Three issues caused by the rebase onto origin/main:
1. encryption-setup.sh: restore aes_xts, xts, sha512 initramfs modules
that were lost when resolving whitespace conflict
2. security-hardening.sh: add missing configure_ssh() function that
creates hardened sshd_config as defense-in-depth (FR-006 client-only)
3. AGENTS.md: fix section headings to match test expectations
(MANDATORY SECURITY REQUIREMENTS, DOCKER-ONLY WORKFLOW, AGENT WORKFLOW)
All 830 tests now pass (was 815 pass / 15 fail).
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
This commit addresses every shellcheck warning (severity: warning and
above) across the project's shell scripts. Only SC1091 info-level
notices remain (sourced files not available during static analysis),
which is expected and unavoidable in the Docker build workflow.
Changes by file:
src/build-iso.sh
- Replace Unicode checkmark/cross characters (✓, ✗) with ASCII
equivalents (PASS:, FAIL:) to eliminate commitBuffer encoding errors
- Replace useless `cat | cut` pipeline with direct file redirect
(`cut -d' ' -f1 < file`), resolving SC2002
src/security-hardening.sh
- Pass optional arguments through the function call chain in
apply_security_hardening() to resolve SC2119/SC2120 (functions
reference $1 but are called without arguments)
src/firewall-setup.sh
- Pass optional arguments through apply_firewall() in main() to
resolve SC2119/SC2120
config/hooks/installed/encryption-setup.sh
- Consolidate four individual `echo >> file` redirects into a single
`{ cmd1; cmd2; } >> file` block, resolving SC2129
- Add shellcheck disable directive for intentional SC2016 in sed
command (single quotes are required by sed, not a mistake)
config/hooks/installed/encryption-validation.sh
- Replace remaining Unicode checkmark characters with ASCII
Verification:
shellcheck --severity=warning src/*.sh config/hooks/**/*.sh
=> zero warnings, zero errors
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Improve code quality by addressing shellcheck warnings
across security-critical scripts.
src/security-hardening.sh:
- Add shellcheck directive for SC2120/SC2119
- Function configure_password_policy() accepts optional args
- Directive documents intentional usage pattern
src/firewall-setup.sh:
- Fix function argument passing in main()
- Properly pass arguments to configure_firewall()
config/hooks/installed/encryption-setup.sh:
- Consolidate echo commands to fix SC2129
- Use single redirect for multiple writes
Remaining warnings are non-critical:
- SC1091: Source files exist at runtime in Docker container
- SC2016: Intentional single quotes for sed pattern
No functional changes - purely code quality improvements.
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
Enforce 14+ character minimum, require all character classes (uppercase, lowercase, digit, special), prevent common patterns, check against dictionary and bad words, and apply to all users including root.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Add build-iso.sh with validation and build functions
- Add firewall-setup.sh with dynamic nftables configuration
- Add security-hardening.sh with comprehensive hardening functions
- All scripts follow strict mode and are executable
These provide the core functionality for the secure ISO build process.
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
