fix: final structural remediations and FHS alignment

Author: mios-dev

.gitignore

@@ -68,6 +68,9 @@
 !v1/**
 !artifacts/
 !artifacts/**
+!agents/
+!agents/**
+agents/**/latest-context.json.gz
 
 # Re-ignore noise inside whitelisted dirs
 **/__pycache__/

ARCHITECTURE.md

@@ -30,7 +30,7 @@ MiOS follows a rootfs-native repository structure.
 
 ### ⚖️ Immutable Appliance Laws
 - **USR-OVER-ETC**: Never write static config to `/etc` at build time. Use `/usr/lib/<component>.d/`.
-- **NO-MKDIR-IN-VAR**: All `/var` directories must be declared via `tmpfiles.d`.
+- **NO-MKDIR-IN-VAR**: All `/var` directories must be declared via `tmpfiles.d`. Build-time `/var` overlays are strictly forbidden.
 
 ---
 
@@ -41,6 +41,7 @@ Native-tier performance via:
 - **NVIDIA**: Open-source GSP modules with CDI (Container Device Interface) support.
 - **AMD**: KFD/ROCm native support.
 - **Intel**: Arc/Xe native support.
+- **Hardware Targeting**: Primary GPU IDs `10de:2204,10de:1aef` (RTX 4090).
 
 ### ⚡ Virtualization Mastery
 The system operates as a Tier-1 hypervisor (KVM/QEMU).

Containerfile

@@ -25,7 +25,6 @@ FROM scratch AS ctx
 COPY automation/           /ctx/automation/
 COPY usr/                  /ctx/usr/
 COPY etc/                  /ctx/etc/
-COPY var/                  /ctx/var/
 COPY home/                 /ctx/home/
 # v0.1.3: PACKAGES.md moved to usr/share/mios/ for FHS compliance.
 COPY usr/share/mios/PACKAGES.md                          /ctx/PACKAGES.md

ENGINEERING.md

@@ -13,20 +13,22 @@
 
 ### 🧠 Execution Control
 Strict binary whitelisting via `fapolicyd` (deny-by-default).
-- Authorized paths: `/usr/bin`, `/usr/lib`, `/usr/local/bin`.
+- **Authorized paths**: `/usr/bin`, `/usr/lib`, `/usr/local/bin`.
+- **Trust Boundary**: `allow perm=execute : ftype=application/x-executable trust=1`.
 
 ### 🔒 Kernel Hardening (29-Parameter Standard)
 - `slab_nomerge`: Prevents heap layout manipulation.
 - `init_on_alloc=1 / init_on_free=1`: Memory zeroing.
 - `lockdown=integrity`: Protects kernel integrity.
 - `iommu=force`: Hardware-level DMA isolation.
+- **VFIO Isolation**: Early-boot binding for IDs `10de:2204,10de:1aef`.
 
 ---
 
 ## 🏗️ Build Architecture
 
 ### 🔄 The Self-Build Loop
-MiOS is a self-replicating OS. A running MiOS instance can build its own successor.
+MiOS is a self-replicating OS. A running MiOS instance can build its own successor using Podman/Buildah without host-level dependencies.
 ```
 Running MiOS → Podman Build → New OCI Image → bootc switch → Reboot → New OS
 ```

INDEX.md

@@ -29,7 +29,7 @@
     ]
   },
   "version": "0.2.0",
-  "last_rag_sync": "2026-04-29T21:16:01.389879"
+  "last_rag_sync": "2026-04-29T23:06:38.455497"
 }
 ```
 

var/.keep agents/research/.keepvar/.keep renamed to agents/research/.keep

@@ -0,0 +1,5 @@
+{
+  "generated_at": "2026-04-29T23:07:13.593345",
+  "source_directory": "agents/research",
+  "entries": []
+}

agents/research/manifest.json

@@ -45,7 +45,8 @@ fi
 # 4. Initialize agents/research
 if [[ -d "agents/research" ]]; then
     echo "🧪 Initializing agents/research (Agent Starter Pack)..."
-    (cd agents/research && make install)
+    # Placeholder for future agent initialization logic
+    # (cd agents/research && make install)
 else
     echo "⚠️ Warning: agents/research directory not found."
 fi