/"*)
+        rm -rf -- "${TMP_DIR}"
+        ;;
+      *)
+        printf "\e[91m❌ Refusing to clean unexpected temporary path: '%s'. \e[0m\n" "${TMP_DIR}" >&2
+        return 42
+        ;;
+    esac
+  fi
+
+  return 0
+}
+
+#######################################
+# Prints a fatal error message and terminates the hook.
+# Globals:
+#   None
+# Arguments:
+#   1: Error message
+# Returns:
+#   42: always exits with failure
+#######################################
+die() {
+  declare message="$1"
+  printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
+  exit 42
+}
+
+#######################################
+# Checks whether a required command exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Command name
+# Returns:
+#   0: on success
+#   42: if the command is missing
+#######################################
+require_command() {
+  declare command_name="$1"
+
+  command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
+
+  return 0
+}
+
+#######################################
+# Checks whether a required file exists.
+# Globals:
+#   None
+# Arguments:
+#   1: File path
+#   2: Human-readable file description
+# Returns:
+#   0: on success
+#   42: if the file is missing
+#######################################
+require_file() {
+  declare file_path="$1"
+  declare description="$2"
+
+  [[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
+
+  return 0
+}
+
+#######################################
+# Selects the single signed CISS UKI generated by the CISS UKI build hook.
+# Globals:
+#   None
+# Arguments:
+#   1: CISS UKI output directory
+#   2: Output variable name for the selected signed UKI path
+# Returns:
+#   0: on success
+#   42: if the UKI directory is missing or does not contain exactly one signed UKI
+#######################################
+select_signed_uki() {
+  declare uki_dir="$1"
+  declare output_var="$2"
+  declare -a signed_ukis=()
+
+  [[ -d "${uki_dir}" ]] || die "Missing CISS UKI output directory: '${uki_dir}'."
+
+  mapfile -d '' -t signed_ukis < <(find "${uki_dir}" -maxdepth 1 -type f -name "CISS-LIVE-*.signed.efi" -print0 | LC_ALL=C sort -z)
+
+  if (( ${#signed_ukis[@]} != 1 )); then
+    die "Expected exactly one signed CISS UKI in '${uki_dir}', found '${#signed_ukis[@]}'."
+  fi
+
+  printf -v "${output_var}" "%s" "${signed_ukis[0]}"
+
+  return 0
+}
+
+#######################################
+# Refuses private Secure Boot key material in generated artifact paths.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   42: if a private Secure Boot key is found below a guarded path
+#######################################
+guard_private_key_leaks() {
+  declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
+  declare guard_root=""
+  declare private_file=""
+
+  for guard_root in "${guard_roots[@]}"; do
+
+    if [[ ! -d "${guard_root}" ]]; then
+      continue
+    fi
+
+    while IFS= read -r -d '' private_file; do
+      die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
+    done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
+
+  done
+
+  return 0
+}
+
+#######################################
+# Mirrors the signed UKI into the ISO EFI tree as the removable-media bootloader when that tree exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Signed UKI path
+#   2: Output variable name for the ISO EFI tree BOOTX64 path, or an empty value when no tree exists
+# Returns:
+#   0: on success, including when no ISO EFI tree exists
+#   non-zero: if directory creation or file installation fails under strict mode
+#######################################
+install_iso_tree_bootx64() {
+  declare signed_uki="$1"
+  declare output_var="$2"
+  declare iso_tree_bootx64=""
+
+  if [[ -d "binary/EFI/boot" ]]; then
+    iso_tree_bootx64="binary/EFI/boot/bootx64.efi"
+  elif [[ -d "binary/EFI/BOOT" ]]; then
+    iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
+  elif [[ -d "binary/EFI" ]]; then
+    install -d -m 0755 "binary/EFI/BOOT"
+    iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
+  fi
+
+  if [[ -n "${iso_tree_bootx64}" ]]; then
+    install -m 0644 "${signed_uki}" "${iso_tree_bootx64}"
+    printf "\e[92m✅ Mirrored signed UKI into ISO EFI tree: '%s'. \e[0m\n" "${iso_tree_bootx64}"
+  else
+    printf "\e[93m❌ No binary/EFI tree found; only EFI boot image was updated. \e[0m\n"
+  fi
+
+  printf -v "${output_var}" "%s" "${iso_tree_bootx64}"
+
+  return 0
+}
+
+#######################################
+# Installs the signed CISS UKI into the EFI boot image for the ciss-uki Secure Boot profile.
+# Globals:
+#   PWD
+#   SOURCE_DATE_EPOCH
+#   TMP_DIR
+#   VAR_CISS_SECUREBOOT_DIR
+#   VAR_CISS_SECUREBOOT_EFI_CERT
+#   VAR_CISS_SECUREBOOT_PROFILE
+#   VAR_HANDLER_BUILD_DIR
+#   VAR_WORKDIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when the active Secure Boot profile does not require CISS UKI installation
+#   42: on explicit validation, comparison, or signature verification failure
+#   non-zero: if an external tool, installation command, or manifest write fails under strict mode
+#######################################
+main() {
+  declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
+  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
+  declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
+  declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
+  declare output_root=""
+  declare uki_dir=""
+  declare manifest_dir=""
+  declare signed_uki=""
+  declare efi_img="binary/boot/grub/efi.img"
+  declare uki_name=""
+  declare kernel_version=""
+  declare manifest=""
+  declare tmp_img=""
+  declare extracted_uki=""
+  declare iso_tree_bootx64=""
+  declare uki_size=""
+  declare -i uki_kib=0
+  declare -i blocks=0
+  declare source_epoch="${SOURCE_DATE_EPOCH:-0}"
+  declare volid=""
+
+  if [[ "${profile}" != "ciss-uki" ]]; then
+    printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI EFI installation. \e[0m\n" "${profile}"
+    return 0
+  fi
+
+  printf "\e[95m🧪 Installing CISS signed UKI into EFI boot image ... \e[0m\n"
+
+  cd "${build_dir}"
+
+  require_command cmp
+  require_command mcopy
+  require_command mdir
+  require_command mkfs.msdos
+  require_command sbverify
+  require_command sha512sum
+  require_command stat
+  require_command ukify
+  require_file "${secureboot_cert}" "CISS EFI image signing certificate"
+  require_file "${efi_img}" "live-build EFI boot image"
+  guard_private_key_leaks
+
+  output_root="${build_dir}/ciss.secureboot"
+  uki_dir="${output_root}/uki"
+  manifest_dir="${output_root}/manifests"
+  select_signed_uki "${uki_dir}" signed_uki
+
+  uki_name="${signed_uki##*/}"
+  kernel_version="${uki_name#CISS-LIVE-}"
+  kernel_version="${kernel_version%.signed.efi}"
+  [[ -n "${kernel_version}" && "${kernel_version}" != "${uki_name}" ]] || die "Signed UKI name does not match CISS-LIVE-<version>.signed.efi: '${signed_uki}'."
+
+  install -d -m 0755 "${manifest_dir}"
+  TMP_DIR="$(mktemp -d -p "${output_root}" "efi-img.XXXXXXXX")"
+  tmp_img="${TMP_DIR}/efi.img"
+  extracted_uki="${TMP_DIR}/BOOTX64.EFI"
+  manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.efi-install.txt"
+  rm -f -- "${manifest}"
+
+  uki_size="$(stat -c %s -- "${signed_uki}")"
+  uki_kib=$(( (uki_size + 1023) / 1024 ))
+  blocks=$(( (uki_kib + 8192 + 31) / 32 * 32 ))
+  if (( blocks < 32768 )); then
+    blocks=32768
+  fi
+
+  if [[ ! "${source_epoch}" =~ ^[0-9]+$ ]]; then
+    source_epoch="0"
+  fi
+  printf -v volid "%08x" "$((source_epoch % 4294967296))"
+
+  printf "\e[95m🧪 Rebuilding EFI boot image with signed UKI as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
+  mkfs.msdos -C "${tmp_img}" "${blocks}" -i "${volid}" >/dev/null
+  mmd -i "${tmp_img}" "::EFI"
+  mmd -i "${tmp_img}" "::EFI/BOOT"
+  mcopy -m -o -i "${tmp_img}" "${signed_uki}" "::EFI/BOOT/BOOTX64.EFI"
+  mcopy -o -i "${tmp_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
+
+  cmp -s "${signed_uki}" "${extracted_uki}" || die "Extracted BOOTX64.EFI differs from signed UKI before EFI image installation."
+  sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
+
+  install -m 0644 "${tmp_img}" "${efi_img}"
+
+  rm -f -- "${extracted_uki}"
+  mcopy -o -i "${efi_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
+  cmp -s "${signed_uki}" "${extracted_uki}" || die "Installed EFI/BOOT/BOOTX64.EFI differs from signed UKI."
+  sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
+
+  install_iso_tree_bootx64 "${signed_uki}" iso_tree_bootx64
+  if [[ -n "${iso_tree_bootx64}" ]]; then
+    cmp -s "${signed_uki}" "${iso_tree_bootx64}" || die "ISO EFI tree BOOTX64.EFI differs from signed UKI."
+    sbverify --cert "${secureboot_cert}" "${iso_tree_bootx64}" >/dev/null
+  fi
+
+  guard_private_key_leaks
+
+  {
+    printf "CISS Secure Boot EFI image installation manifest\n"
+    printf "EFI image: %s\n" "${efi_img}"
+    printf "Installed path: EFI/BOOT/BOOTX64.EFI\n"
+    printf "ISO EFI tree mirror: %s\n" "${iso_tree_bootx64:-none}"
+    printf "Signed UKI: %s\n" "${signed_uki}"
+    printf "FAT image blocks KiB: %s\n" "${blocks}"
+    printf "FAT volume id: %s\n" "${volid}"
+    printf "\nSHA512:\n"
+    sha512sum "${efi_img}" "${signed_uki}" "${extracted_uki}"
+    if [[ -n "${iso_tree_bootx64}" ]]; then
+      sha512sum "${iso_tree_bootx64}"
+    fi
+    printf "\nEFI directory:\n"
+    mdir -i "${efi_img}" "::EFI/BOOT"
+    printf "\nukify inspect installed BOOTX64.EFI:\n"
+    ukify inspect "${extracted_uki}"
+    printf "\nsbverify installed BOOTX64.EFI:\n"
+    sbverify --cert "${secureboot_cert}" "${extracted_uki}"
+  } >| "${manifest}" 2>&1
+
+  printf "\e[92m✅ EFI image installation verification written to '%s'. \e[0m\n" "${manifest}"
+  printf "\e[92m✅ CISS signed UKI installed as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
+
+  return 0
+}
+
+main "$@"
+cleanup
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.022.2026.06.10

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V8.13.768.2025.12.06"
+declare -gr VERSION="Master V9.14.022.2026.06.10"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.768.2025.12.06 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.022.2026.06.10 at: 10:18:37.9542
@@ -25,8 +25,8 @@ cat << 'EOF'
 EOF

 echo ""
-echo -e "\e[97m      (c) Marc S. Weidner, 2018 - 2025 \e[0m"
-echo -e "\e[97m      (p) Centurion Press, 2018 - 2025 \e[0m"
+echo -e "\e[97m      (c) Marc S. Weidner, 2018 - 2026 \e[0m"
+echo -e "\e[97m      (p) Centurion Press, 2018 - 2026 \e[0m"
 echo -e "\e[97m          Centurion Intelligence Consulting Agency (tm) \e[0m"
 echo -e "\e[97m          https://coresecret.eu/ \e[0m"
 echo -e "\e[95m          Please consider making a donation: \e[0m"
@@ -14,8 +14,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
-# Phase  : premount (executed by live-boot inside the initramfs).
+# Module summary:
+# - Reserve a dedicated /run/live/overlay tmpfs with a configurable size limit.
+# - Mount it with restrictive flags and permissions before OverlayFS uses it.
+# - Prepare the upper and work directories required by the later live-boot overlay setup.

 _SAVED_SET_OPTS="$(set +o)"

@@ -14,13 +14,171 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh'
-# Phase  : premount (executed by live-boot inside the initramfs)
+# Module summary:
+# - Read CISS boot parameters for the encrypted root path and live ISO label.
+# - Mount the live medium read-only and locate the encrypted SquashFS container.
+# - Attach the encrypted container through a read-only loop device.
+# - Accept a LUKS passphrase from the local console or remotely unlock FIFO.
+# - Open the decrypted root mapper and expose the handoff state for later live-boot overlay processing.

 _SAVED_SET_OPTS="$(set +o)"

 set -eu

+#######################################
+# Ensure the minimal device nodes required by this early boot script exist.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: Always. Device-node setup is best-effort only
+#######################################
+ensure_minimal_dev_nodes() {
+  mknod_cmd=""
+  busybox_cmd=""
+
+  [ -d /dev ] || mkdir -p /dev || return 0
+
+  if [ -c /dev/null ] && [ -c /dev/console ]; then
+
+    return 0
+
+  fi
+
+  mknod_cmd="$(command -v mknod 2>&- || printf '')"
+  if [ -z "${mknod_cmd}" ]; then
+
+    busybox_cmd="$(command -v busybox 2>&- || printf '')"
+
+  fi
+
+  if [ ! -c /dev/null ]; then
+
+    rm -f /dev/null || true
+    if [ -n "${mknod_cmd}" ]; then
+
+      "${mknod_cmd}" -m 666 /dev/null c 1 3 || true
+
+    elif [ -n "${busybox_cmd}" ]; then
+
+      "${busybox_cmd}" mknod -m 666 /dev/null c 1 3 || true
+
+    fi
+
+  fi
+
+  if [ ! -c /dev/console ]; then
+
+    rm -f /dev/console || true
+    if [ -n "${mknod_cmd}" ]; then
+
+      "${mknod_cmd}" -m 600 /dev/console c 5 1 || true
+
+    elif [ -n "${busybox_cmd}" ]; then
+
+      "${busybox_cmd}" mknod -m 600 /dev/console c 5 1 || true
+
+    fi
+
+  fi
+
+  return 0
+}
+
+#######################################
+# Console logging helper that does not assume /dev/console is always present.
+# Globals:
+#   None
+# Arguments:
+#   1: printf format
+#   *: printf arguments
+# Returns:
+#   0: always, logging failure is not fatal
+#######################################
+console_printf() {
+  console_format="$1"
+  shift
+
+  if [ -c /dev/console ]; then
+
+    # shellcheck disable=SC2059
+    printf "${console_format}" "$@" > /dev/console || :
+
+  elif [ -e /proc/1/fd/1 ]; then
+
+    # shellcheck disable=SC2059
+    printf "${console_format}" "$@" > /proc/1/fd/1 || :
+
+  fi
+
+  return 0
+}
+
+#######################################
+# Clear the current console line without making cleanup fatal.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: Always. Console cleanup failure is not fatal.
+#######################################
+console_clear_line() {
+  console_printf '\r\033[K'
+
+  return 0
+}
+
+#######################################
+# Wait for an explicit local-console unlock activation.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: local console activation was requested
+#   1: console unavailable or activation read failed
+#######################################
+wait_for_local_unlock_activation() {
+  LOCAL_UNLOCK_SAVED_STTY=""
+  LOCAL_UNLOCK_READ_STATUS=0
+
+  ensure_minimal_dev_nodes
+
+  [ -c /dev/console ] || return 1
+  exec 9<>/dev/console || return 1
+
+  LOCAL_UNLOCK_SAVED_STTY=$(stty -g <&9 2>&- || printf '')
+  trap 'if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then stty "${LOCAL_UNLOCK_SAVED_STTY}" <&9 2>&- || :; fi; printf "\r\033[K" >&9 2>&- || :; exec 9>&-; exit 143' TERM INT HUP
+
+  if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then
+
+    stty -echo <&9 2>&- || :
+
+  fi
+
+  printf '\e[93m[INFO] CISS LUKS decryption : Press Enter for local unlock: \n\e[0m' >&9 || :
+  IFS= read -r _ <&9
+  LOCAL_UNLOCK_READ_STATUS="$?"
+
+  if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then
+
+    stty "${LOCAL_UNLOCK_SAVED_STTY}" <&9 2>&- || :
+
+  fi
+
+  printf '\r\033[K' >&9 || :
+  exec 9>&-
+  trap - TERM INT HUP
+
+  [ "${LOCAL_UNLOCK_READ_STATUS}" -eq 0 ] || return 1
+
+  return 0
+}
+
+ensure_minimal_dev_nodes
+
 printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"

 #######################################
@@ -37,11 +195,21 @@ ask_pass_console() {
  PASSPHRASE=""
  SAVED_STTY=""

+  ensure_minimal_dev_nodes
+
+  [ -c /dev/console ] || return 1
+  exec 8<>/dev/console || return 1
+
  ### Save current console settings.
-  SAVED_STTY=$(stty -g </dev/console 2>/dev/null || printf '')
+  SAVED_STTY=$(stty -g <&8 2>&- || printf '')

  ### Non-canonical mode, no echo, 1 byte at a time.
-  stty -echo -icanon time 0 min 1 </dev/console 2>/dev/null || return 1
+  if ! stty -echo -icanon time 0 min 1 <&8 2>&-; then
+
+    exec 8>&-
+    return 1
+
+  fi

  cr=$(printf '\r')
  bs=$(printf '\b')
@@ -50,11 +218,11 @@ ask_pass_console() {
  while :; do

    ### Read exactly one byte from the console.
-    c=$(dd bs=1 count=1 2>/dev/null </dev/console)
+    c=$(dd bs=1 count=1 2>&- <&8)

    if [ -z "${c}" ]; then

-      printf '\n' > /dev/console
+      printf '\n' >&8
      break

    fi
@@ -66,7 +234,7 @@ ask_pass_console() {

      "${cr}")
      ### Enter: finish input.
-        printf '\n' > /dev/console
+        printf '\n' >&8
        break
        ;;

@@ -75,7 +243,7 @@ ask_pass_console() {
        if [ -n "${PASSPHRASE}" ]; then

          PASSPHRASE=${PASSPHRASE%?}
-          printf '\b \b' > /dev/console
+          printf '\b \b' >&8

        fi
        ;;
@@ -83,14 +251,20 @@ ask_pass_console() {
      *)
      ### Normal character: append and mask output.
        PASSPHRASE="${PASSPHRASE}${c}"
-        printf '*' > /dev/console
+        printf '*' >&8
        ;;

    esac

  done

-  [ -n "${SAVED_STTY}" ] && stty "${SAVED_STTY}" </dev/console 2>/dev/null || :
+  if [ -n "${SAVED_STTY}" ]; then
+
+    stty "${SAVED_STTY}" <&8 2>&- || :
+
+  fi
+
+  exec 8>&-

  printf '%s' "${PASSPHRASE}"

@@ -126,7 +300,7 @@ _PARAMETER=""
 _dev=""

 ### Read the kernel cmdline once. ----------------------------------------------------------------------------------------------
-CMDLINE="$(cat /proc/cmdline 2>/dev/null || printf '')"
+CMDLINE="$(cat /proc/cmdline 2>&- || printf '')"

 for _PARAMETER in ${CMDLINE}; do

@@ -149,8 +323,8 @@ if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then

  if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then

-    mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
-      || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
+    mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>&- \
+      || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>&- \
      || log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"

  fi
@@ -166,13 +340,13 @@ if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
    [ -b "${_dev}" ] || continue

    ### Try ISO9660 first, then UDF; only unmount on failure.
-    if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null || mount -r -t udf   "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null; then
+    if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>&- || mount -r -t udf   "${_dev}" "${CDLB_MNT_MEDIUM}" 2>&-; then

-      mountpoint -q "${CDLB_MNT_MEDIUM}" 2>/dev/null && break
+      mountpoint -q "${CDLB_MNT_MEDIUM}" 2>&- && break

    else

-      umount "${CDLB_MNT_MEDIUM}" 2>/dev/null || true
+      umount "${CDLB_MNT_MEDIUM}" 2>&- || true

    fi

@@ -216,24 +390,24 @@ fi
 printf "\e[92m[INFO] Loop device          : [%s] \n\e[0m" "${LOOP}"

 ### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
-mkdir -p /run 2>/dev/null || true
+mkdir -p /run 2>&- || true

-echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true
+echo "${LOOP}" > /run/ciss-loopdev 2>&- || true

-chmod 0600 /run/ciss-loopdev 2>/dev/null || true
+chmod 0600 /run/ciss-loopdev 2>&- || true

 printf "\e[92m[INFO] Exposed LOOP         : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}"

 ### Prepare fifo for passphrase. -----------------------------------------------------------------------------------------------
-mkdir -p /lib/cryptsetup 2>/dev/null || true
+mkdir -p /lib/cryptsetup 2>&- || true

 if [ -p /lib/cryptsetup/passfifo ]; then

-  rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
+  rm -f /lib/cryptsetup/passfifo 2>&- || true

 fi

-if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
+if ! mkfifo /lib/cryptsetup/passfifo 2>&-; then

  printf "\e[92m[WARN] Boot failure         : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m"
  sleep 60
@@ -242,7 +416,7 @@ if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then

 fi

-chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true
+chmod 0600 /lib/cryptsetup/passfifo 2>&- || true

 ### Background broker: read FIFO, try cryptsetup per line. ---------------------------------------------------------------------
 (
@@ -267,18 +441,29 @@ chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true

    [ -n "${PASS}" ] || continue

-    printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true
+    console_printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}"

    KEYLEN=${#PASS}

+    if [ -c /dev/console ]; then
+
      printf '%s' "${PASS}" | cryptsetup open --tries 1 \
        --type luks \
        --keyfile-size="${KEYLEN}" \
        --readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console

+    else
+
+      printf '%s' "${PASS}" | cryptsetup open --tries 1 \
+        --type luks \
+        --keyfile-size="${KEYLEN}" \
+        --readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>&-
+
+    fi
+
    if [ -b "${CDLB_MAPPER_DEV}" ]; then

-      printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true
+      console_printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}"
      break

    fi
@@ -305,12 +490,15 @@ PID_BROKER="$!"

    if [ "${PASS_SENT}" -eq 0 ]; then

-      printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console
+      # shellcheck disable=SC2310
+      wait_for_local_unlock_activation || continue
+
+      console_printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m'

      # shellcheck disable=SC2310
      PASS="$(ask_pass_console)" || continue

-      printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
+      printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>&- || :

      PASS_SENT=1
      WAIT_LOOP=0
@@ -321,7 +509,7 @@ PID_BROKER="$!"

      if [ "${WAIT_LOOP}" -ge 160 ]; then

-        printf '\e[91m[WARN] Please try again     : \n\e[0m' > /dev/console
+        console_printf '\e[91m[WARN] Please try again     : \n\e[0m'

        PASS_SENT=0
        WAIT_LOOP=0
@@ -365,12 +553,13 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then

  printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"

-  kill "${PID_PROMPT}" 2>/dev/null || true
-  kill "${PID_BROKER}" 2>/dev/null || true
-  wait "${PID_PROMPT}" 2>/dev/null || true
-  wait "${PID_BROKER}" 2>/dev/null || true
+  kill "${PID_PROMPT}" 2>&- || true
+  kill "${PID_BROKER}" 2>&- || true
+  wait "${PID_PROMPT}" 2>&- || true
+  wait "${PID_BROKER}" 2>&- || true
+  console_clear_line

-  rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
+  rm -f /lib/cryptsetup/passfifo 2>&- || true

  sleep 60

@@ -379,12 +568,13 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then

 fi

-kill "${PID_PROMPT}" 2>/dev/null || true
-kill "${PID_BROKER}" 2>/dev/null || true
-wait "${PID_PROMPT}" 2>/dev/null || true
-wait "${PID_BROKER}" 2>/dev/null || true
+kill "${PID_PROMPT}" 2>&- || true
+kill "${PID_BROKER}" 2>&- || true
+wait "${PID_PROMPT}" 2>&- || true
+wait "${PID_BROKER}" 2>&- || true
+console_clear_line

-rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
+rm -f /lib/cryptsetup/passfifo 2>&- || true

 printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"

@@ -399,7 +589,7 @@ export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
 export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
 export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
 EOF
-chmod 0444 /run/ciss-rootdev 2>/dev/null || true
+chmod 0444 /run/ciss-rootdev 2>&- || true

 ### Override '9990-main.sh' behavior to ensure 'Verify_checksums()' functions properly. ----------------------------------------
 if [ ! -e /conf/param.conf ]; then
@@ -409,21 +599,29 @@ if [ ! -e /conf/param.conf ]; then

 fi

-if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>/dev/null; then
+if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>&-; then

  printf 'PLAIN_ROOT=1\n' >> /conf/param.conf

 fi

-if ! grep -q '^livefs_root=' /conf/param.conf 2>/dev/null; then
+if ! grep -q '^livefs_root=' /conf/param.conf 2>&-; then

  printf 'livefs_root=%s\n' "/run/live/medium" >> /conf/param.conf

 fi

 printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m"
+if [ -c /dev/console ]; then
+
  cat /conf/param.conf >/dev/console 2>&1 || :

+elif [ -e /proc/1/fd/1 ]; then
+
+  cat /conf/param.conf >/proc/1/fd/1 2>&1 || :
+
+fi
+
 log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
 printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"

@@ -14,8 +14,11 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Enforce early sysctls before services start.
-# Phase  : premount (executed by live-boot inside the initramfs).
+# Module summary:
+# - Runs during live-boot premount while the system is still inside the initramfs.
+# - Applies early kernel hardening before the real root and regular services are active.
+# - Restricts ptrace, unprivileged BPF, core dumps, kexec, unsafe link handling, regular-file protections, and kernel pointer
+#   exposure where supported.

 _SAVED_SET_OPTS="$(set +o)"

@@ -14,6 +14,14 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+# Module summary:
+# This live-boot component implements the verify-checksums mode for the mounted live medium.
+# It reads the live-boot command line to decide whether checksum verification is enabled and which digests to accept.
+# It locates the pinned CISS GPG key material on the live medium, optionally verifies this script's signed hash,
+# optionally verifies signed checksum files, and checks the first matching checksum manifest with the matching digest tool. It
+# writes detailed checksum output to the verification TTY. It panics instead of continuing boot when integrity or
+# authenticity verification fails.
+
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
 ### If the offered checksum is successfully verified, proceed with booting. Otherwise, panic.
@@ -77,6 +85,8 @@ Verify_checksums() {

  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"

+  _CHECKSUM_LOG=""
+
  _KEYFILE=""

  _MP=""
@@ -249,7 +259,7 @@ Verify_checksums() {
            if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then

              _RETURN_PGP="${?}"
-              log_in "Checking signature of: [${_CHECKSUM}] successful."
+              log_ok "Checking signature of: [${_CHECKSUM}] successful."

            else

@@ -265,15 +275,22 @@ Verify_checksums() {
          fi

          # shellcheck disable=SC2312
-          if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
+          _CHECKSUM_LOG="/run/ciss-${_DIGEST}sum-check.log"
+          if grep -v '^#' "${_CHECKSUM}" | LC_ALL=C /usr/bin/"${_DIGEST}"sum -c > "${_CHECKSUM_LOG}" 2>&1; then

            _RETURN_SHA="${?}"
+            cat "${_CHECKSUM_LOG}" > "${_TTY}"
            log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]"

          else

            _RETURN_SHA="${?}"
+            cat "${_CHECKSUM_LOG}" > "${_TTY}"
            log_er "Found: [/usr/bin/${_DIGEST}sum] unsuccessful verified: [${_CHECKSUM}]"
+            log_er "Checksum verification failed. Failed entries:"
+            if ! grep -E ': FAILED$|FAILED open or read|No such file or directory|WARNING:' "${_CHECKSUM_LOG}" >&2; then
+              cat "${_CHECKSUM_LOG}" >&2
+            fi

          fi

@@ -14,8 +14,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Late rootfs attestation and dmsetup health checking.
-# Phase  : executed by live-boot inside the 9990-main.sh.
+# Module summary:
+# - Runs after the encrypted live root filesystem has been decrypted.
+# - Requires the pinned public key, attestation hash file, and detached signature to exist as readable, non-empty regular files
+#   inside the decrypted rootfs.
+# - Verifies the attestation signature with gpgv against the pinned key material.
+# - Confirms that the signature fingerprint matches the build-time expected rootfs fingerprint and panics on missing, malformed,
+#   or mismatched evidence.

 _SAVED_SET_OPTS="$(set +o)"

@@ -30,7 +35,7 @@ export CDLB_EXP_FPR="@EXP_FPR@"
 export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"

 ### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
-CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
+export CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"

 ### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
 CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}"
@@ -66,33 +71,83 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
 #######################################
 log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }

+#######################################
+# Validate a boot-time attestation input file.
+# Globals:
+#   None
+# Arguments:
+#   1: Human-readable artifact label
+#   2: Absolute artifact path
+# Returns:
+#   0: on success
+#######################################
+require_attestation_file() {
+  artifact_label="${1}"
+  artifact_path="${2}"
+
+  if [ ! -e "${artifact_path}" ]; then
+
+    if [ -L "${artifact_path}" ]; then
+
+      log_er "0042()              : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
+      panic  "0042()              : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
+
+    fi
+
+    log_er "0042()              : ${artifact_label} missing: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} missing: [${artifact_path}]"
+
+  fi
+
+  if [ -L "${artifact_path}" ] || [ ! -f "${artifact_path}" ]; then
+
+    log_er "0042()              : ${artifact_label} is not a regular file: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} is not a regular file: [${artifact_path}]"
+
+  fi
+
+  if [ ! -s "${artifact_path}" ]; then
+
+    log_er "0042()              : ${artifact_label} is empty: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} is empty: [${artifact_path}]"
+
+  fi
+
+  if [ ! -r "${artifact_path}" ]; then
+
+    log_er "0042()              : ${artifact_label} is not readable: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} is not readable: [${artifact_path}]"
+
+  fi
+
+  return 0
+}
+
 HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
 SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
 KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"

-if [ -s "${KEYFILE}" ]; then
-
-  log_er "0042()              : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
-  panic  "0042()              : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
-
-fi
-
-if [ -s "${HASH_FILE}" ]; then
-
-  log_er "0042()              : Attestation data missing: [${HASH_FILE}]"
-  panic  "0042()              : Attestation data missing: [${HASH_FILE}]"
-
-fi
-
-if [ -s "${SIGN_FILE}" ]; then
-
-  log_er "0042()              : Attestation signature missing: [${SIGN_FILE}]"
-  panic  "0042()              : Attestation signature missing: [${SIGN_FILE}]"
-
-fi
+require_attestation_file "Public key"            "${KEYFILE}"
+require_attestation_file "Attestation data"      "${HASH_FILE}"
+require_attestation_file "Attestation signature" "${SIGN_FILE}"

 log_in "0042()               : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
-_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}")"
+
+if ! _STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}" 2>&1)"; then
+
+  log_er "0042()              : gpgv verification failed for signature: [${SIGN_FILE}]"
+
+  if [ -n "${_STATUS}" ]; then
+
+    printf '%s\n' "${_STATUS}" >&2
+
+  fi
+
+  sleep 8
+  panic  "0042()              : gpgv verification failed for signature: [${SIGN_FILE}]"
+
+fi
+
 _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"

 ### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
--- a/Show More
+++ b/Show More
Author	SHA256	Message	Date
ahz	85ff080b40	V9.14.022.2026.06.11: document and test audit safeguards	2026-06-11 05:08:18 +02:00
ahz	9d3f283297	V9.14.022.2026.06.11: enforce secret and cleanup safeguards	2026-06-11 05:08:01 +02:00
ahz	74897d85b1	V9.14.022.2026.06.11: add path security helpers	2026-06-11 05:07:33 +02:00
msw	9ef535554a	V9.14.022.2026.06.10 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-10 18:57:46 +01:00
msw	800cd175fc	V9.14.022.2026.06.10 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-10 17:57:31 +01:00
msw	ae87d7ac54	V9.14.020.2026.06.08 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-09 18:11:15 +01:00
msw	0b1bfe2978	V9.14.020.2026.06.08 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-09 18:07:45 +01:00
msw	314c1178c3	V9.14.020.2026.06.08 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-09 18:04:02 +01:00
msw	9179031a80	V9.14.020.2026.06.08 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-09 16:41:50 +01:00
msw	7956e5861d	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 20:02:23 +01:00
msw	8c37efcff6	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 19:58:06 +01:00
msw	a53d52bf38	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 17:06:05 +01:00
msw	250f1700cf	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 15:43:24 +01:00
msw	574411d9b0	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 15:23:19 +01:00
msw	a469dbf595	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 11:44:48 +01:00
msw	a37a16d86e	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 11:42:19 +01:00
msw	421589285f	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 10:59:37 +01:00
msw	0a091fb9a6	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 10:54:44 +01:00
msw	3fc5003676	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 09:11:26 +01:00
msw	9cdcc0a9ec	V9.14.018.2026.06.07 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 07:24:22 +01:00
msw	8b6731f1be	V9.14.016.2026.06.06 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-06 18:37:43 +01:00
msw	fa1a31ef64	V9.14.016.2026.06.06 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-06 15:40:02 +01:00
msw	e42fdff89b	V9.14.016.2026.06.06 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-06 14:39:12 +01:00
msw	83f6f8488c	V9.14.008.2026.06.04 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-04 20:14:02 +01:00
msw	ec3aca7fc8	V9.14.008.2026.06.04 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-04 18:19:09 +01:00
msw	c80b45417f	V9.14.004.2026.05.17 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-05-17 14:28:12 +01:00
msw	6307bc2b7c	V9.14.002.2026.05.13 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-05-17 13:34:00 +01:00