Status: v1.0 (iteration-1 deliverable, Gitea issue #8).
Authority: CLAUDE.md Public Repo Security + Distribution Workflow directives; R-06 (secret leak to squashfs/exFAT); R-07 (API keys in repo); sad-review-security.md required change.
Consumed by: scripts/prep-master.sh (automates every item that can be automated).
Images shipped to recipients are read-only in practice — by the time someone flashes and boots the USB, any secret on the image is essentially public. The maintainer's image goes to NFS first (trusted channel for v1.0), but iteration-2 signing + broader distribution demand that v1.0 images also be clean. This checklist is the definitive list of what must be removed / verified before create-image.sh runs.
MUST NOT be in the image:
- Anthropic
claudeauth (~/.claude/,~/.config/anthropic/) - OpenAI
codexauth (~/.config/openai/,~/.config/codex/) - GitHub Copilot /
ghauth (~/.config/gh/,~/.local/share/gh/) - AWS credentials (
~/.aws/credentials,~/.aws/config) - Generic
.envfiles anywhere ANTHROPIC_API_KEY,OPENAI_API_KEY, or similar env exports in any shell rc
Verification method: scripts/prep-master.sh scans for these paths inside the build-root chroot and refuses to proceed if any are non-empty. Pattern file at scripts/secret-patterns.txt.
MUST NOT be in the image:
- Any
id_ed25519,id_rsa,id_ecdsa, or derivative private-key file under~/.ssh/ - Fleet-host SSH host keys
- Kerberos tickets (
/tmp/krb5cc_*) - GPG secret keys (
~/.gnupg/private-keys-v1.d/)
MAY be in the image — but only via operator-provided, git-ignored local config, never committed to this public repo:
- Public
authorized_keyslists — operator-provided, scoped to internal network ranges /etc/hostsfleet entries — operator-provided viaconfig/includes.chroot/etc/kintsugi/fleet-hosts(git-ignored; seeconfig/fleet-hosts.example). The public toolkit bakes in no fleet topology.- SSH client configs (
/etc/ssh/ssh_config.d/kintsugi.conf) that reference public keys
Verification method: prep-master scans for private-key magic strings (-----BEGIN OPENSSH PRIVATE KEY-----, -----BEGIN RSA PRIVATE KEY-----, etc.) across the build root.
Nothing sensitive should live in shell history on a shipped image. Wipe:
~/.bash_history,~/.zsh_history,~/.python_history,~/.node_repl_history,~/.mysql_history,~/.psql_history~/.lesshst,~/.viminfo/root/.bash_historyetc. for the root user~/.cache/directories for any auth-bearing tool (selectively — see Rule 7 for what to keep)
Scope (ADR-008):
prep-master.shand these rules apply to the legacy/manual mastered-USB path. The remaster builder (make-remaster-iso.sh) builds from a clean stock ISO and is not in the wizard's auto-chain, so it accumulates no persistence scratch by construction. Run these checks only when sanitizing a manually-mastered USB or a mounted master partition.
Neither builder creates a persistence overlay; Ventoy does when a user plugs in the USB. But any on-master persistence scratch must be wiped:
/var/lib/kintsugi/persistence-test-*/data/(if populated at build time by accident)/home/<live-user>/.local/share/(the live session user's XDG data; casper's user on the remaster path)
/var/cache/apt/archives/*.deb→apt-get cleaninside chroot (the remaster provisionersapt-get cleanat end-of-run; verified by prep-master on the manual path)/var/lib/apt/lists/*→ optional (saves ~300 MB but recipients may want offline apt capability; default: KEEP)/root/.cache/pip/*→ wipe/tmp/*,/var/tmp/*→ wipe
/var/log/auth.log*,/var/log/syslog*,/var/log/messages*,/var/log/journal/*/root/.xsession-errors/home/live/.xsession-errors/var/log/kintsugi/start-ai.log(may contain model-selection output with filenames)/var/log/kintsugi/test-*/(test harness results from build-time runs)
Not everything is a secret. Explicit keep-list:
manifest/models-recommended.yamlat/opt/kintsugi-usb/manifest/— maintainer-signed starter listmanifest/agentic-frameworks-recommended.yamlat same path/etc/kintsugi/build-info.conf— metadata the test harness reads/etc/kintsugi/ollama-first-boot.conf— first-boot setup marker- Framework install artifacts (baked in via 07-hook):
/usr/bin/aider,/usr/local/bin/claude, etc. - Fleet
/etc/hostsentries (public-only)
Zero-filling free space compresses better and prevents accidental data exposure from deleted files:
dd if=/dev/zero of=/build-root/ZEROFILL bs=1M status=progress 2>/dev/null
rm /build-root/ZEROFILL
sync
prep-master.sh --zero-free-space runs this. Default: ON for release builds; OFF for quick-iteration builds (env KINTSUGI_SKIP_ZEROFILL=1).
Before calling the build done:
- Run
yq eval '.schema_version' manifest/models-recommended.yaml— must equal1 - Run
yq eval '.schema_version' manifest/agentic-frameworks-recommended.yaml— must equal1 - Run
ls /etc/kintsugi/build-info.conf— must exist - Run
test -x /usr/local/bin/start-ai.sh /usr/local/bin/kintsugi-models /usr/local/bin/kintsugi-frameworks— all must be executable
After all sanitization: compute sha256 of the final .iso or .img (done by create-image.sh, not by prep-master).
scripts/secret-patterns.txt (text file, one regex per line, searched recursively with grep):
-----BEGIN OPENSSH PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
-----BEGIN DSA PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
^ANTHROPIC_API_KEY=
^OPENAI_API_KEY=
^AWS_SECRET_ACCESS_KEY=
^AWS_SESSION_TOKEN=
^GH_TOKEN=
^GITEA_TOKEN=
xoxb-[0-9]{10,}
sk-[a-zA-Z0-9]{20,}
- Do NOT run a build on a host where you have personal API keys set in
~/.config/ai-keys.envand then image it. Use a clean VM or setunset ANTHROPIC_API_KEY OPENAI_API_KEYbefore invokingkintsugi-build. - Review the
prep-master.shscan report before authorizingcreate-image.shto run. Any warnings should be investigated. - For distributed images (not just local testing): build on a dedicated VM with no personal credentials.
scripts/prep-master.sh— automated enforcementscripts/secret-patterns.txt— regex source for the scanner- ADR-005 §D2 (secret-boundary design)
- R-06, R-07 in
.aiwg/risks/risk-list.md - CLAUDE.md "Public Repo Security" section
sad-review-security.mdrequired change that drove prep-master.sh scope