- src/build-iso.sh: Replace undefined $VERSION with correct filename.
The success check referenced $PROJECT_NAME-v$VERSION.iso but $VERSION
was never defined, causing the build to always report failure.
- scripts/validate-iso.sh: Replace deprecated `-net nic -net user` with
modern `-nic user` QEMU networking syntax.
💘 Generated with Crush
Assisted-by: GLM-5.1 via Crush <crush@charm.land>
Three issues caused by the rebase onto origin/main:
1. encryption-setup.sh: restore aes_xts, xts, sha512 initramfs modules
that were lost when resolving whitespace conflict
2. security-hardening.sh: add missing configure_ssh() function that
creates hardened sshd_config as defense-in-depth (FR-006 client-only)
3. AGENTS.md: fix section headings to match test expectations
(MANDATORY SECURITY REQUIREMENTS, DOCKER-ONLY WORKFLOW, AGENT WORKFLOW)
All 830 tests now pass (was 815 pass / 15 fail).
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
This commit addresses every shellcheck warning (severity: warning and
above) across the project's shell scripts. Only SC1091 info-level
notices remain (sourced files not available during static analysis),
which is expected and unavoidable in the Docker build workflow.
Changes by file:
src/build-iso.sh
- Replace Unicode checkmark/cross characters (✓, ✗) with ASCII
equivalents (PASS:, FAIL:) to eliminate commitBuffer encoding errors
- Replace useless `cat | cut` pipeline with direct file redirect
(`cut -d' ' -f1 < file`), resolving SC2002
src/security-hardening.sh
- Pass optional arguments through the function call chain in
apply_security_hardening() to resolve SC2119/SC2120 (functions
reference $1 but are called without arguments)
src/firewall-setup.sh
- Pass optional arguments through apply_firewall() in main() to
resolve SC2119/SC2120
config/hooks/installed/encryption-setup.sh
- Consolidate four individual `echo >> file` redirects into a single
`{ cmd1; cmd2; } >> file` block, resolving SC2129
- Add shellcheck disable directive for intentional SC2016 in sed
command (single quotes are required by sed, not a mistake)
config/hooks/installed/encryption-validation.sh
- Replace remaining Unicode checkmark characters with ASCII
Verification:
shellcheck --severity=warning src/*.sh config/hooks/**/*.sh
=> zero warnings, zero errors
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Changed cp destination from ./ to ./config/ to ensure includes.installer
and other config files are placed in the correct location for live-build
to process them. This fixes preseed.cfg not being embedded in the installer
initrd.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
ISO now always named knel-football-secure.iso (no v1.0.0 suffix).
Updated all references in code, docs, and tests.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Improve code quality by addressing shellcheck warnings
across security-critical scripts.
src/security-hardening.sh:
- Add shellcheck directive for SC2120/SC2119
- Function configure_password_policy() accepts optional args
- Directive documents intentional usage pattern
src/firewall-setup.sh:
- Fix function argument passing in main()
- Properly pass arguments to configure_firewall()
config/hooks/installed/encryption-setup.sh:
- Consolidate echo commands to fix SC2129
- Use single redirect for multiple writes
Remaining warnings are non-critical:
- SC1091: Source files exist at runtime in Docker container
- SC2016: Intentional single quotes for sed pattern
No functional changes - purely code quality improvements.
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
Add --privileged flag (required for encryption support), --user root flag (required by live-build), build in /tmp container directory (not mounted volume), and remove problematic flags for successful build with encryption support.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Enforce 14+ character minimum, require all character classes (uppercase, lowercase, digit, special), prevent common patterns, check against dictionary and bad words, and apply to all users including root.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Add src/build.sh for Docker-based ISO building
- Add src/run-new.sh with enhanced container management
- Add src/run.sh as host wrapper for build process
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
- Add build-iso.sh with validation and build functions
- Add firewall-setup.sh with dynamic nftables configuration
- Add security-hardening.sh with comprehensive hardening functions
- All scripts follow strict mode and are executable
These provide the core functionality for the secure ISO build process.
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
