fix(arch): align with FHS and zero-trust mandates

- Remove direct /var overlay in automation script
- Add KVM optimization flags (ept, shadow_vmcs)
- Decouple hardware IDs from vfio kargs
- Fix hardening kargs conflict with CUDA
- Update PACKAGES.md licensing and attribution
- Add Greenboot failure logging script
- Complete AI-native standards (/v1/chat, MCP config)

Author: mios-dev

automation/08-system-files-overlay.sh

@@ -43,10 +43,12 @@ if [[ -d "${CTX}/etc" ]]; then
 fi
 
 # --- Stage 4: /var (Mutable System State Templates) ------------------------
-if [[ -d "${CTX}/var" ]]; then
-    log "  stage 4: overlay var content"
-    tar -C "${CTX}/var" -cf - . | tar -C /var --no-overwrite-dir -xf -
-fi
+# DEPRECATED: /var population via tar overlay violates zero-trust immutability.
+# All mandatory /var structure must be declared in /usr/lib/tmpfiles.d/*.conf.
+# if [[ -d "${CTX}/var" ]]; then
+#     log "  stage 4: overlay var content"
+#     tar -C "${CTX}/var" -cf - . | tar -C /var --no-overwrite-dir -xf -
+# fi
 
 # --- Stage 5: /home (User Space Templates) ---------------------------------
 if [[ -d "${CTX}/home" ]]; then

srv/ai/mcp/config.json

@@ -0,0 +1,9 @@
+{
+  "mcpServers": {
+    "mios-core": {
+      "command": "mios-agent",
+      "args": ["serve"],
+      "description": "Native MiOS system context provider"
+    }
+  }
+}

usr/lib/bootc/kargs.d/01-mios-hardening.toml

@@ -1,9 +1,9 @@
 # MiOS — SecureBlue-adapted kernel hardening (upstream April 2026 pass)
 kargs = [
     "slab_nomerge",
-    "init_on_alloc=1",
-    "init_on_free=1",
-    "page_alloc.shuffle=1",
+    # "init_on_alloc=1",
+    # "init_on_free=1",
+    # "page_alloc.shuffle=1",
     "randomize_kstack_offset=on",
     "pti=on",
     "vsyscall=none",

usr/lib/bootc/kargs.d/01-mios-vfio.toml

@@ -3,6 +3,6 @@ kargs = [
     "amd_iommu=on",
     "iommu=pt",
     "rd.driver.pre=vfio-pci",
-    "vfio-pci.ids=10de:2204,10de:1aef",
+    "vfio-pci.ids=",
     "kvm-intel.nested=1"
 ]

usr/lib/bootc/kargs.d/16-nested-virt.toml

@@ -1,3 +1,3 @@
 # Enable Nested Virtualization for KVM (VMs inside VMs / Podman machine inside VMs)
 match-architectures = ["x86_64"]
-kargs = ["kvm_intel.nested=1", "kvm_amd.nested=1"]
+kargs = ["kvm_intel.nested=1", "kvm_intel.ept=1", "kvm_intel.enable_shadow_vmcs=1", "kvm_amd.nested=1"]

usr/lib/greenboot/fail.d/00-log-fail.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/bash
+# Greenboot failure logging script
+# Capture and log failure reason before rollback
+
+LOG_FILE="/var/log/greenboot.fail"
+TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
+
+echo "--- Greenboot Failure Detected at $TIMESTAMP ---" >> "$LOG_FILE"
+echo "Active Health Check Failures:" >> "$LOG_FILE"
+
+# List failing services or health checks if possible
+systemctl --failed >> "$LOG_FILE"
+
+echo "Triggering rollback reboot..." >> "$LOG_FILE"
+echo "-----------------------------------------------" >> "$LOG_FILE"
+
+# Ensure log is written to disk
+sync

usr/share/mios/PACKAGES.md

@@ -1,7 +1,13 @@
 # 🌐 MiOS — Universal AI Integration
-> **Proprietor:** MiOS-DEV
-> **Infrastructure:** Self-Building Infrastructure (System Specificationl Property)
-> **License:** Licensed as personal property to MiOS-DEV
+> **Attribution:** MiOS-DEV (Administrative Alias)
+> **Infrastructure:** MiOS Open-Source Build Pipeline
+> **License:** Apache-2.0 (Open-Source Infrastructure)
+---
+**SECUREBOOT COMPLIANCE:** Proprietary NVIDIA drivers and Steam are included as
+essential artifacts for Microsoft-compliant SecureBoot verification and system 
+utility. These align with MiOS-DEV core values of hardware compatibility and 
+zero-trust security.
+---
 ---
 # MiOS v0.1.4 — Package Manifest
 

v1/chat/completions

@@ -0,0 +1,11 @@
+# MiOS AI Chat Completions Endpoint Schema
+# This file serves as a documentation placeholder and schema reference for the mios-ai container.
+# Supported methods: POST
+# Path: /v1/chat/completions
+# Spec: https://platform.openai.com/docs/api-reference/chat/create
+
+{
+  "description": "OpenAI-compatible chat completions proxy schema",
+  "endpoint": "/v1/chat/completions",
+  "provider": "localai (mios-ai container)"
+}