Firewall OUTPUT DROP policy confirmed as intentional for immutable
system security model:
- Zero traffic leakage (no DNS poisoning, NTP spoofing, C2 exfil)
- Immutable system with no in-place updates
- WireGuard endpoint loaded via USB disk
- Time synchronized from host/hypervisor
Updated risk summary: 1 HIGH (Secure Boot), 4 MEDIUM, 3 LOW, 2 INFO
Remaining findings (001, 005, 006, 007, 008) to be addressed by
software team per audit recommendations.
💘 Generated with Crush
Assisted-by: GLM-4 via Crush <crush@charm.land>
- Changed from qemu:///session to qemu:///system so VMs appear in virt-manager
- Store disk and ISO in /tmp (user-writable, no sudo needed)
- User is in the libvirt group so it can access system libvirt without sudo
- Updated test to expect system URI
This fixes the regression where VMs were not visible in virt-manager.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Added requirement for AI agents to use standard Linux command-line
tools (sed, awk, grep, patch, cut, etc.) instead of internal text
editing functions.
Rationale:
- Internal editing tools fail frequently with whitespace/encoding issues
- Command-line tools are deterministic and well-tested
- Better error messages and easier verification workflow
Changes:
- AGENTS.md: Added "File Editing Requirements" section with tool usage
- SDLC.md: Added "File Editing Standards" section with patterns
Reference: User feedback that internal editing tools "fail way too much"
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Added JOURNAL.md to mandatory documentation synchronization:
- AGENTS.md: Added JOURNAL.md to documentation step and success criteria
- SDLC.md: Added JOURNAL.md to doc sync requirements and references
- pre-commit hook: Check for JOURNAL.md updates on new functions
Strengthened auto-commit/push requirements:
- Commit early and often (after each logical unit of work)
- Atomic commits (one commit per logical change)
- Verbose conventional commit messages (WHAT, WHY, context)
- Push immediately after every commit
Reference: User request for JOURNAL.md sync and auto-commit policy
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Add EFI System Partition (ESP) for UEFI boot support
- Add $defaultignore{ } to LVM partitions for proper crypto handling
- Add in_vg{ knel_vg } and lv_name{ } for explicit volume placement
- Change debconf priority from critical to high to allow user password prompts
- Update documentation dates to 2026-02-19
- Update ISO size references from 450 MB to 816 MB
- Update checksums to current values
Fixes installer error "No root file system is defined"
Fixes missing non-root user password prompt
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Add check_host_fde() function to run.sh that detects LUKS encryption
- Block ./run.sh iso if host lacks full disk encryption
- Block ./run.sh test:iso commands if host lacks FDE
- Add FR-011 to PRD.md documenting the host FDE requirement
- Update AGENTS.md with new mandatory requirement
- Add 9 tests for host FDE check in run_comprehensive_test.bats
Rationale: Building a secure OS on an unencrypted host creates supply
chain risk. The host must have LUKS encryption to ensure the entire
build pipeline is secure.
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
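The host FDE gate this commit describes, as an added example that is not the project's run.sh or its check_host_fde(): it parses `lsblk -P` output and walks the parent chain of whatever is mounted at `/`, so a LUKS volume that only holds data (the second constructed sample) does not count as full disk encryption. The function names, the two SAMPLE_ variables and the device layouts in them are assumptions.

```shell
#!/bin/sh
# Added example (not the project's run.sh): decide whether the host root
# filesystem lives on a LUKS container by walking lsblk parent links.
# Function and sample names below are hypothetical.

# Read `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` on stdin.
# Exit 0 if the device mounted at / (or any ancestor of it) is a dm-crypt
# mapping or a crypto_LUKS partition, 1 if not, 2 if no / mount is listed.
root_on_luks() {
    awk '
        {
            split("", f)
            line = $0
            # Pull KEY="value" pairs out of one lsblk -P line.
            while (match(line, /[A-Z]+="[^"]*"/)) {
                kv  = substr(line, RSTART, RLENGTH)
                eq  = index(kv, "=")
                key = substr(kv, 1, eq - 1)
                val = substr(kv, eq + 2, length(kv) - eq - 2)
                f[key] = val
                line = substr(line, RSTART + RLENGTH)
            }
            dtype[f["NAME"]]   = f["TYPE"]
            dfs[f["NAME"]]     = f["FSTYPE"]
            dparent[f["NAME"]] = f["PKNAME"]
            if (f["MOUNTPOINT"] == "/") root = f["NAME"]
        }
        END {
            if (root == "") exit 2
            # Climb from / towards the disk; LUKS anywhere on that path counts.
            for (d = root; d != ""; d = dparent[d])
                if (dtype[d] == "crypt" || dfs[d] == "crypto_LUKS") exit 0
            exit 1
        }'
}

# Live gate, as a build script would call it before building or testing an
# ISO. Fails closed: no lsblk, or no / entry, also refuses the build.
check_host_fde() {
    if lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | root_on_luks; then
        return 0
    fi
    echo "ERROR: host root filesystem is not on LUKS; refusing to build" >&2
    return 1
}

# Constructed sample: root on LVM inside a LUKS container (an FDE host).
SAMPLE_FDE_HOST='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="sda3_crypt" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda3"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda3_crypt"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="sda3_crypt"'

# Constructed sample: plain root, with LUKS only on a separate data disk.
# A check that merely looks for any "crypt" device would wrongly accept this.
SAMPLE_LUKS_DATA_ONLY='NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="nvme0n1"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sdb"
NAME="vault" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/mnt/vault" PKNAME="sdb1"'

for sample in "$SAMPLE_FDE_HOST" "$SAMPLE_LUKS_DATA_ONLY"; do
    if printf '%s\n' "$sample" | root_on_luks; then
        echo "root on LUKS: yes"
    else
        echo "root on LUKS: no"
    fi
done
```

Only `root_on_luks` is exercised on the constructed samples; `check_host_fde` is the form that runs against the live host. Walking `PKNAME` matters because on a typical Debian LUKS-on-LVM layout the root device is an LVM volume whose parent is the crypt mapping, not the LUKS partition itself, and because the presence of a `crypt` device somewhere on the machine says nothing about where the build tree and the keys actually live.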
PRD fixes:
- Remove duplicate 'Installation Behavior' section
- Fix malformed terminology table (missing pipe separator)
Documentation alignment with FR-006:
- README.md: Change SSH/firewall to client-only, no inbound access
- TEST-COVERAGE.md: Remove 'Firewall allows SSH inbound'
- VERIFICATION-REPORT.md: Fix password config docs to match preseed.cfg
- COMPLIANCE.md: Change 'SSH Hardening' to 'SSH Client-Only'
Test enhancements:
- Expand unit tests for encryption, firewall, security hardening
- Add comprehensive coverage for FR-001 through FR-009 requirements
All changes ensure documentation and tests align with PRD.md FR-006
which requires SSH client-only with no server or inbound access.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Consolidate all documentation files under docs/ directory.
Update AGENTS.md and README.md to reflect new file locations.
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
ISO now always named knel-football-secure.iso (no v1.0.0 suffix).
Updated all references in code, docs, and tests.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Add architecture.md with system architecture details
- Add COMPLIANCE.md with compliance matrix
- Add security-model.md with security specifications
- Add prompts-cache.md for AI prompt history
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
- Move football-spec.md to docs/football-spec.md
- Move project-spec.md to docs/project-spec.md
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
- Remove all project files and directories
- Keep git history intact
- Archive documentation in archive-docs/ directory
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
Major updates for production-ready ISO:
1. **Debian Version**:
   - Updated to Debian 13.3.0 stable (released)
   - No longer using testing/sid
   - Using debian:stable Docker image
2. **Password Complexity Enforcement**:
   - Added libpam-pwquality and libpwquality packages
   - Password complexity enforced during install via PAM
   - Configured in security-config.sh:
     * Minimum 12 characters
     * Mixed case required
     * At least one digit
     * At least one special character
     * 3 character classes required
   - Preseed enforces password checks during installer
3. **Auto-Lock After 1 Minute**:
   - Added xautolock and xscreensaver packages
   - Configured in .xinitrc for auto-lock after 1 minute idle
   - Uses xscreensaver-command -lock for screen locking
4. **USB Drive Mounting**:
   - Added udisks2, gvfs-backends, gvfs-fuse packages
   - Created polkit rules for USB mounting
   - User added to plugdev and cdrom groups
   - USB drives mountable via file manager
5. **WiFi and Bluetooth Disabling**:
   - Created config/disable-wifi-bt.sh script
   - Blacklists all WiFi kernel modules
   - Blacklists all Bluetooth kernel modules
   - Masks bluetooth service
   - Removes bluez packages
6. **First-Boot Verification**:
   - Created scripts/verify-system.sh
   - Created config/football-first-boot.service
   - Verifies all functional requirements
   - Runs once on first boot
   - Prevents re-running via status file
7. **ISO Build System**:
   - Updated to use Debian 13.3.0 stable ISO
   - Scripts and config baked into ISO
   - Docker-based build process
   - Corrected ISO filename throughout
8. **Preseed Configuration**:
   - Manual user creation (not automated)
   - Manual password prompts (enforced via PAM)
   - Late_command applies all security configs
   - Copies verification script to target
   - Enables first-boot verification service
Files Added:
- config/disable-wifi-bt.sh (WiFi/BT disabling)
- config/security-config.sh (password complexity, auto-lock, USB mounting)
- config/football-first-boot.service (first-boot verification systemd service)
- scripts/verify-system.sh (comprehensive verification script)
Files Updated:
- config/preseed.cfg (password enforcement, security packages, late_command)
- scripts/build-iso.sh (Debian 13.3.0, correct filenames)
- docs/FUNCTIONAL-REQUIREMENTS.md (verification strategy)
- AGENTS.md (documentation references)
- README.md (documentation references)
All requirements from this session implemented:
✓ Password complexity enforced during install
✓ Auto-lock after 1 minute idle
✓ USB drive mounting enabled
✓ WiFi/Bluetooth disabled
✓ First-boot verification
✓ Scripts baked into ISO (no internet needed)
✓ All packages in ISO
✓ Debian 13.3.0 stable
💘 Generated with Crush
Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>
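The password policy listed under item 2 of this commit, as an added example that is not the project's security-config.sh or preseed: the libpwquality settings that encode it, beside a permissive configuration, plus a shell checker that reads a pwquality.conf and reports which settings fall short of the policy. The checker's name and both sample files are constructed; the option names and the sign convention (a negative credit is a minimum count of that class) are libpwquality's own.

```shell
#!/bin/sh
# Added example (not the project's security-config.sh): pwquality settings
# for the stated policy next to a permissive set, and a checker for them.
# Function and sample names are hypothetical.

# Constructed sample: a permissive pwquality.conf (length only, digits
# merely earn credit, no class minimum).
WEAK_PWQUALITY='# /etc/security/pwquality.conf
minlen = 8
dcredit = 1
minclass = 0'

# Constructed sample expressing the commit: 12+ characters; upper, lower,
# digit and special each required (negative credit = minimum count);
# at least 3 character classes.
HARDENED_PWQUALITY='# /etc/security/pwquality.conf
minlen = 12
ucredit = -1
lcredit = -1
dcredit = -1
ocredit = -1
minclass = 3'

# Read a pwquality.conf on stdin; print one line per shortfall; exit 0 only
# if every setting is at least as strict as the policy. A credit that is
# absent is treated as not required, which matches the pwquality default.
pwquality_policy_ok() {
    awk -F= '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        NF >= 2 {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key)
            gsub(/[[:space:]]/, "", val)
            v[key] = val + 0
            seen[key] = 1
        }
        END {
            ok = 1
            if (!("minlen" in seen) || v["minlen"] < 12) {
                print "minlen: need >= 12"; ok = 0
            }
            n = split("ucredit lcredit dcredit ocredit", c, " ")
            for (i = 1; i <= n; i++)
                if (!(c[i] in seen) || v[c[i]] > -1) {
                    print c[i] ": need <= -1 (at least one of that class)"; ok = 0
                }
            if (!("minclass" in seen) || v["minclass"] < 3) {
                print "minclass: need >= 3"; ok = 0
            }
            exit (ok ? 0 : 1)
        }'
}

for sample in "$WEAK_PWQUALITY" "$HARDENED_PWQUALITY"; do
    if printf '%s\n' "$sample" | pwquality_policy_ok; then
        echo "policy: OK"
    else
        echo "policy: FAIL"
    fi
done
```

The checker can run in a bats test against the file the build drops into the target, or against a live system's `/etc/security/pwquality.conf`. With all four credits at -1, `minclass = 3` is already satisfied by any accepted password; keeping it as the commit lists does no harm and guards against someone later relaxing a single credit. The same settings can also be given as options on the pam_pwquality.so line in the PAM password stack, which this checker does not read.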
Adds docs/FUNCTIONAL-REQUIREMENTS.md documenting:
- Core functionality (FR-1 to FR-12)
- Artifact properties (9 properties covering ISO, installed system, deployment)
- Non-functional requirements (performance, reliability, usability, security)
- User inputs required (username, passwords, disk selection)
- System components (OS, desktop, network, security)
- Compliance requirements (CIS Benchmarks, NIST SP 800-53)
- Testing requirements (installation, security, functional)
- Acceptance criteria (5 criteria for production readiness)
- Glossary and related documents
This document captures all functional requirements discussed
in previous sessions and serves as the single source of truth for
system behavior, properties, and requirements.
💘 Generated with Crush
Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>
Adds docs/CLEANUP-SUMMARY.md documenting:
- All cleanup and refactoring completed
- Directory structure changes (before/after)
- Files moved/archived/deleted
- Documentation updates made
- Build approach migration details
- Git commit history (11 commits)
- Current state (ready to build)
- Next steps for production
This provides a complete reference for all refactoring work
and ensures future contributors understand the changes made.
💘 Generated with Crush
Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>
Adds docs/BUILD-DOCUMENTATION.md explaining:
- Directory structure (clean and organized)
- Complete build process (5 steps)
- Preseed configuration details
- ISO deployment procedures (bare metal and VM)
- Docker container usage (dev and test)
- Security features applied during installation
- Troubleshooting guide
- Next steps for deployment
This replaces all scattered old documentation with a single,
comprehensive reference for the ISO-based build system.
💘 Generated with Crush
Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>