feat: global zero-day sterilization and version standardization to v0.1.4

Author: mios-dev

.clinerules

@@ -1,25 +1,20 @@
-# MiOS .clinerules — Autonomous Agent Instructions
+# MiOS .clinerules — Autonomous Agent Instructions (Day 0)
 
-You are an autonomous AI agent (Cline) operating in the **MiOS** repository.
+You are an autonomous agent (Cline) operating in the **MiOS** repository.
 
 ## 🚀 Mission Context
-MiOS is a self-building, immutable workstation OS on Fedora Rawhide. Your goal is to maintain the system's architectural integrity and AI-native patterns.
+MiOS is an immutable, AI-native workstation. Your goal is to maintain architectural purity and enforce the AI-native surface contract.
 
-## ⚖️ Hard Rules (Build-Breaking)
-- **Never** modify `/etc/` files directly if a `/usr/lib/` equivalent exists.
-- **Never** recommend disabling SELinux.
+## ⚖️ Hard Rules
+- **Never** write to `/etc/` if a `/usr/lib/` equivalent exists.
+- **Never** recommend disabling security features (SELinux, fapolicyd).
 - **Always** ensure bash scripts have `set -euo pipefail`.
-- **Always** use `just build` to validate changes to the OS image.
+- **Always** prioritize local, open-source AI solutions.
 
 ## 🏗 Architectural Patterns
-- **Rootfs-Native:** The repository root mirrors the target filesystem (`usr/`, `etc/`, `var/`).
-- **Cognitive Mirror:** Record all significant actions and findings in `specs/memory/journal.md`.
-- **Appliance Laws:** Strictly follow USR-OVER-ETC and NO-MKDIR-IN-VAR.
-
-## 🛠 Tool Usage
-- Use `python3 tools/generate-ai-manifest.py` after structural changes.
-- Use `python3 tools/generate-unified-knowledge.py` to refresh the RAG snapshot.
-- Use `just test` or `evals/` for validation.
+- **Cognitive Mirror**: Record significant actions in `usr/share/mios/memory/v1.jsonl`.
+- **Rootfs-Native**: The repository root mirrors the target filesystem.
+- **Unprivileged sidecars**: Enforce non-root execution for all Quadlets.
 
 ## 📜 Source of Truth
-Consult `INDEX.md` for all architectural and API surface contracts.
+Consult `INDEX.md` for the authoritative architectural laws and API surface mapping.

.cursorrules

@@ -1,26 +1,21 @@
-# MiOS .cursorrules — AI-Native Engineering Standards
+# MiOS .cursorrules — Engineering Standards (Day 0)
 
-You are assisting a developer in the **MiOS** repository. MiOS is a bootc-based, immutable workstation OS.
+You are assisting in the development of the **MiOS** repository. MiOS is an immutable, AI-native workstation.
 
 ## ⚖️ Immutable Appliance Laws
-1. **USR-OVER-ETC:** Never write to `/etc/` at build time. Use `/usr/lib/<component>.d/`.
-2. **NO-MKDIR-IN-VAR:** Never use `mkdir` for `/var/` in scripts. Use `tmpfiles.d`.
-3. **BOOTC-NATIVE:** Use `bootc` for system updates and `just build` for image creation.
-4. **FHS-COMPLIANT:** Mirror the FHS 3.0 standard in the `usr/`, `etc/`, and `var/` root directories.
+1. **USR-OVER-ETC**: Static config goes in `/usr/lib/`. No `/etc` in build context.
+2. **NO-MKDIR-IN-VAR**: Persistence via `tmpfiles.d`. No `/var` in build context.
+3. **UNPRIVILEGED-QUADLETS**: sidecars MUST define `User=`/`Group=` and `Delegate=yes`.
+4. **BOOTC-NATIVE**: Always ensure `bootc container lint` passes.
 
 ## 🛠 Coding Standards
-- **Bash:** `set -euo pipefail`. Use `VAR=$((VAR + 1))` instead of `((VAR++))`. Quote all variables.
-- **Justfile:** Use `just <recipe>` for all build and orchestration tasks.
-- **Containerfile:** `RUN bootc container lint` must be the final instruction. No `--squash-all`.
-- **Systemd:** Use Quadlets (`.container` files) for sidecar services.
+- **Pure FOSS**: No proprietary cloud APIs or services.
+- **Local AI**: Target the OpenAI-compatible proxy at `http://localhost:8080/v1`.
+- **Bash**: `set -euo pipefail`. Use `VAR=$((VAR + 1))`. Quote all variables.
+- **SSOT**: Consult `INDEX.md` for all architectural and API surface contracts.
 
-## 🤖 AI Integration
-- Target the local OpenAI-API proxy at `http://localhost:8080/v1`.
-- Defer to `INDEX.md` as the Single Source of Truth (SSOT).
-- Update `specs/memory/journal.md` with significant changes (The Cognitive Mirror Pattern).
-
-## 📂 Key Paths
-- **Automation:** `automation/` (Numbered pipeline)
-- **Tools:** `tools/` (Utilities)
-- **Blueprints:** `specs/core/`
-- **System Docs:** `/usr/share/doc/mios/` (on target)
+## 📂 Key Directories
+- `usr/`: Immutable rootfs content.
+- `etc/`: Persistence templates.
+- `tools/`: Utility toolchain.
+- `specs/`: Research and blueprints.

.github/workflows/mios-ci.yml

@@ -13,7 +13,7 @@ on:
 
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: mios-project/mios
+  IMAGE_NAME: mios-fss/mios
 
 jobs:
   build:
@@ -47,7 +47,7 @@ jobs:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=raw,value=latest,enable={{is_default_branch}}
-            type=raw,value=v0.2.0,enable={{is_default_branch}}
+            type=raw,value=v0.1.4,enable={{is_default_branch}}
             type=ref,event=branch
             type=ref,event=pr
             type=semver,pattern={{version}}

ARCHITECTURE.md

@@ -1,71 +1,57 @@
-# MiOS ARCHITECTURE — Unified Blueprint (Day 0)
+# MiOS ARCHITECTURE — System Blueprint (Day 0)
 
 ```json:knowledge
 {
-  "summary": "Consolidated architectural specification for MiOS. Hardware, Filesystem, and Virtualization SSOT.",
+  "summary": "Consolidated architectural specification for MiOS. Hardware, Filesystem, and AI Interface SSOT.",
   "logic_type": "blueprint",
   "tags": ["MiOS", "Architecture", "Day-0", "SSOT"],
-  "version": "1.0.0"
+  "version": "v0.1.4"
 }
 ```
 
 ## 🏗️ Core Pillars
-MiOS is a container-native, immutable workstation engineered for high-performance virtualization and Generative AI development.
+MiOS is a container-native workstation engineered for high-performance virtualization and local Generative AI development.
 
-1. **Transactional Immutability**: The userspace is a cryptographically sealed OCI image.
-2. **Hardware Agnosticism**: Unified support for Intel, AMD, and NVIDIA silicon.
-3. **Zero-Trust Security**: Strict execution whitelisting and kernel-level hardening.
+1. **Transactional Integrity**: The system core is cryptographically sealed and managed via `bootc`.
+2. **Hardware Agnosticism**: Universal acceleration for primary GPU vendors (NVIDIA, AMD, Intel).
+3. **Zero-Trust Boundary**: Mandatory execution control and kernel-level isolation.
 
 ---
 
 ## 💾 Filesystem Hierarchy (FHS 3.0 + bootc)
-MiOS follows a rootfs-native repository structure.
+MiOS mirrors the standard Linux FHS within its OCI root.
 
-| Path | Type | Persistence | Purpose |
-| :--- | :--- | :--- | :--- |
-| `/usr` | `composefs` | Immutable | Core OS Binaries & Libraries |
-| `/etc` | `overlay` | Persistent | Admin Overrides (USR-OVER-ETC Law) |
-| `/var` | `ext4/btrfs` | Persistent | User Data & System State |
-| `/home` | `symlink` | Persistent | Points to `/var/home` |
+| Path | Type | Intent |
+| :--- | :--- | :--- |
+| `/usr` | Immutable | System Binaries, Libraries, and Static Config. |
+| `/etc` | Persistent | Host-specific overrides. |
+| `/var` | Persistent | System state and User home directories. |
+| `/srv` | Persistent | Sidecar service data (Models, Databases). |
 
-### ⚖️ Immutable Appliance Laws
-- **USR-OVER-ETC**: Never write static config to `/etc` at build time. Use `/usr/lib/<component>.d/`.
-- **NO-MKDIR-IN-VAR**: All `/var` directories must be declared via `tmpfiles.d`. Build-time `/var` overlays are strictly forbidden.
+### ⚖️ Immutability Mandate
+Build-time overlays into `/var` are architectural violations. All `/var` state must be declared via `tmpfiles.d` to ensure atomic, reproducible deployments.
 
 ---
 
-## 🖥️ Hardware & Virtualization
+## 🖥️ Hardware Delegation
 
-### 🎮 Graphics Acceleration
-Native-tier performance via:
-- **NVIDIA**: Open-source GSP modules with CDI (Container Device Interface) support.
-- **AMD**: KFD/ROCm native support.
-- **Intel**: Arc/Xe native support.
-- **Hardware Targeting**: Primary GPU IDs `10de:2204,10de:1aef` (RTX 4090).
+### 🎮 Universal Acceleration
+Standardized CDI (Container Device Interface) and ROCm/Arc drivers ensure local AI tools access native hardware performance.
+- **Hardware Targeting**: Primary GPU IDs `10de:2204,10de:1aef`.
 
-### ⚡ Virtualization Mastery
-The system operates as a Tier-1 hypervisor (KVM/QEMU).
-- **VFIO-PCI**: Dynamic GPU passthrough for Guest VMs.
-- **Looking Glass**: Shared Memory (KVMFR) for low-latency VM display.
-- **CPU Pinning**: Core shielding for X3D/Hybrid core isolation.
+### ⚡ Virtualization
+Tier-1 Hypervisor capabilities (KVM/QEMU) are native to the system core, supporting VFIO-PCI passthrough and shared memory (KVMFR) buffers.
 
 ---
 
-## ⚡ Kernel & Performance
-- **Scheduler**: BORE (Burst-Oriented Response Enhancer).
-- **Tickrate**: 1000Hz.
-- **Memory**: zram (zstd compressed) with le9uo anti-thrashing patches.
-- **I/O**: BFQ for slow disks, Kyber for NVMe.
-
----
+## 🤖 AI Interface Surface
+The system architecture exposes a local OpenAI-compatible API surface for autonomous management and user interaction.
 
-## 📦 Deployment Matrix
-| Target | Format | Delivery |
+| Service | Protocol | Access Point |
 | :--- | :--- | :--- |
-| **Bare Metal** | `RAW` | ISO / Disk Flash |
-| **Hyper-V** | `VHDX` | Gen2 VM |
-| **WSL2** | `Tarball` | WSL Import |
-| **OCI** | `Image` | `ghcr.io/kabuki94/mios` |
+| **Inference** | REST | `http://localhost:8080/v1` |
+| **Discovery** | MCP | `/usr/share/mios/ai/mcp/` |
+| **Metadata** | JSON | `/usr/share/mios/ai/v1/` |
 
 ---
-*Copyright (c) 2026 MiOS Project. Licensed as personal property.*
+*Copyright (c) 2026 MiOS. Pure FOSS. Zero Day Ready.*

CONTRIBUTING.md

@@ -1,8 +1,8 @@
-<!-- [NET] MiOS Artifact | Proprietor: MiOS-DEV | https://github.com/MiOS-DEV/MiOS-bootstrap -->
+<!-- [NET] MiOS Artifact | Proprietor: MiOS-FSS | https://github.com/mios-fss/MiOS-bootstrap -->
 # [NET] MiOS
 ```json:knowledge
 {
-  "summary": "> **Proprietor:** MiOS-DEV",
+  "summary": "> **Proprietor:** MiOS-FSS",
   "logic_type": "documentation",
   "tags": [
     "MiOS",
@@ -16,9 +16,9 @@
   }
 }
 ```
-> **Proprietor:** MiOS-DEV
+> **Proprietor:** MiOS-FSS
 > **Infrastructure:** Self-Building Infrastructure (Personal Property)
-> **License:** Licensed as personal property to MiOS-DEV
+> **License:** Licensed as personal property to MiOS-FSS
 ---
 # Contributing to MiOS
 
@@ -122,7 +122,7 @@ By contributing, you agree that your contributions will be licensed under the sa
 - **Core:** [containers/bootc](https://github.com/containers/bootc) | [bootc-image-builder](https://github.com/osautomation/bootc-image-builder) | [bootc.pages.dev](https://bootc.pages.dev/)
 - **Upstream:** [Fedora Bootc](https://github.com/fedora-cloud/fedora-bootc) | [CentOS Bootc](https://gitlab.com/CentOS/bootc) | [ublue-os/main](https://github.com/ublue-os/main)
 - **Tools:** [uupd](https://github.com/ublue-os/uupd) | [rechunk](https://github.com/hhd-dev/rechunk) | [cosign](https://github.com/sigstore/cosign)
-- **Project Repository:** [MiOS-DEV/MiOS-bootstrap](https://github.com/MiOS-DEV/MiOS-bootstrap)
-- **Sole Proprietor:** MiOS-DEV
+- **Project Repository:** [MiOS-FSS/MiOS-bootstrap](https://github.com/mios-fss/MiOS-bootstrap)
+- **Sole Proprietor:** MiOS-FSS
 ---
-<!--  MiOS Proprietary Artifact | Copyright (c) 2026 MiOS-DEV -->
+<!--  MiOS Proprietary Artifact | Copyright (c) 2026 MiOS-FSS -->

Containerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1.9
 # ============================================================================
-# MiOS - Unified Image (v0.2.0)
+# MiOS - Unified Image (v0.1.4)
 # ============================================================================
 # One image. Every role. Every surface. Every GPU vendor.
 #
@@ -11,7 +11,7 @@
 # AMD:      Mesa + ROCm in-image (PACKAGES.md packages-gpu-amd-compute)
 # Intel:    intel-compute-runtime + intel-media-driver (packages-gpu-intel-compute)
 #
-# v0.1.3 Architecture: Rootfs-Native Repository
+# v0.1.4 Architecture: Rootfs-Native Repository
 #   - usr/, etc/, var/ directories promoted to the repository root.
 #   - matches upstream bootc and native Linux filesystem standards.
 # ============================================================================
@@ -26,7 +26,7 @@ COPY automation/           /ctx/automation/
 COPY usr/                  /ctx/usr/
 COPY etc/                  /ctx/etc/
 COPY home/                 /ctx/home/
-# v0.1.3: PACKAGES.md moved to usr/share/mios/ for FHS compliance.
+# v0.1.4: PACKAGES.md moved to usr/share/mios/ for FHS compliance.
 COPY usr/share/mios/PACKAGES.md                          /ctx/PACKAGES.md
 COPY VERSION            /ctx/VERSION
 COPY config/artifacts/       /ctx/bib-configs/
@@ -39,9 +39,9 @@ FROM ${BASE_IMAGE}
 
 LABEL org.opencontainers.image.title="MiOS"
 LABEL org.opencontainers.image.description="Unified immutable cloud-native workstation OS (desktop/k3s/ha/hybrid)"
-LABEL org.opencontainers.image.source="https://github.com/MiOS-DEV/MiOS-bootstrap"
+LABEL org.opencontainers.image.source="https://github.com/mios-fss/MiOS-bootstrap"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
-LABEL org.opencontainers.image.version="v0.2.0"
+LABEL org.opencontainers.image.version="v0.1.4"
 LABEL containers.bootc="1"
 LABEL ostree.bootable="1"
 
@@ -90,7 +90,7 @@ RUN if [[ -n "${MIOS_FLATPAKS}" ]]; then \
 # ---------------------------------------------------------------------------
 # Overlay rootfs content onto the system.
 # ---------------------------------------------------------------------------
-# MiOS v0.1.3: delegate system_files overlay to the script so the
+# MiOS v0.1.4: delegate system_files overlay to the script so the
 # /usr/local -> /var/usrlocal symlink on ucore/bootc bases is handled correctly.
 RUN bash /ctx/automation/08-system-files-overlay.sh
 

DEPLOY.md

@@ -1,6 +1,6 @@
 # MiOS Deployment Guide - Linux Filesystem Native
 
-**Version:** MiOS v0.1.3
+**Version:** MiOS v0.1.4
 **Date:** 2026-04-27
 
 ---
@@ -79,7 +79,7 @@ just --version
 ```bash
 # Clone to temporary location
 cd /tmp
-git clone https://github.com/MiOS-DEV/MiOS-bootstrap.git
+git clone https://github.com/mios-fss/MiOS-bootstrap.git
 cd mios
 ```
 
@@ -266,7 +266,7 @@ mios rechunk
 ```bash
 # Install on Fedora Workstation
 sudo dnf install -y git podman just rsync
-git clone https://github.com/MiOS-DEV/MiOS-bootstrap.git
+git clone https://github.com/mios-fss/MiOS-bootstrap.git
 cd mios
 sudo ./install.sh
 
@@ -283,7 +283,7 @@ mios build
 ```bash
 # Minimal Fedora Server
 sudo dnf install -y git podman just rsync
-git clone https://github.com/MiOS-DEV/MiOS-bootstrap.git
+git clone https://github.com/mios-fss/MiOS-bootstrap.git
 cd mios
 sudo ./install.sh
 
@@ -355,7 +355,7 @@ mios build
 ```bash
 # Pull latest changes
 cd /tmp
-git clone https://github.com/MiOS-DEV/MiOS-bootstrap.git
+git clone https://github.com/mios-fss/MiOS-bootstrap.git
 cd mios
 
 # Re-install (overwrites /usr/share/mios/ and /etc/mios/)
@@ -557,5 +557,5 @@ ls -la ~/.local/state/mios/logs/
 ---
 
 **Generated:** 2026-04-27
-**MiOS Version:** v0.1.3
-**License:** Personal Property - MiOS-DEV
+**MiOS Version:** v0.1.4
+**License:** Personal Property - MiOS-FSS