PRD fixes:
- Remove duplicate 'Installation Behavior' section
- Fix malformed terminology table (missing pipe separator)
Documentation alignment with FR-006:
- README.md: Change SSH/firewall to client-only, no inbound access
- TEST-COVERAGE.md: Remove 'Firewall allows SSH inbound'
- VERIFICATION-REPORT.md: Fix password config docs to match preseed.cfg
- COMPLIANCE.md: Change 'SSH Hardening' to 'SSH Client-Only'
Test enhancements:
- Expand unit tests for encryption, firewall, security hardening
- Add comprehensive coverage for FR-001 through FR-009 requirements
All changes ensure documentation and tests align with PRD.md FR-006
which requires SSH client-only with no server or inbound access.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Consolidate all documentation files under docs/ directory.
Update AGENTS.md and README.md to reflect new file locations.
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
ISO now always named knel-football-secure.iso (no v1.0.0 suffix).
Updated all references in code, docs, and tests.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Update documentation to reflect new project structure
and files created for test coverage enhancement.
README.md:
- Add STATUS.md link to documentation table
- Add JOURNAL.md link to documentation table
- STATUS.md: Manager-facing status report
- JOURNAL.md: AI agent memory and ADRs
AGENTS.md:
- Document STATUS.md purpose and maintenance
- Document JOURNAL.md purpose (AI memory, ADRs)
- Add tests/system/ directory to project structure
- Clean up obsolete file references
- Update documentation structure section
These changes ensure all team members (human and AI)
understand the purpose and location of key files.
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
Add test:unit, test:integration, and test:security commands to quick reference. Add test-runner.sh to project files table. Update documentation to reflect comprehensive test suite coverage.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Remove test-iso.sh from project files table since ISO testing is now accessible through run.sh test:iso command. Streamline documentation to show single entry point for all operations.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Add ISO testing section with libvirt/virsh commands (create, console, status, stop, destroy, list). Update project files table to include test-iso.sh script.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Update all project references from 'Secure Debian' to 'KNEL-Football'
- Add AGPLv3 license with copyright to Known Element Enterprises LLC
- Create comprehensive README.md with project overview and features
- Update copyright notices in all files
- Add project badges and documentation structure
- Maintain AGPLv3 only licensing throughout
- Remove all project files and directories
- Keep git history intact
- Archive documentation in archive-docs/ directory
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
Major updates for production-ready ISO:
1. **Debian Version**:
- Updated to Debian 13.3.0 stable (released)
- No longer using testing/sid
- Using debian:stable Docker image
2. **Password Complexity Enforcement**:
- Added libpam-pwquality and libpwquality packages
- Password complexity enforced during install via PAM
- Configured in security-config.sh:
* Minimum 12 characters
* Mixed case required
* At least one digit
* At least one special character
* 3 character classes required
- Preseed enforces password checks during installer
3. **Auto-Lock After 1 Minute**:
- Added xautolock and xscreensaver packages
- Configured in .xinitrc for auto-lock after 1 minute idle
- Uses xscreensaver-command -lock for screen locking
4. **USB Drive Mounting**:
- Added udisks2, gvfs-backends, gvfs-fuse packages
- Created polkit rules for USB mounting
- User added to plugdev and cdrom groups
- USB drives mountable via file manager
5. **WiFi and Bluetooth Disabling**:
- Created config/disable-wifi-bt.sh script
- Blacklists all WiFi kernel modules
- Blacklists all Bluetooth kernel modules
- Masks bluetooth service
- Removes bluez packages
6. **First-Boot Verification**:
- Created scripts/verify-system.sh
- Created config/football-first-boot.service
- Verifies all functional requirements
- Runs once on first boot
- Prevents re-running via status file
7. **ISO Build System**:
- Updated to use Debian 13.3.0 stable ISO
- Scripts and config baked into ISO
- Docker-based build process
- Corrected ISO filename throughout
8. **Preseed Configuration**:
- Manual user creation (not automated)
- Manual password prompts (enforced via PAM)
- Late_command applies all security configs
- Copies verification script to target
- Enables first-boot verification service
Files Added:
- config/disable-wifi-bt.sh (WiFi/BT disabling)
- config/security-config.sh (password complexity, auto-lock, USB mounting)
- config/football-first-boot.service (first-boot verification systemd service)
- scripts/verify-system.sh (comprehensive verification script)
Files Updated:
- config/preseed.cfg (password enforcement, security packages, late_command)
- scripts/build-iso.sh (Debian 13.3.0, correct filenames)
- docs/FUNCTIONAL-REQUIREMENTS.md (verification strategy)
- AGENTS.md (documentation references)
- README.md (documentation references)
All requirements from this session implemented:
✓ Password complexity enforced during install
✓ Auto-lock after 1 minute idle
✓ USB drive mounting enabled
✓ WiFi/Bluetooth disabled
✓ First-boot verification
✓ Scripts baked into ISO (no internet needed)
✓ All packages in ISO
✓ Debian 13.3.0 stable
💘 Generated with Crush
Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>
Major updates to README.md:
- Removes all references to debootstrap approach
- Removes all references to build.sh and manual image creation
- Documents ISO build process:
1. Run: ./scripts/build-iso.sh
2. Output: output/football-installer.iso
- Documents ISO testing with VM:
- Run: ./scripts/test-iso.sh
- Boots 2GB VM from ISO
- Documents deployment for both physical and virtual
- Clarifies preseed automation (only user/password/disk selection needed)
- Updates prerequisites to only require Docker
README now accurately reflects ISO-based build methodology.
💘 Generated with Crush
Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>
Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening
Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.
Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
