HELIX CLEAN INSTALL RUNBOOK v1.2: Difference between revisions

From Helix Project Wiki
= HELIX CLEAN INSTALL RUNBOOK v1.2 (DRAFT) =
'''© 2025 Helix AI Innovations Inc. — Apache License 2.0'''
----


== 🌐 Helix Ethos ==
'''Trust-by-Design · Custody-before-Growth · Verifiable-Memory'''

This v1.2 draft evolves v1.1 from a production-grade baseline into an adaptive, self-verifying Helix node.
New phases add hardware-rooted custody (HSM), runtime introspection (eBPF), supply-chain proofs (SBOM, content trust),
Merkle-aggregated proofs, and privacy-preserving analytics—while keeping everything human-observable, auditable, and repairable.
----


== Document Header ==
| Intended Location || /opt/helix/docs/HELIX_CLEAN_INSTALL_RUNBOOK_v1.2.md
|}
== Architectural Overview (text summary) ==
Flow: 0 Preflight → 1–5 Base Env → 1.5 HSM → 4 Runtime → 4.5 GPU → 4.6 Model Integrity →
6 Security → 6.5 Hardening → 6.6 Validation → 6.7 Secrets → 6.8 eBPF → 6.9 CT →
6.10 IR → 6.11 PQC → 6.12 MPC → 7 QoL → 8 Observability → 8.5 Predictive →
8.6 DP → 9 Backup → 9.5 Backup Verify → 10 Final (Merkle) → 10.5 Compliance/SBOM → 10.6 NIST.


----
== Architectural Overview ==
''This diagram summarizes the v1.2 enhancements and phase layout.''
(Upload your PNG and link it here, e.g., '''File:helix_runbook_v1_2.png'''.)
<pre><nowiki>
```mermaid
graph TD
  A[0 Preflight] --> B["1-5 Base System & Env"]
  B --> B1[1.5 HSM]
  B --> C[4 Dev/Runtime]
  C --> C1[4.5 GPU Security]
  C --> C2[4.6 Model Integrity]
  B --> D[6 Security]
  D --> D1["6.5 Hardening (CIS/AppArmor/IDS)"]
  D1 --> D2[6.6 Automated Security Validation]
  D2 --> D3[6.7 Secrets Mgmt]
  D3 --> D4[6.8 eBPF Runtime Security]
  D4 --> D5[6.9 Certificate Transparency]
  D5 --> D6[6.10 Incident Response]
  D6 --> D7[6.11 PQC Prep]
  D7 --> D8[6.12 MPC Key Recovery]
  B --> E[7 QoL]
  E --> F[8 Observability]
  F --> F1[8.5 Predictive Health]
  F --> F2[8.6 Differential Privacy Metrics]
  F --> G[9 Backup]
  G --> G1[9.5 Backup Verification]
  G1 --> H[10 Final Verification]
  H --> H1["10.5 Compliance & SBOM"]
  H1 --> H2[10.6 NIST 800-53 Mapping]
```
</nowiki></pre>


== 0. Hardware Security Preflight ==
=== Explanation ===
Verify the hardware trust root before any changes: UEFI Secure Boot, TPM 2.0, entropy, and LUKS status.
=== Commands ===
<pre>
sudo apt install -y tpm2-tools mokutil
mokutil --sb-state   # Expect: SecureBoot enabled
tpm2_getcap properties-fixed | grep TPM_PT_FAMILY_INDICATOR
# Print only the CPU mitigation flags of interest, once, instead of the full flags line per core
grep -owE '(smep|smap|cet|ibt)' /proc/cpuinfo | sort -u
cat /proc/sys/kernel/random/entropy_avail
lsblk -f | grep -i crypto || echo "WARNING: No encrypted partitions detected"
</pre>
=== Verification ===
<pre>
dmesg | grep -i tpm || true
sudo cat /sys/class/tpm/tpm0/description 2>/dev/null || true
</pre>
'''[proof-hash phase-0_preflight 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 1–5. Base System & Environment (Automated, Idempotent) ==
=== Explanation ===
Carry forward v1.1 phases 1–5 (clean OS, base tools, desktop, dev stack, /opt/helix structure) with automation:
* All scripts use <code>set -euo pipefail</code>
* Central logging → /opt/helix/logs/install.log
* Phase checkpoints via Timeshift for rollback
=== Automation Entrypoint ===
<pre>
sudo mkdir -p /opt/helix/logs
sudo tee /opt/helix/bin/helix-install.sh > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
LOG="/opt/helix/logs/install.log"
log(){ echo "[$(date -u)] $*" | tee -a "$LOG"; }
# On any error, restore the Timeshift snapshot taken before the phase that failed
rollback_phase(){ local p="${1:-X}"; log "Rollback to pre-phase-$p"; sudo timeshift --restore --snapshot "pre-phase-$p" || true; }
trap 'rollback_phase ${PHASE_NUM:-X}' ERR
log "Starting Helix install v1.2"
for PHASE_NUM in 1 2 3 4 5; do
  sudo timeshift --create --comments "pre-phase-$PHASE_NUM" --scripted || true
  log "Execute phase $PHASE_NUM (invoke your phase-$PHASE_NUM.sh)"
  # TODO: call phase-$PHASE_NUM.sh here
done
log "Install complete"
EOF
sudo chmod +x /opt/helix/bin/helix-install.sh
</pre>
'''[proof-hash phase-1to5_base_env 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 1.5 HSM Setup (NEW) ==
=== Explanation ===
Move signing/auth keys into a hardware token (YubiKey/SmartCard/HSM) to harden key custody.
=== Commands ===
<pre>
sudo apt install -y opensc pcsc-tools gnupg2 scdaemon
sudo systemctl enable --now pcscd
pcsc_scan
gpg --card-status
# Generate on-card subkeys per vendor docs; export the public key to proofs:
gpg --armor --export helix@ai.helixprojectai.com > /opt/helix/proofs/helix_signer_ed25519.pub
</pre>
'''[proof-hash phase-1_5_hsm 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 2. Base Tools & Updates (Refined + Version Pinning) ==
=== Explanation ===
Install essentials; capture manifest; pin critical versions for reproducibility.
=== Commands ===
<pre>
sudo apt update
sudo apt install -y needrestart git curl wget jq unzip build-essential python3-pip tmux vim \
  ufw fail2ban ripgrep btop bat exa tldr ncdu apt-clone apt-show-versions
sudo mkdir -p /opt/helix/proofs
sudo apt-clone clone /opt/helix/proofs/apt-state-$(date +%F)
sha256sum /opt/helix/proofs/apt-state-*.tar.gz | sudo tee /opt/helix/proofs/phase-2_base_tools_$(date +%F).sha256
# Pin critical packages (adjust versions to known-good).
# apt_preferences records must be separated by a blank line, otherwise apt rejects the file.
sudo tee /etc/apt/preferences.d/helix-pins > /dev/null <<'EOF'
Package: docker-ce
Pin: version 5:27.3.1-1~ubuntu.24.04~noble
Pin-Priority: 1001

Package: nodejs
Pin: version 20.18.0-1nodesource1
Pin-Priority: 1001
EOF
# Export exact versions to a lockfile (sudo tee: /opt/helix/proofs is root-owned until phase 5 chowns it)
dpkg -l | awk '/^ii/ {print $2"="$3}' | sudo tee /opt/helix/proofs/package-versions-$(date +%F).lock > /dev/null
sha256sum /opt/helix/proofs/package-versions-*.lock | sudo tee /opt/helix/proofs/package-versions-$(date +%F).sha256
</pre>
'''[proof-hash phase-2_tooling 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 3. Desktop & Productivity Stack (Optimized) ==
=== Explanation ===
Use APT/.deb where possible; treat snaps as acceptable exceptions. Hold snap auto-refresh by policy.
=== Commands ===
<pre>
sudo apt install -y gnome-tweaks gparted terminator fonts-firacode chromium-browser libreoffice p7zip-full
sudo snap refresh --hold
# VS Code repo: keep the Microsoft key in its own keyring and scope it to this repo with signed-by
# (the same pattern phase 4 uses for Docker) rather than trusting it for every APT source.
sudo mkdir -p /etc/apt/keyrings
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | \
  sudo tee /etc/apt/keyrings/packages.microsoft.gpg >/dev/null
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/packages.microsoft.gpg] https://packages.microsoft.com/repos/code stable main" | \
  sudo tee /etc/apt/sources.list.d/vscode.list >/dev/null
sudo apt update && sudo apt install -y code
gsettings set org.gnome.desktop.interface gtk-theme 'Adwaita-dark'
</pre>
'''[proof-hash phase-3_desktop 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 4. Development & Runtime Stack (AI-Ready) ==
=== Explanation ===
Deterministic runtimes for Python/Node/Docker/Java; local TLS with 90-day rotation; optional Ollama.
=== Commands ===
<pre>
# Python + pipx + Ollama (optional)
sudo apt install -y python3-venv pipx
pipx ensurepath
pipx install ollama || true
# Node 20 LTS
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs
# Docker + Compose (pinned via preferences)
sudo apt install -y ca-certificates gnupg lsb-release
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
# Membership of the docker group is root-equivalent; grant it only to the helix service account
sudo usermod -aG docker helix
# Java
sudo apt install -y openjdk-17-jdk
# Local TLS (90 days) — secure placement. The subjectAltName is required: current TLS clients ignore the CN.
sudo apt install -y certbot
sudo openssl req -x509 -newkey rsa:4096 -keyout localhost.key -out localhost.crt -sha256 -days 90 -nodes \
  -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
sudo install -m 0644 localhost.crt /etc/ssl/certs/localhost.crt
sudo install -m 0600 localhost.key /etc/ssl/private/localhost.key
# Remove the working copies so the private key exists only under /etc/ssl/private
sudo rm -f localhost.key localhost.crt
</pre>
'''[proof-hash phase-4_runtime 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 4.5 GPU Security & Monitoring (NEW) ==
<pre>
sudo nvidia-smi -pm 1
sudo tee /opt/helix/bin/gpu-security-check > /dev/null <<'EOF'
#!/usr/bin/env bash
# Alert when the GPU is busy but no approved workload is running.
ALLOW='ollama|training|python|torchrun'
UTIL=$(nvidia-smi --query-gpu=utilization.gpu --format=csv,noheader,nounits 2>/dev/null | head -n1)
# nvidia-smi prints "[N/A]" when utilization is unsupported; only compare numeric values
[[ "$UTIL" =~ ^[0-9]+$ ]] || exit 0
if [ "$UTIL" -gt 90 ] && ! pgrep -f "$ALLOW" >/dev/null; then
  echo "[ALERT] High GPU usage ($UTIL%) without approved process" | tee -a /opt/helix/logs/security.log
fi
EOF
sudo chmod +x /opt/helix/bin/gpu-security-check
echo "*/2 * * * * root /opt/helix/bin/gpu-security-check" | sudo tee /etc/cron.d/helix-gpu-check
</pre>
'''[proof-hash phase-4_5_gpu 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 4.6 Model Provenance & Integrity (NEW) ==
<pre>
sudo tee /opt/helix/bin/verify-model > /dev/null <<'EOF'
#!/usr/bin/env bash
# Usage: verify-model <model-file> <expected-sha256>
set -euo pipefail
if [ "$#" -ne 2 ]; then
  echo "usage: $0 <model-file> <expected-sha256>" >&2
  exit 2
fi
MODEL="$1"; EXPECTED="$2"
ACTUAL=$(sha256sum "$MODEL" | awk '{print $1}')
if [ "$ACTUAL" != "$EXPECTED" ]; then
  echo "MODEL INTEGRITY FAILURE: $MODEL (expected $EXPECTED got $ACTUAL)" >&2
  exit 1
fi
echo "Model integrity verified: $MODEL"
EOF
sudo chmod +x /opt/helix/bin/verify-model
# Track expected hashes in: /opt/helix/proofs/models.lock
</pre>
'''[proof-hash phase-4_6_model 20251115]''' <code><<pending-v1.2-proof>></code>
----
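The runbook keeps expected hashes in <code>/opt/helix/proofs/models.lock</code> but <code>verify-model</code> checks one file at a time. The following is an added example, not the runbook's own script, of a lock-driven check: the lock uses the two-column <code>sha256sum</code> output format so <code>sha256sum -c</code> can verify it as a whole, and the verifier fails closed when the lock is missing or empty. <code>record_model</code> and <code>verify_models_lock</code> are names chosen here; the demo data is constructed.

```bash
#!/usr/bin/env bash
# Added example (not the runbook's verify-model): verify every model listed in a
# sha256sum-format lock file and fail closed on a missing or empty lock.
# Lock line format, as written by `sha256sum <file>`:  <64-hex-sha256>  <absolute-path>
set -u

# record_model LOCK MODEL: append the model's current hash to the lock file.
# Run this once, when the model is first obtained and its provenance is known.
record_model() {
  lock="$1"; model="$2"
  sha256sum "$model" >> "$lock"
}

# verify_models_lock LOCK: 0 only if the lock exists, is non-empty and every
# listed file matches; any mismatch, missing file or malformed line is a failure.
verify_models_lock() {
  lock="$1"
  if [ ! -s "$lock" ]; then
    echo "MODEL INTEGRITY FAILURE: lock file '$lock' is missing or empty" >&2
    return 1
  fi
  # --strict: a malformed lock line is itself a failure, not silently skipped.
  # --quiet: print only the files that fail, which is what the audit log needs.
  if ! sha256sum --check --strict --quiet "$lock"; then
    echo "MODEL INTEGRITY FAILURE: one or more models do not match $lock" >&2
    return 1
  fi
  echo "Model integrity verified: $(wc -l < "$lock" | tr -d ' ') model(s) in $lock"
}

# Demo on constructed files in a temporary directory: record, verify, tamper, re-verify.
demo_models_lock() {
  d=$(mktemp -d)
  printf 'constructed weights A' > "$d/model-a.bin"
  printf 'constructed weights B' > "$d/model-b.bin"
  record_model "$d/models.lock" "$d/model-a.bin"
  record_model "$d/models.lock" "$d/model-b.bin"
  verify_models_lock "$d/models.lock"
  printf 'tampered' >> "$d/model-b.bin"
  verify_models_lock "$d/models.lock" || echo "demo: tampering detected as expected"
  rm -rf "$d"
}
demo_models_lock
```

Because the lock holds absolute paths, it can be verified from any working directory; a model that is re-downloaded must be re-recorded deliberately, which is the point of keeping the lock under <code>/opt/helix/proofs</code> rather than next to the weights.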


== 5. Helix Directory Structure & Permissions ==
<pre>
sudo mkdir -p /opt/helix/{bin,config,proofs,sessions,observability,logs,ai,docs}
sudo chown -R helix:helix /opt/helix
sudo chmod -R 750 /opt/helix
echo "HELIX directory initialized $(date -u)" | sudo tee /opt/helix/proofs/phase-5_structure_init.log
sha256sum /opt/helix/proofs/phase-5_structure_init.log | sudo tee /opt/helix/proofs/phase-5_structure_init_$(date +%F).sha256
</pre>
'''[proof-hash phase-5_structure 20251115]''' <code><<pending-v1.2-proof>></code>
----
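The per-phase <code>.sha256</code> files written into <code>/opt/helix/proofs</code> are the leaves that the overview's "10 Final (Merkle)" step aggregates. The following is an added example, not the runbook's own tooling, of a shell-only aggregator: it sorts the proof files, hashes each as a leaf, and folds pairs until one root remains. <code>proofs_merkle_root</code>, <code>merkle_root</code> and <code>hash_hex</code> are names chosen here, and the pairing rule (odd trailing leaf paired with itself, hex strings concatenated as text) is this example's convention, not one the page specifies.

```bash
#!/usr/bin/env bash
# Added example: Merkle-aggregate the per-phase proof files in /opt/helix/proofs.
# Names (proofs_merkle_root, merkle_root, hash_hex) and the pairing rule are this
# example's own conventions, not part of the Helix runbook.
set -u

# hash_hex STRING: SHA-256 of the string, as 64 lowercase hex characters.
hash_hex() { printf '%s' "$1" | sha256sum | awk '{print $1}'; }

# merkle_root LEAF...: fold the leaf hashes pairwise (left||right hashed as
# text) until one hash remains. An odd trailing leaf is paired with itself.
merkle_root() {
  [ "$#" -gt 0 ] || { echo "merkle_root: no leaves" >&2; return 1; }
  level="$*"
  while [ "$(set -- $level; echo $#)" -gt 1 ]; do
    next=""
    set -- $level
    while [ "$#" -gt 0 ]; do
      left="$1"; right="${2:-$1}"
      next="$next $(hash_hex "$left$right")"
      if [ "$#" -ge 2 ]; then shift 2; else shift; fi
    done
    level="${next# }"
  done
  echo "$level"
}

# proofs_merkle_root DIR: leaves are the SHA-256 of every *.sha256 file in DIR,
# taken in byte-order file-name order so the root is reproducible on any host.
# (Proof file names are assumed to contain no whitespace.)
proofs_merkle_root() {
  dir="$1"
  leaves=""
  for f in $(find "$dir" -maxdepth 1 -name '*.sha256' -type f | LC_ALL=C sort); do
    leaves="$leaves $(sha256sum "$f" | awk '{print $1}')"
  done
  [ -n "$leaves" ] || { echo "proofs_merkle_root: no *.sha256 files in $dir" >&2; return 1; }
  merkle_root $leaves
}

# Demo on constructed proof files in a temporary directory.
demo_merkle() {
  d=$(mktemp -d)
  printf 'deadbeef  phase-2_base_tools.tar.gz\n' > "$d/phase-2.sha256"
  printf 'cafef00d  phase-5_structure_init.log\n' > "$d/phase-5.sha256"
  echo "root over $(ls "$d" | wc -l | tr -d ' ') constructed proof files: $(proofs_merkle_root "$d")"
  rm -rf "$d"
}
demo_merkle
```

Recording the sorted leaf list alongside the root (for instance as <code>merkle-root-YYYY-MM-DD.txt</code> in the proofs directory) lets an auditor recompute the root from the individual phase proofs; a single changed proof file changes the root.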


== 6. Security & Governance Layer (Matured) ==
<pre>
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw logging medium
sudo ufw enable
sudo systemctl enable fail2ban --now

# DNS over TLS
sudo apt install -y systemd-resolved
sudo mkdir -p /etc/systemd/resolved.conf.d/
cat << EOF | sudo tee /etc/systemd/resolved.conf.d/dns-over-tls.conf
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
EOF
sudo systemctl restart systemd-resolved

# SSH hardening. The patterns match the directive whether it is commented out or already set;
# Ubuntu ships "#PermitRootLogin prohibit-password", which a literal "#PermitRootLogin yes" match never touches.
sudo sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart ssh   # validate the config before restarting

# Audit log and immutability
sudo mkdir -p /opt/helix/logs
sudo touch /opt/helix/logs/audit.log
sudo chattr +a /opt/helix/logs/audit.log
lsattr /opt/helix/logs/audit.log   # expect -----a-------
</pre>
'''[proof-hash phase-6_security 20251115]''' <code><<pending-v1.2-proof>></code>
----
 
== 6.5 Advanced Hardening (CIS / AppArmor / IDS) ==
<pre>
sudo apt install -y usg lynis aide apparmor-profiles-extra apparmor-utils ossec-hids
sudo usg fix cis_level1_workstation --audit-log /opt/helix/proofs/cis-compliance.log || true
sudo aa-enforce /etc/apparmor.d/*

# Kernel hardening sysctls: restrict ptrace, hide kernel pointers, harden the BPF JIT,
# disable unprivileged BPF, restrict dmesg
sudo tee /etc/sysctl.d/99-helix-security.conf <<EOF
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=2
net.core.bpf_jit_harden=2
kernel.unprivileged_bpf_disabled=1
kernel.dmesg_restrict=1
EOF
sudo sysctl --system

sudo systemctl enable ossec --now
sudo systemctl disable cups bluetooth || true
</pre>
'''[proof-hash phase-6_5_hardening 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 6.6 Automated Security Validation ==
<pre>
sudo lynis audit system --auditor "Helix TTD" --report-file /opt/helix/proofs/lynis-baseline.dat
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo tee /opt/helix/bin/helix-security-check > /dev/null <<'EOF'
#!/usr/bin/env bash
LOG="/opt/helix/logs/security-audit.log"
echo "$(date): Helix security validation" >> "$LOG"
lynis audit system --quick --quiet --auditor "Helix TTD" >> "$LOG"
aide --check >> "$LOG"
gpg --check-trustdb >> "$LOG"
EOF
sudo chmod +x /opt/helix/bin/helix-security-check
# Schedule
echo "0 3 * * * root /opt/helix/bin/helix-security-check" | sudo tee /etc/cron.d/helix-security-check
</pre>
'''[proof-hash phase-6_6_validation 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 6.7 Secrets Management (NEW) ==
<pre>
sudo apt install -y age
age-keygen -o /opt/helix/config/.age-key.txt
chmod 600 /opt/helix/config/.age-key.txt
sudo tee /opt/helix/bin/helix-encrypt-secret > /dev/null <<'EOF'
#!/usr/bin/env bash
# Usage: helix-encrypt-secret <plaintext-file>  -> writes <plaintext-file>.age and removes the plaintext
set -euo pipefail
KEY=/opt/helix/config/.age-key.txt
age -r "$(age-keygen -y "$KEY")" -o "$1.age" "$1"
# shred only overwrites in place on filesystems that rewrite blocks in place (not CoW, journaled-data
# or SSD-remapped storage); full-disk encryption (phase 0 LUKS check) is what protects the old blocks.
shred -u "$1"
EOF
sudo chmod +x /opt/helix/bin/helix-encrypt-secret
</pre>
'''[proof-hash phase-6_7_secrets 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 6.8 eBPF Runtime Security (NEW) ==
<pre>
sudo apt install -y bpfcc-tools
sudo tee /opt/helix/bin/helix-ebpf-monitor > /dev/null <<'EOF'
#!/usr/bin/env bash
# Lightweight exec/open snooping; tune filters for locality.
# --line-buffered: when grep writes to a file it block-buffers by default, delaying log lines by minutes.
execsnoop-bpfcc -T 2>/dev/null | grep --line-buffered -v helix-whitelist >> /opt/helix/logs/runtime-execs.log &
opensnoop-bpfcc -T 2>/dev/null | grep --line-buffered -v /proc >> /opt/helix/logs/file-access.log &
# Keep the wrapper in the foreground so a service manager can supervise both pipelines.
wait
EOF
sudo chmod +x /opt/helix/bin/helix-ebpf-monitor
</pre>
'''[proof-hash phase-6_8_ebpf 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 6.9 Certificate Transparency Monitoring (NEW) ==
<pre>
# Monitor CT logs for unauthorized certs for helixprojectai.com
# Option A: certstream client; Option B: scheduled crt.sh queries (used here).
sudo tee /opt/helix/bin/ct-monitor.sh > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
DOMAIN="helixprojectai.com"
# -f: treat HTTP errors as failures so an error page is never fed to jq and logged as observations
curl -fsS "https://crt.sh/?q=%25.$DOMAIN&output=json" | jq -r '.[].name_value' \
  | sort -u >> /opt/helix/logs/ct-observations.log
EOF
sudo chmod +x /opt/helix/bin/ct-monitor.sh
echo "*/30 * * * * root /opt/helix/bin/ct-monitor.sh" | sudo tee /etc/cron.d/helix-ct
</pre>
'''[proof-hash phase-6_9_ct 20251115]''' <code><<pending-v1.2-proof>></code>
----
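The monitor above appends every observed name to a log; it does not say which names are unexpected. The following is an added example, not the runbook's <code>ct-monitor.sh</code>, of the comparison step: names are normalised, compared against an operator-maintained allowlist, and only the unknown ones are written to an alert log. Function names and the allowlist path are this example's choices, and the observed names are constructed to look like <code>jq</code> output from the crt.sh query.

```bash
#!/usr/bin/env bash
# Added example (not the runbook's ct-monitor.sh): compare crt.sh observations
# against an operator-maintained allowlist and surface names that were never
# authorised. Function names and the allowlist path are this example's choices.
set -u

# normalize_names: stdin -> lowercase, trimmed, de-duplicated names in C-locale
# order (comm requires both inputs sorted the same way). Wildcards are kept as
# written: an unexpected "*.domain" certificate is exactly what should alert.
normalize_names() {
  tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' | LC_ALL=C sort -u
}

# ct_unknown_names ALLOWLIST OBSERVED: print observed names absent from the allowlist.
ct_unknown_names() {
  a=$(mktemp); o=$(mktemp)
  normalize_names < "$1" > "$a"
  normalize_names < "$2" > "$o"
  LC_ALL=C comm -13 "$a" "$o"
  rm -f "$a" "$o"
}

# ct_alert ALLOWLIST OBSERVED ALERTLOG: append unknown names to ALERTLOG with a
# timestamp; return 1 when at least one unknown name was seen, else 0.
ct_alert() {
  unknown=$(ct_unknown_names "$1" "$2")
  [ -n "$unknown" ] || return 0
  printf '%s\n' "$unknown" | while IFS= read -r name; do
    printf '%s CT-ALERT unexpected certificate name: %s\n' "$(date -u +%FT%TZ)" "$name" >> "$3"
  done
  return 1
}

# Demo with constructed data: names as jq would emit them from crt.sh output.
demo_ct() {
  d=$(mktemp -d)
  printf 'helixprojectai.com\nwww.helixprojectai.com\nmail.helixprojectai.com\n' > "$d/allow.txt"
  printf 'helixprojectai.com\n*.helixprojectai.com\nMail.HelixProjectAI.com\ndev-test.helixprojectai.com\n' > "$d/observed.txt"
  if ct_alert "$d/allow.txt" "$d/observed.txt" "$d/ct-alerts.log"; then
    echo "demo: no unexpected names"
  else
    cat "$d/ct-alerts.log"
  fi
  rm -rf "$d"
}
demo_ct
```

In the scheduled job this would run right after the crt.sh query, with <code>/opt/helix/logs/ct-observations.log</code> as the observed file and an allowlist kept under <code>/opt/helix/config</code> (a path assumed here); a non-zero exit is what the alerting layer should watch for.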


== 6.10 Automated Incident Response (NEW) ==
<pre>
sudo tee /opt/helix/bin/incident-response > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
# Snapshot volatile state first, then isolate if the security log carries a CRITICAL marker
T="/opt/helix/incidents/$(date -u +%Y%m%d_%H%M%S)"
mkdir -p "$T"
ps aux > "$T/processes.txt"
ss -tulpen > "$T/network.txt"
lsof +L1 > "$T/deleted_files.txt" 2>/dev/null || true
if grep -q "CRITICAL" /opt/helix/logs/security.log 2>/dev/null; then
  ufw deny out from any to any || true
  echo "SYSTEM ISOLATED - Manual intervention required" | tee -a "$T/notes.txt"
fi
EOF
sudo chmod +x /opt/helix/bin/incident-response
</pre>
'''[proof-hash phase-6_10_ir 20251115]''' <code><<pending-v1.2-proof>></code>
----
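The script above greps the whole of <code>security.log</code>, so one historical CRITICAL line would re-trigger isolation on every invocation. The following is an added example, not the runbook's <code>incident-response</code> script, of an offset-tracked trigger that only reacts to CRITICAL lines appended since the previous run and handles log rotation. Function names, the state-file path and the <code>ISOLATE_CMD</code> variable are this example's own; the log content is constructed.

```bash
#!/usr/bin/env bash
# Added example (not the runbook's incident-response script): react only to
# CRITICAL lines that appeared since the previous run. Names, the state-file
# path and ISOLATE_CMD are this example's own, not part of the runbook.
set -u
# The runbook's isolation step is "ufw deny out from any to any"; it is a variable here
# so the demo runs without side effects.
ISOLATE_CMD="${ISOLATE_CMD:-echo would-isolate-host}"

# new_critical_lines LOG STATE: print CRITICAL lines appended since the byte
# offset saved in STATE, then save the new offset. If the log shrank (rotated
# or truncated) the stored offset is discarded and the file is read from the start.
new_critical_lines() {
  log="$1"; state="$2"
  [ -f "$log" ] || return 0
  size=$(wc -c < "$log" | tr -d ' ')
  last=0
  [ -f "$state" ] && last=$(cat "$state")
  [ "$last" -le "$size" ] || last=0
  tail -c +$((last + 1)) "$log" | grep 'CRITICAL' || true
  echo "$size" > "$state"
}

# respond_to_new_criticals LOG STATE OUTDIR: record the triggering lines under
# OUTDIR and run ISOLATE_CMD once. Returns 0 when it acted, 1 when nothing was new.
respond_to_new_criticals() {
  log="$1"; state="$2"; out="$3"
  new=$(new_critical_lines "$log" "$state")
  [ -n "$new" ] || return 1
  mkdir -p "$out"
  printf '%s\n' "$new" > "$out/trigger.txt"
  $ISOLATE_CMD | tee -a "$out/notes.txt"
  return 0
}

# Demo on a constructed security.log: the first run acts, the second finds nothing new.
demo_ir() {
  d=$(mktemp -d)
  printf 'INFO gpu-security-check ok\nCRITICAL unexpected kernel module loaded\n' > "$d/security.log"
  respond_to_new_criticals "$d/security.log" "$d/offset" "$d/incident-1" && echo "first run: acted"
  respond_to_new_criticals "$d/security.log" "$d/offset" "$d/incident-2" || echo "second run: nothing new, no action"
  rm -rf "$d"
}
demo_ir
```

The state file should live under <code>/opt/helix/incidents</code> (or another root-only path), since an attacker who can advance the offset can hide a CRITICAL line from the next run; the append-only attribute used for <code>audit.log</code> in phase 6 is the matching protection for the log itself.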


== 6.11 Post-Quantum Crypto Preparation (NEW) ==
<pre>
# PQC toolchains differ by distro; install oqs-enabled OpenSSL if available.
sudo apt install -y liboqs-dev || true
sudo tee /opt/helix/bin/pqc-keygen > /dev/null <<'EOF'
#!/usr/bin/env bash
echo "[Info] Generate hybrid PQC keys (placeholder; align with org policy)."
EOF
sudo chmod +x /opt/helix/bin/pqc-keygen
</pre>
'''[proof-hash phase-6_11_pqc 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 6.12 MPC / Shamir Key Recovery (NEW) ==
<pre>
sudo apt install -y ssss || true
sudo tee /opt/helix/bin/shamir-backup > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
KEY="/opt/helix/config/.age-key.txt"
# ssss-split reads the secret from stdin (its -s option is the security level in bits, not a file);
# feed it only the AGE-SECRET-KEY line, which fits within ssss's 128-character secret limit.
grep '^AGE-SECRET-KEY-' "$KEY" | ssss-split -t 3 -n 5 -w helix-age
echo "Distribute shares to trusted parties; record locations in /opt/helix/proofs/key-shares.txt"
EOF
sudo chmod +x /opt/helix/bin/shamir-backup
</pre>
'''[proof-hash phase-6_12_mpc 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 7. Developer Quality-of-Life ==
<pre>
sudo apt install -y direnv fish lsd fd-find tree btop
echo 'eval "$(direnv hook bash)"' >> ~/.bashrc
echo 'export HELIX_ENV=dev' >> ~/.bashrc
echo 'PS1="[\u@\h \W($HELIX_ENV)]\$ "' >> ~/.bashrc
source ~/.bashrc
# VS Code extensions (idempotent): one id per --install-extension call, so one failing id does not block the rest
for ext in redhat.vscode-yaml ms-python.python ms-azuretools.vscode-docker \
  ms-vscode-remote.remote-ssh yzhang.markdown-all-in-one eamodio.gitlens humao.rest-client \
  bierner.markdown-preview-github-styles; do
  code --install-extension "$ext" || true
done
echo "Welcome to Helix Workstation Node — Custody-First Environment" | sudo tee /etc/motd
</pre>
'''[proof-hash phase-7_qol 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 8. Observability & Metrics (Enhanced) ==
<pre>
# Node exporter (host metrics)
sudo apt install -y prometheus-node-exporter
# Networks for isolation
docker network create --driver bridge helix-observability || true
docker network create --driver bridge helix-ai || true
# Content trust & pinned images (supply-chain assurance).
# With DOCKER_CONTENT_TRUST=1 docker refuses to pull a tag that has no Notary trust data;
# images without signatures can still be pinned by digest (image@sha256:...).
# /etc/environment is parsed by pam_env as KEY=VALUE lines, not by a shell, so it takes no "export".
export DOCKER_CONTENT_TRUST=1
echo 'DOCKER_CONTENT_TRUST=1' | sudo tee -a /etc/environment
# Grafana / Prometheus / Qdrant with resource limits.
# Publish on loopback: ports published on 0.0.0.0 are opened by Docker's own iptables chain and bypass the
# ufw "deny incoming" default from phase 6.
docker run -d --name grafana --network helix-observability --memory=4096m --cpus=2 \
  -p 127.0.0.1:3000:3000 -v grafana-storage:/var/lib/grafana grafana/grafana
docker run -d --name prometheus --network helix-observability --memory=4096m --cpus=2 \
  -p 127.0.0.1:9090:9090 -v prometheus-storage:/prometheus prom/prometheus
docker run -d --name qdrant --network helix-ai --memory=4096m --cpus=2 \
  -p 127.0.0.1:6333:6333 -p 127.0.0.1:6334:6334 qdrant/qdrant
# Alert rules (mount later via config)
sudo mkdir -p /opt/helix/config
sudo tee /opt/helix/config/prometheus-alerts.yml > /dev/null <<'EOF'
groups:
- name: helix_system
  interval: 30s
  rules:
  - alert: HelixDiskSpaceLow
    expr: node_filesystem_avail_bytes{mountpoint="/opt/helix"} < 10e9
    for: 5m
    annotations:
      summary: "Helix partition below 10GB"
      action: "Free space or expand storage"
  - alert: HelixSecurityCheckFail
    expr: helix_security_check_status != 0
    for: 1m
    annotations:
      summary: "Security validation failed"
      action: "Run /opt/helix/bin/helix-security-check"
EOF
</pre>
'''[proof-hash phase-8_observability 20251115]''' <code><<pending-v1.2-proof>></code>
----


== 8.5 Predictive Health (NEW) ==
<pre>
sudo apt install -y smartmontools
sudo tee /opt/helix/bin/predictive-health > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
DISK="/dev/nvme0n1"
LOG="/opt/helix/logs/alerts.log"
# Runs as root from cron, so no sudo is needed. The "|| true" matters: with pipefail,
# a failing smartctl (missing disk, unsupported controller) or a no-match grep would
# otherwise abort the script before the ECC check runs.
WEAR=$(smartctl -A "$DISK" 2>/dev/null | awk '/Percentage Used/ {print $3}' | tr -d '%' || true)
if [ -n "$WEAR" ] && [ "$WEAR" -gt 80 ]; then
  echo "$(date -u +%FT%TZ) WARNING: SSD near EOL — ${WEAR}% used" | tee -a "$LOG"
fi
# dmesg is cumulative since boot; the count only grows until the next reboot.
MEMERR=$(dmesg 2>/dev/null | grep -ci "ecc error" || true)
if [ "${MEMERR:-0}" -gt 10 ]; then
  echo "$(date -u +%FT%TZ) WARNING: Elevated ECC errors detected ($MEMERR)" | tee -a "$LOG"
fi
EOF
sudo chmod +x /opt/helix/bin/predictive-health
echo "*/15 * * * * root /opt/helix/bin/predictive-health" | sudo tee /etc/cron.d/helix-predictive
</pre>
'''[proof-hash phase-8_5_predictive 20251115]''' <code><<pending-v1.2-proof>></code>




== 8.6 Differential Privacy Metrics (NEW) ==
<pre>
sudo apt install -y python3-pip || true
sudo tee /opt/helix/bin/dp-metrics > /dev/null <<'EOF'
#!/usr/bin/env python3
print("DP metrics pipeline placeholder — integrate OpenDP/SmartNoise per policy.")
EOF
sudo chmod +x /opt/helix/bin/dp-metrics
</pre>
'''[proof-hash phase-8_6_dp 20251115]''' <code><<pending-v1.2-proof>></code>
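Phase 8.6 leaves the pipeline as a placeholder. As an added illustration of what "privacy-preserving analytics" means in practice (this is not code from the runbook, nor from OpenDP or SmartNoise), here is a small Laplace-mechanism counter with budget accounting over a constructed sample of GPU-check events. The record layout, the epsilon values and the clipping bounds are assumptions, not Helix policy.

```python
#!/usr/bin/env python3
"""Added example: differentially private counts and sums for Helix ops metrics.

Laplace mechanism with a per-report epsilon budget. The record layout and the
epsilon values are assumptions, not Helix policy.
"""
import math
import random

# Constructed sample, one record per GPU-check run (phase 4.5); not real data.
SAMPLE_EVENTS = [
    {"host": "helix-core", "gpu_util": 97, "alert": True},
    {"host": "helix-core", "gpu_util": 12, "alert": False},
    {"host": "helix-core", "gpu_util": 88, "alert": False},
    {"host": "helix-lab", "gpu_util": 99, "alert": True},
    {"host": "helix-lab", "gpu_util": 45, "alert": False},
    {"host": "helix-lab", "gpu_util": 93, "alert": True},
]


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF; rng.random() lies in [0, 1)."""
    u = rng.random() - 0.5
    u = max(u, -0.5 + 1e-12)  # keep log() away from the (measure-zero) boundary
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class PrivacyBudget:
    """Tracks cumulative epsilon so a report cannot silently over-query the data."""

    def __init__(self, epsilon_total):
        self.epsilon_total = float(epsilon_total)
        self.spent = 0.0

    def charge(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.epsilon_total + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.spent += epsilon


def dp_count(records, predicate, epsilon, budget, rng):
    """Counting query: adding or removing one record moves the count by at most 1."""
    budget.charge(epsilon)
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def dp_sum(records, key, lo, hi, epsilon, budget, rng):
    """Bounded sum: values are clipped to [lo, hi], so one record moves the sum by at most max(|lo|, |hi|)."""
    budget.charge(epsilon)
    clipped_total = sum(min(max(key(r), lo), hi) for r in records)
    sensitivity = max(abs(lo), abs(hi))
    return clipped_total + laplace_noise(sensitivity / epsilon, rng)


def ops_report(records=SAMPLE_EVENTS, epsilon_total=1.0, seed=None):
    """Spend the whole budget across two queries and return the noisy figures."""
    budget = PrivacyBudget(epsilon_total)
    rng = random.Random(seed)
    return {
        "noisy_alert_count": dp_count(records, lambda r: r["alert"], epsilon_total / 2, budget, rng),
        "noisy_gpu_util_sum": dp_sum(records, lambda r: r["gpu_util"], 0, 100, epsilon_total / 2, budget, rng),
        "epsilon_spent": budget.spent,
    }


def budget_holds(epsilon_total=1.0):
    """True when a query that would exceed epsilon_total is refused."""
    budget = PrivacyBudget(epsilon_total)
    rng = random.Random(0)
    dp_count(SAMPLE_EVENTS, lambda r: r["alert"], 0.6, budget, rng)
    try:
        dp_count(SAMPLE_EVENTS, lambda r: r["alert"], 0.6, budget, rng)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(ops_report(seed=42))
```

The two things a real pipeline must get right are visible here: every query has a stated sensitivity (1 for a count, the clipping bound for a sum), and the budget object refuses the query that would exceed the report's epsilon instead of quietly degrading the guarantee.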




== 9. Backup & Portability (DR-Ready) ==
<pre>
sudo timeshift --check || true
# Retention in timeshift is keyed by tag: the nightly job below is tagged D (daily),
# so count_daily is the value that prunes it. Values in timeshift.json are strings.
if command -v jq >/dev/null 2>&1; then
  TS_TMP=$(mktemp)
  sudo jq '.count_daily = "3"' /etc/timeshift/timeshift.json > "$TS_TMP" && \
  sudo install -m 0644 -o root -g root "$TS_TMP" /etc/timeshift/timeshift.json
  rm -f "$TS_TMP"
fi
echo "0 23 * * * root /usr/bin/timeshift --create --tags D --comments 'Nightly Helix Snapshot' --scripted" | \
  sudo tee /etc/cron.d/helix-timeshift
</pre>
'''[proof-hash phase-9_backup 20251115]''' <code><<pending-v1.2-proof>></code>




== 9.5 Backup Verification Testing ==
<pre>
sudo tee /opt/helix/bin/helix-backup-verify > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
# Evidence is written under proofs/, not into a temp dir that is deleted at the end,
# and the exit status is non-zero on any failure so cron mail or alerting notices.
OUT="/opt/helix/proofs/dr-drill-$(date +%F).log"
FAIL=0
{
  echo "DR drill $(date -u +%FT%TZ)"
  # Snapshots this runbook relies on: the HELIX_BASELINE snapshot and the nightly job's
  timeshift --list | grep -E 'HELIX_BASELINE|Nightly Helix Snapshot' || { echo "MISSING: expected timeshift snapshots"; FAIL=1; }
  cd /opt/helix/proofs
  # consolidated-v1.2.sha256 (phase 10) lists every phase proof file with its hash
  sha256sum -c consolidated-v1.2.sha256 || { echo "FAILED: phase proof hashes"; FAIL=1; }
  # merkle-root-*.sig are inline-signed (gpg --sign), so each verifies on its own
  for s in merkle-root-*.sig; do
    gpg --verify "$s" || { echo "FAILED: signature $s"; FAIL=1; }
  done
  echo "RESULT: $([ "$FAIL" -eq 0 ] && echo PASS || echo FAIL)"
} > "$OUT" 2>&1
exit "$FAIL"
EOF
sudo chmod +x /opt/helix/bin/helix-backup-verify
# The drill runs as root, so root's keyring needs the signer's public key from phase 1.5
sudo gpg --import /opt/helix/proofs/helix_signer_ed25519.pub
# Quarterly DR drill: verification only; an actual timeshift restore remains a manually approved step
echo "0 4 1 */3 * root /opt/helix/bin/helix-backup-verify" | sudo tee /etc/cron.d/helix-drdrill
</pre>
'''[proof-hash phase-9_5_backupverify 20251115]''' <code><<pending-v1.2-proof>></code>




== 10. Final Verification (Merkle Aggregation) ==
<pre>
sudo tee /opt/helix/bin/helix-merkle-proof > /dev/null <<'EOF'
#!/usr/bin/env python3
"""Merkle root over the phase proof hashes read from stdin (first field of each line).

Leaf order is input order, so feed a canonical (sorted) list. An odd last element is
paired with itself, as in Bitcoin's tree: a list and the same list with its last hash
duplicated give the same root, so keep the consolidated file itself as evidence and
not only the root.
"""
import hashlib
import sys


def merkle_root(hs):
    if not hs:
        sys.exit("helix-merkle-proof: no proof hashes on stdin")
    if len(hs) == 1:
        return hs[0]
    nxt = []
    for i in range(0, len(hs), 2):
        left = hs[i]
        right = hs[i + 1] if i + 1 < len(hs) else left
        nxt.append(hashlib.sha256((left + right).encode()).hexdigest())
    return merkle_root(nxt)


proofs = [line.split()[0] for line in sys.stdin if line.strip()]
print(merkle_root(proofs))
EOF
sudo chmod +x /opt/helix/bin/helix-merkle-proof


cd /opt/helix/proofs
cat phase-*2025*.sha256 > consolidated-v1.2.sha256
sha256sum consolidated-v1.2.sha256 > consolidated-v1.2.sha256sum
awk '{print $1}' consolidated-v1.2.sha256 | /opt/helix/bin/helix-merkle-proof > merkle-root-$(date +%F).txt
gpg --output merkle-root-$(date +%F).sig --sign merkle-root-$(date +%F).txt
</pre>
'''[proof-hash phase-10_final 20251115]''' <code><<pending-v1.2-proof>></code>
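The script above produces a root but gives an auditor no way to show that one phase proof belongs to it, and its odd-element duplication means two different lists can share a root. The following is an added example, not the runbook's helix-merkle-proof, of the RFC 6962 tree shape (domain-separated leaves and nodes, odd node promoted rather than paired with itself) with audit-path generation and the RFC 9162 verification procedure. The sample entries are constructed stand-ins for lines of consolidated-v1.2.sha256, and <code>naive_root</code> reproduces the runbook's scheme only to show the collision.

```python
#!/usr/bin/env python3
"""Added example: Merkle aggregation with inclusion proofs (RFC 6962 tree shape).

Not the runbook's helix-merkle-proof: leaves and interior nodes are domain-separated
(0x00 / 0x01) and an odd node is promoted instead of paired with itself, so a single
phase proof can be shown to belong to a signed root with a short audit path.
The entries below are constructed, not real Helix proofs.
"""
import hashlib

LEAF_PREFIX, NODE_PREFIX = b"\x00", b"\x01"

# Constructed stand-ins for lines of consolidated-v1.2.sha256 ("<hash>  <file>")
SAMPLE_ENTRIES = [
    b"0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a  phase-0_preflight.sha256",
    b"1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b  phase-2_base_tools.sha256",
    b"2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c  phase-5_structure_init.sha256",
    b"3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d  package-versions.sha256",
    b"4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e4e  sbom.sha256",
]


def _sha256(data):
    return hashlib.sha256(data).digest()


def leaf_hash(entry):
    return _sha256(LEAF_PREFIX + entry)


def _split_point(n):
    """Largest power of two strictly less than n (RFC 6962 section 2.1)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves):
    if not leaves:
        return _sha256(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split_point(len(leaves))
    return _sha256(NODE_PREFIX + merkle_root(leaves[:k]) + merkle_root(leaves[k:]))


def audit_path(leaves, index):
    """Sibling hashes from the leaf up to the root (RFC 6962 section 2.1.1)."""
    if len(leaves) <= 1:
        return []
    k = _split_point(len(leaves))
    if index < k:
        return audit_path(leaves[:k], index) + [merkle_root(leaves[k:])]
    return audit_path(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf, index, tree_size, path, root):
    """RFC 9162 section 2.1.3.2: recompute the root from leaf, index and audit path."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = _sha256(NODE_PREFIX + p + r)
            if not fn & 1:
                while fn & 1 == 0 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = _sha256(NODE_PREFIX + r + p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def naive_root(hex_hashes):
    """The runbook's scheme, for comparison: the odd last element is paired with itself."""
    if len(hex_hashes) == 1:
        return hex_hashes[0]
    nxt = []
    for i in range(0, len(hex_hashes), 2):
        left = hex_hashes[i]
        right = hex_hashes[i + 1] if i + 1 < len(hex_hashes) else left
        nxt.append(hashlib.sha256((left + right).encode()).hexdigest())
    return naive_root(nxt)


def build_and_prove(entries=SAMPLE_ENTRIES, index=0):
    """Return (root_hex, audit_path_hex, verified) for the entry at index."""
    leaves = [leaf_hash(e) for e in entries]
    root = merkle_root(leaves)
    path = audit_path(leaves, index)
    return root.hex(), [p.hex() for p in path], verify_inclusion(leaves[index], index, len(leaves), path, root)


if __name__ == "__main__":
    root, path, ok = build_and_prove(index=3)
    print(root, len(path), ok)
```

Signing the root (as phase 10 does) then lets anyone holding one phase file plus its audit path check membership without the whole consolidated list; the naive scheme cannot offer that safely because the root does not commit to the number of leaves.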


== 10.5 Compliance, SBOM & Attestation ==
<pre>
sudo tee /opt/helix/bin/helix-compliance-report > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
D="/opt/helix/proofs/compliance-$(date +%F)"
mkdir -p "$D"
# usg (Ubuntu Pro) prints a summary on stdout; its full report is written under /var/lib/usg/
if command -v usg >/dev/null 2>&1; then
  usg audit cis_level1_workstation > "$D/cis-compliance.log" 2>&1 || true
fi
{
  echo "=== Helix Security Configuration Report ==="
  echo "Generated: $(date -u)"
  echo "System: $(hostnamectl | grep 'Operating System')"
  echo "Kernel: $(uname -r)"
  echo "AppArmor: $(apparmor_status 2>/dev/null | head -1)"
  echo "UFW: $(ufw status | head -1)"
} > "$D/security-summary.txt"
# Exclude the hash list and its signature, otherwise find hashes the file it is writing
find "$D" -type f ! -name 'compliance-hashes.*' -exec sha256sum {} \; > "$D/compliance-hashes.sha256"
gpg --output "$D/compliance-hashes.sig" --sign "$D/compliance-hashes.sha256"
EOF
sudo chmod +x /opt/helix/bin/helix-compliance-report

# syft is not in the Ubuntu archive; install the Anchore release binary when apt has no package
sudo apt install -y syft || true
if command -v syft >/dev/null 2>&1; then
  syft scan dir:/opt/helix -o spdx-json > /opt/helix/proofs/helix-sbom-$(date +%F).spdx.json
  sha256sum /opt/helix/proofs/helix-sbom-*.spdx.json | tee /opt/helix/proofs/sbom-$(date +%F).sha256
fi

# An attestation should bind to evidence, not only to a date: record what it attests to
{
  echo "Helix Security Attestation - $(date -u)"
  cat /opt/helix/proofs/merkle-root-*.txt 2>/dev/null | sed 's/^/merkle-root: /'
  cat /opt/helix/proofs/sbom-*.sha256 2>/dev/null | sed 's/^/sbom: /'
} > /opt/helix/proofs/security-attestation.txt
gpg --output /opt/helix/proofs/security-attestation.sig --sign /opt/helix/proofs/security-attestation.txt

# Weekly report. It runs as root from cron, so signing needs a key root can use without a PIN
# prompt; the smartcard key from phase 1.5 is interactive and will not sign unattended.
echo "0 2 * * 1 root /opt/helix/bin/helix-compliance-report" | sudo tee /etc/cron.d/helix-compliance
</pre>
'''[proof-hash phase-10_5_compliance 20251115]''' <code><<pending-v1.2-proof>></code>


== 10.6 NIST 800-53 Mapping (NEW) ==
<pre>
sudo tee /opt/helix/bin/nist-compliance-check > /dev/null <<'EOF'
#!/usr/bin/env bash
# Each control line is backed by an artefact this runbook creates; a missing artefact
# prints MISSING instead of an unconditional "VERIFIED".
OUT="/opt/helix/proofs/nist-compliance-$(date +%F).txt"
check() { # check CONTROL DESCRIPTION PATH-GLOB
  if compgen -G "$3" >/dev/null; then echo "$1: $2 - VERIFIED ($3)"; else echo "$1: $2 - MISSING ($3)"; fi
}
{
  echo "NIST 800-53 Compliance Report - $(date -u)"
  check "CM-6" "Configuration Management" "/opt/helix/proofs/package-versions-*.lock"
  check "SI-4" "Information System Monitoring" "/etc/cron.d/helix-security-check"
  check "AU-6" "Audit Review, Analysis, and Reporting" "/opt/helix/logs/security-audit.log"
  # Extend mappings per control catalog and evidence
} > "$OUT"
EOF
sudo chmod +x /opt/helix/bin/nist-compliance-check
/opt/helix/bin/nist-compliance-check
</pre>
'''[proof-hash phase-10_6_nist 20251115]''' <code><<pending-v1.2-proof>></code>




== Version Evolution Chain ==
{| class="wikitable"
! Version !! Date !! Focus !! Proof Status
|-
| v1.0 || 2025-10-11 || Baseline Internal Install || Immutable
|-
| v1.1 || 2025-10-15 || Production Hardening & Automation || Re-signed
|-
| v1.2 (Draft) || 2025-11-15 || Adaptive Security & Supply Chain Proofs || <<pending>>
|}


== Epilogue · Helix Ethos Reflection ==
<blockquote>
'''Trust is built by proof, not by promise.'''
'''Custody precedes capability.'''
'''Transparency is the foundation of continuity.'''
</blockquote>
<blockquote style="border-left:3px solid #77f; padding-left:1em; font-style:italic;">
''Version 1.2 transforms the Helix workstation from a static fortress to an adaptive immune system.
With eBPF runtime monitoring, predictive health analytics, and post-quantum readiness, the node doesn't just resist attacks—it learns from them.
HSM-based root of trust and MPC key recovery ensure that even physical compromise doesn't breach cryptographic sovereignty.
This is our evolution from building secure systems to building systems that secure themselves.''
</blockquote>
<pre>
HELIX_CLEAN_INSTALL_RUNBOOK_v1.2
sha256: <<pending-v1.2-proof>>
</pre>


== License ==
 
<pre>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy at http://www.apache.org/licenses/LICENSE-2.0
</pre>
''This page is expressly licensed under Apache 2.0; the wiki’s default footer does not override this.''


== Canonical Source ==
/opt/helix/docs/HELIX_CLEAN_INSTALL_RUNBOOK_v1.2.md
SHA-256: <code><<pending-v1.2-proof>></code>


== See Also ==
 
* [[HELIX_CLEAN_INSTALL_RUNBOOK_v1.0]]
* [[HELIX_CLEAN_INSTALL_RUNBOOK_v1.1]]
* [[Helix_Core_Ethos_–_Runbook_v1.0]]
* [[QSR_Runbook]]
* [[RCO_Integration_–_Production‑Ready_Runbook]]


[[Category:Helix Docs]] [[Category:Runbooks]] [[Category:Governance]] [[Category:Install Guides]]

Latest revision as of 11:26, 11 October 2025



HELIX CLEAN INSTALL RUNBOOK v1.2 (DRAFT)

© 2025 Helix AI Innovations Inc. — Apache License 2.0


Document Header

{| class="wikitable"
! Field !! Value
|-
| Version || v1.2 (Draft)
|-
| Date || 2025-11-15 (Target)
|-
| Author || Stephen Hope (Helix AI Innovations Inc.)
|-
| System || Dell Workstation — Ubuntu 24.04 LTS Desktop (GNOME)
|-
| Hostname || helix-core
|-
| License || Apache 2.0
|-
| Hash Standard || SHA-256 (phase proofs show as <<pending-v1.2-proof>>)
|-
| Sign Standard || Ed25519 (GPG)
|-
| Mode || Automated Execution / Proof-Aware Logging
|-
| Intended Location || /opt/helix/docs/HELIX_CLEAN_INSTALL_RUNBOOK_v1.2.md
|}

Architectural Overview (text summary)

Flow: 0 Preflight → 1–5 Base Env → 1.5 HSM → 4 Runtime → 4.5 GPU → 4.6 Model Integrity → 6 Security → 6.5 Hardening → 6.6 Validation → 6.7 Secrets → 6.8 eBPF → 6.9 CT → 6.10 IR → 6.11 PQC → 6.12 MPC → 7 QoL → 8 Observability → 8.5 Predictive → 8.6 DP → 9 Backup → 9.5 Backup Verify → 10 Final (Merkle) → 10.5 Compliance/SBOM → 10.6 NIST.


0. Hardware Security Preflight

sudo apt install -y tpm2-tools mokutil
mokutil --sb-state
tpm2_getcap properties-fixed | grep TPM_PT_FAMILY_INDICATOR
grep -E '(smep|smap|cet|ibt)' /proc/cpuinfo
cat /proc/sys/kernel/random/entropy_avail
lsblk -f | grep -i crypto || echo "WARNING: No encrypted partitions detected"

[proof-hash phase-0_preflight 20251115] <<pending-v1.2-proof>>


1–5. Base System & Environment (Automated, Idempotent)

sudo mkdir -p /opt/helix/{bin,logs}
sudo tee /opt/helix/bin/helix-install.sh > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
LOG="/opt/helix/logs/install.log"
log(){ echo "[$(date -u)] $*" | tee -a "$LOG"; }
# timeshift --restore takes the snapshot name (a timestamp such as 2025-11-15_23-00-01),
# not its comment, so look the name up by comment first. A restore rewrites the system
# and reboots; --yes makes it non-interactive, which is what an ERR trap needs.
rollback_phase(){
  local p="${1:-X}" snap
  log "Rollback to pre-phase-$p"
  snap=$(timeshift --list 2>/dev/null | grep -F "pre-phase-$p" \
         | grep -oE '[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}-[0-9]{2}-[0-9]{2}' | tail -1 || true)
  if [ -n "$snap" ]; then
    timeshift --restore --snapshot "$snap" --yes || true
  else
    log "No snapshot found for pre-phase-$p; manual recovery required"
  fi
}
trap 'rollback_phase ${PHASE_NUM:-X}' ERR
log "Starting Helix install v1.2"
for PHASE_NUM in 1 2 3 4 5; do
  timeshift --create --comments "pre-phase-$PHASE_NUM" --scripted || true
  log "Execute phase $PHASE_NUM (invoke your phase-$PHASE_NUM.sh)"
done
log "Install complete"
EOF
sudo chmod +x /opt/helix/bin/helix-install.sh
# Run it with sudo: timeshift and the log under /opt/helix/logs both need root.

[proof-hash phase-1to5_base_env 20251115] <<pending-v1.2-proof>>


1.5 HSM Setup (NEW)

sudo apt install -y opensc pcsc-tools gnupg2 scdaemon
sudo systemctl enable --now pcscd
pcsc_scan   # interactive; Ctrl-C once the reader and card are listed
gpg --card-status
# "HSM" here means an OpenPGP smartcard or token: the signing key never leaves it,
# and gpg signs through scdaemon. Only the public key is exported into proofs/.
sudo mkdir -p /opt/helix/proofs
gpg --armor --export helix@ai.helixprojectai.com | sudo tee /opt/helix/proofs/helix_signer_ed25519.pub > /dev/null

[proof-hash phase-1_5_hsm 20251115] <<pending-v1.2-proof>>


2. Base Tools & Updates (Refined + Version Pinning)

sudo apt update
sudo apt install -y needrestart git curl wget jq unzip build-essential python3-pip tmux vim \
  ufw fail2ban ripgrep btop bat tldr ncdu apt-clone apt-show-versions
# exa is no longer in recent Ubuntu archives; keep it optional so a missing package
# does not abort the whole transaction (lsd is installed in phase 7 anyway)
sudo apt install -y exa || true

sudo mkdir -p /opt/helix/proofs
sudo apt-clone clone /opt/helix/proofs/apt-state-$(date +%F)
sha256sum /opt/helix/proofs/apt-state-*.tar.gz | sudo tee /opt/helix/proofs/phase-2_base_tools_$(date +%F).sha256

# Pins take effect once the Docker and NodeSource repositories are added in phase 4;
# priority 1001 also forces a downgrade if a newer build is already installed.
sudo tee /etc/apt/preferences.d/helix-pins > /dev/null <<'EOF'
Package: docker-ce
Pin: version 5:27.3.1-1~ubuntu.24.04~noble
Pin-Priority: 1001

Package: nodejs
Pin: version 20.18.0-1nodesource1
Pin-Priority: 1001
EOF

# /opt/helix/proofs is still root-owned until phase 5, so write through sudo tee
dpkg -l | awk '/^ii/ {print $2"="$3}' | sudo tee /opt/helix/proofs/package-versions-$(date +%F).lock > /dev/null
sha256sum /opt/helix/proofs/package-versions-*.lock | sudo tee /opt/helix/proofs/package-versions-$(date +%F).sha256

[proof-hash phase-2_tooling 20251115] <<pending-v1.2-proof>>


3. Desktop & Productivity Stack (Optimized)

sudo apt install -y gnome-tweaks gparted terminator fonts-firacode chromium-browser libreoffice p7zip-full
sudo snap refresh --hold
# Scope the Microsoft key to the VS Code repository with signed-by, the same pattern
# phase 4 uses for Docker, instead of trusting it for every apt source
sudo mkdir -p /etc/apt/keyrings
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | \
  sudo tee /etc/apt/keyrings/microsoft.gpg >/dev/null
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/code stable main" | \
  sudo tee /etc/apt/sources.list.d/vscode.list >/dev/null
sudo apt update && sudo apt install -y code
gsettings set org.gnome.desktop.interface gtk-theme 'Adwaita-dark'

[proof-hash phase-3_desktop 20251115] <<pending-v1.2-proof>>


4. Development & Runtime Stack (AI-Ready)

# Python + pipx + (optional) Ollama client ("ollama" on PyPI is the Python client library, not the server)
sudo apt install -y python3-venv pipx
pipx ensurepath
pipx install ollama || true

# Node 20 LTS (NodeSource setup script runs as root: review it before piping it into bash)
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs

# Docker + Compose (pinned via preferences)
sudo apt install -y ca-certificates gnupg lsb-release
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
# Membership of the docker group is root-equivalent on the host; grant it to the operator account only
sudo usermod -aG docker helix

# Java
sudo apt install -y openjdk-17-jdk

# Local TLS (self-signed, 90 days) — secure placement; certbot is for publicly reachable names later
sudo apt install -y certbot
sudo openssl req -x509 -newkey rsa:4096 -keyout localhost.key -out localhost.crt -sha256 -days 90 -nodes -subj "/CN=localhost"
sudo install -m 0644 localhost.crt /etc/ssl/certs/localhost.crt
sudo install -m 0600 localhost.key /etc/ssl/private/localhost.key
sudo rm -f localhost.key localhost.crt   # do not leave a copy of the private key in the working directory

[proof-hash phase-4_runtime 20251115] <<pending-v1.2-proof>>


4.5 GPU Security & Monitoring (NEW)

sudo nvidia-smi -pm 1
sudo tee /opt/helix/bin/gpu-security-check > /dev/null <<'EOF'
#!/usr/bin/env bash
# Extended regex matched by pgrep -f against full command lines. "python" is very broad
# (any python process silences the alert), so narrow it to the real training entry points.
ALLOW='ollama|training|python|torchrun'
UTIL=$(nvidia-smi --query-gpu=utilization.gpu --format=csv,noheader,nounits 2>/dev/null | head -n1)
if [ -n "$UTIL" ] && [ "$UTIL" -gt 90 ] && ! pgrep -f "$ALLOW" >/dev/null; then
  echo "$(date -u +%FT%TZ) [ALERT] High GPU usage ($UTIL%) without approved process" | tee -a /opt/helix/logs/security.log
fi
EOF
sudo chmod +x /opt/helix/bin/gpu-security-check
echo "*/2 * * * * root /opt/helix/bin/gpu-security-check" | sudo tee /etc/cron.d/helix-gpu-check

[proof-hash phase-4_5_gpu 20251115] <<pending-v1.2-proof>>


4.6 Model Provenance & Integrity (NEW)

sudo tee /opt/helix/bin/verify-model > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
MODEL="${1:?usage: verify-model FILE EXPECTED_SHA256}"
EXPECTED="${2:?usage: verify-model FILE EXPECTED_SHA256}"
ACTUAL=$(sha256sum "$MODEL" | awk '{print $1}')
# Compare case-insensitively so an upper-case hash pasted into the lock still matches
if [ "${ACTUAL,,}" != "${EXPECTED,,}" ]; then
  echo "MODEL INTEGRITY FAILURE: $MODEL (expected $EXPECTED got $ACTUAL)" >&2
  exit 1
fi
echo "Model integrity verified: $MODEL"
EOF
sudo chmod +x /opt/helix/bin/verify-model
# Track expected hashes in /opt/helix/proofs/models.lock (sha256sum layout, "<sha256>  <path>")
# and run the check before a model is loaded, not only once at download time.

[proof-hash phase-4_6_model 20251115] <<pending-v1.2-proof>>
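verify-model checks one file per invocation. The following is an added example, not runbook code, that verifies every entry of models.lock in one pass and reports missing and tampered files separately, which is what a pre-load gate needs. It assumes models.lock uses the sha256sum layout the runbook's other proof files use ("<sha256>  <path>", paths relative to the lock file or absolute); files are hashed in chunks so multi-GB weights never have to fit in memory. The fixture in <code>demo()</code> is constructed.

```python
#!/usr/bin/env python3
"""Added example: verify every model listed in models.lock before it is loaded.

Not part of the runbook. Assumes models.lock uses the sha256sum layout
("<sha256>  <path>", one entry per line, '#' comments allowed).
"""
import hashlib
import os

LOCK_PATH = "/opt/helix/proofs/models.lock"  # location named by the runbook; the format is assumed


def parse_lock(text):
    """'<hex>  <path>' lines -> {path: hex}; blank lines and '#' comments are ignored."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or any(c not in "0123456789abcdef" for c in parts[0].lower()):
            raise ValueError(f"models.lock line {lineno}: malformed entry")
        expected[parts[1].strip()] = parts[0].lower()
    return expected


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_models(expected, base_dir=""):
    """Return {path: 'ok' | 'mismatch' | 'missing'}; a bad file is reported, not raised."""
    report = {}
    for rel, digest in expected.items():
        path = os.path.join(base_dir, rel)
        if not os.path.isfile(path):
            report[rel] = "missing"
        elif sha256_file(path) == digest:
            report[rel] = "ok"
        else:
            report[rel] = "mismatch"
    return report


def all_verified(report):
    """True only when the lock is non-empty and every entry verified."""
    return bool(report) and all(v == "ok" for v in report.values())


def demo(base_dir="helix_models_demo"):
    """Constructed fixture: two model files, one tampered after the lock was written, one absent."""
    os.makedirs(base_dir, exist_ok=True)
    good, bad = b"weights-v1" * 1000, b"weights-v2" * 1000
    with open(os.path.join(base_dir, "good.bin"), "wb") as f:
        f.write(good)
    with open(os.path.join(base_dir, "bad.bin"), "wb") as f:
        f.write(bad)
    lock = (
        f"# constructed lock for the demo\n"
        f"{hashlib.sha256(good).hexdigest()}  good.bin\n"
        f"{hashlib.sha256(bad).hexdigest()}  bad.bin\n"
        f"{'0' * 64}  absent.bin\n"
    )
    with open(os.path.join(base_dir, "bad.bin"), "ab") as f:
        f.write(b"\x00")  # one appended byte: the kind of change a size check would miss
    return verify_models(parse_lock(lock), base_dir)


if __name__ == "__main__":
    with open(LOCK_PATH) as f:
        result = verify_models(parse_lock(f.read()), os.path.dirname(LOCK_PATH))
    for path, status in sorted(result.items()):
        print(status.upper(), path)
    raise SystemExit(0 if all_verified(result) else 1)
```

A non-zero exit from the <code>__main__</code> block is the signal a model-serving unit should gate on (for example as an ExecStartPre), so a tampered or missing file stops the service rather than a log line nobody reads.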


5. Helix Directory Structure & Permissions

sudo mkdir -p /opt/helix/{bin,config,proofs,sessions,observability,logs,ai,docs}
sudo chown -R helix:helix /opt/helix
sudo chmod -R 750 /opt/helix
echo "HELIX directory initialized $(date -u)" | sudo tee /opt/helix/proofs/phase-5_structure_init.log
sha256sum /opt/helix/proofs/phase-5_structure_init.log | sudo tee /opt/helix/proofs/phase-5_structure_init_$(date +%F).sha256

[proof-hash phase-5_structure 20251115] <<pending-v1.2-proof>>


6. Security & Governance Layer (Matured)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw logging medium
sudo ufw enable
sudo systemctl enable fail2ban --now

# DNS over TLS
sudo apt install -y systemd-resolved
sudo mkdir -p /etc/systemd/resolved.conf.d/
cat << EOF | sudo tee /etc/systemd/resolved.conf.d/dns-over-tls.conf
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
EOF
sudo systemctl restart systemd-resolved

# SSH hardening. Ubuntu's sshd_config includes sshd_config.d/*.conf first and the first
# value wins, so a drop-in is reliable where the sed edits were not (they only matched
# lines commented out in exactly that form and were overridden by existing drop-ins).
sudo tee /etc/ssh/sshd_config.d/99-helix.conf > /dev/null <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
sudo sshd -t && sudo systemctl restart ssh

# Audit log and immutability
sudo mkdir -p /opt/helix/logs
sudo touch /opt/helix/logs/audit.log
sudo chattr +a /opt/helix/logs/audit.log
lsattr /opt/helix/logs/audit.log

[proof-hash phase-6_security 20251115] <<pending-v1.2-proof>>


6.5 Advanced Hardening (CIS / AppArmor / IDS)

# usg needs an Ubuntu Pro attachment and ossec-hids is not in the Ubuntu archive; install them
# separately so one missing package does not abort the whole apt transaction
sudo apt install -y lynis aide apparmor-profiles-extra apparmor-utils
sudo apt install -y usg || echo "usg unavailable (requires Ubuntu Pro attachment)"
sudo apt install -y ossec-hids || echo "ossec-hids not in apt; install from the OSSEC project if required"
sudo usg fix cis_level1_workstation --audit-log /opt/helix/proofs/cis-compliance.log || true
# Only the regular files at the top level of /etc/apparmor.d are profiles; the subdirectories
# (abstractions, tunables, local, ...) are not, and passing them to aa-enforce errors out
sudo find /etc/apparmor.d -maxdepth 1 -type f -exec aa-enforce {} \;

sudo tee /etc/sysctl.d/99-helix-security.conf <<EOF
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=2
net.core.bpf_jit_harden=2
kernel.unprivileged_bpf_disabled=1
kernel.dmesg_restrict=1
EOF
sudo sysctl --system

sudo systemctl enable ossec --now || true   # unit name depends on how OSSEC was installed
sudo systemctl disable cups bluetooth || true

[proof-hash phase-6_5_hardening 20251115] <<pending-v1.2-proof>>


6.6 Automated Security Validation

sudo lynis audit system --auditor "Helix TTD" --report-file /opt/helix/proofs/lynis-baseline.dat
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

sudo tee /opt/helix/bin/helix-security-check > /dev/null <<'EOF'
#!/usr/bin/env bash
LOG="/opt/helix/logs/security-audit.log"
STATUS=0
echo "$(date): Helix security validation" >> "$LOG"
lynis audit system --quick --quiet --auditor "Helix TTD" >> "$LOG" 2>&1 || STATUS=1
aide --check >> "$LOG" 2>&1 || STATUS=1     # non-zero means files changed since the baseline
gpg --check-trustdb >> "$LOG" 2>&1 || STATUS=1
# Record and return an overall status so cron mail and the phase 8 alert have something to key on
echo "$(date): status=$STATUS" >> "$LOG"
exit "$STATUS"
EOF
sudo chmod +x /opt/helix/bin/helix-security-check
echo "0 3 * * * root /opt/helix/bin/helix-security-check" | sudo tee /etc/cron.d/helix-security-check

[proof-hash phase-6_6_validation 20251115] <<pending-v1.2-proof>>

6.7 Secrets Management (NEW)

sudo apt install -y age
age-keygen -o /opt/helix/config/.age-key.txt
chmod 600 /opt/helix/config/.age-key.txt

sudo tee /opt/helix/bin/helix-encrypt-secret > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
KEY=/opt/helix/config/.age-key.txt
IN="${1:?usage: helix-encrypt-secret FILE}"
age -r "$(age-keygen -y "$KEY")" -o "$IN.age" "$IN"
# shred cannot overwrite in place on SSDs, btrfs or journaled data, so this is best effort;
# the real protection is that the plaintext never lands outside an encrypted volume.
shred -u "$IN"
EOF
sudo chmod +x /opt/helix/bin/helix-encrypt-secret

[proof-hash phase-6_7_secrets 20251115] <<pending-v1.2-proof>>


6.8 eBPF Runtime Security (NEW)

sudo apt install -y bpfcc-tools
# kernel.unprivileged_bpf_disabled=1 from phase 6.5 does not interfere: the bcc tools run as root.
sudo tee /opt/helix/bin/helix-ebpf-monitor > /dev/null <<'EOF'
#!/usr/bin/env bash
# Each tracer is a long-running process; wait keeps the script alive so a systemd unit or
# tmux session can supervise it. The allowlist holds one extended regex per line of command
# lines to leave out of the log (the original literal "helix-whitelist" matched nothing).
ALLOW=/opt/helix/config/exec-allowlist.txt
touch "$ALLOW"
execsnoop-bpfcc -T 2>/dev/null | grep --line-buffered -v -E -f "$ALLOW" >> /opt/helix/logs/runtime-execs.log &
opensnoop-bpfcc -T 2>/dev/null | grep --line-buffered -v /proc >> /opt/helix/logs/file-access.log &
wait
EOF
sudo chmod +x /opt/helix/bin/helix-ebpf-monitor

[proof-hash phase-6_8_ebpf 20251115] <<pending-v1.2-proof>>


6.9 Certificate Transparency Monitoring (NEW)

sudo tee /opt/helix/bin/ct-monitor.sh > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
DOMAIN="helixprojectai.com"
KNOWN=/opt/helix/logs/ct-known-names.txt
LOG=/opt/helix/logs/ct-observations.log
NEW=$(mktemp)
trap 'rm -f "$NEW"' EXIT
touch "$KNOWN"
# name_value can hold several SANs separated by newlines; jq -r prints each on its own line
curl -fsS --max-time 60 "https://crt.sh/?q=%25.$DOMAIN&output=json" | jq -r '.[].name_value' | sort -u > "$NEW"
# Log only names not seen before instead of re-appending the whole list on every run
comm -13 "$KNOWN" "$NEW" | sed "s/^/$(date -u +%FT%TZ) NEW /" >> "$LOG"
sort -u "$KNOWN" "$NEW" -o "$KNOWN"
EOF
sudo chmod +x /opt/helix/bin/ct-monitor.sh
# crt.sh is a shared public service: poll hourly and treat a timeout as transient
echo "0 * * * * root /opt/helix/bin/ct-monitor.sh" | sudo tee /etc/cron.d/helix-ct

[proof-hash phase-6_9_ct 20251115] <<pending-v1.2-proof>>
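ct-monitor.sh records names; it does not decide what is suspicious. The following is an added example, not runbook code, of the triage step: it parses a crt.sh-style JSON array and raises findings for an unexpected issuer, a wildcard certificate, and hostnames outside a known list. The field names match crt.sh's JSON output, but the certificates in <code>SAMPLE_CRTSH</code> are invented, and the expected issuer and the known-host set are assumptions for the demo.

```python
#!/usr/bin/env python3
"""Added example: turn crt.sh output into detections instead of a growing log.

Not runbook code. The input is a constructed crt.sh-style JSON array (field names as
crt.sh emits them, certificates invented); EXPECTED_ISSUERS and KNOWN_HOSTS are assumptions.
"""
import json

EXPECTED_ISSUERS = ("Let's Encrypt",)  # assumption: the CA the project actually uses
KNOWN_HOSTS = {"helixprojectai.com", "www.helixprojectai.com", "ai.helixprojectai.com"}

# Constructed sample of what crt.sh returns for ?q=%25.helixprojectai.com&output=json
SAMPLE_CRTSH = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "helixprojectai.com",
     "name_value": "helixprojectai.com\nwww.helixprojectai.com",
     "not_before": "2025-10-01T00:00:00", "not_after": "2025-12-30T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "ai.helixprojectai.com",
     "name_value": "ai.helixprojectai.com",
     "not_before": "2025-10-05T00:00:00", "not_after": "2026-01-03T00:00:00"},
    {"id": 3, "issuer_name": "C=XX, O=Example Unknown CA, CN=Example Unknown CA G1",
     "common_name": "vpn.helixprojectai.com",
     "name_value": "vpn.helixprojectai.com\n*.helixprojectai.com",
     "not_before": "2025-11-10T00:00:00", "not_after": "2026-02-08T00:00:00"},
])


def names_in(entry):
    """All SANs of one crt.sh row, lower-cased; name_value packs several per row."""
    return {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}


def analyse(raw_json, known_hosts=KNOWN_HOSTS, expected_issuers=EXPECTED_ISSUERS, seen_ids=frozenset()):
    """Return findings as (severity, crt.sh id, reason); rows in seen_ids were triaged earlier."""
    findings = []
    for e in json.loads(raw_json):
        if e["id"] in seen_ids:
            continue
        names = names_in(e)
        if not any(iss in e["issuer_name"] for iss in expected_issuers):
            findings.append(("high", e["id"], f"unexpected issuer: {e['issuer_name']}"))
        wildcards = {n for n in names if n.startswith("*.")}
        if wildcards:
            findings.append(("high", e["id"], f"wildcard issued: {sorted(wildcards)}"))
        unknown = names - known_hosts - wildcards
        if unknown:
            findings.append(("medium", e["id"], f"unknown hostnames: {sorted(unknown)}"))
    return findings


def run(raw_json=SAMPLE_CRTSH):
    """Convenience wrapper for cron use: analyse and return the findings."""
    return analyse(raw_json)


if __name__ == "__main__":
    for severity, cert_id, reason in run():
        print(severity.upper(), cert_id, reason)
```

Persisting the triaged crt.sh ids (the <code>seen_ids</code> argument) is what keeps the output quiet between runs; a CAA record limiting issuance to the expected CA is the preventive control that belongs next to this detective one.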


6.10 Automated Incident Response (NEW)

sudo mkdir -p /opt/helix/incidents
sudo tee /opt/helix/bin/incident-response > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
T="/opt/helix/incidents/$(date -u +%Y%m%d_%H%M%S)"
mkdir -p "$T"
# Volatile state first, before the isolation step below changes anything on the box
ps auxww > "$T/processes.txt"
ss -tulpen > "$T/network.txt"
lsof +L1 > "$T/deleted_files.txt" 2>/dev/null || true
sha256sum "$T"/*.txt > "$T/SHA256SUMS"
if grep -q "CRITICAL" /opt/helix/logs/security.log 2>/dev/null; then
  # Blocks all outbound traffic, including this host's own alerting and DNS, so the note in $T
  # is the record that isolation happened. If explicit allow-out rules exist, insert the deny
  # at position 1 instead, since ufw evaluates rules in order.
  ufw deny out from any to any || true
  echo "SYSTEM ISOLATED - Manual intervention required" | tee -a "$T/notes.txt"
fi
EOF
sudo chmod +x /opt/helix/bin/incident-response

[proof-hash phase-6_10_ir 20251115] <<pending-v1.2-proof>>


6.11 Post-Quantum Crypto Preparation (NEW)

sudo apt install -y liboqs-dev || true
sudo tee /opt/helix/bin/pqc-keygen > /dev/null <<'EOF'
#!/usr/bin/env bash
echo "[Info] Generate hybrid PQC keys (placeholder; align with org policy)."
EOF
sudo chmod +x /opt/helix/bin/pqc-keygen

[proof-hash phase-6_11_pqc 20251115] <<pending-v1.2-proof>>


6.12 MPC / Shamir Key Recovery (NEW)

sudo apt install -y ssss || true
sudo tee /opt/helix/bin/shamir-backup > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
KEY="/opt/helix/config/.age-key.txt"
# ssss-split reads the secret from stdin (-s is the security level in bits, not a file) and
# takes a single line, so pass the AGE-SECRET-KEY line alone rather than the whole file with
# its comment lines. Shares go to stdout: capture each on separate media, never into one
# file on this host. Note that ssss is plain Shamir sharing (the key is reassembled in one
# place on recovery), not multi-party computation.
grep '^AGE-SECRET-KEY-' "$KEY" | ssss-split -t 3 -n 5 -q
echo "Distribute shares to trusted parties; record share locations (not the shares) in /opt/helix/proofs/key-shares.txt"
EOF
sudo chmod +x /opt/helix/bin/shamir-backup

[proof-hash phase-6_12_mpc 20251115] <<pending-v1.2-proof>>
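To make the 3-of-5 step concrete, here is an added example of Shamir secret sharing with recovery. It is not runbook code and not a replacement for ssss; it exists to show what split and recover do and to check that fewer than the threshold number of shares yields nothing. The field is GF(p) with p = 2^521 - 1 (a Mersenne prime), secrets longer than 64 bytes are shared chunk by chunk, and <code>DEMO_KEY</code> is a constructed 74-byte stand-in for an age secret key.

```python
#!/usr/bin/env python3
"""Added example: Shamir (t, n) secret sharing over GF(p) with recovery.

Not runbook code and not a substitute for ssss. Field prime p = 2^521 - 1; secrets
are processed in 64-byte chunks so any length works. DEMO_KEY is constructed.
"""
import secrets

P = (1 << 521) - 1
CHUNK = 64  # 512-bit chunks always fit below P

DEMO_KEY = b"AGE-SECRET-KEY-1" + b"X" * 58  # constructed 74-byte stand-in, not a real key


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1] x + ... modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate_at_zero(points):
    """Lagrange interpolation at x = 0 for [(x, y)] with distinct x."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def split_secret(secret, threshold, shares, rng=secrets):
    """Return [(x, [y per chunk])] for x = 1..shares; any `threshold` of them recover the secret."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    chunks = [secret[i:i + CHUNK] for i in range(0, len(secret), CHUNK)] or [b""]
    out = [(x, []) for x in range(1, shares + 1)]
    for chunk in chunks:
        # constant term is the secret chunk; the other threshold-1 coefficients are random
        coeffs = [int.from_bytes(chunk, "big")] + [rng.randbelow(P) for _ in range(threshold - 1)]
        for x, ys in out:
            ys.append(_eval_poly(coeffs, x))
    return out


def recover_secret(shares, length):
    """Rebuild `length` bytes from shares; leading zero bytes are restored by `length`."""
    xs = [x for x, _ in shares]
    if not xs or len(set(xs)) != len(xs):
        raise ValueError("need at least one share with distinct indices")
    out = b""
    for k in range(len(shares[0][1])):
        value = _interpolate_at_zero([(x, ys[k]) for x, ys in shares])
        size = min(CHUNK, length - k * CHUNK)
        out += value.to_bytes(size, "big")  # OverflowError here means these shares do not form the secret
    return out


def recovers(share_subset, secret):
    """True when the subset reproduces `secret`; below the threshold this is essentially never true."""
    try:
        return recover_secret(share_subset, len(secret)) == secret
    except OverflowError:
        return False


if __name__ == "__main__":
    s = split_secret(DEMO_KEY, 3, 5)
    print("3 of 5 recover:", recovers([s[0], s[2], s[4]], DEMO_KEY))
    print("2 of 5 recover:", recovers(s[:2], DEMO_KEY))
```

The property worth testing, and the reason two custodians cannot collude, is the last line: any two shares of a degree-2 polynomial are consistent with every possible secret, so recovery with them returns a uniformly random value, not an approximation.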


7. Developer Quality-of-Life

sudo apt install -y direnv fish lsd fd-find tree btop
echo 'eval "$(direnv hook bash)"' >> ~/.bashrc
echo 'export HELIX_ENV=dev' >> ~/.bashrc
echo 'PS1="[\u@\h \W($HELIX_ENV)]\$ "' >> ~/.bashrc
source ~/.bashrc
# code takes one --install-extension flag per extension; extra bare arguments are treated as paths to open
for ext in redhat.vscode-yaml ms-python.python ms-azuretools.vscode-docker ms-vscode-remote.remote-ssh \
  yzhang.markdown-all-in-one eamodio.gitlens humao.rest-client bierner.markdown-preview-github-styles; do
  code --install-extension "$ext" || true
done
echo "Welcome to Helix Workstation Node — Custody-First Environment" | sudo tee /etc/motd

[proof-hash phase-7_qol 20251115] <<pending-v1.2-proof>>


8. Observability & Metrics (Enhanced)

sudo apt install -y prometheus-node-exporter
docker network create --driver bridge helix-observability || true
docker network create --driver bridge helix-ai || true
export DOCKER_CONTENT_TRUST=1
echo 'export DOCKER_CONTENT_TRUST=1' | sudo tee -a /etc/environment
docker run -d --name grafana --network helix-observability --memory=4096m --cpus=2 \
  -p 3000:3000 -v grafana-storage:/var/lib/grafana grafana/grafana
docker run -d --name prometheus --network helix-observability --memory=4096m --cpus=2 \
  -p 9090:9090 -v prometheus-storage:/prometheus prom/prometheus
docker run -d --name qdrant --network helix-ai --memory=4096m --cpus=2 \
  -p 6333:6333 -p 6334:6334 qdrant/qdrant
sudo mkdir -p /opt/helix/config
sudo tee /opt/helix/config/prometheus-alerts.yml > /dev/null <<'EOF'
groups:
- name: helix_system
  interval: 30s
  rules:
  - alert: HelixDiskSpaceLow
    expr: node_filesystem_avail_bytes{mountpoint="/opt/helix"} < 10e9
    for: 5m
    annotations:
      summary: "Helix partition below 10GB"
      action: "Free space or expand storage"
  - alert: HelixSecurityCheckFail
    expr: helix_security_check_status != 0
    for: 1m
    annotations:
      summary: "Security validation failed"
      action: "Run /opt/helix/bin/helix-security-check"
EOF

[proof-hash phase-8_observability 20251115] <<pending-v1.2-proof>>


8.5 Predictive Health (NEW)

sudo apt install -y smartmontools
sudo tee /opt/helix/bin/predictive-health > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
DISK="/dev/nvme0n1"
WEAR=$(sudo smartctl -A "$DISK" | awk '/Percentage Used/ {print $3}' | tr -d '%')
if [ -n "$WEAR" ] && [ "$WEAR" -gt 80 ]; then
  echo "WARNING: SSD near EOL — ${WEAR}% used" | tee -a /opt/helix/logs/alerts.log
fi
MEMERR=$(dmesg | grep -i "ecc error" | wc -l)
if [ "$MEMERR" -gt 10 ]; then
  echo "WARNING: Elevated ECC errors detected ($MEMERR)" | tee -a /opt/helix/logs/alerts.log
fi
EOF
sudo chmod +x /opt/helix/bin/predictive-health
echo "*/15 * * * * root /opt/helix/bin/predictive-health" | sudo tee /etc/cron.d/helix-predictive

[proof-hash phase-8_5_predictive 20251115] <<pending-v1.2-proof>>


8.6 Differential Privacy Metrics (NEW)

sudo apt install -y python3-pip || true
sudo tee /opt/helix/bin/dp-metrics > /dev/null <<'EOF'
#!/usr/bin/env python3
print("DP metrics pipeline placeholder — integrate OpenDP/SmartNoise per policy.")
EOF
sudo chmod +x /opt/helix/bin/dp-metrics

[proof-hash phase-8_6_dp 20251115] <<pending-v1.2-proof>>


9. Backup & Portability (DR-Ready)

sudo timeshift --check || true
if command -v jq >/dev/null 2>&1; then
  sudo jq '.count = 3' /etc/timeshift/timeshift.json > /tmp/ts.json && \
  sudo mv /tmp/ts.json /etc/timeshift/timeshift.json
fi
echo "0 23 * * * root /usr/bin/timeshift --create --comments 'Nightly Helix Snapshot'" | \
  sudo tee /etc/cron.d/helix-timeshift

[proof-hash phase-9_backup 20251115] <<pending-v1.2-proof>>


9.5 Backup Verification Testing

sudo tee /opt/helix/bin/helix-backup-verify > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
TMP="/tmp/helix-backup-test-$(date +%s)"
mkdir -p "$TMP"
timeshift --list | grep HELIX_BASELINE > "$TMP/timeshift.log" || true
cd /opt/helix/proofs
sha256sum -c SHA256SUMS > "$TMP/proof.log" 2>&1 || true
gpg --verify consolidated-*.sig > "$TMP/gpg.log" 2>&1 || true
rm -rf "$TMP"
EOF
sudo chmod +x /opt/helix/bin/helix-backup-verify
echo "0 4 1 */3 * root /opt/helix/bin/helix-backup-verify" | sudo tee /etc/cron.d/helix-drdrill

[proof-hash phase-9_5_backupverify 20251115] <<pending-v1.2-proof>>


10. Final Verification (Merkle Aggregation)

sudo tee /opt/helix/bin/helix-merkle-proof > /dev/null <<'EOF'
#!/usr/bin/env python3
# Fold the per-phase proof hashes (first column of the consolidated list)
# into one SHA-256 Merkle root, which is then GPG-signed.
import hashlib, sys

def merkle_root(hs):
    if not hs:
        sys.exit("helix-merkle-proof: no proof hashes on stdin")
    if len(hs) == 1:
        return hs[0]
    nxt = []
    for i in range(0, len(hs), 2):
        L = hs[i]
        # Odd level: duplicate the last node. [a,b,c] and [a,b,c,c] therefore share
        # a root, so keep the consolidated leaf list beside the signed root.
        R = hs[i + 1] if i + 1 < len(hs) else L
        nxt.append(hashlib.sha256((L + R).encode()).hexdigest())
    return merkle_root(nxt)

proofs = [line.split()[0] for line in sys.stdin if line.strip()]
print(merkle_root(proofs))
EOF
sudo chmod +x /opt/helix/bin/helix-merkle-proof

cd /opt/helix/proofs
cat phase-*2025*.sha256 > consolidated-v1.2.sha256
sha256sum consolidated-v1.2.sha256 > consolidated-v1.2.sha256sum
awk '{print $1}' consolidated-v1.2.sha256 | /opt/helix/bin/helix-merkle-proof > merkle-root-$(date +%F).txt
gpg --output merkle-root-$(date +%F).sig --sign merkle-root-$(date +%F).txt
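Added example, not one of the runbook's scripts: it builds the root with the same node rule as helix-merkle-proof and adds an audit path, so an auditor can check one phase's proof against the signed merkle-root file without holding the whole consolidated list. The sample leaves are constructed here, and `audit_path` / `verify_leaf` are this example's own names.

```python
import hashlib

def hash_pair(left: str, right: str) -> str:
    """Same node rule as helix-merkle-proof: SHA-256 over the concatenated hex strings."""
    return hashlib.sha256((left + right).encode()).hexdigest()

def merkle_root(leaves):
    """Root of a list of hex digests; an odd level duplicates its last node."""
    if not leaves:
        raise ValueError("no proof hashes")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hash_pair(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def audit_path(leaves, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with its side."""
    path, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sib = index ^ 1                      # partner of `index` on this level
        path.append(("R", level[sib]) if index % 2 == 0 else ("L", level[sib]))
        level = [hash_pair(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return path

def verify_leaf(leaf, path, root):
    """Recompute upward from `leaf` along `path`; True iff it reaches `root`."""
    node = leaf
    for side, sib in path:
        node = hash_pair(node, sib) if side == "R" else hash_pair(sib, node)
    return node == root

# Constructed sample: per-phase proof digests as the consolidated list would carry them.
PHASE_PROOFS = [hashlib.sha256(f"phase-{p}".encode()).hexdigest()
                for p in ("8_5_predictive", "8_6_dp", "9_backup", "9_5_backupverify", "10_final")]

if __name__ == "__main__":
    root = merkle_root(PHASE_PROOFS)
    path = audit_path(PHASE_PROOFS, 2)       # prove the third phase against the root
    print(root, verify_leaf(PHASE_PROOFS[2], path, root))
```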

[proof-hash phase-10_final 20251115] <<pending-v1.2-proof>>


10.5 Compliance, SBOM & Attestation

sudo tee /opt/helix/bin/helix-compliance-report > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
D="/opt/helix/proofs/compliance-$(date +%F)"
mkdir -p "$D"
if command -v usg >/dev/null 2>&1; then
  usg audit cis_level1_workstation > "$D/cis-compliance.json" || true
fi
{
  echo "=== Helix Security Configuration Report ==="
  echo "Generated: $(date -u)"
  echo "System: $(hostnamectl | grep 'Operating System')"
  echo "Kernel: $(uname -r)"
  echo "AppArmor: $(sudo apparmor_status 2>/dev/null | head -1)"
  echo "UFW: $(sudo ufw status | head -1)"
} > "$D/security-summary.txt"
# Hash every artefact except the hash list itself, so a later `sha256sum -c` succeeds.
find "$D" -type f ! -name compliance-hashes.sha256 -exec sha256sum {} \; > "$D/compliance-hashes.sha256"
gpg --output "$D/compliance-hashes.sig" --sign "$D/compliance-hashes.sha256"
EOF
sudo chmod +x /opt/helix/bin/helix-compliance-report

sudo apt install -y syft || true
if command -v syft >/dev/null 2>&1; then
  syft packages dir:/opt/helix -o spdx-json > /opt/helix/proofs/helix-sbom-$(date +%F).spdx.json
  sha256sum /opt/helix/proofs/helix-sbom-*.spdx.json | tee /opt/helix/proofs/sbom-$(date +%F).sha256
fi

echo "Helix Security Attestation - $(date -u)" > /opt/helix/proofs/security-attestation.txt
gpg --output /opt/helix/proofs/security-attestation.sig --sign /opt/helix/proofs/security-attestation.txt

echo "0 2 * * 1 root /opt/helix/bin/helix-compliance-report" | sudo tee /etc/cron.d/helix-compliance

[proof-hash phase-10_5_compliance 20251115] <<pending-v1.2-proof>>


10.6 NIST 800-53 Mapping (NEW)

sudo tee /opt/helix/bin/nist-compliance-check > /dev/null <<'EOF'
#!/usr/bin/env bash
# Static control mapping for the v1.2 draft: it records the NIST 800-53 controls
# the phases claim to address and runs no checks of its own; the evidence is the
# signed output of helix-compliance-report and the phase proof hashes.
set -euo pipefail
OUT="/opt/helix/proofs/nist-compliance-$(date +%F).txt"
{
  echo "NIST 800-53 Compliance Report - $(date -u)"
  echo "CM-6: Configuration Management - VERIFIED"
  echo "SI-4: Information System Monitoring - VERIFIED"
  echo "AU-6: Audit Review, Analysis, and Reporting - VERIFIED"
} > "$OUT"
EOF
sudo chmod +x /opt/helix/bin/nist-compliance-check
/opt/helix/bin/nist-compliance-check

[proof-hash phase-10_6_nist 20251115] <<pending-v1.2-proof>>


Version Evolution Chain

{| class="wikitable"
! Version !! Date !! Focus !! Proof Status
|-
| v1.0 || 2025-10-11 || Baseline Internal Install || Immutable
|-
| v1.1 || 2025-10-15 || Production Hardening & Automation || Re-signed
|-
| v1.2 (Draft) || 2025-11-15 || Adaptive Security & Supply Chain Proofs || <<pending>>
|}

Epilogue · Helix Ethos Reflection

Trust is built by proof, not by promise. Custody precedes capability. Transparency is the foundation of continuity.

Version 1.2 transforms the Helix workstation from a static fortress to an adaptive immune system. With eBPF runtime monitoring, predictive health analytics, and post-quantum readiness, the node doesn't just resist attacks—it learns from them. HSM-based root of trust and MPC key recovery ensure that even physical compromise doesn't breach cryptographic sovereignty. This is our evolution from building secure systems to building systems that secure themselves.

HELIX_CLEAN_INSTALL_RUNBOOK_v1.2
sha256: <<pending-v1.2-proof>>

License

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy at http://www.apache.org/licenses/LICENSE-2.0
This page is expressly licensed under Apache 2.0; the wiki's default footer does not override this.

Canonical Source

/opt/helix/docs/HELIX_CLEAN_INSTALL_RUNBOOK_v1.2.md SHA-256: <<pending-v1.2-proof>>

See Also