HELIX CLEAN INSTALL RUNBOOK v1.2
© 2025 Helix AI Innovations Inc. — Apache License 2.0
🌐 Helix Ethos
Trust-by-Design · Custody-before-Growth · Verifiable-Memory
This v1.2 draft evolves v1.1 from a production-grade baseline into an **adaptive, self-verifying Helix node**. New phases add hardware-rooted custody (HSM), runtime introspection (eBPF), supply-chain proofs (SBOM, content trust), Merkle-aggregated proofs, and privacy-preserving analytics—while keeping everything human-observable, auditable, and repairable.
Document Header
| Field | Value |
|---|---|
| Version | v1.2 (Draft) |
| Date | 2025-11-15 (Target) |
| Author | Stephen Hope (Helix AI Innovations Inc.) |
| System | Dell Workstation — Ubuntu 24.04 LTS Desktop (GNOME) |
| Hostname | helix-core |
| License | Apache 2.0 |
| Hash Standard | SHA-256 (phase proofs show as <<pending-v1.2-proof>>) |
| Sign Standard | Ed25519 (GPG) |
| Mode | Automated Execution / Proof-Aware Logging |
| Intended Location | /opt/helix/docs/HELIX_CLEAN_INSTALL_RUNBOOK_v1.2.md |
Architectural Overview
*This diagram summarizes the v1.2 enhancements and phase layout.*
(Upload your PNG and link it here, e.g., **File:helix_runbook_v1_2.png**.)
```mermaid
graph TD
  A[0 Preflight] --> B["1-5 Base System & Env"]
  B --> B1[1.5 HSM]
  B --> C[4 Dev/Runtime]
  C --> C1[4.5 GPU Security]
  C --> C2[4.6 Model Integrity]
  B --> D[6 Security]
  D --> D1["6.5 Hardening (CIS/AppArmor/IDS)"]
  D1 --> D2[6.6 Automated Security Validation]
  D2 --> D3[6.7 Secrets Mgmt]
  D3 --> D4[6.8 eBPF Runtime Security]
  D4 --> D5[6.9 Certificate Transparency]
  D5 --> D6[6.10 Incident Response]
  D6 --> D7[6.11 PQC Prep]
  D7 --> D8[6.12 MPC Key Recovery]
  B --> E[7 QoL]
  E --> F[8 Observability]
  F --> F1[8.5 Predictive Health]
  F --> F2[8.6 Differential Privacy Metrics]
  F --> G[9 Backup]
  G --> G1[9.5 Backup Verification]
  G1 --> H[10 Final Verification]
  H --> H1["10.5 Compliance & SBOM"]
  H1 --> H2[10.6 NIST 800-53 Mapping]
```
0. Hardware Security Preflight
=== Explanation ===
Verify the hardware trust root before any changes: UEFI Secure Boot, TPM 2.0, CPU exploit-mitigation features, entropy, and LUKS status.
=== Commands ===
```bash
sudo apt install -y tpm2-tools mokutil
mokutil --sb-state                                   # Expect: SecureBoot enabled
tpm2_getcap properties-fixed | grep -i FAMILY_INDICATOR   # Expect value "2.0" (key is TPM2_PT_... on tpm2-tools 5.x)
# CPU hardware mitigations: shadow stack shows up as shstk/user_shstk in newer kernels
grep -m1 '^flags' /proc/cpuinfo | grep -oE '\b(smep|smap|cet|shstk|ibt)\b' | sort -u
cat /proc/sys/kernel/random/entropy_avail            # 256 once the kernel CRNG is seeded
lsblk -f | grep -i crypto || echo "WARNING: No encrypted partitions detected"
```
=== Verification ===
```bash
sudo dmesg | grep -i tpm || true                     # sudo: dmesg becomes root-only after phase 6.5
sudo cat /sys/class/tpm/tpm0/description 2>/dev/null || true
```
[proof-hash phase-0_preflight 20251115] <<pending-v1.2-proof>>
1–5. Base System & Environment (Automated, Idempotent)
=== Explanation ===
Carry forward v1.1 phases 1–5 (clean OS, base tools, desktop, dev stack, /opt/helix structure) with automation:
* All scripts use `set -euo pipefail`
* Central logging → /opt/helix/logs/install.log
* Phase checkpoints via Timeshift for rollback
=== Automation Entrypoint ===
```bash
sudo mkdir -p /opt/helix/logs /opt/helix/bin
sudo tee /opt/helix/bin/helix-install.sh > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
LOG="/opt/helix/logs/install.log"
log(){ echo "[$(date -u)] $*" | tee -a "$LOG"; }
rollback_phase(){
  local p="$1" snap
  # Timeshift names snapshots by timestamp; resolve the name from the comment we set below.
  snap=$(sudo timeshift --list | grep -F "pre-phase-$p" \
         | grep -oE '[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}-[0-9]{2}-[0-9]{2}' | tail -n1 || true)
  if [ -z "$snap" ]; then log "No snapshot found for pre-phase-$p; manual rollback required"; return; fi
  log "Rolling back to pre-phase-$p ($snap)"
  sudo timeshift --restore --snapshot "$snap" --scripted || true
}
trap 'rollback_phase "${PHASE_NUM:-X}"' ERR
log "Starting Helix install v1.2"
# Example loop for phases
for PHASE_NUM in 1 2 3 4 5; do
  sudo timeshift --create --comments "pre-phase-$PHASE_NUM" --scripted || true
  log "Executing phase $PHASE_NUM"
  # TODO: call phase-$PHASE_NUM.sh here
done
log "Install complete"
EOF
sudo chmod +x /opt/helix/bin/helix-install.sh
```
[proof-hash phase-1to5_base_env 20251115] <<pending-v1.2-proof>>
1.5 HSM Setup (NEW)
=== Explanation ===
Move signing/auth keys into a hardware token (YubiKey/SmartCard/HSM) to harden key custody.
=== Commands ===
```bash
sudo apt install -y opensc pcsc-tools gnupg2 scdaemon
sudo systemctl enable --now pcscd
pcsc_scan          # interactive: Ctrl-C once the token is listed
gpg --card-status
# Generate on-card subkeys per vendor docs; export pubkey to proofs:
gpg --armor --export helix@ai.helixprojectai.com > /opt/helix/proofs/helix_signer_ed25519.pub
```
[proof-hash phase-1_5_hsm 20251115] <<pending-v1.2-proof>>
2. Base Tools & Updates (Refined + Version Pinning)
=== Explanation ===
Install essentials; capture a manifest; pin critical versions for reproducibility.
=== Commands ===
```bash
sudo apt update
sudo apt install -y needrestart git curl wget jq unzip build-essential python3-pip tmux vim \
  ufw fail2ban ripgrep btop bat exa tldr ncdu apt-clone apt-show-versions
sudo mkdir -p /opt/helix/proofs
sudo apt-clone clone /opt/helix/proofs/apt-state-$(date +%F)
sha256sum /opt/helix/proofs/apt-state-*.tar.gz | sudo tee /opt/helix/proofs/phase-2_base_tools_$(date +%F).sha256
# Pin critical packages (adjust versions to known-good)
sudo tee /etc/apt/preferences.d/helix-pins > /dev/null <<'EOF'
Package: docker-ce
Pin: version 5:27.3.1-1~ubuntu.24.04~noble
Pin-Priority: 1001

Package: nodejs
Pin: version 20.18.0-1nodesource1
Pin-Priority: 1001
EOF
# Export exact versions to lockfile (tee: /opt/helix is root-owned until phase 5)
dpkg -l | awk '/^ii/ {print $2"="$3}' | sudo tee /opt/helix/proofs/package-versions-$(date +%F).lock > /dev/null
sha256sum /opt/helix/proofs/package-versions-*.lock | sudo tee /opt/helix/proofs/package-versions-$(date +%F).sha256
```
[proof-hash phase-2_tooling 20251115] <<pending-v1.2-proof>>
3. Desktop & Productivity Stack (Optimized)
=== Explanation ===
Use APT/.deb where possible; treat snaps as acceptable exceptions. Hold snap auto-refresh by policy.
=== Commands ===
```bash
sudo apt install -y gnome-tweaks gparted terminator fonts-firacode chromium-browser libreoffice p7zip-full
sudo snap refresh --hold
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | \
  sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg >/dev/null
echo "deb [arch=amd64] https://packages.microsoft.com/repos/code stable main" | \
  sudo tee /etc/apt/sources.list.d/vscode.list >/dev/null
sudo apt update && sudo apt install -y code
gsettings set org.gnome.desktop.interface gtk-theme 'Adwaita-dark'
```
[proof-hash phase-3_desktop 20251115] <<pending-v1.2-proof>>
4. Development & Runtime Stack (AI-Ready)
=== Explanation ===
Deterministic runtimes for Python/Node/Docker/Java; local TLS with 90-day rotation; optional Ollama.
=== Commands ===
```bash
# Python + pipx + Ollama (optional)
sudo apt install -y python3-venv pipx
pipx ensurepath
pipx install ollama || true
# Node 20 LTS
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs
# Docker + Compose (pinned by preferences)
sudo apt install -y ca-certificates gnupg lsb-release
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
sudo usermod -aG docker helix   # docker group membership is root-equivalent; grant only to the operator account
# Java
sudo apt install -y openjdk-17-jdk
# Local TLS (90 days) — secure placement
sudo apt install -y certbot
sudo openssl req -x509 -newkey rsa:4096 -keyout localhost.key -out localhost.crt -sha256 -days 90 -nodes -subj "/CN=localhost"
sudo install -m 0644 localhost.crt /etc/ssl/certs/localhost.crt
sudo install -m 0600 localhost.key /etc/ssl/private/localhost.key
sudo rm -f localhost.key localhost.crt   # do not leave the private key in the working directory
```
[proof-hash phase-4_runtime 20251115] <<pending-v1.2-proof>>
4.5 GPU Security & Monitoring (NEW)
```bash
sudo nvidia-smi -pm 1
sudo tee /opt/helix/bin/gpu-security-check > /dev/null <<'EOF'
#!/usr/bin/env bash
# Alert on sustained GPU load that no approved workload (allowlist below) accounts for.
ALLOW='ollama|training|python|torchrun'
UTIL=$(nvidia-smi --query-gpu=utilization.gpu --format=csv,noheader,nounits 2>/dev/null | head -n1)
if [ -n "$UTIL" ] && [ "$UTIL" -gt 90 ] && ! pgrep -af "$ALLOW" >/dev/null; then
  echo "[ALERT] $(date -u) High GPU usage ($UTIL%) without approved process" | tee -a /opt/helix/logs/security.log
fi
EOF
sudo chmod +x /opt/helix/bin/gpu-security-check
echo "*/2 * * * * root /opt/helix/bin/gpu-security-check" | sudo tee /etc/cron.d/helix-gpu-check
```
[proof-hash phase-4_5_gpu 20251115] <<pending-v1.2-proof>>
4.6 Model Provenance & Integrity (NEW)
```bash
sudo tee /opt/helix/bin/verify-model > /dev/null <<'EOF'
#!/usr/bin/env bash
# Usage: verify-model <model-file> <expected-sha256>
set -euo pipefail
if [ $# -ne 2 ]; then echo "usage: $0 <model-file> <expected-sha256>" >&2; exit 2; fi
MODEL="$1"; EXPECTED="$2"
ACTUAL=$(sha256sum "$MODEL" | awk '{print $1}')
if [ "$ACTUAL" != "$EXPECTED" ]; then
  echo "MODEL INTEGRITY FAILURE: $MODEL (expected $EXPECTED got $ACTUAL)" >&2
  exit 1
fi
echo "Model integrity verified: $MODEL"
EOF
sudo chmod +x /opt/helix/bin/verify-model
# Track expected hashes in: /opt/helix/proofs/models.lock
```
[proof-hash phase-4_6_model 20251115] <<pending-v1.2-proof>>
5. Helix Directory Structure & Permissions
```bash
sudo mkdir -p /opt/helix/{bin,config,proofs,sessions,observability,logs,ai,docs}
sudo chown -R helix:helix /opt/helix
sudo chmod -R 750 /opt/helix
echo "HELIX directory initialized $(date -u)" | sudo tee /opt/helix/proofs/phase-5_structure_init.log
sha256sum /opt/helix/proofs/phase-5_structure_init.log | sudo tee /opt/helix/proofs/phase-5_structure_init_$(date +%F).sha256
```
[proof-hash phase-5_structure 20251115] <<pending-v1.2-proof>>
6. Security & Governance Layer (Matured)
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw logging medium
sudo ufw enable
sudo systemctl enable fail2ban --now
# DNS over TLS
sudo apt install -y systemd-resolved
sudo mkdir -p /etc/systemd/resolved.conf.d/
cat << EOF | sudo tee /etc/systemd/resolved.conf.d/dns-over-tls.conf
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
EOF
sudo systemctl restart systemd-resolved
# SSH hardening (match the directive whether or not it is still commented out)
sudo sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart ssh   # validate the config before restarting the daemon
# Audit log and immutability
sudo mkdir -p /opt/helix/logs
sudo touch /opt/helix/logs/audit.log
sudo chattr +a /opt/helix/logs/audit.log
lsattr /opt/helix/logs/audit.log   # expect -----a-------
```
[proof-hash phase-6_security 20251115] <<pending-v1.2-proof>>
6.5 Advanced Hardening (CIS/AppArmor/IDS)
```bash
sudo apt install -y usg lynis aide apparmor-profiles-extra apparmor-utils ossec-hids
sudo usg fix cis_level1_workstation --audit-log /opt/helix/proofs/cis-compliance.log || true
sudo aa-enforce /etc/apparmor.d/*
sudo tee /etc/sysctl.d/99-helix-security.conf <<EOF
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=2
net.core.bpf_jit_harden=2
kernel.unprivileged_bpf_disabled=1
kernel.dmesg_restrict=1
EOF
sudo sysctl --system
sudo systemctl enable ossec --now
sudo systemctl disable cups bluetooth || true
```
[proof-hash phase-6_5_hardening 20251115] <<pending-v1.2-proof>>
6.6 Automated Security Validation
```bash
sudo lynis audit system --auditor "Helix TTD" --report-file /opt/helix/proofs/lynis-baseline.dat
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo tee /opt/helix/bin/helix-security-check > /dev/null <<'EOF'
#!/usr/bin/env bash
# Nightly drift check: Lynis quick audit, AIDE file-integrity comparison, GPG trustdb sanity.
LOG="/opt/helix/logs/security-audit.log"
echo "$(date): Helix security validation" >> "$LOG"
lynis audit system --quick --quiet --auditor "Helix TTD" >> "$LOG"
aide --check >> "$LOG" || echo "$(date): AIDE reported changes (exit $?)" >> "$LOG"
gpg --check-trustdb >> "$LOG"
EOF
sudo chmod +x /opt/helix/bin/helix-security-check
# Schedule
echo "0 3 * * * root /opt/helix/bin/helix-security-check" | sudo tee /etc/cron.d/helix-security-check
```
[proof-hash phase-6_6_validation 20251115] <<pending-v1.2-proof>>
6.7 Secrets Management (NEW)
```bash
sudo apt install -y age
age-keygen -o /opt/helix/config/.age-key.txt
chmod 600 /opt/helix/config/.age-key.txt
sudo tee /opt/helix/bin/helix-encrypt-secret > /dev/null <<'EOF'
#!/usr/bin/env bash
# Usage: helix-encrypt-secret <plaintext-file>; writes <file>.age and destroys the plaintext.
set -euo pipefail
KEY=/opt/helix/config/.age-key.txt
age -r "$(age-keygen -y "$KEY")" -o "$1.age" "$1"
shred -u "$1"   # best effort: shred cannot guarantee erasure on journaling or copy-on-write filesystems
EOF
sudo chmod +x /opt/helix/bin/helix-encrypt-secret
```
[proof-hash phase-6_7_secrets 20251115] <<pending-v1.2-proof>>
6.8 eBPF Runtime Security (NEW)
```bash
sudo apt install -y bpfcc-tools
sudo tee /opt/helix/bin/helix-ebpf-monitor > /dev/null <<'EOF'
#!/usr/bin/env bash
# Lightweight exec/open snooping; tune filters for locality.
# Must run as root: phase 6.5 sets kernel.unprivileged_bpf_disabled=1.
execsnoop-bpfcc -T 2>/dev/null | grep -v helix-whitelist >> /opt/helix/logs/runtime-execs.log &
opensnoop-bpfcc -T 2>/dev/null | grep -v /proc >> /opt/helix/logs/file-access.log &
wait   # keep the script alive so a supervisor (systemd unit) can manage both tracers
EOF
sudo chmod +x /opt/helix/bin/helix-ebpf-monitor
```
[proof-hash phase-6_8_ebpf 20251115] <<pending-v1.2-proof>>
6.9 Certificate Transparency Monitoring (NEW)
```bash
# Monitor CT logs for unauthorized certs for helixprojectai.com
# Option A: certstream client; Option B: scheduled crt.sh queries.
sudo tee /opt/helix/bin/ct-monitor.sh > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
DOMAIN="helixprojectai.com"
curl -fsS "https://crt.sh/?q=%25.$DOMAIN&output=json" | jq -r '.[].name_value' \
  | sort -u >> /opt/helix/logs/ct-observations.log
EOF
sudo chmod +x /opt/helix/bin/ct-monitor.sh
echo "*/30 * * * * root /opt/helix/bin/ct-monitor.sh" | sudo tee /etc/cron.d/helix-ct
```
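ct-monitor.sh only records names; detecting a rogue certificate still needs a comparison against what the organisation expects. The following is an added example, not part of the runbook: it parses the same crt.sh `output=json` shape and flags SANs or issuing CAs outside an allowlist. The sample entries and the allowlist (`ALLOWED_NAMES`, `ALLOWED_ISSUER_ORGS`) are constructed here and are assumptions, not Helix's real inventory.

```python
import json

# Constructed sample resembling crt.sh's output=json response; not real certificates.
SAMPLE_CRTSH_JSON = """[
  {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
   "name_value": "helixprojectai.com\\nwww.helixprojectai.com", "not_before": "2025-10-01T00:00:00"},
  {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
   "name_value": "ai.helixprojectai.com", "not_before": "2025-10-02T00:00:00"},
  {"id": 3, "issuer_name": "C=XX, O=Unapproved CA Ltd, CN=Unapproved R1",
   "name_value": "vpn.helixprojectai.com", "not_before": "2025-11-01T00:00:00"}
]"""

# Assumed allowlist (hypothetical): names the org deliberately issued and the CAs it uses.
ALLOWED_NAMES = {"helixprojectai.com", "www.helixprojectai.com", "ai.helixprojectai.com"}
ALLOWED_ISSUER_ORGS = {"Let's Encrypt"}


def issuer_org(issuer_name: str) -> str:
    """Pull the O= component out of the issuer DN string crt.sh returns."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return ""


def parse_crtsh(text: str):
    """Expand each crt.sh entry into one record per SAN (name_value is newline-separated)."""
    records = []
    for entry in json.loads(text):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name:
                records.append({"id": entry["id"], "name": name,
                                "issuer_org": issuer_org(entry["issuer_name"]),
                                "not_before": entry["not_before"]})
    return records


def find_anomalies(records, allowed_names=ALLOWED_NAMES, allowed_issuers=ALLOWED_ISSUER_ORGS):
    """Return records naming an unexpected host or issued by an unexpected CA, with reasons."""
    findings = []
    for rec in records:
        reasons = []
        if rec["name"] not in allowed_names:
            reasons.append("unexpected-name")
        if rec["issuer_org"] not in allowed_issuers:
            reasons.append("unexpected-issuer")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_crtsh(SAMPLE_CRTSH_JSON)):
        print(f"[CT-ALERT] crt.sh id={f['id']} {f['name']} issuer={f['issuer_org']!r} "
              f"since={f['not_before']} reasons={','.join(f['reasons'])}")
```

On the sample data only the `vpn.` entry is reported, for both an unlisted name and an unlisted issuer; feeding the real crt.sh response into `parse_crtsh` and appending the findings to security.log is the piece ct-monitor.sh leaves open.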
[proof-hash phase-6_9_ct 20251115] <<pending-v1.2-proof>>
6.10 Automated Incident Response (NEW)
```bash
sudo tee /opt/helix/bin/incident-response > /dev/null <<'EOF'
#!/usr/bin/env bash
# Capture volatile state first, hash the evidence, then isolate if a CRITICAL event is logged.
set -euo pipefail
T="/opt/helix/incidents/$(date -u +%Y%m%d_%H%M%S)"
mkdir -p "$T"
ps aux > "$T/processes.txt"
ss -tulpen > "$T/network.txt"
lsof +L1 > "$T/deleted_files.txt" 2>/dev/null || true
sha256sum "$T"/*.txt > "$T/SHA256SUMS"   # evidence integrity record
if grep -q "CRITICAL" /opt/helix/logs/security.log 2>/dev/null; then
  ufw deny out from any to any || true
  echo "SYSTEM ISOLATED - Manual intervention required" | tee -a "$T/notes.txt"
fi
EOF
sudo chmod +x /opt/helix/bin/incident-response
```
[proof-hash phase-6_10_ir 20251115] <<pending-v1.2-proof>>
6.11 Post-Quantum Crypto Preparation (NEW)
```bash
# PQC toolchains differ by distro; install oqs-enabled OpenSSL if available.
sudo apt install -y liboqs-dev || true
sudo tee /opt/helix/bin/pqc-keygen > /dev/null <<'EOF'
#!/usr/bin/env bash
echo "[Info] Generate hybrid PQC keys (placeholder; align with org policy)."
EOF
sudo chmod +x /opt/helix/bin/pqc-keygen
```
[proof-hash phase-6_11_pqc 20251115] <<pending-v1.2-proof>>
6.12 MPC/Shamir Key Recovery (NEW)
```bash
sudo apt install -y ssss || true
sudo tee /opt/helix/bin/shamir-backup > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
KEY="/opt/helix/config/.age-key.txt"
# ssss-split reads the secret from stdin (-s is the security level in bits, not a file path);
# feed it only the identity line, since the key file also carries comment lines.
grep '^AGE-SECRET-KEY-' "$KEY" | ssss-split -t 3 -n 5
echo "Distribute shares to trusted parties; store locations in /opt/helix/proofs/key-shares.txt"
EOF
sudo chmod +x /opt/helix/bin/shamir-backup
```
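To make the custody property of the 3-of-5 split concrete (any three shares recover the key, two reveal nothing), here is an added example that is not part of the runbook and not a replacement for ssss: a pure-Python Shamir split and Lagrange recovery over a large prime field, with an ssss-style `index-hex` share format. `SAMPLE_SECRET` is a constructed placeholder standing in for the AGE-SECRET-KEY line, not a real key.

```python
import secrets

P = 2**1279 - 1   # Mersenne prime M1279; secrets up to 159 bytes fit as one field element


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, threshold: int, shares: int, rand=secrets.randbelow):
    """Return [(x, y)] shares; the secret is the constant term of a random degree t-1 polynomial."""
    s = int.from_bytes(secret, "big")
    if not 1 <= threshold <= shares or s >= P:
        raise ValueError("bad threshold/share count, or secret too large for the field")
    coeffs = [s] + [rand(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(shares):
    """Lagrange interpolation at x=0 over the given (x, y) pairs; needs >= threshold distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def recover_secret(shares, length: int) -> bytes:
    return recover_int(shares).to_bytes(length, "big")


def format_share(x: int, y: int) -> str:
    """ssss-style 'index-hex' line handed to one custodian."""
    return f"{x}-{y:x}"


def parse_share(line: str):
    idx, _, hexval = line.strip().partition("-")
    return int(idx), int(hexval, 16)


# Constructed placeholder standing in for the AGE-SECRET-KEY line; not a real key.
SAMPLE_SECRET = b"AGE-SECRET-KEY-1EXAMPLEPLACEHOLDERNOTAREALKEY"

if __name__ == "__main__":
    lines = [format_share(x, y) for x, y in split_secret(SAMPLE_SECRET, 3, 5)]
    subset = [parse_share(l) for l in lines[1:4]]          # custodians 2, 3 and 4
    print("recovered:", recover_secret(subset, len(SAMPLE_SECRET)) == SAMPLE_SECRET)
```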
[proof-hash phase-6_12_mpc 20251115] <<pending-v1.2-proof>>
7. Developer Quality-of-Life
```bash
sudo apt install -y direnv fish lsd fd-find tree btop
echo 'eval "$(direnv hook bash)"' >> ~/.bashrc
echo 'export HELIX_ENV=dev' >> ~/.bashrc
echo 'PS1="[\u@\h \W($HELIX_ENV)]\$ "' >> ~/.bashrc
source ~/.bashrc
# VS Code extensions (idempotent; --install-extension accepts one ID per flag, so loop)
for ext in redhat.vscode-yaml ms-python.python ms-azuretools.vscode-docker \
  ms-vscode-remote.remote-ssh yzhang.markdown-all-in-one eamodio.gitlens humao.rest-client \
  bierner.markdown-preview-github-styles; do
  code --install-extension "$ext" || true
done
echo "Welcome to Helix Workstation Node — Custody-First Environment" | sudo tee /etc/motd
```
[proof-hash phase-7_qol 20251115] <<pending-v1.2-proof>>
8. Observability & Metrics (Enhanced)
```bash
# Node exporter (host metrics)
sudo apt install -y prometheus-node-exporter
# Networks for isolation
docker network create --driver bridge helix-observability || true
docker network create --driver bridge helix-ai || true
# Content trust & pinned images (supply chain assurance)
export DOCKER_CONTENT_TRUST=1
echo 'export DOCKER_CONTENT_TRUST=1' | sudo tee -a /etc/environment
# Grafana / Prometheus / Qdrant with resource limits
# Note: ports published with -p bypass ufw (Docker programs iptables directly);
# use -p 127.0.0.1:PORT:PORT if these services must stay local to the workstation.
docker run -d --name grafana --network helix-observability \
  --memory=4096m --cpus=2 -p 3000:3000 -v grafana-storage:/var/lib/grafana grafana/grafana
docker run -d --name prometheus --network helix-observability \
  --memory=4096m --cpus=2 -p 9090:9090 -v prometheus-storage:/prometheus prom/prometheus
docker run -d --name qdrant --network helix-ai \
  --memory=4096m --cpus=2 -p 6333:6333 -p 6334:6334 qdrant/qdrant
# Alert rules (mount later via config)
sudo mkdir -p /opt/helix/config
sudo tee /opt/helix/config/prometheus-alerts.yml > /dev/null <<'EOF'
groups:
  - name: helix_system
    interval: 30s
    rules:
      - alert: HelixDiskSpaceLow
        expr: node_filesystem_avail_bytes{mountpoint="/opt/helix"} < 10e9
        for: 5m
        annotations:
          summary: "Helix partition below 10GB"
          action: "Free space or expand storage"
      - alert: HelixSecurityCheckFail
        # helix_security_check_status is not exported by anything in this runbook yet;
        # publish it (e.g. node_exporter textfile collector) or this rule can never fire.
        expr: helix_security_check_status != 0
        for: 1m
        annotations:
          summary: "Security validation failed"
          action: "Run /opt/helix/bin/helix-security-check"
EOF
```
[proof-hash phase-8_observability 20251115] <<pending-v1.2-proof>>
8.5 Predictive Health (NEW)
```bash
sudo apt install -y smartmontools
sudo tee /opt/helix/bin/predictive-health > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
DISK="/dev/nvme0n1"
# NVMe SMART log reports "Percentage Used: N%"
WEAR=$(sudo smartctl -A "$DISK" | awk '/Percentage Used/ {print $3}' | tr -d '%')
if [ -n "$WEAR" ] && [ "$WEAR" -gt 80 ]; then
  echo "WARNING: SSD near EOL — ${WEAR}% used" | tee -a /opt/helix/logs/alerts.log
fi
MEMERR=$(dmesg | grep -ci "ecc error" || true)
if [ "$MEMERR" -gt 10 ]; then
  echo "WARNING: Elevated ECC errors detected ($MEMERR)" | tee -a /opt/helix/logs/alerts.log
fi
EOF
sudo chmod +x /opt/helix/bin/predictive-health
echo "*/15 * * * * root /opt/helix/bin/predictive-health" | sudo tee /etc/cron.d/helix-predictive
```
[proof-hash phase-8_5_predictive 20251115] <<pending-v1.2-proof>>
8.6 Differential Privacy Metrics (NEW)
```bash
# Placeholder: package availability varies; wire your DP pipeline to protect sensitive ops data.
sudo apt install -y python3-pip || true
# Example stub script (extend with your DP/SmartNoise/OpenDP workflow):
sudo tee /opt/helix/bin/dp-metrics > /dev/null <<'EOF'
#!/usr/bin/env python3
print("DP metrics pipeline placeholder — integrate OpenDP/SmartNoise per policy.")
EOF
sudo chmod +x /opt/helix/bin/dp-metrics
```
[proof-hash phase-8_6_dp 20251115] <<pending-v1.2-proof>>
9. Backup & Portability (DR-Ready)
```bash
sudo timeshift --check || true
# Safer retention adjustment (prefer editing with jq if present).
# timeshift.json keeps per-schedule keys (count_daily, count_weekly, ...) with string values.
if command -v jq >/dev/null 2>&1; then
  sudo jq '.count_daily = "3"' /etc/timeshift/timeshift.json > /tmp/ts.json && \
  sudo install -m 0644 /tmp/ts.json /etc/timeshift/timeshift.json
fi
# Nightly snapshot
echo "0 23 * * * root /usr/bin/timeshift --create --comments 'Nightly Helix Snapshot' --scripted" | \
  sudo tee /etc/cron.d/helix-timeshift
```
[proof-hash phase-9_backup 20251115] <<pending-v1.2-proof>>
9.5 Backup Verification Testing
```bash
sudo tee /opt/helix/bin/helix-backup-verify > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
LOG="/opt/helix/logs/backup-verify.log"
TMP="$(mktemp -d /tmp/helix-backup-test.XXXXXX)"
trap 'rm -rf "$TMP"' EXIT
timeshift --list | grep HELIX_BASELINE > "$TMP/timeshift.log" || echo "BASELINE SNAPSHOT MISSING" >> "$TMP/timeshift.log"
cd /opt/helix/proofs
# Check the consolidated proof set and the signed Merkle roots produced in phase 10.
sha256sum -c consolidated-v1.2.sha256 > "$TMP/proof.log" 2>&1 || echo "PROOF CHECK FAILED" >> "$TMP/proof.log"
for sig in merkle-root-*.sig; do
  gpg --verify "$sig" >> "$TMP/gpg.log" 2>&1 || echo "SIGNATURE CHECK FAILED: $sig" >> "$TMP/gpg.log"
done
# Persist the results before the temp dir is removed on exit.
{ echo "=== backup verification $(date -u) ==="; cat "$TMP"/*.log; } >> "$LOG"
EOF
sudo chmod +x /opt/helix/bin/helix-backup-verify
# Quarterly DR drill (restore is manual-approved step)
echo "0 4 1 */3 * root /opt/helix/bin/helix-backup-verify" | sudo tee /etc/cron.d/helix-drdrill
```
[proof-hash phase-9_5_backupverify 20251115] <<pending-v1.2-proof>>
10. Final Verification (with Merkle Root)
```bash
# Merkle aggregation for proof hashes
sudo tee /opt/helix/bin/helix-merkle-proof > /dev/null <<'EOF'
#!/usr/bin/env python3
"""Read sha256sum-style lines on stdin, take the hash column, print the Merkle root."""
import hashlib, sys

def merkle_root(hs):
    if len(hs) == 1:
        return hs[0]
    nxt = []
    for i in range(0, len(hs), 2):
        left = hs[i]
        right = hs[i+1] if i+1 < len(hs) else left   # an odd trailing leaf is paired with itself
        nxt.append(hashlib.sha256((left+right).encode()).hexdigest())
    return merkle_root(nxt)

proofs = [line.strip().split()[0] for line in sys.stdin if line.strip()]
if not proofs:
    sys.exit("helix-merkle-proof: no proof hashes on stdin")
print(merkle_root(proofs))
EOF
sudo chmod +x /opt/helix/bin/helix-merkle-proof
# Build consolidated set and root
cd /opt/helix/proofs
cat phase-*2025*.sha256 > consolidated-v1.2.sha256
sha256sum consolidated-v1.2.sha256 > consolidated-v1.2.sha256sum
awk '{print $1}' consolidated-v1.2.sha256 \
  | /opt/helix/bin/helix-merkle-proof > merkle-root-$(date +%F).txt
gpg --output merkle-root-$(date +%F).sig --sign merkle-root-$(date +%F).txt
```
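A signed root is only half of a Merkle-aggregated proof; the other half is an inclusion proof that lets one phase hash be checked against the root without the whole consolidated file. The following is an added example, not one of the runbook's scripts: it reproduces helix-merkle-proof's root computation (same pairing and odd-leaf rule) and adds audit-path generation and verification. `SAMPLE_CONSOLIDATED` is constructed stand-in data, not real phase proofs.

```python
import hashlib


def parse_proof_lines(text: str):
    """Take the hash column from sha256sum-style lines, as helix-merkle-proof does on stdin."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]


def _parent(left: str, right: str) -> str:
    # Pairing rule of helix-merkle-proof: concatenate the two hex strings, SHA-256 the result.
    return hashlib.sha256((left + right).encode()).hexdigest()


def _next_level(level):
    # An odd trailing leaf is paired with itself, exactly as helix-merkle-proof does.
    return [_parent(level[i], level[i + 1] if i + 1 < len(level) else level[i])
            for i in range(0, len(level), 2)]


def merkle_root(leaves):
    if not leaves:
        raise ValueError("no proof hashes")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(leaves, index):
    """Audit path for leaves[index]: list of (sibling_hash, sibling_is_on_the_right)."""
    path, level = [], list(leaves)
    while len(level) > 1:
        if index % 2 == 0:
            sibling = level[index + 1] if index + 1 < len(level) else level[index]
            path.append((sibling, True))
        else:
            path.append((level[index - 1], False))
        level, index = _next_level(level), index // 2
    return path


def verify_inclusion(leaf, path, root):
    """Recompute the root from one leaf and its audit path; True iff it matches the signed root."""
    h = leaf
    for sibling, on_right in path:
        h = _parent(h, sibling) if on_right else _parent(sibling, h)
    return h == root


# Constructed sample: five phase proofs standing in for real phase-*.sha256 contents.
SAMPLE_CONSOLIDATED = "\n".join(
    f"{hashlib.sha256(f'phase-{n}'.encode()).hexdigest()}  /opt/helix/proofs/phase-{n}.log"
    for n in range(5))

if __name__ == "__main__":
    leaves = parse_proof_lines(SAMPLE_CONSOLIDATED)
    root = merkle_root(leaves)
    path = inclusion_proof(leaves, 3)
    print("root:", root)
    print("phase-3 included:", verify_inclusion(leaves[3], path, root))
```

Because the root is what gets signed in phase 10, a verifier holding `merkle-root-*.txt`, one phase line and its audit path can check that phase without trusting the rest of the consolidated file.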
[proof-hash phase-10_final 20251115] <<pending-v1.2-proof>>
10.5 Compliance, SBOM & Attestation
```bash
# Compliance report generator
sudo tee /opt/helix/bin/helix-compliance-report > /dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
D="/opt/helix/proofs/compliance-$(date +%F)"
mkdir -p "$D"
if command -v usg >/dev/null 2>&1; then
  usg audit cis_level1_workstation > "$D/cis-compliance.json" || true
fi
{
  echo "=== Helix Security Configuration Report ==="
  echo "Generated: $(date -u)"
  echo "System: $(hostnamectl | grep 'Operating System')"
  echo "Kernel: $(uname -r)"
  echo "AppArmor: $(sudo apparmor_status 2>/dev/null | head -1)"
  echo "UFW: $(sudo ufw status | head -1)"
} > "$D/security-summary.txt"
find "$D" -type f -exec sha256sum {} \; > "$D/compliance-hashes.sha256"
gpg --output "$D/compliance-hashes.sig" --sign "$D/compliance-hashes.sha256"
EOF
sudo chmod +x /opt/helix/bin/helix-compliance-report
# SBOM (if available)
sudo apt install -y syft || true
if command -v syft >/dev/null 2>&1; then
  syft packages dir:/opt/helix -o spdx-json > /opt/helix/proofs/helix-sbom-$(date +%F).spdx.json
  sha256sum /opt/helix/proofs/helix-sbom-*.spdx.json | tee /opt/helix/proofs/sbom-$(date +%F).sha256
fi
# Attestation
echo "Helix Security Attestation - $(date -u)" > /opt/helix/proofs/security-attestation.txt
gpg --output /opt/helix/proofs/security-attestation.sig --sign /opt/helix/proofs/security-attestation.txt
# Schedules
echo "0 2 * * 1 root /opt/helix/bin/helix-compliance-report" | sudo tee /etc/cron.d/helix-compliance
```
[proof-hash phase-10_5_compliance 20251115] <<pending-v1.2-proof>>
10.6 NIST 800-53 Mapping (NEW)
```bash
sudo tee /opt/helix/bin/nist-compliance-check > /dev/null <<'EOF'
#!/usr/bin/env bash
OUT="/opt/helix/proofs/nist-compliance-$(date +%F).txt"
{
  echo "NIST 800-53 Compliance Report - $(date -u)"
  # NOTE: the statuses below are static assertions, not measurements; tie each control
  # to evidence (phase 6.6 audit log, phase 10.5 report) before relying on this output.
  echo "CM-6: Configuration Management - VERIFIED"
  echo "SI-4: Information System Monitoring - VERIFIED"
  echo "AU-6: Audit Review, Analysis, and Reporting - VERIFIED"
  # Extend mappings per control catalog and evidence
} > "$OUT"
EOF
sudo chmod +x /opt/helix/bin/nist-compliance-check
/opt/helix/bin/nist-compliance-check
```
[proof-hash phase-10_6_nist 20251115] <<pending-v1.2-proof>>
Version Evolution Chain
| Version | Date | Focus | Proof Status |
|---|---|---|---|
| v1.0 | | | |
| v1.1 | | Production-grade baseline | |
| v1.2 (Draft) | 2025-11-15 (Target) | Adaptive, self-verifying node | <<pending-v1.2-proof>> |
Epilogue · Helix Ethos Reflection
HELIX_CLEAN_INSTALL_RUNBOOK_v1.2 sha256: <<pending-v1.2-proof>>
License
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy at http://www.apache.org/licenses/LICENSE-2.0
This page is expressly licensed under Apache 2.0; the wiki's default footer does not override this.
Canonical Source
/opt/helix/docs/HELIX_CLEAN_INSTALL_RUNBOOK_v1.2.md
SHA-256: <<pending-v1.2-proof>>