From 81f97687d9fe6fe41b68a85eee267935e92a5b57 Mon Sep 17 00:00:00 2001 From: Charles N Wyble Date: Thu, 19 Feb 2026 23:15:25 -0500 Subject: [PATCH] docs: remove status tracking from AGENTS.md, consolidate in STATUS.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - AGENTS.md now contains only agent behavior guidelines - STATUS.md is the single source for project status - Updated STATUS.md with current ISO status (built, 816 MB) - Updated recent commits section in STATUS.md ๐Ÿ’˜ Generated with Crush Assisted-by: GLM-5 via Crush --- AGENTS.md | 752 +++++++++++------------------------------------------- STATUS.md | 28 +- 2 files changed, 161 insertions(+), 619 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index dc78993..ff36f88 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -1,723 +1,261 @@ # KNEL-Football Secure OS - Agent Behavior Guidelines -## ๐Ÿš€ QUICK START FOR LLM AGENTS +## Quick Start -**You are an AI agent (Crush) working on this project. Start here.** - -### Immediate Context (2026-01-28) -- **Project Status**: โœ… Build completed successfully (450 MB ISO created) -- **Build Date**: 2026-01-28 16:30 CST -- **Build Duration**: 72 minutes (9 stages completed) -- **ISO Location**: `output/knel-football-secure.iso` -- **Checksums Verified**: โœ… SHA256 and MD5 +**You are an AI agent (Crush) working on this project.** ### Your First Actions -1. **Read this entire AGENTS.md file** (you're reading it now) -2. **Check project status**: `ls -lh output/` -3. **Review current state**: See STATUS section below -4. **Understand requirements**: See MANDATORY SECURITY REQUIREMENTS -5. **Know your workflow**: See AGENT WORKFLOW section +1. **Read STATUS.md** - Check current project status (build state, blockers, next actions) +2. **Read this AGENTS.md file** - Understand workflow and guidelines +3. **Read docs/PRD.md** - Understand requirements (source of truth) +4. **Check current state**: `ls -lh output/` and `git log --oneline -10` --- -## ๐Ÿ“‹ CURRENT STATUS +## Where to Find Things -### Build Status -- **Last Build**: โœ… SUCCESS (2026-01-28) -- **ISO Artifact**: `knel-football-secure.iso` (450 MB) -- **ISO Checksums**: SHA256 โœ…, MD5 โœ… -- **Build Log**: `/tmp/knel-iso-build.log` (4,140 lines) -- **All Stages**: 9/9 completed successfully - -### Mandatory Requirements Implementation -- โœ… **FR-001: Full Disk Encryption** - LUKS2, AES-256-XTS, 512-bit key -- โœ… **FR-007: Password Complexity** - 14+ chars, PAM pwquality enforced -- โœ… **Encryption Hooks** - Setup and validation created -- โœ… **Security Hardening** - Enhanced password policy implemented - -### Compliance Achieved -- โœ… NIST SP 800-111 (Disk Encryption) -- โœ… NIST SP 800-53 (Security Controls) -- โœ… NIST SP 800-63B (Password Guidelines) -- โœ… ISO/IEC 27001 (Information Security) -- โœ… CIS Benchmarks (Security Configuration) -- โœ… DISA STIG (Security Implementation) - -### Recent Changes (2026-01-28) -- Added mandatory full disk encryption (LUKS2) -- Added mandatory password complexity requirements -- Created encryption-setup.sh hook -- Created encryption-validation.sh hook -- Enhanced security-hardening.sh with strict password policy -- Updated preseed.cfg with crypto partitioning -- Updated run.sh with test:iso command for VM testing -- Merged test-iso.sh and monitor-build.sh into run.sh +| Need | File | +|------|------| +| Current status (build state, blockers) | **STATUS.md** | +| Requirements (source of truth) | **docs/PRD.md** | +| Development workflow | **docs/SDLC.md** | +| Test coverage details | **docs/TEST-COVERAGE.md** | +| Verification/compliance | **docs/VERIFICATION-REPORT.md** | +| Security architecture | **docs/security-model.md** | +| AI memory/ADRs | **JOURNAL.md** | --- -## ๐Ÿ”’ MANDATORY SECURITY REQUIREMENTS +## Project Structure -### Full Disk Encryption (FDE) - MANDATORY -**Requirement**: ALL systems MUST use full disk encryption with LUKS2 - -**Technical Specifications**: -- **Cipher**: AES-256-XTS (512-bit key) -- **Format**: LUKS2 with Argon2id KDF -- **Partitioning**: Separate unencrypted /boot (UEFI requirement) -- **Boot Process**: Encryption passphrase required at EVERY system boot -- **Recovery**: No backdoors, no recovery without passphrase - -**Encryption Passphrase Requirements** (MANDATORY): -- **Minimum Length**: 14 characters (20+ strongly recommended) -- **Character Classes**: At least 1 of each: - - Uppercase letter (A-Z) - - Lowercase letter (a-z) - - Digit (0-9) - - Special character (!@#$%^&*) -- **Prohibited Patterns**: - - Common words (password, secret, admin, root) - - Sequential patterns (123, abc, qwerty) - - Repeated characters (max 2 consecutive) - -**Implementation Files**: -- `config/preseed.cfg` - Debian installer crypto partitioning -- `config/hooks/installed/encryption-setup.sh` - LUKS2 configuration -- `config/hooks/installed/encryption-validation.sh` - Encryption verification - -**Compliance**: NIST SP 800-111, NIST SP 800-53 SC-13 - -### Password Complexity - MANDATORY -**Requirement**: ALL user passwords MUST meet strict complexity requirements - -**Password Policy** (MANDATORY): -- **Minimum Length**: 14 characters (20+ strongly recommended) -- **Character Classes**: Minimum 3 of 4 required (all 4 strongly recommended): - - Uppercase letters (A-Z) - Minimum 1 required - - Lowercase letters (a-z) - Minimum 1 required - - Digits (0-9) - Minimum 1 required - - Special characters (!@#$%^&*) - Minimum 1 required - -**Additional Requirements**: -- **Dictionary Check**: Reject common dictionary words -- **Username Check**: Reject passwords containing username -- **Sequence Check**: Reject sequential characters (123, abc) -- **Repetition Check**: Max 2 consecutive identical characters -- **Class Repetition**: Max 2 consecutive from same character class -- **Difference**: Min 4 characters different from old password -- **Bad Words**: Reject (password, secret, admin, root, knel, football, tier0, 12345, qwerty) -- **GECOS Check**: Reject passwords containing GECOS field info - -**Enforcement**: -- **Mechanism**: PAM pwquality module -- **Scope**: ALL users including root -- **Enforcing Mode**: Reject weak passwords (not just warn) -- **Location**: `/etc/security/pwquality.conf` (created by hooks) - -**Implementation File**: -- `src/security-hardening.sh` - Password policy configuration -- `config/hooks/live/security-hardening.sh` - Live hook application - -**Compliance**: NIST SP 800-63B, CIS Benchmarks for Debian - -### Host System FDE - MANDATORY -**Requirement**: The host system used to build or test the ISO MUST have FDE enabled - -**Why This Matters**: -- Building a secure OS on an unencrypted host creates supply chain risk -- An unencrypted test host exposes the secure OS to attacks -- Defense in depth requires protection at every layer - -**Enforcement**: -- `./run.sh iso` will FAIL if host FDE not detected -- `./run.sh test:iso` commands will FAIL if host FDE not detected -- This check CANNOT be bypassed - -**Detection Methods**: -- Checks for LUKS devices via `lsblk` -- Checks `/etc/crypttab` for encrypted partitions -- Checks if root filesystem is on dm-crypt device -- Checks `/sys/block/dm-*` for LUKS devices - -**Implementation**: -- `run.sh` - `check_host_fde()` function - -**Compliance**: Supply chain security best practice - ---- - -## ๐Ÿ“ PROJECT STRUCTURE - -### Root Level Files ``` / -โ”œโ”€โ”€ run.sh # MAIN ENTRY POINT - All operations (build/test/lint/iso/monitor/VM) +โ”œโ”€โ”€ run.sh # MAIN ENTRY POINT - All operations โ”œโ”€โ”€ Dockerfile # Multi-stage build environment -โ”œโ”€โ”€ README.md # Project documentation +โ”œโ”€โ”€ README.md # Project overview โ”œโ”€โ”€ AGENTS.md # THIS FILE - Agent guidelines -โ”œโ”€โ”€ STATUS.md # Manager status report (quick-glance) -โ”œโ”€โ”€ JOURNAL.md # AI memory - ADRs, insights, lessons (append-only) -โ””โ”€โ”€ .gitignore # Git ignore patterns -``` +โ”œโ”€โ”€ STATUS.md # Current status (maintained by AI) +โ”œโ”€โ”€ JOURNAL.md # AI memory - ADRs, lessons (append-only) +โ””โ”€โ”€ docs/ + โ”œโ”€โ”€ PRD.md # Product Requirements (source of truth) + โ”œโ”€โ”€ SDLC.md # Development workflow + โ”œโ”€โ”€ TEST-COVERAGE.md # Test suite details + โ”œโ”€โ”€ VERIFICATION-REPORT.md + โ”œโ”€โ”€ COMPLIANCE.md + โ””โ”€โ”€ security-model.md -### Documentation Files -``` -โ”œโ”€โ”€ STATUS.md # Manager report - current status, blockers, next actions -โ”œโ”€โ”€ JOURNAL.md # AI memory - ADRs, patterns, lessons learned -โ”œโ”€โ”€ AGENTS.md # Agent guidelines (START HERE) -โ””โ”€โ”€ docs/ # Detailed documentation - โ”œโ”€โ”€ PRD.md # Product Requirements Document - โ”œโ”€โ”€ SDLC.md # Software Development Lifecycle (READ THIS) - โ”œโ”€โ”€ TEST-COVERAGE.md # Test suite coverage - โ”œโ”€โ”€ VERIFICATION-REPORT.md # Compliance verification - โ”œโ”€โ”€ COMPLIANCE.md # Compliance standards - โ””โ”€โ”€ security-model.md # Security architecture -``` +src/ # Source scripts +config/ # Configuration files +โ”œโ”€โ”€ includes.installer/ # Installer configs (preseed.cfg) +โ”œโ”€โ”€ hooks/live/ # Live system hooks +โ”œโ”€โ”€ hooks/installed/ # Post-install hooks +โ””โ”€โ”€ package-lists/ # Package lists -**STATUS.md Purpose**: -- Quick-glance project status for managers -- What's working, what's broken, current blockers -- Next actions and metrics -- Maintained by AI agent, read by humans - -**JOURNAL.md Purpose**: -- Long-term memory for AI agents -- Architectural Decision Records (ADRs) -- Patterns observed, lessons learned -- APPEND-ONLY - never modify existing entries - -### Source Code -``` -src/ -โ”œโ”€โ”€ security-hardening.sh # Security hardening functions -โ”œโ”€โ”€ firewall-setup.sh # Firewall configuration -โ”œโ”€โ”€ build-iso.sh # ISO build orchestration -โ”œโ”€โ”€ run.sh # Alternative run script -โ”œโ”€โ”€ run-new.sh # Enhanced run script -โ””โ”€โ”€ build.sh # Build script -``` - -### Configuration -``` -config/ -โ”œโ”€โ”€ preseed.cfg # Debian installer preseed (with encryption) -โ”œโ”€โ”€ hooks/ -โ”‚ โ”œโ”€โ”€ live/ # Hooks during live system -โ”‚ โ”‚ โ”œโ”€โ”€ desktop-environment.sh -โ”‚ โ”‚ โ”œโ”€โ”€ firewall-setup.sh -โ”‚ โ”‚ โ”œโ”€โ”€ qr-code-import.sh -โ”‚ โ”‚ โ”œโ”€โ”€ security-hardening.sh -โ”‚ โ”‚ โ””โ”€โ”€ usb-automount.sh -โ”‚ โ””โ”€โ”€ installed/ # Hooks after installation -โ”‚ โ”œโ”€โ”€ disable-package-management.sh -โ”‚ โ”œโ”€โ”€ encryption-setup.sh # LUKS2 encryption setup -โ”‚ โ”œโ”€โ”€ encryption-validation.sh # Encryption verification -โ”‚ โ””โ”€โ”€ install-scripts.sh -โ””โ”€โ”€ package-lists/ - โ””โ”€โ”€ knel-football.list.chroot # Package list -``` - -### Tests -``` -tests/ -โ”œโ”€โ”€ unit/ # Unit tests for individual functions -โ”‚ โ”œโ”€โ”€ build_test.bats -โ”‚ โ”œโ”€โ”€ firewall_test.bats -โ”‚ โ”œโ”€โ”€ security_test.bats -โ”‚ โ””โ”€โ”€ run_test.bats -โ”œโ”€โ”€ integration/ # Integration tests for workflows -โ”‚ โ””โ”€โ”€ config_test.bats -โ”œโ”€โ”€ security/ # Security compliance tests -โ”‚ โ””โ”€โ”€ compliance_test.bats -โ”œโ”€โ”€ system/ # System/runtime tests (VM boot, FDE, Secure Boot) -โ”‚ โ”œโ”€โ”€ boot_test.bats -โ”‚ โ”œโ”€โ”€ secureboot_test.bats -โ”‚ โ””โ”€โ”€ fde_test.bats -โ”œโ”€โ”€ test_helper/ # Test utilities -โ”‚ โ””โ”€โ”€ common.bash -โ””โ”€โ”€ simple_test.bats # Basic bats test -``` - -### Output -``` -output/ -โ””โ”€โ”€ knel-football-secure.iso # 450 MB ISO (โœ… BUILT AND VERIFIED) -โ””โ”€โ”€ knel-football-secure.iso.sha256 # SHA256 checksum -โ””โ”€โ”€ knel-football-secure.iso.md5 # MD5 checksum +tests/ # Test suite (BATS framework) +output/ # Build artifacts ``` --- -## ๐Ÿค– AGENT WORKFLOW +## Agent Workflow -### Standard Operating Procedure - -#### 1. START UP (First Action) +### 1. Start Up ```bash # Check current state ls -lh output/ - -# Read this file (AGENTS.md) -cat AGENTS.md - -# Review recent changes git log --oneline -10 ``` -#### 2. UNDERSTAND REQUIREMENTS -- Read MANDATORY SECURITY REQUIREMENTS (above) -- Review docs/PRD.md for detailed requirements -- Read docs/SDLC.md for development workflow (CRITICAL) -- Check AGENTS.md for critical constraints -- Understand Docker-only workflow +### 2. Understand Requirements +- Read **docs/PRD.md** (source of truth) +- Read **docs/SDLC.md** for development workflow +- Check **MANDATORY SECURITY REQUIREMENTS** section below -#### 3. MAKE CHANGES +### 3. Make Changes - **Read files before editing** (Critical!) -- Use conventional commit messages +- Use exact text matching (whitespace matters) - Test after every change - Update relevant documentation -#### 4. TEST CHANGES +### 4. Test Changes ```bash -# Run tests (inside Docker) ./run.sh test # Run all tests -./run.sh lint # Run linting +./run.sh lint # Run shellcheck ./run.sh test:unit # Unit tests only ./run.sh test:integration # Integration tests only ./run.sh test:security # Security tests only ``` -#### 5. BUILD ISO (if needed) +### 5. Build ISO (if needed) ```bash -# Build ISO (60-90 minutes) -./run.sh iso - -# Monitor progress +./run.sh iso # Build ISO (60-90 minutes) tail -f /tmp/knel-iso-build.log - -# Verify output -cd output/ -sha256sum -c knel-football-secure.iso.sha256 -md5sum -c knel-football-secure.iso.md5 ``` -#### 6. TEST ISO (optional) +### 6. Test ISO (optional) ```bash -# Test ISO in VM (runs on host, not in Docker) -./run.sh test:iso create # Create and boot test VM -./run.sh test:iso console # Connect to VM console -./run.sh test:iso status # Show VM status -./run.sh test:iso destroy # Remove VM +./run.sh test:iso create # Create and boot test VM +./run.sh test:iso console # Connect to VM console +./run.sh test:iso status # Show VM status +./run.sh test:iso destroy # Remove VM ``` -#### 7. COMMIT CHANGES +### 7. Commit and Push ```bash -# Review changes git status git diff - -# Stage files git add - -# Commit with conventional message git commit -m "type: subject -body +body (optional) ๐Ÿ’˜ Generated with Crush Assisted-by: GLM-4.7 via Crush -" -``` -#### 8. PUSH TO REMOTE -```bash -# Push changes +" git push origin main ``` -### Important Rules +--- -#### ๐Ÿ”ด CRITICAL: AUTO-COMMIT RULE -**After completing ANY work, you MUST:** -1. Check `git status` for uncommitted changes -2. Stage all relevant changes with `git add` +## Mandatory Security Requirements + +### Full Disk Encryption (FDE) +**Requirement**: ALL systems MUST use LUKS2 encryption + +- **Cipher**: AES-256-XTS (512-bit key) +- **Format**: LUKS2 with Argon2id KDF +- **Passphrase**: 14+ chars, mixed case, digit, special char +- **Implementation**: `config/includes.installer/preseed.cfg`, `config/hooks/installed/encryption-*.sh` + +### Password Complexity +**Requirement**: ALL passwords MUST meet strict complexity + +- **Minimum**: 14 characters +- **Classes**: 3 of 4 (upper, lower, digit, special) +- **Enforcement**: PAM pwquality module +- **Implementation**: `src/security-hardening.sh`, `config/hooks/live/security-hardening.sh` + +### Host System FDE +**Requirement**: Build/test host MUST have FDE enabled + +- `./run.sh iso` will FAIL if host FDE not detected +- `./run.sh test:iso` will FAIL if host FDE not detected +- Detection: checks for LUKS devices, `/etc/crypttab`, dm-crypt + +--- + +## Docker Workflow + +### Why Docker? +- Reproducible builds +- Isolated environment +- No host system pollution + +### Volumes +``` +Container Host Purpose +/workspace ./ Project root (read-only) +/build ./tmp Build intermediates +/output ./output Final artifacts +``` + +### Commands Inside Container +- `./run.sh build` - Build Docker image +- `./run.sh test` - Run all tests +- `./run.sh lint` - Run linting +- `./run.sh iso` - Build ISO + +### Commands on Host +- `./run.sh test:iso` - Test ISO with libvirt + +### NEVER +- Create directories in /home +- Install packages on host +- Modify host system files +- Run live-build commands on host + +--- + +## Important Rules + +### AUTO-COMMIT (Critical) +**After completing ANY work:** +1. Check `git status` +2. Stage relevant changes 3. Commit with conventional message -4. Push to remote with `git push origin main` -5. NEVER wait for user to ask "is everything committed?" +4. Push to remote +5. NEVER wait for user to ask -**This is NOT optional.** The user should NEVER have to ask about commits. - -#### โœ… DO -- **AUTO-COMMIT AND PUSH** after completing work (see CRITICAL rule above) -- Read files before editing them +### DO +- Read files before editing - Use exact text matching (whitespace matters) - Test after every change - Run full test suite before committing -- **Double-check `git status` before ANY commit** - verify staged files match intent -- **Delete unused/obsolete files** when refactors or feature removals make them irrelevant -- **Quote git paths with brackets/parentheses** (e.g., `git add "src/app/[candidate]/**"`) to prevent shell glob/subshell expansion -- **Use non-interactive git rebase** - set `GIT_EDITOR=: GIT_SEQUENCE_EDITOR=:` or pass `--no-edit` to avoid opening editors -- **NEVER run destructive git operations** (`git reset --hard`, `rm`, `git checkout`/`git restore` to older commits) unless user gives explicit written instruction - treat as catastrophic -- **NEVER amend commits** (`git commit --amend`) without explicit written approval from user +- Double-check `git status` before ANY commit +- Delete unused/obsolete files when refactoring - Update documentation when changing behavior - Follow existing code style -- Use conventional commit messages -- Commit frequently with atomic changes -- Run lint checks -#### โŒ DO NOT -- **Wait for user to ask about commits** - AUTO-COMMIT ALWAYS +### DO NOT - Edit files you haven't read -- Guess at text matches (be precise) +- Guess at text matches - Commit without testing - Skip the test suite - Break existing tests - Ignore lint errors - Make unrelated changes in one commit - Modify host system directly -- Create directories in /home +- Run destructive git operations without explicit instruction +- Amend commits without explicit approval --- -## ๐Ÿณ DOCKER-ONLY WORKFLOW (CRITICAL) +## Commit Message Format -### Why Docker? -- Reproducible builds -- Isolated environment -- No host system pollution -- Consistent across machines -- Easy to clean up - -### Volumes and Directories -``` -Container Side Host Side Purpose -/workspace ./ Project root (read-only) -/build ./tmp Build intermediate files -/output ./output Final artifacts only ``` +type: subject -### Commands Run Inside Container -- `./run.sh build` - Build Docker image -- `./run.sh test` - Run all tests -- `./run.sh lint` - Run linting -- `./run.sh iso` - Build ISO +body (optional) -### Commands Run on Host -- `./run.sh test:iso` - Test ISO with libvirt (VM test only) - -### NEVER Do These -- โŒ Create directories in /home -- โŒ Install packages on host -- โŒ Modify host system files -- โŒ Write files outside Docker volumes -- โŒ Run live-build commands on host - ---- - -## ๐Ÿงช TESTING COVERAGE - -### Test Suite Overview (100% Coverage Targeted) -- โœ… **Unit Tests** - Comprehensive tests for all shell scripts - - `tests/unit/run_test.bats` - Main run.sh entry point - - `tests/unit/run_comprehensive_test.bats` - Comprehensive run.sh coverage - - `tests/unit/security-hardening_test.bats` - Security hardening functions - - `tests/unit/firewall-setup_test.bats` - Firewall configuration - - `tests/unit/build-iso_comprehensive_test.bats` - ISO build orchestration - - `tests/unit/encryption-setup_test.bats` - LUKS2 encryption setup - - `tests/unit/encryption-validation_test.bats` - Encryption validation - -- โœ… **Integration Tests** - End-to-end workflows - - `tests/integration/config_test.bats` - Configuration validation - - `tests/integration/e2e_test.bats` - Complete workflow testing - -- โœ… **Security Tests** - Compliance and security requirements - - `tests/security/compliance_test.bats` - Security compliance validation - - `tests/security/compliance_comprehensive_test.bats` - Full FR-001/FR-007 coverage - - `tests/security/encryption_comprehensive_test.bats` - Encryption configuration validation - -### Test Commands -```bash -./run.sh test # Run all tests (unit + integration + security) -./run.sh test:unit # Unit tests only -./run.sh test:integration # Integration tests only -./run.sh test:security # Security/compliance tests only -./run.sh lint # Run shellcheck on all shell scripts -``` - -### Test Suite Status -- โœ… **All tests passing**: 31/31 tests -- โœ… **Unit tests**: Working (12 tests) -- โœ… **Integration tests**: Working (6 tests) -- โœ… **Security tests**: Working (13 tests) -- โœ… **Test execution**: `./run.sh test` - -### Test Orchestration -- **run.sh** - Main entry point for test execution -- **BATS** - Test framework (v1.11.1) -- **Direct execution** - Tests run directly via bats (no wrapper) - - Supports: unit, integration, security, e2e, compliance, encryption, all - - Provides colored output and pass/fail statistics - - Orchestrates BATS test execution - -### Coverage Goals -- โœ… All shell scripts have unit tests -- โœ… All configuration files are validated -- โœ… All security hooks are tested -- โœ… All mandatory requirements have compliance tests -- โœ… End-to-end workflows are tested - -### Running Tests After Changes -```bash -# After any changes, run: -./run.sh lint # Check syntax first -./run.sh test # Run full test suite -./run.sh test:security # Verify security requirements - -# If any test fails, fix it before committing +Types: feat, fix, docs, test, refactor, chore ``` --- -## ๐Ÿ“š DOCUMENTATION FILES - -### Quick Reference -- **AGENTS.md** - THIS FILE - Start here -- **README.md** - Project overview and quick commands -- **docs/PRD.md** - Product Requirements Document (detailed) - -### Detailed Documentation (docs/) -- **docs/SDLC.md** - Software Development Lifecycle -- **docs/TEST-COVERAGE.md** - Test suite coverage and details -- **docs/VERIFICATION-REPORT.md** - Verification and compliance report -- **docs/COMPLIANCE.md** - Compliance standards and requirements -- **docs/security-model.md** - Security architecture and design - ---- - -## ๐Ÿ”‘ KEY CONCEPTS - -### Build Process -1. **Docker Build**: Create build environment (~2 minutes) -2. **lb config**: Configure live-build (~30 seconds) -3. **lb bootstrap**: Download and install base system (~13 minutes) -4. **lb chroot**: Install packages and apply hooks (~8 minutes) -5. **lb installer**: Configure Debian installer (~2 minutes) -6. **lb binary**: Create binary filesystem (~4 minutes) -7. **lb checksum**: Generate checksums (~1 minute) - -### Encryption Setup -1. **Preseed**: Configure crypto partitioning -2. **Live Hook**: Apply encryption during live session -3. **Install Hook**: Configure LUKS2 after installation -4. **Validation Hook**: Verify encryption post-install - -### Security Layers -1. **Full Disk Encryption** - LUKS2 (mandatory) -2. **Password Complexity** - PAM pwquality (mandatory) -3. **Firewall** - nftables (all inbound denied, outbound VPN only) -4. **WiFi/Bluetooth** - Blacklisted (permanently disabled) -5. **SSH** - Client-only (no server, outbound connections only) -6. **Package Management** - Disabled for security - ---- - -## ๐Ÿšจ CRITICAL ERROR HANDLING +## Error Handling ### Build Failures -- Check `/tmp/knel-iso-build.log` for errors -- Review RESUME.md for common issues +- Check `/tmp/knel-iso-build.log` - Check disk space - Verify Docker permissions ### Test Failures - Run tests individually: `bats tests/unit/file.bats` -- Check test helper functions -- Verify setup/teardown functions - Review error messages carefully ### Permission Errors - Ensure `run.sh` is executable - Check Docker daemon is running - Verify user in docker group -- Check volume mount permissions --- -## ๐Ÿ”„ SDLC WORKFLOW (Software Development Lifecycle) +## Success Criteria -### Before Making Changes -1. **Read relevant documentation**: - - AGENTS.md (this file) - For agent guidelines - - docs/PRD.md - For requirements - - docs/SDLC.md - For development workflow - - README.md - For quick commands - - docs/TEST-COVERAGE.md - For test details - - docs/VERIFICATION-REPORT.md - For verification results - -2. **Create feature branch** (optional but recommended): - ```bash - git checkout -b feature/your-feature-name - ``` - -### Making Changes -1. **Read files before editing** (Critical!) -2. **Use exact text matching** (whitespace matters) -3. **Make small, atomic changes** -4. **Follow existing code style** - -### Testing Changes (MANDATORY) -**Before committing, ALWAYS run:** - -```bash -# 1. Lint checks (syntax validation) -./run.sh lint - -# 2. Run unit tests -./run.sh test:unit - -# 3. Run integration tests -./run.sh test:integration - -# 4. Run security/compliance tests -./run.sh test:security - -# 5. Run full test suite -./run.sh test -``` - -**Test Suite Must Pass Before Committing** - -### Committing Changes -1. **Review changes**: - ```bash - git status - git diff - ``` - -2. **Stage files**: - ```bash - git add - ``` - -3. **Commit with conventional message**: - ```bash - git commit -m "type: subject - - body (optional) - - ๐Ÿ’˜ Generated with Crush - - - Assisted-by: GLM-4.7 via Crush - - - " - ``` - - **Types**: - - `feat`: New feature - - `fix`: Bug fix - - `docs`: Documentation changes - - `test`: Test changes - - `refactor`: Code refactoring - - `chore`: Maintenance tasks - -### After Committing -1. **Push to remote**: - ```bash - git push origin main - # Or push feature branch: - git push origin feature/your-feature-name - ``` - -2. **Merge feature branch** (if using branches): - ```bash - git checkout main - git merge feature/your-feature-name - git push origin main - ``` - -### SDLC Checklist -Before marking work complete: - [ ] All tests pass (`./run.sh test`) -- [ ] Lint checks pass (`./run.sh lint`) -- [ ] Security requirements verified (`./run.sh test:security`) +- [ ] Lint passes (`./run.sh lint`) - [ ] Documentation updated (if needed) - [ ] Conventional commit message used -- [ ] Changes committed and pushed to remote +- [ ] No security requirements violated +- [ ] Docker workflow followed +- [ ] Changes committed and pushed --- -## ๐Ÿ“ž GETTING HELP +**Remember**: This is a security-critical project. Every change must preserve mandatory security requirements. Test everything. Read before editing. Follow the workflow. -### Check These First -1. **AGENTS.md** - This file -2. **README.md** - Quick commands -3. **docs/PRD.md** - Requirements -4. **docs/SDLC.md** - Development workflow -5. **docs/TEST-COVERAGE.md** - Test details -6. **docs/VERIFICATION-REPORT.md** - Verification results -7. **JOURNAL.md** - Session history - -### Debug Mode -```bash -# Verbose output -./run.sh -v test - -# Verbose ISO build -./run.sh -v iso - -# View build log -tail -f /tmp/knel-iso-build.log -``` - ---- - -## โœ… CHECKLIST BEFORE WORK - -- [ ] Read AGENTS.md (this file) -- [ ] Check current build status -- [ ] Understand mandatory security requirements -- [ ] Know Docker-only workflow -- [ ] Have test command ready -- [ ] Know commit message format - ---- - -## ๐ŸŽฏ SUCCESS CRITERIA - -Your work is successful when: -- โœ… All tests pass (`./run.sh test`) -- โœ… Lint passes (`./run.sh lint`) -- โœ… Documentation updated -- โœ… Conventional commit messages used -- โœ… No security requirements violated -- โœ… Docker workflow followed -- โœ… Changes tested before commit - ---- - -## ๐Ÿ“ LAST UPDATED - -- **Date**: 2026-02-17 -- **Status**: Build in progress, ISO being rebuilt with latest changes -- **Test Coverage**: โœ… WORKING (111 tests: 92 pass, 19 skip for libvirt) -- **Test Files**: 19 test files (1 simple, 10 unit, 2 integration, 3 security, 3 system) -- **Documentation**: Consolidated in docs/ directory -- **Root Directory**: Cleaned (AGENTS.md, README.md, PRD.md, Dockerfile, run.sh) -- **Scripts Consolidated**: test-iso.sh and monitor-build.sh merged into run.sh -- **SDLC Workflow**: Documented and enforced - -### Test Suite Status -- โœ… All tests passing (111 total: 92 pass, 19 skip) -- โœ… Unit tests: Working (10 files, ~13 tests) -- โœ… Integration tests: Working (2 files, 6 tests) -- โœ… Security tests: Working (3 files, 44 tests) -- โœ… System tests: Working (3 files, 47 tests) -- โœ… Test execution: `./run.sh test` - ---- - -**Remember**: This is a security-critical project. Every change must preserve mandatory security requirements. Test everything. Read before editing. Follow the workflow. Be thorough. +**For current status, see STATUS.md.** diff --git a/STATUS.md b/STATUS.md index 610c6e2..a286111 100644 --- a/STATUS.md +++ b/STATUS.md @@ -1,15 +1,15 @@ # KNEL-Football Project Status Report -> **Last Updated**: 2026-02-19 17:05 CST +> **Last Updated**: 2026-02-19 22:10 CST > **Maintained By**: AI Agent (Crush) > **Purpose**: Quick-glance status for project manager --- -## Current Status: โœ… READY TO BUILD ISO +## Current Status: โœ… ISO BUILT ### Executive Summary -All 562 tests passing. PRD โ†’ Docs โ†’ Code โ†’ Tests fully aligned. No TODO/FIXME in codebase. Ready for ISO build. +All 562 tests passing. ISO built successfully (816 MB). PRD โ†’ Docs โ†’ Code โ†’ Tests fully aligned. --- @@ -69,21 +69,25 @@ Code Quality: 0 TODO/FIXME, 0 shellcheck warnings ## Next Action -**BUILD ISO**: +ISO built successfully. Ready for deployment or further development. + +To rebuild ISO: ```bash ./run.sh iso ``` -Estimated time: 60-90 minutes - --- -## Recent Commits (This Session) +## Recent Commits ``` -cc5d200 test: expand integration tests and add unit tests for hooks -13c446e chore: remove redundant build_test.bats -8fbf3c0 test: replace stub tests with comprehensive assertions +ad2d4d3 docs: add architecture diagram and fix FR-001 links +f5bbcad docs: add clickable links and update to Debian 13 stable +29654c6 fix: pin distribution to trixie (Debian 13 stable) +987c70b fix: remove obsolete icewm-themes package +89cd8a1 fix: copy config files to live-build config directory in run.sh +7e8bbf7 fix: copy config files to correct live-build config directory +89fd8b7 fix: move preseed.cfg to includes.installer for live-build ``` --- @@ -95,7 +99,7 @@ cc5d200 test: expand integration tests and add unit tests for hooks | Docker Image | `knel-football-dev:latest` | | Build Command | `./run.sh iso` | | Output Location | `output/knel-football-secure.iso` | -| ISO Status | โณ NOT BUILT | +| ISO Status | โœ… BUILT (816 MB, 2026-02-19 22:02) | --- @@ -143,7 +147,7 @@ Tier0 Infrastructure | Static Coverage | 100% | 100% โœ… | | Shellcheck Warnings | 0 | 0 โœ… | | TODO/FIXME in Code | 0 | 0 โœ… | -| ISO Status | โณ READY | Build needed | +| ISO Status | โœ… BUILT | 816 MB | ---