docs: add Arch Linux to README and DESIGN

- Available Images table: add three arch-latest entries (grub, uki, uki-sb)
  with a note that rolling release and GRUB+SB is unsupported
- Quick Start / Building a Custom Image: add Arch pacman snippet
- Repository Layout: add Containerfile.arch, update example Containerfile
  description from stub to template
- DESIGN.md installer section: note Arch uses grub-mkstandalone (same as
  Ubuntu), document GRUB+SB unavailability on Arch, confirm UKI+SB works

Author: henrywang

DESIGN.md

@@ -124,21 +124,24 @@ the container itself — no separate image reference needed at install time.
 Three EFI boot paths are supported:
 
 - **Default (GRUB):** on Fedora, runs `grub2-install --target=x86_64-efi`; on
-  Ubuntu/Debian (which do not have `grub2-install`), builds a self-contained EFI
-  binary with `grub-mkstandalone` and generates a traditional `menuentry`-based
-  `grub.cfg` (Ubuntu does not ship `blscfg.mod`). Works on any EFI system;
-  rejected by firmware with Secure Boot enabled.
+  Ubuntu/Debian and Arch (which have `grub` rather than `grub2`), builds a
+  self-contained EFI binary with `grub-mkstandalone` and generates a traditional
+  `menuentry`-based `grub.cfg`. Works on any EFI system; rejected by firmware
+  with Secure Boot enabled.
 - **`--secure-boot` (GRUB + SB):** copies the distro-signed shim + GRUB from
   `/usr/share/efi/EFI/<distro>/` (preserved in the base image at build time) to
   the ESP. The auto-detected distro subdirectory ensures the signed GRUB's
   compiled-in search prefix matches. No custom key enrollment required — the
   Microsoft-signed shim trusts the distro-signed GRUB out of the box.
+  **Not available on Arch Linux** — Arch does not ship a signed shim or signed
+  GRUB EFI binary in official repositories (`shim-signed` is AUR-only).
 - **`--uki --secure-boot` (UKI + SB):** generates a self-signed key pair (or
   accepts `--sb-key`/`--sb-cert`), signs systemd-boot and the UKI `.efi` with
   `sbsign`, and installs signed systemd-boot directly as `BOOTx64.EFI` — no
   shim. The firmware verifies binaries directly against its Signature Database
   (db). The signing cert must be enrolled in the db once; the key is persisted
-  in `/var/lib/cbootc/` so `cbootc upgrade` can re-sign future UKIs.
+  in `/var/lib/cbootc/` so `cbootc upgrade` can re-sign future UKIs. Supported
+  on all three distros including Arch.
 
 ## Command Surface
 

README.md

@@ -27,7 +27,11 @@ See [DESIGN.md](DESIGN.md) for rationale and architecture.
 | `ghcr.io/henrywang/composefs-os:ubuntu-26.04` | GRUB (BLS Type 1) | Working |
 | `ghcr.io/henrywang/composefs-os:ubuntu-26.04-uki` | systemd-boot + UKI (BLS Type 2) | Working |
 | `ghcr.io/henrywang/composefs-os:ubuntu-26.04-uki-sb` | systemd-boot + UKI + Secure Boot | Working |
-| Arch Linux | — | Planned |
+| `ghcr.io/henrywang/composefs-os:arch-latest` | GRUB (BLS Type 1) | Working |
+| `ghcr.io/henrywang/composefs-os:arch-latest-uki` | systemd-boot + UKI (BLS Type 2) | Working |
+| `ghcr.io/henrywang/composefs-os:arch-latest-uki-sb` | systemd-boot + UKI + Secure Boot | Working |
+
+> **Note:** Arch images use a rolling release tag (`arch-latest`). GRUB + Secure Boot is not available for Arch — Arch does not ship a signed shim or signed GRUB EFI binary in official repositories (`shim-signed` is AUR-only). Use the `-uki-sb` variant instead.
 
 
 ## Quick Start
@@ -159,14 +163,18 @@ RUN dnf install -y vim htop && dnf clean all
 FROM ghcr.io/henrywang/composefs-os:ubuntu-26.04
 RUN apt-get install -y vim htop && apt-get clean
 
+# Arch Linux (rolling)
+FROM ghcr.io/henrywang/composefs-os:arch-latest
+RUN pacman -S --noconfirm --needed vim htop && pacman -Scc --noconfirm
+
 # Use COPY (not RUN echo) for /etc/hostname: buildah bind-mounts a synthetic
 # /etc/hostname into every RUN container, so writes via RUN are silently lost.
 COPY <<EOF /etc/hostname
 myhost
 EOF
 ```
 
-Use `examples/fedora/Containerfile` or `examples/ubuntu/Containerfile` as full templates.
+Use `examples/fedora/Containerfile`, `examples/ubuntu/Containerfile`, or `examples/arch/Containerfile` as full templates.
 
 ## In-System Management
 
@@ -199,24 +207,25 @@ survives upgrades. `cbootc-update.timer` (enabled in the base image) runs
 ```
 composefs-os/
   Containerfile.fedora         Builds Fedora 44 base images (--target grub | uki | uki-secureboot)
-  Containerfile.ubuntu       Builds Ubuntu 26.04 base images (--target grub | uki | uki-secureboot)
-  src/                       cbootc source (Rust)
+  Containerfile.ubuntu         Builds Ubuntu 26.04 base images (--target grub | uki | uki-secureboot)
+  Containerfile.arch           Builds Arch Linux base images (--target grub | uki | uki-secureboot)
+  src/                         cbootc source (Rust)
   units/
-    cbootc-update.service    Systemd service for automatic upgrades
-    cbootc-update.timer      Systemd timer (daily, randomised delay)
+    cbootc-update.service      Systemd service for automatic upgrades
+    cbootc-update.timer        Systemd timer (daily, randomised delay)
   examples/
     fedora/
-      Containerfile          Template for derived Fedora images
+      Containerfile            Template for derived Fedora images
     ubuntu/
-      Containerfile          Template for derived Ubuntu 26.04 images
+      Containerfile            Template for derived Ubuntu 26.04 images
     arch/
-      Containerfile          Arch Linux (stub — not yet functional)
+      Containerfile            Template for derived Arch Linux images
   tests/
-    e2e.py                   QEMU-based end-to-end test suite
+    e2e.py                     QEMU-based end-to-end test suite
   .github/workflows/
-    ci.yml                   Rust build, test, lint
-    container.yml            Build and push base image to ghcr.io
-    e2e.yml                  End-to-end tests (boots in QEMU)
+    ci.yml                     Rust build, test, lint
+    container.yml              Build and push base images to ghcr.io
+    e2e.yml                    End-to-end tests (boots in QEMU)
 ```
 
 ## Known Limitations