moved docs

Switching to using vendored shell framework
moved SafeDownload to vendored shell framework repo

ProjectDocs/Claude-Review.md

@@ -0,0 +1,93 @@
+# Claude Code Review - TSYS FetchApply Infrastructure
+
+**Review Date:** July 14, 2025 (Updated)  
+**Reviewed by:** Claude (Anthropic)  
+**Repository:** TSYS Group Infrastructure Provisioning Scripts  
+**Previous Review:** July 12, 2025  
+
+## Project Overview
+
+This repository contains infrastructure-as-code for provisioning Linux servers in the TSYS Group environment. The codebase includes 32 shell scripts (~2,800 lines) organized into a modular framework for system hardening, security configuration, and operational tooling deployment.
+
+## Strengths ✅
+
+### Security Hardening
+- **SSH Security:** Comprehensive SSH hardening with key-only authentication, disabled password login, and secure cipher configurations
+- **Security Agents:** Automated deployment of Wazuh SIEM agents, audit tools, and SCAP-STIG compliance checking
+- **File Permissions:** Proper restrictive permissions (400 for SSH keys, 644 for configs)
+- **Network Security:** Firewall configuration, network discovery tools (LLDP), and monitoring agents
+
+### Code Quality
+- **Error Handling:** Robust bash strict mode implementation (`set -euo pipefail`) with custom error trapping and line number reporting
+- **Modular Design:** Well-organized structure separating framework components, configuration files, and functional modules
+- **Environment Awareness:** Intelligent detection of physical vs virtual hosts, distribution-specific logic, and hardware-specific optimizations
+- **Logging:** Centralized logging with timestamp-based log files and colored output for debugging
+
+### Operational Excellence
+- **Package Management:** Automated repository setup for security tools (Lynis, Webmin, Tailscale, Wazuh)
+- **System Tuning:** Performance optimizations for physical hosts, virtualization-aware configurations
+- **Monitoring Integration:** LibreNMS agents, SNMP configuration, and system metrics collection
+
+## Security Concerns ⚠️
+
+### Critical Issues
+1. **~~Insecure Deployment Method~~** ✅ **RESOLVED:** Now uses `git clone` + local script execution instead of `curl | bash`
+2. **No Integrity Verification:** Downloaded scripts lack checksum validation or cryptographic signatures
+3. **~~HTTP Downloads~~** ✅ **RESOLVED:** All HTTP URLs converted to HTTPS (Dell OMSA, Proxmox, Apache sources)
+
+### Moderate Risks
+4. **Exposed SSH Keys:** Public SSH keys committed directly to repository without rotation mechanism
+5. **Hard-coded Credentials:** Server hostnames and domain names embedded in scripts
+6. **Missing Secrets Management:** No current implementation of Bitwarden/Vault integration (noted in TODO comments)
+
+## Improvement Recommendations 🔧
+
+### High Priority (Security Critical)
+1. **~~Secure Deployment Pipeline~~** ✅ **RESOLVED:** Now uses git clone-based deployment
+2. **~~HTTPS Enforcement~~** ✅ **RESOLVED:** All HTTP downloads converted to HTTPS
+3. **Script Integrity:** Implement SHA256 checksum verification for all downloaded components
+4. **Secrets Management:** Deploy proper secrets handling for SSH keys and sensitive configurations
+
+### Medium Priority (Operational)
+5. **Testing Framework:** Add integration tests for provisioning workflows
+6. **Documentation Enhancement:** Expand security considerations and deployment procedures
+7. **Configuration Validation:** Add pre-deployment validation of system requirements
+8. **Rollback Capability:** Implement configuration backup and rollback mechanisms
+
+### Low Priority (Quality of Life)
+9. **Error Recovery:** Enhanced error recovery and partial deployment resumption
+10. **Monitoring Integration:** Centralized logging and deployment status reporting
+11. **User Interface:** Consider web-based deployment dashboard for non-technical users
+
+## Risk Assessment 📊
+
+**Overall Risk Level:** Low-Medium ⬇️ (Reduced from Medium-Low)
+
+The repository contains well-architected defensive security tools with strong error handling and modular design. **Major security improvement:** The insecure `curl | bash` deployment method has been replaced with git-based deployment. Remaining concerns are primarily around hardening the provisioning scripts themselves rather than the deployment method.
+
+**Recommendation:** Continue addressing remaining security issues (HTTPS enforcement, secrets management) but the critical deployment risk has been mitigated. The codebase is much safer for production use.
+
+## Update Summary (July 14, 2025)
+
+**✅ Resolved Issues:**
+- Insecure deployment method replaced with git clone approach
+- README.md updated with project management and community links
+- Deployment security risk significantly reduced
+- All HTTP URLs converted to HTTPS (Dell OMSA, Proxmox, Apache sources)
+
+**🔄 Remaining Priorities:**
+1. ~~HTTPS enforcement for internal downloads~~ ✅ **RESOLVED:** All HTTP URLs converted to HTTPS
+2. Secrets management implementation
+3. Script integrity verification
+4. SSH key rotation from repository
+
+## Files Reviewed
+
+- 32 shell scripts across Framework-Includes, Project-Includes, and ProjectCode directories
+- Configuration files for SSH, SNMP, logging, and system services
+- Security modules for hardening, authentication, and monitoring
+- Documentation and framework configuration files
+
+## Next Steps
+
+See `charles-todo.md` and `claude-todo.md` for detailed action items prioritized for human operators and AI assistants respectively.