P4X-ng · Copilot · Mar 1, 2026 · Mar 1, 2026 · Mar 1, 2026
diff --git a/bashpf/build-build.sh b/bashpf/build-build.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Build production artifacts from staging/
+bash scripts/build/build-production.sh
diff --git a/bashpf/build-package-esp-neg-attest.sh b/bashpf/build-package-esp-neg-attest.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Create negative attestation ESP (corrupted hash)
+bash scripts/esp-packaging/package-esp-neg-attest.sh
diff --git a/bashpf/build-package-esp.sh b/bashpf/build-package-esp.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Package bootable ESP image
+bash scripts/esp-packaging/esp-package.sh
diff --git a/bashpf/build-setup.sh b/bashpf/build-setup.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Bootstrap toolchain & environment
+bash scripts/maintenance/toolchain-check.sh
diff --git a/bashpf/cleanup.sh b/bashpf/cleanup.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Clean build artifacts (DEEP_CLEAN=1 for full ESP clean)
+bash scripts/maintenance/cleanup.sh
diff --git a/bashpf/esp.sh b/bashpf/esp.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Convenience: build + package ESP
+./pf.py build-build build-package-esp
diff --git a/bashpf/firmware-checksum-add.sh b/bashpf/firmware-checksum-add.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# Add firmware to checksum database (set FIRMWARE_PATH, VENDOR, MODEL, VERSION)
+[ -n "${FIRMWARE_PATH:-}" ] || { echo "Usage: FIRMWARE_PATH=<file> VENDOR=<vendor> MODEL=<model> VERSION=<version> ./pf.py firmware-checksum-add"; exit 1; }
+[ -n "${VENDOR:-}" ] && [ -n "${MODEL:-}" ] && [ -n "${VERSION:-}" ] || { echo "Error: VENDOR, MODEL, and VERSION are required"; exit 1; }
+${PYTHON:-python3} utils/firmware_checksum_db.py --add "${FIRMWARE_PATH}" --vendor "${VENDOR}" --model "${MODEL}" --version "${VERSION}" --source "${SOURCE:-manual}" --confidence ${CONFIDENCE:-50}
diff --git a/bashpf/firmware-checksum-list.sh b/bashpf/firmware-checksum-list.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# List all firmware checksums in database
+${PYTHON:-python3} utils/firmware_checksum_db.py --list
diff --git a/bashpf/firmware-checksum-verify.sh b/bashpf/firmware-checksum-verify.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Verify firmware file against database (set FIRMWARE_PATH=<path>)
+[ -n "${FIRMWARE_PATH:-}" ] || { echo "Usage: FIRMWARE_PATH=<file> ./pf.py firmware-checksum-verify"; exit 1; }
+${PYTHON:-python3} utils/firmware_checksum_db.py --verify "${FIRMWARE_PATH}"
diff --git a/bashpf/kernel-config-diff.sh b/bashpf/kernel-config-diff.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Compare current kernel config against hardened baseline
+${PYTHON:-python3} utils/kernel_config_remediation.py --current /boot/config-$(uname -r) --diff
diff --git a/bashpf/kernel-config-remediate.sh b/bashpf/kernel-config-remediate.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# Generate kernel config remediation script
+mkdir -p out/remediation
+${PYTHON:-python3} utils/kernel_config_remediation.py --current /boot/config-$(uname -r) --remediate --output out/remediation/kernel_remediation.sh
+echo "Remediation script generated: out/remediation/kernel_remediation.sh"
diff --git a/bashpf/kernel-hardening-baseline.sh b/bashpf/kernel-hardening-baseline.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Generate hardened kernel config baseline based on DISA STIG
+mkdir -p out/baselines
+${PYTHON:-python3} utils/kernel_hardening_analyzer.py --generate-baseline --output out/baselines/hardened_kernel.config
diff --git a/bashpf/kernel-hardening-check.sh b/bashpf/kernel-hardening-check.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Analyze kernel configuration against DISA STIG and hardening best practices
+${PYTHON:-python3} utils/kernel_hardening_analyzer.py --auto
diff --git a/bashpf/kernel-hardening-report.sh b/bashpf/kernel-hardening-report.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# Generate detailed kernel hardening report (text and JSON)
+mkdir -p out/reports
+${PYTHON:-python3} utils/kernel_hardening_analyzer.py --auto --format text --output out/reports/kernel_hardening_report.txt
+${PYTHON:-python3} utils/kernel_hardening_analyzer.py --auto --format json --output out/reports/kernel_hardening_report.json
+echo "Reports saved to:"
+echo "  Text: out/reports/kernel_hardening_report.txt"
+echo "  JSON: out/reports/kernel_hardening_report.json"
diff --git a/bashpf/kernel-kexec-check.sh b/bashpf/kernel-kexec-check.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Check if kexec is available for kernel remediation
+${PYTHON:-python3} utils/kernel_config_remediation.py --check-kexec
diff --git a/bashpf/kernel-kexec-guide.sh b/bashpf/kernel-kexec-guide.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Show kexec double-jump remediation workflow guide
+${PYTHON:-python3} utils/kernel_config_remediation.py --kexec-guide
diff --git a/bashpf/kernel-profile-balanced.sh b/bashpf/kernel-profile-balanced.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# Generate balanced kernel config (security + flexibility)
+mkdir -p out/kernel-profiles
+${PYTHON:-python3} utils/kernel_config_profiles.py --profile balanced --output out/kernel-profiles/balanced.config
+echo "Profile generated: out/kernel-profiles/balanced.config"
diff --git a/bashpf/kernel-profile-compare.sh b/bashpf/kernel-profile-compare.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Compare current kernel config with profile (set PROFILE=permissive/hardened/balanced)
+[ -n "${PROFILE:-}" ] || { echo "Usage: PROFILE=<profile> ./pf.py kernel-profile-compare"; exit 1; }
+${PYTHON:-python3} utils/kernel_config_profiles.py --profile "${PROFILE}" --compare /boot/config-$(uname -r)
diff --git a/bashpf/kernel-profile-hardened.sh b/bashpf/kernel-profile-hardened.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# Generate hardened kernel config (maximum security)
+mkdir -p out/kernel-profiles
+${PYTHON:-python3} utils/kernel_config_profiles.py --profile hardened --output out/kernel-profiles/hardened.config
+echo "Profile generated: out/kernel-profiles/hardened.config"
diff --git a/bashpf/kernel-profile-list.sh b/bashpf/kernel-profile-list.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# List available kernel configuration profiles (permissive/hardened/balanced)
+${PYTHON:-python3} utils/kernel_config_profiles.py --list
diff --git a/bashpf/kernel-profile-permissive.sh b/bashpf/kernel-profile-permissive.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# Generate permissive kernel config for BIOS flashing
+mkdir -p out/kernel-profiles
+${PYTHON:-python3} utils/kernel_config_profiles.py --profile permissive --output out/kernel-profiles/permissive.config
+echo "Profile generated: out/kernel-profiles/permissive.config"
diff --git a/bashpf/maint-clean.sh b/bashpf/maint-clean.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Clean build artifacts (DEEP_CLEAN=1 for full ESP clean)
+bash scripts/maintenance/cleanup.sh
diff --git a/bashpf/maint-docs.sh b/bashpf/maint-docs.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Update documentation
+echo "Documentation updated"
diff --git a/bashpf/maint-format.sh b/bashpf/maint-format.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Format source code
+bash scripts/maintenance/format.sh
diff --git a/bashpf/maint-install-git-hooks.sh b/bashpf/maint-install-git-hooks.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Install pre-push size guard hook
+mkdir -p .git/hooks && chmod 0755 .git/hooks
+cp scripts/git-hooks/pre-push .git/hooks/pre-push && chmod 0755 .git/hooks/pre-push
diff --git a/bashpf/maint-lint.sh b/bashpf/maint-lint.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Run static analysis
+bash scripts/maintenance/lint.sh
diff --git a/bashpf/maint-pre-push-check.sh b/bashpf/maint-pre-push-check.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# Run the size guard check locally (no push)
+bash -lc 'scripts/git-hooks/pre-push <<EOF
+$(git rev-parse HEAD) 0000000000000000000000000000000000000000 refs/heads/main
+EOF'
diff --git a/bashpf/maint-regen-instructions.sh b/bashpf/maint-regen-instructions.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Generate copilot-instructions.md
+bash scripts/maintenance/regen-instructions.sh
diff --git a/bashpf/mok-flow.sh b/bashpf/mok-flow.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Full MOK workflow: generate keys, enroll MOK
+./pf.py secure-mok-new
+./pf.py os-mok-enroll
diff --git a/bashpf/os-boot-clean.sh b/bashpf/os-boot-clean.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Clean stale UEFI boot entries (set OS_BOOT_RM, OS_BOOT_ORDER, OS_BOOT_NEXT)
+bash scripts/maintenance/os-boot-clean.sh
diff --git a/bashpf/os-kmod-sign.sh b/bashpf/os-kmod-sign.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Sign one module file or recursively sign directory (set PATH, FORCE=1 optional)
+[ -n "${PATH:-}" ] || { echo "Usage: PATH=<file|dir> [FORCE=1] ./pf.py os-kmod-sign"; exit 1; }
+"${PYTHON:-python3}" utils/pgmodsign.py "${PATH}" $([ "${FORCE:-0}" = "1" ] && printf -- "--force" || true)
diff --git a/bashpf/os-mok-enroll.sh b/bashpf/os-mok-enroll.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Enroll host MOK for module signing
+bash -lc 'scripts/mok-management/enroll-mok.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}" ${MOK_DRY_RUN:-0}'
diff --git a/bashpf/os-mok-list-keys.sh b/bashpf/os-mok-list-keys.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# List available MOK certs/keys and enrollment status
+bash scripts/mok-management/mok-list-keys.sh
diff --git a/bashpf/secure-der-extract.sh b/bashpf/secure-der-extract.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Convert DER/PKCS#12 bundle into PEM cert and key (set DER_PATH, OUT_DIR, NAME)
+bash -lc 'scripts/secure-boot/der-extract.sh "${DER_PATH:-}" "${OUT_DIR:-out/keys}" "${NAME:-PGMOK}"'
diff --git a/bashpf/secure-enroll-mok.sh b/bashpf/secure-enroll-mok.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Enroll PhoenixGuard MOK certificate
+bash -lc 'scripts/mok-management/enroll-mok.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}" ${MOK_DRY_RUN:-0}'
diff --git a/bashpf/secure-enroll-secureboot.sh b/bashpf/secure-enroll-secureboot.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Auto-enroll custom SB keys in OVMF
+bash scripts/secure-boot/enroll-secureboot.sh
diff --git a/bashpf/secure-env.sh b/bashpf/secure-env.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Comprehensive security environment check - verify boot integrity, EFI vars, kernel security, and detect bootkits
+bash scripts/validation/secure-env-check.sh
diff --git a/bashpf/secure-keygen.sh b/bashpf/secure-keygen.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Generate Secure Boot keypairs (RSA-4096) and X.509 certs
+bash scripts/secure-boot/generate-sb-keys.sh
diff --git a/bashpf/secure-keys-centralize.sh b/bashpf/secure-keys-centralize.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Centralize keys into out/keys
+bash scripts/secure-boot/keys-centralize.sh
diff --git a/bashpf/secure-keys-prune.sh b/bashpf/secure-keys-prune.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Backup + remove legacy key locations
+bash scripts/secure-boot/keys-centralize.sh --prune
diff --git a/bashpf/secure-make-auth.sh b/bashpf/secure-make-auth.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Create ESL and AUTH for PK/KEK/db
+bash scripts/secure-boot/create-auth-files.sh
diff --git a/bashpf/secure-mok-enroll-new.sh b/bashpf/secure-mok-enroll-new.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Generate + enroll PhoenixGuard MOK (reboot to complete)
+bash -lc 'scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"'
+bash -lc 'scripts/mok-management/enroll-mok.sh "out/keys/${NAME:-PGMOK}.crt" "out/keys/${NAME:-PGMOK}.der" ${MOK_DRY_RUN:-0}'
diff --git a/bashpf/secure-mok-find-enrolled.sh b/bashpf/secure-mok-find-enrolled.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Match local certs to enrolled MOKs
+bash scripts/mok-management/mok-find-enrolled.sh
diff --git a/bashpf/secure-mok-inventory.sh b/bashpf/secure-mok-inventory.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# JSON inventory of keys and enrollment
+bash scripts/mok-management/mok-list-keys.sh
diff --git a/bashpf/secure-mok-new.sh b/bashpf/secure-mok-new.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Generate new PhoenixGuard MOK keypair (use NAME and CN env)
+bash -lc 'scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"'
diff --git a/bashpf/secure-mok-status.sh b/bashpf/secure-mok-status.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Show Secure Boot state and MOKs
+bash scripts/mok-management/mok-status.sh
diff --git a/bashpf/secure-mok-verify.sh b/bashpf/secure-mok-verify.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Verify MOK certificate details
+bash -lc 'scripts/mok-management/mok-verify.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}"'
diff --git a/bashpf/secure-package-esp-enroll.sh b/bashpf/secure-package-esp-enroll.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Package enrollment ESP
+bash scripts/esp-packaging/esp-package-enroll.sh
diff --git a/bashpf/secure-qemu-enable-ui.sh b/bashpf/secure-qemu-enable-ui.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# [QEMU] Launch QEMU with GUI to enable Secure Boot in VM
+bash scripts/qemu/qemu-run-secure-ui.sh
diff --git a/bashpf/secure-unenroll-mok.sh b/bashpf/secure-unenroll-mok.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Remove PhoenixGuard MOK certificate
+bash -lc 'scripts/mok-management/unenroll-mok.sh "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}"'
diff --git a/bashpf/secureboot-check.sh b/bashpf/secureboot-check.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Check Secure Boot status on host machine
+bash scripts/secure-boot/check-secureboot-status.sh
diff --git a/bashpf/secureboot-create-usb.sh b/bashpf/secureboot-create-usb.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Create SecureBoot USB and write directly (set ISO_PATH and USB_DEVICE)
+bash create-secureboot-bootable-media.sh --iso "${ISO_PATH}" --usb-device "${USB_DEVICE}"
diff --git a/bashpf/secureboot-create.sh b/bashpf/secureboot-create.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Create turnkey SecureBoot bootable media from ISO (set ISO_PATH=/path/to.iso)
+bash create-secureboot-bootable-media.sh --iso "${ISO_PATH}"
diff --git a/bashpf/secureboot-enable-host-kexec.sh b/bashpf/secureboot-enable-host-kexec.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# [HOST] Enable Secure Boot on physical machine via double kexec method (requires root)
+bash scripts/secure-boot/enable-secureboot-kexec.sh
diff --git a/bashpf/setup.sh b/bashpf/setup.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Complete project setup: build + package + verify
+./pf.py build-setup build-build build-package-esp
+./pf.py verify-esp-robust
diff --git a/bashpf/test-qemu-secure-negative-attest.sh b/bashpf/test-qemu-secure-negative-attest.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# NuclearBoot corruption detection test
+bash scripts/testing/qemu-test-secure-negative-attest.sh
diff --git a/bashpf/test-qemu-secure-positive.sh b/bashpf/test-qemu-secure-positive.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Secure Boot positive test
+bash scripts/testing/qemu-test-secure-positive.sh
diff --git a/bashpf/test-qemu-secure-strict.sh b/bashpf/test-qemu-secure-strict.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Secure Boot strict mode test
+bash scripts/testing/qemu-test-secure-strict.sh
diff --git a/bashpf/test-qemu-uuefi.sh b/bashpf/test-qemu-uuefi.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# UUEFI application test
+bash scripts/testing/qemu-test-uuefi.sh
diff --git a/bashpf/test-qemu.sh b/bashpf/test-qemu.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Main QEMU boot test
+bash scripts/testing/qemu-test.sh
diff --git a/bashpf/uuefi-apply.sh b/bashpf/uuefi-apply.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# UUEFI apply (set BootNext; optionally create entry)
+bash scripts/uefi-tools/uuefi-apply.sh
diff --git a/bashpf/uuefi-install.sh b/bashpf/uuefi-install.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Install UUEFI.efi to system ESP
+bash scripts/uefi-tools/uuefi-install.sh
diff --git a/bashpf/uuefi-report.sh b/bashpf/uuefi-report.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# UUEFI report (read-only)
+bash scripts/uefi-tools/uuefi-report.sh
diff --git a/bashpf/validate-all.sh b/bashpf/validate-all.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Run all validations
+bash scripts/validation/validate-keys.sh
+bash scripts/validation/validate-esp.sh
diff --git a/bashpf/verify-esp-robust.sh b/bashpf/verify-esp-robust.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Robust ESP verification
+bash scripts/validation/verify-esp-robust.sh
diff --git a/bashpf/verify.sh b/bashpf/verify.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Run validation (validate-all + verify-esp-robust)
+./pf.py validate-all
+./pf.py verify-esp-robust
diff --git a/bashpf/workflow-artifact-create.sh b/bashpf/workflow-artifact-create.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Create all necessary artifacts for ESP and CD with secure boot support
+ARTIFACT_DIR=out/artifacts
+ESP_DIR=out/esp
+KEYS_DIR=out/keys
+mkdir -p "$ARTIFACT_DIR/esp" "$ARTIFACT_DIR/cd" "$ARTIFACT_DIR/docs" "$ESP_DIR" "$KEYS_DIR"
+
+if [ ! -f staging/boot/NuclearBootEdk2.efi ] || [ ! -f staging/boot/UUEFI.efi ]; then
+  ./pf.py build-build
+fi
+
+if [ ! -f "$KEYS_DIR/PK/PK.key" ]; then
+  ./pf.py secure-keygen
+fi
+
+if [ ! -f "$KEYS_DIR/PK/PK.auth" ]; then
+  ./pf.py secure-make-auth
+fi
+
+./pf.py build-package-esp
+
+if [ -f out/esp/esp.img ]; then
+  cp out/esp/esp.img "$ARTIFACT_DIR/esp/"
+fi
+
+cp staging/boot/NuclearBootEdk2.efi "$ARTIFACT_DIR/esp/"
+cp staging/boot/KeyEnrollEdk2.efi "$ARTIFACT_DIR/esp/"
+cp staging/boot/UUEFI.efi "$ARTIFACT_DIR/esp/"
+
+if [ -d "$KEYS_DIR" ]; then
+  cp -r "$KEYS_DIR" "$ARTIFACT_DIR/"
+fi
+
+echo '✅ Artifacts created in' "$ARTIFACT_DIR"
+ls -lh "$ARTIFACT_DIR/esp/"
diff --git a/bashpf/workflow-cd-prepare.sh b/bashpf/workflow-cd-prepare.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Prepare bootable CD/ISO with ESP and secure boot artifacts
+ARTIFACT_DIR=out/artifacts
+if [ ! -d "$ARTIFACT_DIR/esp" ]; then
+  echo 'Run workflow-artifact-create first'
+  exit 1
+fi
+
+CD_BUILD_DIR=nuclear-cd-build
+mkdir -p "$CD_BUILD_DIR/boot" "$CD_BUILD_DIR/efi" "$CD_BUILD_DIR/keys"
+
+if [ -f "$ARTIFACT_DIR/esp/esp.img" ]; then
+  cp "$ARTIFACT_DIR/esp/esp.img" "$CD_BUILD_DIR/boot/"
+fi
+
+cp "$ARTIFACT_DIR/esp/"*.efi "$CD_BUILD_DIR/efi/" || true
+
+if [ -d "$ARTIFACT_DIR/keys" ]; then
+  cp -r "$ARTIFACT_DIR/keys/"* "$CD_BUILD_DIR/keys/" || true
+fi
+
+bash scripts/secure-boot/create-secureboot-instructions.sh
+
+echo '✅ CD structure prepared in' "$CD_BUILD_DIR"
+echo '   Next: Use ISO creation tool to burn to CD'
diff --git a/bashpf/workflow-complete-esp-cd.sh b/bashpf/workflow-complete-esp-cd.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# Complete workflow: Create artifacts, prepare CD, generate instructions
+./pf.py workflow-artifact-create
+./pf.py workflow-cd-prepare
+./pf.py workflow-secureboot-instructions
+
+echo ""
+echo "✅ Complete ESP and CD workflow finished!"
+echo "   Artifacts: out/artifacts/"
+echo "   CD build:  nuclear-cd-build/"
+echo "   Docs:      out/artifacts/docs/SECURE_BOOT_SETUP.md"
diff --git a/bashpf/workflow-recovery-reboot-metal.sh b/bashpf/workflow-recovery-reboot-metal.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Reboot to normal metal boot (exit recovery environment)
+bash scripts/recovery/reboot-to-metal.sh
diff --git a/bashpf/workflow-recovery-reboot-vm.sh b/bashpf/workflow-recovery-reboot-vm.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Reboot to VM/recovery environment
+bash scripts/recovery/reboot-to-vm.sh
diff --git a/bashpf/workflow-secureboot-instructions.sh b/bashpf/workflow-secureboot-instructions.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Generate comprehensive secure boot setup instructions
+bash scripts/secure-boot/generate-secureboot-instructions.sh