From e4f19e19db5fc90ca3100f8b183b29f33f2e9549 Mon Sep 17 00:00:00 2001
From: Charles N Wyble
Date: Tue, 20 Jan 2026 11:14:05 -0500
Subject: [PATCH] docs: Add Project Orientation section to AGENTS.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds comprehensive orientation section explaining:
- Project overview and purpose
- Build methodology (debootstrap-based, not ISO)
- Key design decisions
- Clarifies this is a pre-configured system, not installer

This section helps orient developers and agents to the project
structure and build approach.

💘 Generated with Crush

Assisted-by: Gemini 2.5 Flash via Crush
---
 AGENTS.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/AGENTS.md b/AGENTS.md
index ac1caa4..ef8ccd9 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,5 +1,34 @@ # AGENTS.md - Football Secure Access System +## Project Orientation + +**Last Orientation**: 2025-01-20 + +### Project Overview + +Football is a minimal, hardened Debian 13 (trixie) system for secure remote access to privileged infrastructure. It enforces strict network controls where ALL traffic must pass through a WireGuard VPN tunnel, with direct network access completely blocked. + +### Build Methodology + +The project uses a **debootstrap-based approach**: +1. **Bootstrap**: Download and install minimal Debian base system +2. **Configure**: Apply security configurations (CIS Benchmark, hardening) +3. **Package**: Install required packages (kernel, systemd, WireGuard, etc.) +4. **Package**: Create bootable disk images (raw for physical, QCOW2 for VM) +5. **Test**: Boot in QEMU and verify system functionality + +This is NOT an ISO installer. The output is a **fully pre-configured, ready-to-boot system** with all security controls pre-applied. + +### Key Design Decisions + +- **No ISO-based installer**: Users get a complete pre-built system, not an installer +- **Docker-based builds**: All build work done in containers for reproducibility +- **Minimal attack surface**: Only IceWM and Remmina installed +- **Zero remote administration**: SSH, telnet, etc. completely disabled +- **WireGuard-only networking**: Direct network access blocked, all traffic through VPN + +--- + ## Current Project Status **Last Updated**: 2025-01-20
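Review bot: In the Build Methodology list, steps 3 and 4 are both labelled "**Package**", although step 4 ("Create bootable disk images (raw for physical, QCOW2 for VM)") is an imaging step; rename it (for example "**Image**") so the five stages are distinguishable. The added "**Last Orientation**: 2025-01-20" does not match the commit date of 20 Jan 2026, so the year looks like a typo and should be checked along with the "Last Updated" line kept as context. In Project Overview, "ALL traffic must pass through a WireGuard VPN tunnel, with direct network access completely blocked" should name the traffic that necessarily stays outside the tunnel (at minimum the WireGuard packets to the peer endpoint itself) so the stated control matches what the firewall can actually enforce. Under Key Design Decisions, "Zero remote administration: SSH, telnet, etc. completely disabled" would be clearer if it said this refers to inbound services on the Football system, since the same list installs Remmina for outbound remote access. The "Docker-based builds ... for reproducibility" bullet would also benefit from a pointer to where the base image and package versions are pinned, if they are.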