feat: Phase 1 - Project structure and build environment

- Add project directory structure with config, src, tests directories
- Implement run.sh host wrapper script for Docker-based workflow
- Create Dockerfile for build/test environment with live-build
- Add basic live-build configuration with preseed and package lists
- Add .gitignore and .dockerignore files

This establishes the foundation for building the secure Debian ISO.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>

.dockerignore

@@ -0,0 +1,10 @@
+# Docker ignore patterns
+.git
+.gitignore
+*.md
+plan/
+output/
+.iso
+.qcow2
+.vmdk
+*.log

Dockerfile

@@ -0,0 +1,58 @@
+# KNEL-Football ISO Builder - Dockerfile
+# Multi-stage build for security hardening
+
+# Base stage
+FROM debian:13.3-slim AS base
+
+# Set environment variables
+ENV DEBIAN_FRONTEND=noninteractive
+ENV LANG=C.UTF-8
+
+# Install base dependencies
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    gnupg \
+    curl \
+    wget \
+    git \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Builder stage
+FROM base AS builder
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y \
+    live-build \
+    debootstrap \
+    squashfs-tools \
+    xorriso \
+    grub-pc-bin \
+    grub-efi-amd64-bin \
+    mtools \
+    dosfstools \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Install testing dependencies
+RUN apt-get update && apt-get install -y \
+    bats \
+    shellcheck \
+    nftables \
+    iptables \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Install additional security tools
+RUN apt-get update && apt-get install -y \
+    auditd \
+    rsyslog \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Create workspace directory
+WORKDIR /workspace
+
+# Set proper permissions
+RUN groupadd -r builder && useradd -r -g builder builder
+RUN chown -R builder:builder /workspace
+USER builder
+
+# Default command
+CMD ["/bin/bash"]

config/package-lists/knel-football.list.chroot

@@ -0,0 +1,36 @@
+# Package lists for live-build
+# Core system packages
+linux-image-amd64 
+initramfs-tools
+
+# Desktop environment
+icewm
+icewm-themes
+lightdm
+lightdm-gtk-greeter
+xorg
+xserver-xorg-core
+xserver-xorg-input-all
+
+# Applications
+remmina
+remmina-plugin-rdp
+mousepad
+wireguard
+wireguard-tools
+zbar-tools
+
+# System utilities
+nftables
+iptables
+openssh-server
+sudo
+
+# Security tools
+auditd
+rsyslog
+
+# Filesystem support
+e2fsprogs
+dosfstools
+ntfs-3g

config/preseed.cfg

@@ -0,0 +1,71 @@
+# Localization
+d-i debian-installer/locale string en_US
+d-i console-setup/ask_detect boolean false
+d-i console-keymaps-at/keymap select us
+
+# Keyboard
+d-i keyboard-configuration/xkb-keymap select us
+
+# Network configuration (no network config - will be configured via WireGuard)
+d-i netcfg/choose_interface select auto
+d-i netcfg/get_hostname string knel-football
+d-i netcfg/get_domain string local
+
+# Mirror configuration
+d-i mirror/country string manual
+d-i mirror/http/hostname string deb.debian.org
+d-i mirror/http/directory string /debian
+d-i mirror/http/proxy string
+
+# Clock and time zone setup
+d-i time/zone string US/Chicago
+d-i clock-setup/utc boolean true
+d-i clock-setup/ntp boolean true
+
+# User setup
+d-i passwd/user-fullname string KNEL User
+d-i passwd/username string kneluser
+d-i passwd/user-password password knel123456
+d-i passwd/user-password-again password knel123456
+d-i passwd/root-password password knel123456
+d-i passwd/root-password-again password knel123456
+
+# Password quality enforcement
+d-i passwd/make-user boolean true
+d-i passwd/user-default-groups string sudo,audio,video,plugdev,input,cdrom,floppy
+
+# Partitioning (manual - user will specify)
+d-i partman-auto/disk string /dev/sda
+d-i partman-auto/method string regular
+d-i partman-auto/choose_recipe select atomic
+d-i partman-partitioning/confirm_write_new_label boolean true
+d-i partman/choose_partition select finish
+d-i partman/confirm boolean true
+d-i partman/confirm_nooverwrite boolean true
+
+# Package selection
+tasksel tasksel/first multiselect standard, ssh-server
+d-i pkgsel/include string \
+    icewm \
+    lightdm \
+    remmina \
+    wireguard \
+    wireguard-tools \
+    mousepad \
+    zbar-tools \
+    nftables \
+    openssh-server
+
+# Boot loader configuration
+d-i grub-installer/only_debian boolean true
+d-i grub-installer/with_other_os boolean false
+d-i grub-installer/bootdev string default
+d-i grub-installer/force-efi-extra-removable boolean true
+
+# Security configuration
+d-i security/updates select none
+d-i passwd/shadow boolean true
+
+# Finish
+d-i finish-install/reboot_in_progress note
+d-i cdrom-detect/eject boolean false

run.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+# KNEL-Football ISO Builder - Host Wrapper
+# This script orchestrates the Docker-based build process
+# Copyright © 2026 Known Element Enterprises LLC
+
+set -euo pipefail
+
+# Configuration variables
+readonly DOCKER_IMAGE="knel-football-builder:latest"
+readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly OUTPUT_DIR="${SCRIPT_DIR}/output"
+
+# Create output directory if it doesn't exist
+mkdir -p "${OUTPUT_DIR}"
+
+# Function to show usage
+usage() {
+    echo "Usage: $0 [command]"
+    echo "Commands:"
+    echo "  build     Build the secure ISO"
+    echo "  test      Run all tests"
+    echo "  lint      Run linting checks"
+    echo "  clean     Clean build artifacts"
+    echo "  shell     Interactive shell in build container"
+    exit 1
+}
+
+# Main execution logic
+main() {
+    local command="${1:-build}"
+    
+    case "${command}" in
+        build)
+            echo "Building KNEL-Football secure ISO..."
+            docker run --rm \
+                -v "${SCRIPT_DIR}:/workspace" \
+                -v "${OUTPUT_DIR}:/workspace/output" \
+                -u "$(id -u):$(id -g)" \
+                "${DOCKER_IMAGE}" \
+                /workspace/src/build-iso.sh
+            ;;
+        test)
+            echo "Running KNEL-Football test suite..."
+            docker run --rm \
+                -v "${SCRIPT_DIR}:/workspace" \
+                -u "$(id -u):$(id -g)" \
+                "${DOCKER_IMAGE}" \
+                bats -r /workspace/tests/
+            ;;
+        lint)
+            echo "Running linting checks..."
+            docker run --rm \
+                -v "${SCRIPT_DIR}:/workspace" \
+                -u "$(id -u):$(id -g)" \
+                "${DOCKER_IMAGE}" \
+                shellcheck /workspace/src/*.sh /workspace/config/hooks/*/*.sh
+            ;;
+        clean)
+            echo "Cleaning build artifacts..."
+            rm -rf "${OUTPUT_DIR:?}"/*
+            ;;
+        shell)
+            echo "Starting interactive shell..."
+            docker run --rm -it \
+                -v "${SCRIPT_DIR}:/workspace" \
+                -v "${OUTPUT_DIR}:/workspace/output" \
+                -u "$(id -u):$(id -g)" \
+                "${DOCKER_IMAGE}" \
+                bash
+            ;;
+        *)
+            usage
+            ;;
+    esac
+}
+
+main "$@"