1 files changed, 93 insertions, 100 deletions
diff --git a/docs/session-context.org b/docs/session-context.org
index ce2abd1..c547200 100644
--- a/docs/session-context.org
+++ b/docs/session-context.org
@@ -1,112 +1,105 @@
 #+TITLE: Session Context - Active Session
 #+DATE: 2026-01-25
 
-* Session: Saturday 2026-01-24 @ 18:09 CST (continued to ~00:10 Sunday)
+* Session: Sunday 2026-01-25 @ 00:15 CST (continued to ~05:45)
 
-** Current Task: Phase 4.3 Validation Checks - Reboot Test Debugging
+** Current Task: LUKS Automated Testing - Almost Working
 
 *** Summary
-We're implementing automated reboot survival and rollback tests for btrfs
-installations. The installation itself works, but the reboot test is failing
-because GRUB drops to grub> prompt after reboot.
-
-*** Root Cause Identified
-The grub.cfg file is EMPTY (0 bytes) after the VM is killed, even though it
-was 5652 bytes when checked inside the running VM. This is a FAT32 filesystem
-sync issue - data wasn't flushed before the VM was terminated.
-
-*** Fixes Applied (committed)
-1. GRUB modules stored on EFI partition (FAT32) with --boot-directory=/efi
-2. Symlink /boot/grub -> /efi/grub created BEFORE grub-mkconfig
-3. Added sync after grub-mkconfig (ensure FAT32 write completes)
-4. Added sync before unmounting EFI in cleanup
-5. Test framework now uses correct password (ROOT_PASSWORD from config) for
-   post-reboot SSH instead of ISO password (archzfs)
-
-*** Commits Made This Session
-- 7bb88b9 Fix GRUB boot for btrfs with subvolumes
-- 36d429e Add reboot survival and rollback verification tests
-- 79b4522 Update test config and documentation
-
-*** Files Modified
-- custom/lib/btrfs.sh - GRUB on EFI, sync calls
-- scripts/test-install.sh - reboot/rollback test infrastructure, password handling
-- scripts/test-configs/btrfs-single.conf - added NO_ENCRYPT=yes
-- custom/RESCUE-GUIDE.txt - offline Arch Wiki section
-- todo.org - updated completed tasks
-
-*** Test Infrastructure Added to test-install.sh
+Implementing automated LUKS passphrase handling for reboot tests. Using hybrid
+approach: sendkey for GRUB prompt + keyfile for initramfs.
+
+*** What's Working
+1. sendkey for GRUB passphrase - WORKING
+   - Monitor socket added to VM
+   - handle_luks_passphrase() detects prompt and sends keystrokes
+   - GRUB successfully decrypts (serial shows "Slot 0 opened")
+   - Kernel and initramfs load successfully
+
+2. Keyfile setup - WORKING
+   - setup_luks_testing_keyfile() creates keyfile
+   - Adds keyfile to LUKS slot 1
+   - Embeds in initramfs via FILES=
+   - Updates crypttab to use keyfile
+
+*** Bug Just Fixed
+configure_btrfs_initramfs() was overwriting HOOKS and removing the encrypt hook.
+Just fixed by checking if LUKS is enabled and including encrypt hook.
+
+The fix (in btrfs.sh line ~815-825):
 #+begin_src bash
-# New functions:
-start_vm_from_disk()     # Boot VM from installed disk (no ISO)
-stop_vm() keep_vars      # Optional param to preserve EFI boot entries
-wait_for_ssh() password  # Optional password param (for installed system)
-ssh_cmd()                # Uses INSTALLED_PASSWORD when set
-verify_reboot_survival() # Checks system boots, filesystem healthy
-verify_rollback()        # Tests snapshot create/rollback
-
-# Flow in run_test():
-# 1. Boot ISO, install system
-# 2. Verify installation
-# 3. stop_vm with keep_vars=true (preserve OVMF_VARS)
-# 4. start_vm_from_disk (no ISO, boot from disk)
-# 5. wait_for_ssh using ROOT_PASSWORD from config
-# 6. verify_reboot_survival
-# 7. verify_rollback
-# 8. Cleanup
+local encrypt_hook=""
+[[ "$NO_ENCRYPT" != "yes" && -n "$LUKS_PASSPHRASE" ]] && encrypt_hook="encrypt "
+# Then include ${encrypt_hook} in HOOKS sed command
 #+end_src
 
-*** Current Test Status
-- Installation: PASSES (verified manually and in tests)
-- Post-install verification: PASSES
-- Reboot test: FAILS - grub.cfg is empty after VM killed
-
-The sync fix was just committed but NOT yet tested. Need to:
-1. Rebuild ISO with the sync fixes
-2. Run btrfs-single test
-3. Verify grub.cfg is not empty after reboot
-
-*** Key Technical Details
-- GRUB prefix is (,gpt1)/grub when using --boot-directory=/efi
-- grub.cfg must be at /efi/grub/grub.cfg (EFI partition)
-- Symlink /boot/grub -> /efi/grub makes grub-btrfs work
-- FAT32 needs explicit sync before VM termination
-- OVMF_VARS.fd stores EFI boot entries - must preserve between VM stop/start
-- Test uses port 2222 for SSH forwarding
-
-*** Debug Commands Used
-#+begin_src bash
-# Check EFI partition from inside VM:
-ls -la /mnt/efi/grub/
-cat /mnt/efi/grub/grub.cfg
+*** Next Step
+Run the test again to verify the fix works:
+./scripts/test-install.sh btrfs-luks
 
-# Mount installed disk from host:
-sudo qemu-nbd -c /dev/nbd0 vm/disk.qcow2
-sudo mount /dev/nbd0p1 /tmp/efi-check
-cat /tmp/efi-check/grub/grub.cfg
+*** Files Modified This Session
+- custom/lib/btrfs.sh
+  - Added setup_luks_testing_keyfile() function
+  - Modified configure_crypttab() for keyfile support
+  - Modified configure_luks_initramfs() for keyfile in FILES=
+  - Fixed configure_btrfs_initramfs() to preserve encrypt hook
 
-# Check serial log for GRUB output:
-cat test-logs/btrfs-single-reboot-serial.log
-#+end_src
+- custom/archangel
+  - Added call to setup_luks_testing_keyfile() in LUKS flow
 
-** Remaining Btrfs Plan Phases
-- Phase 4.3: Validation checks - IN PROGRESS (sync fix needs testing)
-- Phase 5: CLI tools (archangel-snapshot, archangel-rollback, archangel-list)
-- Phase 6: Documentation (README, RESCUE-GUIDE, BTRFS.org)
-
-** Test Status Before Reboot Test Additions
-All btrfs tests were passing:
-- btrfs-single, btrfs-luks, btrfs-mirror, btrfs-stripe, btrfs-mirror-luks
-- ZFS: single-disk, mirror, raidz1
-
-** Next Steps
-1. Rebuild ISO (includes sync fixes)
-2. Run: ./scripts/test-install.sh btrfs-single
-3. If still failing, check serial log and verify grub.cfg has content
-4. Once passing, run full btrfs test suite
-5. Continue to Phase 5 or 6
-
-** Open Questions / Potential Issues
-- Multi-disk btrfs GRUB functions also updated but not tested after sync fix
-- grub-btrfsd service might need config for non-standard grub.cfg location
-- Rollback test not yet validated (system needs to boot first)
+- scripts/test-install.sh
+  - Added monitor socket to start_vm_from_disk()
+  - Added handle_luks_passphrase() function
+  - Added send_key_to_monitor() function
+  - Integrated LUKS handling into reboot test flow
+
+- scripts/test-configs/btrfs-luks.conf - Added TESTING=yes
+- scripts/test-configs/btrfs-mirror-luks.conf - Added TESTING=yes
+- docs/TESTING-STRATEGY.org - New file documenting approach
+
+*** Commits Made This Session
+- a099f50: Add ISO naming task, update session context
+
+*** Test Results Before Fix
+- btrfs-single: PASS
+- btrfs-mirror: PASS
+- btrfs-stripe: PASS
+- btrfs-luks: FAIL (encrypt hook missing - just fixed)
+- btrfs-mirror-luks: FAIL (same issue)
+
+*** Technical Details
+
+LUKS Boot Flow:
+1. GRUB decrypts /boot with GRUB_ENABLE_CRYPTODISK (sendkey provides passphrase)
+2. GRUB loads kernel and initramfs
+3. Initramfs encrypt hook decrypts root (keyfile provides passphrase)
+4. Root mounted, boot continues
+
+sendkey Implementation:
+- QEMU monitor socket: -monitor unix:$VM_DIR/monitor-${test_name}.sock,server,nowait
+- Watch serial log for "Enter passphrase for"
+- Send passphrase char-by-char via "sendkey" monitor command
+- Character mapping (a-z, 0-9, special chars to QEMU key names)
+
+Keyfile Implementation:
+- Random 2KB keyfile at /etc/cryptroot.key
+- Added to LUKS slot 1 (passphrase stays in slot 0)
+- Embedded in initramfs via mkinitcpio FILES=()
+- crypttab uses keyfile path instead of "none"
+
+*** Decision Rationale
+Chose hybrid approach (sendkey + keyfile) over:
+- Option A (unencrypted /boot): Tests different code path than production
+- Option B (accept limitation): Would miss integration bugs like empty grub.cfg
+
+Documented in docs/TESTING-STRATEGY.org.
+
+*** ISO on Ventoy
+archzfs-vmlinuz-6.12.66-lts-2026-01-25-x86_64.iso (2.1G)
+Updated on Ventoy flash drive.
+
+*** Remaining Work
+1. Verify encrypt hook fix works
+2. Run full btrfs test suite including LUKS configs
+3. If passing, commit all changes
+4. Continue to Phase 5 (CLI tools) or Phase 6 (documentation)