football/AGENTS.md
ReachableCEO 64e5e6af9a docs: update AGENTS.md with mandatory security requirements
Add MANDATORY SECURITY REQUIREMENTS section documenting Full Disk Encryption (LUKS2, AES-256-XTS) and Password Complexity requirements with compliance references to NIST SP 800-111, NIST SP 800-63B, and CIS Benchmarks.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-29 10:00:27 -05:00


# KNEL-Football Secure OS - Agent Behavior Guidelines
## ⚡ CURRENT STATUS (2026-01-24 19:00 CST)
### Build Running in Background
- **Status**: Active build (3rd attempt, minimal configuration)
- **Current Stage**: lb binary_chroot (creating binary filesystem for ISO)
- **Started**: 2026-01-24 18:04 CST
- **Expected Completion**: 19:00-19:15 CST (~15 min remaining)
- **Build Log**: `/tmp/knel-iso-build.log`
- **Output Directory**: `output/` (ISO will appear here when complete)
### First Actions When Starting
1. **Check if ISO is ready**: `ls -lh output/`
2. **If ISO ready**: Verify with `sha256sum -c output/*.sha256`
3. **If ISO not ready**: Monitor build with `tail -f /tmp/knel-iso-build.log`
### ⚠️ READ THIS FIRST: RESUME.md
**Current Status and Resumption Guide**: See `RESUME.md` for complete details on:
- Build status and current stage
- Working configuration (Attempt 7, minimal flags)
- Issues encountered and solutions (7 build attempts)
- Commands to monitor or restart build
- Expected output files
- Next steps after build completes
**RESUME.md is your STARTING POINT** when returning to this project.
### Quick Reference
```bash
# Check ISO status
cd /home/tsys/Projects/KNEL/football
ls -lh output/
# Monitor build if needed
tail -f /tmp/knel-iso-build.log
# Read full resumption guide
cat RESUME.md
```
---
## MANDATORY SECURITY REQUIREMENTS
### Full Disk Encryption (FDE) - MANDATORY
- **ALL systems MUST use full disk encryption with LUKS2**
- **Cipher**: AES-256-XTS (512-bit key)
- **Format**: LUKS2 with Argon2id KDF
- **Boot**: Passphrase required at every system boot
- **Security**: No backdoors, no recovery without passphrase
- **Compliance**: NIST SP 800-111, NIST SP 800-53 SC-13
### Password Complexity - MANDATORY
- **Minimum Length**: 14 characters (20+ strongly recommended)
- **Character Classes**: Minimum 3 of 4 required
  - Uppercase letters (A-Z) - Minimum 1 required
  - Lowercase letters (a-z) - Minimum 1 required
  - Digits (0-9) - Minimum 1 required
  - Special characters (!@#$%^&*) - Minimum 1 required
- **Additional Requirements**:
  - No common words (password, secret, admin, root, etc.)
  - No sequential characters (123, abc, qwerty)
  - No repeated characters (max 2 consecutive)
  - At least 4 characters different from previous password
- **Enforcement**: PAM pwquality module, enforced for ALL users
- **Compliance**: NIST SP 800-63B, CIS Benchmarks
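The rules above can be checked offline before a passphrase is committed to pam_pwquality; the validator below is an added example, not part of this AGENTS.md or the KNEL project. It assumes the four common words listed here as the word list, the three QWERTY letter rows for the "qwerty" rule, and counts "different from previous" as characters of the new passphrase that do not appear in the old one.

```python
MIN_LEN = 14                                            # "Minimum Length: 14 characters"
COMMON_WORDS = {"password", "secret", "admin", "root"}  # words named in this section
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumption for the "qwerty" rule
SPECIALS = set("!@#$%^&*")                              # special characters named above

def has_sequence(pw, n=3):
    """True if pw contains n strictly ascending/descending alphanumerics (123, abc, cba)
    or n characters that run along a keyboard row in either direction (qwe, ewq)."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if chunk.isalnum() and diffs in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False

def max_run(pw):
    """Length of the longest run of one repeated character."""
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best

def check_password(pw, previous=None):
    """Return the list of rules pw violates; an empty list means compliant."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    classes = sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                   any(c.isdigit() for c in pw), any(c in SPECIALS for c in pw)])
    if classes < 3:                                     # "Minimum 3 of 4 required"
        problems.append("fewer than 3 of 4 character classes")
    if any(w in pw.lower() for w in COMMON_WORDS):
        problems.append("contains a common word")
    if has_sequence(pw):
        problems.append("contains sequential characters (123, abc, qwerty)")
    if max_run(pw) > 2:                                 # "max 2 consecutive"
        problems.append("more than 2 consecutive repeated characters")
    # Assumption: "different from previous" = new characters absent from the old passphrase.
    if previous is not None and sum(1 for c in pw if c not in previous) < 4:
        problems.append("fewer than 4 characters differ from the previous password")
    return problems

if __name__ == "__main__":
    for candidate in ("Password123!", "aaaBBBcccDDD!!!", "Tr0ub4dor&Horse!"):
        print(candidate, "->", check_password(candidate) or "OK")
```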
---
## CRITICAL REQUIREMENTS
### DOCKER CONTAINER USAGE
- ALL operations MUST be performed inside Docker containers
- ONLY use Docker volumes for file operations
- NEVER create directories in user home directory (/home)
- NEVER modify host system files directly
- ONLY final artifacts may be copied to host system
### WORKSPACE MANAGEMENT
- Use /workspace (Docker volume) for all build operations
- Use /tmp for temporary files
- Use /build for intermediate build files
- ONLY final ISO and checksum files may be copied out of container
### PROHIBITED ACTIONS
- ❌ Creating directories in /home
- ❌ Modifying host system files
- ❌ Installing packages on host system
- ❌ Writing files outside Docker volumes
- ❌ Modifying user home directory structure
### REQUIRED WORKFLOW
1. Start Docker container with volumes
2. Perform ALL work inside container
3. Use only mounted volumes for file I/O
4. Copy ONLY final artifacts to host system
5. Clean up container after completion
### DOCKER VOLUME STRUCTURE
```
/workspace/ # All build operations
/build/ # Intermediate files
/tmp/ # Temporary files
/output/ # Final artifacts only
```
### EXCEPTIONS
Only these files may be copied to host system:
- *.iso (final ISO files)
- *.sha256 (checksum files)
- *.md5 (checksum files)
- BUILD-REPORT.txt (build documentation)
## VIOLATIONS
Any violation of these requirements is CRITICAL and must be immediately corrected.