docs: complete PreFlightDiscussion-03.md with final resolution

- All pre-flight discussions now resolved
- Package management implementation: installed hooks, chmod + chattr
- Ready for implementation phase
- Specification updated with all decisions

.gitignore

@@ -0,0 +1,43 @@
+# .gitignore for Secure Debian ISO Project
+
+# Output directory
+output/
+
+# Generated ISO files
+*.iso
+*.iso.sha256
+*.iso.asc
+
+# Build artifacts
+config/binary
+config/cache
+config/chroot
+config/.build
+
+# Live-build temporary files
+binary-hybrid.iso
+live-build.log
+
+# Virtual machine images
+*.qcow2
+*.vmdk
+*.img
+
+# Test artifacts
+test-reports/
+coverage/
+
+# IDE and editor files
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS specific files
+.DS_Store
+Thumbs.db
+
+# Temporary files
+tmp/
+temp/

PreFlightDiscussion-01.md

@@ -0,0 +1,118 @@
+# Pre-Flight Discussion - Questions, Comments, and Concerns
+
+## Questions:
+
+### 1. Debian 13 Availability ✅ RESOLVED
+- **Original**: Debian 13 (Trixie) is currently in testing
+- **Status**: RESOLVED - Debian 13.3.0 is released and stable
+- **Action**: Updated spec to use debian-13.3.0-amd64-netinst.iso
+
+### 2. USB Automounting and Package Inclusion ✅ RESOLVED
+- **Original**: How will the system access USB mounting utilities without network access?
+- **Status**: RESOLVED - All packages must be pre-included in ISO
+- **Action**: Updated spec to clarify all utilities pre-installed
+
+### 3. Compliance Specificity
+- **Question**: Which specific CMMC levels, FedRAMP authorization levels, or STIG IDs should we target?
+- **Concern**: Without specific controls, we may implement security measures that don't meet actual requirements
+- **Options**: 
+  - CMMC Level 3, 4, or 5?
+  - FedRAMP Moderate or High?
+  - Specific DISA STIG for Debian 13?
+
+### 4. WireGuard Configuration Management
+- **Question**: Should we assume WireGuard config will be provided via USB, or include a default template?
+- **Concern**: Without a config, the system will have no network connectivity at all
+- **Options**: 
+  - Include sample/template configuration
+  - Include QR code import capability
+  - Assume user provides complete config via USB
+
+## Technical Concerns:
+
+### 5. Docker Build Context and Package Availability
+- **Concern**: The current Dockerfile may not have all required packages for Debian 13.3.0
+- **Issue**: Package names or availability may differ between Debian versions
+- **Need**: Verify all packages in Dockerfile exist in Debian 13.3.0
+
+### 6. Test Environment Privileges
+- **Concern**: Some tests (firewall, system services) require elevated privileges
+- **Issue**: Container environment may not support all required test scenarios
+- **Need**: Determine how to test privileged operations in containers
+
+### 7. ISO Size Management
+- **Concern**: Including all security tools, applications, and utilities may create a large ISO
+- **Issue**: Large ISO may be impractical for distribution or booting on older hardware
+- **Need**: Define acceptable ISO size limits and optimization strategies
+
+## Missing Details:
+
+### 8. Complete Package List
+- **Missing**: Exact package list for base system and applications
+- **Need**: Define all packages to include in the ISO (not just applications like Remmina, etc.)
+- **Examples**: Which kernel packages? Which security tools? Which system utilities?
+
+### 9. Live-build Configuration Details
+- **Missing**: Specific live-build configuration parameters
+- **Need**: Kernel parameters, boot options, system settings
+- **Examples**: Security kernel parameters, initrd options, bootloader security
+
+### 10. Error Handling and Recovery
+- **Missing**: Comprehensive error handling strategy
+- **Need**: How to handle build failures, configuration errors, system boot issues
+- **Examples**: Build failures, corrupted configs, boot problems
+
+### 11. Boot Security
+- **Missing**: Boot loader security requirements
+- **Need**: Secure boot configuration, bootloader password, boot parameters
+- **Examples**: GRUB security, kernel lockdown, initramfs security
+
+## Additional Considerations:
+
+### 12. User Experience and Documentation
+- **Concern**: Security-focused system may be difficult for users
+- **Need**: Clear documentation for secure workflows
+- **Question**: Should we include user guides in the ISO?
+
+### 13. System Updates and Maintenance
+- **Question**: How will the system receive security updates without general internet access?
+- **Options**: 
+  - Air-gapped update process
+  - USB-based update distribution
+  - No updates after initial deployment
+
+### 14. Hardware Compatibility
+- **Concern**: Minimal desktop may have hardware compatibility issues
+- **Need**: Define supported hardware scope
+- **Question**: Should we include additional drivers or keep it minimal?
+
+### 15. Testing Strategy for Air-Gapped Environment
+- **Challenge**: How to test an ISO designed for air-gapped use
+- **Need**: Testing methodology that doesn't require internet
+- **Question**: Should we simulate air-gapped environment during testing?
+
+---
+
+## Priority Assessment:
+
+**High Priority (Blockers):**
+- Q3: Compliance specificity
+- Q4: WireGuard configuration approach
+- M8: Complete package list
+- M9: Live-build configuration details
+
+**Medium Priority (Implementation Challenges):**
+- TC5: Docker package availability
+- TC6: Test environment privileges
+- TC7: ISO size management
+
+**Low Priority (Nice to Have):**
+- M10: Error handling strategy
+- M11: Boot security details
+- A12-A15: Additional considerations
+
+---
+
+**Status**: Awaiting your feedback on the above questions and concerns
+**Next Action**: Review your inline edits and address any additional points
+**Ready for Implementation**: NO - Need to resolve high priority items first

PreFlightDiscussion-02.md

@@ -0,0 +1,77 @@
+# Pre-Flight Discussion - Round 2
+
+## Follow-up Questions Based on Your Feedback:
+
+### 1. Compliance Framework Clarification
+- **Your Feedback**: Entry point to tier0 infrastructure supporting ITAR/SECRET systems, CMMC Level 2/3 downstream, LI-SaaS for RackRental.net
+- **Questions**:
+  - Should we target CMMC Level 3 for this system since it supports Level 2/3 downstream?
+  - For STIG vs CIS: DISA STIGs are military requirements, CIS Benchmarks are industry best practices. Given your use case (tier0, ITAR/SECRET), I recommend DISA STIGs. Do you agree?
+  - Should we implement the "Debian 13 STIG" or the more comprehensive "General Operating System STIG"?
+
+### 2. QR Code Import Implementation
+- **Your Feedback**: Want QR code import capability using webcam
+- **Questions**:
+  - Which QR code library should we use? (qrencode for generation, zbar for scanning)
+  - Should we create a desktop shortcut for QR scanning, or integrate it into the WireGuard config management?
+  - What QR code format should we support? (Standard WireGuard QR format?)
+
+### 3. Testing Strategy Clarification
+- **Your Feedback**: Test suite runs on installed system, not in build environment
+- **Questions**:
+  - Should we include the test suite in the ISO itself for post-install validation?
+  - Or keep tests separate for QA/validation before deployment?
+  - How should the tests be triggered on the installed system? (Desktop shortcut, command line?)
+
+### 4. Package Management Strategy
+- **Your Feedback**: Very minimal packages, re-image quarterly rather than update
+- **Questions**:
+  - Should we remove apt/apt-get entirely to prevent accidental updates?
+  - Or keep it but disable network access?
+  - What's your preference for package management tools on the final system?
+
+### 5. Preseed Configuration Details
+- **Your Feedback**: Only install target, root password, non-root user/password are manual
+- **Questions**:
+  - What timezone should we default to?
+  - What keyboard layout should we default to?
+  - Should we enforce password complexity in the preseed itself, or handle that post-install?
+
+### 6. Secure Boot Implementation
+- **Your Feedback**: Must use secure boot, refuse to boot if altered
+- **Questions**:
+  - Should we include Secure Boot keys in the ISO or use standard Microsoft keys?
+  - Do you want UEFI-only boot, or support Legacy BIOS as well?
+  - Should we implement measured boot or just standard Secure Boot?
+
+### 7. Documentation Approach
+- **Your Feedback**: No user guides in ISO
+- **Questions**:
+  - Should we create minimal inline help for the desktop shortcuts?
+  - Or assume users are trained and don't need any documentation?
+  - Where should we store technical documentation? (Project repo only?)
+
+## Clarifications Received:
+
+### ✅ Test Environment: Keep tests separate from build environment, use shellcheck/shellfmt only in build
+### ✅ ISO Size: Not a concern, add to .gitignore
+### ✅ Updates: Re-image quarterly, no internet updates
+### ✅ Hardware: Standard Debian 13 kernel works on target hardware
+### ✅ User Experience: No user guides needed
+### ✅ Minimal Packages: Start minimal and iterate
+
+## Remaining High Priority Items to Resolve:
+
+1. **Compliance Framework**: CMMC level + STIG vs CIS decision
+2. **QR Code Implementation**: Library choice and integration approach
+3. **Testing Strategy**: In-ISO tests vs separate validation
+4. **Package Management**: Remove or disable apt?
+5. **Preseed Details**: Timezone, keyboard, password enforcement
+6. **Secure Boot**: Key management and boot mode
+7. **Documentation**: Minimal help vs none
+
+---
+
+**Status**: Awaiting your responses to the above questions
+**Next Action**: Update specification based on your decisions
+**Ready for Implementation**: Getting closer - need to resolve these remaining items

PreFlightDiscussion-03.md

@@ -0,0 +1,73 @@
+# Pre-Flight Discussion - Round 3
+
+## Final Clarification Needed:
+
+### Package Management Implementation Details
+- **Your Feedback**: Remove apt execution permissions, use chattr +i, concerned about core system packages
+- **Question**: How should we handle this in the live-build hooks?
+
+**Implementation Options:**
+1. **In `config/hooks/live/`** - Modify the live system during build
+2. **In `config/hooks/installed/`** - Modify after installation but before reboot
+3. **Both** - Ensure comprehensive removal/disable
+
+
+**Specific Questions:**
+- Should we attempt to remove `apt` and `dpkg` entirely (if possible)?
+- Or just remove execute permissions and make immutable with `chattr +i`?
+- What about package management metadata in `/var/lib/apt/` and `/var/lib/dpkg/`?
+- Should we also remove package management tools like `aptitude`, `synaptic`, etc.?
+
+Lets remove the permissions and make immutable after install before reboot.
+Yes remove synaptic aptitude etc (or better yet dont install them at all)
+
+## All Other Items ✅ RESOLVED:
+
+### Compliance Framework
+- ✅ CMMC Level 3
+- ✅ CIS Benchmark for Debian Linux + Debian STIG (last for Debian 11)
+- ✅ Adapt Debian 11 STIG for Debian 13
+
+### QR Code Implementation  
+- ✅ zbar for scanning (no generation needed)
+- ✅ Shell script for scan and config update
+- ✅ Standard WireGuard QR format
+
+### Testing Strategy
+- ✅ Include test suite in ISO
+- ✅ Command line execution
+
+### Package Management
+- ✅ Remove execute permissions
+- ✅ Use `chattr +i` for immutability
+- ? Need clarification on implementation approach
+
+### Preseed Configuration
+- ✅ Timezone: US/Chicago
+- ✅ Keyboard: Standard US English
+- ✅ Password complexity in preseed
+
+### Secure Boot
+- ✅ Include secure boot keys in ISO
+- ✅ UEFI only (no Legacy BIOS)
+- ✅ Measured boot
+
+### Documentation
+- ✅ No user guides in ISO
+- ✅ No inline help for shortcuts
+- ✅ Technical documentation in repo only
+
+---
+
+### Package Management Implementation ✅ RESOLVED
+- ✅ Use `config/hooks/installed/` - modify after installation before reboot
+- ✅ Remove execute permissions from apt, dpkg, and package management tools
+- ✅ Make immutable with `chattr +i`
+- ✅ Don't install synaptic, aptitude, etc. in the first place
+- ✅ Handle package management metadata in `/var/lib/apt/` and `/var/lib/dpkg/`
+
+---
+
+**Status**: All items resolved - ready to update specification
+**Next Action**: Update football-spec.md with all decisions from pre-flight discussions
+**Ready for Implementation**: YES - all questions and concerns resolved

football-spec.md

@@ -18,20 +18,23 @@ This project aims to build a highly secure, compliant Debian 13 (Trixie) install
 ## Target System Profile
 
 ### Operating System
-- **Base OS**: Debian 13 (Trixie)
+- **Base OS**: Debian 13.3.0 (Trixie) stable release
 - **Architecture**: amd64
 - **Kernel**: Latest stable kernel with security patches
+- **Secure Boot**: UEFI only with measured boot, custom keys included
 
 ### Desktop Environment
 - **Window Manager**: IceWM (minimal configuration)
-- **Display Manager**: LightDM with privacy enhancements
+- **Display Manager**: LightDM with privacy enhancements, usernames hidden
 - **Theme**: Minimal, secure default configuration
+- **Boot Mode**: UEFI only, no Legacy BIOS support
 
 ### Core Applications
 - **Remote Desktop**: Remmina
-- **VPN**: WireGuard tools
+- **VPN**: WireGuard tools with zbar for QR code scanning
 - **Text Editor**: Mousepad
-- **File Manager**: PCManFM
+- **Test Suite**: In-ISO validation tests (command line execution)
+- **No Package Management**: apt, dpkg, aptitude, synaptic disabled/removed
 
 ### Security Configuration
 
@@ -72,6 +75,11 @@ This project aims to build a highly secure, compliant Debian 13 (Trixie) install
    - Execution: `pkexec /usr/local/bin/apply-vpn-config.sh`
    - Icon: Network/VPN branded icon
 
+3. **QR Code Import**
+   - Target: Scan WireGuard QR code and update config
+   - Execution: `pkexec /usr/local/bin/scan-wireguard-qr.sh`
+   - Icon: Camera/QR branded icon
+
 ## Installation Automation
 
 ### Build Process
@@ -83,8 +91,9 @@ This project aims to build a highly secure, compliant Debian 13 (Trixie) install
 ### Preseed Configuration
 - **File**: `config/preseed.cfg`
 - **Automated Items**:
-  - Localization settings
+  - Localization settings (US/Chicago timezone, US English keyboard)
   - Software package selection
+  - Password complexity enforcement
   - Timezone configuration
   - Keyboard layout
 - **Manual Items**:
@@ -119,6 +128,8 @@ This project aims to build a highly secure, compliant Debian 13 (Trixie) install
 - All generated files owned by invoking user
 - Docker volume mounts with proper UID/GID mapping
 - No root-owned output files
+- Package management tools disabled with `chmod -x` and `chattr +i`
+- Test suite included in ISO for post-install validation
 
 ## Quality Assurance & Testing
 
@@ -147,10 +158,10 @@ tests/
 ## Compliance Requirements
 
 ### Standards Framework
-- **CMMC** (Cybersecurity Maturity Model Certification)
+- **CMMC Level 3** - Entry point to tier0 infrastructure supporting ITAR/SECRET systems
-- **FedRAMP** (Federal Risk and Authorization Management Program)
+- **FedRAMP LI-SaaS** - For RackRental.net federal government product
-- **STIG** (Security Technical Implementation Guide)
+- **STIG** - DISA STIG for Debian (adapt Debian 11 STIG for Debian 13)
-- **CIS Benchmarks** (Center for Internet Security)
+- **CIS Benchmarks** - CIS Benchmark for Debian Linux (baseline security controls)
 
 ### Compliance Documentation
 - **Matrix Document**: `COMPLIANCE.md`
@@ -158,12 +169,13 @@ tests/
 - **Validation**: Automated compliance verification tests
 
 ### Key Compliance Areas
-- Filesystem hardening
+- Filesystem hardening (CIS + STIG)
-- Password policy enforcement
+- Password policy enforcement (CIS + STIG)
-- Audit daemon configuration
+- Audit daemon configuration (STIG)
-- Service hardening
+- Service hardening (CIS + STIG)
-- Network security implementation
+- Network security implementation (STIG)
-- Logging and monitoring
+- Logging and monitoring (STIG)
+- Package management disabling (custom requirement)
 
 ## Project Structure
 
@@ -175,6 +187,7 @@ secure-debian-iso/
 ├── run.sh                      # Host wrapper script
 ├── Dockerfile                  # Build/test container
 ├── .dockerignore              # Docker ignore rules
+├── .gitignore                  # Git ignore rules (exclude ISO files)
 ├── config/                    # live-build configuration
 │   ├── preseed.cfg            # Installation automation
 │   ├── package-lists/         # Software package selections
@@ -345,6 +358,36 @@ USER builder
 CMD ["/bin/bash"]
 ```
 
+### Package Management Security
+
+#### config/hooks/installed/disable-package-management.sh
+```bash
+#!/bin/bash
+# Disable package management after installation
+set -euo pipefail
+
+echo "Disabling package management..."
+
+# Remove execute permissions from package management tools
+chmod -x /usr/bin/apt /usr/bin/apt-get /usr/bin/dpkg
+chmod -x /usr/bin/apt-cache /usr/bin/apt-key /usr/bin/dpkg-deb
+chmod -x /usr/bin/dpkg-query /usr/bin/dpkg-split /usr/bin/dpkg-trigger
+
+# Make immutable
+chattr +i /usr/bin/apt /usr/bin/apt-get /usr/bin/dpkg
+chattr +i /usr/bin/apt-cache /usr/bin/apt-key /usr/bin/dpkg-deb
+chattr +i /usr/bin/dpkg-query /usr/bin/dpkg-split /usr/bin/dpkg-trigger
+
+# Remove package metadata directories
+rm -rf /var/lib/apt/* /var/lib/dpkg/*
+
+# Create immutable empty directories to prevent recreation
+mkdir -p /var/lib/apt /var/lib/dpkg
+chattr +i /var/lib/apt /var/lib/dpkg
+
+echo "Package management disabled successfully."
+```
+
 ### Tests Structure
 
 #### tests/unit/firewall_test.bats
@@ -431,6 +474,114 @@ load 'test_helper/bats-assert/load'
 }
 ```
 
+### config/hooks/live/qr-code-import.sh
+```bash
+#!/bin/bash
+# Install QR code scanning tools for WireGuard
+set -euo pipefail
+
+echo "Installing QR code scanning tools..."
+
+# Install zbar for QR code scanning
+apt-get update
+apt-get install -y zbar-tools python3-pil
+apt-get clean
+
+# Create QR code scanning script
+cat > /usr/local/bin/scan-wireguard-qr.sh << 'EOF'
+#!/bin/bash
+# Scan WireGuard QR code and update configuration
+set -euo pipefail
+
+# Check if webcam is available
+if ! ls /dev/video* >/dev/null 2>&1; then
+    echo "Error: No webcam device found"
+    exit 1
+fi
+
+# Create temporary file for QR data
+qr_data=$(mktemp)
+trap "rm -f $qr_data" EXIT
+
+# Scan QR code
+echo "Scanning QR code..."
+zbarcam --raw --prescale=320x240 /dev/video0 > "$qr_data" &
+zbar_pid=$!
+
+# Wait for user to stop scanning
+echo "Press Enter to stop scanning..."
+read -r
+kill $zbar_pid 2>/dev/null || true
+
+# Parse QR data and update WireGuard config
+if [[ -s "$qr_data" ]]; then
+    # Validate QR data format (basic WireGuard format)
+    if grep -q "private_key\|endpoint\|allowed_ips" "$qr_data"; then
+        # Backup existing config
+        if [[ -f "/etc/wireguard/wg0.conf" ]]; then
+            cp /etc/wireguard/wg0.conf "/etc/wireguard/wg0.conf.bak.$(date +%Y%m%d_%H%M%S)"
+        fi
+        
+        # Convert QR data to WireGuard config format
+        python3 << 'PYTHON_EOF' "$qr_data"
+import sys
+import re
+
+qr_data = sys.argv[1]
+
+# Simple QR to WireGuard config conversion
+config_lines = ["[Interface]"]
+private_key = ""
+address = ""
+
+for line in open(qr_data):
+    if "private_key=" in line.lower():
+        private_key = line.strip()
+    elif "address=" in line.lower():
+        address = line.strip()
+
+if private_key:
+    config_lines.append(f"PrivateKey = {private_key.split('=')[1].strip()}")
+if address:
+    config_lines.append(f"Address = {address.split('=')[1].strip()}")
+
+# Add basic peer template
+config_lines.append("")
+config_lines.append("[Peer]")
+config_lines.append("# Add PublicKey, Endpoint, and AllowedIPs manually")
+
+print("\n".join(config_lines))
+PYTHON_EOF
+        
+        echo "QR code scanned successfully. Please edit /etc/wireguard/wg0.conf to complete configuration."
+    else
+        echo "Error: Invalid WireGuard QR code format"
+        exit 1
+    fi
+else
+    echo "Error: No QR code data captured"
+    exit 1
+fi
+EOF
+
+chmod +x /usr/local/bin/scan-wireguard-qr.sh
+
+# Create desktop shortcut
+mkdir -p /usr/share/applications
+cat > /usr/share/applications/scan-wireguard-qr.desktop << EOF
+[Desktop Entry]
+Name=Import WireGuard QR Code
+Comment=Scan QR code to import WireGuard configuration
+Exec=pkexec /usr/local/bin/scan-wireguard-qr.sh
+Icon=camera-web
+Terminal=true
+Type=Application
+Categories=Network;System;
+EOF
+
+echo "QR code scanning tools installed successfully."
+```
+
 ### config/hooks/live/security-hardening.sh
 
 ```bash