DEPLOY BOT: 🔁 Auto-Generate PDFs from *.rfc.xml. [skip ci]

X-CI-Metadata: master@47b20f7 at 2025-06-06T17:04:41Z on be9158e29fc7

Generated at: 2025-06-06T17:04:41Z
Runner Host : be9158e29fc7
Workflow ID : 🔁 Render RFCXML to PDF.
Git Commit  : 47b20f7 HEAD → master

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V1.00.128.2025.06.03
+### Version Master V1.01.192.2025.06.06
 
 name: Render README.md to README.html.
 
@@ -150,6 +150,15 @@ jobs:
               -o "${out}"
           done
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -168,6 +177,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 0
-  version: Master V1.00.128.2025.06.03
+  version: Master V1.01.192.2025.06.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/linter_char_scripts.yaml

@@ -0,0 +1,371 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V1.01.192.2025.06.06
+
+# Gitea Workflow: Shell-Script Linting
+#
+# This workflow scans all '*.sh', '*.zsh', '*.chroot' and all files with Shebang (#!) for:
+# 1. Windows CRLF line endings
+# 2. unauthorized control characters (C0 control characters except \t, \n)
+# 3. non-ASCII (ambiguous UTF) characters
+#
+# Findings are collected and at the end of the run with file, line number,
+# and the respective character in the Runner output.
+
+name: 🛡️ Shell Script Linting
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  shell-script-linter:
+    name: 🛡️ Shell Script Linting
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/draft-weidner-catalog-rr-ext.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          set -euo pipefail
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Convert APT sources to HTTPS.
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
+
+      - name: 🛠️ Install dependencies.
+        shell: bash
+        run: |
+          ### Install grep with Perl-regex support, falls noch nicht vorhanden
+          apt-get update
+          apt-get upgrade -y
+          apt-get install -y grep
+
+      - name: 🔍 Lint shell scripts
+        shell: bash
+        run: |
+          # -------------------------------
+          # STEP 1: Find target files.
+          #
+          # We capture:
+          # - All files '*.sh', '*.rfc.xml'
+          # - All files whose first line begins with "#!" (shebang)
+          # -------------------------------
+          mapfile -t files_to_check < <(
+            find . \
+              -path './.git' -prune -o \
+              -type f \( \
+                -iname '*.sh' -o \
+                -iname '*.rfc.xml' -o \
+                -exec grep -Iq '^#!' {} \; \
+              \) -print
+          )
+
+          # -------------------------------
+          # STEP 2: Regex definitions
+          #
+          # - CRLF_REGEX             Carriage Return (\r) for Windows CRLF
+          # - CTRL_REGEX             C0 control characters except Tab (\x09) and Newline (\x0A)
+          #                          Range: [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
+          # - NON_ASCII_REGEX        All bytes > 0x7F
+          # - EMOJI_REGEX            Emoji characters in the ranges:
+          #   - \x{1F300}-\x{1F5FF}  Miscellaneous Symbols & Pictographs
+          #   - \x{1F600}-\x{1F64F}  Emoticons
+          #   - \x{1F680}-\x{1F6FF}  Transport & Map Symbols
+          #   - \x{1F900}-\x{1F9FF}  Supplemental Symbols & Pictographs
+          #   - \x{2600}-\x{26FF}    Miscellaneous Symbols
+          #   - \x{2700}-\x{27BF}    Dingbats
+          # - BAD_WHITESPACE_REGEX   All whitespace characters except ASCII space (U+0020)
+          #   - Tab (\x09)
+          #   - No-Break Space (\xA0)
+          #   - U+1680, U+2000–U+200A, U+202F, U+205F, U+3000
+          # -------------------------------
+          CRLF_REGEX=$'\r'
+          CTRL_REGEX='[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]'
+          NON_ASCII_REGEX='[^\x00-\x7F]'
+          EMOJI_REGEX='[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}]'
+          BAD_WHITESPACE_REGEX='[\x09\xA0\x{1680}\x{2000}-\x{200A}\x{202F}\x{205F}\x{3000}]'
+
+          # -------------------------------
+          # STEP 3: Accumulator for findings
+          # -------------------------------
+          findings=""
+
+          # -------------------------------
+          # STEP 4: Perform all checks for each file
+          # -------------------------------
+          for file in "${files_to_check[@]}"; do
+            #
+            # 4.1: CRLF detection
+            #      grep -nP returns "lineno:<Line-with-CRLF>"
+            # -------------------------------
+            while IFS=: read -r lineno _rest; do
+              findings+="${file}: CRLF-found at line ${lineno}: <CR>"$'\n'
+            done < <(grep -nP "${CRLF_REGEX}" "${file}" || true)
+
+            #
+            # 4.2: Unauthorized control characters
+            #      grep -nP -o returns "lineno:<matched-char>"
+            # -------------------------------
+            while IFS=: read -r lineno char; do
+              findings+="${file}: control-char at line ${lineno}: ${char}"$'\n'
+            done < <(grep -nP -o "${CTRL_REGEX}" "${file}" || true)
+
+            #
+            # 4.3: Non-ASCII-characters
+            #      grep -nP -o returns "lineno:<matched-char>"
+            # -------------------------------
+            while IFS=: read -r lineno char; do
+              findings+="${file}: non-ascii at line ${lineno}: ${char}"$'\n'
+            done < <(grep -nP -o "${NON_ASCII_REGEX}" "${file}" || true)
+
+            #
+            # 4.4: emoji recognition
+            #      grep -nP -o returns "lineno:<matched-char>"
+            # -------------------------------
+            while IFS=: read -r lineno char; do
+              findings+="${file}: emoji-found at line ${lineno}: ${char}"$'\n'
+            done < <(grep -nP -o "${EMOJI_REGEX}" "${file}" || true)
+
+            #
+            # 4.5: Unauthorized spaces (whitespace except ASCII space)
+            #      grep -nP -o returns "lineno:<matched-char>"
+            # -------------------------------
+            while IFS=: read -r lineno char; do
+              # Make visible: Tab -> <TAB>, NBSP -> <NBSP>, other U+xxxx -> <U+xxxx>
+              # We are creating a simple representation here by replacing unprintable
+              # characters with their Unicode code points.
+              # Example: ${char} could be "\t", we convert it to "<TAB>".
+              if [[ "${char}" == $'\t' ]]; then
+                display="<TAB>"
+              elif [[ "${char}" == $'\xA0' ]]; then
+                display="<NBSP>"
+              else
+                # Convert other Unicode whitespace to <U+XXXX>
+                hex=$(printf '%04X' "'${char}")
+                display="<U+${hex}>"
+              fi
+              findings+="${file}: bad-whitespace at line ${lineno}: ${display}"$'\n'
+            done < <(grep -nP -o "${BAD_WHITESPACE_REGEX}" "${file}" || true)
+          done
+
+          # -------------------------------
+          # STEP 5: Output results
+          # -------------------------------
+          if [[ -n "${findings}" ]]; then
+            echo -e "⚠️ Linting issues detected:\n"
+            echo -e "${findings}"
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-06; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          ⚠️ The last linter check was NOT successful. ⚠️
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+          else
+            echo "✅ No issues found in shell scripts or 'rfc.xml'."
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          ✅ The last linter check was successful. ✅
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+          fi
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LINTER_RESULTS.txt"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT: 🛡️ Shell Script Linting [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at: ${TIMESTAMP_UTC}
+          Runner Host : ${HOSTNAME}
+          Workflow ID : ${WORKFLOW_ID}
+          Git Commit  : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/render-dnssec-status.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V1.00.128.2025.06.03
+### Version Master V1.01.192.2025.06.06
 
-name: Retrieve DNSSEC status of coresecret.dev.
+name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 
 permissions:
   contents: write
@@ -25,7 +25,7 @@ on:
 
 jobs:
   build-dnssec-diagram:
-    name: Retrieve DNSSEC status of coresecret.dev.
+    name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
     runs-on: ubuntu-latest
 
     steps:
@@ -127,6 +127,15 @@ jobs:
           dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
           dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -145,6 +154,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -174,7 +192,7 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]
+            COMMIT_MSG="DEPLOY BOT: 🛡️ Auto-Generate DNSSEC Status [skip ci]
 
           ${CI_HEADER}
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V1.00.128.2025.06.03
+### Version Master V1.01.192.2025.06.06
 
-name: Render Graphviz Diagrams.
+name: 🔁 Render Graphviz Diagrams.
 
 permissions:
   contents: write
@@ -26,7 +26,7 @@ on:
 
 jobs:
   build-graphiz-diagrams:
-    name: Render Graphviz Diagrams.
+    name: 🔁 Render Graphviz Diagrams.
     runs-on: ubuntu-latest
 
     steps:
@@ -120,6 +120,15 @@ jobs:
             dot -Tpng "${file}" -o "${out}"
           done
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -138,6 +147,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -167,7 +185,7 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: DEPLOY BOT: Auto-Generate PNG from *.dot. [skip ci]
+            COMMIT_MSG="DEPLOY BOT: 🔁 Auto-Generate PNG from *.dot. [skip ci]
 
           ${CI_HEADER}
 

.gitea/workflows/render-rfcxml-to-pdf.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: draft-weidner-catalog-rr-ext
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V1.00.128.2025.06.03
+### Version Master V1.01.192.2025.06.06
 
-name: Render RFCXML to PDF.
+name: 🔁 Render RFCXML to PDF.
 
 permissions:
   contents: write
@@ -25,7 +25,7 @@ on:
 
 jobs:
   render-rfcxml-to-pdf:
-    name: Render RFCXML to PDF.
+    name: 🔁 Render RFCXML to PDF.
     runs-on: ubuntu-latest
 
     steps:
@@ -121,6 +121,15 @@ jobs:
             xml2rfc "${file}" --pdf -o "${out}"
           done
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -139,6 +148,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -168,7 +186,7 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate PDFs from *.rfc.xml. [skip ci]
+            COMMIT_MSG="DEPLOY BOT: 🔁 Auto-Generate PDFs from *.rfc.xml. [skip ci]
 
           ${CI_HEADER}
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2"
 properties_SPDX-LicenseComment="This file is part of the draft-weidner-catalog-rr-ext framework."
 properties_SPDX-PackageName="draft-weidner-catalog-rr-ext"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V1.00.128.2025.06.03"
+properties_version="V1.01.192.2025.06.06"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

LINTER_RESULTS.txt

@@ -0,0 +1,16 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-06-06T17:04:33Z".
+
+✅ The last linter check was successful. ✅
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -3,7 +3,7 @@ gitea: none
 include_toc: true
 ---
 
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V1.00.128.2025.06.03-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V1.01.192.2025.06.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -22,7 +22,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
-**Build**: V1.00.128.2025.06.03<br>
+**Build**: V1.01.192.2025.06.06<br>
 
 The RFC I-D **draft-weidner-catalog-rr-ext** proposes an extension to the Certification Authority Authorization 
 (CAA) DNS Resource Record (RR) that enables the mandatory or optional binding of Certificate Transparency (CT) 
@@ -58,7 +58,7 @@ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; prelo
 
 * Additionally, the entire zone is dual-signed with **DNSSEC**. See the current **DNSSEC** status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
 * A comprehensive TLS audit of the **`git.coresecret.dev`** Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
-* The infrastructure of the **`CISS.debian.live.builder`** building system is visualized here. See: **[Centurion Net](/docs/CNET.md)**
+* The infrastructure of the ``Centurion Net`` Developer Branch is visualized here. See: **[Centurion Net](/docs/CNET.md)**
 
 ### 1.1.3. Gitea Action Runner Hardening
 

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
-**Build**: V1.00.128.2025.06.03<br>
+**Build**: V1.01.192.2025.06.06<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_TLS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
-**Build**: V1.00.128.2025.06.03<br>
+**Build**: V1.01.192.2025.06.06<br>
 
 # 2. TLS Audit
 

docs/CHANGELOG.md

@@ -0,0 +1,45 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. RFC I-D draft-weidner-catalog-rr-ext
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*RFC I-D draft-weidner-catalog-rr-ext*<br>
+**Master Version**: 1.00<br>
+**Build**: V1.01.192.2025.06.06<br>
+
+# 2. Changelog
+
+## V1.01.192.2025.06.06
+
+* Updated workflows: 
+  1. ``git stash push``
+  2. ``git fetch origin master``
+  3. ``git merge --no-edit origin/master``
+  4. ``git stash pop``
+* Added basic linter checks for:
+  * **``*.sh``**,
+  * **``*.rfc.xml``**,
+  * all files with Shebang **``#``**! for:
+    * Carriage Return (\r) for Windows CRLF 
+    * C0 control characters except Tab (\x09) and Newline (\x0A) 
+    * Range: [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
+    * All bytes > 0x7F
+    * Emoji characters in the ranges:
+      * \x{1F300}-\x{1F5FF} Miscellaneous Symbols & Pictographs
+      * \x{1F600}-\x{1F64F} Emoticons
+      * \x{1F680}-\x{1F6FF} Transport & Map Symbols
+      * \x{1F900}-\x{1F9FF} Supplemental Symbols & Pictographs
+      * \x{2600}-\x{26FF}   Miscellaneous Symbols
+      * \x{2700}-\x{27BF}   Dingbats
+    * All whitespace characters except ASCII space (U+0020)
+    * Tab (\x09)
+    * No-Break Space (\xA0)
+    * U+1680, U+2000–U+200A, U+202F, U+205F, U+3000
+  * [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml)
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
-**Build**: V1.00.128.2025.06.03<br>
+**Build**: V1.01.192.2025.06.06<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
-**Build**: V1.00.128.2025.06.03<br>
+**Build**: V1.01.192.2025.06.06<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *RFC I-D draft-weidner-catalog-rr-ext*<br>
 **Master Version**: 1.00<br>
-**Build**: V1.00.128.2025.06.03<br>
+**Build**: V1.01.192.2025.06.06<br>
 
 # 2. Credits
 

docs/graphviz/ciss.developer.branch.dot

@@ -138,15 +138,15 @@ digraph CISS_debian_live_builder {
     // Jump Host → Hidden-Master
     Jump_Host -> Hidden_Master [color=green];
 
-    // Hidden-Master → Name servers (each green with the label “HMAC SHA512”)
+    // Hidden-Master → Name servers (each green with the label "HMAC SHA512")
     Hidden_Master -> ns00 [color=green, label="HMAC SHA512"];
     Hidden_Master -> ns01 [color=green, label="HMAC SHA512"];
     Hidden_Master -> ns02 [color=green, label="HMAC SHA512"];
     Hidden_Master -> ns03 [color=green, label="HMAC SHA512"];
 
-    // Red arrows “DNSSEC” from name server cluster (ns_anchor) → B cluster (b_big_anchor)
+    // Red arrows "DNSSEC" from name server cluster (ns_anchor) → B cluster (b_big_anchor)
     ns_anchor -> b_big_anchor [color=red, label="DNSSEC"];
-    // Red arrow “DNSSEC” from nameserver cluster (ns_anchor) → cloud cluster (cloud_anchor)
+    // Red arrow "DNSSEC" from nameserver cluster (ns_anchor) → cloud cluster (cloud_anchor)
     ns_anchor -> cloud_anchor [color=red, label="DNSSEC"];
 
     // Red arrows from TLS Internet → B-Cluster and cloud

draft-weidner-catalog-rr-ext-00.rfc.xml

@@ -41,7 +41,7 @@
       </address>
     </author>
 
-    <date year="2025" month="06" day="03"/>
+    <date year="2025" month="06" day="06"/>
 
     <area>General</area>
     <workgroup>Internet Engineering Task Force</workgroup>
@@ -102,7 +102,7 @@
         <t>Certification Authority Authorization (CAA)
           <xref target="RFC8659"/>
           RRs empower domain owners
-          to specify, via DNS<xref target="RFC1035"/>, which Certificate Authorities (CAs) in a
+          to specify, via DNS <xref target="RFC1035"/>, which Certificate Authorities (CAs) in a
           Public Key Infrastructure
           <xref target="RFC5280"/>
           may or may not issue Certificates for their domains.
@@ -212,11 +212,11 @@
         </section>
         <section>
           <name>CAA Certificate Transparency Strict Transport Security (CAA-CT-STS)</name>
-          <t>CAA-CT-STS,<xref target="caa_ct_sts"/>, is a policy framework
+          <t>CAA-CT-STS, <xref target="caa_ct_sts"/>, is a policy framework
             that combines the mechanisms of CAA, CT, and MTA-STS
             by which a domain holder can publish Certificate-Transparency enforcement
             requirements alongside CA Authorization (CAA) over a second secured channel.
-            It mirrors the approach of SMTP MTA-STS<xref target="RFC8461"/>, using DNS TXT RR, a specific
+            It mirrors the approach of SMTP MTA-STS <xref target="RFC8461"/>, using DNS TXT RR, a specific
             subdomain and an HTTPS only served policy file.
             A special DNS TXT record <strong>"_caa-ct-sts"</strong>
             <xref target="caa_ct_sts_txt"/>
@@ -230,19 +230,19 @@
         </section>
         <section>
           <name>Operational discussions</name>
-          <t>Lastly, practical aspects such as a CA Processing Checklist,<xref target="caa_processing_checklist"/>,
+          <t>Lastly, practical aspects such as a CA Processing Checklist, <xref target="caa_processing_checklist"/>,
-            caching behavior<xref target="dns_ttl"/>, and fallback,<xref target="dnssec_fallback"/>,
+            caching behavior <xref target="dns_ttl"/>, and fallback, <xref target="dnssec_fallback"/>,
             strategies for non-DNSSEC zones are addressed.
             Throughout this document, the framework is referred to by the recursive acronym
             <strong>CATALOG</strong>
             (CATALOG Authorization Transparency And Log Overlay for Graph-based DNS).
           </t>
           <t>The following sections specify the complete syntax and semantics of both of the
-            CAA <strong>"issuect"</strong> Property Tag,<xref target="caa_property"/>, and
+            CAA <strong>"issuect"</strong> Property Tag, <xref target="caa_property"/>, and
-            CAA-CT-STS framework,<xref target="caa_ct_sts"/>,
+            CAA-CT-STS framework, <xref target="caa_ct_sts"/>,
             detail processing rules for CAs and resolvers for both of the
-            CAA <strong>"issuect"</strong> Property Tag,<xref target="issuect_processing"/>, and
+            CAA <strong>"issuect"</strong> Property Tag, <xref target="issuect_processing"/>, and
-            CAA-CT-STS,<xref target="caa_ct_sts_processing"/>, framework.
+            CAA-CT-STS, <xref target="caa_ct_sts_processing"/>, framework.
           </t>
         </section>
       </section>
@@ -258,7 +258,7 @@
           <strong>"RECOMMENDED"</strong>, <strong>"NOT RECOMMENDED"</strong>, <strong>"MAY"</strong>, and
           <strong>"OPTIONAL"</strong>
           in this document are to be interpreted as described in
-          BCP 14<xref target="RFC2119"/>,
+          BCP 14 <xref target="RFC2119"/>,
           <xref target="RFC8174"/>
           when, and only when,
           they appear in all capitals, as shown here.
@@ -281,7 +281,7 @@
               <td align="left">Certification Authority Authorization</td>
               <td align="left">Allows a DNS domain name holder to specify one or more CAs authorized to issue
                 Certificates for that domain name.
-                See:<xref target="RFC8657"/>,<xref target="RFC8659"/>.
+                See: <xref target="RFC8657"/>, <xref target="RFC8659"/>.
               </td>
             </tr>
             <tr>
@@ -289,7 +289,7 @@
               <td align="left">CAA Certificate Transparency Strict Transport Security</td>
               <td align="left">CAA-CT-STS is a policy framework, by which a domain holder can publish
                 Certificate-Transparency enforcement requirements alongside CA authorization (CAA).
-                See:<xref target="caa_ct_sts"/>.
+                See: <xref target="caa_ct_sts"/>.
               </td>
             </tr>
             <tr>
@@ -297,7 +297,7 @@
               <td align="left">CAA-CT-STS Policy File</td>
               <td align="left">The set of rules fetched via HTTPS from the Policy Domains
                 "/.well-known/caa-ct-sts.txt".
-                See:<xref target="caa_ct_sts_policy"/>.
+                See: <xref target="caa_ct_sts_policy"/>.
               </td>
             </tr>
             <tr>
@@ -305,7 +305,7 @@
               <td align="left">CATALOG Authorization Transparency And Log Overlay for Graph-based DNS</td>
               <td align="left">A Proposal to enrich DNS-based CAA RRs with Certificate Transparency URI
                 bindings.
-                This document:<xref target="URI1"/>.
+                This document: <xref target="URI1"/>.
               </td>
             </tr>
             <tr>
@@ -323,7 +323,7 @@
               <td align="left">CP</td>
               <td align="left">Certificate Policy</td>
               <td align="left">Specifies the criteria that a CA undertakes to meet in its issue of Certificates.
-                See:<xref target="RFC3647"/>.
+                See: <xref target="RFC3647"/>.
               </td>
             </tr>
             <tr>
@@ -331,7 +331,7 @@
               <td align="left">Certification Practices Statement</td>
               <td align="left">Specifies the means by which the criteria of the CP are met.
                 In most cases, this will be the document against which the operations of the CA are audited.
-                See:<xref target="RFC3647"/>.
+                See: <xref target="RFC3647"/>.
               </td>
             </tr>
             <tr>
@@ -339,7 +339,7 @@
               <td align="left">Certification Transparency</td>
               <td align="left">Certificate Transparency aims to mitigate the problem of misissued Certificates by
                 providing append-only logs of issued Certificates.
-                See:<xref target="RFC6962"/>,<xref target="RFC9162"/>.
+                See: <xref target="RFC6962"/>,<xref target="RFC9162"/>.
               </td>
             </tr>
             <tr>
@@ -362,14 +362,14 @@
                 <xref target="RFC5246"/>
                 or Datagram Transport Layer Security (DTLS)
                 <xref target="RFC6347"/>
-                transport endpoint. See:<xref target="RFC6698"/>,<xref target="RFC7671"/>.
+                transport endpoint. See: <xref target="RFC6698"/>,<xref target="RFC7671"/>.
               </td>
             </tr>
             <tr>
               <td align="left">DNS</td>
               <td align="left">Domain Name System</td>
               <td align="left">The Internet naming system specified in
-                <xref target="RFC1034"/>,<xref target="RFC1035"/>,<xref target="RFC9499"/>, and any
+                <xref target="RFC1034"/>, <xref target="RFC1035"/>, <xref target="RFC9499"/>, and any
                 revisions to these specifications.
               </td>
             </tr>
@@ -377,7 +377,7 @@
               <td align="left">DNSSEC</td>
               <td align="left">DNS Security Extensions</td>
               <td align="left">Extensions to the DNS that provide authentication services as specified in
-                <xref target="RFC4033"/>,<xref target="RFC4034"/>,<xref target="RFC4035"/>,
+                <xref target="RFC4033"/>, <xref target="RFC4034"/>, <xref target="RFC4035"/>,
                 <xref target="RFC5155"/>,
                 <xref target="RFC9364"/>, and any revisions to these specifications.
               </td>
@@ -407,7 +407,7 @@
               <td align="left">DNS Resource Record</td>
               <td align="left">A particular entry in the DNS, including the owner name, class, type, time to live,
                 and data, as defined in
-                <xref target="RFC1034"/>,<xref target="RFC2181"/>.
+                <xref target="RFC1034"/>, <xref target="RFC2181"/>.
               </td>
             </tr>
           </tbody>
@@ -456,7 +456,7 @@
           </t>
           <t>In addition, <strong>absolute-URI</strong> is defined in
             <eref target="https://www.rfc-editor.org/rfc/rfc3986.html#section-4.3">Section 4.3</eref>
-            of<xref target="RFC3986"/>.
+            of <xref target="RFC3986"/>.
           </t>
           <figure>
             <name>CAA "issuect" Property Tag ABNF Syntax</name>
@@ -545,7 +545,7 @@ b64-string         = 1*( b64-char / "=" )
             <dd>: The parameter name cturi, followed by "=", followed by an uri.</dd>
 
             <dt>uri</dt>
-            <dd>: An absolute URI as defined by<xref target="RFC3986"/>.
+            <dd>: An absolute URI as defined by <xref target="RFC3986"/>.
             </dd>
 
             <dt>logid-param</dt>
@@ -612,15 +612,15 @@ issuect "<issuer-domain>; <critical>; <description>; <validfrom>; <validtill>; <
           </ol>
           <t>Whereas</t>
           <ul spacing="normal" empty="false" indent="2" bare="false">
-            <li>Timestamps are according to<xref target="ISO-8601"/>.
+            <li>Timestamps are according to <xref target="ISO-8601"/>.
             </li>
-            <li>BASE64-encoding is according to<xref target="RFC4648"/>.
+            <li>BASE64-encoding is according to <xref target="RFC4648"/>.
             </li>
-            <li>SHA256-hash is according to<xref target="RFC6234"/>.
+            <li>SHA256-hash is according to <xref target="RFC6234"/>.
             </li>
-            <li>DER-encoding is according to<xref target="X.690"/>.
+            <li>DER-encoding is according to <xref target="X.690"/>.
             </li>
-            <li>ASN.1-format is according to<xref target="X.680"/>.
+            <li>ASN.1-format is according to <xref target="X.680"/>.
             </li>
           </ul>
         </section>
@@ -792,7 +792,7 @@ issuect ";"
             check for the publication of a relevant RRSet.
             Discovery of the relevant RRSet <strong>MUST</strong> be performed according to the algorithm specified in
             <eref target="https://www.rfc-editor.org/rfc/rfc8659#section-3">Section 3</eref>
-            of<xref target="RFC8659"/>.
+            of <xref target="RFC8659"/>.
 
             If the relevant RRSet is empty or does not contain any <strong>"issuect"</strong> Properties,
             it is interpreted that the domain owner has not requested any restrictions regarding the submission
@@ -804,7 +804,7 @@ issuect ";"
 
             The presence of an <strong>"issuect"</strong> Property <strong>MUST NOT</strong> replace or supersede
             the required validation of the domain name as specified by the "issue" or "issuewild" Properties in the
-            CAA RRSet, as outlined in the CAA specification<xref target="RFC8659"/>.
+            CAA RRSet, as outlined in the CAA specification <xref target="RFC8659"/>.
 
             Certification Authorities <strong>MUST</strong> still validate authorization according to the CAA
             "issue" and / or "issuewild" policies.
@@ -1068,7 +1068,7 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
             After fetching, Certification Authorities parse the file as above.
 
             If the HTTP request fails for whatever reason,
-            (network error, invalid cert, status ≠ 200, or parse error),
+            (network error, invalid cert, status != 200, or parse error),
             the policy is considered unavailable or invalid, and Certification Authorities fall back to "no policy".
 
             HTTP 3xx redirects <strong>MUST NOT</strong> be followed, and HTTP caching
@@ -1277,19 +1277,19 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
       <name>Security Considerations</name>
       <t>This extension inherits and adapts security considerations from:</t>
       <ul spacing="normal" empty="false" indent="2" bare="false">
-        <li>CAA framework<xref target="RFC8659"/>,
+        <li>CAA framework <xref target="RFC8659"/>,
         </li>
-        <li>CAA Record Extensions for Account URI and (ACME) Binding<xref target="RFC8657"/>,
+        <li>CAA Record Extensions for Account URI and (ACME) Binding <xref target="RFC8657"/>,
         </li>
-        <li>Certificate Transparency Version 2.0.<xref target="RFC9162"/>,
+        <li>Certificate Transparency Version 2.0. <xref target="RFC9162"/>,
         </li>
-        <li>ACME protocol<xref target="RFC8555"/>,
+        <li>ACME protocol <xref target="RFC8555"/>,
         </li>
-        <li>SMTP MTA Strict Transport Security (MTA-STS)<xref target="RFC8461"/>.
+        <li>SMTP MTA Strict Transport Security (MTA-STS) <xref target="RFC8461"/>.
         </li>
       </ul>
       <t>As an extension of the DNS-based CAA framework, this proposal generally falls within the
-        Internet threat model defined by<xref target="RFC3552"/>.
+        Internet threat model defined by <xref target="RFC3552"/>.
       </t>
       <section>
         <name>Global considerations</name>
@@ -1377,7 +1377,7 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
         <name>Policy Redundancy Considerations</name>
         <t>Let c be the number of critical CT-Logs and w be the number of whitelisted (non-critical) CT-Logs,
           then the following expression is strongly <strong>RECOMMENDED</strong>:
-          |c| ≥ n + 1 ∧ |w| ≤ 2
+          |c| >= n + 1 ^ |w| &lt;= 2
         </t>
         <t>While the "critical=true" flag in the CAA <strong>"issuect"</strong> Parameter enforces that every
           Certificate issuance must be logged to all specified CT-Logs, this strict requirement can introduce
@@ -1399,7 +1399,7 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
           <li>"+ 2" Whitelist of Non-Critical CT-Logs.
             In addition to the n + 1 critical logs, domain owners <strong>SHOULD</strong> nominate at least
             up to two further CT-Logs without the "critical=true" flag.
-            These “whitelisted” CT-Logs provide extra transparency channels,
+            These "whitelisted" CT-Logs provide extra transparency channels,
             enabling issuance to continue if a critical CT-Log fails,
             but do not block issuance if they are unreachable.
             They <strong>MUST NOT</strong> not carry "critical=true"; otherwise,
@@ -1459,10 +1459,10 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
           <li>
             <t>TLSA Usage</t>
             <ul>
-              <li>3 1 1 — SHA-256 hash of the leaf certificate's SPKI</li>
+              <li>3 1 1 - SHA-256 hash of the leaf certificate's SPKI</li>
-              <li>3 1 2 — SHA-512 hash of the leaf certificate's SPKI</li>
+              <li>3 1 2 - SHA-512 hash of the leaf certificate's SPKI</li>
-              <li>2 1 1 — SHA-256 hash of the issuing intermediate certificate's SPKI</li>
+              <li>2 1 1 - SHA-256 hash of the issuing intermediate certificate's SPKI</li>
-              <li>2 1 2 — SHA-512 hash of the issuing intermediate certificate's SPKI</li>
+              <li>2 1 2 - SHA-512 hash of the issuing intermediate certificate's SPKI</li>
             </ul>
             <t>Here, TLSA-usage 3 (DANE-EE) and 2 (DANE-TA), selector 1 (SPKI), and matching
               types 1 (SHA-256) and 2 (SHA-512) ensure that CAs validate the exact certificates
@@ -1600,7 +1600,7 @@ ct_policy: ( "example.ca; \
         <name>Normative References</name>
         <reference anchor="ISO-8601" target="https://www.iso.org/standard/70907.html">
           <front>
-            <title>Date and time — Representations for information interchange</title>
+            <title>Date and time - Representations for information interchange</title>
             <author>
               <organization>International Organization for Standardization</organization>
             </author>
@@ -1659,7 +1659,7 @@ ct_policy: ( "example.ca; \
         <name>Informative References</name>
         <reference anchor="POSIX" target="https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/">
           <front>
-            <title>Portable Operating System Interface (POSIX™) - Base Specifications</title>
+            <title>Portable Operating System Interface (POSIX) - Base Specifications</title>
             <author>
               <organization>The Institute of Electrical and Electronics Engineers; The Open Group</organization>
             </author>
@@ -1685,7 +1685,7 @@ ct_policy: ( "example.ca; \
       </references>
       <references>
         <name>URI</name>
-        <reference anchor="URI1" target="https://coresecret.dev/msw/draft-weidner-catalog-rr-ext.git">
+        <reference anchor="URI1" target="https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext">
           <front>
             <title>This document</title>
             <author/>
@@ -1863,7 +1863,7 @@ ct_policy: ( "example.ca; \
           Their BIND file notation format is defined in<xref target="RFC1035"/>.
           Parentheses are used to ignore a line break in DNS zone-file presentation format, as per
           <eref target="https://rfc-editor.org/rfc/rfc1035#section-5.1">Section 5.1</eref>
-          of<xref target="RFC1035"/>.
+          of <xref target="RFC1035"/>.
         </t>
       </section>
       <section anchor="comprehensive_example">