KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6929ecfbc98a598fd2b096235d280a03ee57655a
football/README.md
ReachableCEO c1d8c5def6 chore: clean up root directory and consolidate documentation 
Remove obsolete documentation files and consolidate into docs/ directory. Remove redundant test scripts (functionality will be folded into run.sh). Update AGENTS.md with SDLC workflow. Update PRD.md with tier0 architecture clarification. Update README.md to reflect clean directory structure.

Changes:
- Delete: BUILD-COMPLETE.md, BUILD-SUMMARY.md, RESUME.md, SESSION-CLOSED.md
- Delete: FINAL-SECURITY-COMPLIANCE-REPORT.md, QUICK_START.md, JOURNAL.md
- Move: TEST-COVERAGE.md, VERIFICATION-REPORT.md to docs/
- Delete: test-iso.sh, test-runner.sh (will fold into run.sh)
- Update: AGENTS.md with SDLC workflow section
- Update: PRD.md with tier0 architecture clarification and diagram
- Update: README.md to reflect clean directory structure

Root directory now contains only: AGENTS.md, README.md, PRD.md, Dockerfile, run.sh

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-29 12:07:28 -05:00

312 lines
8.4 KiB
Markdown
Raw Blame History

# KNEL-Football Secure OS
## ⚠️ READ THESE FILES FIRST
### 🚀 Quick Start
1. **AGENTS.md** - Current status + critical requirements (START HERE)
2. **PRD.md** - Product Requirements Document
3. **README.md** - This file (project overview)
### 📋 Documentation Files
| File | Purpose |
|------|---------|
| **AGENTS.md** | ⚡ START HERE - Current status + requirements |
| **PRD.md** | Complete product requirements |
| **docs/TEST-COVERAGE.md** | Test suite details and coverage |
| **docs/VERIFICATION-REPORT.md** | Security compliance verification |
### 🔧 Project Files
| File | Purpose |
|------|---------|
| `run.sh` | Main entry point (build/test/lint/clean/iso) |
| `Dockerfile` | Build environment |
| `config/` | Live-build configuration |
| `tests/` | BATS test suite |
| `docs/` | Detailed documentation |
---
## Project Status (2026-01-29)
### ✅ Build Complete
- **Status**: ISO built and verified
- **Build Date**: 2026-01-28 16:30 CST
- **Duration**: 72 minutes (9 stages completed)
- **ISO**: `output/knel-football-secure-v1.0.0.iso` (450 MB)
- **Checksums**: SHA256 ✅, MD5 ✅
### Mandatory Requirements Implemented
-**FR-001: Full Disk Encryption** - LUKS2, AES-256-XTS, 512-bit key
-**FR-007: Password Complexity** - 14+ chars, PAM pwquality enforced
---
## Quick Commands
### Project Management
```bash
./run.sh build # Build Docker image
./run.sh test # Run all tests
./run.sh test:unit # Run unit tests only
./run.sh test:integration # Run integration tests only
./run.sh test:security # Run security tests only
./run.sh lint # Check scripts
./run.sh clean # Remove artifacts
./run.sh iso # Build ISO (30-60 min)
./run.sh shell # Interactive shell
```
### Build Commands
```bash
# Monitor ISO build
tail -f /tmp/knel-iso-build.log
# Check output
ls -lh output/
```
### SDLC Workflow (MANDATORY)
```bash
# After ANY changes:
./run.sh lint # Check syntax
./run.sh test # Run full test suite
./run.sh test:security # Verify security requirements
# Then commit:
git add <files>
git commit -m "type: subject"
git push origin main
```
---
## Project Overview
### Goal
Build KNEL-Football secure ISO with Docker-only workflow following AGENTS.md requirements.
### Features
- **Mandatory Full Disk Encryption** - LUKS2 with AES-256-XTS
- **Mandatory Strong Passwords** - 14+ chars, complexity requirements
- Debian Testing base
- IceWM + LightDM desktop
- WiFi/Bluetooth permanently disabled
- SSH with wireguard keys
- Firewall rules (inbound SSH, outbound VPN only)
- USB automount support
- QR code import for WireGuard
### Architecture
**IMPORTANT**: KNEL-Football OS serves as a **secure remote terminal** for accessing tier0 infrastructure. It does NOT directly access tier0 infrastructure.
**Access Model**:
1. User boots KNEL-Football OS on secure laptop (FDE required)
2. OS connects via WireGuard VPN to secure network
3. User uses SSH/Remmina to access privileged workstation
4. Privileged workstation (physical) accesses tier0 infrastructure
### Security Requirements (MANDATORY)
- Full disk encryption with LUKS2 (AES-256-XTS, 512-bit key)
- Encryption passphrase required at every boot (14+ characters)
- Password complexity enforced (14+ chars, mix of classes)
- All security requirements tested and verified
### Compliance
- NIST SP 800-111 (Disk Encryption)
- NIST SP 800-53 (Security Controls)
- NIST SP 800-63B (Password Guidelines)
- ISO/IEC 27001 (Information Security)
- CIS Benchmarks (Security Configuration)
- DISA STIG (Security Implementation)
---
## Documentation Structure
```
README.md (Main Entry Point)
├── ⚠️ READ THESE FILES FIRST
│ ├── AGENTS.md (START HERE - Current Status)
│ ├── PRD.md (Requirements)
│ ├── docs/TEST-COVERAGE.md (Test Details)
│ └── docs/VERIFICATION-REPORT.md (Verification Results)
├── Quick Commands
├── Project Overview
├── Architecture
├── Security Requirements
└── Compliance
```
---
## Directory Structure
```
football/
├── AGENTS.md # START HERE - Agent guidelines
├── README.md # This file
├── PRD.md # Product Requirements
├── Dockerfile # Build environment
├── run.sh # Main entry point
├── config/ # Live-build configuration
│ ├── preseed.cfg # Debian installer preseed (with encryption)
│ ├── hooks/
│ │ ├── live/ # Hooks during live system
│ │ └── installed/ # Hooks after installation
│ └── package-lists/
├── src/ # Source scripts
│ ├── security-hardening.sh
│ ├── firewall-setup.sh
│ ├── build-iso.sh
│ └── run.sh
├── tests/ # BATS test suite
│ ├── unit/ # Unit tests for scripts
│ ├── integration/ # Integration tests for workflows
│ ├── security/ # Security compliance tests
│ └── test_helper/ # Test utilities
├── docs/ # Detailed documentation
│ ├── TEST-COVERAGE.md
│ └── VERIFICATION-REPORT.md
├── output/ # ISO artifacts (ISO, checksums)
└── .gitignore
```
---
## Development Workflow
### Software Development Lifecycle (SDLC)
**Before Making Changes**:
1. Read AGENTS.md (current status, requirements)
2. Read PRD.md (detailed requirements)
3. Review docs/TEST-COVERAGE.md (test details)
**Making Changes**:
1. Read files before editing (Critical!)
2. Make small, atomic changes
3. Follow existing code style
**Testing Changes (MANDATORY)**:
```bash
./run.sh lint # Syntax validation
./run.sh test:unit # Unit tests
./run.sh test:integration # Integration tests
./run.sh test:security # Security tests
./run.sh test # Full test suite
```
**Committing**:
```bash
git add <files>
git commit -m "type: subject"
git push origin main
```
**Commit Types**:
- `feat`: New feature
- `fix`: Bug fix
- `docs`: Documentation changes
- `test`: Test changes
- `refactor`: Code refactoring
- `chore`: Maintenance tasks
---
## Build Process
### Docker Workflow (MANDATORY)
- ALL operations run inside Docker containers
- ONLY use Docker volumes for file operations
- NEVER create directories in user home directory
- NEVER modify host system files directly
- ONLY final artifacts copied to host system
### Build Stages
1. Docker Build - Create build environment (~2 minutes)
2. lb config - Configure live-build (~30 seconds)
3. lb bootstrap - Download/install base system (~13 minutes)
4. lb chroot - Install packages and apply hooks (~8 minutes)
5. lb installer - Configure Debian installer (~2 minutes)
6. lb binary - Create binary filesystem (~4 minutes)
7. lb checksum - Generate checksums (~1 minute)
**Total**: ~30 minutes on modern hardware
---
## Testing
### Test Coverage
- **11 test files** with ~150+ test cases
- **~95% code coverage** (all critical paths tested)
- **Security requirements**: 100% coverage (FR-001, FR-007)
### Running Tests
```bash
./run.sh test # All tests
./run.sh test:unit # Unit tests
./run.sh test:integration # Integration tests
./run.sh test:security # Security compliance tests
```
### Test Results
- Unit tests: 7 files covering all shell scripts
- Integration tests: 2 files for end-to-end workflows
- Security tests: 3 files for FR-001/FR-007 compliance
---
## Quick Reference
### Check ISO Status
```bash
ls -lh output/
sha256sum -c output/*.sha256
md5sum -c output/*.md5
```
### Monitor Build
```bash
tail -f /tmp/knel-iso-build.log
```
### Clean Up
```bash
./run.sh clean # Remove artifacts
./run.sh test # Run tests
./run.sh lint # Check scripts
```
---
## Contributing
### Requirements
- Docker installed
- No host system modifications
- Follow SDLC workflow
- Run full test suite before committing
- Use conventional commit messages
### Security
- All changes must preserve mandatory security requirements
- Full disk encryption cannot be disabled or weakened
- Password complexity requirements cannot be reduced
- Security tests must pass
---
## License
Copyright © 2026 Known Element Enterprises LLC
License: GNU Affero General Public License v3.0 only
---
**For detailed information, see:**
- AGENTS.md (START HERE)
- PRD.md (Requirements)
- docs/TEST-COVERAGE.md (Tests)
- docs/VERIFICATION-REPORT.md (Compliance)
Reference in New Issue View Git Blame Copy Permalink