V1.00.128.2025.06.03

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-03 19:29:32 +02:00
parent 021c74e687
commit 1060269740
33 changed files with 6239 additions and 43 deletions
@@ -0,0 +1,53 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2
 # SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 # EditorConfig is awesome: https://editorconfig.org
 root = true
 [*]
 indent_style = space
 indent_size = 2
 tab_width = 2
 max_line_length = 128
 [*.properties]
 end_of_line = lf
 charset = utf-8
 insert_final_newline = true
 trim_trailing_whitespace = true
 [*.md]
 end_of_line = lf
 # Markdown benefits from a final newline for POSIX tools
 insert_final_newline = true
 # Do not trim trailing whitespace: two spaces at end-of-line signal a hard line break in Markdown
 trim_trailing_whitespace = false
 #[*.toml]
 #end_of_line = lf
 #insert_final_newline = true
 ## TOML values can include strings where trailing spaces may matter; better not trim
 #trim_trailing_whitespace = false
 #charset = utf-8
 [*.{yaml,yml}]
 end_of_line = lf
 insert_final_newline = true
 # Trim trailing whitespace (safe, since YAML does not rely on trailing spaces)
 trim_trailing_whitespace = true
 [*.{sh,bash,zsh}]
 end_of_line = lf
 charset = utf-8
 insert_final_newline = true
 trim_trailing_whitespace = true
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -0,0 +1,60 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2
 # SPDX-Comment: This file is part of the draft-weidner-catalog-rr-ext framework.
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 ---
 name: "RFC I-D Feedback"
 about: "Submit feedback or change requests for the RFC Internet-Draft"
 title: "[RFC I-D Feedback]: "
 labels:
  - "RFC-ID"
  - "feedback"
 assignees: [msw]
 body:
  - type: markdown
    attributes:
      value: |
        _Please enter something like `draft-ietf-example-01`_
        _Where in the document does this issue occur?_
        _Section / Paragraph / Line_
  - type: input
    id: abstract
    attributes:
      label: "Abstract"
      description: "Briefly describe the problem or suggestion."
      placeholder: "MUST be provided"
    validations:
      required: true
  - type: input
    id: proposal
    attributes:
      label: "Proposal"
      description: "What exact change do you propose? Please include text snippets if possible."
      placeholder: "MUST be provided"
    validations:
      required: true
  - type: input
    id: rfc
    attributes:
      label: "RFC"
      description: "Link to related RFCs, specs or real-world examples."
      placeholder: "MAY be provided"
    validations:
      required: false
  - type: checkboxes
    id: pr-type
    attributes:
      label: "Feedback Type"
      options:
        - label: "Editorial (typos, formatting)"
        - label: "Technical"
        - label: "Security Consideration"
        - label: "Compatibility / Interoperability"
        - label: "Other (please specify)"
 # vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml:
@@ -0,0 +1,223 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2
 # SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V1.00.128.2025.06.03
 name: Render README.md to README.html.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - "README.md"
      - '.gitea/properties/lua/linkfix.lua'
 jobs:
  render-md-to-html:
    name: Render README.md to README.html.
    runs-on: ubuntu-latest
    steps:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/draft-weidner-catalog-rr-ext.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
      - name: 🛠️ Install Pandoc & Dependencies.
        shell: bash
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y pandoc
      #- name: ⚙️ Ensure .html/ directory exists.
      #  shell: bash
      #  run:
      #    mkdir -p .html
      #- name: 🛠️ Render *.md to full standalone HTML.
      #  shell: bash
      #  run: |
      #    set -euo pipefail
      #    find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print  | while read file; do
      #      out=$(basename "${file%.md}.html")
      #      pandoc -s "${file}" \
      #        --metadata title="${file}" \
      #        --metadata lang=en \
      #        -f gfm+footnotes \
      #        -t html5 \
      #        --no-highlight \
      #        --strip-comments \
      #        --wrap=none \
      #        --lua-filter=.gitea/properties/lua/linkfix.lua \
      #        -o .html/"${out}"
      #    done
      - name: 🛠️ Extract HTML fragment for Gitea for *.md.
        shell: bash
        run: |
          set -euo pipefail
          find . \( -path "*/.*" -prune \) -o -type f -name "README.md" -print | while read file; do
            out="${file%.md}.html"
            pandoc "${file}" \
              -f gfm+footnotes \
              -t html5 \
              --no-highlight \
              --strip-comments \
              --wrap=none \
              --lua-filter=.gitea/properties/lua/linkfix.lua \
              -o "${out}"
          done
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          git add *.html  || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT: Auto-Generate *.html from *.md [skip ci]
            ${CI_HEADER}
            Generated at: ${TIMESTAMP_UTC}
            Runner Host : ${HOSTNAME}
            Workflow ID : ${WORKFLOW_ID}
            Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
            "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -0,0 +1,45 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://json.schemastore.org/gitea-issue-config.json",
  "$comment": "https://docs.gitea.com/usage/issue-pull-request-templates#syntax-for-issue-config",
  "properties": {
    "blank_issues_enabled": {
      "description": "Specify whether forms have to be used or blank issue are allowed\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options",
      "type": "boolean"
    },
    "contact_links": {
      "title": "contact links",
      "description": "Contact links\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options",
      "type": "array",
      "minItems": 1,
      "items": {
        "type": "object",
        "required": ["name", "url", "about"],
        "properties": {
          "name": {
            "description": "The name of your link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
            "type": "string",
            "minLength": 1,
            "examples": ["Sample name"]
          },
          "url": {
            "description": "The URL of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
            "type": "string",
            "pattern": "^https?://",
            "examples": ["https://sample/url"]
          },
          "about": {
            "description": "A short description of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
            "type": "string",
            "minLength": 1,
            "examples": ["Sample description"]
          }
        },
        "additionalProperties": false
      }
    }
  },
  "additionalProperties": false,
  "title": "Gitea issue template chooser config file schema",
  "type": "object"
 }
@@ -0,0 +1,8 @@
 -- Linkfix.lua
 function Link (el)
    -- wenn Linkziel auf .md endet, ändere es zu .html
    if el.target:match('%.md$') then
        el.target = el.target:gsub('%.md$', '.html')
    end
    return el
 end
@@ -0,0 +1,15 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2
 # SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 0
  version: Master V1.00.128.2025.06.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -0,0 +1,200 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2
 # SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V1.00.128.2025.06.03
 name: Retrieve DNSSEC status of coresecret.dev.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/trigger/t_generate_dns.yaml'
 jobs:
  build-dnssec-diagram:
    name: Retrieve DNSSEC status of coresecret.dev.
    runs-on: ubuntu-latest
    steps:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/draft-weidner-catalog-rr-ext.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
      - name: 🛠️ Install DNSViz.
        shell: bash
        run: |
          sudo apt-get update
          sudo apt-get install -y dnsviz
      - name: ⚙️ Ensure docs/SECURITY/ directory exists.
        shell: bash
        run: |
          mkdir -p docs/SECURITY/
          rm -f docs/SECURITY/coresecret.dev.png
      - name: 🛠️ Prepare DNS Cache.
        shell: bash
        run: |
          sudo apt-get install -y dnsutils
          dig +dnssec +multi coresecret.dev @8.8.8.8
      - name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
        shell: bash
        run: |
          dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
          dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]
          ${CI_HEADER}
          Generated at: ${TIMESTAMP_UTC}
          Runner Host : ${HOSTNAME}
          Workflow ID : ${WORKFLOW_ID}
          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
      # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -0,0 +1,193 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2
 # SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V1.00.128.2025.06.03
 name: Render Graphviz Diagrams.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - "**/*.gv"
      - "**/*.dot"
 jobs:
  build-graphiz-diagrams:
    name: Render Graphviz Diagrams.
    runs-on: ubuntu-latest
    steps:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/draft-weidner-catalog-rr-ext.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
      - name: 🛠️ Install Graphviz.
        shell: bash
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y graphviz
      - name: 🛠️ Render all .dot / .gv to PNG.
        shell: bash
        run: |
          set -euo pipefail
          find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
            out="${file%.*}.png"
            dot -Tpng "${file}" -o "${out}"
          done
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          git add *.png || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT: DEPLOY BOT: Auto-Generate PNG from *.dot. [skip ci]
          ${CI_HEADER}
          Generated at: ${TIMESTAMP_UTC}
          Runner Host : ${HOSTNAME}
          Workflow ID : ${WORKFLOW_ID}
          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
      # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -0,0 +1,194 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2
 # SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V1.00.128.2025.06.03
 name: Render RFCXML to PDF.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - "**/*.rfc.xml"
 jobs:
  render-rfcxml-to-pdf:
    name: Render RFCXML to PDF.
    runs-on: ubuntu-latest
    steps:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/draft-weidner-catalog-rr-ext.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
      - name: 🛠️ Install Python, RFC2XML Utilities, Fonts, Libraries.
        run: |
          sudo apt-get update
          sudo apt-get install -y python3-pip libxml2-utils
          sudo apt-get install -y libpango-1.0-0 libcairo2 libgdk-pixbuf2.0-0 libffi-dev libfontconfig1 fonts-noto fonts-roboto wget unzip
      - name: 🛠️ Install Python "xml2rfc" and "xml2rfc[pdf]"
        run: |
          pip3 install xml2rfc --break-system-packages
          pip3 install "xml2rfc[pdf]" --break-system-packages
      - name: 🛠️ Convert all RFCXML to PDF.
        run: |
          find . -name "*.rfc.xml" | while read file; do
            out="${file%.rfc.xml}.pdf"
            xml2rfc "${file}" --pdf -o "${out}"
          done
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          git add *.pdf || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT: Auto-Generate PDFs from *.rfc.xml. [skip ci]
          ${CI_HEADER}
          Generated at: ${TIMESTAMP_UTC}
          Runner Host : ${HOSTNAME}
          Workflow ID : ${WORKFLOW_ID}
          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
      # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -0,0 +1,20 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2
 # SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 .checklist/
 .idea/
 build/
 out/
 target/
 *.DS_Store
 *.log
 *.ps1
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -0,0 +1,12 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mEkFaDXW/RYAAAA/AytlcQHI0wBCQVlX/T1P1op2zxMcvSXsIO6Ry5dVxzJyWFkB
 SB0utYV5PVOcoparGuxuVV5h5q538FMowsAAtFZDZW50dXJpb24gSW50ZWxsaWdl
 bmNlIENvbnN1bHRpbmcgQWdlbmN5IDIwMjUgUm9vdCB4NDQ4IChNYXN0ZXIgU2ln
 bmluZyBLZXkgW09mZmxpbmVdKYjNBRMWCABNAhsBBQsJCAcCAiICBhUKCQgLAgQW
 AgMBAh4HAheAIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmg1
 4c0FCRezg7YAAJycAcdFA+KOZ0U3+AhnNJWm4SXCgzwfJ2Rg10uUt/iiKNtiagDG
 xifwXGd5fh2Om/oFdYkgf48GAVVDE4ABx1x6OmN6dt6GWHCKgienVOgKhu+Cl/04
 c3Sth4dGCosfFJNUaNmfja5GQ/wQKLVQ0C4TjuJXHCkEAA==
 =bk/i
 -----END PGP PUBLIC KEY BLOCK-----
@@ -0,0 +1,18 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEaDcItBYJKwYBBAHaRw8BAQdAFyGLpFASTiK4vBgycV2wjb3ZaNqhjZ33E1ir
 MiU98Fu0LE1hcmMgUy4gV2VpZG5lciBCT1QgPG1zdytib3RAY29yZXNlY3JldC5k
 ZXY+iJkEExYIAEEWIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaDcItAIbAwUJCKVq
 fAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRA85KY4hzOwIVOoAQD9WXoh
 Isjs4q7RCAtCXXWO4y4p8Dmn1AjCRN07vBYskQEAu/LjJYpjC553SnLPEN2PjZBt
 pNkwp/fMg2oigxRkygyI1AUQFggAVCIhBW/TwxZOreRiASSn6MzNd4l1ywe1QKfL
 3kbW7jRInWnCBQJoNwjMBYMIpYaAJBSAAAAAAA0ADnJlbUBnbnVwZy5vcmdDZW50
 dXJpb24sQ0lDQQAA3TABxjNpYGUWhvt6x3h688F1KJfeWrrMetflFZBA3UzoIAAg
 SltgMYRnCzpZFGnQILKgj9jyakwckxFLAAHHY/I0Fxmc5ujfkGScUhUKPhruVT2x
 w4aHogEuE9Ebu94JuvBQX3+RlHjG+47qG7bmAT81E47Hih0AuDgEaDcItBIKKwYB
 BAGXVQEFAQEHQOKAnInWn3Wy1fUJJD7bycrXEx6SoLejW5/0jGIG2VdGAwEIB4h+
 BBgWCAAmFiEEqmJzzDShs+vWn8hwPOSmOIczsCEFAmg3CLQCGwwFCQilanwACgkQ
 POSmOIczsCHztAEA2AWCPQ8V8hNdEBvYHwRye8Q9FJO7IyciwwpjH1nOBLMBAJS2
 OSrjMYBFaumow950s7T2d7BEpnxJBtCwfuF+RwgI
 =QwhF
 -----END PGP PUBLIC KEY BLOCK-----
@@ -0,0 +1,13 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEaCxYpRYJKwYBBAHaRw8BAQdAr9mRwJ44x3qirCRbE+qjgwBDzZLVkKXvC4UI
 AHxvyMK0JE1hcmMgUy4gV2VpZG5lciA8bXN3QGNvcmVzZWNyZXQuZGV2PoiZBBMW
 CABBFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgFAmgsWKUCGwMFCQiwGosFCwkIBwIC
 IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQhAKZkeYuhPhWnQEAulGegHfBva0ezN5/
 VVqLqDVTe+etr3crCcxKpj8gg7wA/3OfkCvgPht18OoIQbR1IA7jDBSOKvY8OfcR
 1632dZIIuDgEaCxYpRIKKwYBBAGXVQEFAQEHQP34OGSMdCMM8Ku/QY7NC81xbL0h
 kOFdDGlKlA865+kpAwEIB4h+BBgWCAAmFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgF
 AmgsWKUCGwwFCQiwGosACgkQhAKZkeYuhPhnjgD+IHh9XhE+s3VB3ItDIgtT9gTA
 S8ET80dQcFmFGYfjs/oBALmXXxceE+aSd2VO6dumqhtzWCGE7S52/50hxRgLsi8G
 =C3ox
 -----END PGP PUBLIC KEY BLOCK-----
@@ -0,0 +1,52 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBGgKhAABEADKXAZwxkr4Wlo0KKjvvxUNycajqFLSEf8CNSkZCzE6/Ya5SlCy
 p/yO8bqMUiL6zFO3A7bt0HYZo3jjU7nyOap0nq2qKgSvLJPeiJF6wk3XQDvJbpCh
 NBi6vlKicWMyJqVtbqQZeX7q4MFrJPQX5JurSOsauAsJ8xz8vOnhesVwh44m7jTf
 Yvuelz0zh/LQkypTaeMA1CXhCtLhoS8V359azO0VHdVaFmxIjsiiU4wKUCNiUgC5
 Z/QhG3v1TlIS5R8tnPrke39TkjRVBXAnW5mVTxE7+hauDhefGlpIDkIr8ACCpgLf
 ZN0sEXH1+DNTvCwDsP9eoEuf5+2l+w0pQ5c0Rsi2RIbrE/Ct9PL9+cXDYOkNk4fa
 5pws7LzldacBB3XTHhSgTAkF+knk+RNxyrlJ42FAo6HiP+pM3ym/ElFGF0cS/qnU
 h6JR3SDUybI/89t3lPDHEj24+GLxHd/6d0WY0xYMwNElm7DK+BOgKpEQO/ZBqtRP
 crpx81IDInJYjck5z8BAYwnW+CPsAi1cSSFtGBGvem7iKvz7e1nvQcxn9i9HUbiM
 FjrfrFztkSE2ZINoTPUPYNEtLyAm/TQKBCS08uyYjSPaivN1yQ75dm6pIS1OJmGe
 i7SwhU6j4Y8CXdpo3OioemrUuccPbxu18Iw+PovLUvmkAhqFIY6EvYw9ZwARAQAB
 tCpNYXJjIFMuIFdlaWRuZXIgPHJmYy5lZGl0b3JAY29yZXNlY3JldC5ldT6JAlcE
 EwEIAEEWIQR6g0Hl8VcDGdgPRBihHohRmj2M9gUCaAqEAAIbAwUJCrMisAULCQgH
 AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRChHohRmj2M9o5aD/0ceZqsJC98RyvN
 HM9+Ke+1yhwRGXJ3AdFPMdhhzajBdRpOx/N/xY9sqeWpm4S1/UsLBZsaGxASJvXq
 HXOzOXY+RPlOocBcm3yAzlrz+UU/NhvSnpMOU63mR3pvf6qwwfgqGbtxozNgbb2Y
 g+tV4sG+DhCWO4G0Pb2+qlitBY4vbY9W7TdA805bAWwf7E9Pb2x5kLj7uQUKi3dy
 2YCqgHYqQ9yS7UztiA39zmHh2IRl72ZUKGcBMWFfSpO0Mfgr+mCe+5sTymPfIRqk
 IrTmugCXgCV/xs3nE4lv8C/4eSJsLEmMaFELL7dBjn6dhl+0hEblKQYUgURZaG20
 hh/uaR0X1iwA4D9ipHXCr4CM9/fq5ny2uCihPxI/6xeNU9/rOCDZ+LMpJoe/cwTM
 9aY+toC4tyv4f8lm46XPWm+SujJOaVEI7NNKX/kJR9UZZBii8YYGQ1gSs4HX9PxZ
 G1Nf7qG5cfFBV77M9uQsrKnsXRMZjRtyxnclU9r8NKg4jfNvzqpqAVoynhG+YjKM
 krQreCr1LU9uT3O0ABf1s457C0oNr+YMva9PL5LdXEGHwAL93YgyerzEs1TIik80
 YLEVDeTunMWtb1v/h516q+fk1p2bdNflQUMD3X1Cmj6qRMe1f4ku1I3zcjK0kikI
 MGgOoag7efnNBDDsyhKUP/ZtNzOB9LkCDQRoCoQAARAAnoqlViizlICxSBmWkq3D
 dSBfyK98uY6uA8H/lUhsG/ZTUG0y3kqEZ6JoU2G+QwTMm0/8VutwFoc38142FhqQ
 Gs2imUN+sQRlKdyk8wtoq2Kv4G7XhXBGFsEfScHKQb8VTz8eoHAgtqAzJcLXDO0u
 gHHk5OoOqc93TsT9rimHNNNyKqU20rRe+AJ2Yjn92dIuSQ7B7R7O9U5OflZKrVMO
 e6KSXbbMx+Z/tOOoAC2EWpPE8Vcogs8CFlAUaCKaKcSTwYUZMKJg67voeIZHLKAE
 k4hth+1oGcawfuA7duJBVFlK2u6Vu14c26y7tgZQWge6e7DuXlp0qGyu349M10qF
 p+d0v1oN8h6cfYjDPPvTAdO20iB/c3KaDMNqcGBDUWd366YcLBAzHZO4YDjE4CF1
 7TnZQNMuelg83jl4OIcyDqzATDEY+amOgzvkxsgHw+tihSulGBeliph1n5pfpD3w
 wjrtMskCo4PaFWk8YofO3ZzpMCdIDXg0hR1PvThkXQQR6fccOYd8t5QEOdS9NS53
 fL3ayRvMt5fgwYeo9yfzl5ByTSXeT4BSpz596SG/BdcHxHky7lM8++LuRNrOiy9Q
 xLohwgPonceF4bjL944Ec13lneZunJN8nel8yrjd0cX0ZikWMWoRFk9GejNN6HLo
 /FrIKxSjf8h5UK5Gtn2OgtMAEQEAAYkCPAQYAQgAJhYhBHqDQeXxVwMZ2A9EGKEe
 iFGaPYz2BQJoCoQAAhsMBQkKsyKwAAoJEKEeiFGaPYz2SkMQALjeSyg8HzMLXwN4
 Trt7aW5ef/38J89cav0ouvlY1OggZDiHSXjck7wI0uc0oiB9uVjBj8VfJC4op3bJ
 FNlXANE2j9wDR2idQF6hFWVibznMiYOLdmAv3UPGEwm5mJw3h3oGTMqMxKllOKYk
 sjRD4PwMOz9x43385PO1q0UQO69kQfnLcRm1gR5w8UHM6j1Mp6HcBapnOluf4PZj
 o+5etx3MZBQtDEN5Q80ou3sS2FY23ydmpbn1AGQverr7wUH0ofAgC/xAQ/QJaxWE
 ISVm+6F6gC67UU/DMtw2iq9G/CsBKOglC6anU75UEAQnhkiCaFXlghCX0LGWyVbM
 OQzjlfBgswTQ4lvYV2I8FHbvgKCYuRvEeAqrIgnpK4BfoBZOXhrsanbtXth4Cl82
 euveI/dbSnEa0iXucP39VbvDrzfNmpUlE9HTpiad10YmrYWIR0yEv4TGPnvtWzgj
 ldqhMToXTbuz4bcIEfLLNBEVOXOpEehhpwiXPBmWjCbiSTdt9wcmMXTzjzGyVWoF
 N37P3BcodQWrsIJD5rlBN+mlga2JBfaJndOoYDLTuCNp63O3QO+/B+37hOYHphyu
 Z1UsyA0biHQ2exoMtUn8VrfrVaVjqeKzD5E2C2w8jKh2bNFYjbNoEhmw/ld+wTC4
 h9Da4wsNzL2ADzBfxBgFgm0uI6+7
 =5Jh4
 -----END PGP PUBLIC KEY BLOCK-----
@@ -0,0 +1,19 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2
 # SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 properties_SPDX-Version="3.0"
 properties_SPDX-ExternalRef="GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git"
 properties_SPDX-FileCopyrightText="2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
 properties_SPDX-License-Identifier="EUPL-1.2"
 properties_SPDX-LicenseComment="This file is part of the draft-weidner-catalog-rr-ext framework."
 properties_SPDX-PackageName="draft-weidner-catalog-rr-ext"
 properties_SPDX-Security-Contact="security@coresecret.eu"
 properties_version="V1.00.128.2025.06.03"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -0,0 +1,69 @@
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2
 # SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 # Usage:
 #   sh build_caa-ct-sts.sh <OWN_DOMAIN> <CA_DOMAIN> <CRIT_FLAG>
 set -eu
 readonly OWN_DOMAIN="$1"
 readonly CAA_DOMAIN="$2"
 readonly CRIT__FLAG="$3"
 readonly CAA_CTS_TS="caa-ct-sts.${OWN_DOMAIN}.txt"
 case "${CRIT__FLAG}" in
  true|false) ;;
  *) echo "Error: CRIT_FLAG MUST be either 'true' or 'false'." >&2
    exit 1
    ;;
 esac
 :> "${CAA_CTS_TS}"
 { echo "### CAA-CT-STS Policy: $CAA_CTS_TS ###"
  echo "version: CAACTSTSv1"
  echo "max_age: 60"
 } > "${CAA_CTS_TS}"
 JSON=$(curl -fsSL https://www.gstatic.com/ct/log_list/v3/log_list.json)
 readonly JSON
 echo "${JSON}" | awk -v OWN="${OWN_DOMAIN}" -v CA="${CAA_DOMAIN}" -v CRIT="${CRIT__FLAG}" -v OUT="${CAA_CTS_TS}" '
  BEGIN { FS="\""; }
  /{[[:space:]]*"description"/ {
    desc=""; url=""; start=""; endt=""; logid=""; key="";
  }
  /"description":/ {
    desc = $4
    gsub(/\047/, "", desc)
  }
  /"url":/ {
    url = $4
  }
  /"start_inclusive":/ {
    start = $4
  }
  /"end_exclusive":/ {
    endt = $4
  }
  /"log_id":/ {
    logid = $4
  }
  /"key":/ {
    key = $4
    gsub(/\047/, "", key)
  }
  /"end_exclusive":/ {
    if (desc != "" && url != "" && start != "" && logid != "" && key != "") {
      printf "ct_policy: ( \"%s; critical=%s; desc='\''%s'\''; validfrom=%s; validtill=%s; cturi=%s; logid='\''%s'\''; pubkey='\''%s'\'';\" )\n", \
        CA, CRIT, desc, start, endt, url, logid, key \
      >> OUT
    }
  }
 '
 echo "CAA-CT-STS Policy File: '${CAA_CTS_TS}' written."
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -0,0 +1,65 @@
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2
 # SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 # Usage:
 #   sh build_caa_records.sh <OWN_DOMAIN> <CA_DOMAIN> <CRIT_FLAG>
 set -eu
 readonly OWN_DOMAIN="$1"
 readonly CAA_DOMAIN="$2"
 readonly CRIT__FLAG="$3"
 readonly ZONE__FILE="zone_${OWN_DOMAIN}_CAA.txt"
 case "${CRIT__FLAG}" in
  true|false) ;;
  *) echo "Error: CRIT_FLAG MUST be either 'true' or 'false'." >&2
    exit 1
    ;;
 esac
 :> "${ZONE__FILE}"
 JSON=$(curl -fsSL https://www.gstatic.com/ct/log_list/v3/log_list.json)
 readonly JSON
 echo "${JSON}" | awk -v OWN="${OWN_DOMAIN}" -v CA="${CAA_DOMAIN}" -v CRIT="${CRIT__FLAG}" -v OUT="${ZONE__FILE}" '
  BEGIN { FS="\""; }
  /{[[:space:]]*"description"/ {
    desc=""; url=""; start=""; endt=""; logid=""; key="";
  }
  /"description":/ {
    desc = $4
    gsub(/\047/, "", desc)
  }
  /"url":/ {
    url = $4
  }
  /"start_inclusive":/ {
    start = $4
  }
  /"end_exclusive":/ {
    endt = $4
  }
  /"log_id":/ {
    logid = $4
  }
  /"key":/ {
    key = $4
    gsub(/\047/, "", key)
  }
  /"end_exclusive":/ {
    if (desc != "" && url != "" && start != "" && logid != "" && key != "") {
      printf "%s. 60 IN CAA 0 issuect ( \"%s; critical=%s; desc='\''%s'\''; validfrom=%s; validtill=%s; cturi=%s; logid='\''%s'\''; pubkey='\''%s'\'';\" )\n", \
        OWN, CA, CRIT, desc, start, endt, url, logid, key \
      >> OUT
    }
  }
 '
 echo "Bind9 zone-file: '${ZONE__FILE}' written."
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -0,0 +1,19 @@
 SPDXVersion: SPDX-3.0
 DataLicense: CC0-1.0
 SPDX-DocumentName: draft-weidner-catalog-rr-ext.SPDX
 SPDX-DocumentNamespace: https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext
 Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-06-03T12:00:00Z
 Package: draft-weidner-catalog-rr-ext
 PackageName: draft-weidner-catalog-rr-ext
 PackageVersion: Master V8.01.128.2025.06.03
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext
 PackageHomePage: https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext
 PackageLicenseDeclared: EUPL-1.2
 PackageLicenseConcluded: EUPL-1.2
 License: EUPL-1.2
 LicenseID: EUPL-1.2
 LicenseName: European Union Public License 1.2
 LicenseCrossReference: https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -1,89 +1,121 @@
 # SPDX-License-Identifier: EUPL-1.2
 EUPL-1.2
 EUROPEAN UNION PUBLIC LICENCE v. 1.2
 EUPL © the European Union 2007, 2016
-This European Union Public Licence (the ‘EUPL’) applies to the Work (as defined below) which is provided under the
+This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
 terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
-use is covered by a right of the copyright holder of the Work).
+a use is covered by a right of the copyright holder of the Work).
 The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
 notice immediately following the copyright notice for the Work:
                          Licensed under the EUPL
 or has expressed by any other means his willingness to license under the EUPL.
 1.Definitions
 In this Licence, the following terms have the following meaning:
-— ‘The Licence’:this Licence.
+
-— ‘The Original Work’:the work or software distributed or communicated by the Licensor under this Licence, available
+— 'The Licence':this Licence.
 — 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
 as Source Code and also as Executable Code as the case may be.
-— ‘Derivative Works’:the works or software that could be created by the Licensee, based upon the Original Work or
+
 — 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
 modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
 required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
 the country mentioned in Article 15.
-— ‘The Work’:the Original Work or its Derivative Works.
+
-— ‘The Source Code’:the human-readable form of the Work which is the most convenient for people to study and
+— 'The Work':the Original Work or its Derivative Works.
 — 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and
 modify.
-— ‘The Executable Code’:any code which has generally been compiled and which is meant to be interpreted by
+
 — 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
 a computer as a program.
-— ‘The Licensor’:the natural or legal person that distributes or communicates the Work under the Licence.
+
-— ‘Contributor(s)’:any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
+— 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
 — 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
 the creation of a Derivative Work.
-— ‘The Licensee’ or ‘You’:any natural or legal person who makes any usage of the Work under the terms of the
+
 — 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
 Licence.
-— ‘Distribution’ or ‘Communication’:any act of selling, giving, lending, renting, distributing, communicating,
+
-transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential
+— 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
 transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
 functionalities at the disposal of any other natural or legal person.
 2.Scope of the rights granted by the Licence
 The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
 the duration of copyright vested in the Original Work:
-— use the Work in any circumstance and for all usage,
+
 — use the Work in any circumstances and for all usage,
 — reproduce the Work,
-— modify the Work, and make Derivative Works based upon the Work,
+
 — modify the Work and make Derivative Works based upon the Work,
 — communicate to the public, including the right to make available or display the Work or copies thereof to the public
 and perform publicly, as the case may be, the Work,
 — distribute the Work or copies thereof,
 — lend and rent the Work or copies thereof,
 — sublicense rights in the Work or copies thereof.
-Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the
+
 Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the
 applicable law permits so.
 In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
 by law in order to make effective the licence of the economic rights here above listed.
 The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
 extent necessary to make use of the rights granted on the Work under this Licence.
 3.Communication of the Source Code
-The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as
+
 The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as
 Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
 each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
 the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
 distribute or communicate the Work.
 4.Limitations on copyright
 Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
-exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations
+exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
 thereto.
 5.Obligations of the Licensee
 The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
 obligations are the following:
 Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
-the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the
+the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
 Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
 to carry prominent notices stating that the Work has been modified and the date of modification.
 Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
 Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
-the Original Work is expressly distributed only under this version of the Licence — for example by communicating
+the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
-‘EUPL v. 1.2 only’. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
+'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
 Work or Derivative Work that alter or restrict the terms of the Licence.
 Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
 the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
-under the terms of this Compatible Licence. For the sake of this clause, ‘Compatible Licence’ refers to the licences listed
+under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
 in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
 his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
-Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
+The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
 a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
 for as long as the Licensee continues to distribute or communicate the Work.
 Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
@@ -91,100 +123,134 @@ of the Licensor, except as required for reasonable and customary use in describi
 reproducing the content of the copyright notice.
 6.Chain of Authorship
 The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
 licensed to him/her and that he/she has the power and authority to grant the Licence.
-Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or
+
 Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
 licensed to him/her and that he/she has the power and authority to grant the Licence.
 Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
 to the Work, under the terms of this Licence.
 7.Disclaimer of Warranty
-The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work
+
-and may therefore contain defects or ‘bugs’ inherent to this type of development.
+The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
-For the above reason, the Work is provided under the Licence on an ‘as is’ basis and without warranties of any kind
+and may therefore contain defects or 'bugs' inherent to this type of development.
 For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
 concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
 errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
 Licence.
 This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
 8.Disclaimer of Liability
 Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
 liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
 Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
-of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
+of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
-the Licensor will be liable under statutory product liability laws as far such laws apply to the Work.
+the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
 9.Additional agreements
 While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
 consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
 responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
-defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by
+defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
 the fact You have accepted any warranty or additional liability.
 10.Acceptance of the Licence
-The provisions of this Licence can be accepted by clicking on an icon ‘I agree’ placed under the bottom of a window
+
 The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
 displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
 applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
 and conditions.
 Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
 by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
 or Communication by You of the Work or copies thereof.
 11.Information to the public
 In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
 by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
-must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence
+must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
-and the way it may be accessible, concluded, stored and reproduced by the Licensee.
+and the way it may be accessible, concluded, stored, and reproduced by the Licensee.
 12.Termination of the Licence
 The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
 of the Licence.
 Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
 the Licence, provided such persons remain in full compliance with the Licence.
 13.Miscellaneous
 Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
 Work.
 If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
 enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
 and enforceable.
 The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
 the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
 New versions of the Licence will be published with a unique version number.
 All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
 advantage of the linguistic version of their choice.
 14.Jurisdiction
 Without prejudice to specific agreement between parties,
 — any litigation resulting from the interpretation of this License, arising between the European Union institutions,
-bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
+bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
 of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
-— any litigation arising between other parties and resulting from the interpretation of this License, will be subject to
+
 — any litigation arising between other parties and resulting from the interpretation of this License will be subject to
 the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
 15.Applicable Law
 Without prejudice to specific agreement between parties,
 — this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
-resides or has his registered office,
+resides, or has his registered office
-— this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside
+
 — this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
 a European Union Member State.
                                                         Appendix
-‘Compatible Licences’ according to Article 5 EUPL are:
+'Compatible Licences' according to Article 5 EUPL are:
 — GNU General Public License (GPL) v. 2, v. 3
 — GNU Affero General Public License (AGPL) v. 3
 — Open Software License (OSL) v. 2.1, v. 3.0
 — Eclipse Public License (EPL) v. 1.0
 — CeCILL v. 2.0, v. 2.1
 — Mozilla Public Licence (MPL) v. 2
 — GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
 — Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
 — European Union Public Licence (EUPL) v. 1.1, v. 1.2
 — Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
 The European Commission may update this Appendix to later versions of the above licences without producing
 a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
 covered Source Code from exclusive appropriation.
 All other changes or additions to this Appendix require the production of a new EUPL version.
@@ -1,5 +1,96 @@
-# draft-weidner-catalog-rr-ext
+---
 gitea: none
 include_toc: true
 ---
-This RFC I-D proposes an extension to the Certification Authority Authorization (CAA) DNS
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V1.00.128.2025.06.03-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git)
-Resource Record (RR) that enables the mandatory or optional binding of Certificate Transparency
+&nbsp;
-(CT) Log URIs directly within DNS.
+[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Donation-Donation-white?style=plastic&logo=sepa&logoColor=white&logoSize=auto&label=&color=%230F243E)](https://coresecret.eu/spenden/#sepa) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/bitcoin-Bitcoin-white?style=plastic&logo=bitcoin&logoColor=white&logoSize=auto&label=Donation&color=%23F7931A)](https://coresecret.eu/spenden/#bitcoin) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/simplex-Simplex-white?style=plastic&logo=simplex&logoColor=white&logoSize=auto&label=Contact&color=%23000000)](https://coresecret.eu/contact/#simplex) &nbsp;
 # 1. RFC I-D draft-weidner-catalog-rr-ext
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
 **Build**: V1.00.128.2025.06.03<br>
 The RFC I-D **draft-weidner-catalog-rr-ext** proposes an extension to the Certification Authority Authorization 
 (CAA) DNS Resource Record (RR) that enables the mandatory or optional binding of Certificate Transparency (CT) 
 Log URIs directly within DNS. By embedding CT-Log endpoints in CAA RR, Certification Authorities (CAs) gain a 
 standardized, discoverable mechanism for retrieving preferred and permitted CT-Log endpoint information, thereby 
 enhancing the security and auditability of X.509 TLS certificate issuance.
 * The most recent working version of this document, open issues, and related resources are available here.
 * The author gratefully accepts pull requests.
 * The author's PGP keys are available at: ``/.pubkey``
 Check out more:
 * [CenturionNet Services](https://coresecret.eu/cnet/)
 * [CenturionDNS Resolver](https://dns.eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt)
 * [CenturionNet Status](https://uptime.coresecret.eu/)
 * [CenturionMeet](https://talk.e2ee.li/)
 * [Contact the author](https://coresecret.eu/contact/)
 ## 1.1. Preliminary Remarks
 ### 1.1.1. HSM
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to
 move to a room-gapped environment. ^^
 ### 1.1.2. DNSSEC, HSTS, TLS
 Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers:
 ````nginx configuration pro
 add_header Expect-CT                 "max-age=86400, enforce"                       always;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
 * Additionally, the entire zone is dual-signed with **DNSSEC**. See the current **DNSSEC** status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
 * A comprehensive TLS audit of the **`git.coresecret.dev`** Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
 * The infrastructure of the **`CISS.debian.live.builder`** building system is visualized here. See: **[Centurion Net](/docs/CNET.md)**
 ### 1.1.3. Gitea Action Runner Hardening
 The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely
 dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using
 non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own
 separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a ``systemd-analyze security``
 rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use
 of both UFW software firewalls and dedicated hardware firewall appliances.
 ## 1.2. Versioning Schema
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 Example: `1.00.128.2025.06.03`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring
 reproducibility and traceability.
 # 3. Licensing & Compliance
 This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure
 clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX
 standard for license expressions and metadata.
 # 4. Disclaimer
 This README is provided "as-is" without any warranty.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1,23 @@
 # Security Policy
 ## Reporting vulnerabilities
 Please send your vulnerability reports to `security@coresecret.eu`
 To make sure that your report reaches me, please:
 Include the words `draft-weidner-catalog-rr-ext` and `vulnerability` to the subject line as well as a short description of the vulnerability.
 Make sure that the message body contains a clear description of the vulnerability.
 If you have not received a reply to your email within seven days, please make sure to follow up with me again at `security@coresecret.eu`
 Once again, make sure that the word `vulnerability` is in the subject line.
 My security policy is available at:
 [https://coresecret.eu/security-policy/](https://coresecret.eu/security-policy/)
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1,21 @@
 ---
 gitea: none
 include_toc: true
 ---
 # 1. RFC I-D draft-weidner-catalog-rr-ext
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
 **Build**: V1.00.128.2025.06.03<br>
 # 2. DNSSEC Status
 This is an auto-generated overview of the DNSSEC status of `coresecret.dev` at the time of the last human-initiated push event.
 ![DNSSEC Status](/docs/SECURITY/coresecret.dev.png)
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1,318 @@
 ---
 gitea: none
 include_toc: true
 ---
 # 1. RFC I-D draft-weidner-catalog-rr-ext
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
 **Build**: V1.00.128.2025.06.03<br>
 # 2. TLS Audit
 This is a TLS Audit of the ``git.coresecret.dev`` Webserver.
 ````text
 #####################################################################
  testssl.sh version 3.2rc4 from https://testssl.sh/dev/
  (6746fa5 2025-04-18 13:17:50)
  This program is free software. Distribution and modification under
  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
  Please file bugs @ https://testssl.sh/bugs/
 #####################################################################
  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
  on kali:./bin/openssl.Linux.x86_64
 Start 2025-06-02 18:04:19        -->> 152.53.110.40:443 (coresecret.dev) <<--
 Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
 rDNS (152.53.110.40):   git.coresecret.dev.
 Service detected:       HTTP
 Testing protocols via sockets except NPN+ALPN
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 h2, http/1.1 (offered)
 Testing for server implementation bugs
 No bugs found.
 Testing cipher categories
 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
 Triple DES Ciphers / IDEA                         not offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            not offered
 Strong encryption (AEAD ciphers) with no FS       not offered
 Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)
 Testing server's cipher preferences
 Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
 -----------------------------------------------------------------------------------------------------------------------------
 SSLv2
 -
 SSLv3
 -
 TLSv1
 -
 TLSv1.1
 -
 TLSv1.2 (server order)
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 448   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 448   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 TLSv1.3 (server order)
 x1302   TLS_AES_256_GCM_SHA384            ECDH 448   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 448   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 Has server cipher order?     yes (OK) -- TLS 1.3 and below
 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
 FS is offered (OK) , ciphers follow (client/browser support is important here)
 Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
 -----------------------------------------------------------------------------------------------------------------------------
 x1302   TLS_AES_256_GCM_SHA384            ECDH 448   AESGCM      256      TLS_AES_256_GCM_SHA384                             available
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 448   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       available
 xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD  not a/v
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH       ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD    not a/v
 xcc15   DHE-RSA-CHACHA20-POLY1305-OLD     DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD      not a/v
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              available
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH       AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            not a/v
 xc028   ECDHE-RSA-AES256-SHA384           ECDH       AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              not a/v
 xc024   ECDHE-ECDSA-AES256-SHA384         ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384            not a/v
 xc014   ECDHE-RSA-AES256-SHA              ECDH       AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 not a/v
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               not a/v
 xa3     DHE-DSS-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_DSS_WITH_AES_256_GCM_SHA384                not a/v
 x9f     DHE-RSA-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                not a/v
 xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      not a/v
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 448   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        available
 xccaa   DHE-RSA-CHACHA20-POLY1305         DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256          not a/v
 xc0af   ECDHE-ECDSA-AES256-CCM8           ECDH       AESCCM8     256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8                 not a/v
 xc0ad   ECDHE-ECDSA-AES256-CCM            ECDH       AESCCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM                   not a/v
 xc0a3   DHE-RSA-AES256-CCM8               DH         AESCCM8     256      TLS_DHE_RSA_WITH_AES_256_CCM_8                     not a/v
 xc09f   DHE-RSA-AES256-CCM                DH         AESCCM      256      TLS_DHE_RSA_WITH_AES_256_CCM                       not a/v
 x6b     DHE-RSA-AES256-SHA256             DH         AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                not a/v
 x6a     DHE-DSS-AES256-SHA256             DH         AES         256      TLS_DHE_DSS_WITH_AES_256_CBC_SHA256                not a/v
 x39     DHE-RSA-AES256-SHA                DH         AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   not a/v
 x38     DHE-DSS-AES256-SHA                DH         AES         256      TLS_DHE_DSS_WITH_AES_256_CBC_SHA                   not a/v
 xc077   ECDHE-RSA-CAMELLIA256-SHA384      ECDH       Camellia    256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384         not a/v
 xc073   ECDHE-ECDSA-CAMELLIA256-SHA384    ECDH       Camellia    256      TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384       not a/v
 xc4     DHE-RSA-CAMELLIA256-SHA256        DH         Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256           not a/v
 xc3     DHE-DSS-CAMELLIA256-SHA256        DH         Camellia    256      TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256           not a/v
 x88     DHE-RSA-CAMELLIA256-SHA           DH         Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA              not a/v
 x87     DHE-DSS-CAMELLIA256-SHA           DH         Camellia    256      TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA              not a/v
 xc043   DHE-DSS-ARIA256-CBC-SHA384        DH         ARIA        256      TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384               not a/v
 xc045   DHE-RSA-ARIA256-CBC-SHA384        DH         ARIA        256      TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384               not a/v
 xc049   ECDHE-ECDSA-ARIA256-CBC-SHA384    ECDH       ARIA        256      TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384           not a/v
 xc04d   ECDHE-RSA-ARIA256-CBC-SHA384      ECDH       ARIA        256      TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384             not a/v
 xc053   DHE-RSA-ARIA256-GCM-SHA384        DH         ARIAGCM     256      TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384               not a/v
 xc057   DHE-DSS-ARIA256-GCM-SHA384        DH         ARIAGCM     256      TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384               not a/v
 xc05d   ECDHE-ECDSA-ARIA256-GCM-SHA384    ECDH       ARIAGCM     256      TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384           not a/v
 xc061   ECDHE-ARIA256-GCM-SHA384          ECDH       ARIAGCM     256      TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384             not a/v
 xc07d   -                                 DH         CamelliaGCM 256      TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384           not a/v
 xc081   -                                 DH         CamelliaGCM 256      TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384           not a/v
 xc087   -                                 ECDH       CamelliaGCM 256      TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384       not a/v
 xc08b   -                                 ECDH       CamelliaGCM 256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384         not a/v
 x1301   TLS_AES_128_GCM_SHA256            any        AESGCM      128      TLS_AES_128_GCM_SHA256                             not a/v
 x1304   TLS_AES_128_CCM_SHA256            any        AESCCM      128      TLS_AES_128_CCM_SHA256                             not a/v
 x1305   TLS_AES_128_CCM_8_SHA256          any        AESCCM8     128      TLS_AES_128_CCM_8_SHA256                           not a/v
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH       AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              not a/v
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH       AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            not a/v
 xc027   ECDHE-RSA-AES128-SHA256           ECDH       AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              not a/v
 xc023   ECDHE-ECDSA-AES128-SHA256         ECDH       AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256            not a/v
 xc013   ECDHE-RSA-AES128-SHA              ECDH       AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 not a/v
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH       AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA               not a/v
 xa2     DHE-DSS-AES128-GCM-SHA256         DH         AESGCM      128      TLS_DHE_DSS_WITH_AES_128_GCM_SHA256                not a/v
 x9e     DHE-RSA-AES128-GCM-SHA256         DH         AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                not a/v
 xc0ae   ECDHE-ECDSA-AES128-CCM8           ECDH       AESCCM8     128      TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8                 not a/v
 xc0ac   ECDHE-ECDSA-AES128-CCM            ECDH       AESCCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_CCM                   not a/v
 xc0a2   DHE-RSA-AES128-CCM8               DH         AESCCM8     128      TLS_DHE_RSA_WITH_AES_128_CCM_8                     not a/v
 xc09e   DHE-RSA-AES128-CCM                DH         AESCCM      128      TLS_DHE_RSA_WITH_AES_128_CCM                       not a/v
 x67     DHE-RSA-AES128-SHA256             DH         AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                not a/v
 x40     DHE-DSS-AES128-SHA256             DH         AES         128      TLS_DHE_DSS_WITH_AES_128_CBC_SHA256                not a/v
 x33     DHE-RSA-AES128-SHA                DH         AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   not a/v
 x32     DHE-DSS-AES128-SHA                DH         AES         128      TLS_DHE_DSS_WITH_AES_128_CBC_SHA                   not a/v
 xc076   ECDHE-RSA-CAMELLIA128-SHA256      ECDH       Camellia    128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256         not a/v
 xc072   ECDHE-ECDSA-CAMELLIA128-SHA256    ECDH       Camellia    128      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256       not a/v
 xbe     DHE-RSA-CAMELLIA128-SHA256        DH         Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256           not a/v
 xbd     DHE-DSS-CAMELLIA128-SHA256        DH         Camellia    128      TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256           not a/v
 x9a     DHE-RSA-SEED-SHA                  DH         SEED        128      TLS_DHE_RSA_WITH_SEED_CBC_SHA                      not a/v
 x99     DHE-DSS-SEED-SHA                  DH         SEED        128      TLS_DHE_DSS_WITH_SEED_CBC_SHA                      not a/v
 x45     DHE-RSA-CAMELLIA128-SHA           DH         Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA              not a/v
 x44     DHE-DSS-CAMELLIA128-SHA           DH         Camellia    128      TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA              not a/v
 xc042   DHE-DSS-ARIA128-CBC-SHA256        DH         ARIA        128      TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256               not a/v
 xc044   DHE-RSA-ARIA128-CBC-SHA256        DH         ARIA        128      TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256               not a/v
 xc048   ECDHE-ECDSA-ARIA128-CBC-SHA256    ECDH       ARIA        128      TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256           not a/v
 xc04c   ECDHE-RSA-ARIA128-CBC-SHA256      ECDH       ARIA        128      TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256             not a/v
 xc052   DHE-RSA-ARIA128-GCM-SHA256        DH         ARIAGCM     128      TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256               not a/v
 xc056   DHE-DSS-ARIA128-GCM-SHA256        DH         ARIAGCM     128      TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256               not a/v
 xc05c   ECDHE-ECDSA-ARIA128-GCM-SHA256    ECDH       ARIAGCM     128      TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256           not a/v
 xc060   ECDHE-ARIA128-GCM-SHA256          ECDH       ARIAGCM     128      TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256             not a/v
 xc07c   -                                 DH         CamelliaGCM 128      TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256           not a/v
 xc080   -                                 DH         CamelliaGCM 128      TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256           not a/v
 xc086   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256       not a/v
 xc08a   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256         not a/v
 Elliptic curves offered:     secp384r1 secp521r1 X448
 TLS 1.2 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224
 TLS 1.3 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
 Testing server defaults (Server Hello)
 TLS extensions (standard)    "server name/#0" "max fragment length/#1" "status request/#5" "supported_groups/#10" "EC point formats/#11"
                              "application layer protocol negotiation/#16" "extended master secret/#23" "supported versions/#43" "key share/#51"
                              "renegotiation info/#65281"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID: yes
 TLS clock skew               Random values, no fingerprinting possible
 Certificate Compression      none
 Client Authentication        none
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 4096 bits (exponent is 65537)
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial                       1230B34459C6F27FA9BCD2 (OK: length 11)
 Fingerprints                 SHA1 1A8BD98862771602E7DD46B742FB66D6C03E622E
                              SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
 Common Name (CN)             coresecret.dev
 subjectAltName (SAN)         coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
 Trust (hostname)             Ok via SAN and CN (same w/o SNI)
 Chain of trust               Ok
 EV cert (experimental)       no
 Certificate Validity (UTC)   174 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
 ETS/"eTLS", visibility info  not present
 In pwnedkeys.com DB          not in database
 Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
 OCSP URI                     http://ocsp.buypass.com, not revoked
 OCSP stapling                offered, not revoked
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered
 Certificate Transparency     yes (certificate extension)
 Certificates provided        2
 Issuer                       Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
 Intermediate cert validity   #1: ok > 40 days (2027-05-23 12:57). Buypass Class 2 CA 5 <-- Buypass Class 2 Root CA
 Intermediate Bad OCSP (exp.) Ok
 Testing HTTP header response @ "/"
 HTTP Status Code             301 Moved Permanently, redirecting to "https://git.coresecret.dev"
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    730 days=63072000 s, includeSubDomains, preload
 Public Key Pinning           --
 Server banner                nginx
 Application banner           --
 Cookie(s)                    (none issued at "/") -- maybe better try target URL of 30x
 Security headers             X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Expect-CT: max-age=86400, enforce
                              Permissions-Policy: interest-cohort=()
                              Cross-Origin-Opener-Policy: same-origin
                              Cross-Origin-Resource-Policy: same-origin
                              Cross-Origin-Embedder-Policy: require-corp
                              X-XSS-Protection: 1; mode=block
                              Permissions-Policy: interest-cohort=()
                              Referrer-Policy: same-origin
                              Cache-Control: no-cache
 Reverse Proxy banner         --
 Testing vulnerabilities
 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session ticket extension
 ROBOT                                     Server does not support any cipher suites that use RSA key transport
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
 Running client simulations (HTTP) via sockets
 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
 ------------------------------------------------------------------------------------------------
 Android 7.0 (native)         No connection
 Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
 Android 9.0 (native)         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 11/12 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 13/14 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Chrome 101 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Firefox 100 (Win 10)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Firefox 137 (Win 11)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 IE 8 Win 7                   No connection
 IE 11 Win 7                  No connection
 IE 11 Win 8.1                No connection
 IE 11 Win Phone 8.1          No connection
 IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
 Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
 Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Edge 133 Win 11 23H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Safari 18.4 (iOS 18.4)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Safari 18.4 (macOS 15.4)     TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Java 7u25                    No connection
 Java 8u442 (OpenJDK)         TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 Java 21.0.6 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 go 1.17.8                    TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 LibreSSL 3.3.6 (macOS)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
 OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 OpenSSL 3.0.15 (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 OpenSSL 3.5.0 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
 Thunderbird (91.9)           TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Rating (experimental)
 Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
 Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  100 (30)
 Key Exchange     (weighted)  100 (30)
 Cipher Strength  (weighted)  100 (40)
 Final Score                  100
 Overall Grade                A+
 Done 2025-06-02 18:05:51 [  95s] -->> 152.53.110.40:443 (coresecret.dev) <<--
 ````
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1,21 @@
 ---
 gitea: none
 include_toc: true
 ---
 # 1. RFC I-D draft-weidner-catalog-rr-ext
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
 **Build**: V1.00.128.2025.06.03<br>
 # 2. Centurion Net - Developer Branch Overview
 This is an automatically generated overview of the secure ``Centurion Net`` Developer Branch.
 ![Centurion Net](/docs/graphviz/ciss.developer.branch.png)
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1,27 @@
 ---
 gitea: none
 include_toc: true
 ---
 # 1. RFC I-D draft-weidner-catalog-rr-ext
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
 **Build**: V1.00.128.2025.06.03<br>
 # 2. Contributing / participating
 Contributing / participating is always welcome!
 Please note the following:
 * If you have something new and/or bigger that you like to contribute, better open an issue first before you get frustrated.
 * Please **one** pull request per feature or bug fix or improvement. Please do not mix issues.
 * Documentation pays off in the long run. So please document your code, and the pull request and/or commit message.
 For questions, open an issue. Thanks for reading this!
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1,29 @@
 ---
 gitea: none
 include_toc: true
 ---
 # 1. RFC I-D draft-weidner-catalog-rr-ext
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
 **Build**: V1.00.128.2025.06.03<br>
 # 2. Credits
 ## 2.2. Authors
 ## 2.3. Contributors
 ### X
 I would like to express my sincere gratitude to Mr., Who-wants-to-live-forever, for his gracious support and insightful and profound criticism.
 ### Ζ
 * Zimnol, André H.; Private Contributor
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1,123 @@
 # SPDX-License-Identifier: CC0-1.0
 Creative Commons Legal Code
 CC0 1.0 Universal
    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
    HEREUNDER.
 Statement of Purpose
 The laws of most jurisdictions throughout the world automatically confer
 exclusive Copyright and Related Rights (defined below) upon the creator
 and subsequent owner(s) (each and all, an "owner") of an original work of
 authorship and/or a database (each, a "Work").
 Certain owners wish to permanently relinquish those rights to a Work for
 the purpose of contributing to a commons of creative, cultural and
 scientific works ("Commons") that the public can reliably and without fear
 of later claims of infringement build upon, modify, incorporate in other
 works, reuse and redistribute as freely as possible in any form whatsoever
 and for any purposes, including without limitation commercial purposes.
 These owners may contribute to the Commons to promote the ideal of a free
 culture and the further production of creative, cultural and scientific
 works, or to gain reputation or greater distribution for their Work in
 part through the use and efforts of others.
 For these and/or other purposes and motivations, and without any
 expectation of additional consideration or compensation, the person
 associating CC0 with a Work (the "Affirmer"), to the extent that he or she
 is an owner of Copyright and Related Rights in the Work, voluntarily
 elects to apply CC0 to the Work and publicly distribute the Work under its
 terms, with knowledge of his or her Copyright and Related Rights in the
 Work and the meaning and intended legal effect of CC0 on those rights.
 1. Copyright and Related Rights. A Work made available under CC0 may be
 protected by copyright and related or neighboring rights ("Copyright and
 Related Rights"). Copyright and Related Rights include, but are not
 limited to, the following:
  i. the right to reproduce, adapt, distribute, perform, display,
     communicate, and translate a Work;
 ii. moral rights retained by the original author(s) and/or performer(s);
 iii. publicity and privacy rights pertaining to a person's image or
     likeness depicted in a Work;
 iv. rights protecting against unfair competition in regards to a Work,
     subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data
     in a Work;
 vi. database rights (such as those arising under Directive 96/9/EC of the
     European Parliament and of the Council of 11 March 1996 on the legal
     protection of databases, and under any national implementation
     thereof, including any amended or successor version of such
     directive); and
 vii. other similar, equivalent or corresponding rights throughout the
     world based on applicable law or treaty, and any national
     implementations thereof.
 2. Waiver. To the greatest extent permitted by, but not in contravention
 of, applicable law, Affirmer hereby overtly, fully, permanently,
 irrevocably and unconditionally waives, abandons, and surrenders all of
 Affirmer's Copyright and Related Rights and associated claims and causes
 of action, whether now known or unknown (including existing as well as
 future claims and causes of action), in the Work (i) in all territories
 worldwide, (ii) for the maximum duration provided by applicable law or
 treaty (including future time extensions), (iii) in any current or future
 medium and for any number of copies, and (iv) for any purpose whatsoever,
 including without limitation commercial, advertising or promotional
 purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
 member of the public at large and to the detriment of Affirmer's heirs and
 successors, fully intending that such Waiver shall not be subject to
 revocation, rescission, cancellation, termination, or any other legal or
 equitable action to disrupt the quiet enjoyment of the Work by the public
 as contemplated by Affirmer's express Statement of Purpose.
 3. Public License Fallback. Should any part of the Waiver for any reason
 be judged legally invalid or ineffective under applicable law, then the
 Waiver shall be preserved to the maximum extent permitted taking into
 account Affirmer's express Statement of Purpose. In addition, to the
 extent the Waiver is so judged Affirmer hereby grants to each affected
 person a royalty-free, non transferable, non sublicensable, non exclusive,
 irrevocable and unconditional license to exercise Affirmer's Copyright and
 Related Rights in the Work (i) in all territories worldwide, (ii) for the
 maximum duration provided by applicable law or treaty (including future
 time extensions), (iii) in any current or future medium and for any number
 of copies, and (iv) for any purpose whatsoever, including without
 limitation commercial, advertising or promotional purposes (the
 "License"). The License shall be deemed effective as of the date CC0 was
 applied by Affirmer to the Work. Should any part of the License for any
 reason be judged legally invalid or ineffective under applicable law, such
 partial invalidity or ineffectiveness shall not invalidate the remainder
 of the License, and in such case Affirmer hereby affirms that he or she
 will not (i) exercise any of his or her remaining Copyright and Related
 Rights in the Work or (ii) assert any associated claims and causes of
 action with respect to the Work, in either case contrary to Affirmer's
 express Statement of Purpose.
 4. Limitations and Disclaimers.
 a. No trademark or patent rights held by Affirmer are waived, abandoned,
    surrendered, licensed or otherwise affected by this document.
 b. Affirmer offers the Work as-is and makes no representations or
    warranties of any kind concerning the Work, express, implied,
    statutory or otherwise, including without limitation warranties of
    title, merchantability, fitness for a particular purpose, non
    infringement, or the absence of latent or other defects, accuracy, or
    the present or absence of errors, whether or not discoverable, all to
    the greatest extent permissible under applicable law.
 c. Affirmer disclaims responsibility for clearing rights of other persons
    that may apply to the Work or any use thereof, including without
    limitation any person's Copyright and Related Rights in the Work.
    Further, Affirmer disclaims responsibility for obtaining any necessary
    consents, permissions or other rights required for any use of the
    Work.
 d. Affirmer understands and acknowledges that Creative Commons is not a
    party to this document and has no duty or obligation with respect to
    this CC0 or use of the Work.
@@ -0,0 +1,256 @@
 # SPDX-License-Identifier: EUPL-1.2
 EUPL-1.2
 EUROPEAN UNION PUBLIC LICENCE v. 1.2
 EUPL © the European Union 2007, 2016
 This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
 terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
 a use is covered by a right of the copyright holder of the Work).
 The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
 notice immediately following the copyright notice for the Work:
                          Licensed under the EUPL
 or has expressed by any other means his willingness to license under the EUPL.
 1.Definitions
 In this Licence, the following terms have the following meaning:
 — 'The Licence':this Licence.
 — 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
 as Source Code and also as Executable Code as the case may be.
 — 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
 modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
 required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
 the country mentioned in Article 15.
 — 'The Work':the Original Work or its Derivative Works.
 — 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and
 modify.
 — 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
 a computer as a program.
 — 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
 — 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
 the creation of a Derivative Work.
 — 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
 Licence.
 — 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
 transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
 functionalities at the disposal of any other natural or legal person.
 2.Scope of the rights granted by the Licence
 The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
 the duration of copyright vested in the Original Work:
 — use the Work in any circumstances and for all usage,
 — reproduce the Work,
 — modify the Work and make Derivative Works based upon the Work,
 — communicate to the public, including the right to make available or display the Work or copies thereof to the public
 and perform publicly, as the case may be, the Work,
 — distribute the Work or copies thereof,
 — lend and rent the Work or copies thereof,
 — sublicense rights in the Work or copies thereof.
 Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the
 applicable law permits so.
 In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
 by law in order to make effective the licence of the economic rights here above listed.
 The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
 extent necessary to make use of the rights granted on the Work under this Licence.
 3.Communication of the Source Code
 The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as
 Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
 each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
 the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
 distribute or communicate the Work.
 4.Limitations on copyright
 Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
 exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
 thereto.
 5.Obligations of the Licensee
 The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
 obligations are the following:
 Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
 the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
 Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
 to carry prominent notices stating that the Work has been modified and the date of modification.
 Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
 Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
 the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
 'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
 Work or Derivative Work that alter or restrict the terms of the Licence.
 Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
 the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
 under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
 in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
 his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
 The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
 a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
 for as long as the Licensee continues to distribute or communicate the Work.
 Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
 of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
 reproducing the content of the copyright notice.
 6.Chain of Authorship
 The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
 licensed to him/her and that he/she has the power and authority to grant the Licence.
 Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
 licensed to him/her and that he/she has the power and authority to grant the Licence.
 Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
 to the Work, under the terms of this Licence.
 7.Disclaimer of Warranty
 The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
 and may therefore contain defects or 'bugs' inherent to this type of development.
 For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
 concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
 errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
 Licence.
 This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
 8.Disclaimer of Liability
 Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
 liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
 Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
 of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
 the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
 9.Additional agreements
 While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
 consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
 responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
 defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
 the fact You have accepted any warranty or additional liability.
 10.Acceptance of the Licence
 The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
 displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
 applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
 and conditions.
 Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
 by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
 or Communication by You of the Work or copies thereof.
 11.Information to the public
 In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
 by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
 must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
 and the way it may be accessible, concluded, stored, and reproduced by the Licensee.
 12.Termination of the Licence
 The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
 of the Licence.
 Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
 the Licence, provided such persons remain in full compliance with the Licence.
 13.Miscellaneous
 Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
 Work.
 If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
 enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
 and enforceable.
 The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
 the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
 New versions of the Licence will be published with a unique version number.
 All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
 advantage of the linguistic version of their choice.
 14.Jurisdiction
 Without prejudice to specific agreement between parties,
 — any litigation resulting from the interpretation of this License, arising between the European Union institutions,
 bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
 of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
 — any litigation arising between other parties and resulting from the interpretation of this License will be subject to
 the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
 15.Applicable Law
 Without prejudice to specific agreement between parties,
 — this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
 resides, or has his registered office
 — this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
 a European Union Member State.
                                                         Appendix
 'Compatible Licences' according to Article 5 EUPL are:
 — GNU General Public License (GPL) v. 2, v. 3
 — GNU Affero General Public License (AGPL) v. 3
 — Open Software License (OSL) v. 2.1, v. 3.0
 — Eclipse Public License (EPL) v. 1.0
 — CeCILL v. 2.0, v. 2.1
 — Mozilla Public Licence (MPL) v. 2
 — GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
 — Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
 — European Union Public Licence (EUPL) v. 1.1, v. 1.2
 — Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
 The European Commission may update this Appendix to later versions of the above licences without producing
 a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
 covered Source Code from exclusive appropriation.
 All other changes or additions to this Appendix require the production of a new EUPL version.
@@ -0,0 +1,155 @@
 // SPDX-Version: 3.0
 // SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 // SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 // SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 // SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 // SPDX-FileType: SOURCE
 // SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 // SPDX-Comment: This file is part of the CISS.debian.installer.secure framework.
 // SPDX-PackageName: CISS.debian.live.builder
 // SPDX-Security-Contact: security@coresecret.eu
 digraph CISS_debian_live_builder {
    // -----------------------------
    // General settings
    // -----------------------------
    graph [
        fontsize=10,
        splines=ortho,
        rankdir=LR,
        nodesep=0.6,
        ranksep=0.8
    ];
    node [fontname="Helvetica"];
    // -----------------------------
    // KNOTS: Internet clouds (NOT in a cluster)
    // -----------------------------
    InternetLeft [shape=oval, style=filled, fillcolor=lightblue, label="Internet"];
    InternetTLS  [shape=oval, style=filled, fillcolor=lightblue, label="TLS/HTTPS"];
    // -----------------------------
    // KNOTS: Jump Host (integrated into cluster_overall)
    // -----------------------------
    Jump_Host [shape=diamond, style=filled, fillcolor=green, label="Jump Host"];
    // -----------------------------
    // KNOTS: Hidden master (in cluster_hm)
    // -----------------------------
    Hidden_Master [shape=cylinder, style=filled, fillcolor=lavender, label="Hidden-Master"];
    // -----------------------------
    // KNOTS: Nameserver (in cluster_ns)
    // -----------------------------
    ns00 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns00.eddns.eu"];
    ns01 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns01.eddns.eu"];
    ns02 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns02.eddns.de"];
    ns03 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns03.eddns.de"];
    ns_anchor [shape=point, style=invis, width=0];  // unsichtbarer Anker für DNSSEC-Pfeile
    // -----------------------------
    // KNOTS: B-Server (in cluster_B_small & cluster_B_big)
    // -----------------------------
    git [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="git.coresecret.dev"];
    run [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="run.coresecret.dev"];
    lab [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="lab.coresecret.dev"];
    b_small_anchor [shape=point, style=invis, width=0];  // Anker für kleines B-Cluster
    b_big_anchor   [shape=point, style=invis, width=0];  // Anker für großes B-Cluster
    // -----------------------------
    // KNOTS: "cloud.e2ee.li" (in cluster_cloud)
    // -----------------------------
    cloud        [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="cloud.e2ee.li"];
    cloud_anchor [shape=point,    style=invis,  width=0];  // Anker für cloud-Cluster
    // -----------------------------
    // CLUSTER: Entire system (except Internet clouds)
    // -----------------------------
    subgraph cluster_overall {
        label="SSH-Pub-Key, 2FA, No-Root-Login, aes256-gcm@openssh.com, (No ChaCha) only";
        style=solid;
        color=red;
        // ---- Integrate jump host into outer rectangle ----
        Jump_Host;
        // ---- Cluster: name server group ----
        subgraph cluster_ns {
            label="";
            style=dashed;
            color=red;
            ns00;
            ns01;
            ns02;
            ns03;
            ns_anchor;
        }
        // ---- Cluster: Hidden-Master ----
        subgraph cluster_hm {
            label="";
            style=dashed;
            color=red;
            Hidden_Master;
        }
        // ---- Cluster: TLS/HTTPS group (contains B-Cluster and cloud) ----
        subgraph cluster_tls_group {
            label="TLSv1.2 || TLSv1.3 ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 & ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256";
            style=dashed;
            color=red;
            // ---- Cluster: Outer rectangle around all B nodes (lab + small rectangle) ----
            subgraph cluster_B_big {
                label="";
                style=dashed;
                color=red;
                lab;
                b_big_anchor;
                // ---- Cluster: B a) and c) (small rectangle around git and run) ----
                subgraph cluster_B_small {
                    label="";
                    style=dashed;
                    color=red;
                    git;
                    run;
                    b_small_anchor;
                }
            }
            // ---- Cluster: "cloud.e2ee.li" ----
            subgraph cluster_cloud {
                label="HA: LVM on RAID6 on dm-crypt incl. dm-integrity";
                style=dashed;
                color=red;
                cloud;
                cloud_anchor;
            }
        }
    }
    // -----------------------------
    // EDGES
    // -----------------------------
    // Left: Internet → Jump Host
    InternetLeft -> Jump_Host [color=green];
    // Jump Host → Hidden-Master
    Jump_Host -> Hidden_Master [color=green];
    // Hidden-Master → Name servers (each green with the label “HMAC SHA512”)
    Hidden_Master -> ns00 [color=green, label="HMAC SHA512"];
    Hidden_Master -> ns01 [color=green, label="HMAC SHA512"];
    Hidden_Master -> ns02 [color=green, label="HMAC SHA512"];
    Hidden_Master -> ns03 [color=green, label="HMAC SHA512"];
    // Red arrows “DNSSEC” from name server cluster (ns_anchor) → B cluster (b_big_anchor)
    ns_anchor -> b_big_anchor [color=red, label="DNSSEC"];
    // Red arrow “DNSSEC” from nameserver cluster (ns_anchor) → cloud cluster (cloud_anchor)
    ns_anchor -> cloud_anchor [color=red, label="DNSSEC"];
    // Red arrows from TLS Internet → B-Cluster and cloud
    InternetTLS -> b_big_anchor [color=red];
    InternetTLS -> cloud_anchor [color=red];
 }