V9.14.022.2026.06.11: document and test audit safeguards

V9.14.022.2026.06.11: enforce secret and cleanup safeguards
V9.14.022.2026.06.11: add path security helpers
2026-06-11 05:08:18 +02:00 · 2026-06-11 05:08:01 +02:00 · 2026-06-11 05:07:33 +02:00 · 2026-06-10 18:57:46 +01:00 · 2026-06-10 17:57:31 +01:00 · 2026-06-09 18:11:15 +01:00
178 changed files with 5106 additions and 941 deletions
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
@@ -107,7 +107,7 @@ options edns0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -296,7 +296,7 @@ ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.t
 systemctl enable ciss-memwipe.service
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 mkdir -p /etc/systemd/system/clamav-daemon.service.d
 cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -69,7 +69,7 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE
 EOF
 chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
@@ -63,7 +63,7 @@ EOF
 chmod 0644 /etc/network/interfaces
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 name: 💙 Generating a PUBLIC Live ISO.
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.544.2025.12.05"
+      placeholder: "e.g., Master V9.14.022.2026.06.10"
    validations:
      required: true
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 FROM debian:bookworm
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 name: 🔁 Render README.md to README.html.
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.544.2025.12.05
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.544.2025.12.05
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.544.2025.12.05
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.544.2025.12.05
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -216,7 +216,6 @@ jobs:
            --cdi \
            --change-splash hexagon \
            --control "${timestamp}" \
            --debug \
            --dhcp-centurion \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
            --key_age=keys.txt \
@@ -233,7 +232,6 @@ jobs:
            --trixie
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
@@ -243,11 +241,8 @@ jobs:
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
+
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
@@ -255,46 +250,65 @@ jobs:
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
-              if curl -s \
+
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-                  -X DELETE "${FILE_URL}"; then
+
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
        run: |
          set -euo pipefail
          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -297,7 +297,7 @@ jobs:
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 name: 💙 Generating a PUBLIC Live ISO.
@@ -190,10 +190,8 @@ jobs:
            --architecture amd64 \
            --autobuild=6.17.8+deb13-amd64 \
            --build-directory /opt/cdlb \
            --cdi \
            --change-splash hexagon \
            --control "${timestamp}" \
            --debug \
            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --ssh-port 42137 \
            --ssh-pubkey /dev/shm/cdlb_secrets \
@@ -267,7 +265,7 @@ jobs:
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 name: 🔁 Render Graphviz Diagrams.
@@ -16,5 +16,11 @@ target/
 *.log
 *.ps1
 config.mk
 ciss.secureboot/private/*
 !ciss.secureboot/private/README.md
 ciss.secureboot/manifests/*
 !ciss.secureboot/manifests/.gitkeep
 ciss.secureboot/uki/*
 !ciss.secureboot/uki/.gitkeep
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.544.2025.12.05"
+properties_version="V9.14.022.2026.06.10"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -0,0 +1,125 @@
 # AGENTS.md
 ## Purpose
 This repository builds and maintains the CISS Debian Live Builder for Debian 13 Trixie.
 Treat every change as security-sensitive and boot-chain-sensitive.
 Persistent coding details live in `docs/CODING_CONVENTION.md`.
 Review-only instructions live in `code_review.md`.
 ## Instruction precedence for this repository
 Use this order when instructions differ:
 1. The current user task prompt defines the immediate objective and task-specific acceptance criteria.
 2. This `AGENTS.md` defines repository-wide constraints and routing guidance.
 3. `docs/CODING_CONVENTION.md` defines detailed coding conventions.
 4. `code_review.md` applies when performing a review or final self-review.
 5. Personal/global Codex instructions apply only where they do not conflict with repository rules.
 When in doubt, choose the safer, smaller, more easily reviewable change and explain the uncertainty.
 ## Non-negotiable constraints
 - Target Debian 13 Trixie unless the task explicitly states otherwise.
 - Do not introduce Ubuntu-specific assumptions.
 - Do not invent live-build, live-boot, initramfs, cryptsetup, systemd, GRUB, Debian package, or upstream tool behavior.
 - Verify uncertain behavior against existing repository code or authoritative upstream documentation.
 - Do not add phase-argument gates to live-boot or initramfs scripts. Execution phase is controlled by Debian hook placement.
 - Preserve encrypted-root and encrypted-SquashFS architecture unless the task explicitly changes it.
 - Prefer simple, explicit, inspectable Bash over clever abstraction.
 - Do not use `eval`.
 - Do not print secrets, private keys, passphrases, tokens, or sensitive environment values.
 ## Repository map
 Common areas:
 - `ciss_live_builder.sh`, `lib/*.sh`: host-side orchestration and argument handling.
 - `makefile`: local wrapper for composing and executing builder invocations.
 - `config/hooks/live/*.chroot`: live-build chroot hooks.
 - `config/hooks/live/*.binary`: live-build binary-image hooks.
 - `config/includes.chroot/etc/initramfs-tools/hooks/*`: initramfs build hooks.
 - `config/includes.chroot/etc/initramfs-tools/scripts/*`: initramfs boot scripts.
 - `config/includes.chroot/usr/lib/live/boot/*`: live-boot runtime scripts.
 - `scripts/*`: helper scripts or files copied into the generated image.
 - `docs/*`: project documentation and conventions.
 ## Working method
 Before editing:
 1. Inspect the relevant scripts, hooks, configuration files, documentation, tests, and naming conventions.
 2. Identify the affected build or boot phase.
 3. Give a concise implementation plan and list the likely files to touch, unless the change is trivial.
 While editing:
 - Keep changes minimal and local to the task.
 - Preserve existing architecture, naming style, error handling, formatting, and security posture.
 - Do not perform unrelated cleanup or formatting churn.
 - Reuse existing helper functions for logging, fatal errors, validation, downloads, temporary files, and tool checks where available.
 - Do not introduce new runtime dependencies unless technically necessary and justified.
 After editing:
 - Run only the narrowest checks that prove the change.
 - Changed Bash files: run `bash -n <file>` and `shellcheck <file>` if ShellCheck is available.
 - Changed POSIX shell files, if any exist and must remain POSIX: run `sh -n <file>`.
 - Make wrapper or builder argument-composition changes: run the relevant dry-run or help/parser check, usually `make dry-run` if available.
 - Changed Python files: run the repository's relevant Python checks if present.
 - CLI or user-facing behavior changes: update `usage()` and relevant documentation.
 - Live-build, initramfs, or ISO behavior changes: state the required Debian Trixie validation command. Do not run a full live build unless requested or necessary.
 ## Bash conventions summary
 See `docs/CODING_CONVENTION.md` for detail.
 - Use Bash for new and modified project scripts unless an existing Debian interface file explicitly requires POSIX shell.
 - Prefer `set -Ceuo pipefail` where feasible.
 - Use `declare` for variables inside functions.
 - Quote expansions unless word splitting or globbing is explicitly required.
 - Prefer arrays where argument boundaries matter.
 - Use `[[ ... ]]` for Bash conditionals.
 - Use `case` for option dispatch and multi-branch string handling.
 - Avoid parsing `ls`.
 - Prefer `command -v` over `which`.
 - Keep functions small and readable.
 - End functions explicitly with `return 0` where consistent with surrounding code.
 - Code comments must be in English.
 ## Security-sensitive areas
 Before finalizing a change, check whether it affects:
 - boot trust
 - initramfs behavior
 - live-boot runtime behavior
 - cryptsetup/LUKS handling
 - encrypted SquashFS handling
 - key material
 - remote unlock
 - TLS, mTLS, signature, checksum, or provenance verification
 - package sources or remote downloads
 - network exposure
 - file permissions
 - persistence
 - logging of sensitive values
 If affected, document the concrete risk and mitigation in the final response.
 ## Final response
 Return a concise implementation report:
 - changed files
 - what changed
 - checks run and result
 - real remaining risks or follow-up steps
 Do not claim success for checks that were not run.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.544.2025.12.05
+PackageVersion: Master V9.14.022.2026.06.10
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-12-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-12-05T00:49:27Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:39:51Z"
 ✅ The last linter check was successful. ✅
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-08; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-11-08T19:46:24Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T03:44:29Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_11_08T18_57_19Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T02_53_28Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  11065e6ed8f99b533352ad86bd5b4cc9b407652e79a34718da6aad46a5f603738553fde6fbcceaa3128bfbbfa4c1674c05552232d4620ea250bc029545600718
+  2bf967b902455fe1f4d3ba1cb0b3c5983c6812181ae95b10ce837c0aaae084207bf15c22add2709c21c45f4262db2a2f787b2c93f3a1c507289c020e70314707
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQ+eEAAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOmnQAKCRA85KY4hzOw
-IcJaAP9FYAzawGRXQqt5mEL3SQy4cSDkc5/r/KDhy+ABdVNMvAEA1ReKZ7qXrESP
+IcItAQDvE6vEkbslGR5BLMVV+DKi2GDnIzIMVs7zROiPsKb3BgEA1Koqx7ccc+H2
-rgP2MsHaXHVBWGJUvFyMf6dUpbjEnA8=
+MmNv12w674dS2xmTZHOViYePe2KWLw0=
-=SkUY
+=I8w2
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-10-29T21:52:45Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:35:36Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_29T20_59_34Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T03_45_41Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  c2b295aa3bd7ccfbe6c83aa27aeeace796251ad93ebfbf999bc6b1ae7c3c881efeeeda5e9235c5f5b7ad022ee465bc61e04c46906c6a7ca79214866ae62e160d
+  fe9481d92cf61554da92ff883a58d9aaa2ae5fe86d9c3dd634a1c3a79e1b6ca5e08693d4f9b0870077fc0bf2f840a3e678d9c9dc44f9b8dae5d474a6d39e16b2
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQKMrQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOymAAKCRA85KY4hzOw
-ISgMAQDy82Yr4/F3cI/ZzLQJyoFSY2qgPl8d84eJZFhhTFpD3AEAmMBws55fQAzz
+Ic1iAQDVxT891Nv+LHzQs3vL31/1wqeOjiGmZbEJR8XvBoRe4wEAjdmvUpEXyb1Y
-Q9DBRAvRYgMDLmqsog+m3FEH7cXtDAg=
+qhaFcxWDrRgiVKaitGkbNo2w6yICdgY=
-=o+0d
+=TQPs
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.544.2025.12.05-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.022.2026.06.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,10 +11,10 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.12-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
@@ -26,11 +26,11 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
+**Master Version**: 9.14<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V9.14.022.2026.06.10<br>
 **CISS.debian.live.builder — First of its own.**<br>
-**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
+**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
 Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed 
 to serve as a reference implementation for hardened, image-based Debian deployments.
@@ -60,12 +60,15 @@ and spoofing surfaces.
 Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
 (`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
-line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
+line, is guarded by a `0700 root:root` secret root and single-link regular `0400` or `0600` root-owned files, and any symlink
-that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
+inside the secret path is treated as a hard failure that aborts the run. Filename-only secret arguments reject slashes and
-transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
+traversal.
-wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
+Critical code paths temporarily disable Bash xtrace, and a final exact-value debug-log sanitisation pass provides additional
-encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
+defence in depth. Transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed, but this is only a
-named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
+best-effort cleanup on SSD, NVMe, copy-on-write, journaled, and virtualised storage. Use tmpfs for secrets and encrypted storage
 for build workspaces. Destructive build cleanup is restricted to the exact canonical directory carrying the
 `.ciss-live-builder-owned` marker. This private operator workflow still requires strict local path validation; it does not
 define public ISO release policy.
 Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
 * [CenturionDNS Resolver](https://eddns.eu/)
@@ -175,7 +178,7 @@ installer toolchain.
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.544.2025.12.05`
+Example: `V9.14.022.2026.06.10`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -221,7 +224,7 @@ The parameters fall into several categories.
 * The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
 * The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
 * Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
-* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
+* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough, and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
 * ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
 * Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
 * ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
@@ -237,7 +240,7 @@ deliberate design decision.
 ### 2.1.2. CPU Vulnerability Mitigations
-I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
+I build the kernels with the relevant mitigations for Specter, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
 The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they 
 are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the 
 context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
@@ -286,6 +289,8 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
 * **Description**: Disables and blacklists non-essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 For further details see: **[30-ciss-hardening.conf.md](docs/documentation/30-ciss-hardening.conf.md)**
 ## 2.3. Network Hardening
 At the kernel level classical ``sysctl`` settings are applied that defend against spoofing and sloppy network behavior. Reverse path 
@@ -363,6 +368,11 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
 ## 2.9. UFW Hardening
 * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
 * **Primordial SSH exception**: `--primordial-url <https-git-url>`, `--primordial-key <ssh-identity-filename>` and
  `--primordial-ssh <port>` configure the CDI Primordial overlay clone. `--primordial-ssh` also adds an outgoing-only UFW TCP
  exception for a bootstrap/recovery SSH port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall
  rule and does not replace `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current
  hook still emits the requested labelled rule because this repository has no separate UFW rule deduplication layer.
 * **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
  deployment.
@@ -486,10 +496,14 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
+   2. Create the empty build directory with `install -d -m 0700 -o root -g root /opt/cdlb`.
-   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
+   3. Create the tmpfs secret root with `install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`.
-   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
+   4. Place required secret files in the secret root as single-link regular, non-symlink, root-owned files with mode `0400`
-   5. Make any other changes you need to.
+      or `0600`.
   5. Place your desired SSH public key in `/dev/shm/cdlb_secrets/authorized_keys`.
   6. Place your desired root password in `/dev/shm/cdlb_secrets/password.txt`.
   7. Use filename-only values without slashes, `.` or `..` for `--key_age`, `--key_luks`, and signing-file arguments.
   8. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
@@ -512,15 +526,29 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
     --reionice-priority 1 2 \
     --renice-priority "-19" \
     --root-password-file /dev/shm/cdlb_secrets/password.txt \
     --secure-boot-profile debian-shim \
     --sops-version 3.13.1 \
     --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
     --signing_key_pass=signing_key_pass.txt \
     --signing_key=signing_key.asc \
     --ssh-port 4242 \
     --primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \
     --primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \
     --primordial-ssh 42842 \
     --ssh-pubkey /dev/shm/cdlb_secrets \
     --sshfp \
     --trixie
   ````
   `--sops-version` selects the upstream SOPS release installed into the live system. If omitted, the builder uses
   `VAR_SOPS_VERSION` from `var/global.var.sh`. The SOPS hook verifies the upstream checksums file with Cosign and supports
   both the newer Sigstore bundle asset, and the legacy-split certificate/signature assets before checking the downloaded
   SOPS binary with `sha256sum -c --ignore-missing`.
   On the first run, the builder creates `.ciss-live-builder-owned` in a new or empty build directory whose canonical parent
   already exists. A populated directory without that marker is rejected and is never adopted automatically. Cleanup remains
   intentionally destructive inside the exact validated marker-owned directory.
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
@@ -542,7 +570,8 @@ preview it or run it.
 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
+   2. Create the empty build directory and tmpfs secret root with restrictive ownership and permissions:
      `install -d -m 0700 -o root -g root /opt/cdlb /dev/shm/cdlb_secrets`.
   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   5. Copy and edit the sample and set your options (no spaces around commas in lists): 
@@ -554,10 +583,15 @@ preview it or run it.
    ````bash
    BUILD_DIR=/opt/cdlb
    ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
    SECURE_BOOT_PROFILE=debian-shim
    SOPS_VERSION=3.13.1
    SSH_PORT=4242
    SSH_PUBKEY=/dev/shm/cdlb_secrets
    # Optional
    PRIMORDIAL_URL=https://git.coresecret.dev/ahz/PhysNet.primordial.git
    PRIMORDIAL_KEY=id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10
    PRIMORDIAL_SSH_PORT=42842
    PROVIDER_NETCUP_IPV6=2001:cdb::1
    # comma-separated; IPv6 in [] is fine
    JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     
@@ -567,7 +601,31 @@ preview it or run it.
 4. Execute the build: ````make live````
-## 5.3. CI/CD Gitea Runner Workflow Example
+## 5.3. Secure Boot Profiles
 The default build profile is ``--secure-boot-profile debian-shim``. It keeps the ISO broadly portable: ``lb config`` uses an
 ``iso-hybrid`` image with both ``grub-pc`` and ``grub-efi`` bootloaders, and UEFI Secure Boot remains delegated to live-build's
 standard Microsoft-signed Debian shim plus Debian-signed GRUB path.
 The custom profile is ``--secure-boot-profile ciss-uki``. It is intended for amd64 systems whose firmware trusts the CISS Secure
 Boot key material through the platform Secure Boot database, or a custom PK/KEK/db model. In this profile a late binary hook
 builds a Unified Kernel Image from the final ``binary/live/vmlinuz-*`` and ``binary/live/initrd.img-*`` artifacts, signs it with
 ``ciss.secureboot/private/ciss-efi-image.key`` and ``ciss.secureboot/public/ciss-efi-image.crt``, rebuilds
 ``binary/boot/grub/efi.img``, installs the signed UKI as ``EFI/BOOT/BOOTX64.EFI``, and mirrors it into the ISO EFI tree when
 live-build created one.
 Required files for ``ciss-uki``:
 ````text
 ciss.secureboot/private/ciss-efi-image.key
 ciss.secureboot/public/ciss-efi-image.crt
 ````
 The private directory is ignored by Git. The hooks fail if the CISS EFI image signing key or module signing key appears below
 ``binary/``, ``chroot/`` or ``config/includes.*``. Build-time UKI manifests are written below the build directory in
 ``ciss.secureboot/manifests`` and can be checked with ``ukify inspect`` and ``sbverify``.
 ## 5.4. CI/CD Gitea Runner Workflow Example
 1. Clone the repository:
@@ -610,10 +668,10 @@ preview it or run it.
  #...
        - name: Preparing the build environment.
          run: |
-            mkdir -p /opt/config
+            install -d -m 0700 -o root -g root /opt/livebuild /dev/shm/cdlb_secrets
-            mkdir -p /opt/livebuild
+            umask 0077
-            echo "${{ secrets.CHANGE_ME }}" >| /opt/config/password.txt
+            printf '%s\n' "${{ secrets.CHANGE_ME }}" >| /dev/shm/cdlb_secrets/password.txt
-            echo "${{ secrets.CHANGE_ME }}" >| /opt/config/authorized_keys
+            printf '%s\n' "${{ secrets.CHANGE_ME }}" >| /dev/shm/cdlb_secrets/authorized_keys
  #...
        - name: Starting CISS.debian.live.builder. This may take a while ...
          run: |
@@ -626,9 +684,9 @@ preview it or run it.
              --build-directory /opt/livebuild \
              --control "${timestamp}" \
              --jump-host "${{ secrets.CHANGE_ME }}" \
-              --root-password-file /opt/config/password.txt \
+              --root-password-file /dev/shm/cdlb_secrets/password.txt \
              --ssh-port CHANGE_ME \
-              --ssh-pubkey /opt/config
+              --ssh-pubkey /dev/shm/cdlb_secrets
  #...
        ### SKIP OR CHANGE ALL REMAINING STEPS
  ```
@@ -7,16 +7,16 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
+**Master Version**: 9.14<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V9.14.022.2026.06.10<br>
-# 2.1. Repository Structure
+# 2. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.544.2025.12.05** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.022.2026.06.10** (as of 2025-10-11)
-## 2.2. Top-Level Layout
+## 3.1. Top-Level Layout
 ````text
 CISS.debian.live.builder/
@@ -59,15 +59,15 @@ CISS.debian.live.builder/
 > **Note:** The ISO marker files (`LIVE_ISO.*`) are produced by CI workflows for convenient retrieval of generated images.
-## 2.3. Directory Semantics
+## 3.2. Directory Semantics
-### 2.3.1. `.gitea/` — CI/CD Orchestration
+### 3.2.1. `.gitea/` — CI/CD Orchestration
 - **`workflows/`**: Declarative Gitea Actions to lint shell scripts, render Graphviz/DNSSEC status, and generate **PUBLIC**/**PRIVATE (TRIXIE)** ISOs reproducibly.
 - **`trigger/`**: Manual/auxiliary trigger manifests (`t_generate_PUBLIC.yaml`, `t_generate_PRIVATE_trixie_{0,1}.yaml`, `t_generate_dns.yaml`) to drive pipeline variants.
 - **`ISSUE_TEMPLATE/`**: Issue and pull request templates to standardize change management.
 - **`properties/`** and **`TODO/`**: Auxiliary config fragments (JSON/Lua) and maintenance utilities (e.g., `render-md-to-html.yaml`).
-### 2.3.2. `config/` — Live-Build Configuration
+### 3.2.2. `config/` — Live-Build Configuration
 - **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
 - **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
 - **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
@@ -77,40 +77,40 @@ CISS.debian.live.builder/
  - `root/` (administrator dotfiles and keys).
 - **`package-lists/`**: Architecture-specific and common package manifests (`amd64`, `arm64`, `common`) used by `live-build`.
-### 2.3.3. `docs/` — Documentation Corpus
+### 3.2.3. `docs/` — Documentation Corpus
 Audit reports (DNSSEC, Lynis, SSH, TLS, Haveged), **BOOTPARAMS**, **CHANGELOG**, **CODING_CONVENTION**, **CONTRIBUTING**, **REFERENCES**; plus `SECURITY/`, `LICENSES/`, architecture diagrams under `graphviz/`, and illustrative `screenshots/`.
-### 2.3.4. `lib/` — Shell Library Modules
+### 3.2.4. `lib/` — Shell Library Modules
 Composable, single-purpose modules used by the wrapper and CI steps (argument parsing and validation, kernel/CPU mitigation checks, provider support, `lb config/build` scaffolding, usage/version banners, sanitization and traps, SSH/root-password hardening, ultra-hardening profile, etc.).
-### 2.3.5. `scripts/` — Operational Helpers
+### 3.2.5. `scripts/` — Operational Helpers
 Ancillary scripts for DHCP supersedes, resolver bootstrapping, and live-boot verification; targeted paths such as `scripts/etc/network/` and `scripts/live-boot/` encapsulate deploy-time adjustments and integrity checks.
-### 2.3.6. `var/` — Variables & Defaults
+### 3.2.6. `var/` — Variables & Defaults
 Layered variable sets (`early.var.sh`, `global.var.sh`, `bash.var.sh`, `color.var.sh`) providing early-boot defaults, global tuning, and TTY/UI niceties.
-## 2.4. Key Files
+## 3.3. Key Files
 - **`ciss_live_builder.sh`** — Primary entrypoint; orchestrates argument parsing, environment preparation, `lb config`/`lb build` execution and post-processing.
 - **`makefile`** & **`config.mk.sample`** — Make-based convenience wrapper and a sample configuration surface.
 - **`README.md`, `SECURITY.md`, `LICENSE`, `CISS.debian.live.builder.spdx`** — Project overview, security policy, licensing, and SPDX manifest for compliance.
 - **ISO markers**: `LIVE_ISO.public`, `LIVE_ISO_TRIXIE_{0,1}.private` reflect CI pipeline outputs.
-## 2.5. Conventions & Build Logic
+## 3.4. Conventions & Build Logic
 - **Hook Ordering**: Numeric prefixes (`0000_…` → `99xx_…`) strictly determine execution sequencing within `config/hooks/live/`. Early hooks establish base state (initramfs modules, checksums), mid-range hooks integrate security services (AppArmor, Chrony/NTPsec, Lynis, UFW, Fail2Ban, SSH auditing), late hooks enforce hardening and cleanup (SSH tightening, memory-dump policies, service disablement).
 - **Binary vs. Chroot Includes**: Assets under `includes.binary/` affect the ISO’s bootloader stage; `includes.chroot/` become part of the runtime filesystem.
 - **Architecture Scoping**: Package lists are split into `*amd64*`, `*arm64*`, and `*common*` to keep images minimal and deterministic.
 - **CI/CD**: Reproducible ISO builds are executed via Gitea workflows; dedicated `trigger/` manifests parameterize public vs. private images and auxiliary rendering jobs (e.g., DNSSEC status, Graphviz diagrams).
-## 2.6. Cross-References (Documentation)
+## 3.5. Cross-References (Documentation)
 - **Boot Parameters**: see `docs/BOOTPARAMS.md`.
 - **Audits**: `docs/AUDIT_*.md` (DNSSEC, Lynis, SSH, TLS, Haveged).
 - **Coding & Contribution**: `docs/CODING_CONVENTION.md`, `docs/CONTRIBUTING.md`.
 - **Change Log & References**: `docs/CHANGELOG.md`, `docs/REFERENCES.md`.
-## 2.7. Licensing & Compliance
+## 3.6. Licensing & Compliance
 The repository is **SPDX-compliant**; source files carry SPDX identifiers. See `CISS.debian.live.builder.spdx` and `LICENSE` for details.
@@ -0,0 +1,33 @@
                                          .-=+*###%%###*+=-:.
                                      :=*%%@@@@@@@@@@@@@@@@@%#*-.
                                   :+%@@@@%%%%@@@@@@@@%%%%%%@@@@@%*:
                                 -#@@@%%%%@@@@%#****#%%@@@%%@@%#+=-:.
                               .#@@%%%%%@@#+:..:::-::::-=#@@%=.
                              -%@%%%%%%@#: .=*%@@@@@@%#+-.:=
                             =@%%%%%%%@= .*@@@@%%%%%%%@@@%=
                            :@%%%%%%%@+ :%@%%%%%%%%%%%%%%@@#%+
                            #%%%%%%%%%  #@%%%%%%%%%%%%%%%%%@@%.
                           -@%%%%%%%@#  %%%%%%%%%%%%%%%%%@@@%@*
                           *%%%%%%%%@%  *@%%%%%%%%%%%%%%%#*#%%@:
                           *@%%%%%%%%@- :@%%%%%%%%%%%%%%%%-   ..
                           *%%%%%%%%%%#. +@%%%%%%%%%%%%%%@@*.
                           -@%%%%%%%%%@-  #%%%%%%%%@@@@@%%%@@%%%+
                            %%%%%%%%%%:   -@%%%%%@@%**#%@%%%%@%@%
                            -@%%%%%%@+    :@%%%@@*:     =@%%%%%%:
                             +@%%%%%@.    +@%%@#:        #@%%%@-
                              *@%%@@=    :%%@@+          *%%%@#
                               =@%#-    :%@@#-          :@@%%%-
                                ..     =@%*-            .+#%@%.
                                      :+-.                 .=*
  ____ ___ ____ ____      _      _     _               _ _             _           _ _     _
 / ___|_ _/ ___/ ___|  __| | ___| |__ (_) __ _ _ __   | (_)_   _____  | |__  _   _(_) | __| | ___ _ __
 | |    | |\___ \___ \ / _` |/ _ \ '_ \| |/ _` | '_ \  | | \ \ / / _ \ | '_ \| | | | | |/ _` |/ _ \ '__|
 | |___ | | ___) |__) | (_| |  __/ |_) | | (_| | | | |_| | |\ V /  __/_| |_) | |_| | | | (_| |  __/ |
 \____|___|____/____(_)__,_|\___|_.__/|_|\__,_|_| |_(_)_|_| \_/ \___(_)_.__/ \__,_|_|_|\__,_|\___|_|
 Debian Trixie | Hardened Live ISO Builder | Encrypted Root Path | Verified Boot Chain | LUKS Integrity
 Preparing Builder...
 Please wait...
@@ -0,0 +1,37 @@
                              .:-=++***#####***+==-:.
                        .-=*#%%@@@@@@@@@@@@@@@@@@@@@%%#*=-.
                    .=*#@@@@@@@%%%%%%%%%%%%%%%%%%%%%@@@@@@@%*=:
                 :+#@@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@%*=.
              .+#@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@#=:
            :*%@@%%%%%%%%%%%%%%%%@@@@@@@@@@@@@%%%%%%%%%%%%%%%%@@@@%%%*=
          :*@@%%%%%%%%%%%%%%@@@@@%%#*******#%%@@@@%%%%%%%%%@@%#+-:.
        .+@@%%%%%%%%%%%%%%@@%#+-.             .-+#%@@%%%%@@#=.
       -%@%%%%%%%%%%%%%@@%*-.    :-+**####**+-:   .-*%@@@*:
      +@@%%%%%%%%%%%%%@%+.   :+#%@@@@@@@@@@@@@@%#+:  .+#:
     *@%%%%%%%%%%%%%%@*.   =#@@@@%%%%%%%%%%%%%%@@@@#-
    *@%%%%%%%%%%%%%%@-   -%@@%%%%%%%%%%%%%%%%%%%%%%@@#-
   +@%%%%%%%%%%%%%%@-   +@@%%%%%%%%%%%%%%%%%%%%%%%%%%@@+-*#
  -@%%%%%%%%%%%%%%@+   +@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@-
  %%%%%%%%%%%%%%%%%   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 -@%%%%%%%%%%%%%%@*   +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@=
 #%%%%%%%%%%%%%%%@=   *@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 .%%%%%%%%%%%%%%%%@+   +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@%%%%%%%=
 -@%%%%%%%%%%%%%%%@*   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@@@.
 =@%%%%%%%%%%%%%%%%%.   #@%%%%%%%%%%%%%%%%%%%%%%%%%%%*..:--==+*-
 =@%%%%%%%%%%%%%%%%@=   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%@#:
 =@%%%%%%%%%%%%%%%%%%.   +@%%%%%%%%%%%%%%%%%%%%%%%%%%%@@+
 :@%%%%%%%%%%%%%%%%%@#    #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@#::::.
 %@%%%%%%%%%%%%%%%%%@=   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@%#:
 *%%%%%%%%%%%%%%%%%%-     *@%%%%%%%%%%%%%%%@@@@%%%%%%%%%%%%%%%@@@.
 :@%%%%%%%%%%%%%%%@-      -@%%%%%%%%%%%%@@@%%%%%@@%%%%%%%%%%%%%%%.
  *@%%%%%%%%%%%%%@+       .%%%%%%%%%%%@@*=:.   .-*@%%%%%%%%%%%%@=
  .%%%%%%%%%%%%%%%.       .%%%%%%%%%@@*:          :%%%%%%%%%%%@+
   =@%%%%%%%%%%%@*        -@%%%%%%%@#:             =@%%%%%%%%@*
    +@%%%%%%%%%%@.        *@%%%%%@@+               .@%%%%%%%%%.
     *@%%%%%%%%@+        -@%%%%%@%-                .@%%%%%%%@=
      +@%%%%%@@*        :%%%%%@@*.                 -@%%%%%%%%
       =@@@@@#-        :%%%%@@%-                   #%%%%%%%@+
        :#*+:         :%%%@@%+                    -@@@%%%%%@:
                     =@@@@#=.                      :+#@@@@%%.
                   .*%#*=.                            .=*%@%
                   ::.                                   .-+
@@ -0,0 +1 @@
@@ -0,0 +1,26 @@
 ---
 gitea: none
 include_toc: true
 ---
 # 1. CISS.debian.live.builder
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
 **Build**: V9.14.022.2026.06.10<br>
 # 2. CISS Secure Boot Private Material
 This directory is intentionally ignored except for this README.
 On the air-gapped build host, place the private EFI image signing key here:
 * `ciss-efi-image.key`
 Do not commit private keys. The custom UKI hooks fail if this key is copied into `binary/`, `chroot/`, or
 `config/includes.*`.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1,26 @@
 ---
 gitea: none
 include_toc: true
 ---
 # 1. CISS.debian.live.builder
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
 **Build**: V9.14.022.2026.06.10<br>
 # 2. CISS Secure Boot Public Material
 Place public CISS Secure Boot certificates here on the air-gapped build host.
 Expected file for the `ciss-uki` build profile:
 * `ciss-efi-image.crt`
 Public CA and module-signing certificates may also live here, for example `ciss-secureboot-ca.crt` and
 `ciss-module-signing.crt`, but they are not copied into the ISO by the current UKI hooks.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1 @@
@@ -15,7 +15,7 @@
 ### WHY BASH?
 # Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
 # and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
-# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
+# are available natively; no external binaries are required. Cross-platform consistency. '/bin/bash' is the default shell on most
 # Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
 # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
 # or Cygwin on Windows systems.
@@ -111,29 +111,41 @@ source_guard "./var/bash.var.sh"
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh   ; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ; usage  ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -l|--logo)    . ./lib/lib_logo.sh      ; logo   ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 ### ALL CHECKS DONE. READY TO START THE SCRIPT.
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+clear
 printf '\033[95m'
 cat bootscreen.txt
 printf '\033[0m\n'
 sleep 4
 printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 declare -grx VAR_SETUP="true"
 ### SECURING SECRETS ARTIFACTS.
 test ! -L "${VAR_TMP_SECRET}" || {
  . ./var/global.var.sh
  printf "\e[91m❌ Refusing symlink: '%s'! Bye... \e[0m\n" "${VAR_TMP_SECRET}" >&2
  exit "${ERR_SECRETSSYM}"
 }
 find "${VAR_TMP_SECRET}" -type f -exec chmod 0400 {} +
 find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
 ### SOURCING VARIABLES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./var/color.var.sh"
  source_guard "./var/global.var.sh"
 }
-### SOURCING LIBRARIES.
+### SOURCE THE MINIMUM REQUIRED FOR EARLY EXIT CLEANUP COVERAGE.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./lib/lib_secret_validation.sh"
  source_guard "./lib/lib_build_directory.sh"
  source_guard "./lib/lib_debug_sanitizer.sh"
  source_guard "./lib/lib_clean_up.sh"
  source_guard "./lib/lib_trap_on_err.sh"
  source_guard "./lib/lib_trap_on_exit.sh"
 }
 trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
 ### Validate the fixed tmpfs secret staging area without modifying operator-provided files.
 validate_secret_staging_area
 ### SOURCING REMAINING LIBRARIES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./lib/lib_arg_parser.sh"
  source_guard "./lib/lib_arg_priority_check.sh"
@@ -152,7 +164,6 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
  source_guard "./lib/lib_ciss_upgrades_boot.sh"
  source_guard "./lib/lib_ciss_upgrades_build.sh"
  source_guard "./lib/lib_clean_screen.sh"
  source_guard "./lib/lib_clean_up.sh"
  source_guard "./lib/lib_copy_integrity.sh"
  source_guard "./lib/lib_gnupg.sh"
  source_guard "./lib/lib_hardening_root_pw.sh"
@@ -167,12 +178,30 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
  source_guard "./lib/lib_provider_netcup.sh"
  source_guard "./lib/lib_run_analysis.sh"
  source_guard "./lib/lib_sanitizer.sh"
-  source_guard "./lib/lib_trap_on_err.sh"
+  source_guard "./lib/lib_secureboot_profile.sh"
  source_guard "./lib/lib_trap_on_exit.sh"
  source_guard "./lib/lib_update_microcode.sh"
  source_guard "./lib/lib_usage.sh"
 }
 ### Add ERR handling after all remaining libraries are available.
 trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 ### PRE-SCAN SECURE BOOT PROFILE FOR BUILD-HOST PACKAGE CHECKS.
 ### Formal validation still happens in arg_parser().
 for ((idx=0; idx<${#ARY_PARAM_ARRAY[@]}; idx++)); do
  case "${ARY_PARAM_ARRAY[idx],,}" in
    --secure-boot-profile=*)
      declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx]#*=}"
      ;;
    --secure-boot-profile)
      if [[ -n "${ARY_PARAM_ARRAY[idx + 1]:-}" ]]; then
        declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx + 1]}"
      fi
      ;;
  esac
 done
 unset idx
 ### CHECKING REQUIRED PACKAGES.
 check_pkgs
@@ -199,9 +228,6 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n
 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
 trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
@@ -248,6 +274,7 @@ init_primordial
 ### Integrate the CISS.debian.live.builder repository into the build directory.
 ### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
 hardening_ultra
 secureboot_profile_apply
 ### CISS.debian.installer 'GRUB' and 'autostart' generator.
 cdi
@@ -0,0 +1,78 @@
 # code_review.md
 Use this file for explicit review tasks and final self-review after implementation.
 Do not treat it as a mandate for an unlimited audit unless the user asks for one.
 ## Review priorities
 Review findings in this order:
 1. Correctness
 2. Security regressions
 3. Boot/build reproducibility
 4. Data loss risk
 5. Error handling
 6. Test or validation coverage
 7. Maintainability
 8. Minimality of diff
 9. Style consistency
 ## Finding classes
 - `BLOCKER`: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before merge.
 - `RISK`: plausible issue or security concern that is not fully proven from the available context.
 - `CLEANUP`: maintainability, readability, or consistency improvement that is not required for correctness.
 - `NOTE`: observation only; no change requested.
 ## Review output format
 List findings first, ordered by severity.
 For each finding include:
 - class
 - file path and line number where possible
 - observation
 - concrete impact
 - smallest reasonable fix
 Then include:
 - missing checks or validation gaps
 - residual risks
 - concise final recommendation
 If there are no findings, say so explicitly and still mention relevant validation gaps.
 ## Scope control
 - Do not nitpick formatting when automated tooling exists.
 - Do not invent requirements not present in the task, repository, or documentation.
 - Do not expand a small implementation task into a broad quality-management audit.
 - Do not request a full live build unless the changed code path affects image generation in a way that cannot be checked narrowly.
 - Prefer a small actionable finding over a broad speculative warning.
 ## Security-sensitive checklist
 Check whether the change affects:
 - boot trust
 - initramfs behavior
 - live-boot runtime behavior
 - cryptsetup/LUKS handling
 - encrypted SquashFS handling
 - key material
 - remote unlock
 - TLS or mTLS verification
 - signature, checksum, or provenance verification
 - package sources or remote downloads
 - network exposure
 - file permissions
 - persistence
 - logging of sensitive values
 For affected areas, separate observation, inference, and recommendation.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -10,8 +10,19 @@
 # SPDX-Security-Contact: security@coresecret.eu
 BUILD_DIR            ?=
 ### Optional Dropbear source override; empty uses VAR_DROPBEAR_VERSION from var/global.var.sh:
 DROPBEAR_VERSION     ?=
 ### Optional SOPS release override; empty uses VAR_SOPS_VERSION from var/global.var.sh:
 SOPS_VERSION         ?=
 ### Optional Primordial CDI overlay settings; all three values are required for automatic overlay bootstrap:
 PRIMORDIAL_URL       ?=
 PRIMORDIAL_KEY       ?=
 PRIMORDIAL_SSH_PORT  ?=
 PROVIDER_NETCUP_IPV6 ?=
 ROOT_PASSWORD_FILE   ?=
 ### Secure Boot profile; debian-shim or ciss-uki:
 SECURE_BOOT_PROFILE  ?= debian-shim
 SSH_PORT             ?=
 SSH_PUBKEY           ?=
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 # shellcheck disable=SC2155
 declare -gx VAR_DATE="$(date +%F)"
@@ -284,7 +284,7 @@ LLMNR=no
 MulticastDNS=no
 EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 #######################################
 # Get all NIC drivers of the current Host machine.
@@ -345,7 +345,7 @@ chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
 chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
 chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 VAR_DATE="$(date +%F)"
@@ -45,8 +45,10 @@ EOF
 mkdir -p /etc/systemd/system/tmp.mount.d
 cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
 # The live ISO runs CISS.debian.installer and must support at least 12 raw plus encrypted LUKS header backups in the installer
 # scratch path.
 [Mount]
-Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1%
+Options=mode=1777,strictatime,nosuid,nodev,noexec,size=2G
 EOF
 mkdir -p /etc/systemd/system/dev-shm.mount.d
@@ -57,7 +59,7 @@ EOF
 systemctl enable ciss-remount-root.service
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 if [[ -f /root/.cdi ]]; then
@@ -48,7 +48,7 @@ EOF
 fi
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -72,7 +72,7 @@ include /etc/logrotate.d
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -30,7 +30,7 @@ EOF
 install -d -m 0755 /var/cache/apparmor
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,21 +11,40 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 ### Declare Arrays, HashMaps, and Variables.
-declare var_dropbear_version="2025.88"
+declare var_dropbear_env="/root/dropbear.env"
 [[ -r "${var_dropbear_env}" ]] || {
  printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
  exit 43
 }
 # shellcheck disable=SC1090
 . "${var_dropbear_env}"
 declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
 [[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
  printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
  exit 43
 }
 declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
 declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
 declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"
 mkdir -p "/root/build"
 [[ -r "${var_tar}" ]] || {
  printf "\e[91m❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2
  exit 43
 }
 cp "${var_tar}" "/root/build"
-tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+tar xjf "${var_tar}" -C "/root/build"
 cp "/root/dropbear/localoptions.h" "${var_build_dir}"
 cd "${var_build_dir}"
@@ -67,7 +86,7 @@ if ! setsid bash -c '
  ' >| "${var_logfile}" 2>&1
 then
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
+  printf "\e[91m❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
  tail -n 42 "${var_logfile}" >&2 || true
  exit 42
@@ -75,7 +94,7 @@ fi
  rm -rf /root/dropbear
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,15 +11,30 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 ### Declare Arrays, HashMaps, and Variables.
 declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 ### Declare Arrays, HashMaps, and Variables.
 declare var_dropbear_env="/root/dropbear.env"
 [[ -r "${var_dropbear_env}" ]] || {
  printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
  exit 43
 }
 # shellcheck disable=SC1090
 . "${var_dropbear_env}"
 declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
 [[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
  printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
  exit 43
 }
 declare var_dropbear_build_dir="/root/build/dropbear-${var_dropbear_version}"
 declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
 apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
 apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
 apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
@@ -32,16 +47,18 @@ rm -f /root/dropbear.file
 mkdir -p /root/.ciss/cdlb/backup/usr/sbin
 mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
-install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
+install -m 0755 -o root -g root "${var_dropbear_build_dir}/dropbear" /usr/sbin/
 mkdir -p /root/.ciss/cdlb/backup/usr/bin
 for var_file in dbclient dropbearconvert dropbearkey; do
  mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
-  install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
+  install -m 0755 -o root -g root "${var_dropbear_build_dir}/${var_file}" /usr/bin/
 done
 rm -f "${var_dropbear_env}"
 mkdir -p /etc/initramfs-tools/scripts/init-bottom
 cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
@@ -126,7 +143,7 @@ EOF
 systemctl mask dropbear.service dropbear.socket
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -154,7 +154,7 @@ readonly -f write_dropbear_conf
 dropbear_setup
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
 # SPDX-Version: 3.0
@@ -38,7 +38,7 @@ Host git.coresecret.dev
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,13 +11,13 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 if [[ ! -f /root/.pwd ]]; then
-  printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
+  printf "\e[92m❌ /root/.pwd NOT found. \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
+  printf "\e[92m❌ Exiting Hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
+  printf "\e[92m✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
  exit 0
 fi
@@ -39,15 +39,15 @@ unset hashed_pwd safe_hashed_pwd
 if shred -fzu -n 5 /root/.pwd; then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
+  printf "\e[92m✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
 else
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
+  printf "\e[91m❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
 fi
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cat << 'EOF' >| /etc/default/keyboard
 XKBMODEL="pc105"
@@ -26,7 +26,7 @@ export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -28,7 +28,7 @@ ExecStart=
 ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
 EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
 mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
@@ -26,7 +26,7 @@ localhost.local
 EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root
 if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -32,7 +32,7 @@ b08dfa6083e7567a1921a715000001fb
 EOF
 chmod 644 /etc/machine-id
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root
@@ -147,7 +147,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
 fc-cache -fv
 rm -rf /tmp/nerd
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
@@ -463,7 +463,7 @@ upload-options=
 #EOF
 EOF_LYNIS
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 mkdir -p /var/log/chrony
@@ -114,7 +114,7 @@ fi
 chronyd -Q -f /etc/chrony/chrony.conf 2>&1
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root/git
 git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 mkdir -p /etc/systemd/system/ssh.service.d
@@ -24,7 +24,7 @@ Wants=network-online.target
 ExecStartPre=/bin/sleep 5
 EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root/git
 git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 chmod +x /usr/bin/yq
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root/git
 git clone https://github.com/testssl/testssl.sh.git
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -22,7 +22,7 @@ apt-get install -y nodejs
 cd /root/git
 git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root/git
 git clone https://github.com/hardenedlinux/harbian-audit.git
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root/git
 git clone https://github.com/jtesta/ssh-audit.git
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root/git
 git clone https://github.com/dnsviz/dnsviz.git
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,47 +11,307 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
-SOPS_VER="v3.11.0"
+declare SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP="https://github.com/getsops"
-ARCH="$(dpkg --print-architecture)"
+declare SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER="https://token.actions.githubusercontent.com"
 case "${ARCH}" in
  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
  arm64)  SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
  *)  echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
 esac
-cd /tmp
+#######################################
 # Print a fatal error and abort the hook.
 # Globals:
 #   None
 # Arguments:
 #   1: Message string
 # Returns:
 #   None
 #######################################
 die() {
  declare message="$1"
  printf "\e[91m❌ ERROR: %s \e[0m\n" "${message}" >&2
  exit 43
 }
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}"
+#######################################
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt"
+# Require an executable tool.
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem"
+# Globals:
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig"
+#   None
 # Arguments:
 #   1: Tool name
 # Returns:
 #   0: on success
 #######################################
 require_tool() {
  declare tool_name="$1"
-cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
+  command -v "${tool_name}" >/dev/null 2>&1 || die "Required tool not found: ${tool_name}"
  --certificate    "sops-${SOPS_VER}.checksums.pem" \
  --signature      "sops-${SOPS_VER}.checksums.sig" \
  --certificate-identity-regexp="https://github.com/getsops" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
-sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
+  return 0
 }
-install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
+#######################################
-sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
+# Validate and normalize a SOPS semantic version.
-age --version                      >| /root/.ciss/cdlb/log/age.log
+# Globals:
 #   None
 # Arguments:
 #   1: SOPS version string
 # Outputs:
 #   Normalized bare semantic version
 # Returns:
 #   0: on success
 #######################################
 normalize_sops_version() {
  declare sops_version="${1#v}"
-rm -f "/tmp/${SOPS_FILE}"
+  [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || \
-rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
+    die "Invalid SOPS version '${1}'. Expected '<MAJOR>.<MINOR>.<PATCH>' without prerelease metadata."
 rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
-chmod 0400 /root/.config/sops/age/keys.txt
+  printf '%s' "${sops_version}"
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  return 0
 }
 #######################################
 # Download a mandatory release asset.
 # Globals:
 #   None
 # Arguments:
 #   1: Asset URL
 #   2: Target filename
 # Returns:
 #   0: on success
 #######################################
 download_required_asset() {
  declare asset_url="$1"
  declare target_file="$2"
  if ! curl -fsSLo "${target_file}" "${asset_url}"; then
    die "Failed to download required SOPS asset '${target_file}' from '${asset_url}'."
  fi
  [[ -s "${target_file}" ]] || die "Downloaded SOPS asset is empty: ${target_file}"
  return 0
 }
 #######################################
 # Download an optional release asset and distinguish absence from download errors.
 # Globals:
 #   None
 # Arguments:
 #   1: Asset URL
 #   2: Target filename
 # Returns:
 #   0: asset was downloaded
 #   1: asset is absent upstream
 #######################################
 download_optional_asset() {
  declare asset_url="$1"
  declare target_file="$2"
  declare http_code=""
  if ! http_code=$(curl -sSLo "${target_file}" -w '%{http_code}' "${asset_url}"); then
    rm -f -- "${target_file}"
    die "Failed to query optional SOPS asset '${target_file}' from '${asset_url}'."
  fi
  case "${http_code}" in
    200)
      [[ -s "${target_file}" ]] || die "Optional SOPS asset is empty after HTTP 200: ${target_file}"
      return 0
      ;;
    404)
      rm -f -- "${target_file}"
      return 1
      ;;
    *)
      rm -f -- "${target_file}"
      die "Unexpected HTTP status ${http_code} for optional SOPS asset '${target_file}' from '${asset_url}'."
      ;;
  esac
 }
 #######################################
 # Verify the SOPS checksums file with Cosign.
 # Globals:
 #   SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP
 #   SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER
 # Arguments:
 #   1: Checksums filename
 #   2: Bundle filename
 #   3: Certificate filename
 #   4: Signature filename
 # Returns:
 #   0: on success
 #######################################
 verify_sops_checksums_signature() {
  declare checksums_file="$1"
  declare bundle_file="$2"
  declare certificate_file="$3"
  declare signature_file="$4"
  if [[ -f "${bundle_file}" ]]; then
    printf "\e[95m[INFO] Verifying SOPS checksums with Cosign bundle: %s \e[0m\n" "${bundle_file}"
    cosign verify-blob "${checksums_file}" \
      --bundle "${bundle_file}" \
      --certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
      --certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
      die "SOPS checksum signature verification failed in bundle mode for '${checksums_file}' using '${bundle_file}'."
    return 0
  fi
  if [[ -f "${certificate_file}" && -f "${signature_file}" ]]; then
    printf "\e[95m[INFO] Verifying SOPS checksums with Cosign split certificate/signature: %s %s \e[0m\n" "${certificate_file}" "${signature_file}"
    cosign verify-blob "${checksums_file}" \
      --certificate "${certificate_file}" \
      --signature "${signature_file}" \
      --certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
      --certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
      die "SOPS checksum signature verification failed in legacy split mode for '${checksums_file}' using '${certificate_file}' and '${signature_file}'."
    return 0
  fi
  if [[ -f "${certificate_file}" || -f "${signature_file}" ]]; then
    die "Incomplete legacy SOPS signature layout for '${checksums_file}'. Expected both '${certificate_file}' and '${signature_file}'."
  fi
  die "No supported SOPS checksum signature layout found for '${checksums_file}'. Expected bundle or split certificate/signature assets."
 }
 #######################################
 # Verify the SOPS artifact checksum and ensure the expected artifact was covered.
 # Globals:
 #   None
 # Arguments:
 #   1: Checksums filename
 #   2: Artifact filename
 # Returns:
 #   0: on success
 #######################################
 verify_sops_artifact_checksum() {
  declare checksums_file="$1"
  declare artifact_file="$2"
  declare checksum_output=""
  if ! checksum_output=$(sha256sum -c "${checksums_file}" --ignore-missing 2>&1); then
    printf '%s\n' "${checksum_output}" >&2
    die "SOPS artifact checksum verification failed for '${artifact_file}' using '${checksums_file}'."
  fi
  printf '%s\n' "${checksum_output}"
  if ! grep -Fxq "${artifact_file}: OK" <<< "${checksum_output}" && \
     ! grep -Fxq "./${artifact_file}: OK" <<< "${checksum_output}"; then
    die "SOPS checksum verification did not cover expected artifact '${artifact_file}' from '${checksums_file}'."
  fi
  return 0
 }
 #######################################
 # Install SOPS from an upstream GitHub release after signature and checksum verification.
 # Globals:
 #   CISS_SOPS_VERSION
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 main() {
  require_tool curl
  require_tool cosign
  require_tool sha256sum
  declare sops_env="/root/sops.env"
  [[ -r "${sops_env}" ]] || die "Missing SOPS environment file: ${sops_env}"
  # shellcheck disable=SC1090
  . "${sops_env}"
  declare ciss_sops_version
  ciss_sops_version=$(normalize_sops_version "${CISS_SOPS_VERSION:?CISS_SOPS_VERSION is not set}")
  declare architecture
  architecture="$(dpkg --print-architecture)"
  declare sops_tag="v${ciss_sops_version}"
  declare sops_file=""
  case "${architecture}" in
    amd64)
      sops_file="sops-${sops_tag}.linux.amd64"
      ;;
    arm64)
      sops_file="sops-${sops_tag}.linux.arm64"
      ;;
    *)
      die "Unsupported architecture '${architecture}' for SOPS version '${ciss_sops_version}'. Expected amd64 or arm64."
      ;;
  esac
  declare release_base_url="https://github.com/getsops/sops/releases/download/${sops_tag}"
  declare checksums_file="sops-${sops_tag}.checksums.txt"
  declare bundle_file="sops-${sops_tag}.checksums.sigstore.json"
  declare certificate_file="sops-${sops_tag}.checksums.pem"
  declare signature_file="sops-${sops_tag}.checksums.sig"
  declare bundle_available="false"
  declare certificate_available="false"
  declare signature_available="false"
  cd /tmp
  printf "\e[95m[INFO] Downloading SOPS %s asset: %s \e[0m\n" "${ciss_sops_version}" "${sops_file}"
  download_required_asset "${release_base_url}/${sops_file}" "${sops_file}"
  download_required_asset "${release_base_url}/${checksums_file}" "${checksums_file}"
  # shellcheck disable=SC2310
  if download_optional_asset "${release_base_url}/${bundle_file}" "${bundle_file}"; then
    bundle_available="true"
  fi
  if [[ "${bundle_available}" == "false" ]]; then
    # shellcheck disable=SC2310
    if download_optional_asset "${release_base_url}/${certificate_file}" "${certificate_file}"; then
      certificate_available="true"
    fi
    # shellcheck disable=SC2310
    if download_optional_asset "${release_base_url}/${signature_file}" "${signature_file}"; then
      signature_available="true"
    fi
    if [[ "${certificate_available}" != "${signature_available}" ]]; then
      die "Incomplete legacy SOPS signature assets for version '${ciss_sops_version}'. Expected both '${certificate_file}' and '${signature_file}'."
    fi
  fi
  verify_sops_checksums_signature "${checksums_file}" "${bundle_file}" "${certificate_file}" "${signature_file}"
  verify_sops_artifact_checksum "${checksums_file}" "${sops_file}"
  install -m 0755 "${sops_file}" /usr/local/bin/sops
  sops --version >| /root/.ciss/cdlb/log/sops.log
  age --version  >| /root/.ciss/cdlb/log/age.log
  rm -f -- "/tmp/${sops_file}"
  rm -f -- "/tmp/${checksums_file}"
  rm -f -- "/tmp/${bundle_file}"
  rm -f -- "/tmp/${certificate_file}"
  rm -f -- "/tmp/${signature_file}"
  if [[ -f /root/.config/sops/age/keys.txt ]]; then
    chmod 0400 /root/.config/sops/age/keys.txt
  fi
  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
  return 0
 }
 if [[ "${CISS_SOPS_TEST_MODE:-false}" != "true" ]]; then
  main "$@"
  exit 0
 fi
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -21,7 +21,7 @@ wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O
 yq --version
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 umask 0077
@@ -31,7 +31,7 @@ apt-get purge -y texinfo
 apt-get autoremove --purge -y
 apt-get autoclean -y
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,10 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 declare -r UFW_OUT_POLICY="deny"
 declare -r SSHPORT="SSHPORT_MUST_BE_SET"
 # PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET
 ufw --force reset
@@ -44,7 +45,8 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
  ufw allow out  853/tcp comment 'Outgoing DoT'
  ufw allow out  993/tcp comment 'Outgoing IMAPS'
  ufw allow out 4460/tcp comment 'Outgoing NTS'
-  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
+  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH Custom-Port'
  # PRIMORDIAL_SSH_RULE_MUST_BE_SET
  ufw allow out   53/udp comment 'Outgoing DNS'
  ufw allow out  123/udp comment 'Outgoing NTP'
  ufw allow out  443/udp comment 'Outgoing QUIC'
@@ -61,7 +63,7 @@ sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type
 sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
 ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -26,15 +26,15 @@ fi
 if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
+  printf "\e[92m✅ 'Process Accounting' enabled successful. \e[0m\n"
 else
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
+  printf "\e[91m❌ 'Process Accounting' already enabled. \e[0m\n" >&2
 fi
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 mkdir -p /root/.ciss/cdlb/backup/update-motd.d
 cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
@@ -23,7 +23,7 @@ EOF
 chmod 0755 /etc/update-motd.d/10-uname
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
 declare backup_dir="/root/.ciss/cdlb/backup/certificates"
@@ -29,7 +29,7 @@ declare -ax expired_certificates=()
 #   None
 #######################################
 create_backup() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
+  printf "\e[95m🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
  mkdir -p "${backup_dir}"
  declare dir=""
@@ -44,7 +44,7 @@ create_backup() {
  done
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
+  printf "\e[92m✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
 }
 #######################################
@@ -104,7 +104,7 @@ delete_expired_from_all_bundles() {
    if [[ -f ${bundle} ]]; then
-      printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
+      printf "\e[95m🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
      declare tmp_bundle="${bundle}.tmp"
      declare -a block=()
      declare expired=0
@@ -149,7 +149,7 @@ delete_expired_from_all_bundles() {
          else
-            printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
+            printf "\e[92m✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
          fi
@@ -161,29 +161,29 @@ delete_expired_from_all_bundles() {
      mv -f "${tmp_bundle}" "${bundle}"
-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
+      printf "\e[92m✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
    fi
  done
 }
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
+printf "\e[95m🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
 create_backup
 delete_expired_from_all_bundles
 check_certificates
 if [[ ${#expired_certificates[@]} -eq 0 ]]; then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No expired certificates found.\e[0m\n"
+  printf "\e[92m✅ No expired certificates found.\e[0m\n"
 else
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
+  printf "\e[95m🧪 Expired certificates found:\e[0m\n"
  for exp_cert in "${expired_certificates[@]}"; do
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
+    printf "\e[92m'%s'. \e[0m\n" "${exp_cert}"
  done
@@ -191,7 +191,7 @@ else
    rm -f "${exp_cert}"
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
+    printf "\e[92m✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
    basename=$(basename "${exp_cert}")
    mozilla_entry="mozilla/${basename%.pem}.crt"
    mozilla_entry="${mozilla_entry%.crt}.crt"
@@ -200,19 +200,19 @@ else
    if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
      sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
+      printf "\e[92m✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
    fi
  done
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
+  printf "\e[95m✅ Updating the certificate cache ... \e[0m\n"
  update-ca-certificates --fresh
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
+  printf "\e[92m✅ Updating the certificate cache done.\e[0m\n"
 fi
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 declare _key=""
 cd /etc/ssh
@@ -115,7 +115,7 @@ fi
 /usr/sbin/sshd -t || exit 42
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 mkdir -p /root/.ciss/cdlb/backup/etc/ssl
@@ -122,7 +122,7 @@ x509_extensions	= usr_cert		# The extensions to add to the cert
 name_opt 	= ca_default		# Subject Name options
 cert_opt 	= ca_default		# Certificate field options
-# Extension copying option: use with caution.
+# Extension copying option: use it with caution.
 # copy_extensions = copy
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
@@ -232,7 +232,7 @@ basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -282,7 +282,7 @@ basicConstraints = critical,CA:true
 # DER hex encoding of an extension: beware experts only!
 # obj=DER:02:03
-# Where 'obj' is a standard or added object
+# Where 'obj' is a standard or added object.
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF
@@ -305,7 +305,7 @@ basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -418,37 +418,28 @@ ssl_conf = ssl_sect
 system_default = system_default_sect
 [system_default_sect]
 # Protocol floor / ceiling:
 # - only TLS 1.2 and 1.3.
 # - TLS 1.3 is FS by design;
 # - TLS 1.2 FS enforced via the cipher list.
 MinProtocol = TLSv1.2
 MaxProtocol = TLSv1.3
-# TLS 1.2 cipher policy:
+# TLS 1.2: FS only, AEAD only, no AES128, no static RSA negotiation, no DHE negotiation.
-# - Forward secrecy only: ECDHE or DHE (no static RSA kx);
+CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:!AES128:!kRSA:!DHE:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
 # - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
 # - Keep distro default SECLEVEL=2 explicitly.
 CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
-# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
+# TLS 1.3: only AES-256-GCM and ChaCha20-Poly1305.
 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-# Prefer strong, widely supported ECDHE groups (first = most preferred):
+# Preferred ECDHE groups.
 Groups = X448:P-521:P-384
-SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
+# Flags: Tickets off, servers order, renegotiation off.
 # Operational flags:
 # -SessionTicket  : disable TLS session tickets (TLS 1.2 + 1.3)
 # ServerPreference: honor server cipher order (TLS 1.2)
 # NoRenegotiation : disallow TLS 1.2 renegotiation
 Options = -SessionTicket,ServerPreference,NoRenegotiation
 # Permitted signature algorithms.
 SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
 chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
@@ -82,7 +82,7 @@ KeepFree=0
 EOF
 chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root
@@ -235,7 +235,7 @@ EOF
 touch /var/log/fail2ban/fail2ban.log
 chmod 0640 /var/log/fail2ban/fail2ban.log
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 ###########################################################################################
 # Remarks: Turn off Energy saving mode and ctrl-alt-del                                   #
@@ -23,7 +23,7 @@ done
 unset target
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -33,7 +33,7 @@ if [[ -d /etc/exim4 ]]; then
  rm -rf /etc/exim4
 fi
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -41,7 +41,7 @@ cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon
 rm -f /tmp/rules.conf
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
@@ -29,7 +29,7 @@ dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 if [[ -s /tmp/deinstall.log ]]; then
  printf "\n"
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
+  printf "\e[95m🧪 Packages to purge ... \e[0m\n"
  sed -i 's!deinstall!!' /tmp/deinstall.log
  while IFS= read -r line; do
@@ -37,16 +37,16 @@ if [[ -s /tmp/deinstall.log ]]; then
    declare trimmed_string
    trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
    echo "y" | apt-get purge "${trimmed_string}"
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
+    printf "\e[92m✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
  done < /tmp/deinstall.log
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
+  printf "\e[92m✅ Packages to purge done. \e[0m\n"
 else
  printf "\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
+  printf "\e[92m✅ No Packages to purge, proceeding with clean up. \e[0m\n"
 fi
@@ -60,7 +60,7 @@ apt-get autopurge -y
 updatedb
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 chmod 0644 /etc/banner
 chmod 0644 /etc/issue
@@ -26,8 +26,8 @@ fi
 touch /etc/motd
 cat << EOF >| /etc/motd
-      (c) Marc S. Weidner, 2018 - 2025
+      (c) Marc S. Weidner, 2018 - 2026
-      (p) Centurion Press, 2018 - 2025
+      (p) Centurion Press, 2018 - 2026
          Centurion Intelligence Consulting Agency (tm)
          https://coresecret.eu/
          Please consider making a donation:
@@ -109,7 +109,7 @@ find /root -xdev -exec chown -h root:root {} +
 rm -f /etc/tmpfiles.d/legacy.conf
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -10,6 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 #######################################
 # Iterates all '/etc/shadow' entries and sets:
 #   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
@@ -92,12 +93,12 @@ update_shadow() {
 # shellcheck disable=SC2034
 readonly -f update_shadow
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 if ! command -v chage &>/dev/null; then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
+  printf "\e[92m✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
  exit 0
@@ -111,8 +112,8 @@ mapfile -t users_to_update < <(
 if [[ ${#users_to_update[@]} -eq 0 ]]; then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
+  printf "\e[92m✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
  exit 0
@@ -120,7 +121,7 @@ fi
 declare user
 for user in "${users_to_update[@]}"; do
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
+  printf "\e[92m✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
  chage --maxdays "${max_days}" "${user}"
 done
@@ -128,11 +129,11 @@ unset max_days user users_to_update
 awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
+printf "\e[92m✅ All applicable accounts have been updated. \e[0m\n"
 update_shadow
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -23,15 +23,15 @@ sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 if aideinit > /dev/null 2>&1; then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
+  printf "\e[92m✅ 'aideinit' successful. \e[0m\n"
 else
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
+  printf "\e[91m❌ 'aideinit' NOT successful. \e[0m\n" >&2
 fi
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -15,7 +15,7 @@
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
@@ -130,7 +130,7 @@ local_users_only
 EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,11 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -21,7 +21,7 @@ set -Ceuo pipefail
 #######################################
 log() { printf '[auditd-build] %s\n' "${*}" >&2; }
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root
@@ -42,13 +42,13 @@ cat << EOF >| /etc/audit/rules.d/00-base-config.rules
 ## Increase the buffers to survive stress events.
 ## Make this bigger for busy systems.
-b 16384
+-b 262144
 ## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
 -r 200
 ## This determine how long to wait in burst of events. How long to wait in bursts (us).
--backlog_wait_time 1024
+--backlog_wait_time 16384
 ## Set failure mode to syslog.
 -f 1
@@ -374,7 +374,7 @@ ExecStart=/usr/sbin/augenrules --load
 EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root
@@ -26,16 +26,16 @@ sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 if debsums -g > /dev/null 2>&1; then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
+  printf "\e[92m✅ 'debsums -g' successful. \e[0m\n"
 else
  # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
+  printf "\e[91m❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
 fi
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -130,7 +130,7 @@ apt-get dist-upgrade -y        # (= apt full-upgrade) allow installs/replacement
 apt-get autoremove --purge -y  # 'autopurge' == 'autoremove --purge'.
 apt-get clean -y               # Stronger than autoclean: removes the entire '.deb'-cache.
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 ### Declare Arrays, HashMaps, and Variables.
 declare -ar ary_logrotate=(
@@ -53,15 +53,15 @@ done
 if ! logrotate -d /etc/logrotate.conf; then
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
+  printf "\e[91m✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
 else
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
+  printf "\e[92m✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
 fi
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# Final live-build chroot cleanup hook. Removes transient build artifacts, tightens permissions on CISS root/key material,
 # regenerates initramfs images, prepares systemd-resolved DNS configuration, and forces the live system to boot into
 # multi-user.target by masking common display managers.
 printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
@@ -92,7 +96,7 @@ for var_dm in "${ary_dm_units[@]}"; do
 done
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# Final live-build binary hook for encrypted root filesystem packaging. Preallocate a LUKS2 container, formats it with the
 # generated build secret, copies the generated filesystem.squashfs into the opened encrypted mapping, then closes the container,
 # shreds the temporary LUKS secret, and removes the plaintext SquashFS from the ISO payload.
 printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 __umask=$(umask)
 umask 0077
@@ -34,23 +38,23 @@ preallocate() {
  if fallocate -l "${size}" -- "${file}" 2>/dev/null; then
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
+    printf "\e[92m✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
    return 0
  else
-    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"
+    printf "\e[91m❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"
  fi
  if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[92m✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
    return 0
  else
-    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[91m❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
    return 42
  fi
@@ -62,6 +66,49 @@ readonly -f preallocate
 declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
 declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
 declare KEYFD=""
 declare LUKS_KEY_FILE=""
 declare LUKS_KEY_FILENAME="${VAR_LUKS_KEY:-luks.txt}"
 declare LUKS_KEY_LINK_COUNT=""
 declare LUKS_KEY_MODE=""
 declare LUKS_KEY_OWNER=""
 declare SECRET_ROOT_FS=""
 declare SECRET_ROOT_MODE=""
 declare SECRET_ROOT_OWNER=""
 if [[ -L "${VAR_TMP_SECRET}" || ! -d "${VAR_TMP_SECRET}" ]]; then
  printf "\e[91m❌ Unsafe secret root rejected. \e[0m\n" >&2
  exit 42
 fi
 SECRET_ROOT_OWNER="$(stat -c '%u' "${VAR_TMP_SECRET}")"
 SECRET_ROOT_MODE="$(stat -c '%a' "${VAR_TMP_SECRET}")"
 SECRET_ROOT_FS="$(stat -f -c '%T' "${VAR_TMP_SECRET}")"
 if [[ "${SECRET_ROOT_OWNER}" != "${EUID}" || "${SECRET_ROOT_MODE}" != "700" \
  || ( "${SECRET_ROOT_FS}" != "tmpfs" && "${SECRET_ROOT_FS}" != "ramfs" ) ]]; then
  printf "\e[91m❌ Unsafe secret-root ownership, permissions, or filesystem rejected. \e[0m\n" >&2
  exit 42
 fi
 if [[ -z "${LUKS_KEY_FILENAME}" || "${LUKS_KEY_FILENAME}" == "." || "${LUKS_KEY_FILENAME}" == ".." \
  || "${LUKS_KEY_FILENAME}" == */* || ! "${LUKS_KEY_FILENAME}" =~ ^[A-Za-z0-9._@%+=:,~-]+$ ]]; then
  printf "\e[91m❌ Unsafe LUKS key filename rejected. \e[0m\n" >&2
  exit 42
 fi
 LUKS_KEY_FILE="${VAR_TMP_SECRET}/${LUKS_KEY_FILENAME}"
 if [[ -L "${LUKS_KEY_FILE}" || ! -f "${LUKS_KEY_FILE}" ]]; then
  printf "\e[91m❌ Unsafe LUKS key file rejected. \e[0m\n" >&2
  exit 42
 fi
 LUKS_KEY_OWNER="$(stat -c '%u' "${LUKS_KEY_FILE}")"
 LUKS_KEY_MODE="$(stat -c '%a' "${LUKS_KEY_FILE}")"
 LUKS_KEY_LINK_COUNT="$(stat -c '%h' "${LUKS_KEY_FILE}")"
 if [[ "${LUKS_KEY_OWNER}" != "${EUID}" || "${LUKS_KEY_LINK_COUNT}" != "1" \
  || ( "${LUKS_KEY_MODE}" != "400" && "${LUKS_KEY_MODE}" != "600" ) ]]; then
  printf "\e[91m❌ Unsafe LUKS key ownership, permissions, or link count rejected. \e[0m\n" >&2
  exit 42
 fi
 # shellcheck disable=SC2155
 declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}")
@@ -71,16 +118,18 @@ declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}")
 #   - dm-integrity Overhead (Tags and Journal)
 #   - Filesystem-Slack
 declare -i OVERHEAD_FIXED=$((64 * 1024 * 1024))
-declare -i OVERHEAD_PCT=1
+declare -i OVERHEAD_PCT=2
-declare -i ALIGN_BYTES=$(( 2048 * 1024 ))
+declare -i ALIGN_BYTES=$(( 4096 * 1024 ))
 declare -i BASE_SIZE=$(( VAR_ROOTFS_SIZE + OVERHEAD_FIXED + (VAR_ROOTFS_SIZE * OVERHEAD_PCT / 100) ))
 declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) * ALIGN_BYTES ))
 preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}"
-exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt"
+exec {KEYFD}<"${LUKS_KEY_FILE}"
-cryptsetup luksFormat \
+if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
  cryptsetup luksFormat \
    --batch-mode \
    --cipher aes-xts-plain64 \
    --integrity hmac-sha512 \
@@ -97,6 +146,26 @@ cryptsetup luksFormat \
    --verbose \
    "${LUKSFS}"
 elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
  cryptsetup luksFormat \
    --batch-mode \
    --cipher aes-xts-plain64 \
    --iter-time 1000 \
    --key-file "/proc/$$/fd/${KEYFD}" \
    --key-size 512 \
    --label crypt_liveiso \
    --luks2-keyslots-size 16777216 \
    --luks2-metadata-size 4194304 \
    --pbkdf argon2id \
    --sector-size 4096 \
    --type luks2 \
    --use-random \
    --verbose \
    "${LUKSFS}"
 fi
 cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" crypt_liveiso
 # shellcheck disable=SC2155
@@ -105,11 +174,11 @@ declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}"
 if (( LUKS_FREE >= SQUASH_FS )); then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
+  printf "\e[92m✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
 else
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
+  printf "\e[91m❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
  exit 42
 fi
@@ -120,14 +189,14 @@ cryptsetup close crypt_liveiso
 exec {KEYFD}<&-
-shred -fzu -n 5 -- "${VAR_TMP_SECRET}/luks.txt"
+shred -fzu -n 5 -- "${LUKS_KEY_FILE}"
 rm -f -- "${ROOTFS}"
 umask "${__umask}"
 __umask=""
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -0,0 +1,396 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # shellcheck disable=SC2312
 set -Ceuo pipefail
 # Final live-build binary hook for the CISS UKI build. When the ciss-uki Secure Boot profile is active, this hook selects the
 # complete kernel/initrd pair, reads the live kernel command line, optionally embeds separate early microcode, creates unsigned
 # and signed Unified Kernel Images with ukify, verifies the signed UKI with 'sbverify', writes a manifest, and refuses private
 # Secure Boot key material in build artifact paths.
 #######################################
 # Prints a fatal error message and terminates the hook.
 # Globals:
 #   None
 # Arguments:
 #   1: Error message
 # Returns:
 #   42: always exits with failure
 #######################################
 die() {
  declare message="${1}"
  printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
  exit 42
 }
 #######################################
 # Checks whether a required command exists.
 # Globals:
 #   None
 # Arguments:
 #   1: Command name
 # Returns:
 #   0: on success
 #   42: if the command is missing
 #######################################
 require_command() {
  declare command_name="${1}"
  command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
  return 0
 }
 #######################################
 # Checks whether a required file exists.
 # Globals:
 #   None
 # Arguments:
 #   1: File path
 #   2: Human-readable file description
 # Returns:
 #   0: on success
 #   42: if the file is missing
 #######################################
 require_file() {
  declare file_path="${1}"
  declare description="${2}"
  [[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
  return 0
 }
 #######################################
 # Reads the single LB_BOOTAPPEND_LIVE value from a live-build binary configuration file.
 # Globals:
 #   None
 # Arguments:
 #   1: live-build binary configuration file
 #   2: Output variable name for the kernel command line
 # Returns:
 #   0: on success
 #   42: if the file is missing, the entry is ambiguous, or the value is empty
 #######################################
 read_bootappend_live() {
  declare config_file="${1}"
  declare output_var="${2}"
  declare -a matches=()
  declare value=""
  require_file "${config_file}" "live-build binary configuration"
  mapfile -t matches < <(grep -E '^LB_BOOTAPPEND_LIVE=' "${config_file}" || true)
  if (( ${#matches[@]} != 1 )); then
    die "Expected exactly one LB_BOOTAPPEND_LIVE entry in '${config_file}', found '${#matches[@]}'."
  fi
  value="${matches[0]#LB_BOOTAPPEND_LIVE=}"
  if [[ "${value}" == \"*\" ]]; then
    value="${value#\"}"
    value="${value%\"}"
  fi
  [[ -n "${value}" ]] || die "LB_BOOTAPPEND_LIVE in '${config_file}' is empty."
  printf -v "${output_var}" "%s" "${value}"
  return 0
 }
 #######################################
 # Collects kernel and initrd candidates from one artifact directory.
 # Globals:
 #   None
 # Arguments:
 #   1: Artifact directory
 #   2: Output variable name for the selected kernel path
 #   3: Output variable name for the selected initrd path
 # Returns:
 #   0: on success, including when the directory does not exist
 #   42: if more than one kernel or initrd candidate exists
 #######################################
 collect_artifacts_from_dir() {
  declare artifact_dir="${1}"
  declare kernel_output_var="${2}"
  declare initrd_output_var="${3}"
  declare -a kernels=()
  declare -a initrds=()
  if [[ ! -d "${artifact_dir}" ]]; then
    printf -v "${kernel_output_var}" "%s" ""
    printf -v "${initrd_output_var}" "%s" ""
    return 0
  fi
  mapfile -d '' -t kernels < <(find "${artifact_dir}" -maxdepth 1 -type f -name "vmlinuz-*" -print0 | LC_ALL=C sort -z)
  mapfile -d '' -t initrds < <(find "${artifact_dir}" -maxdepth 1 -type f -name "initrd.img-*" -print0 | LC_ALL=C sort -z)
  if (( ${#kernels[@]} > 1 )); then
    die "Ambiguous kernel candidates in '${artifact_dir}'. Refusing to select automatically."
  fi
  if (( ${#initrds[@]} > 1 )); then
    die "Ambiguous initrd candidates in '${artifact_dir}'. Refusing to select automatically."
  fi
  printf -v "${kernel_output_var}" "%s" "${kernels[0]:-}"
  printf -v "${initrd_output_var}" "%s" "${initrds[0]:-}"
  return 0
 }
 #######################################
 # Selects the kernel/initrd pair used to build the UKI.
 # Globals:
 #   None
 # Arguments:
 #   1: Output variable name for the selected kernel path
 #   2: Output variable name for the selected initrd path
 # Returns:
 #   0: on success
 #   42: if no complete pair exists, the final pair is incomplete, or candidates are ambiguous
 #######################################
 select_kernel_initrd_pair() {
  declare kernel_output_var="$1"
  declare initrd_output_var="$2"
  declare binary_kernel=""
  declare binary_initrd=""
  declare fallback_kernel=""
  declare fallback_initrd=""
  collect_artifacts_from_dir "binary/live" binary_kernel binary_initrd
  if [[ -n "${binary_kernel}" && -n "${binary_initrd}" ]]; then
    printf "\e[92m✅ Using final binary/live kernel and initrd artifacts. \e[0m\n"
    printf -v "${kernel_output_var}" "%s" "${binary_kernel}"
    printf -v "${initrd_output_var}" "%s" "${binary_initrd}"
    return 0
  fi
  if [[ -n "${binary_kernel}" || -n "${binary_initrd}" ]]; then
    die "Incomplete binary/live kernel/initrd pair. Refusing to mix final and fallback artifacts."
  fi
  printf "\e[93m❌ No complete binary/live kernel/initrd pair found; checking chroot/boot fallback. \e[0m\n"
  collect_artifacts_from_dir "chroot/boot" fallback_kernel fallback_initrd
  if [[ -n "${fallback_kernel}" && -n "${fallback_initrd}" ]]; then
    printf "\e[93m❌ Using chroot/boot fallback artifacts because binary/live has no complete pair. \e[0m\n"
    printf -v "${kernel_output_var}" "%s" "${fallback_kernel}"
    printf -v "${initrd_output_var}" "%s" "${fallback_initrd}"
    return 0
  fi
  die "No complete kernel/initrd pair found in binary/live or chroot/boot."
 }
 #######################################
 # Finds an optional separate early microcode cpio next to the selected initrd.
 # Globals:
 #   None
 # Arguments:
 #   1: Artifact directory
 #   2: Output variable name for the selected microcode cpio path
 # Returns:
 #   0: on success, including when no separate microcode cpio exists
 #   42: if more than one separate microcode cpio candidate exists
 #######################################
 collect_optional_microcode() {
  declare artifact_dir="${1}"
  declare output_var="${2}"
  declare -a microcode_candidates=()
  mapfile -d '' -t microcode_candidates < <(
    find "${artifact_dir}" -maxdepth 1 -type f \( -name "*microcode*.cpio" -o -name "*ucode*.cpio" \) -print0 | LC_ALL=C sort -z
  )
  if (( ${#microcode_candidates[@]} > 1 )); then
    die "Ambiguous separate early microcode cpio candidates in '${artifact_dir}'. Refusing to select automatically."
  fi
  printf -v "${output_var}" "%s" "${microcode_candidates[0]:-}"
  return 0
 }
 #######################################
 # Refuses private Secure Boot key material in generated artifact paths.
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #   42: if a private Secure Boot key is found below a guarded path
 #######################################
 guard_private_key_leaks() {
  declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
  declare guard_root=""
  declare private_file=""
  for guard_root in "${guard_roots[@]}"; do
    if [[ ! -d "${guard_root}" ]]; then
      continue
    fi
    while IFS= read -r -d '' private_file; do
      die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
    done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
  done
  return 0
 }
 #######################################
 # Builds unsigned and signed CISS UKIs for the ciss-uki Secure Boot profile.
 # Globals:
 #   PWD
 #   VAR_CISS_SECUREBOOT_DIR
 #   VAR_CISS_SECUREBOOT_EFI_CERT
 #   VAR_CISS_SECUREBOOT_EFI_KEY
 #   VAR_CISS_SECUREBOOT_PROFILE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_WORKDIR
 # Arguments:
 #   None
 # Returns:
 #   0: on success or when the active Secure Boot profile does not require a CISS UKI
 #   42: on validation, artifact selection, UKI build, signing, or verification failure
 #######################################
 main() {
  declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
  declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
  declare secureboot_key="${VAR_CISS_SECUREBOOT_EFI_KEY:-${secureboot_dir}/private/ciss-efi-image.key}"
  declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
  declare stub="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
  declare os_release="chroot/usr/lib/os-release"
  declare kernel_path=""
  declare initrd_path=""
  declare kernel_base=""
  declare initrd_base=""
  declare kernel_version=""
  declare initrd_version=""
  declare cmdline=""
  declare microcode_initrd=""
  declare output_root=""
  declare uki_dir=""
  declare manifest_dir=""
  declare unsigned_uki=""
  declare signed_uki=""
  declare manifest=""
  declare -a ukify_args=()
  if [[ "${profile}" != "ciss-uki" ]]; then
    printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI build. \e[0m\n" "${profile}"
    return 0
  fi
  printf "\e[95m🧪 Building CISS Secure Boot UKI ... \e[0m\n"
  cd "${build_dir}"
  require_command ukify
  require_command sbverify
  require_command sha512sum
  require_file "${stub}" "systemd EFI stub"
  require_file "${secureboot_key}" "CISS EFI image signing key"
  require_file "${secureboot_cert}" "CISS EFI image signing certificate"
  require_file "${os_release}" "target os-release metadata"
  guard_private_key_leaks
  select_kernel_initrd_pair kernel_path initrd_path
  kernel_base="${kernel_path##*/}"
  initrd_base="${initrd_path##*/}"
  kernel_version="${kernel_base#vmlinuz-}"
  initrd_version="${initrd_base#initrd.img-}"
  [[ -n "${kernel_version}" && "${kernel_base}" != "${kernel_version}" ]] || die "Kernel artifact name does not match vmlinuz-<version>: '${kernel_path}'."
  [[ -n "${initrd_version}" && "${initrd_base}" != "${initrd_version}" ]] || die "Initrd artifact name does not match initrd.img-<version>: '${initrd_path}'."
  if [[ "${kernel_version}" != "${initrd_version}" ]]; then
    die "Kernel/initrd version mismatch: kernel='${kernel_version}', initrd='${initrd_version}'."
  fi
  read_bootappend_live "config/binary" cmdline
  collect_optional_microcode "${initrd_path%/*}" microcode_initrd
  output_root="${build_dir}/ciss.secureboot"
  uki_dir="${output_root}/uki"
  manifest_dir="${output_root}/manifests"
  unsigned_uki="${uki_dir}/CISS-LIVE-${kernel_version}.unsigned.efi"
  signed_uki="${uki_dir}/CISS-LIVE-${kernel_version}.signed.efi"
  manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.uki-build.txt"
  install -d -m 0755 "${uki_dir}" "${manifest_dir}"
  rm -f -- "${unsigned_uki}" "${signed_uki}" "${manifest}"
  ukify_args=(
    build
    --stub="${stub}"
    --linux="${kernel_path}"
    --cmdline="${cmdline}"
    --os-release="@${os_release}"
    --uname="${kernel_version}"
  )
  if [[ -n "${microcode_initrd}" ]]; then
    printf "\e[92m✅ Embedding separate early microcode cpio before normal initrd: '%s'. \e[0m\n" "${microcode_initrd}"
    ukify_args+=(--initrd="${microcode_initrd}")
  else
    printf "\e[92m✅ No separate early microcode cpio found; using normal initrd only. \e[0m\n"
  fi
  ukify_args+=(--initrd="${initrd_path}")
  printf "\e[95m🧪 Creating unsigned UKI: '%s'. \e[0m\n" "${unsigned_uki}"
  ukify "${ukify_args[@]}" --output="${unsigned_uki}"
  printf "\e[95m🧪 Creating signed UKI: '%s'. \e[0m\n" "${signed_uki}"
  ukify "${ukify_args[@]}" \
    --secureboot-private-key="${secureboot_key}" \
    --secureboot-certificate="${secureboot_cert}" \
    --output="${signed_uki}"
  require_file "${unsigned_uki}" "unsigned CISS UKI"
  require_file "${signed_uki}" "signed CISS UKI"
  {
    printf "CISS Secure Boot UKI build manifest\n"
    printf "Kernel: %s\n" "${kernel_path}"
    printf "Initrd: %s\n" "${initrd_path}"
    printf "Microcode initrd: %s\n" "${microcode_initrd:-none}"
    printf "Uname: %s\n" "${kernel_version}"
    printf "OS release: %s\n" "${os_release}"
    printf "Command line: %s\n" "${cmdline}"
    printf "\nSHA512:\n"
    sha512sum "${unsigned_uki}" "${signed_uki}"
    printf "\nukify inspect:\n"
    ukify inspect "${signed_uki}"
    printf "\nsbverify:\n"
    sbverify --cert "${secureboot_cert}" "${signed_uki}"
  } >| "${manifest}" 2>&1
  printf "\e[92m✅ UKI inspection and signature verification written to '%s'. \e[0m\n" "${manifest}"
  printf "\e[92m✅ CISS Secure Boot UKI build completed. \e[0m\n"
  return 0
 }
 main "$@"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -0,0 +1,347 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # shellcheck disable=SC2312
 set -Ceuo pipefail
 # Final live-build binary hook for CISS UKI installation. When the ciss-uki Secure Boot profile is active, this hook selects
 # the single signed CISS UKI, rebuilds the FAT EFI boot image with it as EFI/BOOT/BOOTX64.EFI, verifies the installed copy,
 # mirrors it into the ISO EFI tree when available, writes an installation manifest, and refuses private Secure Boot key
 # material in build artifact paths.
 declare TMP_DIR=""
 #######################################
 # Removes the temporary EFI image work directory if it is inside the expected Secure Boot output tree.
 # Globals:
 #   PWD
 #   TMP_DIR
 #   VAR_HANDLER_BUILD_DIR
 # Arguments:
 #   None
 # Returns:
 #   0: on success or when no temporary directory exists
 #   42: if the temporary directory is outside the expected cleanup root
 #   non-zero: if removal of the expected temporary directory fails under strict mode
 #######################################
 cleanup() {
  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
  if [[ -n "${TMP_DIR}" && -d "${TMP_DIR}" ]]; then
    case "${TMP_DIR}" in
      "${build_dir}/ciss.secureboot/"*)
        rm -rf -- "${TMP_DIR}"
        ;;
      *)
        printf "\e[91m❌ Refusing to clean unexpected temporary path: '%s'. \e[0m\n" "${TMP_DIR}" >&2
        return 42
        ;;
    esac
  fi
  return 0
 }
 #######################################
 # Prints a fatal error message and terminates the hook.
 # Globals:
 #   None
 # Arguments:
 #   1: Error message
 # Returns:
 #   42: always exits with failure
 #######################################
 die() {
  declare message="$1"
  printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
  exit 42
 }
 #######################################
 # Checks whether a required command exists.
 # Globals:
 #   None
 # Arguments:
 #   1: Command name
 # Returns:
 #   0: on success
 #   42: if the command is missing
 #######################################
 require_command() {
  declare command_name="$1"
  command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
  return 0
 }
 #######################################
 # Checks whether a required file exists.
 # Globals:
 #   None
 # Arguments:
 #   1: File path
 #   2: Human-readable file description
 # Returns:
 #   0: on success
 #   42: if the file is missing
 #######################################
 require_file() {
  declare file_path="$1"
  declare description="$2"
  [[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
  return 0
 }
 #######################################
 # Selects the single signed CISS UKI generated by the CISS UKI build hook.
 # Globals:
 #   None
 # Arguments:
 #   1: CISS UKI output directory
 #   2: Output variable name for the selected signed UKI path
 # Returns:
 #   0: on success
 #   42: if the UKI directory is missing or does not contain exactly one signed UKI
 #######################################
 select_signed_uki() {
  declare uki_dir="$1"
  declare output_var="$2"
  declare -a signed_ukis=()
  [[ -d "${uki_dir}" ]] || die "Missing CISS UKI output directory: '${uki_dir}'."
  mapfile -d '' -t signed_ukis < <(find "${uki_dir}" -maxdepth 1 -type f -name "CISS-LIVE-*.signed.efi" -print0 | LC_ALL=C sort -z)
  if (( ${#signed_ukis[@]} != 1 )); then
    die "Expected exactly one signed CISS UKI in '${uki_dir}', found '${#signed_ukis[@]}'."
  fi
  printf -v "${output_var}" "%s" "${signed_ukis[0]}"
  return 0
 }
 #######################################
 # Refuses private Secure Boot key material in generated artifact paths.
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #   42: if a private Secure Boot key is found below a guarded path
 #######################################
 guard_private_key_leaks() {
  declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
  declare guard_root=""
  declare private_file=""
  for guard_root in "${guard_roots[@]}"; do
    if [[ ! -d "${guard_root}" ]]; then
      continue
    fi
    while IFS= read -r -d '' private_file; do
      die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
    done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
  done
  return 0
 }
 #######################################
 # Mirrors the signed UKI into the ISO EFI tree as the removable-media bootloader when that tree exists.
 # Globals:
 #   None
 # Arguments:
 #   1: Signed UKI path
 #   2: Output variable name for the ISO EFI tree BOOTX64 path, or an empty value when no tree exists
 # Returns:
 #   0: on success, including when no ISO EFI tree exists
 #   non-zero: if directory creation or file installation fails under strict mode
 #######################################
 install_iso_tree_bootx64() {
  declare signed_uki="$1"
  declare output_var="$2"
  declare iso_tree_bootx64=""
  if [[ -d "binary/EFI/boot" ]]; then
    iso_tree_bootx64="binary/EFI/boot/bootx64.efi"
  elif [[ -d "binary/EFI/BOOT" ]]; then
    iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
  elif [[ -d "binary/EFI" ]]; then
    install -d -m 0755 "binary/EFI/BOOT"
    iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
  fi
  if [[ -n "${iso_tree_bootx64}" ]]; then
    install -m 0644 "${signed_uki}" "${iso_tree_bootx64}"
    printf "\e[92m✅ Mirrored signed UKI into ISO EFI tree: '%s'. \e[0m\n" "${iso_tree_bootx64}"
  else
    printf "\e[93m❌ No binary/EFI tree found; only EFI boot image was updated. \e[0m\n"
  fi
  printf -v "${output_var}" "%s" "${iso_tree_bootx64}"
  return 0
 }
 #######################################
 # Installs the signed CISS UKI into the EFI boot image for the ciss-uki Secure Boot profile.
 # Globals:
 #   PWD
 #   SOURCE_DATE_EPOCH
 #   TMP_DIR
 #   VAR_CISS_SECUREBOOT_DIR
 #   VAR_CISS_SECUREBOOT_EFI_CERT
 #   VAR_CISS_SECUREBOOT_PROFILE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_WORKDIR
 # Arguments:
 #   None
 # Returns:
 #   0: on success or when the active Secure Boot profile does not require CISS UKI installation
 #   42: on explicit validation, comparison, or signature verification failure
 #   non-zero: if an external tool, installation command, or manifest write fails under strict mode
 #######################################
 main() {
  declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
  declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
  declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
  declare output_root=""
  declare uki_dir=""
  declare manifest_dir=""
  declare signed_uki=""
  declare efi_img="binary/boot/grub/efi.img"
  declare uki_name=""
  declare kernel_version=""
  declare manifest=""
  declare tmp_img=""
  declare extracted_uki=""
  declare iso_tree_bootx64=""
  declare uki_size=""
  declare -i uki_kib=0
  declare -i blocks=0
  declare source_epoch="${SOURCE_DATE_EPOCH:-0}"
  declare volid=""
  if [[ "${profile}" != "ciss-uki" ]]; then
    printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI EFI installation. \e[0m\n" "${profile}"
    return 0
  fi
  printf "\e[95m🧪 Installing CISS signed UKI into EFI boot image ... \e[0m\n"
  cd "${build_dir}"
  require_command cmp
  require_command mcopy
  require_command mdir
  require_command mkfs.msdos
  require_command sbverify
  require_command sha512sum
  require_command stat
  require_command ukify
  require_file "${secureboot_cert}" "CISS EFI image signing certificate"
  require_file "${efi_img}" "live-build EFI boot image"
  guard_private_key_leaks
  output_root="${build_dir}/ciss.secureboot"
  uki_dir="${output_root}/uki"
  manifest_dir="${output_root}/manifests"
  select_signed_uki "${uki_dir}" signed_uki
  uki_name="${signed_uki##*/}"
  kernel_version="${uki_name#CISS-LIVE-}"
  kernel_version="${kernel_version%.signed.efi}"
  [[ -n "${kernel_version}" && "${kernel_version}" != "${uki_name}" ]] || die "Signed UKI name does not match CISS-LIVE-<version>.signed.efi: '${signed_uki}'."
  install -d -m 0755 "${manifest_dir}"
  TMP_DIR="$(mktemp -d -p "${output_root}" "efi-img.XXXXXXXX")"
  tmp_img="${TMP_DIR}/efi.img"
  extracted_uki="${TMP_DIR}/BOOTX64.EFI"
  manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.efi-install.txt"
  rm -f -- "${manifest}"
  uki_size="$(stat -c %s -- "${signed_uki}")"
  uki_kib=$(( (uki_size + 1023) / 1024 ))
  blocks=$(( (uki_kib + 8192 + 31) / 32 * 32 ))
  if (( blocks < 32768 )); then
    blocks=32768
  fi
  if [[ ! "${source_epoch}" =~ ^[0-9]+$ ]]; then
    source_epoch="0"
  fi
  printf -v volid "%08x" "$((source_epoch % 4294967296))"
  printf "\e[95m🧪 Rebuilding EFI boot image with signed UKI as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
  mkfs.msdos -C "${tmp_img}" "${blocks}" -i "${volid}" >/dev/null
  mmd -i "${tmp_img}" "::EFI"
  mmd -i "${tmp_img}" "::EFI/BOOT"
  mcopy -m -o -i "${tmp_img}" "${signed_uki}" "::EFI/BOOT/BOOTX64.EFI"
  mcopy -o -i "${tmp_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
  cmp -s "${signed_uki}" "${extracted_uki}" || die "Extracted BOOTX64.EFI differs from signed UKI before EFI image installation."
  sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
  install -m 0644 "${tmp_img}" "${efi_img}"
  rm -f -- "${extracted_uki}"
  mcopy -o -i "${efi_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
  cmp -s "${signed_uki}" "${extracted_uki}" || die "Installed EFI/BOOT/BOOTX64.EFI differs from signed UKI."
  sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
  install_iso_tree_bootx64 "${signed_uki}" iso_tree_bootx64
  if [[ -n "${iso_tree_bootx64}" ]]; then
    cmp -s "${signed_uki}" "${iso_tree_bootx64}" || die "ISO EFI tree BOOTX64.EFI differs from signed UKI."
    sbverify --cert "${secureboot_cert}" "${iso_tree_bootx64}" >/dev/null
  fi
  guard_private_key_leaks
  {
    printf "CISS Secure Boot EFI image installation manifest\n"
    printf "EFI image: %s\n" "${efi_img}"
    printf "Installed path: EFI/BOOT/BOOTX64.EFI\n"
    printf "ISO EFI tree mirror: %s\n" "${iso_tree_bootx64:-none}"
    printf "Signed UKI: %s\n" "${signed_uki}"
    printf "FAT image blocks KiB: %s\n" "${blocks}"
    printf "FAT volume id: %s\n" "${volid}"
    printf "\nSHA512:\n"
    sha512sum "${efi_img}" "${signed_uki}" "${extracted_uki}"
    if [[ -n "${iso_tree_bootx64}" ]]; then
      sha512sum "${iso_tree_bootx64}"
    fi
    printf "\nEFI directory:\n"
    mdir -i "${efi_img}" "::EFI/BOOT"
    printf "\nukify inspect installed BOOTX64.EFI:\n"
    ukify inspect "${extracted_uki}"
    printf "\nsbverify installed BOOTX64.EFI:\n"
    sbverify --cert "${secureboot_cert}" "${extracted_uki}"
  } >| "${manifest}" 2>&1
  printf "\e[92m✅ EFI image installation verification written to '%s'. \e[0m\n" "${manifest}"
  printf "\e[92m✅ CISS signed UKI installed as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
  return 0
 }
 main "$@"
 cleanup
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.544.2025.12.05
+# Version Master V9.14.022.2026.06.10
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.544.2025.12.05"
+declare -gr VERSION="Master V9.14.022.2026.06.10"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.544.2025.12.05 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.022.2026.06.10 at: 10:18:37.9542
@@ -25,8 +25,8 @@ cat << 'EOF'
 EOF
 echo ""
-echo -e "\e[97m      (c) Marc S. Weidner, 2018 - 2025 \e[0m"
+echo -e "\e[97m      (c) Marc S. Weidner, 2018 - 2026 \e[0m"
-echo -e "\e[97m      (p) Centurion Press, 2018 - 2025 \e[0m"
+echo -e "\e[97m      (p) Centurion Press, 2018 - 2026 \e[0m"
 echo -e "\e[97m          Centurion Intelligence Consulting Agency (tm) \e[0m"
 echo -e "\e[97m          https://coresecret.eu/ \e[0m"
 echo -e "\e[95m          Please consider making a donation: \e[0m"
@@ -14,8 +14,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
+# Module summary:
-# Phase  : premount (executed by live-boot inside the initramfs).
+# - Reserve a dedicated /run/live/overlay tmpfs with a configurable size limit.
 # - Mount it with restrictive flags and permissions before OverlayFS uses it.
 # - Prepare the upper and work directories required by the later live-boot overlay setup.
 _SAVED_SET_OPTS="$(set +o)"
--- a/Show More
+++ b/Show More