feat: v0.2.4 -- pipeline orchestrator + globals SSOT + Day-0 AI refresh

Major changes for v0.2.4:

* mios-pipeline.{sh,ps1}: canonical 11-phase end-to-end orchestrator
  (Questions -> Stage -> MiOS-DEV -> Overlay -> Account -> Install ->
  Smoketest -> Build -> Deploy -> Boot -> Repeat). Legacy build-mios.*,
  install.*, automation/bootstrap.sh become workers; each carries a
  CANONICAL ENTRY POINT NOTICE pointing at the new orchestrator.

* automation/lib/globals.{sh,ps1}: single registry for VERSION + USERS/UIDs
  + IMAGES + PORTS + URLS + REPOS + PATHS + FILES + SYSTEMD UNITS +
  CONTAINERS + COLORS. Wired into common.sh so every script that already
  sources it inherits the constants for free. Containerfile LABEL now
  parameterized via ARG MIOS_VERSION; build-mios.ps1 injects --build-arg.

* User account state baked at OVERLAY TIME (not firstboot patching):
  /usr/lib/sysusers.d/10-mios.conf + automation/31-user.sh +
  /usr/lib/tmpfiles.d/mios-user.conf cover passwd/subuid/subgid/linger/
  home-skel. wsl-firstboot stripped to hostname + defensive logging.
  user@1000.service enabled by preset so logind-condition-gated WSL still
  spawns the user systemd manager + dbus user bus.

* Distrobox aichat + Quadlet 5.6+ finalization:
  - usr/share/containers/systemd/mios-aichat.{build,image} declarative
  - etc/containers/storage.conf.d/30-mios-additionalstores.conf bridges
    rootful build storage to rootless distrobox view (Universal Blue
    pattern)
  - usr/bin/mios-ai opinionated entrypoint -> /usr/bin/aichat shim ->
    distrobox-assemble create on first call -> in-container aichat with
    'mios' client at MIOS_AI_ENDPOINT
  - usr/share/applications/mios-ai.desktop launcher (Terminal=true)

* Cockpit Metrics + PCP suite: mios.toml [packages.cockpit] now includes
  cockpit-pcp + cockpit-sosreport + cockpit-kdump + pcp-zeroconf +
  pcp-pmda-systemd + pcp-pmda-openmetrics. 90-mios.preset enables
  pmcd/pmlogger/pmproxy. Eliminates the 'pmlogger.service is not running'
  Metrics-tab error.

* Configurator HTML SSOT surface (usr/share/mios/configurator/index.html):
  - Progressive-disclosure <details> sections grouped by pipeline phase
    (each section carries a phase-badge naming the consumer)
  - :root CSS variables default to the MiOS Hokusai palette; new
    applyColorsToRoot() helper makes the configurator self-skin WYSIWYG
    on every palette edit
  - Color resolution chain closed: tools/lib/userenv.sh exports
    MIOS_COLOR_* / MIOS_ANSI_* from mios.toml [colors];
    etc/profile.d/mios-colors.sh OSC sequences read MIOS_ANSI_*:- defaults
    instead of hardcoded values + sources install.env defensively

* Boot-time fixes from journal triage:
  - mios-mcp.service: stop chmod-ing read-only /srv/ai/mcp
  - mios-forge.container: User=816 numeric (container has no
    'mios-forge' name in /etc/passwd; fixed 'unable to find user' error)
  - mios-cockpit-link: ConditionVirtualization=!wsl (no value on WSL)
  - cockpit.socket: ReusePort=yes (WSL2 wslhost.exe port-linger)
  - mios-ai LocalAI: Volume=/srv/ai/{outputs,collections}:/data/{outputs,collections}
    canonical paths LocalAI v4 hardcodes (was failing EACCES)
  - ollama.service: dropped stale ConditionPathExists=/usr/local/bin/ollama
    drop-in (ollama runs as Quadlet container, not host binary)
  - usr/share/containers/systemd/ollama.container: ContainerName=mios-ollama
    so firstboot script's polling matches
  - tmpfiles.d dedupe: /var/lib/ceph (mios-ceph owns), /etc/mios
    (mios-infra owns), /var/lib/rancher/k3s/server (mios-k3s owns),
    /var/lib/ipa-client/sysrestore (mios-freeipa owns); ceph-crash dir
    pre-created
  - 08-system-files-overlay.sh extended perm-normalization to
    /usr/lib/{udev,tmpfiles,sysusers,modprobe,sysctl,binfmt}.d (Windows
    NTFS executable-bit bleed)

* Acknowledgement gate (automation/lib/agreements-banner.{sh,ps1}):
  scrollable summary opens with the MiOS ASCII banner, walks the
  research-project framing + license chain + third-party agreements +
  data/network posture, requires explicit 'Acknowledged' / 'No thanks'
  by default. Bash uses less -RFXK + /dev/tty so it works under
  curl|bash; PS uses Out-Host -Paging. Escape hatches preserved
  (MIOS_AGREEMENT_ACK=accepted for CI, MIOS_AGREEMENT_BANNER=quiet,
  MIOS_REQUIRE_AGREEMENT_ACK=0).

* Day-0 AI files refreshed:
  - usr/share/mios/ai/system.md fully rewritten with v0.2.4 SSOT table,
    pipeline-phase awareness, overlay-time user-account principle,
    5 Architectural Laws, tool surface (chat-completions + responses),
    failure mode contract
  - mios_build tool def points at mios-pipeline (was: legacy
    mios-build-local.ps1)
  - kb manifest, eval JSON, llms.txt bumped to v0.2.4 / kb 2026.05.04
  - tools/lib/userenv.sh slot map extended with [colors].* ->
    MIOS_COLOR_* / MIOS_ANSI_* exports

* Global version unification: VERSION=0.2.4, mios.toml [meta]=0.2.4,
  Containerfile LABEL parameterized, MOTD reads /usr/share/mios/VERSION
  dynamically (auto-derived from /ctx/VERSION at overlay time -- single
  source of truth at repo root)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kabuki94

Containerfile

@@ -14,11 +14,19 @@ COPY tools/                /ctx/tools/
 
 FROM ${BASE_IMAGE}
 
+# MIOS_VERSION: parameterized from the canonical repo-root VERSION file
+# via build-mios.{sh,ps1} (which reads VERSION and passes
+# `--build-arg MIOS_VERSION=$(cat VERSION)`). The default tracks the
+# current stamp so a manual `podman build` without --build-arg still
+# produces a valid image; callers who need a different version pin it
+# at the command line.
+ARG MIOS_VERSION=0.2.4
+
 LABEL org.opencontainers.image.title="MiOS"
 LABEL org.opencontainers.image.description="\MiOS is a user defined, customisable Linux distro based on Fedora/uBlue/uCore"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
 LABEL org.opencontainers.image.source="https://github.com/mios-dev/MiOS"
-LABEL org.opencontainers.image.version="v0.2.2"
+LABEL org.opencontainers.image.version="v${MIOS_VERSION}"
 LABEL containers.bootc="1"
 LABEL ostree.bootable="1"
 

Justfile

@@ -1,4 +1,4 @@
-# 'MiOS' v0.2.0 - Linux Build Targets
+# 'MiOS' v0.2.4 - Linux Build Targets
 # Requires: podman, just
 # Usage: just build | just iso | just all
 #

MiOS-Engineering-Reference.md

@@ -790,7 +790,7 @@ Canonical vars (see `usr/share/mios/env.defaults`):
 
 | Variable | Default | Purpose |
 |---|---|---|
-| `MIOS_VERSION` | `0.2.2` | Image version |
+| `MIOS_VERSION` | `0.2.4` | Image version |
 | `MIOS_DEFAULT_USER` | `mios` | Login user name |
 | `MIOS_DEFAULT_HOST` | `mios` | Hostname |
 | `MIOS_REPO_URL` | https://github.com/mios-dev/mios | System repo URL |

VERSION

@@ -1 +1 @@
-0.2.2
+0.2.4

automation/01-repos.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# 'MiOS' v0.2.0 -- 01-repos: Fedora 44 overlay on ucore
+# 'MiOS' v0.2.4 -- 01-repos: Fedora 44 overlay on ucore
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/lib/packages.sh"

automation/02-kernel.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# 'MiOS' v0.2.0 -- 02-kernel: Kernel extras + development headers
+# 'MiOS' v0.2.4 -- 02-kernel: Kernel extras + development headers
 # The base fedora-bootc:rawhide image ships the newest kernel with a working
 # initramfs. We NEVER upgrade the base kernel packages inside the container --
 # doing so triggers dracut under the tmpfs mount, which fails with

automation/08-system-files-overlay.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # ============================================================================
-# automation/08-system-files-overlay.sh - 'MiOS' v0.2.0
+# automation/08-system-files-overlay.sh - 'MiOS' v0.2.4
 # ----------------------------------------------------------------------------
 # Overlay /ctx/ onto the rootfs during the Containerfile build,
 # correctly handling the /usr/local -> /var/usrlocal symlink.
@@ -17,6 +17,19 @@ CTX="${CTX:-/ctx}"
 
 log "08-overlay: starting Rootfs-Native overlay"
 
+# Derive /usr/share/mios/VERSION from the canonical top-level VERSION
+# file. The MOTD (/usr/libexec/mios/motd) and the dashboard runtime
+# (/usr/libexec/mios/mios-dashboard.sh) both read this path to render
+# `MiOS v<version>` -- having a single overlay-time emit step here
+# means the source of truth stays at the repo-root VERSION file and
+# can never drift from /usr/share/mios/mios.toml [meta].mios_version
+# or the Containerfile LABEL.
+if [[ -f "${CTX}/VERSION" ]]; then
+    install -d -m 0755 /usr/share/mios
+    install -m 0644 "${CTX}/VERSION" /usr/share/mios/VERSION
+    log "  staged /usr/share/mios/VERSION -> $(cat /usr/share/mios/VERSION)"
+fi
+
 # --- Stage 1: /usr (everything except /usr/local) --------------------------
 if [[ -d "${CTX}/usr" ]]; then
     log "  stage 1: overlay usr content (excluding /usr/local)"
@@ -110,6 +123,32 @@ log "08-overlay: normalizing systemd file permissions"
 find /usr/lib/systemd -type f \( -name "*.service" -o -name "*.socket" -o -name "*.timer" -o -name "*.mount" -o -name "*.conf" -o -name "*.target" -o -name "*.path" -o -name "*.slice" -o -name "*.preset" -o -name "*.automount" -o -name "*.swap" \) -exec chmod 644 {} \; 2>/dev/null || true
 find /usr/lib/systemd -type d -exec chmod 755 {} \; 2>/dev/null || true
 
+# Normalize permissions on udev rules, tmpfiles.d, sysusers.d, modprobe.d.
+# When the build context is checked out on Windows (NTFS via 9p in MiOS-DEV
+# WSL2), every file inherits 0755 + world-writable. udev rejects executable
+# rules files at every boot ("99-kvmfr.rules is marked executable. Please
+# remove executable permission bits"), and the "world-writable" warning is
+# raised on the same files. Force 0644 across every declarative-config
+# directory in /usr/lib/. Mirrors the systemd-units normalization above.
+log "08-overlay: normalizing udev/tmpfiles/sysusers/modprobe permissions"
+for d in \
+    /usr/lib/udev/rules.d \
+    /usr/lib/tmpfiles.d \
+    /usr/lib/sysusers.d \
+    /usr/lib/modprobe.d \
+    /usr/lib/sysctl.d \
+    /usr/lib/binfmt.d \
+    /etc/udev/rules.d \
+    /etc/tmpfiles.d \
+    /etc/sysusers.d \
+    /etc/modprobe.d \
+    /etc/sysctl.d
+do
+    [[ -d "$d" ]] || continue
+    find "$d" -type f -exec chmod 0644 {} + 2>/dev/null || true
+    find "$d" -type d -exec chmod 0755 {} + 2>/dev/null || true
+done
+
 # Logically Bound Images -- bind every Quadlet from both vendor and admin paths
 # (see ARCHITECTURAL LAW 3 -- BOUND-IMAGES).
 BDIR="/usr/lib/bootc/bound-images.d"

automation/10-gnome.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# 'MiOS' v0.2.0 -- 10-gnome: GNOME 50 desktop -- PURE BUILD-UP
+# 'MiOS' v0.2.4 -- 10-gnome: GNOME 50 desktop -- PURE BUILD-UP
 #
 # STRATEGY: ucore has ZERO GNOME packages. We install exactly what we need.
 # With install_weakdeps=False (set globally in 01-repos.sh), only hard deps

automation/11-hardware.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# 'MiOS' v0.2.0 -- 11-hardware: GPU drivers (Mesa + AMD ROCm + Intel + NVIDIA)
+# 'MiOS' v0.2.4 -- 11-hardware: GPU drivers (Mesa + AMD ROCm + Intel + NVIDIA)
 #
 # NVIDIA strategy (v0.2.0):
 #   Primary:  ucore-hci:stable-nvidia ships pre-signed kmods for the base

automation/12-virt.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# 'MiOS' v0.2.0 -- 12-virt: Virtualization, containers, orchestration, gaming
+# 'MiOS' v0.2.4 -- 12-virt: Virtualization, containers, orchestration, gaming
 #
 # CHANGELOG v1.3:
 #   - Looking Glass B7: MOVED to 53-bake-lookingglass-client.sh (refactored out)