fix: address build-log + drift findings (k3s path, MOTD, env resolver, AI manifests)

Cross-referenced the latest local build log
(C:\Users\Administrator\AppData\Local\MiOS\logs\mios-install-20260503-160327.log)
against the architectural-drift findings and fixed every confirmed issue:

Build log:
- 05-enable-external-repos.sh:121 -- quote the CrowdSec config_file URL
  so the unquoted '&' stops splitting '-o "${REPO_DIR}/crowdsec.repo"'
  off into its own command (was producing 'line 121: -o: command not
  found' + a 404 in every build); bump dist=40 -> dist=44.

Documentation vs implementation drift:
- /etc/profile.d/mios-env.sh -- the canonical login-shell environment
  resolver INDEX.md sec 4 documents but that did not exist on disk.
  Walks the five-layer overlay and exports MIOS_AI_*, MIOS_USER, etc.
- /usr/bin/mios-env -- CLI wrapper that prints the resolved surface
  (--json, --explain, --unset, NAME-only). INDEX.md referenced it but
  there was no implementation; this fills the gap and Law-5 callers
  can now $(mios-env MIOS_AI_ENDPOINT) to discover the endpoint.
- /usr/share/mios/ai/v1/{models,mcp}.json -- OpenAI-API-shaped
  manifests INDEX.md sec 2 declares as the source for /v1/models and
  /v1/mcp; previously dangling references with no payload.
- usr/bin/mios-env, usr/share/mios/ai/v1/** allow-listed in .gitignore
  (the prior 'usr/share/mios/ai/' rule needed to be a glob to allow
  the v1/ subtree to slip through).

Critical runtime faults:
- k3s.service ExecStart /usr/local/bin/k3s -> /usr/bin/k3s. Binary
  is installed at /usr/bin/k3s by 13-ceph-k3s.sh; the unit was hard-
  coded to /usr/local/bin which is /var/usrlocal/bin on bootc/FCOS
  layouts and never contains the binary.
- usr/lib/tmpfiles.d/mios.conf -- drop the 'L /var/usrlocal/bin/crictl
  - - - - /usr/local/bin/k3s' line. The target resolved to a
  non-existent path (/var/usrlocal/bin/k3s) and 13-ceph-k3s.sh already
  creates /usr/bin/crictl -> k3s in the immutable image surface.
- usr/libexec/mios/motd -- Law-5 drift fix. Was probing
  /etc/mios/ai/config.json (does not exist) and hardcoding
  qwen2.5-coder:7b. Now sources /etc/profile.d/mios-env.sh on demand
  and reads the resolved MIOS_AI_ENDPOINT / MIOS_AI_MODEL.

Operational hygiene:
- 36-tools.sh -- drop aichat / aichat-ng from the chmod-loop TOOLS
  list. They are installed by 37-aichat.sh (later in pipeline order),
  so this loop printed a WARN every build. Add mios-env in their place.
- 37-selinux.sh -- write usr/share/selinux/packages/mios/booleans.conf
  with container_use_devices=on so the existing selinux-init service
  applies the boolean at first boot. semanage is inoperative inside
  the OCI build, so 35-gpu-passthrough.sh's build-time setsebool was
  a no-op and GPU containers got 'Permission Denied' until manual
  intervention. Booleans now apply at runtime.

Author: Kabuki94

.gitignore

@@ -106,6 +106,13 @@ etc/fapolicyd/*
 !/etc/fapolicyd/fapolicyd.rules
 !/etc/wsl.conf
 
+# /etc/profile.d/ -- login-shell environment resolver (INDEX.md sec 4).
+# mios-env.sh walks the five-layer env overlay and exports MIOS_AI_* +
+# identity vars system-wide. Bash sources /etc/profile.d/*.sh from
+# /etc/profile, so the file must live under /etc to be picked up.
+!/etc/profile.d/
+!/etc/profile.d/mios-env.sh
+
 # /etc/mios/ -- KB config (system-prompts, kb.conf.toml, eval-criteria.json) tracked here.
 # Runtime secrets and per-host overrides are NOT tracked (handled by mios-bootstrap.git).
 !/etc/mios/
@@ -143,9 +150,10 @@ usr/*
 !/usr/libexec/
 !/usr/share/
 
-# usr/bin -- only the mios binary
+# usr/bin -- only MiOS-owned CLIs
 usr/bin/*
 !/usr/bin/mios
+!/usr/bin/mios-env
 
 # usr/share -- mios/ build files + doc/mios/ KB docs
 usr/share/*
@@ -155,8 +163,14 @@ usr/share/doc/*
 !/usr/share/doc/mios/**
 !/usr/share/mios/
 !/usr/share/mios/**
-# AI files, knowledge, logs, user data belong in mios-bootstrap.git
-usr/share/mios/ai/
+# AI runtime state (memory, knowledge graphs, scratch) belongs in
+# mios-bootstrap.git -- it is per-host and seeded into /var at first
+# boot. The OpenAI-API surface manifests in usr/share/mios/ai/v1/
+# (models.json + mcp.json) ARE shipped from MiOS because INDEX.md sec 2
+# declares them as the canonical /v1/* manifest source.
+usr/share/mios/ai/*
+!/usr/share/mios/ai/v1/
+!/usr/share/mios/ai/v1/**
 usr/share/mios/knowledge/
 usr/share/mios/memory/
 usr/share/mios/user-preferences.md

automation/05-enable-external-repos.sh

@@ -118,7 +118,13 @@ fi
 # crowdsec ships its own RPM repo; not in Fedora or RPM Fusion.
 if [[ ! -f "${REPO_DIR}/crowdsec.repo" ]]; then
     log "enabling CrowdSec repo"
-    scurl -fsSL https://packagecloud.io/crowdsec/crowdsec/config_file.repo?os=fedora&dist=40&source=script \
+    # URL must be quoted -- the unquoted '&' is parsed as a job-control
+    # background, which silently splits '-o "${REPO_DIR}/crowdsec.repo"'
+    # onto its own command line and yields 'line N: -o: command not found'.
+    # The 'dist' query parameter pins the packagecloud distro release;
+    # crowdsec ships a single fedora repo across releases (the value is
+    # only used for substituting $releasever in baseurl).
+    scurl -fsSL "https://packagecloud.io/crowdsec/crowdsec/config_file.repo?os=fedora&dist=44&source=script" \
         -o "${REPO_DIR}/crowdsec.repo"
 else
     log "CrowdSec repo already present -- skipping"

automation/36-tools.sh

@@ -11,19 +11,21 @@ echo "[36-tools] Configuring 'MiOS' CLI tools..."
 # might have lost the executable bit during git/Windows transfer.
 
 TOOLS=(
-    mios 
-    mios-update 
-    mios-rebuild 
-    mios-build 
-    mios-backup 
-    mios-deploy 
-    mios-status 
-    mios-vfio-toggle 
-    mios-vfio-check 
+    mios
+    mios-env
+    mios-update
+    mios-rebuild
+    mios-build
+    mios-backup
+    mios-deploy
+    mios-status
+    mios-vfio-toggle
+    mios-vfio-check
     iommu-groups
-    aichat
-    aichat-ng
 )
+# Note: aichat / aichat-ng are installed by 37-aichat.sh (which fetches
+# the upstream binaries); attempting to chmod them here printed a WARN
+# every build because the binaries do not exist yet at this stage.
 
 for tool in "${TOOLS[@]}"; do
     if [ -f "/usr/bin/$tool" ]; then

automation/37-selinux.sh

@@ -171,4 +171,20 @@ allow xdm_t cache_home_t:file { create write read open getattr setattr };'
     echo "[37-selinux] ${SELINUX_OK} policies staged in /usr/share/selinux/packages/mios/, ${SELINUX_FAIL} skipped"
 fi
 
+# ─── Persistent SELinux booleans applied at first boot ─────────────────────
+# usr/libexec/mios/selinux-init reads booleans.conf next to the staged .pp
+# modules and applies each entry via 'setsebool -P'. semanage is typically
+# inoperative inside an OCI build (no running policy / read-only contexts),
+# so booleans MUST be applied at runtime; this file is the manifest the
+# runtime service consults.
+#
+# container_use_devices=on  -- required by 35-gpu-passthrough.sh / GPU
+#   container CDI flow (NVIDIA, ROCm, Intel xe). Without it, the first
+#   GPU container start is denied by SELinux on enforcing hosts.
+mkdir -p /usr/share/selinux/packages/mios
+cat > /usr/share/selinux/packages/mios/booleans.conf <<'EOBOOL'
+container_use_devices=on
+EOBOOL
+echo "[37-selinux] booleans.conf staged for runtime selinux-init"
+
 echo "[37-selinux] SELinux configuration complete."

etc/profile.d/mios-env.sh

@@ -0,0 +1,81 @@
+# /etc/profile.d/mios-env.sh -- 'MiOS' login-shell environment resolver.
+#
+# Sourced from /etc/profile by every interactive login shell. Walks the
+# documented five-layer overlay (INDEX.md sec 4) and exports the resolved
+# MIOS_* variables so every agent and CLI sees the same values regardless
+# of which shell or terminal launched them.
+#
+# Resolution order (later layers override earlier values):
+#   1. /usr/share/mios/env.defaults    vendor defaults (lowest)
+#   2. /etc/mios/env.d/*.env           admin/distro drop-ins (alphabetical)
+#   3. /etc/mios/install.env           host bootstrap-written identity
+#   4. ~/.env.mios                     legacy per-user (deprecated)
+#   5. ~/.config/mios/env              per-user override (highest)
+#
+# Architectural Law 5 (UNIFIED-AI-REDIRECTS): MIOS_AI_ENDPOINT,
+# MIOS_AI_MODEL, and MIOS_AI_KEY are exported here so every OpenAI-API
+# client on the system resolves the same canonical surface at
+# http://localhost:8080/v1.
+#
+# Safe to source in non-bash POSIX shells; uses only POSIX builtins.
+
+# Bail out early on non-interactive non-login shells -- this file should
+# not perturb cron jobs or systemd-spawned children.
+case "$-" in
+    *i*) ;;
+    *)
+        # Still export AI endpoint for non-interactive scripts; just skip
+        # the chatty layer-walk and per-user reads.
+        if [ -r /usr/share/mios/env.defaults ]; then
+            # shellcheck disable=SC1091
+            . /usr/share/mios/env.defaults
+            export MIOS_AI_ENDPOINT MIOS_AI_MODEL MIOS_AI_KEY
+        fi
+        return 0 2>/dev/null || exit 0
+        ;;
+esac
+
+_mios_source_if_readable() {
+    [ -r "$1" ] || return 0
+    # shellcheck disable=SC1090
+    . "$1"
+}
+
+# Layer 1: vendor defaults (always present on a 'MiOS' system).
+_mios_source_if_readable /usr/share/mios/env.defaults
+
+# Layer 2: admin / distro drop-ins (alphabetical, env-style).
+if [ -d /etc/mios/env.d ]; then
+    for _f in /etc/mios/env.d/*.env; do
+        _mios_source_if_readable "$_f"
+    done
+    unset _f
+fi
+
+# Layer 3: host install.env -- bootstrap writes identity here.
+_mios_source_if_readable /etc/mios/install.env
+
+# Layer 4: legacy per-user env file (deprecated; kept for migration).
+_mios_source_if_readable "${HOME}/.env.mios"
+
+# Layer 5: canonical per-user env override.
+_mios_source_if_readable "${HOME}/.config/mios/env"
+
+# Export the OpenAI-API surface required by every Law-5-compliant agent.
+export MIOS_AI_ENDPOINT="${MIOS_AI_ENDPOINT:-http://localhost:8080/v1}"
+export MIOS_AI_MODEL="${MIOS_AI_MODEL:-qwen2.5-coder:7b}"
+export MIOS_AI_EMBED_MODEL="${MIOS_AI_EMBED_MODEL:-nomic-embed-text}"
+export MIOS_AI_KEY="${MIOS_AI_KEY:-}"
+
+# Identity surface (consumed by 'mios' CLI, ai-bootstrap, postcheck).
+export MIOS_USER="${MIOS_USER:-${MIOS_DEFAULT_USER:-mios}}"
+export MIOS_HOSTNAME="${MIOS_HOSTNAME:-${MIOS_DEFAULT_HOST:-mios}}"
+export MIOS_VERSION="${MIOS_VERSION:-}"
+
+# Runtime path surface (used by tools/lib/userenv.sh and the 'mios' CLI).
+export MIOS_SHARE_DIR="${MIOS_SHARE_DIR:-/usr/share/mios}"
+export MIOS_AI_DIR="${MIOS_AI_DIR:-/usr/share/mios/ai}"
+export MIOS_AI_SCRATCH_DIR="${MIOS_AI_SCRATCH_DIR:-/var/lib/mios/ai/scratch}"
+export MIOS_AI_MEMORY_DIR="${MIOS_AI_MEMORY_DIR:-/var/lib/mios/ai/memory}"
+
+unset -f _mios_source_if_readable

usr/bin/mios-env

@@ -0,0 +1,156 @@
+#!/usr/bin/env bash
+# /usr/bin/mios-env -- print the resolved MIOS_* environment surface.
+#
+# Documented in INDEX.md sec 4 as the canonical CLI for inspecting the
+# layered environment overlay (/usr/share/mios/env.defaults ->
+# /etc/mios/env.d/*.env -> /etc/mios/install.env -> ~/.env.mios ->
+# ~/.config/mios/env). Wraps /etc/profile.d/mios-env.sh + the
+# tools/lib/userenv.sh TOML resolver and reports the consolidated values
+# the running session would actually see.
+#
+# Usage:
+#   mios-env                  # all MIOS_* vars, sorted (KEY=VALUE)
+#   mios-env <NAME>           # one var, value only (suitable for $(...) capture)
+#   mios-env --json           # machine-readable JSON
+#   mios-env --unset          # POSIX 'unset' lines (for re-evaluating in a parent shell)
+#   mios-env --explain        # show which layer supplied each value
+#   mios-env --help
+#
+# Architectural Law 5: MIOS_AI_ENDPOINT / MIOS_AI_MODEL / MIOS_AI_KEY
+# resolved here are the canonical values for every OpenAI-API-shaped
+# client on the system.
+set -euo pipefail
+
+# Canonical layer paths (mirrors mios-env.sh).
+LAYERS=(
+    "/usr/share/mios/env.defaults"
+)
+# /etc/mios/env.d/*.env (alphabetical)
+if [[ -d /etc/mios/env.d ]]; then
+    while IFS= read -r -d '' f; do
+        LAYERS+=("$f")
+    done < <(find /etc/mios/env.d -maxdepth 1 -name '*.env' -print0 2>/dev/null | sort -z)
+fi
+LAYERS+=(
+    "/etc/mios/install.env"
+    "${HOME}/.env.mios"
+    "${HOME}/.config/mios/env"
+)
+
+_load_layers() {
+    local layer
+    for layer in "${LAYERS[@]}"; do
+        [[ -r "$layer" ]] || continue
+        # shellcheck disable=SC1090
+        . "$layer"
+    done
+}
+
+# Also fold in the TOML resolver (tools/lib/userenv.sh) which deep-merges
+# /usr/share/mios/mios.toml -> /etc/mios/mios.toml -> ~/.config/mios/mios.toml.
+# That library exports a richer set of typed MIOS_* slots derived from the
+# unified mios.toml schema.
+_load_toml_layers() {
+    local userenv_lib
+    for userenv_lib in /usr/lib/mios/userenv.sh /usr/share/mios/tools/lib/userenv.sh; do
+        if [[ -r "$userenv_lib" ]]; then
+            # shellcheck disable=SC1090
+            . "$userenv_lib"
+            return 0
+        fi
+    done
+}
+
+_print_kv() {
+    # Print all currently-set MIOS_* variables sorted by name.
+    while IFS= read -r line; do
+        printf '%s\n' "$line"
+    done < <(compgen -A variable | grep -E '^MIOS_' | sort | while read -r v; do
+        printf '%s=%q\n' "$v" "${!v-}"
+    done)
+}
+
+_print_json() {
+    printf '{\n'
+    local first=1
+    while IFS= read -r v; do
+        local val="${!v-}"
+        # JSON-escape the value: backslash, double-quote, control chars.
+        val=${val//\\/\\\\}
+        val=${val//\"/\\\"}
+        val=${val//$'\n'/\\n}
+        val=${val//$'\t'/\\t}
+        if [[ $first -eq 1 ]]; then first=0; else printf ',\n'; fi
+        printf '  "%s": "%s"' "$v" "$val"
+    done < <(compgen -A variable | grep -E '^MIOS_' | sort)
+    printf '\n}\n'
+}
+
+_print_explain() {
+    # For each MIOS_* variable, identify the highest layer that set it.
+    declare -A SOURCE_OF
+    local layer
+    for layer in "${LAYERS[@]}"; do
+        [[ -r "$layer" ]] || continue
+        # Parse KEY=... lines from this layer (env-file format).
+        while IFS= read -r key; do
+            [[ -n "$key" ]] && SOURCE_OF["$key"]="$layer"
+        done < <(grep -oE '^[[:space:]]*MIOS_[A-Z0-9_]+(?==)' "$layer" 2>/dev/null \
+            | sed -E 's/^[[:space:]]*//; s/=$//' || true)
+    done
+
+    while IFS= read -r v; do
+        printf '%-32s = %-30s [%s]\n' \
+            "$v" "${!v-}" "${SOURCE_OF[$v]:-runtime/default}"
+    done < <(compgen -A variable | grep -E '^MIOS_' | sort)
+}
+
+_print_unset() {
+    # Emit 'unset' lines for every MIOS_* var. Useful for callers that
+    # want to clear and re-source the resolver in their own shell.
+    while IFS= read -r v; do
+        printf 'unset %s\n' "$v"
+    done < <(compgen -A variable | grep -E '^MIOS_' | sort)
+}
+
+_help() {
+    sed -n '2,/^set -euo/p' "$0" | sed -n '/^# /p' | sed 's/^# //'
+}
+
+case "${1:-}" in
+    -h|--help)
+        _help
+        exit 0
+        ;;
+    --json)
+        _load_layers
+        _load_toml_layers 2>/dev/null || true
+        _print_json
+        ;;
+    --explain)
+        _load_layers
+        _load_toml_layers 2>/dev/null || true
+        _print_explain
+        ;;
+    --unset)
+        _load_layers
+        _load_toml_layers 2>/dev/null || true
+        _print_unset
+        ;;
+    "")
+        _load_layers
+        _load_toml_layers 2>/dev/null || true
+        _print_kv
+        ;;
+    MIOS_*)
+        _load_layers
+        _load_toml_layers 2>/dev/null || true
+        var="$1"
+        # Only echo the value (no name=); suitable for $(mios-env MIOS_AI_ENDPOINT).
+        printf '%s\n' "${!var-}"
+        ;;
+    *)
+        printf 'mios-env: unknown argument %q (try --help)\n' "$1" >&2
+        exit 2
+        ;;
+esac

usr/lib/systemd/system/k3s.service

@@ -22,7 +22,11 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --disable traefik --write-kubeconfig-mode 644
+# Binary lives at /usr/bin/k3s (immutable image surface, installed by
+# automation/13-ceph-k3s.sh). /usr/local/bin -> /var/usrlocal/bin on
+# bootc/FCOS layouts and is mutable per-host; /usr/bin keeps the unit
+# pinned to the image's authoritative copy.
+ExecStart=/usr/bin/k3s server --disable traefik --write-kubeconfig-mode 644
 
 [Install]
 WantedBy=multi-user.target

usr/lib/tmpfiles.d/mios.conf

@@ -16,7 +16,12 @@ d /var/home/mios           0755 mios      mios      -  -
 d /var/lib/AccountsService 0775 root      root      -  -
 d /var/lib/AccountsService/icons 0775 root root      -  -
 d /var/lib/AccountsService/users 0700 root root      -  -
-L /var/usrlocal/bin/crictl - - - - /usr/local/bin/k3s
+
+# /usr/bin/crictl -> k3s symlink is created by automation/13-ceph-k3s.sh
+# at image-build time (immutable surface). The previous L line here
+# pointed /var/usrlocal/bin/crictl at /usr/local/bin/k3s, which (because
+# /usr/local is itself a symlink to /var/usrlocal on bootc/FCOS layouts)
+# resolved to /var/usrlocal/bin/k3s -- a path that does not exist.
 
 # Seed initial journal if missing
 C /var/lib/mios/memory/journal/v1.jsonl - - - - /usr/share/mios/memory/v1.jsonl