fix(audit): apply 2026-05-05 audit findings (LAW3/LAW6/security/supply-chain)

Implements the remediation set captured in AUDIT-FINDINGS-20260505.md.

Architectural laws:
- LAW 3 (BOUND-IMAGES): add usr/lib/bootc/bound-images.d/ symlinks for
  mios-forgejo-runner, mios-forge, mios-cockpit-link (mode 120000).
  Fixes 3-of-12 Quadlets that had no deploy-time image binding.
- LAW 6 (UNPRIVILEGED-QUADLETS): document the mios-forgejo-runner
  root-uid exception in INDEX.md sec 3 row 6 and the Quadlet header.
  The runner needs uid=0 to drive `podman build -f /Containerfile`
  against rootful storage and produce an image consumable by
  `bootc switch --transport containers-storage`.

Security posture:
- fapolicyd: tighten the uid=0 catch-all to `trust=1` so RPM-signed
  binaries (every system service) stay unblocked while ad-hoc
  uid=0-owned binaries dropped under /tmp, /var, /home are denied.
  Restores the deny-by-default posture documented in README.md.
- kargs.d: drop lockdown=confidentiality from 01-mios-hardening.toml.
  bootc kargs.d is additive across files; the previous form put both
  `confidentiality` and `integrity` on the kernel command line.
  30-security.toml's intent (integrity, NVIDIA-MOK-safe) is now the
  sole declared value.

Supply chain integrity:
- Pin every Quadlet Image= ref to a digest. Switches the deploy
  surface from floating tags to deterministic pulls; Renovate
  remains the path to digest bumps.
- mios-ceph: :latest -> :v18@sha256:... (the value the file's own
  header comment claims and the only valid Reef tag on
  quay.io/ceph/ceph; :latest does not exist upstream).
- mios-forgejo-runner: :6.5 -> :6@sha256:... (:6.5 does not exist on
  code.forgejo.org; only the floating :6 line is published).

Hygiene:
- automation/10-gnome.sh comment: install_weakdeps -> install_weak_deps.
- automation/19-k3s-selinux.sh: cp -p for re-run idempotency.
- mios-gpu-pv-detect / mios-sriov-init / mios-verify Description=:
  bare 'MiOS-OS' -> project-wide quoted 'MiOS' form.

Author: Kabuki94

INDEX.md

@@ -66,7 +66,7 @@ their resource cost.
 | 3 | **BOUND-IMAGES** -- every Quadlet image symlinked into `/usr/lib/bootc/bound-images.d/`. Binder loop: `automation/08-system-files-overlay.sh:74-86`. | `usr/lib/bootc/bound-images.d/` |
 | 4 | **BOOTC-CONTAINER-LINT** -- final RUN of `Containerfile`. | `Containerfile` (last `RUN`) |
 | 5 | **UNIFIED-AI-REDIRECTS** -- every OpenAI-API-shaped client resolves through one canonical surface: `MIOS_AI_ENDPOINT` (default `http://localhost:8080/v1`, the OpenAI-SDK `base_url` slot), `MIOS_AI_MODEL` (default model id), `MIOS_AI_KEY` (api key, empty for the local proxy). No vendor-hardcoded URLs. | `/etc/profile.d/mios-env.sh`, `usr/bin/mios`, `usr/bin/mios-env`, `etc/mios/ai/` |
-| 6 | **UNPRIVILEGED-QUADLETS** -- every Quadlet declares `User=`, `Group=`, `Delegate=yes`. Documented exceptions: `mios-ceph` and `mios-k3s` declare `User=root`/`Group=root` because Ceph/K3s require uid 0 (see file headers). | `etc/containers/systemd/`, `usr/share/containers/systemd/` |
+| 6 | **UNPRIVILEGED-QUADLETS** -- every Quadlet declares `User=`, `Group=`, `Delegate=yes`. Documented exceptions: `mios-ceph` and `mios-k3s` declare `User=root`/`Group=root` because Ceph/K3s require uid 0 (see file headers); `mios-forgejo-runner` declares `User=0`/`Group=0` because the closed self-replication loop runs `podman build -f /Containerfile` on every push, which requires write access to rootful `/var/lib/containers/storage/` and `bootc switch` permissions on the resulting image (see file header for the loop). | `etc/containers/systemd/`, `usr/share/containers/systemd/` |
 
 ## 4. Profile + environment resolution
 

automation/10-gnome.sh

@@ -2,7 +2,7 @@
 # 'MiOS' v0.2.4 -- 10-gnome: GNOME 50 desktop -- PURE BUILD-UP
 #
 # STRATEGY: ucore has ZERO GNOME packages. We install exactly what we need.
-# With install_weakdeps=False (set globally in 01-repos.sh), only hard deps
+# With install_weak_deps=False (set globally in 01-repos.sh), only hard deps
 # get pulled in. This means:
 #   - malcontent-libs comes in (gnome-control-center hard dep) -- CORRECT
 #   - malcontent-control/pam/tools do NOT come in (weak deps) -- CORRECT

automation/19-k3s-selinux.sh

@@ -50,7 +50,7 @@ if [ -z "$POLICY_DIR" ]; then
 fi
 
 echo "Using policy source from: $POLICY_DIR"
-cp "$POLICY_DIR"/k3s.* .
+cp -p "$POLICY_DIR"/k3s.* .
 
 # Compile the policy using the Fedora 44 SELinux Makefile
 make -f /usr/share/selinux/devel/Makefile k3s.pp

etc/containers/systemd/mios-ai.container

@@ -12,7 +12,7 @@ Wants=network-online.target
 ConditionPathIsDirectory=/etc/mios/ai
 
 [Container]
-Image=docker.io/localai/localai:latest
+Image=docker.io/localai/localai:latest@sha256:a6af99e17a73a92caa134e70ae84492cc47b67645c1676268a7522ad14f4c09d
 ContainerName=mios-ai
 # Single MiOS internal network so sibling Quadlets (mios-forge,
 # mios-aichat, mios-mcp, ollama, etc.) reach LocalAI by container name

etc/containers/systemd/mios-ceph.container

@@ -18,7 +18,7 @@ ConditionPathExists=/etc/ceph/ceph.conf
 ConditionVirtualization=!container
 
 [Container]
-Image=quay.io/ceph/ceph:latest
+Image=quay.io/ceph/ceph:v18@sha256:69cbef90eb58cf96e572e7497227a2bcb0ec9175bc2247809c0a37857db9b820
 ContainerName=mios-ceph
 Network=mios.network
 Volume=/var/lib/ceph:/var/lib/ceph:Z

etc/containers/systemd/mios-cockpit-link.container

@@ -41,7 +41,7 @@ ConditionVirtualization=!wsl
 ConditionVirtualization=!container
 
 [Container]
-Image=docker.io/alpine/socat:latest
+Image=docker.io/alpine/socat:latest@sha256:44e7b87dfeddb0f999ce75eedfa140dc97ea5bf7decbd04b2cef6adb5cc331fe
 ContainerName=mios-cockpit-link
 # Single MiOS internal network -- KISS, every Quadlet on the same
 # bridge so sibling lookups by container name work without host-

etc/containers/systemd/mios-forge.container

@@ -26,7 +26,7 @@ ConditionVirtualization=|!container
 ConditionVirtualization=|wsl
 
 [Container]
-Image=codeberg.org/forgejo/forgejo:11
+Image=codeberg.org/forgejo/forgejo:11@sha256:1d5f7d9e7ec970b50d5817317c3ec86d4aabb10893c5dea2e9dd4f8c3470a09c
 ContainerName=mios-forge
 Network=mios.network
 # 3000 = web UI (reverse-proxy via Cockpit/Caddy if desired).

etc/containers/systemd/mios-forgejo-runner.container

@@ -20,6 +20,16 @@
 # token file -- if firstboot hasn't minted it yet (or has been deleted
 # for re-bootstrap), the unit no-ops at pre-boot rather than crash-
 # looping with "registration token missing".
+#
+# LAW 6 (UNPRIVILEGED-QUADLETS) exception: this Quadlet runs `User=0`
+# / `Group=0` because the build step in the self-replication loop
+# (`podman build -f /Containerfile`) needs write access to rootful
+# `/var/lib/containers/storage/` and the resulting image must be
+# usable by `bootc switch --transport containers-storage`. Rootless
+# podman would require subuid/subgid mappings against /var/lib/mios/
+# forge-runner with allowed write into the rootful storage path,
+# which the bootc immutable-/usr model does not currently support.
+# Documented in INDEX.md sec 3 row 6 alongside mios-ceph / mios-k3s.
 
 [Unit]
 Description='MiOS' Forgejo Runner (self-hosted CI for /=git working tree)
@@ -35,7 +45,7 @@ ConditionVirtualization=|!container
 ConditionVirtualization=|wsl
 
 [Container]
-Image=code.forgejo.org/forgejo/runner:6.5
+Image=code.forgejo.org/forgejo/runner:6@sha256:e8dd2880f2fc81984d2308b93f1bc064dfb41187942300676536c09a3b30043d
 ContainerName=mios-forgejo-runner
 Network=mios.network
 

etc/containers/systemd/mios-k3s.container

@@ -24,7 +24,7 @@ ConditionVirtualization=!wsl
 ConditionVirtualization=!container
 
 [Container]
-Image=docker.io/rancher/k3s:latest
+Image=docker.io/rancher/k3s:latest@sha256:5e0707cfd1239b358ef73f3254bc3eadc027dd30cd5ec6ca41e29e47652a1b8c
 ContainerName=mios-k3s
 Privileged=true
 Environment=K3S_TOKEN=mios-cluster-secret

etc/fapolicyd/fapolicyd.rules

@@ -1,4 +1,17 @@
-allow perm=any uid=0 : all
+# Architectural Law: README.md/SECURITY.md document fapolicyd as
+# "deny-by-default". The previous form (`allow perm=any uid=0 : all`)
+# unconditionally bypassed the policy for every root process, which on a
+# bootc host with `/usr` mounted read-only via composefs is functionally
+# equivalent to "deny-by-default for non-root only". Constraining root to
+# `trust=1` keeps RPM-signed binaries fully unblocked (every system
+# service: systemd, podman, libvirt, k3s, ceph, ...) while denying
+# execution of arbitrary uid=0-owned scripts dropped under /tmp, /var,
+# or /home -- the actual escalation path that "deny-by-default" is meant
+# to close. If a legitimate root-executed binary is missing from the
+# RPM trust db, add a targeted `allow perm=execute path=/exact/path
+# uid=0 : all` rule above this block rather than re-broadening the
+# uid=0 catch-all.
+allow perm=any uid=0 trust=1 : all
 allow perm=execute : ftype=application/x-executable trust=1
 allow perm=execute : ftype=application/x-sharedlib trust=1
 deny_audit perm=execute : all