From bcd6c5d87b809cfef944e2e134567f071e5f757e Mon Sep 17 00:00:00 2001 From: claude-veilor-bot <279801990+s8n-ru@users.noreply.github.com> Date: Wed, 6 May 2026 17:15:54 +0100 Subject: [PATCH] bluebuild: switch base to ghcr.io/secureblue/kinoite-main-hardened The 'securecore-kinoite-hardened-userns' image we'd been targeting does not exist in the secureblue org's package list. Their KDE Plasma (Kinoite) hardened variant is published as 'kinoite-main-hardened' (or 'kinoite-nvidia-hardened' for NV boxes). Switch the recipe + all doc references. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/build-bluebuild.yml | 2 +- README.md | 2 +- bluebuild/README.md | 2 +- bluebuild/recipe.yml | 2 +- docs/INSTALL-V07.md | 2 +- docs/PROOF-OF-WORK.md | 4 ++-- docs/ROADMAP.md | 4 ++-- docs/STRATEGY.md | 8 ++++---- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml index a8c41e4..1138c8f 100644 --- a/.github/workflows/build-bluebuild.yml +++ b/.github/workflows/build-bluebuild.yml @@ -111,7 +111,7 @@ jobs: else echo "[WARN] GHCR_PULL_TOKEN secret empty; trying anonymous pull" fi - podman pull ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest + podman pull ghcr.io/secureblue/kinoite-main-hardened:latest - name: Build OCI image with BlueBuild CLI container id: bluebuild diff --git a/README.md b/README.md index 0c422fd..1f6b43f 100644 --- a/README.md +++ b/README.md 
@@ -167,7 +167,7 @@ clean, locked down, with no manual post-install hardening required. [secureblue](https://github.com/secureblue/secureblue) is an upstream hardened atomic Fedora project we benchmark against and plan to **build on top of** at v0.7. The v0.7 BlueBuild spike uses their -`securecore-kinoite-hardened-userns` OCI image as its base — we don't +`kinoite-main-hardened` OCI image as its base — we don't ship their source code in this repo, we layer veilor branding, theming, the gum installer, and the kickstart bootstrap on top of their already-signed image. diff --git a/bluebuild/README.md b/bluebuild/README.md index 9d1c10b..8ececc0 100644 --- a/bluebuild/README.md +++ b/bluebuild/README.md @@ -18,7 +18,7 @@ bluebuild/ ``` The recipe extends -`ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest`. We +`ghcr.io/secureblue/kinoite-main-hardened:latest`. We inherit secureblue's hardening (sysctl + kargs + custom SELinux policy + USBGuard + hardened-malloc + Unbound DoT + chronyd NTS + Trivalent browser + cosign-signed image chain). On top, we layer: diff --git a/bluebuild/recipe.yml b/bluebuild/recipe.yml index 64d0fff..8fe3550 100644 --- a/bluebuild/recipe.yml +++ b/bluebuild/recipe.yml @@ -18,7 +18,7 @@ description: Hardened security-branded Fedora KDE on top of secureblue. # Base image: secureblue's hardened Kinoite variant with userns sandboxing. # That brings in: sysctl + kargs + custom SELinux policy + USBGuard + # hardened-malloc + Unbound DoT + chronyd NTS + Trivalent browser. -base-image: ghcr.io/secureblue/securecore-kinoite-hardened-userns +base-image: ghcr.io/secureblue/kinoite-main-hardened image-version: latest modules: diff --git a/docs/INSTALL-V07.md b/docs/INSTALL-V07.md index fd0808e..2b628bd 100644 --- a/docs/INSTALL-V07.md +++ b/docs/INSTALL-V07.md 
@@ -126,7 +126,7 @@ bootc status The image is built by `.github/workflows/build-bluebuild.yml` on the self-hosted Forgejo runner (label `nullstone`). Build inputs: -- Base: `ghcr.io/secureblue/securecore-kinoite-hardened-userns` +- Base: `ghcr.io/secureblue/kinoite-main-hardened` - Recipe: [`bluebuild/recipe.yml`](../bluebuild/recipe.yml) - Veilor overlay: stamped via BlueBuild `type: files` modules - Layered RPMs: `sudo`, `xorg-x11-server-Xwayland`, `mullvad-browser`, diff --git a/docs/PROOF-OF-WORK.md b/docs/PROOF-OF-WORK.md index 4faff56..e1627a0 100644 --- a/docs/PROOF-OF-WORK.md +++ b/docs/PROOF-OF-WORK.md @@ -30,7 +30,7 @@ | Project | Role in veilor-os | |---|---| | Fedora 43 KDE | Base OS for v0.5.x kickstart-installed flat builds | -| [secureblue](https://github.com/secureblue/secureblue) | Upstream hardened atomic Fedora; v0.7 BlueBuild spike layers our overlay on top of `securecore-kinoite-hardened-userns` | +| [secureblue](https://github.com/secureblue/secureblue) | Upstream hardened atomic Fedora; v0.7 BlueBuild spike layers our overlay on top of `kinoite-main-hardened` | | Kicksecure / Whonix | Reference for AppArmor + apt-transport-tor model (we don't ship Tor; we did read their docs) | | Bluefin / Bazzite (uBlue) | Reference for BlueBuild recipe shape and OCI publishing pattern | | Tails | Reference for live-only install model — explicitly **not** veilor's path | 
@@ -194,7 +194,7 @@ The repo carries more than just an ISO recipe: | `scripts/selinux/veilor-systemd.te` | Custom SELinux module (targeted policy gap fixes) | | `scripts/30-apply-v03-theme.sh` | Plymouth + SDDM + Konsole + wallpaper apply | | `scripts/40-apparmor.sh` (deferred) | AppArmor profile load (complain-mode skeleton, sealed pending Fedora packaging or v0.7 secureblue) | -| `bluebuild/recipe.yml` | v0.7 OCI recipe (base = secureblue securecore-kinoite-hardened-userns) | +| `bluebuild/recipe.yml` | v0.7 OCI recipe (base = secureblue kinoite-main-hardened) | | `kickstart/install-ostreecontainer.ks` | v0.7 install ks: 10 lines, just `ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry` | | `assets/installer/{banner.txt,colors.gum}` | Pure-block VEILOR OS wordmark + branded gum colour palette | | `assets/branding/` | Logo, wallpapers, plymouth theme assets | diff --git a/docs/ROADMAP.md b/docs/ROADMAP.md index 457f654..f1c8026 100644 --- a/docs/ROADMAP.md +++ b/docs/ROADMAP.md @@ -252,7 +252,7 @@ ergonomic work and becomes the next ship target. Scope: - BlueBuild recipe (`bluebuild/recipe.yml`) layering on - `ghcr.io/secureblue/securecore-kinoite-hardened-userns` + `ghcr.io/secureblue/kinoite-main-hardened` - `kickstart/install-ostreecontainer.ks` — 10-line kickstart that calls `ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry` and lets Anaconda's LUKS UX drive the install @@ -292,7 +292,7 @@ spike on `quay.io/fedora/fedora-bootc:43`. Research on 2026-05-05 `docs/research/2026-05-05-agent-wave/`), then a parent-operator refinement same day, locked the path: **layer veilor's branding + threat model + UX on top of secureblue's already-shipping -`securecore-kinoite-hardened-userns` OCI image** via a BlueBuild +`kinoite-main-hardened` OCI image** via a BlueBuild recipe, and install it directly during the Anaconda pass via the `ostreecontainer` kickstart directive (no first-boot rebase). 
diff --git a/docs/STRATEGY.md b/docs/STRATEGY.md index 76dd724..4db8c61 100644 --- a/docs/STRATEGY.md +++ b/docs/STRATEGY.md @@ -12,7 +12,7 @@ Locked at: **v0.5.31 → v0.7 spike → v1.0** works). - Anaconda's `ostreecontainer` directive populates the root filesystem directly from a **veilor-os OCI image** (built via BlueBuild on top - of secureblue's `securecore-kinoite-hardened-userns`) **during the + of secureblue's `kinoite-main-hardened`) **during the install pass — no first-boot rebase, no mutable→atomic transition**. - All future updates flow through `bootc upgrade` — atomic A/B, instant rollback, cosign-signed. @@ -236,7 +236,7 @@ distro: **honest, scoped, public threat model**. The Containerfile-from-scratch spike plan (Agent 3 of 2026-05-05 wave) is **superseded** by this hybrid: don't build a Containerfile from scratch on `fedora-bootc:43`. Instead, write a BlueBuild recipe -on `securecore-kinoite-hardened-userns`. With `ostreecontainer` +on `kinoite-main-hardened`. With `ostreecontainer` swap, spike compresses 1 week → 1 day. ## Next concrete steps @@ -254,7 +254,7 @@ in the v0.7 spike branch only. ### v0.7-spike (1 day, separate branch) 1. New repo dir: `bluebuild/recipe.yml`. -2. `from`: `ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest`. +2. `from`: `ghcr.io/secureblue/kinoite-main-hardened:latest`. 3. Override modules: - `type: files` — stamp our `overlay/*` tree (branding, themes, veilor scripts, sddm theme, plymouth theme). @@ -350,7 +350,7 @@ The hybrid strategy locked at v0.5 is now in execution. ROADMAP.md as historical reference. - **v0.7 BlueBuild OCI is the active mainline.** The `v0.7-bluebuild-spike` branch carries the BlueBuild recipe layered - on `ghcr.io/secureblue/securecore-kinoite-hardened-userns`, the + on `ghcr.io/secureblue/kinoite-main-hardened`, the `ostreecontainer` kickstart bootstrap, and the new `bootc upgrade`- driven update channel. - **v0.6 ergonomic CLIs ported, not rewritten.** `veilor-update`
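Review bot: the `podman pull ghcr.io/secureblue/kinoite-main-hardened:latest` line in the `.github/workflows/build-bluebuild.yml` hunk pulls a floating tag with no digest pin and no signature check, so the build trusts whatever GHCR serves under `latest` at run time. The docs changed in this same patch describe the base as part of a cosign-signed image chain, so verify it before building: run `cosign verify` on the pulled reference against whatever key or identity secureblue publishes for that image, or pin an `@sha256:` digest that is bumped deliberately. The verification step should fail the job, not warn; the adjacent `echo "[WARN] GHCR_PULL_TOKEN secret empty; trying anonymous pull"` branch already shows the log-and-continue pattern that would otherwise mask a bad pull.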
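Review bot: in the `bluebuild/recipe.yml` hunk the comment above the changed line still reads `# Base image: secureblue's hardened Kinoite variant with userns sandboxing.`, but the `-userns` qualifier was dropped from the image name and nothing in the patch establishes that `kinoite-main-hardened` carries the same user-namespace sandboxing. Either confirm that property of the new base and keep the comment, or reword it so the recipe does not document a hardening feature the base may not provide; the feature list in the following comment lines (sysctl, kargs, SELinux policy, USBGuard, hardened-malloc, Unbound DoT, chronyd NTS, Trivalent) was written for the old variant and deserves the same re-check. Separately, `image-version: latest` leaves the base unpinned; pin a specific tag or digest so rebuilds are reproducible and a base change shows up as an explicit, reviewable diff.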
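Review bot: the `bluebuild/README.md` hunk changes only the image name while keeping the sentence `inherit secureblue's hardening (sysctl + kargs + custom SELinux policy + USBGuard + hardened-malloc + Unbound DoT + chronyd NTS + Trivalent browser + cosign-signed image chain)`; that claim was made about `securecore-kinoite-hardened-userns` and is now asserted for a different image. Re-verify it against the new base (for example by running a container from the image and checking for the relevant packages, units and kargs) and state explicitly whether unprivileged user namespaces are enabled, since that affects Flatpak, bubblewrap and rootless podman on the resulting system.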
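Review bot: the commit message says `kinoite-nvidia-hardened` is the variant for NVIDIA machines, but the `README.md` hunk names only `kinoite-main-hardened` and the recipe has a single `base-image:` key. If NVIDIA hosts are a supported target, document how they are covered (a second recipe, a build matrix entry, or an explicit "unsupported" note) so readers do not assume the main image includes the driver stack.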
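Review bot: step 2 in the `docs/STRATEGY.md` hunk at `@@ -254,7` reads `2. \`from\`: \`ghcr.io/secureblue/kinoite-main-hardened:latest\`.`, but the recipe in this same patch uses the key `base-image:` with the tag on a separate `image-version:` line, not `from`. Since the step list is being corrected for the image name anyway, correct the key name too so the steps can be followed literally against `bluebuild/recipe.yml`.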