feat: add project specification requirements

- Original project requirements document
- Secure Debian 13 ISO build specifications
- Docker-based workflow with TDD methodology

project-spec.md

@@ -0,0 +1,54 @@
+I need to initiate a new engineering project to build a highly secure, compliant Debian 13 (Trixie) installation ISO using a strict Docker-based workflow.
+
+Please generate a detailed, technical **Specification Document** (in Markdown format) that outlines the requirements for this project. This document will serve as the blueprint for a Test-Driven Development (TDD) implementation.
+
+The specification must cover the following requirements in detail:
+
+**1. Target System Profile**
+*   **OS:** Debian 13 (Trixie).
+*   **Desktop:** Minimal IceWM Window Manager with LightDM Display Manager.
+*   **Applications:** Remmina, WireGuard, Mousepad, PCManFM.
+*   **Networking:** Wifi and Bluetooth must be permanently disabled (Kernel Blacklist).
+*   **Connectivity:** No general internet access. All network traffic must be routed exclusively through a WireGuard tunnel.
+*   **Firewall:** A "Deny All" default policy. The only allowed outbound traffic is UDP traffic to the specific IP/Port defined in the WireGuard configuration file. This must be dynamically configured by parsing the `.conf` file, not hardcoded.
+*   **Authentication:** No auto-login. Usernames must be hidden in the Display Manager (Privacy Mode).
+*   **Workflow:**
+    *   USB drives must be mountable to copy configurations.
+    *   Desktop shortcuts must exist to:
+        1.  Edit `/etc/wireguard/wg0.conf` (with root privileges via `pkexec`).
+        2.  Apply the VPN configuration and update the firewall rules dynamically.
+
+**2. Installation Automation**
+*   The build process must utilize `live-build`.
+*   The ISO must use a `preseed.cfg` file to automate localization and software selection, **BUT** it must require manual interaction for:
+    *   Disk Partitioning.
+    *   Root Password Setup.
+    *   Non-root User Creation (User must be added to `sudo` group).
+
+**3. Development Environment & Constraints**
+*   **Host System:** The host environment is restricted. **NO Make**, NO Python, NO Ruby, NO build tools allowed on the host.
+*   **Allowed Tools:** `docker`, `git`, `libvirt` (virt-install/virsh).
+*   **Orchestration:** A single shell script wrapper (`run.sh`) is allowed on the host to invoke Docker commands.
+*   **Builder Container:** All build tools (`live-build`, `debootstrap`) and testing tools must run inside a Docker container.
+*   **Permissions:** All output files generated by the container must be owned by the user invoking Docker (not root).
+
+**4. Quality Assurance & Testing (TDD)**
+*   **Methodology:** Strict Test-Driven Development. The specification must define that tests are written *before* code.
+*   **Testing Tools:** `bats-core` for testing, `shellcheck` for linting.
+*   **Coverage:** 100% code coverage is mandatory (Unit tests for logic, Integration tests for ISO generation).
+*   **Code Standards:** All Bash scripts must run in Strict Mode (`set -euo pipefail`).
+
+**5. Compliance (CMMC / FedRAMP / STIG)**
+*   The specification must demand the inclusion of a **Compliance Matrix** (`COMPLIANCE.md`).
+*   This matrix must map specific STIG IDs and CIS Benchmark controls (e.g., disabling unused filesystems, enforcing strong passwords, configuring auditd) to specific configuration hooks in the build process.
+
+**6. Output Format**
+*   Provide the complete project structure (files and directories).
+*   Provide the content logic for:
+    *   `run.sh` (Host wrapper).
+    *   `Dockerfile` (Build/Test environment).
+    *   `tests/` (BATS test structure).
+    *   `config/hooks/live/` (Security hardening and firewall scripts).
+    *   `src/` (Internal build scripts).
+
+Please generate this comprehensive specification document now.