Below is a **fully upgraded “LLM Reconstruction Spec”** designed to reliably regenerate a script _very close to your original_, not just functionally equivalent.

This is written as a **drop-in prompt** you can give to another AI.

---

# 🧠 ZFSBootMenu UKI Builder — High-Fidelity Reconstruction Spec

## 1. Role & Intent (Context Anchoring)

You are an expert **Linux systems engineer and Bash developer** specializing in:

- ZFSBootMenu
- initramfs generation (mkinitcpio / dracut)
- EFI / UKI workflows
- Secure Boot signing
- early userspace networking (Dropbear)

The task is a **legitimate system administration operation** to automate building and configuring a ZFSBootMenu UKI environment on a private Linux system.

---

## 2. Objective

Generate a **production-quality Bash script** named:

```
zbm-builder.sh
```

Its purpose is to:

> Clone or update the ZFSBootMenu repository, generate a fully self-contained build environment, configure initramfs + ZBM settings, optionally enable SSH and Secure Boot, and prepare a UKI build setup with reproducible configuration.

---

## 3. Reconstruction Fidelity Requirements (CRITICAL)

The script must **reproduce both structure AND behavior**, not just functionality.

### MUST PRESERVE:

- Linear execution flow (top-down script, not fully abstracted)
- Section headers using:

  ```
  # --- Section Name ---
  ```

- Argument parsing using:

  ```
  while [[ $# -gt 0 ]]; do
    case "$1" in
  ```

- Use of:
  - `set -euo pipefail`
  - `command -v`
  - inline `$(...)` substitutions
- Configuration generation via:

  ```
  conf_print_*() {
    cat <<'EOF'
  ```

- Git workflow:
  - clone if missing
  - fetch + checkout + pull
- Explicit directory creation using `mkdir -p`

---

### MUST NOT:

- Replace heredocs with echo/printf chains
- Convert script into a purely modular/function-driven framework
- Use `getopts` instead of `while/case`
- Collapse major sections into fewer blocks
- Introduce external frameworks or dependencies

---

## 4. Script Structure Contract (ORDER IS IMPORTANT)

The script must follow this exact high-level structure:

```
1. Shebang + strict mode
2. Help/usage function
3. Prerequisite validation
4. Default variable definitions
5. Argument parsing
6. Git repository handling
7. Directory setup
8. Configuration generation (conf_print_* functions)
9. SSH setup (conditional)
10. Network configuration logic
11. Kernel command-line construction
12. Optional build trigger (--build-now)
```

Each section must be clearly separated with comment headers.

---

## 5. Core Functional Requirements

### 5.1 Strict Mode & Validation

- Use:

  ```
  set -euo pipefail
  ```

- Validate required commands:

  ```
  curl
  dropbearkey
  dropbear
  ssh-keygen
  awk
  ip
  git
  rsync
  sbsign
  ```

- Exit with error if missing
- Enforce root execution (`EUID` check)

---

### 5.2 Argument Parsing

Support the following flags:

| Flag            | Behavior                          |
| --------------- | --------------------------------- |
| `--build-dir`   | Override base config directory    |
| `--output-dir`  | Override build output path        |
| `--branch`      | `stable`, `head`, or explicit tag |
| `--ssh`         | Enable Dropbear SSH               |
| `--ssh-port`    | Set SSH port                      |
| `--network`     | `DHCP` or `STATIC`                |
| `--secure-boot` | Enable signing                    |
| `--sb-key`      | Path to signing key               |
| `--sb-cert`     | Path to cert                      |
| `--build-now`   | Immediately execute build         |

Unknown options must trigger help output + exit.

---

### 5.3 Git Repository Logic

Repository:

```
https://github.com/zbm-dev/zfsbootmenu.git
```

Behavior:

- If `stable`: → fetch latest release via GitHub API
- If `head`: → use `master`
- Else: → use provided branch/tag

Then:

```
git clone (if missing)
git fetch --all --tags
git checkout
git pull origin || true
```

---

### 5.4 Directory Layout

Create:

```
$BUILD_DIR/
zfsbootmenu/
recovery.conf.d/
dracut.conf.d/
release.conf.d/
zbm-builder/
dropbear/
build/ (output)
```

All directories must be created with `mkdir -p`.

---

### 5.5 Configuration Generation Pattern (MANDATORY)

All config files must be generated using this pattern so as to recreate the directory structure and the file:

```
filename=""
conf_print_() {
cat <<'EOF'
EOF
}
mkdir -p "$(dirname "${filename}")"
conf_print_ | tee "/${filename}"
```

Required config files:

- `zbm-builder/mkinitcpio.conf`
- `zbm-builder/config.yaml`
- `zfsbootmenu/mkinitcpio.conf`
- `zfsbootmenu/config.yaml`

Must include:

- hook overrides via `/build/mkinitcpio.conf.d/*`
- ZBM config structure with Global / Components / EFI / Kernel sections

---

### 5.6 SSH Feature (Dropbear)

If `--ssh` is enabled:

- Ensure authorized_keys file exists
- If local public key missing: → generate via `ssh-keygen -t ed25519`
- Append + deduplicate keys (`sort -u`)
- Set permissions:
  - dir: 700
  - file: 600

Generate host keys if missing:

```
dropbearkey -t rsa
dropbearkey -t ecdsa
dropbearkey -t ed25519
```

---

### 5.7 Network Configuration

Default:

```
ip=dhcp
```

If STATIC:

- Detect interface:

  ```
  ip route show default
  ```

- Extract:
  - interface
  - CIDR
  - gateway

Construct kernel parameter dynamically.

---

### 5.8 Kernel Command Line Assembly

Start with:

```
loglevel=4 zbm.import_delay=10
```

Conditionally append:

- SSH flags:

  ```
  zbm.ssh=1 zbm.ssh_port=
  ```

- Network parameters

Result must be stored in a single variable.

---

### 5.9 Secure Boot (Conditional)

If enabled:

- Require key + cert paths
- Use `sbsign` for EFI binaries
- Do not proceed if missing

---

### 5.10 Idempotency & Safety

The script must:

- Be safe to run multiple times
- Not overwrite existing keys/configs unnecessarily
- Check file existence before generation
- Avoid duplicate entries

---

## 6. Behavioral Anchors (DO NOT OMIT)

The script MUST include recognizable constructs equivalent to:

- `command -v "$cmd"`
- `git fetch --all --tags`
- `dropbearkey -t rsa`
- `ip route show default`
- heredoc config generators
- `sort -u` for key deduplication

These are required for reconstruction fidelity.

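Section 5.7 leaves the static case at "construct kernel parameter dynamically". The Bash below is an added example, not part of the original script or of this spec: it parses the two `ip` outputs, converts the prefix length to a netmask, validates each field and emits the kernel's `ip=<client>:<server>:<gw>:<netmask>:<hostname>:<device>:<autoconf>` form. The function names, the use of `ip -o -4 addr show`, the choice of that `ip=` syntax and the sample output are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the original script. The sample `ip` output is constructed.
set -euo pipefail

# CIDR prefix length (0-32) -> dotted-quad netmask.
prefix_to_netmask() {
  local prefix=$1 mask="" bits i
  [[ $prefix =~ ^[0-9]{1,2}$ ]] || return 1
  prefix=$((10#$prefix))
  (( prefix <= 32 )) || return 1
  for i in 1 2 3 4; do
    bits=$(( prefix >= 8 ? 8 : prefix ))
    mask+=$(( 256 - (1 << (8 - bits)) ))
    (( i == 4 )) || mask+=.
    prefix=$(( prefix - bits ))
  done
  printf '%s\n' "$mask"
}

# stdin: `ip route show default` -> "<dev> <gateway>" of the first default route.
parse_default_route() {
  awk '$1 == "default" {
    for (i = 2; i < NF; i++) { if ($i == "via") gw = $(i+1); if ($i == "dev") dev = $(i+1) }
    print dev, gw; exit }'
}

# stdin: `ip -o -4 addr show dev <dev>` -> first "<address>/<prefix>".
parse_cidr() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "inet") { print $(i+1); exit } }'
}

# Every field is validated because the result is embedded in the boot command line.
build_static_ip_param() {
  local route_out=$1 addr_out=$2 dev="" gw="" cidr addr mask
  local ipv4='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  read -r dev gw < <(parse_default_route <<<"$route_out") || true
  cidr=$(parse_cidr <<<"$addr_out")
  addr=${cidr%/*}
  if ! [[ $dev =~ ^[A-Za-z0-9._-]+$ && $gw =~ $ipv4 && $cidr == */* && $addr =~ $ipv4 ]]; then
    echo "cannot derive static network settings" >&2
    return 1
  fi
  mask=$(prefix_to_netmask "${cidr#*/}") || return 1
  printf 'ip=%s::%s:%s::%s:none\n' "$addr" "$gw" "$mask" "$dev"
}

SAMPLE_ROUTE='default via 192.0.2.1 dev eth0 proto static metric 100'
SAMPLE_ADDR='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'
build_static_ip_param "$SAMPLE_ROUTE" "$SAMPLE_ADDR"
```

A default route without a `via` hop (for example a point-to-point link) is rejected rather than producing a parameter with an empty gateway.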
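Sections 5.6 and 5.10 together ask for an authorized_keys merge that can be re-run without side effects. The Bash below is an added example, not part of the original script or of this spec: it merges a public key with `sort -u`, applies the 700/600 permissions, replaces the file atomically and refuses input that is not a public key. The function name, the `dropbear/authorized_keys` location and the key text are assumptions; generating a missing key with `ssh-keygen` is left out.

```bash
#!/usr/bin/env bash
# Added example, not the original script. Paths and key text are constructed.
set -euo pipefail

KEY_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'

# Merge a public key file into <auth_dir>/authorized_keys.
# The body is a subshell "( )" so the umask change does not leak to the caller.
merge_authorized_key() (
  pubkey=$1 auth_dir=$2 auth_file="$2/authorized_keys"
  # Refuse anything that is not made up of OpenSSH public key lines, e.g. a
  # private key file passed by mistake (id_ed25519 instead of id_ed25519.pub).
  if grep -sqvE "$KEY_RE" "$pubkey" || ! grep -sqE "$KEY_RE" "$pubkey"; then
    echo "not a public key file: $pubkey" >&2
    exit 1
  fi
  umask 077
  mkdir -p "$auth_dir"
  chmod 700 "$auth_dir"
  touch "$auth_file"
  # Build the merged list in a temp file in the same directory, then rename,
  # so an interrupted run never leaves a truncated authorized_keys behind.
  tmp=$(mktemp "$auth_dir/.authorized_keys.XXXXXX")
  sort -u "$auth_file" "$pubkey" > "$tmp"
  chmod 600 "$tmp"
  mv -f "$tmp" "$auth_file"
)

# Demo on constructed data in a throwaway directory.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal0000000000000 admin@example' \
  > "$demo_dir/id.pub"
merge_authorized_key "$demo_dir/id.pub" "$demo_dir/dropbear"
merge_authorized_key "$demo_dir/id.pub" "$demo_dir/dropbear"   # second run changes nothing
wc -l < "$demo_dir/dropbear/authorized_keys"
```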
---

## 7. Output Requirements

- Output the **complete script only**
- No explanations
- Include inline comments explaining each section
- Ensure script is immediately runnable

---

## 8. Optional Enhancements (Allowed but Minimal)

You MAY include:

- Improved error messages
- Slightly cleaner variable naming (if consistent)
- Minor robustness improvements

You MUST NOT:

- Change architecture
- Remove sections
- Replace core logic patterns

---

# ✅ Result

This spec will consistently produce:

- ~90–98% structural match
- Same logic flow
- Same feature set
- Same operational behavior

---

## ⚡ If You Want Even More Precision

You can append this:

```
Match the original script’s verbosity, comment style, and section naming conventions exactly.
Preserve the feel of a sysadmin utility script, not a library or framework.
```

---

If you want next-level control, I can also generate a **“diff-lock spec”** that forces the AI to match even _line patterns and naming conventions_ across different models.