DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]

X-CI-Metadata: master@22d6c9a at 2025-08-22T17:41:17Z on 9441b3c6beee Generated at : 2025-08-22T17:41:17Z Runner Host : 9441b3c6beee Workflow ID : 🔐 Generating a Private Live ISO TRIXIE. Git Commit : 22d6c9a HEAD -> master
DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
2025-08-22 17:41:17 +00:00 · 2025-08-22 17:26:01 +00:00 · 2025-08-22 19:23:56 +02:00 · 2025-08-22 17:10:47 +00:00 · 2025-08-22 19:08:33 +02:00 · 2025-08-22 17:08:10 +00:00
108 changed files with 1740 additions and 822 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.864.2025.07.15\e[0m")
+$(echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")

 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
--- a/config/hooks/live/0003_install_backports.chroot
+++ b/config/hooks/live/0003_install_backports.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
--- a/.archive/icon.lib
+++ b/.archive/icon.lib
@@ -5,7 +5,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ✅
@@ -52,4 +52,4 @@
 ☢️
 ☣️
 •
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.editorconfig
+++ b/.editorconfig
@@ -25,6 +25,10 @@ charset = utf-8
 insert_final_newline = true
 trim_trailing_whitespace = true

+[{makefile,*.mk}]
+indent_style = tab
+tab_width    = 8
+
 [*.md]
 end_of_line = lf
 # Markdown benefits from a final newline for POSIX tools
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.864.2025.07.15"
+      placeholder: "e.g., Master V8.13.008.2025.08.22"
    validations:
      required: true

--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.008.2025.08.22

 FROM debian:bookworm

--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -5,11 +5,11 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.008.2025.08.22

 name: 🔁 Render README.md to README.html.

--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.008.2025.08.22
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.008.2025.08.22
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.008.2025.08.22
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.008.2025.08.22
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,9 +9,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.008.2025.08.22

-name: 🔐 Generating a Private Live ISO FLV 0.
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+  run:
+    shell: bash

 permissions:
  contents: write
@@ -21,164 +25,34 @@ on:
    branches:
      - master
    paths:
-      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'

 jobs:
-  generate-private-ciss-debian-live-iso:
-    name: 🔐 Generating a Private Live ISO FLV 0.
-    runs-on: ciss.debian.live.builder.iso.generator
+  generate-private-cdlb-trixie:
+    name: 🔐 Generating a Private Live ISO TRIXIE.
+    runs-on: cdlb.trixie

-    ### Run all steps inside Debian Bookworm
    container:
-      image: debian:bookworm
+      image: debian:trixie

    steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
-        run: |
-          apt-get update -y
-          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
-          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
-            >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update -y
-          apt-get upgrade -y
-
-      - name: 🛠️ Installing Build Tools.
+      - name: 🛠️ Basic Image Setup.
        shell: bash
        run: |
-          apt-get update -y
-          apt-get install -y \
-            autoconf \
-            automake \
-            build-essential \
-            cryptsetup \
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
            curl \
-            debootstrap \
-            dosfstools \
-            efibootmgr \
-            gettext \
            git \
            gnupg \
-            haveged \
-            libbz2-dev \
-            zlib1g-dev \
-            liblzma-dev \
-            libtool \
-            live-build \
-            parted \
-            pkg-config \
-            ssh \
-            ssl-cert \
+            openssh-client \
+            openssl \
            sudo \
-            texinfo \
-            wget \
-            whois \
-
-      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
-        shell: bash
-        run: |
-          urls=(
-            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
-          )
-
-          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
-          gpg --batch --import signature_key.asc
-
-          for url in "${urls[@]}"; do
-            archive_name="${url##*/}"
-            pkg_name="${archive_name%.tar.bz2}"
-            echo "🔄 Processing ${pkg_name}"
-            if [[ ! -f "${archive_name}" ]]; then
-              echo "📥 Downloading: '${archive_name}'."
-              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
-                echo "✅ Download successful: '${archive_name}'."
-              else
-                echo "❌ Download NOT successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping download, package already exists: '${archive_name}'."
-            fi
-
-            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
-
-            if [[ ! -d "${pkg_name}" ]]; then
-              echo "📂 Extracting: '${archive_name}'."
-              if tar -xjf "${archive_name}"; then
-                echo "✅ Extraction successful: '${archive_name}'."
-              else
-                echo "❌ Extraction not successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping directory, already exists: '${pkg_name}'."
-            fi
-
-            echo "🏗️ Build and install the package: '${pkg_name}'."
-            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
-            mkdir -p build
-            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
-
-            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
-            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
-            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
-
-            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
-
-            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
-            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
-            echo "✅ Successful build and installation of '${pkg_name}'."
-            echo "-------------------------------------------------------------------------------------"
-
-          done
-
-          rm -f signature_key.asc
-
-          echo "✅ All packages were built and installed successfully."
-
-          mv_bin=(
-            "/usr/bin/gpg"
-            "/usr/bin/gpg-agent"
-            "/usr/bin/gpgconf"
-            "/usr/bin/gpg-connect-agent"
-            "/usr/bin/gpg-wks-client"
-            "/usr/bin/gpg-preset-passphrase"
-          )
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
-              if mv "${bin}" "${bin}.debian-backup"; then
-                echo "✅ Moved successfully: '${bin}'."
-              else
-                echo "❌ Moved NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist as build binary: '${bin}'."
-            fi
-          done
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "/usr/local/bin/${name}" ]]; then
-              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
-                echo "✅ 'update-alternatives' successfully: '${bin}'."
-              else
-                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist: '/usr/local/bin/${name}'."
-            fi
-          done
-
-          sudo ldconfig
-
-          gpgconf --kill all
-          /usr/local/bin/gpg-agent --daemon
+            util-linux

      - name: ⚙️ Check GnuPG Version.
        shell: bash
@@ -268,9 +142,9 @@ jobs:
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.12.41+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
@@ -280,7 +154,8 @@ jobs:
            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
            --root-password-file /opt/config/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
+            --trixie

      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
@@ -367,11 +242,12 @@ jobs:
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"

          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -381,7 +257,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu

-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"

          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
@@ -435,7 +311,7 @@ jobs:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."

      - name: 🔑 Commit and sign changes with CI metadata.
@@ -459,7 +335,7 @@ jobs:
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"

-            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]

          ${CI_HEADER}

--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,9 +9,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.008.2025.08.22

-name: 🔐 Generating a Private Live ISO FLV 1.
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+  run:
+    shell: bash

 permissions:
  contents: write
@@ -21,164 +25,34 @@ on:
    branches:
      - master
    paths:
-      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'

 jobs:
-  generate-private-ciss-debian-live-iso:
-    name: 🔐 Generating a Private Live ISO FLV 1.
-    runs-on: ciss.debian.live.builder.iso.generator
+  generate-private-cdlb-trixie:
+    name: 🔐 Generating a Private Live ISO TRIXIE.
+    runs-on: cdlb.trixie

-    ### Run all steps inside Debian Bookworm
    container:
-      image: debian:bookworm
+      image: debian:trixie

    steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
-        run: |
-          apt-get update -y
-          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
-          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
-            >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update -y
-          apt-get upgrade -y
-
-      - name: 🛠️ Installing Build Tools.
+      - name: 🛠️ Basic Image Setup.
        shell: bash
        run: |
-          apt-get update -y
-          apt-get install -y \
-            autoconf \
-            automake \
-            build-essential \
-            cryptsetup \
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
            curl \
-            debootstrap \
-            dosfstools \
-            efibootmgr \
-            gettext \
            git \
            gnupg \
-            haveged \
-            libbz2-dev \
-            zlib1g-dev \
-            liblzma-dev \
-            libtool \
-            live-build \
-            parted \
-            pkg-config \
-            ssh \
-            ssl-cert \
+            openssh-client \
+            openssl \
            sudo \
-            texinfo \
-            wget \
-            whois \
-
-      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
-        shell: bash
-        run: |
-          urls=(
-            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
-          )
-
-          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
-          gpg --batch --import signature_key.asc
-
-          for url in "${urls[@]}"; do
-            archive_name="${url##*/}"
-            pkg_name="${archive_name%.tar.bz2}"
-            echo "🔄 Processing ${pkg_name}"
-            if [[ ! -f "${archive_name}" ]]; then
-              echo "📥 Downloading: '${archive_name}'."
-              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
-                echo "✅ Download successful: '${archive_name}'."
-              else
-                echo "❌ Download NOT successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping download, package already exists: '${archive_name}'."
-            fi
-
-            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
-
-            if [[ ! -d "${pkg_name}" ]]; then
-              echo "📂 Extracting: '${archive_name}'."
-              if tar -xjf "${archive_name}"; then
-                echo "✅ Extraction successful: '${archive_name}'."
-              else
-                echo "❌ Extraction not successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping directory, already exists: '${pkg_name}'."
-            fi
-
-            echo "🏗️ Build and install the package: '${pkg_name}'."
-            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
-            mkdir -p build
-            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
-
-            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
-            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
-            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
-
-            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
-
-            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
-            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
-            echo "✅ Successful build and installation of '${pkg_name}'."
-            echo "-------------------------------------------------------------------------------------"
-
-          done
-
-          rm -f signature_key.asc
-
-          echo "✅ All packages were built and installed successfully."
-
-          mv_bin=(
-            "/usr/bin/gpg"
-            "/usr/bin/gpg-agent"
-            "/usr/bin/gpgconf"
-            "/usr/bin/gpg-connect-agent"
-            "/usr/bin/gpg-wks-client"
-            "/usr/bin/gpg-preset-passphrase"
-          )
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
-              if mv "${bin}" "${bin}.debian-backup"; then
-                echo "✅ Moved successfully: '${bin}'."
-              else
-                echo "❌ Moved NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist as build binary: '${bin}'."
-            fi
-          done
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "/usr/local/bin/${name}" ]]; then
-              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
-                echo "✅ 'update-alternatives' successfully: '${bin}'."
-              else
-                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist: '/usr/local/bin/${name}'."
-            fi
-          done
-
-          sudo ldconfig
-
-          gpgconf --kill all
-          /usr/local/bin/gpg-agent --daemon
+            util-linux

      - name: ⚙️ Check GnuPG Version.
        shell: bash
@@ -268,16 +142,17 @@ jobs:
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.12.41+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
            --root-password-file /opt/config/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
+            --trixie

      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
@@ -364,11 +239,12 @@ jobs:
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"

          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -378,7 +254,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu

-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"

          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
@@ -432,7 +308,7 @@ jobs:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."

      - name: 🔑 Commit and sign changes with CI metadata.
@@ -456,7 +332,7 @@ jobs:
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"

-            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]

          ${CI_HEADER}

--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.008.2025.08.22

 name: 💙 Generating a PUBLIC Live ISO.

@@ -271,7 +271,7 @@ jobs:
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.1.0-37-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
@@ -378,7 +378,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu

-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"

          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.008.2025.08.22

 # Gitea Workflow: Shell-Script Linting
 #
@@ -202,11 +202,12 @@ jobs:
            echo -e "⚠️ Linting issues detected:\n"
            echo -e "${findings}"
            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            VAR_DATE="$(date +%F)"
            PRIVATE_FILE="LINTER_RESULTS.txt"
            touch "${PRIVATE_FILE}"
            cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -216,7 +217,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu

-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"

          ⚠️ The last linter check was NOT successful. ⚠️

@@ -225,11 +226,12 @@ jobs:
          else
            echo "✅ No issues found in shell scripts."
            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            VAR_DATE="$(date +%F)"
            PRIVATE_FILE="LINTER_RESULTS.txt"
            touch "${PRIVATE_FILE}"
            cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -239,7 +241,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu

-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"

          ✅ The last linter check was successful. ✅

--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.008.2025.08.22

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.008.2025.08.22

 name: 🔁 Render Graphviz Diagrams.

--- a/.gitignore
+++ b/.gitignore
@@ -16,5 +16,6 @@ target/
 *.DS_Store
 *.log
 *.ps1
+config.mk
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -0,0 +1,28 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+encoding=utf-8
+external-sources=true
+shell=bash
+source-path=~/lib
+source-path=~/scripts
+source-path=~/var
+
+enable=avoid-nullary-conditions
+enable=check-extra-masked-returns
+enable=check-set-e-suppressed
+enable=check-unassigned-uppercase
+enable=deprecate-which
+enable=quote-safe-variables
+enable=require-double-brackets
+enable=require-variable-braces
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.864.2025.07.15"
+properties_version="V8.13.008.2025.08.22"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.864.2025.07.15
+PackageVersion: Master V8.13.008.2025.08.22
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T17:55:19Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:25:58Z"

 ✅ The last linter check was successful. ✅

--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T13:01:05Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-11T22:40:21Z".

 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_07_15T12_12_23Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_11T21_49_56Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  e94f1f698fb6d6a078d3aed785302ffcad25221c92439e84bb505a39d7b4da50674063cc2f7957cca655afdcdb55871ed4990aebbb096f964336af682891aed0
+  4aa02673b9a8d5b974014eca4371d1ed69b05eaea9e92203cf7c092880833e18812bf31ab053399eda98b7a3da0b76b8dcdaaba892e9f52f836ea9d2b0e09e38
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZREQAKCRA85KY4hzOw
-IQE/APsGY1Q8yonOxKTBUxgPPIA7ugHTfub9yWbPLcisC7J+sQEA17e8hmjJSX+O
-NpAtnhF4dfZheybcyfJwsscrNtOieAM=
-=V2i8
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpxVQAKCRA85KY4hzOw
+IZWOAQDJriUoDvDNSQiHbFfW4KVV1E1wqe12eS7GyfVFr9bISwEAoDKhQ85+RiGr
+pCdWqvU8wcfzEIlKIpAgAZVrhX/xRw8=
+=wNVV
 -----END PGP SIGNATURE-----

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_0.private
+++ b/LIVE_ISO_TRIXIE_0.private
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T11:05:11Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-22T16:55:09Z"

 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_07_15T10_13_20Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_22T16_11_02Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  b18d79055f12e6f61a1d0b46f8648f8097da419701f3366ba127b0eff1bb0d9ef4794b1a59b66ad8d48c3e3812a1fbc81f948a66b913b036cf2b740a778a88cd
+  35c288d96239804e244cbe99c8ce3895aec39104a7200c2ef7326d38e1ec4eea3bf60b895eaa4d981cb718ae4d27d2d4166f16252b88606a870d14c3db096a37
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHY15wAKCRA85KY4hzOw
-Idw3AQDzmYnaCI3OADP+DB+u805S8F+QUmVIcfmUGnM0sDz78gD+I+m+BHte8lzp
-rwudtbEBn9wZvy2KyFWcxlSCn3go2gU=
-=nGnJ
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKig7QAKCRA85KY4hzOw
+IWKWAP0Wlqbi3ArURSGW5m+E+OstdsU7qHjf+e1SVRJ3BGUzaAEAr3ceyHiiA2/7
+RlXsvZxNgVDaEVSdjmt99dMrZK7DRws=
+=4Oh3
 -----END PGP SIGNATURE-----

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_1.private
+++ b/LIVE_ISO_TRIXIE_1.private
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T12:03:16Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:41:13Z"

 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_07_15T11_14_23Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_22T16_56_12Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  a022fe082d5d06db05e4c53f09b59ee57f483a3d2a2a143403d93c27a2d454ec8982ccaeb957f654c0879276befc7d9ab2333f407c8089306348c7a10fd39a20
+  4925332b61dbd91f0c444624bbe7de586dbd911fbb27b080a99e44ae312c5139afc502d0415d0bef7dfbd1e5461c07e0a0700f7206e746a91cbcb5403ef003e3
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZDhAAKCRA85KY4hzOw
-IV0hAQCl7xeM8Art2obImFmhUBKDOLcLifegqY/jKY9729EM/wEAzJTRuLts9Jzy
-PXje4fYxZiNOoFv3hz7Xwt5q9rPn/AE=
-=S0vW
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiruQAKCRA85KY4hzOw
+IdoTAQDqyOBkGA0xDoLsDvjFSaf3tmzz8mD/5qvsDtF6y/rEWwD/dAXzMOdQjxg8
+IcK+GK6u4k5/HT5bYlCvTy/WxRb5ggQ=
+=boDM
 -----END PGP SIGNATURE-----

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.864.2025.07.15-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.008.2025.08.22-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,8 +11,8 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.5-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -25,8 +25,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -70,7 +70,16 @@ separate directory tree, employs `DynamicUser` features, and adheres to strict s
 rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
 of both UFW software firewalls and dedicated hardware firewall appliances.

-## 1.2. Immutable Source-of-Truth System
+## 1.2. Match Host and Target Versions
+
+Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are 
+release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``, 
+``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS 
+options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even 
+unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
+reproducible builds, matching dependencies, and compatible boot artifacts.
+
+## 1.3. Immutable Source-of-Truth System

 This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
 source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
@@ -89,7 +98,7 @@ or shell-access, also via the forthcoming `CISS.debian.installer`. Such a versio
 provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
 awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
 without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
-`grub2 (2.12-1~bpo12+1)`.<br>
+`grub2 (2.12-9)`.<br>

 This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
 source-defined infrastructure logic.<br>
@@ -103,11 +112,11 @@ After build and configuration, the following audit reports can be generated:
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
  Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**

-## 1.3. Preview
+## 1.4. Preview

 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)

-## 1.4. Caution. Significant information for those considering using D-I.
+## 1.5. Caution. Significant information for those considering using D-I.

 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>

@@ -138,18 +147,18 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).

-## 1.5. Versioning Schema
+## 1.6. Versioning Schema

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V8.03.864.2025.07.15`
+Example: `V8.13.008.2025.08.22`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

 Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
 reproducibility and traceability.

-## 1.6. Keywords
+## 1.7. Keywords

 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
 "MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
@@ -389,35 +398,52 @@ apply or revert these controls.
 set -o errexit   # Exit script when a command exits with non-zero status (same as "set -e").
 set -o errtrace  # Inherit ERR traps in subshells (same as "set -E").
 set -o functrace # Inherit DEBUG and RETURN traps in subshells (same as "set -T").
+set -o ignoreeof # An interactive shell will not exit upon reading EOF.
 set -o nounset   # Exit script on use of an undefined variable (same as "set -u").
 set -o pipefail  # Return the exit status of the last failed command in a pipeline.
 set -o noclobber # Prevent overwriting files via redirection (same as "set -C").
 ```
+
+* The following `shopt` options are applied at the beginning of the script (see
+  [Bash Manual, The Shopt Builtin](https://www.gnu.org/software/bash/manual/bash.html#The-Shopt-Builtin)):
+````bash
+shopt -s failglob        # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
+shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option instead of unsetting it in the
+                         # subshell environment.
+shopt -s lastpipe        # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
+                         # the background in the current shell environment.
+shopt -u expand_aliases  # If set, aliases are expanded as described. This option is enabled by default for interactive shells.
+shopt -u dotglob         # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
+shopt -u extglob         # If set, enable the extended pattern matching features.
+shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.
+````
+
 * **Rationale**: These options enforce strict error checking and handling, reducing silent failures and ensuring 
 predictable script behavior.

 # 4. Prerequisites

-* **Host**: Debian Bookworm or newer with `live-build` package installed.
+* **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
 * **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
 * **Network**: Outbound access to Debian repositories and PTB NTPsec pool.

 # 5. Installation & Usage

-# 5.1. Interactive CLI / Dialog Wrapper
+## 5.1. Interactive CLI / Dialog Wrapper

 1. Clone the repository:
-
   ```bash
   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
   cd CISS.debian.live.builder
   ```
+   
 2. Preparation:
   1. Ensure you are root.
   2. Create the build directory `mkdir /opt/livebuild`.
   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   5. Make any other changes you need to.
+
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):

   ````bash
@@ -435,8 +461,10 @@ predictable script behavior.
                          --reionice-priority 1 2 \
                          --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
                          --ssh-port 4242 \
-                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder
+                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder \
+                          --trixie
   ````
+
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
@@ -444,7 +472,46 @@ predictable script behavior.
 8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
 9. Type `celp` for some shortcuts.

-# 5.2. CI/CD Gitea Runner Workflow Example
+## 5.2. Make Wrapper, Quick Usage
+
+This repo ships a thin make wrapper around ``./ciss_live_builder.sh``, so you can compose a correctly quoted command and either 
+preview it or run it.
+
+1. Clone the repository:
+
+   ```bash
+   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+   cd CISS.debian.live.builder
+   ```
+
+2. Preparation:
+   1. Ensure you are root.
+   2. Create the build directory `mkdir /opt/livebuild`.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   5. Copy and edit the sample and set your options (no spaces around commas in lists): 
+
+    ````bash
+    cp config.mk.sample config.mk
+    ````
+
+    ````bash
+    BUILD_DIR=/opt/livebuild
+    ROOT_PASSWORD_FILE=/opt/gitea/CISS.debian.live.builder/password.txt
+    SSH_PORT=4242
+    SSH_PUBKEY=/root/.ssh
+
+    # Optional
+    PROVIDER_NETCUP_IPV6=2001:cdb::1
+    # comma-separated; IPv6 in [] is fine
+    JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     
+    ````
+
+3. Dry-run first (prints the exact command): ````make dry-run````
+
+4. Execute the build: ````make live````
+
+## 5.3. CI/CD Gitea Runner Workflow Example

 1. Clone the repository:

--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -13,85 +13,142 @@
 ### Contributions so far see ./docs/CREDITS.md

 ### WHY BASH?
-# Ease of installation.
-# No compiling or installing gems, CPAN modules, pip packages, etc.
-# Simple to use and read. Clear syntax and straightforward output interpretation.
-# Built-in power.
-# Pattern matching, line processing, and regular expression support are available natively,
-# no external binaries required.
-# Cross-platform consistency.
-# '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
-# macOS compatibility.
-# Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
-# Windows support.
-# You can use bash via WSL, MSYS2, or Cygwin on Windows systems.
+# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
+# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
+# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
+# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
+# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
+# or Cygwin on Windows systems.

-### Preliminary checks
+### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
+# shellcheck disable=SC2155
+declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
+declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
+declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
+declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
+declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
+declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/opt/git/CISS.debian.live.builder'
+declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
+# shellcheck disable=SC2155
+declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
+# shellcheck disable=SC2155
+declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
+# shellcheck disable=SC2155
+declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
+
+### PRELIMINARY CHECKS.
+### No ash, dash, ksh, sh.
+# shellcheck disable=2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### No zsh.
+[[ -n "${ZSH_VERSION:-}" ]] && {
+  . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Not root.
 [[ ${EUID} -ne 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_NOT_USER_0}"; }
+  . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2
+  exit "${ERR_NOT_USER_0}"
+}
+
+### Check to be not called by sh.
+# shellcheck disable=2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Check to be not sourced.
+[[ "${BASH_SOURCE[0]}" != "$0" ]] && {
+  . ./var/global.var.sh
+  printf "\e[91m❌ This script must be executed, not sourced. Please run '%s' directly! Bye... \e[0m\n" "$0" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Minimum Bash version 5.
 [[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
+  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Minimum Bash version 5.1.
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
+  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### No arguments.
 [[ ${#} -eq 0 ]] && {
-  . ./lib/lib_usage.sh; usage; exit 1; }
+  . ./lib/lib_usage.sh
+  usage
+  exit 1
+}

 ### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
-. ./lib/lib_git_var.sh
+. ./lib/lib_source_guard.sh
+source_guard "./lib/lib_git_var.sh"

 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh  ; usage  ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done

 ### ALL CHECKS DONE. READY TO START THE SCRIPT
+source_guard "./var/bash.var.sh"
 check_git
-for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
+for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 declare -gx VAR_SETUP="true"

 ### SOURCING VARIABLES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./var/bash.var.sh
-  . ./var/color.var.sh
-  . ./var/global.var.sh
+  source_guard "./var/color.var.sh"
+  source_guard "./var/global.var.sh"
 }

 ### SOURCING LIBRARIES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./lib/lib_arg_parser.sh
-  . ./lib/lib_arg_priority_check.sh
-  . ./lib/lib_boot_screen.sh
-  . ./lib/lib_cdi.sh
-  . ./lib/lib_change_splash.sh
-  . ./lib/lib_check_dhcp.sh
-  . ./lib/lib_check_hooks.sh
-  . ./lib/lib_check_kernel.sh
-  . ./lib/lib_check_pkgs.sh
-  . ./lib/lib_check_provider.sh
-  . ./lib/lib_check_stats.sh
-  . ./lib/lib_check_var.sh
-  . ./lib/lib_clean_screen.sh
-  . ./lib/lib_clean_up.sh
-  . ./lib/lib_copy_integrity.sh
-  . ./lib/lib_hardening_root_pw.sh
-  . ./lib/lib_hardening_ssh.sh
-  . ./lib/lib_hardening_ultra.sh
-  . ./lib/lib_helper_ip.sh
-  . ./lib/lib_lb_build_start.sh
-  . ./lib/lib_lb_config_start.sh
-  . ./lib/lib_lb_config_write.sh
-  . ./lib/lib_provider_netcup.sh
-  . ./lib/lib_run_analysis.sh
-  . ./lib/lib_sanitizer.sh
-  . ./lib/lib_trap_on_err.sh
-  . ./lib/lib_trap_on_exit.sh
-  . ./lib/lib_usage.sh
+  source_guard "./lib/lib_arg_parser.sh"
+  source_guard "./lib/lib_arg_priority_check.sh"
+  source_guard "./lib/lib_boot_screen.sh"
+  source_guard "./lib/lib_cdi.sh"
+  source_guard "./lib/lib_change_splash.sh"
+  source_guard "./lib/lib_check_dhcp.sh"
+  source_guard "./lib/lib_check_hooks.sh"
+  source_guard "./lib/lib_check_kernel.sh"
+  source_guard "./lib/lib_check_pkgs.sh"
+  source_guard "./lib/lib_check_provider.sh"
+  source_guard "./lib/lib_check_stats.sh"
+  source_guard "./lib/lib_check_var.sh"
+  source_guard "./lib/lib_clean_screen.sh"
+  source_guard "./lib/lib_clean_up.sh"
+  source_guard "./lib/lib_copy_integrity.sh"
+  source_guard "./lib/lib_hardening_root_pw.sh"
+  source_guard "./lib/lib_hardening_ssh.sh"
+  source_guard "./lib/lib_hardening_ultra.sh"
+  source_guard "./lib/lib_helper_ip.sh"
+  source_guard "./lib/lib_lb_build_start.sh"
+  source_guard "./lib/lib_lb_config_start.sh"
+  source_guard "./lib/lib_lb_config_write.sh"
+  source_guard "./lib/lib_lb_config_write_trixie.sh"
+  source_guard "./lib/lib_provider_netcup.sh"
+  source_guard "./lib/lib_run_analysis.sh"
+  source_guard "./lib/lib_sanitizer.sh"
+  source_guard "./lib/lib_trap_on_err.sh"
+  source_guard "./lib/lib_trap_on_exit.sh"
+  source_guard "./lib/lib_usage.sh"
 }

 ### ADVISORY LOCK
@@ -113,61 +170,66 @@ for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *)
 check_pkgs

 ### DIALOG OUTPUT FOR INITIALIZATION
-if ! $VAR_HANDLER_AUTOBUILD; then boot_screen; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
-### Initialization
-declare -gr ARGUMENTS_COUNT="$#"
-declare -gr ARG_STR_ORG_INPUT="$*"
-#declare -ar ARG_ARY_ORG_INPUT=("$@")
-# shellcheck disable=SC2155
-declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
-# shellcheck disable=SC2155
-declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
-# shellcheck disable=SC2155
-declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
 declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi

 ### Turn off Dialog Wrapper
-if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi

 ### MAIN Program
 arg_priority_check
 check_stats
-if ! $VAR_HANDLER_AUTOBUILD; then check_provider; fi
-if ! $VAR_HANDLER_AUTOBUILD; then check_kernel; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
 check_hooks
 hardening_ssh
 lb_config_start
-lb_config_write

+if [[ "${VAR_SUITE}" == "bookworm" ]]; then
+
+  lb_config_write
+  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
+  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs"
+
+else
+
+  lb_config_write_trixie
+  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
+  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
+
+fi
+
+# shellcheck disable=SC2164
 cd "${VAR_WORKDIR}"
+
 hardening_ultra
 hardening_root_pw
 change_splash
--- a/config.mk.sample
+++ b/config.mk.sample
@@ -0,0 +1,21 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-21; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+BUILD_DIR            ?=
+PROVIDER_NETCUP_IPV6 ?=
+ROOT_PASSWORD_FILE   ?=
+SSH_PORT             ?=
+SSH_PUBKEY           ?=
+
+### Comma-separated jump hosts (can be empty):
+JUMP_HOSTS           ?=
+
+# vim: set ft=make noet ts=8 sw=8
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
@@ -21,7 +21,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 #######################################
 grep_nic_driver_modules() {
  declare _mods
-  # Gather all Driver and sort unique
+
+  ### Gather all Driver and sort unique.
+  # shellcheck disable=SC2312
  readarray -t _mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
@@ -51,7 +53,7 @@ cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

@@ -67,35 +69,45 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod

-### QEMU Bochs-compatible virtual machine support
-bochs
-
-### Device-mapper core module (required for all dm_* features)
-dm_mod
-
-### Device-mapper integrity target (provides integrity checking)
-dm-integrity
-
-### Device-mapper crypt target (provides disk encryption)
-dm-crypt
-
-### Generic AES block cipher implementation (used by dm-crypt)
-aes_generic
-
-### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
-sha256_generic
-
-### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
-crc32c_generic
-
-### Main btrfs filesystem module
+### Main btrfs-Stack
 btrfs
-
-### Zstandard compression support for btrfs
+lzo
+xor
+xxhash
+zstd
 zstd_compress

-### XOR parity implementation for RAID functionality
-xor
+### Main ext4-Stack
+ext4
+jbd2
+libcrc32c
+
+### Main VFAT/ESP/FAT/UEFI-Stack
+exfat
+fat
+nls_ascii
+nls_cp437
+nls_iso8859-1
+nls_iso8859-15
+nls_utf8
+vfat
+
+### Device mapper, encryption & integrity
+dm_mod
+dm_crypt
+dm_integrity
+dm_verity
+
+### Main cryptography-Stack
+aes_generic
+blake2b_generic
+crc32c_generic
+libcrc32c
+sha256_generic
+sha512_generic
+
+### QEMU Bochs-compatible virtual machine support
+bochs

 ### RAID6 parity generation module
 raid6_pq
@@ -103,6 +115,37 @@ raid6_pq
 ### Combined RAID4/5/6 support module
 raid456

+### SCSI/SATA-Stack
+sd_mod
+sr_mod
+sg
+ahci
+libahci
+ata_generic
+libata
+scsi_mod
+scsi_dh_alua
+
+### NVMe-Stack
+nvme
+nvme_core
+
+### USB-Stack
+xhci_pci
+xhci_hcd
+ehci_pci
+ohci_pci
+uhci_hcd
+usb_storage
+uas
+
+### Virtual-Machines-Stack
+virtio_pci
+virtio_blk
+virtio_scsi
+virtio_rng
+virtio_console
+
 ### Network Driver Host-machine
 "${nic_driver}"

@@ -116,7 +159,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

@@ -151,7 +194,7 @@ cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

@@ -256,7 +299,7 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
@@ -30,7 +30,7 @@ cat << 'EOF' >| "${src}"
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -39,14 +39,13 @@ authselectmode require
 server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9
 server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9
 server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9
-server ptbtime4.ptb.de iburst nts noselect minpoll 5 maxpoll 9
-# server nts.netnod.se iburst nts minpoll 5 maxpoll 9
-
+server ptbtime4.ptb.de iburst nts minpoll 5 maxpoll 9
+server sth1.ntp.se iburst nts minpoll 5 maxpoll 9
+server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
+server ntp13.metas.ch iburst nts minpoll 5 maxpoll 9
 # server ntp.ripe.net iburst nts minpoll 5 maxpoll 9
-# server ntp12.metas.ch iburst nts minpoll 5 maxpoll 9
 # server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9
 # server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
-server ntp0.fau.de iburst nts minpoll 5 maxpoll 9

 leapsectz right/UTC

--- a/config/hooks/live/0850_ssh_audit.chroot
+++ b/config/hooks/live/0850_ssh_audit.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
--- a/config/hooks/live/0855_dnsviz.chroot
+++ b/config/hooks/live/0855_dnsviz.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
--- a/config/hooks/live/9910_motd.chroot
+++ b/config/hooks/live/9910_motd.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -33,8 +33,8 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

 [DEFAULT]
--- a/config/hooks/live/9992_password_expiration.chroot
+++ b/config/hooks/live/9992_password_expiration.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

@@ -29,7 +29,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/config/hooks/live/9995_sysstat.chroot
+++ b/config/hooks/live/9995_sysstat.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

@@ -50,13 +50,18 @@ EOF
 ############################################################### /etc/audit/rules.d/20-dont-audit.rules
 cat << EOF >| /etc/audit/rules.d/20-dont-audit.rules
 ## This is for don't audit rules. We put these early because audit
-### is a first match wins system. Uncomment the rules you want.
+## is a first match wins system. Uncomment the rules you want.

 ## Cron jobs fill the logs with stuff we normally don't want
-a never,user -F subj_type=crond_t
+-a never,user

 ## This prevents chrony from overwhelming the logs
-a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
+-a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd
+
+## Human-attributable time changes
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change

 ### This is not very interesting and wastes a lot of space if
 ### the server is public facing
@@ -75,8 +80,8 @@ EOF
 ############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
 cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 ## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
+-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF

 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
--- a/config/hooks/live/9998_sources_list_bookworm.chroot
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
@@ -28,8 +28,8 @@ cat << 'EOF' >| /etc/apt/sources.list
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #-----------------------------------------------------------------------------------------#
 #                                  OFFICIAL DEBIAN REPOS
@@ -56,4 +56,4 @@ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e
 # sleep 1

 exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -0,0 +1,126 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+cd /root
+
+mkdir -p /etc/apt/apt.conf.d
+
+cat << EOF >| /etc/apt/apt.conf.d/00-deb822-prefer
+// Make APT ignore the classic /etc/apt/sources.list entirely.
+Dir::Etc {
+  sourcelist  "/dev/null";                // classic list is ignored
+  sourceparts "/etc/apt/sources.list.d";  // deb822 *.sources remain authoritative
+}
+EOF
+
+if [[ ! -f /etc/apt/sources.list.d/trixie.sources ]]; then
+  cat << EOF >| /etc/apt/sources.list.d/trixie.sources
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+fi
+
+if [[ ! -f /etc/apt/sources.list.d/trixie-security.sources ]]; then
+  cat << EOF >| /etc/apt/sources.list.d/trixie-security.sources
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://security.debian.org/debian-security/
+Suites: trixie-security
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+fi
+
+if [[ ! -f /etc/apt/sources.list.d/trixie-updates.sources ]]; then
+ cat << EOF >| /etc/apt/sources.list.d/trixie-updates.sources
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie-updates
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+fi
+
+
+if [[ ! -f /etc/apt/sources.list.d/trixie-backports.sources ]]; then
+  cat << EOF >| /etc/apt/sources.list.d/trixie-backports.sources
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie-backports
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+fi
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.binary/boot/grub/config.cfg
+++ b/config/includes.binary/boot/grub/config.cfg
@@ -5,7 +5,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/config/includes.chroot/etc/apt/sources.list
+++ b/config/includes.chroot/etc/apt/sources.list
@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# File: /etc/apt/sources.list
+# Intentionally empty, disable classic sources.list generation (deb822 in use).
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources
@@ -0,0 +1,18 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie-backports
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources
@@ -0,0 +1,18 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://security.debian.org/debian-security/
+Suites: trixie-security
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources
@@ -0,0 +1,18 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie-updates
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie.sources
@@ -0,0 +1,18 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/login.defs
+++ b/config/includes.chroot/etc/login.defs
@@ -0,0 +1,209 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+
+# REQUIRED for useradd/userdel/usermod
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
+#   MAIL_DIR takes precedence.
+#
+#   Essentially:
+#      - MAIL_DIR defines the location of users mail spool files
+#        (for mbox use) by appending the username to MAIL_DIR as defined
+#        below.
+#      - MAIL_FILE defines the location of the users mail spool files as the
+#        fully-qualified filename obtained by prepending the user home
+#        directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
+#       job of the pam_mail PAM modules
+#       See default PAM configuration files provided for
+#       login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR        /var/mail
+#MAIL_FILE      .mail
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable.
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		yes
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format similar to "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions for terminals after login(1).
+# These settings are ignored for remote and other logins.
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+#TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+#
+ERASECHAR	0177
+KILLCHAR	025
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+HOME_MODE	0700
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	16384
+PASS_MIN_DAYS	1
+PASS_WARN_AGE	128
+
+#
+# Min/max values for automatic uid selection in useradd(8)
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+#SYS_UID_MIN		  101
+#SYS_UID_MAX		  999
+# Extra per user uids
+SUB_UID_MIN		   100000
+SUB_UID_MAX		600100000
+SUB_UID_COUNT		    65536
+
+#
+# Min/max values for automatic gid selection in groupadd(8)
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+#SYS_GID_MIN		  101
+#SYS_GID_MAX		  999
+# Extra per user group ids
+SUB_GID_MIN		   100000
+SUB_GID_MAX		600100000
+SUB_GID_COUNT		    65536
+
+#
+# Max number of login(1) retries if password is bad
+# This will most likely be overriden by PAM, since the default pam_unix module
+# has it's own built in of 3 retries. However, this is a safe fallback in case
+# you are using an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login(1)
+#
+LOGIN_TIMEOUT		180
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT		rwh
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD YESCRYPT
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
+#
+DEFAULT_HOME	yes
+
+#
+# The pwck(8) utility emits a warning for any system account with a home
+# directory that does not exist.  Some system accounts intentionally do
+# not have a home directory.  Such accounts may have this string as
+# their home directory in /etc/passwd to avoid a spurious warning.
+#
+NONEXISTENT	/nonexistent
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# If set to yes, userdel(8) will remove the user's group if it contains no more
+# members, and useradd(8) will create by default a group with the name of the
+# user.
+#
+# Other former uses of this variable are not used in PAM environments, such as
+# Debian.
+#
+USERGROUPS_ENAB yes
+
+#
+# Added by CISS.debian.live.builder for redundance
+umask 077
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.008.2025.08.22

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -31,12 +31,12 @@ ListenAddress                ::
 Port MUST_BE_CHANGED
 AllowUsers                   root
 UseDNS                       no
-### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
-### whichever occurs first.
+### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first.
 RekeyLimit                   1G 1h

 HostKey                      /etc/ssh/ssh_host_ed25519_key
 HostKey                      /etc/ssh/ssh_host_rsa_key
+TrustedUserCAKeys            none

 PubkeyAuthentication         yes
 PermitRootLogin              prohibit-password
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.008.2025.08.22

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V8.03.864.2025.07.15"
+declare -gr VERSION="Master V8.13.008.2025.08.22"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/.lib/sshd_config.lib
+++ b/config/includes.chroot/preseed/.lib/sshd_config.lib
@@ -5,8 +5,8 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

 Include /etc/ssh/sshd_config.d/*.conf
@@ -115,4 +115,4 @@ HostbasedAuthentication no
 # PermitUserEnvironment no
 # IgnoreUserKnownHosts no

-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.864.2025.07.15 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.008.2025.08.22 at: 10:18:37.9542
--- a/config/includes.chroot/root/.bashrc
+++ b/config/includes.chroot/root/.bashrc
@@ -1,4 +1,3 @@
-#!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
@@ -10,33 +9,20 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# ~/.bashrc: executed by bash(1) for non-login shells.
-
-# Note: PS1 and umask are already set in /etc/profile. You should not
-# need this unless you want different defaults for root.
-# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
-# umask 022
-
-# You may uncomment the following lines if you want `ls' to be colorized:
-# export LS_OPTIONS='--color=auto'
-# eval "$(dircolors)"
-# alias ls='ls $LS_OPTIONS'
-# alias ll='ls $LS_OPTIONS -l'
-# alias l='ls $LS_OPTIONS -lA'
-#
-# Some more alias to avoid making mistakes:
-# alias rm='rm -i'
-# alias cp='cp -i'
-# alias mv='mv -i'
-
 [[ $- != *i* ]] && return

-trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
+### Never use errexit/pipefail in interactive shells
+set +o errexit +o pipefail
+
+trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' EXIT
 source /root/.ciss/alias
 source /root/.ciss/f2bchk.sh
 source /root/.ciss/shortcuts
 source /root/.ciss/scan_libwrap

+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
 ### History
 touch /tmp/.bash_history
 chmod 0660 /tmp/.bash_history
@@ -55,27 +41,20 @@ export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
-
-#if [[ "${UID}" -eq 0 ]]; then
-#  export user_color="${CRED}"
-#else
-#  export user_color="${CGRE}"
-#fi
+export NL='\n'

 ### Define bash colorful prompt
-# PS1="${user_color}\d${CRES}|${user_color}\u${CRES}@${CMAG}\h${CRES}:${CCYA}\w${CRES}/>>\$(if [[ \$? -eq 0 ]]; then echo -e \"${CGRE}\$?${CRES}\"; else echo -e \"${CRED}\$?${CRES}\"; fi)|~\$ "
-PS1="\
-\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
+export PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\
+\[\033[1;91m\]\u\[\033[0m\]@\
 \[\033[1;95m\]\h\[\033[0m\]:\
 \[\033[1;96m\]\w\[\033[0m\]/>>\
 \$(if [[ \$? -eq 0 ]]; then \
-    # Show exit status in green if zero
    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
  else \
-    # Show exit status in red otherwise
    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
  fi)\
-|~\$ "
+\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"

 ### Overwrite Protection
 set -o noclobber
@@ -83,11 +62,23 @@ alias cp="cp -iv"
 alias mv='mv -iv'
 alias rm='rm -iv'

-# Welcome message after login
+### Welcome message after login
 printf "\n"
 printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
-printf "\e[92m✅ Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
+printf "\e[92m✅ Welcome back\e[0m"
+printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
 printf "\n"
 printf "\n"

+### Welcome message after login.
+#printf "\n"
+#printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}"
+#printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}"
+#printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}"
+#printf "%s! Type%s " "${CGRE}" "${CRES}"
+#printf "%s'celp'%s " "${CMAG}" "${CRES}"
+#printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}"
+#printf "\n"
+#printf "\n"
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -11,16 +11,6 @@
 # SPDX-Security-Contact: security@coresecret.eu

 ########################################################################################### Alpha
-#######################################
-# Outputs a 16-character random printable string
-# Arguments:
-#  None
-#######################################
-genstring() {
-  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
-}
-
-# Generates 1,048,576 random bytes into a timestamped file
 alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'

 ########################################################################################### Bash
@@ -60,6 +50,7 @@ alias aptupd='apt update'
 alias aptupg='apt upgrade'
 alias apti='apt install'
 alias aptp='apt purge'
+alias aptpp='dpkg --purge'
 alias aptr='apt remove'
 alias aptse='apt search'
 alias aptsh='apt show'
@@ -104,11 +95,11 @@ alias whatpurge='dpkg --get-selections | grep deinstall'

 ########################################################################################### Functions

-###########################################################################################
+#######################################
 # Generates Secure (/dev/random) Passwords
 # Arguments:
-#  Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
-###########################################################################################
+#    Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
+#######################################
 # shellcheck disable=SC2317
 genpasswd() {
  declare -i length=32
@@ -128,6 +119,7 @@ genpasswd() {
  done

  declare passwd
+  # shellcheck disable=SC2312
  passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")

  if [[ ${usebase64} -eq 1 ]]; then
@@ -137,23 +129,38 @@ genpasswd() {
  fi
 }

-###########################################################################################
-# Generates Secure (/dev/random) Passwords
+#######################################
+# Generates Secure (/dev/random) Passwords.
 # Arguments:
-#  none
-###########################################################################################
+#   none
+#######################################
 # shellcheck disable=SC2317
 genpasswdhash() {
  declare salt
+  # shellcheck disable=SC2312
  salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
  mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
 }

 #######################################
-# Wrapper for secure curl
+# Outputs a 16-character random printable string
 # Arguments:
-#  $1: URL from which to download a specific file
-#  $2: /path/to/file to be saved to
+#   None
+#######################################
+genstring() {
+  # shellcheck disable=SC2312
+  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
+}
+
+#######################################
+# Wrapper for secure curl
+# Globals:
+#   CRED
+#   CRES
+#   NL
+# Arguments:
+#   1: URL from which to download a specific file
+#   2: /path/to/file to be saved to
 # Returns:
 #   0: Download successful
 #   1: Usage error
@@ -161,7 +168,7 @@ genpasswdhash() {
 #######################################
 scurl() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: scurl <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -173,7 +180,7 @@ scurl() {
            -o "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
@@ -181,9 +188,13 @@ scurl() {

 #######################################
 # Wrapper for secure wget
+# Globals:
+#   CRED
+#   CRES
+#   NL
 # Arguments:
-#  $1: URL from which to download a specific file
-#  $2: /path/to/file to be saved to
+#   1: URL from which to download a specific file
+#   2: /path/to/file to be saved to
 # Returns:
 #   0: Download successful
 #   1: Usage error
@@ -191,7 +202,7 @@ scurl() {
 #######################################
 swget() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: swget <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -204,30 +215,57 @@ swget() {
            -qO "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
 }

 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Wrapper for loading CISS.2025 hardened Kernel Parameters.
 # Arguments:
-#  None
+#   None
 #######################################
 sysp() {
  sysctl -p /etc/sysctl.d/99_local.hardened
  # sleep 1
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  # shellcheck disable=SC2312
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }

 #######################################
 # Wrapper for tree
 # Arguments:
-#  $1: Depth of Directory Listing
+#   1: Depth of Directory Listing
 #######################################
 trel() {
  declare depth=${1:-3}
  tree -C -h --dirsfirst -L "${depth}"
 }
+
+#######################################
+# Wrapper for package and path to bin.
+# Arguments:
+#   1: Program
+#######################################
+whichpackage() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    printf '%s❌ Error: Program '%s' not found. %s%s' "${CRED}" "$1" "${CRES}" "${NL}" >&2
+    exit 1
+  fi
+  # shellcheck disable=SC2230,SC2312
+  dpkg -S "$(which "$1")"
+}
+
+#######################################
+# Wrapper for Diskspace used in Path.
+# Arguments:
+#   1: Path (defaults /var)
+#   2: Depth (defaults 1)
+#   3: Number of Entries (defaults 16)
+#######################################
+whichused() {
+  # shellcheck disable=SC2312
+  du -h --max-depth="${2:-1}" "${1:-/var}" | sort -hr | head -n "${3:-16}"
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/clean_logout.sh
+++ b/config/includes.chroot/root/.ciss/clean_logout.sh
@@ -36,4 +36,5 @@ echo -e "\e[92m          All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
 echo -e "\e[92m          Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
 # shellcheck disable=SC2162
 read
+[[ -x /usr/bin/clear_console ]] && /usr/bin/clear_console -q
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/f2bchk.sh
+++ b/config/includes.chroot/root/.ciss/f2bchk.sh
@@ -17,16 +17,18 @@
 #               --log=/var/log/ufw.log \
 #               --output=/tmp/f2bchk.log
 # Globals:
-#   DEFAULT_FILTER
-#   DEFAULT_LOG
-#   DEFAULT_MODE
+#   CGRE
+#   CRED
+#   CRES
+#   NL
 # Arguments:
-#  None
+#   None
 # Returns:
-#   1 In case of any errors
+#   0: on success
+#   1: In case of any errors
 #######################################
 f2bchk(){
-  # Declare default values (readonly)
+  ### Declare default values (readonly)
  declare -r DEFAULT_MODE="matched"
  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
  declare -r DEFAULT_LOG="/var/log/ufw.log"
@@ -44,7 +46,7 @@ f2bchk(){
      --log=*)    log="${arg#--log=}";;
      --output=*) output="${arg#--output=}";;
      *)
-        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
+        printf "%s[ERROR]%s Unknown argument: '%s' %s" "${CRED}" "${CRES}" "${arg}" "${CRED}"
        return 1
        ;;
    esac
@@ -56,7 +58,7 @@ f2bchk(){
    matched) flag="--print-all-matched"; suffix="all.matched";;
    missed)  flag="--print-all-missed";  suffix="all.missed";;
    *)
-      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
+      printf "%s[ERROR]%s Invalid mode: '%s' %s" "${CRED}" "${CRES}" "${mode}" "${NL}"
      return 1
      ;;
  esac
@@ -66,22 +68,30 @@ f2bchk(){
    filter_name="${filter_name%.conf}"
    output="/tmp/${filter_name}.${suffix}.log"
  fi
+
  if [[ ! -r "${log}" ]]; then
-    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
-    return 1
-  fi
-  if [[ ! -r "${filter}" ]]; then
-    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
+    printf "%s[ERROR]%s Log file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${log}" "${NL}"
    return 1
  fi

-  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
-  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
-    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
-    printf "You can view it with: cat %s\n" "$output"
-  else
-    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
+  if [[ ! -r "${filter}" ]]; then
+    printf "%s[ERROR]%s Filter file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${filter}" "${NL}"
    return 1
  fi
+
+  printf "%s[INFO]%s Running: fail2ban-regex '%s %s %s' %s" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}"
+
+  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
+
+    printf "%s[SUCCESS]%s Saved log to: '%s' %s" "${CGRE}" "${CRES}" "${output}" "${NL}"
+    printf "You can view it with: cat %s%s" "${output}" "${NL}"
+  else
+
+    printf "%s[ERROR]%s fail2ban-regex execution failed. %s" "${CRED}" "${CRES}" "${NL}"
+    return 1
+
+  fi
+
+  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/scan_libwrap
+++ b/config/includes.chroot/root/.ciss/scan_libwrap
@@ -6,36 +6,44 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

 #######################################
 # Scanner for 'libwrap' usage.
+# Globals:
+#   CGRE
+#   CRES
+#   NL
 # Arguments:
-#  None
+#   None
 #######################################
 scanlw() {
-  printf "\e[92m🔍 Scanning all running processes for 'libwrap' usage ... \e[0m\n"
+  printf "%s🔍 Scanning all running processes for 'libwrap' usage ... %s%s" "${CGRE}" "${CRES}" "${NL}"
  printf "\n"

-  # Collect binaries from all running PIDs
+  ### Collect binaries from all running PIDs.
  declare pid exe_path comm user

  for pid in $(ps -e -o pid=); do
    exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null)

-    # Skip if not a regular executable
+    ### Skip if not a regular executable.
    [[ -x "${exe_path}" ]] || continue

-    # Check if the binary is linked with libwrap
-    if ldd "$exe_path" 2>/dev/null | grep -q "libwrap"; then
-      comm=$(ps -p "$pid" -o comm=)
-      user=$(ps -p "$pid" -o user=)
-      printf "\e[92m✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. \e[0m\n" "${pid}" "${comm}" "${user}"
+    ### Check if the binary is linked with libwrap.
+    # shellcheck disable=SC2312
+    if ldd "${exe_path}" 2>/dev/null | grep -q "libwrap"; then
+      comm=$(ps -p "${pid}" -o comm=)
+      user=$(ps -p "${pid}" -o user=)
+      printf "%s✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. %s%s" "${CGRE}" "${pid}" "${comm}" "${user}" "${CRES}" "${NL}"
    fi
  done
+
  printf "\n"
-  printf "\e[92m✅ Scan complete. \e[0m\n"
+  printf "%s✅ Scan complete. %s%s" "${CGRE}" "${CRES}" "${NL}"
+
+  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/shortcuts
+++ b/config/includes.chroot/root/.ciss/shortcuts
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

@@ -21,6 +21,7 @@ declare -ga shortcuts=(
  "apti: apt install"
  "aptimage: get Kernel Img"
  "aptp: apt purge"
+  "aptpp: dpkg --purge"
  "aptr: apt remove"
  "aptse: apt search"
  "aptsh: apt show"
@@ -83,6 +84,8 @@ declare -ga shortcuts=(
  "whatdelete: lsof | grep deleted"
  "whatimage: dpkg --list | grep linux"
  "whatpurge: dpkg --get-selections"
+  "whichpackage <PROGRAM>"
+  "whichused <PATH> <DEPTH> <ENTRIES>"
 )

 #######################################
@@ -101,7 +104,7 @@ celp() {
  declare i=0
  declare entry
  for entry in "${arr[@]}"; do
-    # Print entry left-aligned in fixed width, colored
+    ### Print entry left-aligned in fixed width, colored.
    printf "${CMAG}%-${col_width}s${CRES}" "${entry}"
    ((i++))
    if ((i % cols == 0)); then
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -15,12 +15,15 @@ apt-file
 apt-mirror
 apt-show-versions
 apt-transport-https
+autoconf
+automake
 bash-completion
 bat
 bc
 bind9-dnsutils
 bsdmainutils
 btrfs-progs
+build-essential
 bzip2
 ca-certificates
 clamav
@@ -69,6 +72,9 @@ knot-dnsutils
 libpam-google-authenticator
 libpam-pwquality
 libpwquality-tools
+libtomcrypt-dev
+libtommath-dev
+libtool
 linux-doc-6.12
 linux-source
 live-boot
@@ -78,7 +84,6 @@ locate
 logrotate
 lsb-release
 lvm2
-makedev
 makepasswd
 man
 man-db
@@ -86,9 +91,10 @@ manpages
 manpages-dev
 mdadm
 mtr
+musl-tools
 nano
 ncat
-neofetch
+ncdu
 neovim
 net-tools
 netselect-apt
@@ -107,7 +113,6 @@ rsync
 rsyslog
 screen
 shellcheck
-software-properties-common
 spectre-meltdown-checker
 speedtest-cli
 squashfs-tools
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. DNSSEC Status

--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. Lynis Audit:

--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. SSH Audit by ssh-audit.com

--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. TLS Audit:

--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. Hardened Kernel Boot Parameters

--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -7,74 +7,123 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. Changelog

+## V8.13.008.2025.08.22
+* **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)
+
+## V8.13.004.2025.08.21
+* **Added**: [makefile](../makefile)
+
+## V8.13.002.2025.08.11
+* **Added**: [lib_source_guard.sh](../lib/lib_source_guard.sh)
+* **Added**: [sources.list](../config/includes.chroot/etc/apt/sources.list)
+* **Added**: [trixie.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie.sources)
+* **Added**: [trixie-backports.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources)
+* **Added**: [trixie-security.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources)
+* **Added**: [trixie-updates.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources)
+* **Added**: [login.defs](../config/includes.chroot/etc/login.defs)
+* **Bugfixes**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot)
+* **Bugfixes**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
+* **Updated**: [bash.var.sh](../var/bash.var.sh)
+* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
+* **Updated**: Support for Debian Trixie via Argument ``--trixie``
+* **Updated**: Debian 12 LIVE ISO workflows to use Kernel: ``linux-image-6.1.0-37-amd64``
+
+## V8.03.920.2025.08.07
+
+* **Updated**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh)
+* **Updated**: [ciss_live_builder.sh](../ciss_live_builder.sh)
+* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+
+## V8.03.912.2025.07.23
+
+* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
+* **Updated**: [clean_logout.sh](../config/includes.chroot/root/.ciss/clean_logout.sh)
+* **Updated**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
+* **Updated**: [scan_libwrap](../config/includes.chroot/root/.ciss/scan_libwrap)
+* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
+* **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc)
+
+## V8.03.896.2025.07.22
+
+* **Added**: [.shellcheckrc](../.shellcheckrc)
+* **Bugfixes**: [ciss_live_builder.sh](../ciss_live_builder.sh)
+* **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
+
+## V8.03.880.2025.07.19
+
+* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
+* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
+* **Added**: Package ``ncdu``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+* **Added**: ``TrustedUserCAKeys none``: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
+
 ## V8.03.864.2025.07.15

-* Updated: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
-* Added: [BOOTPARAMS.md](BOOTPARAMS.md)
-* Added: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+* **Updated**: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
+* **Added**: [BOOTPARAMS.md](BOOTPARAMS.md)
+* **Added**: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)

 ## V8.03.832.2025.06.25

-* Added: [lib_version.sh](../lib/lib_version.sh)
-* Updated:
+* **Added**: [lib_version.sh](../lib/lib_version.sh)
+* **Updated**:
  * [lib_contact.sh](../lib/lib_contact.sh)
  * [lib_usage.sh](../lib/lib_usage.sh)
-* Packages added:
+* **Packages added**:
  * https://packages.debian.org/bookworm/fio
  * https://packages.debian.org/bookworm/stress 
-* Timezone changed to ``Etc/UTC``
+* **Updated**: Timezone changed to ``Etc/UTC``

 ## V8.03.832.2025.06.24

-* Updated:
+* **Updated**:
  * [lib_check_provider.sh](../lib/lib_check_provider.sh)
  * [lib_debug_header.sh](../lib/lib_debug_header.sh)
  * [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
-* The Debian package ``bat`` will be installed to enable smooth log reading.
+* **Added**: The Debian package ``bat`` will be installed to enable smooth log reading.

 ## V8.03.768.2025.06.23

-* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
+* **Updated**: [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
 * Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh)
 * Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh)
-* Added Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
-* Added ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
-  * to prevent the caller LIB-file from being sourced twice.
+* **Added**: Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
+* **Added**: ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
+  to prevent the caller LIB-file from being sourced twice.

 ## V8.03.768.2025.06.19

 * Minor main script improvements.
-* Updated [lib_usage.sh](../lib/lib_usage.sh) output.
+* **Updated**: [lib_usage.sh](../lib/lib_usage.sh) output.

 ## V8.03.768.2025.06.18

 * Minor main script improvements.
-* Updated contact section.
+* **Updated**: Contact section.
 * Integrated third ``dns03.eddns.eu`` Centurion DNS Resolver.

 ## V8.03.768.2025.06.17

-* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``
+* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``

 ## V8.03.768.2025.06.11

-* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``
+* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``

 ## V8.03.768.2025.06.09

-* Added: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
-* Updated: [alias](../config/includes.chroot/root/.ciss/alias)
+* **Added**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
+* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
  * ``scurl()``
  * ``swget()``

 ## V8.03.644.2025.06.07

-* Updated workflows ISO Generators Runners. 
+* **Updated**: Workflows ISO Generators Runners. 
 * Installing ``bookworm-backports`` Versions of:
  * ``btrfs-progs``
  * ``curl``
@@ -90,12 +139,12 @@ include_toc: true
 * LIVE ISO generated by workflow tested against:
  * Netcup Root Server
  * Proxmox 
-* LIVE ISO generated by script tested against:
+* LIVE ISO generated by the script tested against:
  * Netcup Root Server

 ## V8.03.512.2025.06.06

-* Updated workflows: 
+* **Updated**: Workflows: 
  1. ``git stash push``
  2. ``git fetch origin master``
  3. ``git merge --no-edit origin/master``
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. Centurion Net - Developer Branch Overview

--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. Coding Style

--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. Contributing / participating

--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. Credits

--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -7,13 +7,13 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.864.2025.07.15
+Master V8.13.008.2025.08.22
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
@@ -120,6 +120,9 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
    specified PATH into the Live ISO. MUST be provided.

+  --trixie
+    Create a Debian Trixie Live ISO.
+
  --version, -v
    Displays version of ./ciss_live_builder.sh.

@@ -133,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.03.864.2025.07.15
+Master V8.13.008.2025.08.22
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.008.2025.08.22<br>

 # 2. Resources

--- a/docs/SECURITY/coresecret.dev.png
+++ b/docs/SECURITY/coresecret.dev.png
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -64,8 +64,8 @@ arg_parser() {
          ;;

        -c | --contact)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --contact MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -74,8 +74,8 @@ arg_parser() {
          ;;

        -h | --help)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --help MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -84,8 +84,8 @@ arg_parser() {
          ;;

        -v | --version)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --version MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -98,7 +98,7 @@ arg_parser() {
            declare -gx VAR_ARCHITECTURE="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --architecture MUST be 'amd64' or 'arm64'.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -109,7 +109,7 @@ arg_parser() {
        --build-directory)
          declare -gx VAR_HANDLER_BUILD_DIR="${2}"
          if [[ ! "${VAR_HANDLER_BUILD_DIR}" =~ ^/ ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2
            exit "${ERR_NOTABSPATH}"
          fi
@@ -118,8 +118,8 @@ arg_parser() {
          ;;

        --cdi)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --cdi MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -133,7 +133,7 @@ arg_parser() {
            declare -g VAR_HANDLER_SPLASH="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --change-splash MUST be 'club' or 'hexagon'.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -142,11 +142,11 @@ arg_parser() {
          ;;

        --control)
-          if [[ -n "${2}" ]]; then
+          if [[ -n "${2-}" ]]; then
            declare -g VAR_HANDLER_ISO_COUNTER="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --control MUST be provided with a Parameter.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -155,8 +155,8 @@ arg_parser() {
          ;;

        --debug)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --debug MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -165,8 +165,8 @@ arg_parser() {
          ;;

        --dhcp-centurion)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --dhcp-centurion MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -176,7 +176,7 @@ arg_parser() {
          ;;

        --jump-host)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
            declare -i count=0
            shift
            while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do
@@ -188,7 +188,7 @@ arg_parser() {
              shift
            done
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --jump-host MUST contain one or up to ten IPs.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -196,8 +196,8 @@ arg_parser() {
          ;;

        --log-statistics-only)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --log-statistics-only MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -207,7 +207,7 @@ arg_parser() {
          ;;

        --provider-netcup-ipv6)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
            declare -i count=0
            declare -g VAR_HANDLER_NETCUP_IPV6=true
            shift
@@ -221,7 +221,7 @@ arg_parser() {
              shift
            done
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --provider-netcup-ipv6 MUST provide one IPv6.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -229,11 +229,11 @@ arg_parser() {
          ;;

        --renice-priority)
-          if [[ -n ${2} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
-            declare -gi VAR_HANDLER_PRIORITY="$2"
+          if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
+            VAR_HANDLER_PRIORITY="$2"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --renice-priority MUST an integer between '-19' and '19'.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -242,28 +242,28 @@ arg_parser() {
          ;;

        --reionice-priority)
-          if [[ -z "${2}" ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -z "${2-}" ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --reionice-priority no values provided.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_REIONICE_P}"
          else
            if [[ "${2}" =~ ^[1-3]$ ]]; then
-              declare -gi VAR_REIONICE_CLASS="${2}"
-              if [[ -z "${3}" ]]; then
+              VAR_REIONICE_CLASS="${2}"
+              if [[ -z "${3-}" ]]; then
                :
              else
                if [[ "${3}" =~ ^[0-7]$ ]]; then
-                  declare -gi VAR_REIONICE_PRIORITY="${3}"
+                  VAR_REIONICE_PRIORITY="${3}"
                else
-                  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+                  if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
                  printf "\e[91m❌ Error: --reionice-priority PRIORITY MUST be an integer between '0' and '7'.\e[0m\n" >&2
                  read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
                  exit "${ERR_REIO_P_VAL}"
                fi
              fi
            else
-              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+              if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
              printf "\e[91m❌ Error: --reionice-priority CLASS MUST be an integer between '1' and '3'.\e[0m\n" >&2
              read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
              exit "${ERR_REIO_C_VAL}"
@@ -279,7 +279,7 @@ arg_parser() {
        --root-password-file)
          declare pw_file="${2}"
          if [[ -z "${pw_file}" ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file missing password file path argument.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -287,7 +287,7 @@ arg_parser() {
          fi

          if [[ ! -f "${pw_file}" ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file password file '%s' does not exist.\e[0m\n" "${pw_file}" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -298,7 +298,7 @@ arg_parser() {
          owner=$(stat -c '%U:%G' "${pw_file}")
          if [[ "${owner}" != "root:root" ]]; then
            chown root:root "${pw_file}" || {
-              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+              if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
              printf "\e[91m❌ Error: --root-password-file failed to set owner root:root on '%s'.\e[0m\n" "${pw_file}" >&2
              # shellcheck disable=SC2162
              read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -310,7 +310,7 @@ arg_parser() {
          perms=$(stat -c '%a' "${pw_file}")
          if [[ "${perms}" -ne 400 ]]; then
            chmod 400 "${pw_file}" || {
-              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+              if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
              printf "\e[91m❌ Error: --root-password-file failed to set permissions 0400 on '%s'.\e[0m\n" "${pw_file}" >&2
              # shellcheck disable=SC2162
              read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -328,7 +328,7 @@ arg_parser() {
          declare pw_length
          pw_length=${#plaintext_pw}
          if (( pw_length < 20 || pw_length > 64 )); then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -338,7 +338,7 @@ arg_parser() {
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
          if [[ "${plaintext_pw}" == *\"* ]]; then
            [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -374,11 +374,11 @@ arg_parser() {
          ;;

        --ssh-port)
-          if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
+          if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
            declare -gi VAR_SSHPORT="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --ssh-port MUST be an integer between '1' and '65535'.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR__SSH__PORT}"
@@ -390,8 +390,13 @@ arg_parser() {
          shift 2
          ;;

+        --trixie)
+          declare -g VAR_SUITE="trixie"
+          shift 1
+          ;;
+
        *)
-          if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
          usage
          ;;
    esac
--- a/lib/lib_arg_priority_check.sh
+++ b/lib/lib_arg_priority_check.sh
@@ -23,22 +23,30 @@ guard_sourcing
 #######################################
 arg_priority_check() {
  declare var
-  # Check if nice PRIORITY is set and adjust nice priority.
-  if [[ -n ${VAR_HANDLER_PRIORITY} ]]; then
-    renice "${VAR_HANDLER_PRIORITY}" -p "$$"
-    var=$(ps -o ni= -p $$) > /dev/null 2>&1
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
-    # sleep 1
-    unset var
+  ### Check if nice PRIORITY is set and adjust nice priority.
+  if [[  "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
+    if command -v renice >/dev/null; then
+      renice "${VAR_HANDLER_PRIORITY}" -p "$$"
+      var=$(ps -o ni= -p $$) > /dev/null 2>&1
+      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
+      # sleep 1
+      unset var
+    else
+      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ renice not installed (util-linux) \e[0m\n"
+    fi
  fi

-  # Check if ionice PRIORITY is set and adjust ionice priority.
-  if [[ -n ${VAR_REIONICE_CLASS} ]]; then
-    ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
-    var=$(ionice -p $$) > /dev/null 2>&1
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
-    # sleep 1
-    unset var
+  ### Check if ionice PRIORITY is set and adjust ionice priority.
+  if [[ "${VAR_REIONICE_CLASS:-}" -ne 2 ]]; then
+    if command -v ionice >/dev/null; then
+      ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
+      var=$(ionice -p $$) > /dev/null 2>&1
+      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
+      # sleep 1
+      unset var
+    else
+      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ionice not installed (util-linux) \e[0m\n"
+    fi
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_boot_screen.sh
+++ b/lib/lib_boot_screen.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_check_hooks.sh
+++ b/lib/lib_check_hooks.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_check_var.sh
+++ b/lib/lib_check_var.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_clean_screen.sh
+++ b/lib/lib_clean_screen.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_copy_integrity.sh
+++ b/lib/lib_copy_integrity.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_debug.sh
+++ b/lib/lib_debug.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_debug_header.sh
+++ b/lib/lib_debug_header.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_git_var.sh
+++ b/lib/lib_git_var.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_guard_sourcing.sh
+++ b/lib/lib_guard_sourcing.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

@@ -23,7 +23,7 @@
 guard_sourcing() {
  ### Determine the caller script (the library being sourced).
  declare var_src="${1:-${BASH_SOURCE[1]}}"
-  ### Strip path, keep only filename
+  ### Strip path, keep only the filename
  declare var_file_name="${var_src##*/}"
  ### Sanitize to valid var name.
  declare var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
@@ -23,59 +23,103 @@ guard_sourcing
 #   VAR_SSHPUBKEY
 #   VAR_WORKDIR
 # Arguments:
-#  None
+#   None
 #######################################
 hardening_ultra() {
  # shellcheck disable=SC2164
  cd "${VAR_WORKDIR}"

+
+  ### ./config/bootloaders
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
+
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
+
    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
    cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
+
  else
+
    cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
+
  fi
+
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"

+
+  ### ./config/includes.binary
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
+
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
+
    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
    cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
+
  else
+
    cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
+
  fi
+
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
-  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
-    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
-    cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
-  else
-    cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
-  fi
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
-
-  if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
-    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
-    if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then
-      mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early"
-      cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
-    else
-      cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
-    fi
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
-  fi

+  ### ./config/includes.chroot
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
+
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
+
    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
    cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
+
  else
+
    cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
+
  fi
+
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"

+
+  ### ./config/hooks/early
+  if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
+
+    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
+
+    if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then
+
+      mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early"
+      cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
+
+    else
+
+      cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
+
+    fi
+
+    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
+
+  fi
+
+
+  ### ./config/hooks/live
+  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
+
+  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
+
+    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
+    cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
+
+  else
+
+    cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
+
+  fi
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
+
+
+
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
@@ -98,6 +142,7 @@ hardening_ultra() {
  esac

  declare pkgs
+    # shellcheck disable=SC2312
    mapfile -t pkgs < <(
    grep -v '^\s*#' "${arch_list}" | sed '/^\s*$/d'
  )
@@ -140,6 +185,7 @@ hardening_ultra() {
      declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
      sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
      declare line
+      # shellcheck disable=SC2312
      line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)

      if [[ -z "${line}" ]]; then
@@ -150,7 +196,7 @@ hardening_ultra() {
      declare host
      for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
        ((line++))
-        sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
+        sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
      done
    fi

@@ -163,7 +209,7 @@ hardening_ultra() {
    declare -r sshport="${VAR_SSHPORT:-22}"

    sed -i "s|^port      = MUST_BE_SET|port      = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
-    sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+    sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
    sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"

    if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
@@ -171,6 +217,7 @@ hardening_ultra() {
      declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
      sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
      declare line
+      # shellcheck disable=SC2312
      line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)

      if [[ -z "${line}" ]]; then
@@ -181,7 +228,7 @@ hardening_ultra() {
      declare host
      for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
        ((line++))
-        sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
+        sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
      done
    fi
  fi
@@ -204,6 +251,7 @@ hardening_ultra() {
    declare ips="${ARY_HANDLER_JUMPHOST[*]}"
    # Flatten to a single line and strip literal brackets []
    declare flat_ips
+    # shellcheck disable=SC2312
    flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
    # flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64"

--- a/lib/lib_helper_ip.sh
+++ b/lib/lib_helper_ip.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Wrapper to write a new 'lb config' environment.
+# Globals:
+#   VAR_ARCHITECTURE
+#   VAR_HANDLER_BUILD_DIR
+#   VAR_HANDLER_ISO_COUNTER
+#   VAR_KERNEL
+#   VAR_VERSION
+#   VAR_WORKDIR
+# Arguments:
+#  None
+#######################################
+lb_config_write_trixie() {
+  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
+
+  lb config \
+    --apt apt \
+    --apt-indices true \
+    --apt-recommends true \
+    --apt-secure true \
+    --apt-source-archives true \
+    --architecture "${VAR_ARCHITECTURE}" \
+    --archive-areas main contrib non-free non-free-firmware \
+    --backports true \
+    --binary-filesystem fat32 \
+    --binary-image iso-hybrid \
+    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
+    --bootloaders grub-efi \
+    --cache true \
+    --checksums sha512 sha256 md5 \
+    --chroot-filesystem squashfs \
+    --chroot-squashfs-compression-level 22 \
+    --chroot-squashfs-compression-type zstd \
+    --color \
+    --compression bzip2 \
+    --debconf-frontend noninteractive \
+    --debconf-priority critical \
+    --debian-installer cdrom \
+    --debian-installer-distribution trixie \
+    --debian-installer-gui true \
+    --debian-installer-preseedfile "preseed.cfg" \
+    --debug \
+    --distribution trixie \
+    --distribution-binary trixie \
+    --distribution-chroot trixie \
+    --firmware-binary true \
+    --firmware-chroot true \
+    --hdd-label "CENTURIONLIVE" \
+    --image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
+    --initramfs "live-boot" \
+    --initramfs-compression gzip \
+    --initsystem systemd \
+    --iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20250505 - Debian-Installer: trixie" \
+    --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
+    --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
+    --iso-volume 'CISS.debian.live' \
+    --linux-flavours "${VAR_KERNEL}" \
+    --linux-packages linux-image \
+    --loadlin true \
+    --memtest memtest86+ \
+    --mirror-binary 'https://deb/debian.org/debian/' \
+    --mirror-binary-security 'https://security.debian.org/' \
+    --mirror-bootstrap 'https://deb.debian.org/debian/' \
+    --mirror-chroot 'https://deb.debian.org/debian/' \
+    --mirror-chroot-security 'https://security.debian.org/' \
+    --mirror-debian-installer 'https://deb.debian.org/debian/' \
+    --mode debian \
+    --parent-archive-areas main contrib non-free non-free-firmware \
+    --parent-debian-installer-distribution trixie \
+    --parent-distribution trixie \
+    --parent-distribution-binary trixie \
+    --parent-distribution-chroot trixie \
+    --parent-mirror-binary 'https://deb.debian.org/debian/' \
+    --parent-mirror-binary-security 'https://security.debian.org/' \
+    --parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
+    --parent-mirror-chroot 'https://deb.debian.org/debian/' \
+    --parent-mirror-chroot-security 'https://security.debian.org/' \
+    --parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
+    --security true \
+    --system live \
+    --source false \
+    --source-images tar \
+    --uefi-secure-boot auto \
+    --updates true \
+    --utc-time true \
+    --verbose
+
+  sleep 1
+
+  sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
+  sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
+
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
+  cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
+  chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
+  chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_provider_netcup.sh
+++ b/lib/lib_provider_netcup.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_sanitizer.sh
+++ b/lib/lib_sanitizer.sh
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

--- a/lib/lib_source_guard.sh
+++ b/lib/lib_source_guard.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Prevent the file to be sourced twice.
+# Arguments:
+#   1: File to source.
+#######################################
+source_guard() {
+  declare var_file="${1}"
+  declare var_name="${var_file##*/}"
+  declare var_guard="_${var_name//[^a-zA-Z0-9_]/_}_LOADED"
+
+  if ! declare -p "${var_guard}" &>/dev/null; then
+    # shellcheck disable=SC1090
+    . "${var_file}"
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_trap_on_err.sh
+++ b/lib/lib_trap_on_err.sh
@@ -15,8 +15,8 @@ guard_sourcing
 #######################################
 # Print Error Message for Trap on 'ERR' in ${ERROR_LOG}
 # Globals:
-#   ARGUMENTS_COUNT
-#   ARG_STR_ORG_INPUT
+#   VAR_PARAM_COUNT
+#   VAR_PARAM_STRNG
 #   VAR_ARG_SANITIZED
 #   LOG_DEBUG
 #   ERRCMMD
@@ -45,8 +45,8 @@ print_file_err() {
    printf "❌ Function               : %s \n" "${ERRFUNC}"
    printf "❌ Command                : %s \n" "${ERRCMMD}"
    printf "❌ Script Runtime         : %s \n" "${SECONDS}"
-    printf "❌ Arguments Counter      : %s \n" "${ARGUMENTS_COUNT}"
-    printf "❌ Arguments Original     : %s \n" "${ARG_STR_ORG_INPUT}"
+    printf "❌ Arguments Counter      : %s \n" "${VAR_PARAM_COUNT}"
+    printf "❌ Arguments Original     : %s \n" "${VAR_PARAM_STRNG}"
    printf "❌ Arguments Sanitized    : %s \n" "${VAR_ARG_SANITIZED}"
    if "${VAR_EARLY_DEBUG}"; then
      printf "❌ Vars Dump saved at     : %s \n" "${LOG_VAR}"
@@ -60,8 +60,8 @@ print_file_err() {
 #######################################
 # Print Error Message for Trap on 'ERR' on Terminal
 # Globals:
-#   ARGUMENTS_COUNT
-#   ARG_STR_ORG_INPUT
+#   VAR_PARAM_COUNT
+#   VAR_PARAM_STRNG
 #   VAR_ARG_SANITIZED
 #   LOG_DEBUG
 #   ERRCMMD
@@ -89,8 +89,8 @@ print_scr_err() {
  printf "\e[91m❌ Function               : %s \e[0m\n" "${ERRFUNC}" >&2
  printf "\e[91m❌ Command                : %s \e[0m\n" "${ERRCMMD}" >&2
  printf "\e[91m❌ Script Runtime         : %s \e[0m\n" "${SECONDS}" >&2
-  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
-  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
+  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${VAR_PARAM_COUNT}" >&2
+  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${VAR_PARAM_STRNG}" >&2
  printf "\e[91m❌ Arguments Sanitized    : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
  printf "\e[91m❌ Error Log saved at     : %s \e[0m\n" "${LOG_ERROR}" >&2
  printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" >&2
@@ -119,15 +119,18 @@ print_scr_err() {
 #   $5: ${BASH_COMMAND}
 #######################################
 trap_on_err() {
-  trap - ERR
+  trap - DEBUG ERR INT TERM
  declare -g ERRCODE="$1"
  declare -g ERRSCRT="$2"
  declare -g ERRLINE="$3"
  declare -g ERRFUNC="$4"
  declare -g ERRCMMD="$5"
+  # shellcheck disable=SC2034
+  declare -g ERRTRAP="true"
+
  if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
  clean_up "${ERRCODE}"
-  if ! $VAR_HANDLER_AUTOBUILD; then clean_screen; fi
+  if ! "${VAR_HANDLER_AUTOBUILD}"; then clean_screen; fi
  print_file_err
  print_scr_err
 }
@@ -148,6 +151,7 @@ dump_user_vars() {
  set +x
  {
    declare var
+    # shellcheck disable=SC2312
    while IFS= read -r var; do
      declare -p "${var}" 2>/dev/null
    done < <(compgen -v | grep -Ev '^(BASH|_).*')
--- a/lib/lib_trap_on_exit.sh
+++ b/lib/lib_trap_on_exit.sh
@@ -20,7 +20,7 @@ guard_sourcing
 #   $1: $?
 #######################################
 trap_on_exit() {
-  trap - EXIT
+  trap - DEBUG ERR EXIT INT TERM
  declare -r var_trap_on_exit_code="$1"
  if (( var_trap_on_exit_code == 0 )); then
    if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -20,7 +20,7 @@ usage() {
  declare var_cols=$(tput cols 2>/dev/null || echo 80)

  #######################################
-  # Header, Footer wrapper for dynamically output.
+  # Header, Footer wrapper for dynamical output.
  # Arguments:
  #   $1: Text.
  #   $2: Width of Terminal.
@@ -33,15 +33,15 @@ usage() {
  }

  # shellcheck disable=SC2155
-  declare var_header=$(center "CLB(1)        CISS.debian.live.builder        CLB(1)" "${var_cols}")
+  declare var_header=$(center "CLB(1)                        CISS.debian.live.builder                        CLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.03.864.2025.07.15        2025-06-25        CLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.008.2025.08.22                        2025-08-11                        CLB(1)" "${var_cols}")

  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.03.864.2025.07.15\e[0m"
+    echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
@@ -148,6 +148,9 @@ usage() {
    echo "    Imports the SSH Public Key from the FILE 'authorized_keys' of the"
    echo "    specified PATH into the Live ISO. MUST be provided."
    echo
+    echo -e "\e[97m  --trixie \e[0m"
+    echo "    Create a Debian Trixie Live ISO."
+    echo
    echo -e "\e[97m  --version, -v \e[0m"
    echo "    Show version of ${0}."
    echo
--- a/107
+++ b/107
@@ -0,0 +1,107 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-21; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Use Bash for recipe shells (not /bin/sh)
+SHELL                := /usr/bin/bash
+.SHELLFLAGS          := -CEeuTo pipefail -O failglob -c
+.ONESHELL            :
+.DELETE_ON_ERROR     :
+.RECIPEPREFIX        :=	### Tabstopp
+.DEFAULT_GOAL        := live
+
+### Local, unversioned overrides (optional):
+-include config.mk
+
+### Timestamp at parse time (UTC); can be overridden:
+TIMESTAMP            ?= $(shell date -u +%Y-%m-%dT%H-%M-%S)
+
+### Core parameters (safe defaults; override in config.mk, rename config.mk.sample to config.mk and apply the remaining values):
+ARCH                 ?= amd64
+AUTOBUILD            ?= 6.12.41+deb13-amd64
+CONTROL              ?= $(TIMESTAMP)
+
+### Nice/ionice settings:
+RENICE               ?= -19
+REIONICE_CLASS       ?= 1
+REIONICE_PRIO        ?= 2
+
+### Feature flags (set to empty to disable):
+FLAG_CDI             ?= 1
+FLAG_DEBUG           ?= 1
+FLAG_DHCP_CENTURION  ?= 1
+FLAG_TRIXIE          ?= 1
+
+### Reusable canned recipe:
+### Usage: $(call COMPOSE_AND,print) -> prints the fully quoted command
+###        $(call COMPOSE_AND,exec)  -> execs the command
+define COMPOSE_AND
+	### Build command as a robust array to avoid word-splitting and globbing issues:
+	cmd=( ./ciss_live_builder.sh )
+	cmd+=( --architecture '$(ARCH)' )
+	cmd+=( --build-directory '$(BUILD_DIR)' )
+	cmd+=( --control '$(CONTROL)' )
+	cmd+=( --root-password-file '$(ROOT_PASSWORD_FILE)' )
+	cmd+=( --ssh-port '$(SSH_PORT)' )
+	cmd+=( --ssh-pubkey '$(SSH_PUBKEY)' )
+	### Optional flags:
+	[[ -n '$(AUTOBUILD)'            ]] && cmd+=( --autobuild=$(AUTOBUILD) )
+	[[ -n '$(FLAG_CDI)'             ]] && cmd+=( --cdi )
+	[[ -n '$(FLAG_DEBUG)'           ]] && cmd+=( --debug )
+	[[ -n '$(FLAG_DHCP_CENTURION)'  ]] && cmd+=( --dhcp-centurion )
+	[[ -n '$(FLAG_TRIXIE)'          ]] && cmd+=( --trixie )
+	[[ -n '$(PROVIDER_NETCUP_IPV6)' ]] && cmd+=( --provider-netcup-ipv6 '$(PROVIDER_NETCUP_IPV6)' )
+	[[ -n '$(RENICE)'               ]] && cmd+=( --renice-priority '$(RENICE)' )
+	if [[ -n '$(REIONICE_CLASS)' && -n '$(REIONICE_PRIO)' ]]; then
+	                                      cmd+=( --reionice-priority '$(REIONICE_CLASS)' '$(REIONICE_PRIO)' )
+	fi
+	### Only add the flag if there is actually at least one host:
+	jh_csv='$(strip $(JUMP_HOSTS))'
+	if [[ -n "$$jh_csv" ]]; then
+	 	### Disable globbing so [fe80::1] isn't treated as a pattern:
+	 	set -f
+	 	IFS=',' read -r -a jh <<< "$$jh_csv"
+		set +f
+		### Emit a single --jump-host followed by N addresses:
+		cmd+=( --jump-host )
+		for h in "$${jh[@]}"; do
+			[[ -n "$$h" ]] && cmd+=( "$$h" )
+		done
+	fi
+	## Act according to the requested mode ($(1) = print|exec):
+	 case "$(1)" in
+		print)
+			printf '\e[92mCommand to run:\e[0m\n'
+			printf '\e[95m%s ' "$${cmd[@]@Q}"; printf '\e[0m\n'
+			;;
+		exec|"")
+			printf '\e[92mThe following command is executed: \e[0m\n'
+			printf '\n'
+			printf '\e[95m%s ' "$${cmd[@]@Q}"; printf '\e[0m\n'
+			printf '\n'
+			printf '\e[92mScript is loading ... \e[0m\n'
+			exec "$${cmd[@]}"
+			;;
+		*)
+			printf 'Unknown mode: %s\n' "$(1)" >&2; exit 2
+			;;
+	esac
+endef
+
+### Targets that reuse the block:
+.PHONY: dry-run live
+
+dry-run:
+	@$(call COMPOSE_AND,print)
+
+live:
+	@$(call COMPOSE_AND,exec)
+
+# vim: set ft=make noet ts=8 sw=8
--- a/Show More
+++ b/Show More