Debian partman-crypto does not support preseed configuration for KDF
type, defaulting to PBKDF2. PRD requires Argon2id for its superior
resistance to GPU-based attacks.
Solution: Post-install hook that creates:
- /usr/local/bin/convert-luks-kdf.sh: User-runnable script to convert
PBKDF2 to Argon2id with proper parameters (memory=1GB, parallelism=4)
- /etc/profile.d/knel-kdf-reminder.sh: Login reminder until conversion
- Updated /var/backups/keys/README.txt with conversion instructions
Tests added (3 new):
- Argon2id KDF configuration hook or script exists
- KDF conversion helper script is created
- User receives notification about KDF optimization
Reference: docs/PRD.md encryption requirements
Audit: FINDING-005 (2026-02-20)
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
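Added example (not the project's convert-luks-kdf.sh, whose contents are not shown here): an audit that reads `cryptsetup luksDump` text, lists each keyslot's KDF, and builds the `luksConvertKey` command with the memory=1GB, parallelism=4 values stated above. The dump and the device name /dev/sdX3 are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example; SAMPLE_DUMP is constructed, /dev/sdX3 is a placeholder.

# Print "<slot> <kdf>" for each keyslot in `cryptsetup luksDump` text on stdin.
list_keyslot_kdfs() {
  awk '
    /^Keyslots:/ { in_slots = 1; next }
    /^[A-Za-z]/  { in_slots = 0 }                 # any other top-level section
    in_slots && /^[ \t]+[0-9]+: luks2/ { slot = $1; sub(":", "", slot) }
    in_slots && $1 == "PBKDF:"         { print slot, $2 }
  '
}

# Print the slots still on PBKDF2; return 1 if there are any.
weak_keyslots() {
  list_keyslot_kdfs | awk '$2 == "pbkdf2" { print $1; bad = 1 } END { exit bad + 0 }'
}

# Build (without running) the conversion command for one slot.
# --pbkdf-memory is given in kilobytes, so 1GB is 1024 * 1024.
conversion_command() {
  local device=$1 slot=$2
  printf 'cryptsetup luksConvertKey --key-slot %s --pbkdf argon2id --pbkdf-memory %s --pbkdf-parallel 4 %s\n' \
    "$slot" "$((1024 * 1024))" "$device"
}

SAMPLE_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 1000000
  1: luks2
    Key:        512 bits
    PBKDF:      argon2id
    Time cost:  4
    Memory:     1048576
    Threads:    4
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
EOF
)

# Demo: a real run would pipe `cryptsetup luksDump <device>` instead.
printf '%s\n' "$SAMPLE_DUMP" | weak_keyslots | while read -r s; do
  conversion_command /dev/sdX3 "$s"
done
```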
The preseed.cfg creates user 'football' but hooks referenced 'kneluser'.
This inconsistency would cause runtime failures during installation.
Changes:
- config/hooks/installed/encryption-validation.sh: s/kneluser/football/g
- config/hooks/live/usb-automount.sh: s/kneluser/football/g
- config/hooks/installed/install-scripts.sh: s/kneluser/football/g
- tests/unit/encryption-validation_test.bats: Add 5 tests for username consistency
Fixes: FINDING-008 (User account inconsistency)
Reference: PRD.md user account requirements
💘 Generated with Crush
Assisted-by: Claude via Crush <crush@charm.land>
Firewall OUTPUT DROP policy confirmed as intentional for immutable
system security model:
- Zero traffic leakage (no DNS poisoning, NTP spoofing, C2 exfil)
- Immutable system with no in-place updates
- WireGuard endpoint loaded via USB disk
- Time synchronized from host/hypervisor
Updated risk summary: 1 HIGH (Secure Boot), 4 MEDIUM, 3 LOW, 2 INFO
Remaining findings (001, 005, 006, 007, 008) to be addressed by
software team per audit recommendations.
💘 Generated with Crush
Assisted-by: GLM-4 via Crush <crush@charm.land>
- Changed from qemu:///session to qemu:///system so VMs appear in virt-manager
- Store disk and ISO in /tmp (user-writable, no sudo needed)
- User is in libvirt group so can access system libvirt without sudo
- Updated test to expect system URI
This fixes the regression where VMs were not visible in virt-manager.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Added requirement for AI agents to use standard Linux command-line
tools (sed, awk, grep, patch, cut, etc.) instead of internal text
editing functions.
Rationale:
- Internal editing tools fail frequently with whitespace/encoding issues
- Command-line tools are deterministic and well-tested
- Better error messages and easier verification workflow
Changes:
- AGENTS.md: Added "File Editing Requirements" section with tool usage
- SDLC.md: Added "File Editing Standards" section with patterns
Reference: User feedback that internal editing tools "fail way too much"
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Added JOURNAL.md to mandatory documentation synchronization:
- AGENTS.md: Added JOURNAL.md to documentation step and success criteria
- SDLC.md: Added JOURNAL.md to doc sync requirements and references
- pre-commit hook: Check for JOURNAL.md updates on new functions
Strengthened auto-commit/push requirements:
- Commit early and often (after each logical unit of work)
- Atomic commits (one commit per logical change)
- Verbose conventional commit messages (WHAT, WHY, context)
- Push immediately after every commit
Reference: User request for JOURNAL.md sync and auto-commit policy
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Add complete Secure Boot implementation:
- Generate PK/KEK/db keys during ISO build
- Build Unified Kernel Image (UKI) bundling kernel+initramfs+cmdline
- Sign UKI with db key for Secure Boot verification
- Include kernel lockdown mode in cmdline (lockdown=confidentiality)
- Copy .auth files to ISO for UEFI key enrollment
All Secure Boot logic is embedded in run.sh as an inline binary hook
created during the Docker build process - no separate scripts.
Required packages added: efitools, sbsigntools, systemd-boot, binutils
VM template updated with TPM v2.0 for Secure Boot measurements.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Remove $defaultignore{ } from LVM partitions (was preventing root FS detection)
- Fix swap minimum size from 100% to 1024
- Use -1 for root max size to fill available space
- Ensure LVM logical volumes are properly recognized inside LUKS container
Fixes: "No root file system is defined" error during installation
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Add EFI System Partition (ESP) for UEFI boot support
- Add $defaultignore{ } to LVM partitions for proper crypto handling
- Add in_vg{ knel_vg } and lv_name{ } for explicit volume placement
- Change debconf priority from critical to high to allow user password prompts
- Update documentation dates to 2026-02-19
- Update ISO size references from 450 MB to 816 MB
- Update checksums to current values
Fixes installer error "No root file system is defined"
Fixes missing non-root user password prompt
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- AGENTS.md now contains only agent behavior guidelines
- STATUS.md is the single source for project status
- Updated STATUS.md with current ISO status (built, 816 MB)
- Updated recent commits section in STATUS.md
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
Debian 13 (trixie) is now stable. Using --distribution testing
causes kernel module mismatch as testing now points to the next
release. Pin to trixie for stability.
Fixes kernel modules error during installation.
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
Package icewm-themes is no longer available in Debian testing.
icewm-common provides the necessary themes as a dependency.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
The build commands in run.sh were copying to ./ instead of ./config/.
After lb config runs, the config directory is created at ./config/,
so config files must be copied there.
fix: copy config files to correct live-build config directory
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Changed cp destination from ./ to ./config/ to ensure includes.installer
and other config files are placed in the correct location for live-build
to process them. This fixes preseed.cfg not being embedded in the installer
initrd.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
The preseed file needs to be in config/includes.installer/ for live-build
to embed it into the Debian installer. Previously it was in config/ which
doesn't get picked up by lb build.
- Moved config/preseed.cfg -> config/includes.installer/preseed.cfg
- Updated all test files to reference new path
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Add check_host_fde() function to run.sh that detects LUKS encryption
- Block ./run.sh iso if host lacks full disk encryption
- Block ./run.sh test:iso commands if host lacks FDE
- Add FR-011 to PRD.md documenting the host FDE requirement
- Update AGENTS.md with new mandatory requirement
- Add 9 tests for host FDE check in run_comprehensive_test.bats
Rationale: Building a secure OS on an unencrypted host creates supply
chain risk. The host must have LUKS encryption to ensure the entire
build pipeline is secure.
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
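Added example (not the project's check_host_fde(), whose body is not shown here): one way a host FDE gate can decide whether a mount point sits on an encrypted volume, by walking the parent chain in `lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT` output until it finds a dm-crypt mapping. The function name and both device listings are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; LUKS_HOST and PLAIN_HOST are constructed lsblk listings.

# Read `lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT` output on stdin.
# Return 0 if the device mounted at $1 has a "crypt" device in its
# parent chain (itself included), 1 otherwise or if $1 is not mounted.
mount_is_encrypted() {
  awk -v target="$1" '
    function field(key,   m) {            # value of key="..." on this line
      if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
      m = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
      return m
    }
    {
      k = field("KNAME"); type[k] = field("TYPE"); parent[k] = field("PKNAME")
      if (field("MOUNTPOINT") == target) start = k
    }
    END {
      # Walk towards the physical disk; the hop limit guards against loops.
      for (k = start; k != "" && hops++ < 32; k = parent[k])
        if (type[k] == "crypt") exit 0
      exit 1
    }
  '
}

# LVM inside LUKS: / is on dm-1 (lvm) -> dm-0 (crypt) -> sda3 -> sda.
LUKS_HOST='KNAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
KNAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot/efi"
KNAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
KNAME="sda3" TYPE="part" PKNAME="sda" MOUNTPOINT=""
KNAME="dm-0" TYPE="crypt" PKNAME="sda3" MOUNTPOINT=""
KNAME="dm-1" TYPE="lvm" PKNAME="dm-0" MOUNTPOINT="/"'

# Unencrypted host: / is directly on a partition.
PLAIN_HOST='KNAME="vda" TYPE="disk" PKNAME="" MOUNTPOINT=""
KNAME="vda1" TYPE="part" PKNAME="vda" MOUNTPOINT="/"'

# Demo: a real gate would pipe live lsblk output and refuse to build on failure.
for host in LUKS_HOST PLAIN_HOST; do
  eval "listing=\$$host"
  if printf '%s\n' "$listing" | mount_is_encrypted /; then
    echo "$host: root is on an encrypted volume"
  else
    echo "$host: root is NOT encrypted, build would be blocked"
  fi
done
```

The /boot and /boot/efi partitions in the first listing are outside the encrypted container, so a gate that tests only `/` says nothing about them.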
PRD fixes:
- Remove duplicate 'Installation Behavior' section
- Fix malformed terminology table (missing pipe separator)
Documentation alignment with FR-006:
- README.md: Change SSH/firewall to client-only, no inbound access
- TEST-COVERAGE.md: Remove 'Firewall allows SSH inbound'
- VERIFICATION-REPORT.md: Fix password config docs to match preseed.cfg
- COMPLIANCE.md: Change 'SSH Hardening' to 'SSH Client-Only'
Test enhancements:
- Expand unit tests for encryption, firewall, security hardening
- Add comprehensive coverage for FR-001 through FR-009 requirements
All changes ensure documentation and tests align with PRD.md FR-006
which requires SSH client-only with no server or inbound access.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Consolidate all documentation files under docs/ directory.
Update AGENTS.md and README.md to reflect new file locations.
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
- Changed domain from local to knel.net
- Changed username from kneluser to football
- Removed sudo from user groups (football user not a sudoer)
- Added debconf priority critical to suppress non-essential questions
- Added console-setup/layoutcode and variantcode
- Added popularity-contest participation = false
- Added apt-setup options to skip contrib/non-free/backports prompts
- Added base-installer/kernel/image selection
- Added netcfg/confirm_static
Installation should now only prompt for:
1. Root password
2. User password (football)
3. Encryption passphrase
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
virt-install requires storage pool driver which is not available on this
system. Switched to direct virsh define using XML template which works
without storage pools.
Changes:
- Replaced virt-install with virsh define + start
- Pre-create disk with qemu-img before VM definition
- Copy ISO to /var/lib/libvirt/images with proper ownership
- Use XML template with variable substitution
- VM now appears in virt-manager under QEMU/KVM connection
VM knel-football-test is now running and visible in virt-manager.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- All virsh commands now use qemu:///session explicitly
- Removed direct QEMU fallback (libvirt only)
- Added VM XML template in vm/template.xml with variable substitution
- Template generates UUID and MAC address dynamically
- VM is now properly defined AND started in libvirt
- Fixed vm_destroy, vm_console, vm_status, vm_is_running, vm_capture_screen
- Added UUID fallback using /proc/sys/kernel/random/uuid
Fixes issue where VMs were created but not visible/running in virt-manager.
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
ISO built successfully 2026-02-19 10:07
- Size: 449MB
- SHA256: 9d4238cd0a5d8b3118023ea099874f15aa50938a23c7ba2df54e644672a54eec
- All bug fixes included
💵 Generated with Crush
Assisted-by: GLM-4 via Crush <crush@charm.land>
Capture plan for fully automated VM testing using test-specific ISO
variant with hardcoded credentials and automated test runner. Includes
safety rails to prevent test artifacts from leaking to production builds.
💵 Generated with Crush
Assisted-by: GLM-4 via Crush <crush@charm.land>
- Add JOURNAL entry for critical hook bug fixes
- Update STATUS.md to reflect ISO rebuild in progress
- Fix test count (110 not 111)
- Update metrics with correct commit count
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Fix function name: configure_ssh → configure_ssh_client (matches src/)
- Add missing configure_fim call for AIDE File Integrity Monitoring
These functions exist in src/security-hardening.sh but the hook was
calling the wrong name or missing the FIM call entirely.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
ISO now always named knel-football-secure.iso (no v1.0.0 suffix).
Updated all references in code, docs, and tests.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Agent must automatically commit and push after completing work.
User should NEVER have to ask about commit status.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Add ADR-009 for script consolidation (run.sh as single entry point)
- Update STATUS.md to reflect complete state (ISO built, VM framework merged)
- Document lessons learned from libvirt group requirement
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Replace libvirt group check with actual virsh access test
- Add QEMU direct execution fallback when virt-install fails
- Handle both virsh and QEMU pidfile for VM status
- Update STATUS.md: ISO verified, VM boot test passed
- Runtime coverage now ~50% (boot verified)
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- STATUS.md: ISO rebuild in progress, updated next actions
- JOURNAL.md: Added session 2 entry for FIM/audit/SSH work, ADRs 005-007
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Test SSH password authentication is disabled
- Test SSH root login is disabled
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
- Never run destructive ops (reset --hard, rm, checkout/restore) without explicit user instruction
- Never amend commits without explicit written approval
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
- Quote paths with brackets/parentheses to prevent shell expansion
- Use GIT_EDITOR=: GIT_SEQUENCE_EDITOR=: for non-interactive rebase
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
- Double-check git status before any commit
- Delete unused/obsolete files when refactoring
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
Update STATUS.md to reflect completed work:
Changes:
- Status changed to "READY FOR TESTING"
- All 7 commits from session listed
- Test coverage updated to 78 tests
- Secure Boot packages marked as added
- VM test framework marked as created
- Shellcheck warnings marked as fixed
- Next actions clarified (user logout/login required)
Blockers clearly identified:
- User not in libvirt group
- ISO not built
Metrics updated to reflect session progress.
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>