feat(dash): MiOS ASCII logo + Flatpaks panel + mios-* CLI verbs + dbus fix

Four interlocking changes from the latest boot diagnostics + the
operator-stated dashboard polish:

1. MiOS ASCII logo for fastfetch + every console surface

   Replaced the auto-detected Fedora logo with a MiOS-branded 3D-outlined
   word-mark at /usr/share/mios/branding/mios.txt. Wired into the
   fastfetch config via "logo": { "type": "raw", "source": ... } so
   every dashboard render -- /etc/issue.d pre-login banner, post-login
   /etc/profile.d/zz-mios-motd.sh, the manual `mios-status` invocation
   -- shows MiOS branding instead of the upstream Fedora art.

2. Flatpaks panel in the dashboard services block

   New print_flatpaks() in mios-dashboard.sh that calls
       flatpak list --system --app --columns=application,version,branch
   and renders up to 12 entries with green dots, application IDs,
   version, and branch. Sits between the Quadlet rollup and the git
   working-tree section so operators see exactly which user-selected
   Flatpaks were baked into the image (via 40-flatpak-bake.sh from the
   previous commit). Empty list shows a single line pointing back at
   the configurator's [desktop].flatpaks edit path.

3. /usr/bin/mios-* operator CLI verbs

   Audit of `mios *` commands the 36-tools.sh phase warned about as
   missing. Implementing the user-facing verbs each as a thin shell
   wrapper around the underlying mechanism so operators don't have to
   remember the long invocations:

   - mios-status   -> /usr/libexec/mios/mios-dashboard.sh "$@"
   - mios-update   -> bootc upgrade [--check|--apply|--rollback]
   - mios-rebuild  -> stage all + commit + push to localhost:3000
                      (triggers Forgejo Runner workflow -> bootc switch)
   - mios-build    -> local podman build of /Containerfile +
                      bootc switch --transport containers-storage
                      (skips the runner; for fast iteration)
   - mios-deploy   -> bootc status + reboot prompt to apply staged
                      deployment ; --rollback to undo
   - mios-flatpaks -> list/add/remove/update/search wrapper +
                      `bake-state` to inspect /usr/lib/mios/state/
                      flatpak-bake.env from the build

   .gitignore widened from explicit per-binary whitelist to
   `!/usr/bin/mios-*` so future operator verbs don't need a per-file
   gitignore edit. The ones the user-VFIO-toggle / mios-vfio-check /
   iommu-groups / mios-backup verbs from the 36-tools warning list
   remain unimplemented -- those need device-specific PCI/IOMMU logic;
   queued for a follow-up.

4. dbus-daemon-wsl pure socket-activation (THE D-Bus boot failure)

   Latest boot log showed:
       [  OK  ] Started dbus-daemon-wsl.service
       dbus-daemon[154]: Failed to start message bus: No socket received.
   then 25+ cockpit-wsinstance-socket-user.service [FAILED] cascade
   failures, plus user shells getting "Failed to connect to system
   scope bus" at every login.

   Cause: my [Install] section had `WantedBy=multi-user.target`, which
   tells systemd to start the unit at boot directly. But the ExecStart
   uses `--systemd-activation`, which means dbus-daemon EXPECTS to
   receive the listening socket FD via systemd socket-activation. With
   WantedBy=, systemd starts the unit DIRECTLY -- no FD passed -- and
   dbus-daemon exits with "No socket received". The entire D-Bus stack
   stays dead, cascading into cockpit, logind, polkit, homectl.

   Fix: removed `WantedBy=multi-user.target`. Kept `Alias=dbus.service`.
   Pure socket-activation: dbus.socket (already listening on
   /run/dbus/system_bus_socket) triggers Service=dbus.service, the
   Alias= maps that to this unit, and the socket FD is passed
   correctly. The unit starts on first client connection (milliseconds
   after multi-user.target as logind/polkit attempt their first system
   bus call).

   Once dbus comes up, the dashboard's "missing" Quadlet rollup will
   resolve to real states -- it was reporting "missing" because
   `systemctl show` as the unprivileged user couldn't reach the system
   bus to query unit LoadState/ActiveState.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kabuki94

.gitignore

@@ -159,11 +159,15 @@ usr/*
 !/usr/libexec/
 !/usr/share/
 
-# usr/bin -- only MiOS-owned CLIs
+# usr/bin -- only MiOS-owned CLIs. Glob covers all mios-* operator
+# verbs (mios-status, mios-update, mios-rebuild, mios-build, mios-deploy,
+# mios-flatpaks, plus future additions). Each is a thin shell wrapper
+# around the underlying mechanism (bootc / podman / git-against-/.git /
+# the local Forgejo at localhost:3000) so operators don't have to
+# remember the long invocations.
 usr/bin/*
 !/usr/bin/mios
-!/usr/bin/mios-env
-!/usr/bin/mios-sync-env
+!/usr/bin/mios-*
 
 # usr/share -- mios/ build files + doc/mios/ KB docs
 usr/share/*

usr/bin/mios-build

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+# mios-build -- run a LOCAL podman build of the live working tree at /,
+# without going through the Forgejo Runner. Produces localhost/mios:latest
+# in the host's containers-storage directly. Useful for fast iteration when
+# you want to skip the push -> runner -> sentinel -> watch -> bootc switch
+# loop and just rebuild + switch immediately.
+#
+#   mios-build                  # podman build + bootc switch (no reboot)
+#   mios-build --apply          # build, switch, AND reboot
+#   mios-build --no-switch      # build only; don't stage with bootc
+#   mios-build --tag <name>     # use a custom local tag (default: mios:latest)
+#
+# For the full closed-loop pattern (push -> runner -> CI -> bootc switch),
+# use mios-rebuild instead.
+
+set -euo pipefail
+
+TAG="localhost/mios:latest"
+DO_SWITCH=1
+DO_REBOOT=0
+
+while (( $# > 0 )); do
+    case "$1" in
+        --apply)      DO_REBOOT=1; shift ;;
+        --no-switch)  DO_SWITCH=0; shift ;;
+        --tag)        TAG="$2"; shift 2 ;;
+        --help|-h)
+            sed -n '2,15p' "$0" | sed 's/^# \?//'
+            exit 0
+            ;;
+        *)
+            echo "mios-build: unknown flag '$1' (try --help)" >&2
+            exit 2
+            ;;
+    esac
+done
+
+if [[ $EUID -ne 0 ]]; then
+    exec sudo -E "$0" "$@"
+fi
+
+if [[ ! -f /Containerfile ]]; then
+    echo "ERROR: /Containerfile not found. Is this a MiOS-deployed root?" >&2
+    exit 1
+fi
+
+# Source build args from install.env so the rebuild matches the installed identity.
+if [[ -r /etc/mios/install.env ]]; then
+    # shellcheck disable=SC1091
+    set -a; source /etc/mios/install.env; set +a
+fi
+
+BUILD_ARGS=()
+[[ -n "${MIOS_LINUX_USER:-}"        ]] && BUILD_ARGS+=(--build-arg "MIOS_USER=${MIOS_LINUX_USER}")
+[[ -n "${MIOS_HOSTNAME:-}"          ]] && BUILD_ARGS+=(--build-arg "MIOS_HOSTNAME=${MIOS_HOSTNAME}")
+[[ -n "${MIOS_AI_MODEL:-}"          ]] && BUILD_ARGS+=(--build-arg "MIOS_AI_MODEL=${MIOS_AI_MODEL}")
+[[ -n "${MIOS_AI_EMBED_MODEL:-}"    ]] && BUILD_ARGS+=(--build-arg "MIOS_AI_EMBED_MODEL=${MIOS_AI_EMBED_MODEL}")
+[[ -n "${MIOS_OLLAMA_BAKE_MODELS:-}" ]] && BUILD_ARGS+=(--build-arg "MIOS_OLLAMA_BAKE_MODELS=${MIOS_OLLAMA_BAKE_MODELS}")
+
+echo "[mios-build] building ${TAG} from /"
+podman build "${BUILD_ARGS[@]}" -f /Containerfile -t "${TAG}" /
+
+if (( DO_SWITCH )); then
+    echo "[mios-build] staging via bootc switch (containers-storage transport)"
+    bootc switch --transport containers-storage "${TAG}"
+fi
+
+if (( DO_REBOOT )); then
+    echo "[mios-build] rebooting in 3s ..."
+    sleep 3
+    systemctl reboot
+else
+    echo
+    echo "Build staged. Reboot to apply:"
+    echo "    sudo systemctl reboot"
+fi
+
+exit 0

usr/bin/mios-deploy

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# mios-deploy -- apply a staged bootc deployment. Companion to
+# mios-build / mios-rebuild / mios-update -- those STAGE a new
+# deployment via `bootc switch` or `bootc upgrade`; mios-deploy is
+# the explicit "reboot to activate" step.
+#
+#   mios-deploy             # show staged deployments + reboot prompt
+#   mios-deploy --now       # reboot immediately
+#   mios-deploy --status    # show staged + booted deployments; no reboot
+#   mios-deploy --rollback  # rollback to previous deployment, then reboot
+set -euo pipefail
+
+case "${1:-}" in
+    --status)
+        bootc status
+        exit 0
+        ;;
+    --now)
+        if [[ $EUID -ne 0 ]]; then exec sudo -E "$0" "$@"; fi
+        echo "Rebooting to activate the staged deployment in 3s ..."
+        sleep 3
+        systemctl reboot
+        ;;
+    --rollback)
+        if [[ $EUID -ne 0 ]]; then exec sudo -E "$0" "$@"; fi
+        bootc rollback
+        echo "Rollback staged. Rebooting in 3s to activate ..."
+        sleep 3
+        systemctl reboot
+        ;;
+    --help|-h)
+        sed -n '2,11p' "$0" | sed 's/^# \?//'
+        exit 0
+        ;;
+    "")
+        bootc status
+        echo
+        read -rp "Reboot now to activate the staged deployment? [y/N] " ans
+        case "${ans,,}" in
+            y|yes)
+                if [[ $EUID -ne 0 ]]; then exec sudo -E "$0" --now; fi
+                echo "Rebooting in 3s ..."
+                sleep 3
+                systemctl reboot
+                ;;
+            *)
+                echo "Aborted. Run 'mios-deploy --now' or 'sudo systemctl reboot' when ready."
+                ;;
+        esac
+        ;;
+    *)
+        echo "mios-deploy: unknown flag '$1' (try --help)" >&2
+        exit 2
+        ;;
+esac

usr/bin/mios-flatpaks

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# mios-flatpaks -- thin wrapper over `flatpak` for the MiOS-shipped
+# system-wide Flatpak surface. Operator-friendly verbs that don't
+# require remembering the long flatpak invocations.
+#
+#   mios-flatpaks list             list all installed system Flatpaks
+#   mios-flatpaks add    <ref>     install <ref> from flathub system-wide
+#   mios-flatpaks remove <ref>     uninstall <ref> system-wide
+#   mios-flatpaks update           update all installed Flatpaks
+#   mios-flatpaks search <term>    search flathub for <term>
+#   mios-flatpaks bake-state       show the build-time bake state
+#                                  (/usr/lib/mios/state/flatpak-bake.env)
+#
+# To make a Flatpak persist across `bootc switch` (the self-replication
+# loop), edit the canonical mios.toml [desktop].flatpaks array via the
+# configurator HTML at /usr/share/mios/configurator/index.html, then
+# `mios-rebuild` to push and trigger a runner-side rebuild.
+set -euo pipefail
+
+cmd="${1:-list}"
+shift || true
+
+case "$cmd" in
+    list|ls)
+        flatpak list --system --app --columns=application,version,branch,origin "$@"
+        ;;
+    add|install)
+        if [[ -z "${1:-}" ]]; then
+            echo "mios-flatpaks add <flathub-ref>  (e.g. com.valvesoftware.Steam)" >&2
+            exit 2
+        fi
+        if [[ $EUID -ne 0 ]]; then exec sudo -E "$0" add "$@"; fi
+        flatpak install --system --noninteractive --assumeyes flathub "$@"
+        ;;
+    remove|uninstall|rm)
+        if [[ -z "${1:-}" ]]; then
+            echo "mios-flatpaks remove <flathub-ref>" >&2
+            exit 2
+        fi
+        if [[ $EUID -ne 0 ]]; then exec sudo -E "$0" remove "$@"; fi
+        flatpak uninstall --system --noninteractive --assumeyes "$@"
+        ;;
+    update|upgrade)
+        if [[ $EUID -ne 0 ]]; then exec sudo -E "$0" update "$@"; fi
+        flatpak update --system --noninteractive --assumeyes "$@"
+        ;;
+    search)
+        if [[ -z "${1:-}" ]]; then
+            echo "mios-flatpaks search <term>" >&2
+            exit 2
+        fi
+        flatpak search "$@"
+        ;;
+    bake-state)
+        if [[ -r /usr/lib/mios/state/flatpak-bake.env ]]; then
+            cat /usr/lib/mios/state/flatpak-bake.env
+        else
+            echo "No bake state recorded (image may pre-date 40-flatpak-bake.sh)."
+        fi
+        ;;
+    --help|-h|help)
+        sed -n '2,15p' "$0" | sed 's/^# \?//'
+        ;;
+    *)
+        echo "mios-flatpaks: unknown verb '$cmd' (try --help)" >&2
+        exit 2
+        ;;
+esac

usr/bin/mios-rebuild

@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+# mios-rebuild -- push the live working tree at / to the local Forgejo
+# at localhost:3000 so the Forgejo Runner Quadlet picks up the change,
+# runs .forgejo/workflows/build-mios.yml, produces a new OCI image at
+# localhost/mios:latest, and the host's mios-bootc-switch.path watcher
+# stages it for the next reboot.
+#
+# This is the "edit anywhere -> push -> rebuild -> bootc switch" closed
+# self-replication loop. The git working tree at / is the deployed
+# system itself.
+#
+#   mios-rebuild [-m "<commit msg>"]   stage all changes, commit, push
+#   mios-rebuild --status              show last build sentinel content
+#   mios-rebuild --no-push             commit only; don't trigger build
+#
+# Prerequisites checked at runtime:
+#   - / is a git working tree (.git exists)
+#   - Forgejo at localhost:3000 is reachable (mios-forge.service active)
+#   - Origin remote points at the local forge
+
+set -euo pipefail
+
+DEFAULT_MSG="mios-rebuild: live root snapshot $(date -u +%FT%TZ)"
+COMMIT_MSG="$DEFAULT_MSG"
+DO_PUSH=1
+
+while (( $# > 0 )); do
+    case "$1" in
+        -m|--message) COMMIT_MSG="$2"; shift 2 ;;
+        --no-push)    DO_PUSH=0; shift ;;
+        --status)
+            if [[ -r /var/lib/mios/forge-runner/last-build.txt ]]; then
+                echo "Last Forge Runner build:"
+                cat /var/lib/mios/forge-runner/last-build.txt
+            else
+                echo "No build sentinel yet -- runner hasn't completed a build."
+            fi
+            exit 0
+            ;;
+        --help|-h)
+            sed -n '2,21p' "$0" | sed 's/^# \?//'
+            exit 0
+            ;;
+        *)
+            echo "mios-rebuild: unknown flag '$1' (try --help)" >&2
+            exit 2
+            ;;
+    esac
+done
+
+if [[ ! -d /.git ]]; then
+    echo "ERROR: / is not a git working tree. Run mios-forge-firstboot first" >&2
+    echo "       to initialize the local forge and seed the working tree." >&2
+    exit 1
+fi
+
+# Validate the local forge is up before committing -- fail-fast beats
+# committing changes that have nowhere to go.
+if (( DO_PUSH )); then
+    if ! curl -fsS --max-time 3 -o /dev/null "http://localhost:3000/api/v1/version"; then
+        echo "ERROR: Forgejo at http://localhost:3000/ is not reachable." >&2
+        echo "       Check: systemctl status mios-forge.service" >&2
+        exit 1
+    fi
+fi
+
+if [[ -z "$(git -C / status --porcelain)" ]]; then
+    echo "Working tree clean -- nothing to commit."
+    if (( DO_PUSH )); then
+        echo "Forcing a runner trigger by pushing the current HEAD."
+        git -C / push origin HEAD || {
+            echo "ERROR: push failed. Verify origin: git -C / remote -v" >&2
+            exit 1
+        }
+        echo
+        echo "Pushed. Runner workflow should kick off shortly. Watch with:"
+        echo "    journalctl -fu mios-forgejo-runner.service"
+    fi
+    exit 0
+fi
+
+echo "[mios-rebuild] staging all changes under /"
+git -C / add -A
+
+echo "[mios-rebuild] committing: ${COMMIT_MSG}"
+git -C / commit -m "$COMMIT_MSG"
+
+if (( DO_PUSH )); then
+    echo "[mios-rebuild] pushing to local Forgejo (localhost:3000)"
+    git -C / push origin HEAD
+    echo
+    echo "Pushed. Runner workflow should kick off shortly. Watch with:"
+    echo "    journalctl -fu mios-forgejo-runner.service"
+    echo "Once the build completes, the host stages it via:"
+    echo "    bootc switch --transport containers-storage localhost/mios:latest"
+    echo "Reboot to apply: sudo systemctl reboot"
+fi
+
+exit 0

usr/bin/mios-status

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# mios-status -- live MiOS system dashboard. Thin wrapper around
+# /usr/libexec/mios/mios-dashboard.sh; exists at /usr/bin/ so operators
+# don't have to remember the libexec path. All flags pass through:
+#   mios-status              full dashboard (header + fastfetch + services)
+#   mios-status --services-only   just the loop status block
+#   mios-status --no-color   plain ASCII (for piping)
+exec /usr/libexec/mios/mios-dashboard.sh "$@"

usr/bin/mios-update

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# mios-update -- pull the next published MiOS image and stage it for
+# the next reboot. Wraps `bootc upgrade` so operators don't need to
+# remember the bootc verbs.
+#
+#   mios-update              # fetch + stage; reboot to apply
+#   mios-update --apply      # fetch, stage, AND reboot now
+#   mios-update --check      # show what's available; don't stage
+#   mios-update --rollback   # undo the last upgrade (boot the previous deployment)
+#
+# To switch to a DIFFERENT image (rather than upgrade the current one):
+#   sudo bootc switch ghcr.io/mios-dev/mios:<tag>
+#   sudo systemctl reboot
+#
+# To rebuild from your live working tree at /, see `mios-rebuild`.
+set -euo pipefail
+
+if [[ "${1:-}" == "--help" || "${1:-}" == "-h" ]]; then
+    sed -n '2,18p' "$0" | sed 's/^# \?//'
+    exit 0
+fi
+
+if [[ $EUID -ne 0 ]]; then
+    exec sudo -E "$0" "$@"
+fi
+
+case "${1:-}" in
+    --check)
+        bootc upgrade --check
+        ;;
+    --apply)
+        bootc upgrade --apply
+        ;;
+    --rollback)
+        bootc rollback
+        echo "Rollback staged. Reboot to apply: sudo systemctl reboot"
+        ;;
+    "")
+        bootc upgrade
+        echo
+        echo "Update staged for next boot. Apply now with:"
+        echo "    sudo systemctl reboot      # full reboot"
+        echo "    sudo bootc upgrade --apply # immediate apply"
+        ;;
+    *)
+        echo "mios-update: unknown flag '$1'" >&2
+        echo "Try: mios-update --help" >&2
+        exit 2
+        ;;
+esac