football/AGENTS.md
ReachableCEO 64e5e6af9a docs: update AGENTS.md with mandatory security requirements
Add MANDATORY SECURITY REQUIREMENTS section documenting Full Disk Encryption (LUKS2, AES-256-XTS) and Password Complexity requirements with compliance references to NIST SP 800-111, NIST SP 800-63B, and CIS Benchmarks.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-29 10:00:27 -05:00


KNEL-Football Secure OS - Agent Behavior Guidelines

CURRENT STATUS (2026-01-24 19:00 CST)

Build Running in Background

  • Status: Active build (3rd attempt, minimal configuration)
  • Current Stage: lb binary_chroot (creating binary filesystem for ISO)
  • Started: 2026-01-24 18:04 CST
  • Expected Completion: 19:00-19:15 CST (~15 min remaining)
  • Build Log: /tmp/knel-iso-build.log
  • Output Directory: output/ (ISO will appear here when complete)

First Actions When Starting

  1. Check if ISO is ready: ls -lh output/
  2. If ISO ready: Verify with sha256sum -c output/*.sha256
  3. If ISO not ready: Monitor build with tail -f /tmp/knel-iso-build.log

⚠️ READ THIS FIRST: RESUME.md

Current Status and Resumption Guide: See RESUME.md for complete details on:

  • Build status and current stage
  • Working configuration (Attempt 7, minimal flags)
  • Issues encountered and solutions (7 build attempts)
  • Commands to monitor or restart build
  • Expected output files
  • Next steps after build completes

RESUME.md is your STARTING POINT when returning to this project.

Quick Reference

# Check ISO status
cd /home/tsys/Projects/KNEL/football
ls -lh output/

# Monitor build if needed
tail -f /tmp/knel-iso-build.log

# Read full resumption guide
cat RESUME.md

MANDATORY SECURITY REQUIREMENTS

Full Disk Encryption (FDE) - MANDATORY

  • ALL systems MUST use full disk encryption with LUKS2
  • Cipher: AES-256-XTS (512-bit key)
  • Format: LUKS2 with Argon2id KDF
  • Boot: Passphrase required at every system boot
  • Security: No backdoors, no recovery without passphrase
  • Compliance: NIST SP 800-111, NIST SP 800-53 SC-13
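The FDE requirements above can be checked against an installed system from the output of `cryptsetup luksDump`. The following is an added example, not the project's own code: `check_luks_dump` reads the dump text on stdin, prints every unmet requirement (LUKS2 version, `aes-xts-plain64` data cipher, 512-bit XTS key and `argon2id` on every keyslot) and returns 1 if any check fails. The two dump texts are constructed samples with the layout `cryptsetup` 2.x prints, abbreviated and with whitespace normalised.

```shell
#!/bin/sh
# Added example (not the project's code): verify that a LUKS header meets the
# FDE requirements (LUKS2, AES-256-XTS, Argon2id on every keyslot).
# Usage on a real device:  cryptsetup luksDump /dev/sda2 | check_luks_dump

luks_has()   { printf '%s\n' "$dump" | grep -Eq "$1"; }
luks_count() { printf '%s\n' "$dump" | grep -Ec "$1" || :; }   # prints 0 on no match

check_luks_dump() {
    dump=$(cat)
    fail=0
    # Requirement: LUKS2 format
    luks_has '^Version:[[:space:]]+2$' \
        || { echo "FAIL: header version is not 2 (LUKS2)"; fail=1; }
    # Requirement: AES-256-XTS. cryptsetup names the mode aes-xts-plain64 and
    # reports the key as 512 bits because XTS uses two 256-bit AES keys.
    luks_has '^[[:space:]]*cipher:[[:space:]]+aes-xts-plain64$' \
        || { echo "FAIL: data segment cipher is not aes-xts-plain64"; fail=1; }
    slots=$(luks_count '^[[:space:]]*[0-9]+:[[:space:]]+luks2$')
    [ "$slots" -gt 0 ] || { echo "FAIL: no LUKS2 keyslots found"; fail=1; }
    keys512=$(luks_count '^[[:space:]]*Cipher key:[[:space:]]+512 bits$')
    [ "$keys512" -eq "$slots" ] \
        || { echo "FAIL: $((slots - keys512)) keyslot(s) do not carry a 512-bit XTS key"; fail=1; }
    # Requirement: Argon2id KDF on every keyslot (pbkdf2 is the LUKS1-era default)
    argon=$(luks_count '^[[:space:]]*PBKDF:[[:space:]]+argon2id$')
    [ "$argon" -eq "$slots" ] \
        || { echo "FAIL: $((slots - argon)) keyslot(s) do not use argon2id"; fail=1; }
    return "$fail"
}

# Constructed sample: a compliant header
LUKS_DUMP_OK=$(cat <<'EOF'
LUKS header information
Version:        2
UUID:           00000000-0000-4000-8000-000000000001
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        Digest ID:  0
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
EOF
)

# Constructed sample: LUKS2 container, but a 256-bit XTS key and a pbkdf2 keyslot
LUKS_DUMP_WEAK=$(cat <<'EOF'
LUKS header information
Version:        2
Flags:          (no flags)

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        256 bits
        Cipher:     aes-xts-plain64
        Cipher key: 256 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 200000
EOF
)

printf '%s\n' "$LUKS_DUMP_OK"   | check_luks_dump && echo "sample OK: compliant"
printf '%s\n' "$LUKS_DUMP_WEAK" | check_luks_dump || echo "sample WEAK: rejected"
```

The counts are compared per keyslot on purpose: a container formatted correctly and later given an extra keyslot with `--pbkdf pbkdf2` would still show `argon2id` on slot 0, so checking only for the presence of the string is not enough.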

Password Complexity - MANDATORY

  • Minimum Length: 14 characters (20+ strongly recommended)
  • Character Classes: Minimum 3 of 4 required
    • Uppercase letters (A-Z) - Minimum 1 required
    • Lowercase letters (a-z) - Minimum 1 required
    • Digits (0-9) - Minimum 1 required
    • Special characters (!@#$%^&*) - Minimum 1 required
  • Additional Requirements:
    • No common words (password, secret, admin, root, etc.)
    • No sequential characters (123, abc, qwerty)
    • No repeated characters (max 2 consecutive)
    • At least 4 characters different from previous password
  • Enforcement: PAM pwquality module, enforced for ALL users
  • Compliance: NIST SP 800-63B, CIS Benchmarks
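The password rules above map onto `pam_pwquality` settings, and they can also be expressed directly so that a candidate password can be tested before it reaches PAM. The following is an added example, not the project's own code: `pwquality_conf` prints a `/etc/security/pwquality.conf` fragment for the policy, and `check_password NEW [OLD]` applies the same rules to a candidate and reports each unmet one. Assumptions made here: any non-alphanumeric character counts as "special"; "sequential" means three or more monotonic ASCII characters (`abc`, `123`, `cba`) or three adjacent keys of a QWERTY row; "characters different from previous password" counts characters of NEW that occur nowhere in OLD, which is how pwquality's `difok` is defined.

```shell
#!/bin/sh
# Added example (not the project's code): the password policy as a
# pwquality.conf fragment and as a stand-alone checker.
#   pwquality_conf            prints the pwquality.conf settings for the policy
#   check_password NEW [OLD]  prints each unmet rule, returns 1 if any is broken
# Assumptions: non-alphanumeric = special; sequential = 3+ monotonic ASCII chars
# or 3 adjacent QWERTY-row keys; difference from OLD counted as pwquality difok.
export LC_ALL=C    # byte-wise, locale-independent classes for case/cut/tr

pwquality_conf() {
    cat <<'EOF'
# /etc/security/pwquality.conf fragment for the policy above (constructed example)
minlen = 14          # minimum length; 20+ recommended
ucredit = -1         # at least 1 uppercase letter
lcredit = -1         # at least 1 lowercase letter
dcredit = -1         # at least 1 digit
ocredit = -1         # at least 1 special character
minclass = 3         # 3 of 4 classes (redundant while all four credits are -1)
maxrepeat = 2        # no more than 2 identical consecutive characters
maxsequence = 2      # reject monotonic runs longer than 2 (123, abc)
difok = 4            # at least 4 characters not present in the old password
dictcheck = 1        # reject dictionary words
badwords = password secret admin root
enforce_for_root = 1 # enforced for ALL users, root included
EOF
}

check_password() {
    pw=$1; old=${2:-}; fail=0
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')

    [ "${#pw}" -ge 14 ] || { echo "FAIL: shorter than 14 characters"; fail=1; }
    case $pw in *[A-Z]*) ;; *) echo "FAIL: no uppercase letter"; fail=1;; esac
    case $pw in *[a-z]*) ;; *) echo "FAIL: no lowercase letter"; fail=1;; esac
    case $pw in *[0-9]*) ;; *) echo "FAIL: no digit"; fail=1;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) echo "FAIL: no special character"; fail=1;; esac

    for w in password secret admin root; do
        case $lower in *"$w"*) echo "FAIL: contains common word '$w'"; fail=1;; esac
    done
    for row in qwertyuiop asdfghjkl zxcvbnm; do      # 3-key windows of each row
        i=1
        while [ "$i" -le $(( ${#row} - 2 )) ]; do
            frag=$(printf '%s' "$row" | cut -c"$i-$((i + 2))")
            case $lower in *"$frag"*) echo "FAIL: keyboard sequence '$frag'"; fail=1;; esac
            i=$((i + 1))
        done
    done

    # One pass over the characters: repeats, monotonic runs, difference from OLD
    i=1; prev=-1; rep=1; asc=1; desc=1; diff=0; badrep=0; badseq=0
    while [ "$i" -le "${#pw}" ]; do
        c=$(printf '%s' "$pw" | cut -c"$i")
        o=$(printf '%d' "'$c")                       # ASCII code of the character
        if [ "$o" -eq "$prev" ]; then rep=$((rep + 1)); else rep=1; fi
        if [ "$o" -eq $((prev + 1)) ]; then asc=$((asc + 1)); else asc=1; fi
        if [ "$o" -eq $((prev - 1)) ]; then desc=$((desc + 1)); else desc=1; fi
        [ "$rep" -le 2 ] || badrep=1
        [ "$asc" -le 2 ] && [ "$desc" -le 2 ] || badseq=1
        case $old in *"$c"*) ;; *) diff=$((diff + 1));; esac
        prev=$o; i=$((i + 1))
    done
    [ "$badrep" -eq 0 ] || { echo "FAIL: more than 2 identical consecutive characters"; fail=1; }
    [ "$badseq" -eq 0 ] || { echo "FAIL: sequential characters (abc, 123)"; fail=1; }
    if [ -n "$old" ] && [ "$diff" -lt 4 ]; then
        echo "FAIL: only $diff character(s) differ from the previous password"; fail=1
    fi
    return "$fail"
}

check_password 'Correct-Horse7Battery!' 'OldPassw0rd!Zzz9' && echo "accepted"
check_password 'Password123!Great' || echo "rejected"
```

The checker is a policy mirror for testing and documentation; on the running system the enforcement point is the PAM stack, so `pwquality_conf` output belongs in `/etc/security/pwquality.conf` and `pam_pwquality.so` must be present in the `password` stack for every user, including root.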

CRITICAL REQUIREMENTS

DOCKER CONTAINER USAGE

  • ALL operations MUST be performed inside Docker containers
  • ONLY use Docker volumes for file operations
  • NEVER create directories in user home directory (/home)
  • NEVER modify host system files directly
  • ONLY final artifacts may be copied to host system

WORKSPACE MANAGEMENT

  • Use /workspace (Docker volume) for all build operations
  • Use /tmp for temporary files
  • Use /build for intermediate build files
  • ONLY final ISO and checksum files may be copied out of container

PROHIBITED ACTIONS

  • Creating directories in /home
  • Modifying host system files
  • Installing packages on host system
  • Writing files outside Docker volumes
  • Modifying user home directory structure

REQUIRED WORKFLOW

  1. Start Docker container with volumes
  2. Perform ALL work inside container
  3. Use only mounted volumes for file I/O
  4. Copy ONLY final artifacts to host system
  5. Clean up container after completion

DOCKER VOLUME STRUCTURE

/workspace/  # All build operations
/build/      # Intermediate files
/tmp/        # Temporary files
/output/     # Final artifacts only

EXCEPTIONS

Only these files may be copied to host system:

  • *.iso (final ISO files)
  • *.sha256 (checksum files)
  • *.md5 (checksum files)
  • BUILD-REPORT.txt (build documentation)
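The required workflow and the artifact allow-list above can be turned into a small helper script so that the "copy ONLY final artifacts" rule is enforced by code rather than by habit. The following is an added example, not the project's own code: `build_in_container` runs a command in the builder image with only the named volumes mounted, `allowed_artifact` accepts exactly the file names listed under EXCEPTIONS, and `export_artifacts` copies permitted files out of a directory and verifies every exported `.sha256` with `sha256sum -c`. The builder image name is not given on the page, so `IMAGE` is a placeholder.

```shell
#!/bin/sh
# Added example (not the project's code): container workflow and artifact export.
#   build_in_container CMD...  run CMD in the builder image on named volumes only
#   allowed_artifact PATH      0 only for *.iso, *.sha256, *.md5, BUILD-REPORT.txt
#   export_artifacts SRC DST   copy allowed files SRC -> DST, verify .sha256 files
IMAGE=${IMAGE:-knel-builder:local}   # placeholder: image tag is not on the page

build_in_container() {
    for v in knel-workspace knel-build knel-output; do
        docker volume create "$v" >/dev/null
    done
    # Only Docker volumes are mounted; nothing from /home reaches the container.
    docker run --rm --name knel-build \
        -v knel-workspace:/workspace \
        -v knel-build:/build \
        -v knel-output:/output \
        -w /workspace "$IMAGE" "$@"
}

allowed_artifact() {
    case $(basename -- "$1") in
        *.iso|*.sha256|*.md5|BUILD-REPORT.txt) return 0 ;;
    esac
    return 1
}

export_artifacts() {
    src=$1; dst=$2; n=0
    mkdir -p "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue                  # skip directories (chroot trees, caches)
        if allowed_artifact "$f"; then
            cp -- "$f" "$dst/"; n=$((n + 1))
        else
            echo "skip: $(basename -- "$f") is not a permitted artifact" >&2
        fi
    done
    # An exported checksum must match the exported ISO, or the export fails.
    for s in "$dst"/*.sha256; do
        [ -f "$s" ] || continue
        (cd "$dst" && sha256sum -c "$(basename -- "$s")") || return 1
    done
    echo "exported $n artifact(s) to $dst"
}

# Typical use (not executed here):
#   build_in_container lb build
#   docker run --rm -v knel-output:/output -v "$PWD/output:/host" "$IMAGE" \
#       sh -c '. /workspace/export.sh && export_artifacts /output /host'
# /workspace/export.sh is a hypothetical copy of this script inside the volume.
```

Because `export_artifacts` decides by file name, a build log or a chroot tree left in `/output` is skipped with a message instead of silently ending up on the host, and a mismatched checksum aborts the export rather than producing an ISO that would fail the `sha256sum -c` step listed under First Actions.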

VIOLATIONS

Any violation of these requirements is CRITICAL and must be immediately corrected.