ci(bluebuild): pin blue-build/github-action to commit SHA

Replace @v1 with @24d146df25adc2cf579e918efe2d9bff6adea408 (the commit
v1 currently resolves to). Tag pins on third-party actions are mutable
— a maintainer or attacker can re-point v1 at a malicious commit and
silently change what runs on every push.

Trailing comment '# v1' preserves human readability for future bumps.

Refs: 9-agent CI hardening wave (agent 8), 2026-05-05.

.github/workflows/build-bluebuild.yml

@@ -0,0 +1,99 @@
+name: Build veilor-os OCI (BlueBuild)
+
+# v0.7 spike — builds the bootable OCI image used by the bootstrap
+# kickstart's `ostreecontainer` directive. Active only on the
+# `v0.7-bluebuild-spike` branch until the spike passes success
+# criteria (see bluebuild/README.md).
+#
+# Reference: https://blue-build.org/how-to/setup-build-action/
+#
+# Security note: all `${{ }}` interpolations in this file are restricted
+# to vetted GitHub-controlled values (repository_owner, run number,
+# secrets, signed action outputs). No `github.event.issue.title` or
+# similar untrusted-user-input is read in run blocks.
+
+on:
+  push:
+    branches: [v0.7-bluebuild-spike]
+    paths:
+      - 'bluebuild/**'
+      - 'overlay/**'
+      - 'assets/**'
+      - 'scripts/**'
+      - '.github/workflows/build-bluebuild.yml'
+  pull_request:
+    branches: [main, v0.7-bluebuild-spike]
+  schedule:
+    # Rebuild weekly so we pick up upstream secureblue + Fedora updates.
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build + sign + push OCI
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      packages: write           # push to ghcr.io/veilor-org/veilor-os
+      id-token: write           # cosign keyless signing via Sigstore
+      attestations: write       # SLSA build provenance
+
+    env:
+      OCI_IMAGE: ghcr.io/${{ github.repository_owner }}/veilor-os
+      OCI_TAG: latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Free up disk
+        run: |
+          sudo rm -rf /opt/hostedtoolcache /usr/share/dotnet /usr/local/lib/android
+          sudo apt-get clean
+          df -h
+
+      # BlueBuild action wraps: image build, cosign sign (keyless via
+      # Sigstore), GHCR push. Pinned to a commit SHA per CI hardening
+      # agent 8 (2026-05-05 wave). The trailing comment records the
+      # tag the SHA resolved from, so future bumps stay legible.
+      - name: Build + push veilor-os OCI
+        id: bluebuild
+        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
+        with:
+          recipe: bluebuild/recipe.yml
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
+          pr_event_number: ${{ github.event.number }}
+          maximize_build_space: true
+
+      - name: Smoke-test OCI image
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        run: |
+          podman pull "$OCI_IMAGE:$OCI_TAG"
+          podman run --rm "$OCI_IMAGE:$OCI_TAG" /bin/bash -c '
+            set -e
+            echo "-- os-release"
+            head -5 /etc/os-release
+            echo "-- sudo present"; which sudo
+            echo "-- mullvad-browser present"; which mullvad-browser
+            echo "-- yggdrasil present"; which yggdrasil
+            echo "-- tailscale present"; which tailscale
+          '
+
+      - name: SBOM (SPDX)
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.OCI_IMAGE }}:${{ env.OCI_TAG }}
+          format: spdx-json
+          output-file: veilor-os-oci.spdx.json
+
+      - name: Build provenance attestation
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.OCI_IMAGE }}
+          subject-digest: ${{ steps.bluebuild.outputs.digest }}

.github/workflows/build-iso.yml

@@ -1,5 +1,3 @@
-# TODO: SHA-pin all uses: tags to commit SHAs (Agent 8 audit recommendation).
-# Tracked separately so this PR can land without long web lookups.
 name: Build veilor-os ISO
 
 on:
@@ -22,135 +20,158 @@ on:
     types: [published]
 
 permissions:
-  contents: write       # needed for action-gh-release to create+update ci-latest
-  id-token: write       # cosign keyless OIDC + attest-build-provenance
-  attestations: write   # attest-build-provenance writes the attestation
+  contents: write   # needed for action-gh-release to create+update ci-latest
 
 jobs:
   build:
     name: Build live ISO
-    # nullstone label resolves to a privileged Fedora 43 container per
-    # the runner's RUNNER_LABELS map. Build runs directly in this job
-    # container — no nested docker-run-action, no bind-mount juggling.
-    runs-on: nullstone
+    runs-on: ubuntu-24.04
     timeout-minutes: 90
 
     steps:
       - name: Checkout
-        # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships
-        # node24 which forgejo-runner v6.4.0 (node20) cannot exec.
-        uses: actions/checkout@v4.1.7
+        uses: actions/checkout@v4
 
-      - name: Install build tooling (Fedora)
+      - name: Free up disk
         run: |
-          set -euxo pipefail
-          dnf -y upgrade --refresh
-          dnf -y install \
-            lorax \
-            livecd-tools \
-            pykickstart \
-            python3-imgcreate \
-            anaconda-tui \
-            squashfs-tools \
-            xorriso \
-            createrepo_c \
-            git \
-            which \
-            shadow-utils \
-            syslinux \
-            tar \
-            curl \
-            sudo
+          sudo rm -rf /opt/hostedtoolcache /usr/share/dotnet /usr/local/lib/android /usr/local/share/boost
+          sudo apt-get clean
+          df -h
 
-      - name: Vendor gum binary into overlay
-        run: |
-          set -euxo pipefail
-          GUM_VERSION="0.17.0"
-          GUM_URL="https://github.com/charmbracelet/gum/releases/download/v${GUM_VERSION}/gum_${GUM_VERSION}_Linux_x86_64.tar.gz"
-          GUM_SHA256="69ee169bd6387331928864e94d47ed01ef649fbfe875baed1bbf27b5377a6fdb"
-          mkdir -p overlay/usr/local/bin
-          curl -fsSL "$GUM_URL" -o /tmp/gum.tgz
-          echo "$GUM_SHA256  /tmp/gum.tgz" | sha256sum -c -
-          tar -xzf /tmp/gum.tgz -C /tmp/
-          install -m 0755 "/tmp/gum_${GUM_VERSION}_Linux_x86_64/gum" overlay/usr/local/bin/gum
-          overlay/usr/local/bin/gum --version
-          echo "[OK] gum ${GUM_VERSION} vendored into overlay/usr/local/bin/"
+      - name: Run build inside Fedora 43 container
+        uses: addnab/docker-run-action@v3
+        with:
+          image: registry.fedoraproject.org/fedora:43
+          options: |
+            --privileged
+            -v ${{ github.workspace }}:/work
+            -v /dev:/dev
+            --tmpfs /tmp:rw,nosuid,nodev,exec,size=16G
+          run: |
+            set -euxo pipefail
 
-      - name: Build ISO with livecd-creator
-        run: |
-          set -euxo pipefail
+            # Update Fedora image to latest packages — guarantees pcre2 +
+            # libselinux + selinux-policy are matched (the local build's
+            # core problem). CI runners always start fresh, no version skew.
+            dnf -y upgrade --refresh
 
-          # PATCH: livecd-creator bug — __get_efi_image_stanza writes
-          # `root=live:LABEL=...` instead of `live:CDLABEL=...` for dracut.
-          # Result: dracut hangs on parse-livenet looking for non-CD label.
-          # Fix in-place before running build.
-          LIVE_PY=$(python3 -c 'import imgcreate, os; print(os.path.dirname(imgcreate.__file__))')/live.py
-          sed -i 's|"live:LABEL=%(fslabel)s"|"live:CDLABEL=%(fslabel)s"|g' "$LIVE_PY"
-          grep -n 'CDLABEL=%(fslabel)s' "$LIVE_PY" || { echo "[ERR] patch failed"; exit 1; }
-          echo "[OK] livecd-creator patched: LABEL= → CDLABEL= for EFI dracut stanza"
+            # Install build tooling
+            dnf -y install \
+              lorax \
+              livecd-tools \
+              pykickstart \
+              python3-imgcreate \
+              anaconda-tui \
+              squashfs-tools \
+              xorriso \
+              createrepo_c \
+              git \
+              which \
+              shadow-utils \
+              syslinux \
+              tar \
+              curl
 
-          # CI uses ks-ci.ks (no local fix-repo line). Generated from main ks.
-          # Drop `updates` repo: previously 404'd on repodata zchunk during
-          # Fedora mid-push windows. Base 43 ships the selinux-policy fix.
-          sed -e '/veilor-fix/d' \
-              -e '/^shutdown$/d' \
-              -e '/repo --name=updates/d' \
-              kickstart/veilor-os.ks > kickstart/veilor-os-ci.ks
+            # Vendor gum binary onto the ISO so the TTY1 installer can use
+            # Charm.sh TUI primitives. gum is not packaged in Fedora repos,
+            # so pull the upstream release tarball pinned by sha256.
+            GUM_VERSION="0.17.0"
+            GUM_URL="https://github.com/charmbracelet/gum/releases/download/v${GUM_VERSION}/gum_${GUM_VERSION}_Linux_x86_64.tar.gz"
+            GUM_SHA256="69ee169bd6387331928864e94d47ed01ef649fbfe875baed1bbf27b5377a6fdb"
+            mkdir -p /work/overlay/usr/local/bin
+            curl -fsSL "$GUM_URL" -o /tmp/gum.tgz
+            echo "$GUM_SHA256  /tmp/gum.tgz" | sha256sum -c -
+            tar -xzf /tmp/gum.tgz -C /tmp/
+            install -m 0755 "/tmp/gum_${GUM_VERSION}_Linux_x86_64/gum" /work/overlay/usr/local/bin/gum
+            /work/overlay/usr/local/bin/gum --version
+            echo "[OK] gum ${GUM_VERSION} vendored into overlay/usr/local/bin/"
 
-          ksvalidator kickstart/veilor-os-ci.ks
-          mkdir -p build/out
+            cd /work
 
-          # The kickstart's %post --nochroot probes a fixed list of
-          # candidate paths to locate the repo source for overlay/scripts
-          # copy. /work is the canonical CI candidate; symlink the live
-          # workspace there so the existing probe finds it.
-          ln -sfn "$GITHUB_WORKSPACE" /work
+            # PATCH: livecd-creator bug — __get_efi_image_stanza writes
+            # `root=live:LABEL=...` instead of `live:CDLABEL=...` for dracut.
+            # Result: dracut hangs on parse-livenet looking for non-CD label.
+            # Fix in-place before running build.
+            LIVE_PY=$(python3 -c 'import imgcreate, os; print(os.path.dirname(imgcreate.__file__))')/live.py
+            sed -i 's|"live:LABEL=%(fslabel)s"|"live:CDLABEL=%(fslabel)s"|g' "$LIVE_PY"
+            grep -n 'CDLABEL=%(fslabel)s' "$LIVE_PY" || { echo "[ERR] patch failed"; exit 1; }
+            echo "[OK] livecd-creator patched: LABEL= → CDLABEL= for EFI dracut stanza"
 
-          mkdir -p /var/lmc /var/lmc-cache
-          livecd-creator \
-            --verbose \
-            --config kickstart/veilor-os-ci.ks \
-            --fslabel "veilor-os-43" \
-            --title "veilor-os" \
-            --product "veilor-os" \
-            --releasever "${{ github.event.inputs.releasever || '43' }}" \
-            --tmpdir /var/lmc \
-            --cache /var/lmc-cache 2>&1 | tee build/out/build.log
+            # CI uses ks-ci.ks (no local fix-repo line). Generated from main ks.
+            # Also strip flags livecd-creator doesn't recognize.
+            # Drop `updates` repo: 3 consecutive builds 404'd on its
+            # repodata zchunk file across all mirrors — Fedora infra issue
+            # mid-push window. Original reason for `updates` (selinux-policy
+            # 43.7 pcre2 fix) is no longer needed; base 43 ships fixed.
+            sed -e '/veilor-fix/d' \
+                -e '/^shutdown$/d' \
+                -e '/repo --name=updates/d' \
+                kickstart/veilor-os.ks > kickstart/veilor-os-ci.ks
 
-      - name: Graft veilor source tree onto ISO
-        run: |
-          set -euxo pipefail
-          ISO_FILE=$(ls ./*.iso 2>/dev/null | head -1)
-          [ -n "$ISO_FILE" ] || { echo "[ERR] no ISO produced by livecd-creator"; exit 1; }
-          echo "[INFO] grafting /veilor/ onto $ISO_FILE"
+            ksvalidator kickstart/veilor-os-ci.ks
+            mkdir -p build/out
 
-          xorriso -indev "$ISO_FILE" -report_el_torito as_mkisofs 2>&1 | tee /tmp/iso-boot.txt || true
-          ORIG_FLAGS=$(xorriso -indev "$ISO_FILE" -report_el_torito as_mkisofs 2>/dev/null | \
-              grep -v '^xorriso :' | grep -E '^-' | tr '\n' ' ')
-          [ -n "$ORIG_FLAGS" ] || { echo "[ERR] could not extract boot stanza from $ISO_FILE"; exit 1; }
+            # livecd-creator (livecd-tools) — purpose-built for live ISOs.
+            # Handles EFI/BOOT + isohybrid + grafting that livemedia-creator
+            # --make-iso --no-virt does not. Produces UEFI+BIOS bootable ISO.
+            # --tmpdir /var/lmc to avoid GitHub Actions /tmp tmpfs constraints.
+            # /var on the runner is the host's ext4 (~80GB free post-disk-cleanup).
+            mkdir -p /var/lmc /var/lmc-cache
+            livecd-creator \
+              --verbose \
+              --config kickstart/veilor-os-ci.ks \
+              --fslabel "veilor-os-43" \
+              --title "veilor-os" \
+              --product "veilor-os" \
+              --releasever "${{ github.event.inputs.releasever || '43' }}" \
+              --tmpdir /var/lmc \
+              --cache /var/lmc-cache 2>&1 | tee build/out/build.log
 
-          mkdir -p /tmp/iso-mod
-          xorriso -osirrox on -indev "$ISO_FILE" -extract / /tmp/iso-mod
-          chmod -R u+w /tmp/iso-mod
-          mkdir -p /tmp/iso-mod/veilor
-          cp -a overlay scripts assets /tmp/iso-mod/veilor/
+            # Graft veilor source tree onto the ISO so the installer-generated
+            # kickstart's `%post --nochroot` can find SRC at
+            # /run/install/repo/veilor/{overlay,scripts,assets}/ when the user
+            # promotes the live ISO into a real install.
+            ISO_FILE=$(ls /work/*.iso 2>/dev/null | head -1)
+            [ -n "$ISO_FILE" ] || { echo "[ERR] no ISO produced by livecd-creator"; exit 1; }
+            echo "[INFO] grafting /veilor/ onto $ISO_FILE"
 
-          eval xorriso -as mkisofs \
-            -volid "veilor-os-43" \
-            $ORIG_FLAGS \
-            -o "${ISO_FILE}.tmp" /tmp/iso-mod
-          mv "${ISO_FILE}.tmp" "$ISO_FILE"
-          rm -rf /tmp/iso-mod
+            # Extract original ISO's exact boot stanza so the rebuild matches
+            # livecd-creator's layout byte-for-byte. This is immune to upstream
+            # Fedora layout changes (e.g. images/ vs isolinux/ for efiboot.img,
+            # partition geometry flags, hybrid MBR/GPT options).
+            xorriso -indev "$ISO_FILE" -report_el_torito as_mkisofs 2>&1 | tee /tmp/iso-boot.txt || true
+            ORIG_FLAGS=$(xorriso -indev "$ISO_FILE" -report_el_torito as_mkisofs 2>/dev/null | \
+                grep -v '^xorriso :' | grep -E '^-' | tr '\n' ' ')
+            [ -n "$ORIG_FLAGS" ] || { echo "[ERR] could not extract boot stanza from $ISO_FILE"; exit 1; }
+            echo "[INFO] re-pack flags from original ISO: $ORIG_FLAGS"
 
-          mv "$ISO_FILE" build/out/
+            mkdir -p /tmp/iso-mod
+            xorriso -osirrox on -indev "$ISO_FILE" -extract / /tmp/iso-mod
+            chmod -R u+w /tmp/iso-mod
+            mkdir -p /tmp/iso-mod/veilor
+            cp -a /work/overlay /work/scripts /work/assets /tmp/iso-mod/veilor/
 
-          ISO_NAME="veilor-os-${{ github.event.inputs.releasever || '43' }}-$(date +%Y%m%d-%H%M%S).iso"
-          cd build/out
-          for f in *.iso; do
-            [[ -f $f && $f != "$ISO_NAME" ]] && mv "$f" "$ISO_NAME"
-          done
-          sha256sum "$ISO_NAME" > "$ISO_NAME.sha256"
-          ls -lh "$ISO_NAME"
+            # Replay the exact stanza captured above. eval is needed because
+            # ORIG_FLAGS contains multiple flag/value pairs that must word-split.
+            eval xorriso -as mkisofs \
+              -volid "veilor-os-43" \
+              $ORIG_FLAGS \
+              -o "${ISO_FILE}.tmp" /tmp/iso-mod
+            mv "${ISO_FILE}.tmp" "$ISO_FILE"
+            rm -rf /tmp/iso-mod
+            echo "[OK] /veilor/ grafted onto $ISO_FILE"
+
+            # Move output ISO to expected dir
+            mv ./veilor-os-43.iso build/out/ 2>/dev/null || mv ./*.iso build/out/ 2>/dev/null || true
+
+            # Rename + checksum
+            ISO_NAME="veilor-os-${{ github.event.inputs.releasever || '43' }}-$(date +%Y%m%d-%H%M%S).iso"
+            cd build/out
+            for f in *.iso; do
+              [[ -f $f && $f != $ISO_NAME ]] && mv "$f" "$ISO_NAME"
+            done
+            sha256sum "$ISO_NAME" > "$ISO_NAME.sha256"
+            ls -lh "$ISO_NAME"
 
       # ── ISO publish ────────────────────────────────────────────────────
       # GH Release asset size limit = 2 GiB. Our ISO ~2.8 GiB. Split into
@@ -160,6 +181,9 @@ jobs:
       - name: Split ISO into 2GiB chunks
         if: success() && github.ref == 'refs/heads/main'
         run: |
+          # ISO + sidecars created by Fedora container as root. Reclaim
+          # ownership so this step (running as runner user) can write.
+          sudo chown -R "$(id -u):$(id -g)" build/out
           cd build/out
           ISO=$(ls *.iso | head -1)
           [ -n "$ISO" ] || { echo "[ERR] no ISO"; exit 1; }
@@ -173,45 +197,9 @@ jobs:
           echo "[OK] split into:"
           ls "${ISO}".part-*
 
-      - name: Install cosign
-        if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
-        # Pinned to last v3 release confirmed node20.
-        uses: sigstore/cosign-installer@v3.7.0
-
-      - name: Sign ISO parts (keyless)
-        if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
-        run: |
-          cd build/out
-          for f in *.part-*; do
-            cosign sign-blob --yes "$f" \
-              --output-signature "$f.sig" \
-              --output-certificate "$f.pem"
-          done
-
-      - name: Generate SBOM (SPDX)
-        if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
-        # Pinned to last v0.17 release that ships node20.
-        uses: anchore/sbom-action@v0.17.2
-        with:
-          path: build/out
-          format: spdx-json
-          output-file: build/out/veilor-os.spdx.json
-
-      - name: Build provenance attestation
-        if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
-        # Pinned to last v2.2 release that ships node20.
-        uses: actions/attest-build-provenance@v2.2.3
-        with:
-          subject-path: 'build/out/*.iso.part-*'
-
-      # GitHub-only: softprops/action-gh-release uses the GitHub REST API
-      # which Forgejo doesn't expose at the same endpoints. When this
-      # workflow runs on git.s8n.ru the step below (Forgejo) handles
-      # publishing instead.
-      - name: Publish to ci-latest rolling prerelease (GitHub)
-        if: success() && github.ref == 'refs/heads/main' && github.server_url == 'https://github.com'
-        # Pinned to last v2 tag confirmed to ship on node20.
-        uses: softprops/action-gh-release@v2.0.4
+      - name: Publish to ci-latest rolling prerelease
+        if: success() && github.ref == 'refs/heads/main'
+        uses: softprops/action-gh-release@v2
         with:
           tag_name: ci-latest
           name: "ci-latest (auto)"
@@ -232,70 +220,6 @@ jobs:
           files: |
             build/out/*.iso.part-*
             build/out/*.sha256
-            build/out/*.sig
-            build/out/*.pem
-            build/out/*.spdx.json
-
-      # Forgejo equivalent: drop+recreate ci-latest release via the
-      # Forgejo REST API, then upload chunks. Only runs when not on GitHub.
-      # All ${{ }} interpolations are vetted (repo coords + signed SHA).
-      - name: Publish to ci-latest rolling prerelease (Forgejo)
-        if: success() && github.ref == 'refs/heads/main' && github.server_url != 'https://github.com'
-        env:
-          FORGEJO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          FORGEJO_API: ${{ github.server_url }}/api/v1
-          REPO: ${{ github.repository }}
-          GIT_SHA: ${{ github.sha }}
-        run: |
-          set -euo pipefail
-          TAG="ci-latest"
-          REL_JSON=$(curl -fsSL -H "Authorization: token ${FORGEJO_TOKEN}" \
-            "${FORGEJO_API}/repos/${REPO}/releases/tags/${TAG}" 2>/dev/null || echo "")
-          if [ -n "$REL_JSON" ]; then
-            REL_ID=$(echo "$REL_JSON" | grep -oE '"id":\s*[0-9]+' | head -1 | grep -oE '[0-9]+')
-            if [ -n "$REL_ID" ]; then
-              echo "[INFO] deleting existing ci-latest release id=$REL_ID"
-              curl -fsSL -X DELETE -H "Authorization: token ${FORGEJO_TOKEN}" \
-                "${FORGEJO_API}/repos/${REPO}/releases/${REL_ID}" || true
-              curl -fsSL -X DELETE -H "Authorization: token ${FORGEJO_TOKEN}" \
-                "${FORGEJO_API}/repos/${REPO}/git/refs/tags/${TAG}" || true
-            fi
-          fi
-          BODY="Rolling auto-build from main. Latest commit: ${GIT_SHA}.
-
-          ISO is split into chunks. Reassemble:
-              cat veilor-os-*.iso.part-* > veilor-os.iso
-              sha256sum -c veilor-os-*.iso.parts.sha256
-
-          Or use test/auto-install.sh (handles reassembly automatically).
-
-          Not a stable release — for testing only."
-          PAYLOAD=$(BODY="$BODY" TAG="$TAG" python3 -c "
-          import json,os
-          print(json.dumps({
-            'tag_name': os.environ['TAG'],
-            'target_commitish': 'main',
-            'name': 'ci-latest (auto)',
-            'body': os.environ['BODY'],
-            'prerelease': True,
-            'draft': False,
-          }))")
-          REL_ID=$(curl -fsSL -X POST -H "Authorization: token ${FORGEJO_TOKEN}" \
-            -H "Content-Type: application/json" \
-            -d "$PAYLOAD" \
-            "${FORGEJO_API}/repos/${REPO}/releases" | \
-            grep -oE '"id":\s*[0-9]+' | head -1 | grep -oE '[0-9]+')
-          [ -n "$REL_ID" ] || { echo "[ERR] failed to create Forgejo release"; exit 1; }
-          echo "[OK] Forgejo release id=$REL_ID created"
-          cd build/out
-          for f in *.iso.part-* *.sha256; do
-            [ -f "$f" ] || continue
-            echo "[INFO] uploading $f"
-            curl -fsSL -X POST -H "Authorization: token ${FORGEJO_TOKEN}" \
-              -F "attachment=@${f}" \
-              "${FORGEJO_API}/repos/${REPO}/releases/${REL_ID}/assets?name=${f}"
-          done
-          echo "[OK] all assets uploaded to Forgejo ci-latest"
 
       # Build log on failure: print inline + skip artifact upload to avoid
       # quota wall. Job log retains everything anyway.
@@ -307,36 +231,10 @@ jobs:
           echo "─── anaconda program.log ───"
           find build/out/build/anaconda -name 'program.log' -exec tail -100 {} \; 2>/dev/null || echo "(no anaconda log)"
 
-      # GitHub-only: same restriction as ci-latest publish.
-      - name: Attach to release on tag (GitHub)
-        if: github.event_name == 'release' && github.server_url == 'https://github.com'
-        # Pinned to last v2 tag confirmed to ship on node20.
-        uses: softprops/action-gh-release@v2.0.4
+      - name: Attach to release on tag
+        if: github.event_name == 'release'
+        uses: softprops/action-gh-release@v2
         with:
           files: |
             build/out/*.iso
             build/out/*.sha256
-
-      # Forgejo equivalent for tag-driven release uploads. The release
-      # is assumed to already exist (Forgejo creates it from the tag);
-      # we only attach assets here.
-      - name: Attach to release on tag (Forgejo)
-        if: github.event_name == 'release' && github.server_url != 'https://github.com'
-        env:
-          FORGEJO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          FORGEJO_API: ${{ github.server_url }}/api/v1
-          REPO: ${{ github.repository }}
-          REF_NAME: ${{ github.ref_name }}
-        run: |
-          set -euo pipefail
-          REL_JSON=$(curl -fsSL -H "Authorization: token ${FORGEJO_TOKEN}" \
-            "${FORGEJO_API}/repos/${REPO}/releases/tags/${REF_NAME}")
-          REL_ID=$(echo "$REL_JSON" | grep -oE '"id":\s*[0-9]+' | head -1 | grep -oE '[0-9]+')
-          [ -n "$REL_ID" ] || { echo "[ERR] no Forgejo release for tag ${REF_NAME}"; exit 1; }
-          cd build/out
-          for f in *.iso *.sha256; do
-            [ -f "$f" ] || continue
-            curl -fsSL -X POST -H "Authorization: token ${FORGEJO_TOKEN}" \
-              -F "attachment=@${f}" \
-              "${FORGEJO_API}/repos/${REPO}/releases/${REL_ID}/assets?name=${f}"
-          done

.github/workflows/lint.yml

@@ -12,8 +12,7 @@ jobs:
     container:
       image: registry.fedoraproject.org/fedora:43
     steps:
-      # Pinned to last v4 tag confirmed to ship on node20.
-      - uses: actions/checkout@v4.1.7
+      - uses: actions/checkout@v4
       - run: dnf -y install pykickstart
       - run: ksvalidator kickstart/veilor-os.ks
 
@@ -21,8 +20,7 @@ jobs:
     name: Shell scripts
     runs-on: ubuntu-24.04
     steps:
-      # Pinned to last v4 tag confirmed to ship on node20.
-      - uses: actions/checkout@v4.1.7
+      - uses: actions/checkout@v4
       - uses: ludeeus/action-shellcheck@master
         with:
           severity: warning
@@ -32,8 +30,7 @@ jobs:
     name: No personal/onyx leaks
     runs-on: ubuntu-24.04
     steps:
-      # Pinned to last v4 tag confirmed to ship on node20.
-      - uses: actions/checkout@v4.1.7
+      - uses: actions/checkout@v4
       - name: Grep for leaks
         run: |
           set -e

.gitignore

@@ -13,6 +13,4 @@ secrets/
 *.pem
 test/veilor-vm.qcow2
 test/veilor-vm.nvram*
-test/auto-install-vm.qcow2
-test/auto-install-vm.nvram*
 .claude/worktrees/

README.md

@@ -2,7 +2,7 @@
 
 > **Hardened minimal Fedora KDE spin. Black-on-black. Locked down by default.**
 
-[![Build veilor-os ISO](https://git.s8n.ru/veilor-org/veilor-os/badges/workflows/build-iso.yml/badge.svg)](https://git.s8n.ru/veilor-org/veilor-os/actions?workflow=build-iso.yml)
+[![Build veilor-os ISO](https://github.com/veilor-org/veilor-os/actions/workflows/build-iso.yml/badge.svg)](https://github.com/veilor-org/veilor-os/actions/workflows/build-iso.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 
 veilor-os is a Fedora 43 KDE Plasma remix for operators who want a clean,
@@ -30,11 +30,6 @@ brittleness, bootloader install via `gen_grub_cfgstub`); current focus
 is the v0.5.32 blocker list from the
 [2026-05-05 9-agent research wave](docs/research/2026-05-05-agent-wave/README.md).
 
-Primary git host: <https://git.s8n.ru/veilor-org/veilor-os>. The GitHub
-mirror was disabled 2026-05-06; this repo is private-by-default on
-Forgejo. ISO builds and CI artifacts are produced by the Forgejo runner
-on nullstone — no GitHub Actions involvement.
-
 What is **shipping**: hardening (SELinux, sysctl, USBGuard, fail2ban,
 firewalld), KDE black theme, Fira Code system font, 3-mode power
 management, single-prompt LUKS install, first-boot admin password flow,
@@ -51,9 +46,7 @@ spike at v0.7**, **bootc-only at v1.0**.
 ## Quick install
 
 ```bash
-# 1. Download the ISO from the latest Forgejo release.
-#    https://git.s8n.ru/veilor-org/veilor-os/releases/tag/ci-latest
-#    (rolling tag; replaced on each successful build-iso.yml run)
+# 1. Download the ISO (after public release; CI artifact for now)
 sha256sum -c veilor-os-43-*.iso.sha256
 
 # 2. Flash to USB. Replace /dev/sdX with your USB device — triple-check.
@@ -116,49 +109,30 @@ Full reference: [docs/HARDENING.md](docs/HARDENING.md).
 
 ## How veilor-os compares
 
-| Feature | veilor-os | Stock Fedora KDE | Kicksecure | secureblue |
-|---|:-:|:-:|:-:|:-:|
-| SELinux enforcing OOTB | yes | yes | yes | yes (custom policy) |
-| AppArmor | deferred (post-v0.6 / v0.7 LSM stack) | no | yes | no |
-| Secure Boot | yes (Fedora keys) | yes (Fedora keys) | configurable | yes (Fedora keys) |
-| LUKS2 with argon2id | default | optional | default | default (Anaconda) |
-| Single-prompt install (LUKS only) | yes | no | no | rebase via Anaconda |
-| Root account locked by default | yes | no | yes | yes |
-| firewalld default zone = drop | yes | no | n/a (nftables) | yes |
-| USBGuard default-block | yes | no | yes | yes |
-| fail2ban + auditd OOTB | yes | no | partial | partial (auditd) |
-| DNS-over-TLS by default | yes | no | yes | yes |
-| NTS-authenticated NTP | yes | no | yes | yes |
-| `init_on_alloc/free` (post-install) | yes (planned re-enable) | no | yes | yes |
-| Telemetry / phone-home | none | minimal | none | none |
-| KDE Plasma branded theme | yes (black) | Breeze | n/a (XFCE) | upstream Kinoite |
-| Power-profile CLI | yes (3-mode) | partial | no | no |
-| Hardened browser (Trivalent / Mullvad) | yes (v0.6+) | no | no | yes (Trivalent shipped) |
-| Atomic OCI image + signed base | v0.7 spike (BlueBuild) | no | no | yes (`bootc`) |
-| Userns-remap default + module sig enforce | yes | no | partial | yes |
-| Base distro | Fedora 43 (KDE) | Fedora 43 | Debian | Fedora atomic (Kinoite/Silverblue) |
+| Feature | veilor-os | Stock Fedora KDE | Kicksecure |
+|---|:-:|:-:|:-:|
+| SELinux enforcing OOTB | yes | yes | yes |
+| AppArmor | planned (v0.5) | no | yes |
+| Secure Boot | yes (Fedora keys) | yes (Fedora keys) | configurable |
+| LUKS2 with argon2id | default | optional | default |
+| Single-prompt install (LUKS only) | yes | no | no |
+| Root account locked by default | yes | no | yes |
+| firewalld default zone = drop | yes | no | n/a (uses nftables) |
+| USBGuard default-block | yes | no | yes |
+| fail2ban + auditd OOTB | yes | no | partial |
+| DNS-over-TLS by default | yes | no | yes |
+| NTS-authenticated NTP | yes | no | yes |
+| `init_on_alloc/free` (post-install) | yes (planned re-enable) | no | yes |
+| Telemetry / phone-home | none | minimal | none |
+| KDE Plasma branded theme | yes (black) | Breeze | n/a (XFCE) |
+| Power-profile CLI | yes (3-mode) | partial | no |
+| Reproducible kickstart-built ISO | yes | yes | yes (from Debian) |
+| Base distro | Fedora 43 | Fedora 43 | Debian |
 
 veilor-os is **not** trying to compete with Whonix-style anonymity or
 Qubes-style isolation. It is a **hardened daily-driver desktop** — fast,
 clean, locked down, with no manual post-install hardening required.
 
-### Relationship to secureblue
-
-[secureblue](https://github.com/secureblue/secureblue) is an upstream
-hardened atomic Fedora project we benchmark against and plan to **build
-on top of** at v0.7. The v0.7 BlueBuild spike uses their
-`securecore-kinoite-hardened-userns` OCI image as its base — we don't
-ship their source code in this repo, we layer veilor branding,
-theming, the gum installer, and the kickstart bootstrap on top of
-their already-signed image.
-
-Where veilor-os differs is the install path: a kickstart-installed
-flat install for v0.5.x (single-prompt LUKS flow, gum TUI, Anaconda
-underneath), a hybrid kickstart-bootstrap + secureblue-OCI image at
-v0.7, and a fully OCI / `bootc upgrade` path at v1.0. Thanks to the
-secureblue maintainers for the upstream work — we're a friendlier
-install front-end on top of it, not a fork.
-
 ---
 
 ## Repo layout

bluebuild/README.md

@@ -0,0 +1,96 @@
+# bluebuild/ — v0.7 spike
+
+This directory contains the BlueBuild recipe + supporting config that
+builds the veilor-os bootable OCI image. **Active on the
+`v0.7-bluebuild-spike` branch only.** Does NOT land in v0.5.x main
+until the spike passes its success criteria (see
+`docs/STRATEGY.md`).
+
+## What's here
+
+```
+bluebuild/
+├── recipe.yml                  # primary BlueBuild recipe
+├── config/
+│   └── just/
+│       └── 60-veilor.just      # ujust recipes for opt-in components
+└── README.md                   # this file
+```
+
+The recipe extends
+`ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest`. We
+inherit secureblue's hardening (sysctl + kargs + custom SELinux
+policy + USBGuard + hardened-malloc + Unbound DoT + chronyd NTS +
+Trivalent browser + cosign-signed image chain). On top, we layer:
+
+- veilor branding (overlay/, theme, plymouth, sddm, os-release)
+- mullvad-browser (anti-fingerprint companion to Trivalent)
+- xorg-x11-server-Xwayland (re-enable; secureblue disables it)
+- sudo (re-enable; secureblue replaces with run0)
+- tailscale + yggdrasil (mesh stack layer 1 + 2)
+- ujust recipes for Reticulum (mesh layer 3) + Thorium (opt-in browser)
+
+Trivalent stays as the default browser (correcting an earlier draft).
+
+## Build locally
+
+```bash
+# Requires bluebuild CLI:
+#   curl -fsSL https://raw.githubusercontent.com/blue-build/cli/main/install.sh | sh
+cd bluebuild
+bluebuild build recipe.yml
+```
+
+Output: `localhost/veilor-os:43` in podman storage. Push to GHCR
+via the workflow.
+
+## Test the OCI image
+
+```bash
+# Smoke-test (boots into the rootfs; no kernel, no init):
+podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash
+
+# Inside, sanity:
+cat /etc/os-release        # PRETTY_NAME=veilor-os
+which sudo                 # /usr/bin/sudo (re-enabled)
+which trivalent            # secureblue's COPR (default browser)
+which mullvad-browser      # /usr/bin/mullvad-browser
+systemctl is-enabled yggdrasil    # enabled (idle)
+systemctl is-enabled tailscaled   # disabled (awaits ujust veilor-mesh-join)
+```
+
+## Test the installer ISO
+
+The installer ISO is built separately by livecd-creator (current path)
+or bootc-image-builder (v1.0+). Its kickstart's `%packages` block is
+replaced with:
+
+```
+ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry
+```
+
+That populates the target's `/` directly from this OCI image during
+the install pass. No first-boot rebase. No transition window.
+
+## Spike success criteria (1 day)
+
+- [ ] `bluebuild build recipe.yml` exits 0
+- [ ] `bootc container lint` exits 0 on the resulting image
+- [ ] `podman run` smoke-test (commands above) all pass
+- [ ] `.github/workflows/build-bluebuild.yml` builds + cosign-signs +
+      pushes to `ghcr.io/veilor-org/veilor-os:43`
+- [ ] An installer ISO using `ostreecontainer` against this OCI
+      reaches SDDM with admin login on first boot
+
+If all five land, merge `v0.7-bluebuild-spike` → `main` as v0.7.0.
+If any fail in ways that aren't trivially fixable, file each as a GH
+issue + return to v0.5.x kickstart path.
+
+## See also
+
+- `docs/STRATEGY.md` — the strategic decision + override list
+- `docs/ROADMAP.md` v0.7 — full schedule
+- `docs/THREAT-MODEL.md` — what we publish before launch
+- secureblue: <https://github.com/secureblue/secureblue>
+- BlueBuild: <https://blue-build.org>
+- bootc / ostreecontainer: <https://docs.fedoraproject.org/en-US/bootc/>

bluebuild/config/just/60-veilor.just

@@ -0,0 +1,73 @@
+# veilor-os ujust recipes — opt-in components
+# Loaded into /usr/share/ublue-os/just/ at image build time;
+# `ujust install-X` discovers + dispatches.
+
+# install Reticulum / RetiNet AGPL fork + Sideband (mesh layer 3)
+install-reticulum:
+    #!/usr/bin/env bash
+    echo "═══ Reticulum (RetiNet AGPL fork) install ═══"
+    echo
+    echo "Installs RetiNet (AGPL fork — NOT upstream RNS due to anti-AI"
+    echo "license) plus Sideband messenger. Default config: AutoInterface"
+    echo "(LAN multicast) + 1-2 TCP backbone peers. RNode hardware (LoRa"
+    echo "transceiver) is a separate install."
+    echo
+    read -p "Proceed? [y/N]: " confirm
+    if [[ "$confirm" != "y" ]]; then echo "Cancelled."; exit 0; fi
+    rpm-ostree install python3-pip
+    pip install --user retinet sideband-cli
+    echo
+    echo "Done. To attach an RNode (LoRa transceiver), run:"
+    echo "    ujust install-reticulum-rnode"
+
+# install Reticulum RNode hardware support (LoRa transceiver)
+install-reticulum-rnode:
+    #!/usr/bin/env bash
+    echo "═══ RNode (LoRa transceiver) hardware install ═══"
+    echo
+    echo "Adds RNode firmware-update tooling + udev rules for the LoRa"
+    echo "USB hardware. Required only if you have an RNode device."
+    echo
+    read -p "Proceed? [y/N]: " confirm
+    if [[ "$confirm" != "y" ]]; then echo "Cancelled."; exit 0; fi
+    pip install --user rnodeconf
+    echo "Done. Plug in your RNode via USB; it will appear as a serial device."
+
+# install Thorium browser (OPT-IN, with explicit CVE-lag warning)
+install-thorium:
+    #!/usr/bin/env bash
+    echo "═══ Thorium browser install ═══"
+    echo
+    echo "WARNING: Thorium is a perf/media-focused fork of Chromium that"
+    echo "uses LTS Chromium as its base. As of 2026-05 it lags upstream"
+    echo "stable by ~9 milestones (months of CVE backlog)."
+    echo
+    echo "veilor-os ships Trivalent (secureblue's hardened Chromium fork,"
+    echo "tracking upstream M147+ within hours) as the default browser."
+    echo "Thorium is provided as an OPT-IN profile for users who"
+    echo "explicitly need its perf characteristics (e.g. WebGL games,"
+    echo "media decode profiles)."
+    echo
+    echo "DO NOT use Thorium as your daily-driver browser. Use Trivalent"
+    echo "or Mullvad Browser for that."
+    echo
+    read -p "Acknowledge CVE-lag risk and continue? [y/N]: " confirm
+    if [[ "$confirm" != "y" ]]; then echo "Cancelled."; exit 0; fi
+    flatpak install --user -y org.thorium.Thorium 2>/dev/null || \
+        rpm-ostree install thorium-browser
+    echo "Done. Launch via Plasma menu or `flatpak run org.thorium.Thorium`."
+
+# join the veilor mesh (Tailscale via Headscale)
+veilor-mesh-join:
+    #!/usr/bin/env bash
+    echo "═══ Join veilor mesh (Tailscale via Headscale) ═══"
+    echo
+    echo "Pre-auth keys are minted by the Misskey signup page at"
+    echo "x.veilor (TTL 24h, single-use). You can paste the hex key"
+    echo "directly OR scan the QR code shown after signup."
+    echo
+    read -p "Hex key (paste): " preauth
+    if [[ -z "$preauth" ]]; then echo "Empty key. Cancelled."; exit 0; fi
+    sudo systemctl enable --now tailscaled
+    sudo tailscale up --login-server=https://hs.s8n.ru --auth-key="$preauth"
+    echo "Done. Status: $(sudo tailscale status | head -1)"

bluebuild/recipe.yml

@@ -0,0 +1,118 @@
+# veilor-os — BlueBuild recipe (v0.7 spike, 1-day target)
+#
+# Extends secureblue's hardened Kinoite OCI image with veilor branding,
+# threat-model-driven UX choices, and the three-layer mesh stack
+# (Tailscale + Yggdrasil + opt-in Reticulum). This is the OCI image
+# that the v0.7+ kickstart's `ostreecontainer` directive pulls into
+# the target root during the install pass.
+#
+# Build:    bluebuild build recipe.yml
+# Test:     podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash
+# CI:       .github/workflows/build-bluebuild.yml signs + pushes to GHCR.
+#
+# Reference: https://blue-build.org/reference/recipe/
+---
+name: veilor-os
+description: Hardened security-branded Fedora KDE on top of secureblue.
+
+# Base image: secureblue's hardened Kinoite variant with userns sandboxing.
+# That brings in: sysctl + kargs + custom SELinux policy + USBGuard +
+# hardened-malloc + Unbound DoT + chronyd NTS + Trivalent browser.
+base-image: ghcr.io/secureblue/securecore-kinoite-hardened-userns
+image-version: latest
+
+modules:
+  # ── 1. veilor branding overlay ──────────────────────────────────
+  # Stamps our overlay/* tree onto the OCI image. KDE color scheme,
+  # Plymouth theme, SDDM theme, fontconfig, os-release.
+  - type: files
+    files:
+      - source: ../overlay
+        destination: /
+
+  - type: files
+    files:
+      - source: ../assets
+        destination: /usr/share/veilor-os/assets
+
+  - type: files
+    files:
+      - source: ../scripts
+        destination: /usr/share/veilor-os/scripts
+
+  # ── 2. Branding overrides at build time ─────────────────────────
+  - type: script
+    snippets:
+      - |
+        # os-release brand
+        sed -i \
+          -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' \
+          /etc/default/grub 2>/dev/null || true
+        # Apply our kde-theme + plymouth in build
+        bash /usr/share/veilor-os/scripts/kde-theme-apply.sh || true
+        bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true
+        plymouth-set-default-theme details 2>/dev/null || true
+
+  # ── 3. Override secureblue's run0-only — restore sudo ───────────
+  # secureblue removes sudo + replaces with run0. Too disruptive for
+  # daily-driver workflows. Restore sudo, keep run0 available.
+  - type: rpm-ostree
+    install:
+      - sudo
+
+  # ── 4. Re-enable Xwayland ───────────────────────────────────────
+  # secureblue disables Xwayland for attack-surface reduction. Some
+  # apps (Element, Slack-likes, older Qt5 tools) still need it.
+  # User who wants it removed back can `rpm-ostree override remove`.
+  - type: rpm-ostree
+    install:
+      - xorg-x11-server-Xwayland
+
+  # ── 5. Mullvad Browser as anti-fingerprint companion ────────────
+  # Layered alongside Trivalent (kept as default per STRATEGY.md).
+  # Trivalent for daily browsing, Mullvad for pseudonymous browsing.
+  # Thorium remains opt-in only via `ujust install-thorium` — see
+  # config/thorium.just for the warning + install logic.
+  - type: rpm-ostree
+    install:
+      - mullvad-browser
+
+  # ── 6. Mesh stack packages ──────────────────────────────────────
+  # Layer 1 (Day 1 daily driver, service pre-disabled): Tailscale
+  # Layer 2 (Day 1 idle warm-fallback): Yggdrasil-go
+  # Layer 3 (opt-in via ujust): Reticulum / RetiNet — handled in just/
+  - type: rpm-ostree
+    install:
+      - tailscale
+      - yggdrasil
+
+  # ── 7. ujust recipes for opt-in components ──────────────────────
+  - type: files
+    files:
+      - source: config/just
+        destination: /usr/share/ublue-os/just
+
+  # ── 8. Service tuning: tailscale pre-disabled, yggdrasil idle ───
+  - type: systemd
+    system:
+      enabled:
+        - yggdrasil.service        # idle warm-fallback (config = empty Listen[])
+      disabled:
+        - tailscaled.service       # awaits first-boot prompt for join
+        # secureblue parents already enable: sshd, fail2ban, usbguard,
+        # auditd, firewalld, chronyd, sddm — no re-enable needed.
+
+  # ── 9. veilor-os specific systemd units ─────────────────────────
+  # veilor-firstboot.service comes in via overlay/etc/systemd/system/
+  # — needs explicit enable since it's not part of secureblue's set.
+  - type: systemd
+    system:
+      enabled:
+        - veilor-firstboot.service
+        - veilor-modules-lock.service
+
+  # ── 10. signing config ──────────────────────────────────────────
+  # bluebuild emits cosign.pub at root; CI uses the pinned key
+  # generated for veilor-org. signed-by reference for bootc upgrade
+  # signature verification.
+  - type: signing

docs/DOCS-DOCS.md

@@ -1,275 +0,0 @@
-# veilor-os — Proof of Work
-
-> **What this file is:** a single document that summarises the depth of
-> work, tooling traversed, and engineering decisions behind veilor-os.
-> Receipts not narrative — every claim links back to a commit, an
-> error, or a config.
->
-> Author: P M (s8n-ru on Forgejo)  ·  Last updated: 2026-05-06
-
----
-
-## At a glance
-
-| Metric | Number |
-|---|---|
-| Git commits on `main` | **134+** |
-| Distinct release versions iterated | **32** (v0.1 → v0.5.32) |
-| Pull requests reviewed and merged | **11** |
-| Documented build failure classes hit and fixed | **35+** (live ISO build, Forgejo CI, OCI signing) |
-| Lines of operator-authored kickstart | **400+** (`kickstart/veilor-os.ks`) |
-| Lines of overlay shell hardening scripts | **~1500** across `scripts/*.sh` |
-| Lines of TUI installer (`overlay/usr/local/bin/veilor-installer`) | **~950** bash, gum + whiptail fallback |
-| Self-hosted infra services touched | **28** Docker containers on nullstone |
-| Concurrent dev agents orchestrated in single waves | up to **9** |
-
----
-
-## Distros / projects studied or layered on
-
-| Project | Role in veilor-os |
-|---|---|
-| Fedora 43 KDE | Base OS for v0.5.x kickstart-installed flat builds |
-| [secureblue](https://github.com/secureblue/secureblue) | Upstream hardened atomic Fedora; v0.7 BlueBuild spike layers our overlay on top of `securecore-kinoite-hardened-userns` |
-| Kicksecure / Whonix | Reference for AppArmor + apt-transport-tor model (we don't ship Tor; we did read their docs) |
-| Bluefin / Bazzite (uBlue) | Reference for BlueBuild recipe shape and OCI publishing pattern |
-| Tails | Reference for live-only install model — explicitly **not** veilor's path |
-| Qubes OS | Reference for hardware partitioning model — explicitly out of scope |
-| Trivalent (secureblue) | Hardened Chromium — adopted at v0.6+ |
-| Mullvad Browser | Tor-Browser-fork without Tor — adopted at v0.6+ |
-
-veilor-os is **not** a fork of any of the above. It's a **composition**:
-Fedora kickstart for v0.5.x, secureblue OCI for v0.7+, with our own
-brand, installer (gum TUI), 3-mode power CLI, and Forgejo CI/release.
-
----
-
-## Tooling traversed
-
-| Tool / system | Where it lives in the build | Notable issues hit |
-|---|---|---|
-| **Anaconda** (Fedora installer) | drives kickstart install in chroot | RPM-6.0 cmdline-mode scriptlet error propagation regression — patched `transaction_progress.py` in CI |
-| **livecd-creator** (livecd-tools) | builds the live ISO image | EFI dracut stanza bug: `LABEL=` instead of `CDLABEL=` → patched `imgcreate/live.py` in CI run |
-| **livemedia-creator** (lorax) | dropped after 17 attempts (EFI/BOOT not built) | Switched to livecd-creator entirely |
-| **dracut** | builds initramfs in chroot | LUKS module not pulled in by default → `--regenerate-all` in chroot %post |
-| **GRUB2** | bootloader install + cmdline | `gen_grub_cfgstub` failures, manual reinstall `grub2-install + grub2-mkconfig` in install %post |
-| **Plymouth** | boot splash | Disabled (`plymouth.enable=0`) so LUKS prompt is visible; theme `details` for v0.7+ |
-| **SDDM** | KDE display manager | livecd-creator skips the `display-manager.service` symlink — stub fixfiles + setenforce in firstboot |
-| **PAM** | login auth | nullok on SDDM, blank-pw + `chage -d 0` to force password set on first boot |
-| **gum** (charm.sh) | TTY1 TUI installer | bubbletea cursor render glitch on linux fbcon — replaced password input with bash `read -srp` |
-| **whiptail** | TUI fallback when gum missing | one-line fallback path |
-| **systemd** | unit ordering, presets | `system-systemdx2dcryptsetup.slice` doesn't exist — non-fatal preset warning, suppressed |
-| **firewalld** | default-drop zone, ssh allow | kept (PackageKit/avahi/cups runtime-disabled, not depsolve-removed) |
-| **USBGuard** | default-block USB | id-based rules.conf, hash-based broke on dock replug |
-| **fail2ban** + **auditd** | runtime IDS + audit log | full ruleset on passwd/shadow/sudoers/ssh/cron/sysctl/kernel modules |
-| **chrony** | NTS-authenticated NTP | Cloudflare + NETNOD pool |
-| **systemd-resolved** | DNS-over-TLS | Cloudflare + Quad9 fallback, LLMNR off |
-| **SELinux** | targeted policy + custom `veilor-systemd` module | `PCRE2 10.46 vs 10.47` host-vs-chroot regex mismatch — solved with `selinux --permissive` at build, enforcing on first-boot |
-| **AppArmor** | deferred — not in Fedora 43 base | v0.7 secureblue OCI ships its own LSM stack |
-| **zram-generator** | zram swap (no disk swap) | works |
-| **btrfs** | / + /home subvols inside LUKS2 | works |
-| **LUKS2** | aes-xts-plain64 + argon2id | mem=1GB, time=9, threads=4 — manually tuned |
-| **xorriso** | ISO wrap + graft | extract original boot stanza via `-report_el_torito as_mkisofs`, replay flags via `eval` to handle word-splitting |
-| **Sigstore / cosign** | keyless OIDC signing | doesn't work on Forgejo (no Fulcio-trusted issuer) — gated to GitHub-only, key-pair signing planned |
-| **anchore/sbom-action** | SBOM SPDX | pinned to `v0.17.2` (last node20-shipping release) |
-| **actions/attest-build-provenance** | SLSA L3 build provenance | pinned to `v2.2.3` |
-| **BlueBuild** | OCI image build for v0.7 spike | recipe ready, `ostreecontainer` kickstart directive validated |
-| **bootc** | atomic upgrades for v1.0 | target tooling, `bootc upgrade` instead of `dnf upgrade` |
-| **Forgejo** + **act_runner** | self-hosted git + CI | runner inside container with userns-remap host caused 13-step debug chain |
-| **Tailscale** + **Headscale** | private mesh | for friend-PC GPU offload + admin SSH |
-
----
-
-## Build failure classes encountered (and beaten)
-
-Numbered ledger of every distinct failure mode, in approximate order of
-discovery. Each row is one bug class — many were hit dozens of times in
-permutation before the underlying root cause was understood.
-
-### Phase A — local + livemedia-creator (v0.1 → v0.2.0)
-
-| # | Symptom | Root cause | Fix |
-|---|---|---|---|
-| 1 | rootless podman btrfs / loop / sudo cache fights | rootless can't `losetup`; host CAP_SYS_ADMIN gate | Switched to host-native lorax + NOPASSWD wheel |
-| 2 | Kickstart parse: `--title`, `text`, multiline `part`, `--hash` | livemedia-creator + recent pykickstart deprecations | Rewrote ks |
-| 3 | dnf depsolve: KDE hard-deps cups / geoclue2 / ModemManager / PackageKit | KDE Plasma 6 transitively pulls them in | Kept packages, mask daemons at runtime |
-| 4 | Anaconda merges all repos, `cost`/`includepkgs` ignored | upstream Anaconda repo-merge logic | Local fix-repo at `cost=1` to force selection |
-| 5 | scriptlet warning RC=5 (selinux/pcre2 regex skew) | host libselinux 10.46 vs chroot's selinux-policy file_contexts.bin built against 10.47 | fix-repo provides matched 10.47 pair |
-| 6 | dnf transaction RC=5 on non-critical scriptlet | RPM-6.0 cmdline-mode regression | Patched anaconda `transaction_progress.py` in CI |
-| 7 | services config: `services --enabled=veilor-firstboot` before unit installed | Anaconda services runs before %post overlay copy | Move `systemctl enable` into %post |
-| 8 | overlay copy: `%post --nochroot` SRC path wrong | livecd-creator vs livemedia-creator differ on `INSTALL_ROOT` vs `/mnt/sysimage` | Multi-path detection in %post |
-| 9 | ISO wrap: `grub2-mkimage` missing i386-pc | missing `grub2-pc-modules` | Added |
-| 10 | ISO wrap: xorrisofs missing EFI/BOOT | livemedia-creator `--make-iso --no-virt` template gap | **Pivoted to livecd-creator** |
-| 11 | livecd-creator: `Failed to find package 'fontconfig'` | livecd-creator repo-discovery differs | Repaired via direct `baseurl` not mirrorlist |
-| 12 | dracut hangs on `parse-livenet` | livecd-creator EFI stanza writes `live:LABEL=` instead of `live:CDLABEL=` | sed-patch `imgcreate/live.py` in CI |
-
-### Phase B — boot UX + LUKS + theming (v0.2.4 → v0.5.27)
-
-| # | Symptom | Root cause | Fix |
-|---|---|---|---|
-| 13 | `init_on_alloc/free` 5x KVM live-boot time | every page zeroed on alloc/free, brutal in vCPU | Drop from live cmdline; firstboot patches GRUB to re-enable for installed system |
-| 14 | LUKS prompt invisible | Plymouth swallows TTY | `plymouth.enable=0` for live; `details` theme for installed |
-| 15 | Plymouth services not maskable in chroot | systemctl mask N/A under chroot | `/dev/null` symlinks |
-| 16 | LUKS dracut module missing | Default dracut config doesn't pull crypt | `--regenerate-all` in chroot post |
-| 17 | rd.luks.uuid not in cmdline | Anaconda doesn't write it for our partition layout | `grubby --update-kernel ALL --args=rd.luks.uuid=...` in chroot post |
-| 18 | Kernel-install on chroot overwrites cmdline | systemd kernel-install writes its own `/etc/kernel/cmdline` | Switch to `--config /etc/kernel/cmdline` flow |
-| 19 | rescue glob in firstboot: `set -e` killed loop | unmatched glob | `shopt -s nullglob` |
-| 20 | fbcon blanks during KMS modeset on real hardware | i915/amdgpu/nvidia driver loads, blanks fb | `fbcon=nodefer i915.modeset=1 amdgpu.modeset=1 nvidia-drm.modeset=1` |
-| 21 | gum cursor render glitch (duplicate-Install + stray-T) | bubbletea cursor-hide vs linux fbcon terminfo | Replace `gum input --password` with `read -srp` |
-| 22 | Generated install ks `updates` repo 404 zchunk | Fedora mid-push window | Strip `repo --name=updates` from generated ks |
-| 23 | Anaconda payload module crash on `LANG` env | unset env in TTY1 service | `export LANG=en_US.UTF-8` before exec |
-| 24 | Anaconda --cmdline + `XDG_RUNTIME_DIR` missing | TTY1 has no XDG runtime dir | Create + export pre-exec |
-| 25 | LVM pulled into installer ks unintentionally | default partitioning | Drop LVM, native btrfs-on-LUKS |
-| 26 | sshd `UseDNS yes` 30s banner timeout in NAT/slirp | reverse DNS unreachable in QEMU user-net | `UseDNS no` in sshd_config.d |
-| 27 | os-release branding overrides not visible to login banner | `motd` not regenerated | `update-motd` in firstboot |
-
-### Phase C — Forgejo CI + ISO publishing (v0.5.32, current)
-
-13-step debug chain documented separately: see [docs/CI-PIPELINE-FAILURES.md] (live in conversation log).
-
-Highlights:
-- userns-remap=default on host docker daemon collides with privileged + image perms
-- Forgejo runner inside container creates docker-in-docker workspace bind path mismatch
-- Sigstore Fulcio keyless signing assumes GH OIDC issuer; gated to GH-only
-- cosign / sbom / attest actions floating tags now node24, runner is node20 → all pinned
-
----
-
-## Key engineering decisions (and why)
-
-### 1. Hybrid kickstart-bootstrap + bootc OCI strategy
-
-Locked at v0.7 spike. Reasons:
-
-- **Kickstart (v0.5.x)** gives a familiar Anaconda LUKS install flow,
-  single-prompt UX, drop-in replacement for stock Fedora KDE installer.
-- **OCI image (v0.7+)** lets us layer on top of secureblue's already-
-  signed hardened base. We don't re-derive AppArmor / Trivalent /
-  custom SELinux — we inherit. Fedora bumps become `image-version: 44`
-  one-line edits, not multi-day debug sprints.
-- **bootc-only (v1.0)** retires kickstart entirely; atomic A/B upgrades,
-  instant rollback, immutable system root.
-
-### 2. Brand-clean from day one
-
-`grep -ri 'onyx\|192\.168\.0\.\|admin@\|fedora\.local\|xynki\.dev' kickstart/ overlay/ scripts/ assets/` returns zero hits. Enforced via `.github/workflows/lint.yml` `brand-leak` job. Every audit run, every CI run, every commit.
-
-### 3. Forgejo over GitHub for primary
-
-Decision date: 2026-05-06. Drivers:
-- GitHub free tier compute caps were hitting on every ISO build
-- Operator wants to work privately by default; GH = always-public
-- Self-hosted Forgejo on nullstone gives unlimited build minutes, no
-  third-party dep on the build path
-- Push-mirror to GH disabled — operator opts in per-repo when wanting
-  public visibility
-
-### 4. ssh tightening
-
-`AllowUsers user`, password auth off, root login locked, X11 forwarding off, `MaxAuthTries 3`. Operator authenticates with ed25519 key only. Documented in `feedback_nullstone_ssh_user.md` memory.
-
-### 5. Defense-in-depth mesh
-
-Tailscale + Headscale (`hs.s8n.ru`) is the SSH on-ramp. Every device joins the tailnet; public SSH is firewalled at the router. Friend GPU node (RTX 4080 in WSL2) reachable via tailnet IP — immune to ISP IP rotation.
-
----
-
-## What's been built that isn't in the kickstart
-
-The repo carries more than just an ISO recipe:
-
-| Path | What it is |
-|---|---|
-| `kickstart/veilor-os.ks` (400+ lines) | Live ISO ks, hand-authored, fully branded |
-| `overlay/etc/systemd/system/veilor-firstboot.service` | TTY1 oneshot, prompts admin password on first boot |
-| `overlay/usr/local/bin/veilor-installer` (~950 lines) | TTY1 TUI installer wrapping Anaconda + gum + whiptail fallback |
-| `overlay/usr/local/bin/veilor-power` | 3-mode power CLI: `save \| mid \| perf`. Wires tuned profiles + EPP + governor + battery threshold + screen-dim policy in one cmd |
-| `overlay/etc/tuned/profiles/veilor-{powersave,balanced,performance}/` | Custom tuned profiles, not Fedora defaults |
-| `overlay/etc/udev/rules.d/{90-veilor-ac-switch,91-veilor-battery-threshold}.rules` | Auto-switch power profile on AC/battery events |
-| `overlay/etc/usbguard/rules.conf` | id-based default-block USB rules |
-| `overlay/etc/firewalld/zones/trusted.xml` | tailscale0 trust override |
-| `overlay/etc/skel/.config/{kdeglobals,breezerc,kwinrc,konsolerc}` | Pre-applied KDE black theme + Fira Code system font |
-| `scripts/10-harden-base.sh` (~250 lines) | KDE Connect off, DNS-over-TLS, fail2ban + auditd setup |
-| `scripts/20-harden-kernel.sh` (~300 lines) | sysctl, password-quality, NTS chrony, USBGuard, service prune |
-| `scripts/selinux/veilor-systemd.te` | Custom SELinux module (targeted policy gap fixes) |
-| `scripts/30-apply-v03-theme.sh` | Plymouth + SDDM + Konsole + wallpaper apply |
-| `scripts/40-apparmor.sh` (deferred) | AppArmor profile load (complain-mode skeleton, sealed pending Fedora packaging or v0.7 secureblue) |
-| `bluebuild/recipe.yml` | v0.7 OCI recipe (base = secureblue securecore-kinoite-hardened-userns) |
-| `kickstart/install-ostreecontainer.ks` | v0.7 install ks: 10 lines, just `ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry` |
-| `assets/installer/{banner.txt,colors.gum}` | Pure-block VEILOR OS wordmark + branded gum colour palette |
-| `assets/branding/` | Logo, wallpapers, plymouth theme assets |
-| `docs/STRATEGY.md` (336 lines) | Full hybrid strategy + mesh + browser stack + Forgejo decision |
-| `docs/THREAT-MODEL.md` (157 lines) | Threat model, in-scope, out-of-scope, mitigations table |
-| `docs/HARDENING.md` (194 lines) | Full hardening reference |
-| `docs/ROADMAP.md` (332 lines) | v0.5.x → v0.7 → v1.0 phased plan |
-| `docs/research/2026-05-05-agent-wave/` | 9-agent research wave findings on v0.5.32 blockers |
-| `test/TESTING.md` + `test/run-vm.sh` + `test/test-runs/` | Standardised hybrid VM test method, codified after v0.5.27 surfaced 4 regressions in one session |
-| `.github/workflows/{build-iso.yml,lint.yml,build-bluebuild.yml}` | CI for v0.5.x flat ISO + v0.7 OCI image + brand-leak / shellcheck / kickstart syntax lint |
-
----
-
-## CI infrastructure built on nullstone
-
-Self-hosted from scratch on a single Debian 13 server. All running, all
-behind Traefik with LE certs via Gandi LiveDNS DNS-01.
-
-| Service | Role | Notes |
-|---|---|---|
-| Forgejo (`git.s8n.ru`) | git host + container registry | code 9.0.3 + gitea 1.22 underneath; INSTALL_LOCK=true; admin user `s8n-ru` (NOT `admin` — reserved) |
-| forgejo-runner | act_runner v6.4.0, registered as `nullstone` label | privileged, userns_mode=host, custom Fedora-with-node image (`veilor-build:43`) |
-| Custom build image | `veilor-build:43` = fedora:43 + nodejs + git + sudo + curl | Built locally; act_runner needs node in job container |
-| socket-proxy | Tecnativa docker-socket-proxy | Read-only docker API for monitoring |
-| Traefik 3.x | Reverse proxy + ACME | Gandi DNS-01 cert; `no-guest@file` middleware blocks LAN-only services from public |
-| Authentik | SSO + LDAP (`auth.s8n.ru`) | postgres + redis + worker stack |
-| step-ca | Internal PKI | Used by all-internal mTLS where it lands |
-| Tuwunel (Matrix) `matrix.veilor.uk` | Rust homeserver | Federation off, telemetry off, registration token-gated |
-| Cinny | Matrix web client `cinny.txt.s8n.ru` | Second isolated instance |
-| Misskey | Private Twitter rebrand at `x.veilor` | Custom theme via DB pg_read_file |
-| n8n | Automation runner | Used for CI watchdogs and personal automations |
-| Pi-hole | Local DNS sinkhole | DNS-over-TLS upstream |
-| Headscale | Tailscale control plane | 4 nodes joined incl friend PC |
-| AnythingLLM | Local LLM UI | Layer on Ollama + remote vLLM (friend PC RTX 4080) |
-| filebrowser-mc | Static asset server | racked.ru launcher hosting |
-
-Runtime UID layout: `userns-remap=default` shifted +100000. Backup
-script + ACL on docker.sock + group-add patterns documented in
-`memory/feedback_docker_sudo_bypass.md`.
-
----
-
-## Receipts
-
-- **Forgejo repo:** <https://git.s8n.ru/veilor-org/veilor-os>
-- **GitHub mirror snapshot (frozen 2026-05-06):** <https://github.com/veilor-org/veilor-os>
-- **ci-latest rolling release (live):** <https://git.s8n.ru/veilor-org/veilor-os/releases/tag/ci-latest>
-- **First green ISO timestamp:** 2026-05-06 14:30 UTC, sha256 in release sidecar
-- **Per-version commit trail:** `git log --oneline | grep '^[a-f0-9]\{7\} v0\.'` shows every `v0.x.y: <bug>` ship line
-- **Test method evolution:** `test/METHOD-CHANGELOG.md`
-- **Strategy lock:** [`docs/STRATEGY.md`](STRATEGY.md), 2026-05-05
-- **9-agent research wave findings:** [`docs/research/2026-05-05-agent-wave/`](research/2026-05-05-agent-wave/)
-- **Threat model:** [`docs/THREAT-MODEL.md`](THREAT-MODEL.md)
-- **Hardening reference:** [`docs/HARDENING.md`](HARDENING.md)
-- **Roadmap:** [`docs/ROADMAP.md`](ROADMAP.md)
-
----
-
-## What this took
-
-This is a **single-operator + AI-accelerated** project. No team, no
-funding, no upstream maintainer hat. Most of the work happened across
-~6 weeks of evenings and weekends. AI agents (Claude Opus 4.7, mainly)
-handle the parallel research, log diving, kickstart debug, and
-multi-file refactors; the operator drives strategy, makes the calls,
-runs the VM/hardware tests, owns the brand decisions, and pushes every
-commit.
-
-The result is a hardened Linux distro that **boots, installs cleanly,
-hardens itself, and ships through self-hosted CI** — with a forward
-strategy that retires the legacy Fedora kickstart path in favour of
-a modern atomic OCI image stack, while crediting and building on top
-of the upstream secureblue work rather than forking it.
-
-For comparison, a Fedora spin maintainer working part-time normally
-ships this much in **1–2 weeks of work**. We did it once across a
-longer arc with deeper documentation, more strategy reversals, and
-zero personal/onyx leaks in the final ship state.

docs/ROADMAP.md

@@ -9,31 +9,6 @@ For the historical record of what landed in each release, see
 
 ---
 
-## ⚡ STRATEGY PIVOT — 2026-05-06
-
-**Decision: skip v0.6 kickstart polish. Pivot directly to v0.7
-BlueBuild OCI path.**
-
-Reasons:
-- v0.5.32 produced a green ISO (2.7 GB) on the Forgejo runner. Proof
-  point achieved.
-- Continuing to debug `livecd-creator` + `anaconda` quirks for v0.6
-  polish is sunk-cost work on tooling we retire at v1.0 anyway.
-- v0.7 spike already has a working BlueBuild recipe + `ostreecontainer`
-  kickstart directive. Layering veilor branding + installer + power CLI
-  on top of secureblue beats re-deriving the same hardening from
-  scratch.
-- Ergonomic CLI tools (`veilor-postinstall`, `veilor-doctor`,
-  `veilor-update`) translate cleanly to v0.7: `bootc upgrade` replaces
-  `dnf upgrade`. Move them into v0.7 scope.
-
-**v0.5.0 is the final kickstart-path release.** Tag, freeze, ship as
-proof-of-work / portfolio anchor. **v0.6 cancelled as a milestone.**
-
-Active focus: `v0.7-bluebuild-spike` branch.
-
----
-
 ## Lessons learned through v0.5.x install grind
 
 Five things v0.5.27–31 changed about how we plan:
@@ -190,22 +165,7 @@ specified — defaults stay sane for a daily driver.
 
 ---
 
-## v0.6 — CANCELLED 2026-05-06 (folded into v0.7)
-
-Per the strategy pivot at the top of this file: v0.6 kickstart polish
-will not ship. Continuing on the kickstart path means more
-livecd-creator + anaconda debugging on tooling that's retired at v1.0.
-The flagship v0.6 deliverables (`veilor-postinstall`, `veilor-doctor`,
-`veilor-update`, opt-in installer ISO, first-boot Plymouth dialog,
-Bluetooth helper) move into **v0.7 scope** with `bootc upgrade`
-replacing `dnf upgrade` in the update path.
-
-The original v0.6 plan is preserved below for reference but is **not
-the active roadmap**.
-
----
-
-## v0.6 — ergonomics (HISTORICAL — superseded by v0.7)
+## v0.6 — ergonomics (PROMOTED — install grind proved we need this)
 
 Smooth the operator experience so day-to-day work doesn't fight the
 hardening. `veilor-postinstall` and `veilor-doctor` were v0.6 background
@@ -244,28 +204,7 @@ distro from a kickstart.
 
 ---
 
-## v0.7 — BlueBuild OCI mainline (ACTIVE — primary focus 2026-05-06+)
-
-This was originally planned as "public flex + bootc spike". Post-pivot,
-v0.7 is now the **primary active milestone** — it absorbs all v0.6
-ergonomic work and becomes the next ship target.
-
-Scope:
-- BlueBuild recipe (`bluebuild/recipe.yml`) layering on
-  `ghcr.io/secureblue/securecore-kinoite-hardened-userns`
-- `kickstart/install-ostreecontainer.ks` — 10-line kickstart that calls
-  `ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry`
-  and lets Anaconda's LUKS UX drive the install
-- veilor brand layer: KDE black theme, gum installer assets, custom
-  Konsole profile, branded `os-release`
-- `veilor-power` 3-mode CLI (lifted as-is from v0.5.x overlay)
-- `veilor-postinstall` (formerly v0.6 flagship) — first-login TUI
-- `veilor-doctor` (formerly v0.6) — boot-time + weekly drift check
-- `veilor-update` rewritten on `bootc upgrade` (was `dnf upgrade`)
-- Forgejo registry as primary OCI publish target; GHCR mirror optional
-- cosign key-pair signing of OCI image (replaces broken keyless flow)
-
-Public-flex items kept from original v0.7 entry:
+## v0.7 — public flex + bootc spike
 
 Take veilor-os out of "private repo, contained audience" mode. Order
 matters: people demand threat model FIRST when a security distro goes

docs/STRATEGY.md

@@ -301,26 +301,6 @@ in the v0.7 spike branch only.
   `v4.9` on F44). If we follow, we get F44 for free at the same time
   upstream does.
 
-## Self-hosted git + CI (locked 2026-05-05)
-
-Primary git host moved off github.com. **Forgejo** runs on nullstone
-at `git.s8n.ru`, with **forgejo-runner** doing the build work. GH free-
-tier minute quota was hammering veilor-os iteration; we self-host now.
-
-- Primary remote: `ssh://git@192.168.0.100:222/veilor-org/veilor-os.git`
-  (Forgejo, LAN-only until router port-forward 222 → nullstone:222
-  added — TODO; or use tailnet hostname once tailscale logged in).
-- Public mirror: `https://github.com/veilor-org/veilor-os.git`. Forgejo
-  push-mirrors every commit + every 8h, so GH stays in sync without
-  consuming GH minutes.
-- Runner labels: `ubuntu-24.04` (catthehacker image — works for our
-  current build-iso.yml unmodified) and `nullstone` (privileged Fedora
-  43 container — opt-in via `runs-on: nullstone`).
-- Build cost: 0 GH minutes. Disk: ~80 GB workspace on /home/docker.
-
-Deploy artifacts: `~/ai-lab/nullstone-server/forgejo/`. Runbook in same
-dir.
-
 ## See also
 
 - `docs/THREAT-MODEL.md` — drafted, needs publish for v0.7

docs/THREAT-MODEL.md

@@ -1,6 +1,6 @@
 # Threat Model
 
-> **Status:** Final for v0.7 public launch. Honest scope.
+> **Status:** Draft for v0.7 public flex. Honest scope.
 
 veilor-os is a hardened daily-driver desktop. Not a paranoia OS, not an
 anonymity OS, not an isolation OS. This document exists so that
@@ -14,39 +14,36 @@ tool**. veilor-os will not save you, and we will not pretend otherwise.
 
 ## In scope — what veilor-os defends against
 
-Every row cites the file or setting that implements the mitigation, so the
-claim is auditable from a clean checkout.
-
 | Adversary / scenario | veilor-os mitigation |
 |---|---|
-| Lost or stolen laptop, powered off | LUKS2 `aes-xts-plain64` + `argon2id` (`mem=1 GiB`, `time=9`) on root LV; swap is `zram` only — no persistent key material on disk. Defined in `kickstart/veilor-os.ks` `part pv.veilor` block. |
-| Generic browser / email malware (drive-by RCE, malicious attachment) | SELinux `enforcing` + targeted policy + custom `veilor-systemd.te` module (`scripts/selinux/`); sysctl knobs in `/etc/sysctl.d/99-veilor-hardening.conf`: `kernel.kptr_restrict=2`, `kernel.yama.ptrace_scope=2`, `kernel.perf_event_paranoid=3`, `net.core.bpf_jit_harden=2`, `kernel.randomize_va_space=2`, `fs.suid_dumpable=0`, `dev.tty.ldisc_autoload=0`. AppArmor profile skeletons in `scripts/apparmor/` for Trivalent/Thorium/lm-studio (opt-in, complain mode, hardens to enforce per profile). |
-| Console-side USB attack (BadUSB, rubber ducky, juice-jack) | USBGuard daemon, `ImplicitPolicyTarget=block`, **id-based** rules in `/etc/usbguard/rules.conf` (vendor:product, not hash — survives dock replug). Empty allowlist on first boot; operator runs `usbguard generate-policy` after plugging trusted devices. |
-| SSH brute-force / credential-stuffing | `/etc/ssh/sshd_config.d/10-veilor-hardening.conf`: `PasswordAuthentication no`, `PermitRootLogin no`, `AllowUsers admin`, `MaxAuthTries 3`, `X11Forwarding no`, `LogLevel VERBOSE`. `fail2ban` `sshd` + `pam-generic` jails (journald backend) ban via firewalld `rich-rule` action. |
-| Post-incident forensics ("what happened?") | `auditd` rules in `/etc/audit/rules.d/99-veilor-hardening.rules` watch `/etc/{passwd,shadow,group,sudoers,sudoers.d,ssh/sshd_config*,selinux,firewalld,cron.*,sysctl.*,systemd/system}`, every privileged binary (`sudo`, `su`, `passwd`, `mount`, `pkexec`, …), `init_module`/`finit_module`/`delete_module` syscalls, and uid≥1000 perm/owner changes. Logs persist across reboot. |
-| Supply-chain on the OS image itself | Secure Boot enforced (Fedora signed shim → GRUB → kernel). v0.7 adds cosign-signed OCI image at `ghcr.io/veilor/veilor-os:43`, GPG-signed ISO + sha256 + .asc, plus our own MOK for out-of-tree module signing. |
-| Unprivileged local user attempting LPE | Root account locked (`passwd -l root`; `passwd -S root` → `L`); single `admin` user in `wheel`; `pwquality.conf` `minlen=14`, `minclass=4`, dictcheck on. Kernel `lockdown=integrity`, `slab_nomerge`, `init_on_alloc=1`, `init_on_free=1`, `randomize_kstack_offset=on`, `vsyscall=none` set in bootloader args. Module loading frozen 30 s after graphical boot via `veilor-modules-lock.service`. |
-| Network-listening services as attack surface | `firewalld` default zone = `drop`; only `sshd` answers. `abrt*`, `cups`, `cups-browsed`, `geoclue`, `avahi-daemon`, `bluetooth`, `ModemManager`, `gssproxy`, `atd`, `pcscd.{socket,service}` are masked; `kdeconnectd` and `PackageKit` are removed at the package level. |
-| Time-based MITM (back-dated certs, replay) | `chrony` with NTS authentication against `time.cloudflare.com` and `nts.sth1/2.ntp.se` (pool fallback only). `systemd-resolved` with DNS-over-TLS opportunistic, DNSSEC `allow-downgrade`, LLMNR off; resolvers Cloudflare 1.1.1.1 / 1.0.0.1, fallback Quad9 9.9.9.9 / 149.112.112.112. |
+| Lost or stolen laptop, powered off | LUKS2 (aes-xts-plain64, argon2id, mem=1 GB) on root + swap-as-zram. Disk yields ciphertext. |
+| Generic browser / email malware (drive-by RCE, malicious attachment) | SELinux enforcing + `veilor-systemd` policy + sysctl hardening (kptr_restrict, ptrace=2, perf=3, BPF JIT harden, full ASLR, no SUID core dumps). AppArmor stack lands in v0.5. |
+| Console-side USB attack (BadUSB, rubber ducky, juice-jack) | USBGuard daemon, default-block, empty allowlist on first boot. New device = explicit operator allow. |
+| SSH brute-force / credential-stuffing | sshd password-auth off, root login off, MaxAuthTries=3, fail2ban with sshd + pam-generic jails wired to firewalld rich-rule. |
+| Post-incident forensics ("what happened?") | auditd rules covering passwd/shadow/sudoers/ssh/cron/sysctl/kernel modules and all privileged binaries. Logs survive reboot. |
+| Supply-chain on the OS image itself | Fedora's signed shim → GRUB → kernel chain (Secure Boot enforced). v0.4 adds GPG-signed ISO + sha256 + own MOK. |
+| Unprivileged local user attempting LPE | root account locked (`passwd -S root` → `L`), single sudo user with pwquality minlen=14 / 4 classes, kernel module loading frozen 30 s after graphical boot. |
+| Network-listening services as attack surface | firewalld default zone = `drop`; only sshd answers. abrt/cups/avahi/bluetooth/ModemManager/kdeconnectd/PackageKit are masked. |
+| Time-based MITM (back-dated certs, replay) | NTS-authenticated chrony, DNS-over-TLS via systemd-resolved, LLMNR off. |
 
 ---
 
 ## Out of scope — what veilor-os does NOT defend against
 
-These adversaries are unambiguously outside our scope. Pretending otherwise
-gets people hurt. **If your adversary is on this list, pick a different tool.**
+We are honest about this list because pretending otherwise is how people get
+hurt. **If your adversary is here, pick a different tool.**
 
 | Adversary / scenario | Why veilor-os doesn't help | Use instead |
 |---|---|---|
-| Firmware-level implant (UEFI, Intel ME, BMC, EC) | veilor-os does not protect against firmware implants. Secure Boot validates the OS chain only; we do not flash, audit, or sign firmware below GRUB. | Heads / coreboot on supported hardware. |
-| Evil-maid attack on a running, unlocked system | LUKS master keys live in RAM while the system is up. A physically present attacker can dump RAM (cold-boot, Thunderbolt DMA, debug header) and recover them. | Power off when unattended. Disable Thunderbolt DMA in firmware. Qubes-in-a-Faraday-bag if you are that target. |
-| Hardware keylogger / interposer between keyboard and machine | veilor-os is software. Software cannot detect a passive hardware tap. | Physical custody of the device. Tamper-evident seals. |
-| Targeted RCE on the user session (browser 0-day, messenger exploit) | KDE Plasma is not sandboxed. A logged-in compromise owns the user's data and tokens. SELinux confines daemons; it does not confine the desktop session. | Qubes OS (per-app Xen VM isolation). |
-| Side-channel attacks on AES (timing, cache, power, EM) | veilor-os ships stock kernel crypto. We provide no constant-time or power-analysis guarantees beyond what the kernel and CPU deliver. | Threat-specific HSM, air-gap. |
-| Physical attack on a TPM2 chip (bus probe, glitch, decap) | veilor-os does not bind keys to TPM2 in v0.7. Even when binding lands post-v1.0, TPM2 is not anti-tamper hardware. | Off-device key custody (smartcard / YubiKey / OnlyKey). |
-| Network-level traffic correlation / traffic analysis | All packets leave the box on the local IP. veilor-os does not onion-route. | Tails, Whonix, Tor. |
-| Trust-on-first-use attacks (operator accepts a bad cert) | veilor-os cannot override the operator's explicit decisions. Bad SSL or SSH host-key acceptance is out of scope. | Enrolment policy, MDM, certificate pinning. |
-| Adversary with sustained physical access and time | Given unlimited physical time and tools, any laptop falls. | Operational security, not OS choice. |
+| Nation-state firmware-level implant (UEFI, ME, BMC) | Secure Boot validates the OS, not the firmware below it. We do not flash custom firmware. | Heads / coreboot on supported hardware. |
+| Evil-maid attack on a running, unlocked system | LUKS keys live in RAM while the system is up. A physically present attacker can dump RAM (cold boot, DMA via Thunderbolt, debug header). | Power off when unattended. Disable Thunderbolt DMA in firmware. Qubes-in-a-Faraday-bag if you're that target. |
+| Hardware keylogger / hardware mod between keyboard and machine | We're software. Software cannot detect a passive hardware tap. | Physical custody of the device. Tamper-evident seals. |
+| Targeted RCE on the user session (browser 0-day, signal-app exploit) | KDE Plasma is not sandboxed. A logged-in compromise has the user's full data and tokens. SELinux confines daemons, not the desktop. | Qubes (per-app VM isolation). |
+| Side-channel attacks on AES (timing, cache, power analysis) | We use stock kernel crypto. No constant-time guarantees beyond what the kernel/CPU provide. | Threat-specific HSM. |
+| Physical attack on a TPM2 chip (probe, glitch, decap) | We don't ship TPM2 binding yet. Even when v1.0 lands, TPM2 is not anti-tamper hardware. | Off-device key custody. |
+| Network-level traffic correlation / traffic analysis | All packets leave the box on the local IP. We don't onion-route. | Tails, Whonix, Tor. |
+| Trust-on-first-use attacks (user clicks "accept bad cert") | We can't override the user's decisions. Bad SSL/SSH key acceptance by the operator is out of scope. | Enrolment policy, MDM. |
+| Adversary with sustained physical access and time | Given enough physical time and tools, any laptop falls. | Operational security, not OS choice. |
 
 ---
 
@@ -95,21 +92,19 @@ Hardening that breaks ordinary work gets called out, not hidden.
 
 Scoring legend: `✓` shipped & on by default, `~` partial / opt-in,
 `✗` not provided, `n/a` not applicable to that distro's model.
-Project metrics are GitHub / Codeberg figures as of 2026-05.
 
-| Axis | veilor-os | Stock Fedora KDE | Kicksecure | Tails | Qubes OS | secureblue | Athena OS |
-|---|:---:|:---:|:---:|:---:|:---:|:---:|:---:|
-| **Encrypted at rest by default** | ✓ (LUKS2 argon2id, mem=1 GiB) | ~ (optional in Anaconda) | ✓ | n/a (amnesic, session-only) | ✓ | ✓ | ~ (optional) |
-| **MAC enforcing OOTB** | ✓ (SELinux + opt-in AppArmor) | ✓ (SELinux) | ✓ (AppArmor) | ✓ (AppArmor) | ✓ (per-VM) | ✓ (SELinux) | ✓ (AppArmor) |
-| **Default-deny firewall** | ✓ (firewalld zone=drop) | ✗ | ✓ | ✓ (Tor-only) | ✓ | ✓ | ✓ |
-| **USB default-block** | ✓ (USBGuard, id-rules) | ✗ | ✓ | ✓ | ✓ (sys-usb) | ✓ (USBGuard) | ✗ |
-| **Per-app isolation (VM/sandbox)** | ✗ | ✗ | ✗ | ~ (AppArmor) | ✓ (Xen VMs) | ~ (Flatpak/bwrap) | ✗ |
-| **Anonymity / Tor by default** | ✗ | ✗ | ✗ | ✓ | ~ (Whonix VMs) | ✗ | ✗ |
-| **Daily driver target (persistent)** | ✓ | ✓ | ✓ | ✗ (amnesic) | ✓ (heavy, hardware-partitioning) | ✓ | ✓ |
-| **Signed releases (cosign + GPG)** | ✓ (v0.7) | ✓ | ✓ | ✓ | ✓ | ✓ (cosign on OCI) | ~ (sha256 only) |
-| **Threat model published** | ✓ (this doc) | ✗ | ✓ | ✓ | ✓ | ✗ | ✓ |
-| **Hardware compatibility (laptops)** | ✓ (Fedora kernel) | ✓ | ~ | ~ (live USB) | ~ (Xen-pinned HCL) | ✓ | ✓ (Arch kernel) |
-| **Project size (contributors / stars, 2026-05)** | solo / pre-public | n/a (Fedora-wide) | small team / ~600 | ~30 / ~3k | large / ~5k | ~30 / ~940, active monthly cadence | ~8 / ~1.4k |
+| Axis | veilor-os | Stock Fedora KDE | Kicksecure | Tails | Qubes OS | secureblue |
+|---|:---:|:---:|:---:|:---:|:---:|:---:|
+| **Encrypted at rest by default** | ✓ (LUKS2 argon2id) | ~ (optional) | ✓ | n/a (amnesic) | ✓ | ✓ |
+| **MAC enforcing OOTB** | ✓ (SELinux + AppArmor v0.5) | ✓ (SELinux) | ✓ (AppArmor) | ✓ (AppArmor) | ✓ (per-VM) | ✓ (SELinux) |
+| **Default-deny firewall** | ✓ | ✗ | ✓ | ✓ (Tor-only) | ✓ | ✓ |
+| **USB default-block** | ✓ (USBGuard) | ✗ | ✓ | ✓ | ✓ (sys-usb) | ✓ |
+| **Per-app isolation (VM/sandbox)** | ✗ | ✗ | ✗ | ~ (AppArmor) | ✓ (Xen VMs) | ~ (Flatpak/bwrap) |
+| **Anonymity / Tor by default** | ✗ | ✗ | ✗ | ✓ | ~ (Whonix VMs) | ✗ |
+| **Daily driver target (persistent)** | ✓ | ✓ | ✓ | ✗ | ✓ (heavy) | ✓ |
+| **Signed releases (publisher key)** | ✓ (v0.4) | ✓ | ✓ | ✓ | ✓ | ✓ |
+| **Threat model published** | ✓ (this doc) | ✗ | ✓ | ✓ | ✓ | ✓ |
+| **Hardware compatibility (laptops)** | ✓ (Fedora kernel) | ✓ | ~ | ~ (live USB) | ~ (Xen-pinned) | ✓ |
 
 ---
 

kickstart/install-ostreecontainer.ks

@@ -0,0 +1,80 @@
+# veilor-os install kickstart — v0.7 spike (ostreecontainer path)
+#
+# This is the install-time kickstart for the v0.7 hybrid path. The live
+# ISO boots; the gum TUI collects user answers (disk, LUKS pw, admin pw);
+# this template gets the answers substituted in and is fed to anaconda.
+#
+# Anaconda partitions the disk + creates LUKS + btrfs subvols + mounts
+# /boot/efi + /boot, then `ostreecontainer` populates `/` directly from
+# the cosign-signed veilor-os OCI image at `ghcr.io/veilor-org/veilor-os:43`.
+#
+# No `%packages` block. No first-boot rebase. No
+# `veilor-firstboot-rebase.service`. The ostreecontainer install pass is
+# the entire transition from "Fedora live ISO" to "veilor-os on disk".
+#
+# Reference: pykickstart docs ostreecontainer command;
+# https://docs.fedoraproject.org/en-US/bootc/anaconda-install/
+
+# ── Locale / keyboard / time ──
+keyboard --xlayouts='us'
+lang en_US.UTF-8
+timezone Europe/London --utc
+
+# ── Install mode / behaviour ──
+firstboot --disable
+eula --agreed
+# SELinux state inherited from the OCI image; --enforcing is implicit
+# since secureblue's image ships /etc/selinux/config = enforcing.
+selinux --enforcing
+
+# ── Network / hostname ──
+network --bootproto=dhcp --device=link --activate --hostname=__HOSTNAME__
+firewall --enabled --service=ssh
+
+# ── Identity (single LUKS prompt asked at install via gum TUI) ──
+rootpw --lock
+user --name=admin --groups=wheel --gecos="veilor admin" --password=__ADMIN_PW__ --plaintext
+
+# ── Bootloader ──
+# fbcon=nodefer for laptop KMS handoff (real-hardware audit, agent 9 of
+# 2026-05-05 wave). rd.luks.options=tries=5,timeout=0 for UX.
+# rd.luks.uuid is auto-injected by anaconda based on the encrypted
+# part directive below.
+#
+# All other hardening kargs (lockdown=integrity, slab_nomerge, etc.)
+# come from /usr/lib/bootc/kargs.d/ inside the OCI image — bootc
+# applies them at install time. We only add what the OCI image can't
+# know (laptop-specific KMS flag).
+bootloader --append="fbcon=nodefer"
+
+# ── Disk: LUKS2 (argon2id) + btrfs subvols ──
+zerombr
+clearpart --all --initlabel --drives=__DISK_BASENAME__
+part /boot/efi --fstype=efi --size=600
+part /boot     --fstype=ext4 --size=1024
+part btrfs.veilor --grow --encrypted --luks-version=luks2 --pbkdf=argon2id --passphrase=__LUKS_PW__
+btrfs none --label=veilor btrfs.veilor
+btrfs /     --subvol --name=root LABEL=veilor
+btrfs /home --subvol --name=home LABEL=veilor
+
+# ── ostreecontainer: populate / from the veilor-os OCI image ──
+# `--transport=registry` pulls from ghcr.io directly. Authentication
+# token can be supplied via /etc/ostree/auth.json baked into the live
+# rootfs OR via a kickstart `--remote-token` if the registry is private.
+# At v0.7 spike the OCI image is public, so no auth needed.
+#
+# DO NOT migrate to the new `bootc` kickstart command until v1.0 — it
+# blocks multi-disk and authenticated registries (per parent-operator
+# handoff 2026-05-05).
+ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry
+
+# ── %post (chroot) — minimal; OCI image already has everything ──
+# What we keep:
+#   - chage -d 0 admin so first SDDM login forces password change
+#   - hostname write (anaconda's --hostname doesn't always survive)
+#   - veilor-firstboot.service is enabled in the OCI image already
+%post
+set -uo pipefail
+echo veilor > /etc/hostname
+chage -d 0 admin || true
+%end

kickstart/veilor-os.ks

@@ -58,7 +58,7 @@ user --name=admin --groups=wheel --gecos="veilor admin" --password="" --plaintex
 # framebuffer — symptom: black screen with blinking cursor for ~30s
 # while the menu IS in fact rendered, just not painted. virtio-vga in
 # QEMU doesn't trigger this so it never reproed in VM.
-bootloader --location=mbr --append="lockdown=integrity module.sig_enforce=1 slab_nomerge randomize_kstack_offset=on vsyscall=none plymouth.enable=0 fbcon=nodefer i915.modeset=1 amdgpu.modeset=1 nvidia-drm.modeset=1 rd.vconsole.keymap=us"
+bootloader --location=mbr --append="lockdown=integrity slab_nomerge randomize_kstack_offset=on vsyscall=none plymouth.enable=0 fbcon=nodefer"
 
 # ── Live ISO partitioning (flat — for live rootfs build only) ──
 # NOTE: This is the *live* image kickstart. Final installed system uses
@@ -119,11 +119,6 @@ chrony
 firewalld
 plymouth
 
-# AppArmor stack — DEFERRED. apparmor-parser / apparmor-utils /
-# apparmor-profiles are not in Fedora 43 base or updates. v0.6 ships
-# without AppArmor; tier-2 plan to land via COPR or as part of the v0.7
-# secureblue OCI hybrid (which has its own LSM stack).
-
 # admin essentials
 git
 vim-enhanced

overlay/etc/apparmor.d/veilor.d/firefox

@@ -1,11 +0,0 @@
-# veilor-os AppArmor profile stub — firefox
-#
-# v0.6 scope: marker only. Loads in complain mode via scripts/40-apparmor.sh
-# so AppArmor can log the syscall surface for v0.7 policy authoring. No
-# actual confinement rules yet — full policy is post-v0.6.
-
-#include <tunables/global>
-
-profile veilor-firefox /usr/lib*/firefox/firefox flags=(complain) {
-  #include <abstractions/base>
-}

overlay/etc/apparmor.d/veilor.d/thunderbird

@@ -1,11 +0,0 @@
-# veilor-os AppArmor profile stub — thunderbird
-#
-# v0.6 scope: marker only. Loads in complain mode via scripts/40-apparmor.sh
-# so AppArmor can log the syscall surface for v0.7 policy authoring. No
-# actual confinement rules yet — full policy is post-v0.6.
-
-#include <tunables/global>
-
-profile veilor-thunderbird /usr/lib*/thunderbird/thunderbird flags=(complain) {
-  #include <abstractions/base>
-}

overlay/etc/firewalld/zones/trusted.xml

@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- veilor-os: trusted zone with tailscale0 pre-bound.
-     Default zone stays drop (per 10-harden-base.sh). Tailscale's
-     interface is added here so `tailscale up` traffic isn't dropped.
-     Without this entry the firewalld drop zone blocks the tailnet
-     traffic and the user sees: "tailscale up succeeded, but I can't
-     reach hs.s8n.ru". (Agent 9, 2026-05-05 wave.) -->
-<zone target="ACCEPT">
-  <short>Trusted</short>
-  <description>All network connections are accepted. veilor-os pre-binds tailscale0 here so the mesh layer-1 (Tailscale via Headscale) works out-of-box without manual firewalld zone juggling.</description>
-  <interface name="tailscale0"/>
-</zone>

overlay/etc/skel/.config/breezerc

@@ -1,60 +0,0 @@
-# veilor-os — Breeze window decoration override
-# Tighter borders, solid black title bar, minimal buttons, smallest border.
-# Merged into /etc/xdg/breezerc (system default) by 30-apply-v03-theme.sh.
-
-[Common]
-# Tighter outline; subtle separator only when active.
-OutlineCloseButton=false
-ShadowSize=ShadowSmall
-ShadowStrength=128
-ShadowColor=0,0,0
-
-[Windeco]
-# Border thickness: smallest available (= "None" leaves only resize edge,
-# "NoSides" keeps top/bottom only). We pick "None" for the tightest look,
-# matching the black-on-black aesthetic.
-BorderSize=None
-ButtonSize=ButtonSmall
-CloseButton=true
-DrawBackgroundGradient=false
-DrawBorderOnMaximizedWindows=false
-DrawSizeGrip=false
-DrawTitleBarSeparator=false
-ExceptionType=0
-HideTitleBar=false
-OpaqueTitleBar=true
-TitleAlignment=AlignCenter
-UseBackgroundGradient=false
-UseTitleBarColor=true
-
-# Buttons: minimal — close / max / min only, no shade/help/keep-above.
-ButtonsOnLeft=M
-ButtonsOnRight=IAX
-
-[Style]
-# Disable per-app blur, transparency, and gradient effects.
-MenuOpacity=100
-WindowDragMode=1
-ScrollBarAddLineButtons=0
-ScrollBarSubLineButtons=0
-SidePanelDrawFrame=false
-SliderDrawTickMarks=false
-TabBarDrawCenteredTabs=true
-ToolBarDrawItemSeparator=false
-DockWidgetDrawFrame=false
-ProgressBarAnimated=false
-AnimationsEnabled=false
-StackedWidgetDrawFrame=false
-
-# ── Active / inactive title bar colors (override Breeze defaults) ──
-# kdeglobals [WM] section is the canonical source; these mirror it here
-# so apps that only read breezerc see consistent values.
-[Windeco][Active]
-TitleBarColor=0,0,0
-TitleBarTextColor=216,216,216
-TitleBarBorderColor=104,107,111
-
-[Windeco][Inactive]
-TitleBarColor=15,17,18
-TitleBarTextColor=161,169,177
-TitleBarBorderColor=42,46,50

overlay/etc/skel/.config/kdeglobals

@@ -1,29 +0,0 @@
-[General]
-ColorScheme=veilor-black
-Name=veilor black
-AccentColor=104,107,111
-LastUsedCustomAccentColor=104,107,111
-font=Fira Code,11,-1,5,400,0,0,0,0,0,0,0,0,0,0,1
-fixed=Fira Code,10,-1,5,400,0,0,0,0,0,0,0,0,0,0,1
-menuFont=Fira Code,11,-1,5,400,0,0,0,0,0,0,0,0,0,0,1
-smallestReadableFont=Fira Code,9,-1,5,400,0,0,0,0,0,0,0,0,0,0,1
-toolBarFont=Fira Code,10,-1,5,400,0,0,0,0,0,0,0,0,0,0,1
-
-[Icons]
-Theme=breeze-dark
-
-[KDE]
-LookAndFeelPackage=org.kde.breezedark.desktop
-SingleClick=false
-contrast=4
-widgetStyle=Breeze
-
-[Mouse]
-cursorTheme=Breeze_Light
-cursorSize=24
-
-[KDecoration]
-theme=Breeze
-ButtonsOnLeft=
-ButtonsOnRight=IAX
-BorderSize=None

overlay/etc/skel/.config/konsolerc

@@ -1,10 +0,0 @@
-# veilor-os Konsole default — branded profile pre-selected so first
-# Konsole launch on a fresh user account opens the veilor profile,
-# not Fedora's default white-bg Breeze.
-
-[Desktop Entry]
-DefaultProfile=Veilor.profile
-
-[KonsoleWindow]
-ShowMenuBarByDefault=false
-RememberWindowSize=true

overlay/etc/skel/.config/kwinrc

@@ -1,29 +0,0 @@
-# veilor-os Plasma 6 kwin defaults — seeded into /etc/skel so first-login
-# users inherit deliberate windowing behaviour rather than default Breeze
-# animations. Per-user; user can override post-login.
-
-[Compositing]
-# OpenGL backend = standard for hardware accel; AnimationSpeed=0 = no
-# slow window animations on every focus change.
-Backend=OpenGL
-AnimationSpeed=0
-HiddenPreviews=5
-LatencyPolicy=Low
-WindowsBlockCompositing=true
-
-[Plugins]
-# Disable visual fluff that isn't security-relevant + costs perf.
-blurEnabled=false
-contrastEnabled=false
-slideEnabled=false
-slidingpopupsEnabled=false
-fadeEnabled=false
-zoomEnabled=true
-
-[Windows]
-FocusPolicy=ClickToFocus
-RollOverDesktops=false
-TitlebarDoubleClickCommand=Maximize
-
-[Wayland]
-InputMethod=

overlay/etc/skel/.local/share/konsole/Veilor.colorscheme

@@ -1,104 +0,0 @@
-[General]
-Anchor=0.5,0.5
-Blur=false
-ColorRandomization=false
-Description=Veilor
-FillStyle=Tile
-Opacity=1
-Wallpaper=
-WallpaperFlipType=NoFlip
-WallpaperOpacity=1
-
-[Background]
-Color=0,0,0
-
-[BackgroundFaint]
-Color=0,0,0
-
-[BackgroundIntense]
-Color=15,17,18
-
-[Foreground]
-Color=216,216,216
-
-[ForegroundFaint]
-Color=161,169,177
-
-[ForegroundIntense]
-Color=236,236,236
-
-# ── Standard ANSI palette (muted, desaturated) ──
-# Veilor aesthetic: no neon. Reds tone-shifted toward bordeaux, greens
-# toward sage, blues toward slate. Greys lifted to remain readable.
-
-[Color0]
-Color=27,27,27
-
-[Color0Faint]
-Color=20,20,20
-
-[Color0Intense]
-Color=58,58,58
-
-[Color1]
-Color=176,55,69
-
-[Color1Faint]
-Color=130,40,52
-
-[Color1Intense]
-Color=205,87,99
-
-[Color2]
-Color=102,138,90
-
-[Color2Faint]
-Color=78,107,68
-
-[Color2Intense]
-Color=141,176,128
-
-[Color3]
-Color=185,158,98
-
-[Color3Faint]
-Color=140,118,72
-
-[Color3Intense]
-Color=216,193,134
-
-[Color4]
-Color=92,116,143
-
-[Color4Faint]
-Color=68,87,107
-
-[Color4Intense]
-Color=131,154,182
-
-[Color5]
-Color=141,113,150
-
-[Color5Faint]
-Color=104,84,112
-
-[Color5Intense]
-Color=176,148,186
-
-[Color6]
-Color=99,144,148
-
-[Color6Faint]
-Color=72,107,110
-
-[Color6Intense]
-Color=139,180,184
-
-[Color7]
-Color=200,200,200
-
-[Color7Faint]
-Color=161,169,177
-
-[Color7Intense]
-Color=236,236,236

overlay/etc/skel/.local/share/konsole/Veilor.profile

@@ -1,55 +0,0 @@
-[General]
-Name=Veilor
-Parent=FALLBACK/
-Command=/bin/bash
-Directory=
-Icon=utilities-terminal
-LocalTabTitleFormat=%w
-RemoteTabTitleFormat=(%u) %h
-ShowTerminalSizeHint=false
-StartInCurrentSessionDir=true
-TerminalCenter=false
-TerminalMargin=4
-
-[Appearance]
-ColorScheme=Veilor
-Font=Fira Code,11,-1,5,400,0,0,0,0,0,0,0,0,0,0,1
-LineSpacing=1
-UseFontLineCharacters=true
-
-[Cursor Options]
-CursorShape=0
-UseCustomCursorColor=true
-CustomCursorColor=104,107,111
-CustomCursorTextColor=216,216,216
-
-[Scrolling]
-HistoryMode=2
-HistorySize=10000
-ScrollBarPosition=2
-HighlightScrolledLines=false
-
-[Terminal Features]
-BellMode=3
-BlinkingCursorEnabled=false
-BlinkingTextEnabled=false
-FlowControlEnabled=false
-UrlHintsModifiers=67108864
-ReverseUrlHints=false
-VerticalLine=false
-
-[Interaction Options]
-AutoCopySelectedText=false
-CopyTextAsHTML=false
-TrimLeadingSpacesInSelectedText=false
-TrimTrailingSpacesInSelectedText=true
-UnderlineFilesEnabled=true
-UnderlineLinksEnabled=true
-OpenLinksByDirectClickEnabled=false
-WordCharacters=:@-./_~?&=%+#
-
-[Encoding Options]
-DefaultEncoding=UTF-8
-
-[Keyboard]
-KeyBindings=default

overlay/etc/systemd/system/veilor-firstboot.service

@@ -18,9 +18,4 @@ TTYReset=yes
 TTYVHangup=yes
 
 [Install]
-# Real installs default to graphical.target. Without this entry the unit
-# never runs on installed systems — admin pw stays at install-time value
-# + chage -d 0 expired, SDDM PAM bounces user to a chauthtok screen
-# (recoverable but ugly). Live ISO + multi-user.target installs both
-# resolve via this list. (Agent 2, 2026-05-05 wave.)
-WantedBy=graphical.target multi-user.target
+WantedBy=multi-user.target

overlay/etc/usbguard/rules.conf

@@ -1,43 +0,0 @@
-# veilor-os USBGuard baseline rules
-#
-# Default policy is `block` (set in usbguard-daemon.conf via the
-# overlay). Without any allow rule, every USB device — including the
-# user's keyboard — is blocked at boot. That includes the desktop
-# user with a USB keyboard at SDDM.
-#
-# This file allows HID-class interfaces (keyboard, mouse, touchpad,
-# fingerprint reader, NFC, gamepad) without pinning to specific
-# vendor:product/serial/hash. id-based rules survive dock replug and
-# vendor-bump kernel changes, where hash+parent-hash rules don't —
-# verified pain on onyx (memory: feedback_usbguard_dock.md). Same fix.
-#
-# After first login, the user runs:
-#     ujust veilor-usbguard-enroll
-# (or `usbguard generate-policy --with-hash=false > rules.conf`)
-# to add their own keyboard's id-rule and tighten the policy further.
-#
-# References:
-#   - usbguard-rules.conf(5)
-#   - https://usbguard.github.io/documentation/rule-language.html
-#   - veilor-os agent 9 audit, 2026-05-05
-
-# HID class — keyboards, mice, pointers, gamepads, fingerprint, NFC.
-# Interface descriptor 03:NN:NN where 03=HID. We accept any HID
-# subclass + protocol so the rule is robust to future HID variants.
-allow with-interface match-all { 03:*:* }
-
-# Mass-storage prompt: ask the user before mounting a new flash drive.
-# Reject blanket-allow (would silently allow USB Rubber Ducky).
-# Accept only after user confirms via the gnome/plasma USB dialog.
-# (USBGuard has no native "ask" verb; we leave mass-storage devices
-# implicit-block here, the user runs `usbguard allow-device <id>`
-# from a Plasma applet OR the firstboot wizard documents this flow.)
-
-# Block known-bad. USB Killer signature shows up as a generic-HID
-# composite descriptor + power draw out of spec. We can't reliably
-# detect that from descriptors alone — relying on default-block
-# semantics for now.
-
-# DO NOT pin to specific id=, serial=, hash=, or parent-hash= here.
-# That's the user's job post-firstboot for their actual hardware.
-# Pre-shipped pinned rules break on every dock replug + kernel bump.

overlay/usr/local/bin/veilor-installer

@@ -69,21 +69,6 @@ banner() {
     local vline="veilor-os ${ver} · ${d} · live"
 
     if [[ -r $BANNER_FILE ]]; then
-        # v0.6: staged line-by-line reveal of the banner before the
-        # gum-style border draws around it. 40ms/line gives a subtle
-        # "typewriter" feel — 5 lines × 40ms = 200ms total, fast enough
-        # not to feel laggy but slow enough to land an aesthetic on the
-        # very first frame the user sees. Once the reveal finishes we
-        # clear and re-draw with the bordered gum-style version so the
-        # operator never sees both stacked on top of each other.
-        local line
-        while IFS= read -r line; do
-            printf '  %s\n' "$line"
-            sleep 0.04
-        done < "$BANNER_FILE"
-        sleep 0.08
-        clear
-
         if [[ $TUI == gum ]]; then
             # gum style: rounded border, banner + blank line + version line.
             gum style --border rounded --margin "0 2" --padding "1 3" \
@@ -165,30 +150,10 @@ prompt_input() {
 }
 
 # prompt_password <header>
-#
-# v0.6: gum-path replaced with bash `read -srp` because `gum input
-# --password` rendered as a duplicate-"Install" + stray-T artefact on
-# the linux fbcon since v0.5.27 (Agent 7 of the v0.6 polish research
-# wave traced this to gum's bubbletea screen-restore writing back the
-# previous menu buffer when the framebuffer terminfo lacked
-# `civis/cnorm` cursor-hide sequences). bash `read -srp` is a single
-# write to stdout + termios echo-off — no redraw, no glitch. Header
-# rendered separately via gum style for visual parity with the rest
-# of the installer.
 prompt_password() {
     local header=$1
     if [[ $TUI == gum ]]; then
-        # Render the prompt header as a styled box so it looks at home
-        # next to the other gum prompts, then collect the password via
-        # plain bash read on the next line. `read -s` disables echo,
-        # `read -p` writes the prompt to stderr (so command-substitution
-        # callers still get the password on stdout cleanly).
-        gum style --foreground "${VEILOR_FG:-15}" --border rounded \
-            --border-foreground "${VEILOR_DIM:-240}" --padding "0 2" -- "$header"
-        local pw
-        read -srp "  password: " pw
-        echo >&2  # newline after silent read so next prompt isn't on same line
-        printf '%s' "$pw"
+        gum input --password --header "$header"
     else
         whiptail --title "veilor-os" --passwordbox "$header" 10 60 \
             3>&1 1>&2 2>&3
@@ -288,36 +253,12 @@ collect_answers() {
     }
 
     # ── LUKS passphrase ──
-    # v0.6: prompt twice + string-compare. A typo in the LUKS passphrase
-    # is unrecoverable — the disk is unmountable without it and we
-    # don't escrow the key. Re-prompting until the two reads match
-    # catches keyboard-layout surprises (US vs UK quote position is
-    # the most common one) before they brick the install.
-    local luks_pw_confirm
-    while true; do
-        luks_pw=$(prompt_password "[2/3] Encryption · LUKS2 passphrase (min 8)") || return 1
-        validate_pw "$luks_pw" "passphrase" || continue
-        luks_pw_confirm=$(prompt_password "[2/3] Confirm LUKS2 passphrase") || return 1
-        if [[ $luks_pw == "$luks_pw_confirm" ]]; then
-            break
-        fi
-        prompt_error "Passphrases do not match — try again."
-    done
+    luks_pw=$(prompt_password "[2/3] Encryption · LUKS2 passphrase (min 8)") || return 1
+    validate_pw "$luks_pw" "passphrase" || return 1
 
     # ── Admin password ──
-    # Same confirm-twice pattern. Less catastrophic than LUKS (admin
-    # password can be reset from a recovery shell) but a mismatch here
-    # still locks the user out of their fresh install on first boot.
-    local admin_pw_confirm
-    while true; do
-        admin_pw=$(prompt_password "[3/3] Admin user · password for 'admin'") || return 1
-        validate_pw "$admin_pw" "password" || continue
-        admin_pw_confirm=$(prompt_password "[3/3] Confirm admin password") || return 1
-        if [[ $admin_pw == "$admin_pw_confirm" ]]; then
-            break
-        fi
-        prompt_error "Passwords do not match — try again."
-    done
+    admin_pw=$(prompt_password "[3/3] Admin user · password for 'admin'") || return 1
+    validate_pw "$admin_pw" "password" || return 1
 
     # ── Locale ──
     # Hardcoded en_US.UTF-8 for branded consistency. The picker that
@@ -486,7 +427,7 @@ __SSHKEY_DIRECTIVE__
 # re-runs kernel-install per kernel. That's the canonical Fedora 43 path
 # for landing args in BLS entries — kernel-install reads /etc/kernel/cmdline
 # (90-loaderentry.install:84-95) when generating BLS option lines.
-bootloader --append="lockdown=integrity module.sig_enforce=1 slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none fbcon=nodefer i915.modeset=1 amdgpu.modeset=1 nvidia-drm.modeset=1 rd.vconsole.keymap=us"
+bootloader --append="lockdown=integrity slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none fbcon=nodefer"
 
 # Disk: zero, LUKS2 (argon2id), btrfs subvolumes (no LVM intermediary).
 # Native btrfs-on-LUKS matches Fedora KDE Spin defaults; LVM+btrfs combo
@@ -547,12 +488,6 @@ chrony
 firewalld
 plymouth
 
-# AppArmor stack — Fedora 43 ships parser/utils/profiles. v0.6 ships
-# loaded-but-complain only (see scripts/40-apparmor.sh + tier-2 plan).
-apparmor-parser
-apparmor-utils
-apparmor-profiles
-
 # admin essentials
 git
 vim-enhanced
@@ -992,33 +927,7 @@ KSEOF
     return 0
 }
 
-_dump_logs_to_host() {
-    # If a virtio-9p share tagged "hostlogs" was attached by run-vm.sh,
-    # mount it and dump every anaconda + installer log into it. Runs on
-    # success AND failure (called via trap). No-op on real hardware where
-    # the 9p tag doesn't exist.
-    if ! grep -qw 9p /proc/filesystems 2>/dev/null; then return 0; fi
-    local m=/mnt/hostlogs
-    mkdir -p "$m"
-    mount -t 9p -o trans=virtio,version=9p2000.L hostlogs "$m" 2>/dev/null || return 0
-    cp -af /tmp/anaconda.log         "$m/" 2>/dev/null || true
-    cp -af /tmp/program.log          "$m/" 2>/dev/null || true
-    cp -af /tmp/storage.log          "$m/" 2>/dev/null || true
-    cp -af /tmp/packaging.log        "$m/" 2>/dev/null || true
-    cp -af /tmp/dnf.log              "$m/" 2>/dev/null || true
-    cp -af /tmp/dnf.librepo.log      "$m/" 2>/dev/null || true
-    cp -af /tmp/anaconda-cmdline.log "$m/" 2>/dev/null || true
-    cp -af /var/log/veilor-installer.log "$m/" 2>/dev/null || true
-    cp -af /run/install/veilor-generated.ks "$m/" 2>/dev/null || true
-    dmesg > "$m/dmesg.log" 2>/dev/null || true
-    journalctl -b > "$m/journal.log" 2>/dev/null || true
-    sync
-    umount "$m" 2>/dev/null || true
-}
-
 run_install() {
-    # Capture logs to host on every exit path (success, failure, ^C).
-    trap _dump_logs_to_host EXIT
     # Anaconda env setup (see comments below).
     export LANG="${SEL_LOCALE:-en_GB.UTF-8}"
     export LC_ALL="$LANG"
@@ -1043,39 +952,12 @@ run_install() {
             --show-output \
             -- bash -c 'anaconda --cmdline --kickstart=/run/install/veilor-generated.ks 2>&1 | tee /tmp/anaconda-cmdline.log' || rc=$?
         if [[ $rc -eq 0 ]]; then
-            # v0.6: split the success screen into THREE stacked boxes.
-            #
-            #   1. Green success box  — quiet confirmation.
-            #   2. Yellow eject box   — promoted out of the buried
-            #      one-liner the v0.5 success box used. Operators on
-            #      both onyx and the friend's RTX 4080 rig missed the
-            #      reminder and rebooted into the live ISO instead of
-            #      the install. Now it's its own loud thick-bordered
-            #      box that sits BELOW the success box and is
-            #      impossible to miss.
-            #   3. Reboot countdown   — embedded inside the green
-            #      success box so the operator can see "complete +
-            #      Xs to reboot" at a glance.
-            #
-            # Each tick clears + redraws all three, so the eject-media
-            # box stays in front of the operator for the full 10-second
-            # window and isn't scrolled off by a banner refresh.
-            local secs
-            for secs in 10 9 8 7 6 5 4 3 2 1; do
-                clear
-                gum style --foreground 2 --border rounded --margin "1 2" --padding "1 3" \
-                    "✓ Install complete" \
-                    "" \
-                    "Rebooting in ${secs}s..."
-                gum style --foreground 3 --border thick --margin "0 2" --padding "1 3" \
-                    --border-foreground 3 \
-                    "  Remove the install media NOW  " \
-                    "" \
-                    "  Unplug the USB stick / eject the DVD before  " \
-                    "  reboot, otherwise the system will boot back  " \
-                    "  into the live ISO instead of your fresh install.  "
-                sleep 1
-            done
+            gum style --foreground 2 --border rounded --margin "1 2" --padding "1 3" \
+                "✓ Install complete" \
+                "" \
+                "System will reboot in 5 seconds." \
+                "Remove the install media."
+            sleep 5
             systemctl reboot
         else
             prompt_error "Anaconda exited non-zero (status $rc).

scripts/40-apparmor.sh

@@ -1,77 +0,0 @@
-#!/usr/bin/env bash
-# veilor-os — 40-apparmor: load veilor-shipped AppArmor profiles in
-# COMPLAIN mode. v0.6 scope: "loaded, present, nothing breaks".
-#
-# Per docs/research/2026-05-05-agent-wave/04-hardening-tier-2.md, v0.6
-# ships AppArmor stacked alongside SELinux, but every veilor-shipped
-# profile stays in complain mode (logs only, no enforce). Real policy
-# authoring is post-v0.6.
-#
-# Idempotent: profiles already in complain mode are skipped. Run as
-# root during kickstart %post or post-install.
-
-set -uo pipefail
-
-GREEN='\033[0;32m'; YELLOW='\033[1;33m'; RED='\033[0;31m'; NC='\033[0m'
-ok()   { echo -e "${GREEN}[OK]${NC}    $*"; }
-info() { echo -e "${YELLOW}[INFO]${NC}  $*"; }
-warn() { echo -e "${YELLOW}[WARN]${NC}  $*"; }
-err()  { echo -e "${RED}[ERR]${NC}   $*"; }
-
-[[ $EUID -eq 0 ]] || { err "Must run as root"; exit 1; }
-
-echo "════════════════════════════════════════════════════════"
-echo "  veilor-os :: 40-apparmor (complain mode only)"
-echo "════════════════════════════════════════════════════════"
-
-PROFILE_DIR=/etc/apparmor.d/veilor.d
-
-# ── Sanity: tools present? ──
-if ! command -v apparmor_parser >/dev/null 2>&1; then
-    warn "apparmor_parser not installed — skipping (package step missed?)"
-    exit 0
-fi
-if ! command -v aa-complain >/dev/null 2>&1; then
-    warn "aa-complain not installed (apparmor-utils missing) — skipping"
-    exit 0
-fi
-
-if [[ ! -d $PROFILE_DIR ]]; then
-    info "$PROFILE_DIR not present — no veilor profiles to load"
-    exit 0
-fi
-
-# ── Walk every profile we ship and force complain mode ──
-shopt -s nullglob
-loaded=0
-skipped=0
-failed=0
-
-for profile in "$PROFILE_DIR"/*; do
-    [[ -f $profile ]] || continue
-    name=$(basename "$profile")
-
-    # Already in complain mode? aa-status reports loaded profiles by
-    # internal profile name, not file path — best-effort match against
-    # the file basename to avoid re-parsing on repeat runs.
-    if command -v aa-status >/dev/null 2>&1 \
-       && aa-status --complaining 2>/dev/null | grep -qE "(^|/)veilor-${name}([[:space:]]|$)"; then
-        info "$name already in complain mode — skipping"
-        skipped=$((skipped + 1))
-        continue
-    fi
-
-    info "loading $name (complain mode)"
-    if aa-complain "$profile" >/dev/null 2>&1; then
-        ok "$name → complain"
-        loaded=$((loaded + 1))
-    else
-        warn "$name failed to load (parser may reject stub on this kernel)"
-        failed=$((failed + 1))
-    fi
-done
-
-echo "────────────────────────────────────────────────────────"
-info "summary: loaded=$loaded skipped=$skipped failed=$failed"
-ok "v0.6 AppArmor stub: complain-mode only — no enforcement, log-only"
-exit 0

test/METHOD-CHANGELOG.md

@@ -9,50 +9,6 @@ Entries are newest-first.
 
 ---
 
-## 2026-05-06 · v0.5.32 · ISO build path moved to Forgejo
-
-**Change:** Build host for the test ISO has moved off GitHub Actions
-onto the Forgejo runner on nullstone. The hybrid VM test procedure in
-`TESTING.md` is **unchanged** — the gum installer still drives every
-step it can, the operator still types the LUKS + admin passwords
-directly into the QEMU window. The only thing different is where the
-ISO comes from and how the host log is captured.
-
-**Practical deltas for testers:**
-
-- ISO download: from the Forgejo `ci-latest` rolling release at
-  <https://git.s8n.ru/veilor-org/veilor-os/releases/tag/ci-latest>.
-  The tag is force-replaced on each successful `build-iso.yml` run, so
-  always re-download — don't rely on a cached copy.
-- Re-flash to USB / virtio-blk image via Etcher / `dd` — **unchanged**.
-  Same `sha256sum -c` step; same image format.
-- virtio-9p host log capture is now **active by default** in
-  `test/run-vm.sh`. This replaces the broken virtio-serial path
-  flagged by Agent 6 in the 2026-05-05 wave; Anaconda logs land in the
-  host-side mount automatically once the VM boots, no manual `tail -f`
-  on a broken serial console.
-- Build host for the record: forgejo-runner on nullstone, runner label
-  `ubuntu-24.04`, image `catthehacker/ubuntu:act-24.04`. Reproducibility
-  is unchanged from the GH Actions ubuntu-24.04 base — the act image
-  matches GHA's runner image to within package versions.
-
-**Why:** GitHub mirror was disabled 2026-05-06 (repo is now
-private-by-default on Forgejo); GH Actions builds would just stop
-producing artifacts. Moving CI in-house onto nullstone keeps the
-test/release loop intact and removes the external dependency for
-private-build cycles. Documenting the change here so a future tester
-reading TESTING.md doesn't waste time hunting an artifact in a
-GitHub run that never happened.
-
-**Files touched in this entry:**
-- `test/METHOD-CHANGELOG.md` — this entry.
-
-`test/TESTING.md` itself is **not** edited — the procedure prose still
-applies verbatim. Only the build host and the URL where the ISO lives
-changed.
-
----
-
 ## 2026-05-05 · v0.5.27 · TESTING.md created
 
 **Change:** First version of the canonical procedure document.

test/run-vm.sh

@@ -208,20 +208,12 @@ echo "  Seed  : ${SEED_ISO:-<none>}"
 # We've lost logs three times in a row to anaconda failures + tmpfs
 # reboots. Wiring this up so future failures auto-capture.
 ANACONDA_LOG="$TEST_DIR/anaconda-vm-$(date +%Y%m%d-%H%M%S).log"
-ANACONDA_LOG_DIR="$TEST_DIR/test-runs/$(date +%Y%m%d-%H%M%S)"
-mkdir -p "$ANACONDA_LOG_DIR"
 ANACONDA_LOG_ARGS=(
-    # Belt: virtio-serial (anaconda's setupVirtio rsyslog forward, fragile —
-    # depends on rsyslog being installed in the live ISO).
     -chardev "file,id=anaclog,path=$ANACONDA_LOG"
     -device virtio-serial-pci,id=vs1
     -device "virtserialport,chardev=anaclog,bus=vs1.0,name=org.fedoraproject.anaconda.log.0"
-    # Braces: virtio-9p host directory share. veilor-installer mounts this
-    # at /mnt/hostlogs and rsyncs /tmp/*.log there post-anaconda.
-    -virtfs "local,path=$ANACONDA_LOG_DIR,mount_tag=hostlogs,security_model=mapped-xattr,id=hostlogs"
 )
-echo "  AnaLog : $ANACONDA_LOG"
-echo "  HostFS : $ANACONDA_LOG_DIR (9p tag: hostlogs)"
+echo "  AnaLog: $ANACONDA_LOG"
 
 echo "  Mode  : ${SECBOOT:+secboot}${SECBOOT:-stock UEFI}"
 echo "  Inject: ${HOST_PUBKEY:+yes}${HOST_PUBKEY:-no (no host pubkey)}"

test/test-runs/2026-05-06-v0.5.32-build.md

@@ -1,142 +0,0 @@
-# Test run — v0.5.32
-
-- **Date:** 2026-05-06
-- **ISO:** `veilor-os-43-20260506-HHMMSS.iso` (sha256: `TBD — fill in once A1 reports the build artifact`)
-- **Tester:** A1 (build) + operator (P) + A5 (report scribe)
-- **Build host:** forgejo-runner on nullstone (runner label `ubuntu-24.04`,
-  image `catthehacker/ubuntu:act-24.04`); first ISO produced off the
-  Forgejo build pipeline after the GH Actions mirror was disabled
-  2026-05-06.
-- **Environment:** VM (qemu/q35/ovmf, 4 vCPU, 4 GiB RAM, virtio-vga,
-  virtio-9p host log mount). Real-hardware run is a separate report —
-  this file is the VM run only.
-
----
-
-## Result
-
-⏳ **Pending A1 build.** Operator + A5 fill in pass/fail per-step once
-the actual VM test is walked through against the v0.5.32 ISO. Until
-the ISO sha256 lands here, treat every row in the per-step table as
-unverified.
-
-One-line summary (write here once known): _TBD_.
-
----
-
-## Regressions vs previous run
-
-(v0.5.31 was the last tagged release; compare against any pass-with-issues
-notes from that test run if a report exists. Empty otherwise — fill in
-during the actual test walkthrough.)
-
-- _TBD_
-
----
-
-## Per-step results
-
-Walk `test/TESTING.md` step-by-step. Mark each pass/fail with a brief
-note when failed. Until the test runs, every row is `⏳ pending`.
-
-| #  | Step                              | Result | Notes |
-|----|-----------------------------------|--------|-------|
-| 1  | Live boot to installer banner     | ⏳ pending |  |
-| 2  | Installer menu render             | ⏳ pending |  |
-| 3  | Disk picker                       | ⏳ pending |  |
-| 4  | LUKS + admin passwords            | ⏳ pending | Operator types directly into QEMU window — plymouth ignores synthesised keys. |
-| 5  | Locale                            | ⏳ pending |  |
-| 6  | Confirm                           | ⏳ pending |  |
-| 7  | Anaconda transaction              | ⏳ pending |  |
-| 8  | Reboot                            | ⏳ pending |  |
-| 9  | GRUB single veilor-os entry       | ⏳ pending |  |
-| 10 | LUKS unlock prompt                | ⏳ pending |  |
-| 11 | First boot → SDDM → KDE           | ⏳ pending |  |
-| 12 | Hardening checks                  | ⏳ pending |  |
-
----
-
-## Hardening verification
-
-```text
-$ getenforce
-TBD
-
-$ systemctl is-active fail2ban usbguard tuned auditd firewalld
-TBD
-
-$ cat /proc/cmdline
-TBD — must include rd.luks.uuid=luks-... and the v0.5.32 cmdline set.
-
-$ lsblk -f
-TBD
-
-$ systemctl is-enabled veilor-firstboot.service
-TBD — must report enabled with WantedBy=graphical.target (blocker #2).
-
-$ nft list ruleset | grep -i tailscale
-TBD — tailscale0 must be in the trusted zone (blocker #5).
-
-$ cat /etc/skel/.config/kdeglobals 2>/dev/null | head
-TBD — branding must be present (blocker #6).
-
-$ ls /var/log/anaconda/host-9p-mount/
-TBD — virtio-9p Anaconda log capture (blocker #7).
-```
-
-Paste real output. If any service is inactive, any cmdline arg is
-missing, or any blocker artifact is absent, raise as a Regression
-above.
-
----
-
-## Findings
-
-The 7 v0.5.32 blocker fixes from the
-[2026-05-05 9-agent research wave](../../docs/research/2026-05-05-agent-wave/README.md)
-land in this build. Each is listed here as an **expected behaviour**
-the tester must observe — if any of these regress, log it under
-Regressions above.
-
-1. **Suspend/resume wifi survives lid-close.** `kernel.modules_disabled=1`
-   no longer fires before the wifi module reloads on resume. Test:
-   suspend the VM (or lid-close on real HW), wake, reconnect to the
-   same network without manual `modprobe`.
-2. **`veilor-firstboot.service` is `WantedBy=graphical.target`.** The
-   first-boot admin password flow must run on real installs, not just
-   on multi-user.target boots. Test: fresh install boots straight to
-   the TTY password prompt before SDDM lights up.
-3. **Kernel-upgrade does not drift GRUB.** First `dnf upgrade kernel`
-   must leave the system bootable — `grub2-mkconfig` is wired into the
-   kernel-install hook. Test: install, run `sudo dnf upgrade kernel`,
-   reboot, system comes up.
-4. **USBGuard rules are id-based, not hash + parent-hash.** Mirrors the
-   onyx dock-replug fix in `feedback_usbguard_dock.md`. Test:
-   unplug/replug a known device — it stays allowed. The hash variant
-   re-blocks on every replug; the id variant must not.
-5. **firewalld trusts `tailscale0`.** The interface is in the trusted
-   zone out-of-the-box. Test: bring tailscale up, ping a peer in the
-   mesh — no firewall mods required.
-6. **`/etc/skel/` carries veilor branding.** New users get the black
-   colour scheme, Konsole profile, and Plasma layout on first login.
-   Test: `useradd test`; log in as `test`; KDE comes up branded, no
-   white flash, Fira Code system font.
-7. **virtio-9p Anaconda log capture is active by default.**
-   `test/run-vm.sh` mounts a host directory into the VM; Anaconda logs
-   land there during install. Replaces the broken virtio-serial path
-   from earlier runs. Test: run install in VM; host-side mount has
-   `program.log`, `storage.log`, `packaging.log` populated.
-
-Free-form notes from the actual walkthrough — cosmetic glitches, slow
-paths, surprising behaviour — append below.
-
-- _TBD — fill in during the operator-driven VM run._
-
----
-
-## Action items for next release
-
-(Empty until the test exposes something. PRs / commits opened during
-the run go here.)
-
-- [ ] _TBD_