Implement audit enrichments, TUI workflows, and production ISO scaffold

iso/builder/build.sh

@@ -0,0 +1,97 @@
+#!/bin/sh
+# build.sh — production ISO build (unattended mode)
+
+set -e
+
+REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+BUILDER_DIR="${REPO_ROOT}/iso/builder"
+OVERLAY_DIR="${REPO_ROOT}/iso/overlay"
+DIST_DIR="${REPO_ROOT}/dist"
+VENDOR_DIR="${REPO_ROOT}/iso/vendor"
+
+. "${BUILDER_DIR}/VERSIONS"
+export PATH="$PATH:/usr/local/go/bin"
+
+echo "=== bee production ISO build ==="
+echo "Alpine: ${ALPINE_VERSION}, Go: ${GO_VERSION}, NVIDIA: ${NVIDIA_DRIVER_VERSION}"
+
+AUDIT_BIN="${DIST_DIR}/bee-audit-linux-amd64"
+mkdir -p "$DIST_DIR"
+
+cd "${REPO_ROOT}/audit"
+GOOS=linux GOARCH=amd64 CGO_ENABLED=0 \
+    go build \
+    -ldflags "-s -w -X main.Version=${AUDIT_VERSION}" \
+    -o "$AUDIT_BIN" \
+    ./cmd/audit
+
+mkdir -p "${OVERLAY_DIR}/usr/local/bin"
+cp "$AUDIT_BIN" "${OVERLAY_DIR}/usr/local/bin/audit"
+chmod +x "${OVERLAY_DIR}/usr/local/bin/audit"
+
+# Copy optional vendor utilities if already fetched.
+for tool in storcli64 sas2ircu sas3ircu mstflint; do
+    if [ -f "${VENDOR_DIR}/${tool}" ]; then
+        cp "${VENDOR_DIR}/${tool}" "${OVERLAY_DIR}/usr/local/bin/${tool}"
+        chmod +x "${OVERLAY_DIR}/usr/local/bin/${tool}" || true
+        echo "vendor tool: ${tool} (included)"
+    else
+        echo "vendor tool: ${tool} (not found, skipped)"
+    fi
+done
+
+# Build and inject NVIDIA proprietary modules + userspace tools.
+echo "=== building NVIDIA modules ==="
+sh "${BUILDER_DIR}/build-nvidia-module.sh" "${NVIDIA_DRIVER_VERSION}" "${DIST_DIR}"
+KVER="$(ls /usr/src/ 2>/dev/null | grep '^linux-headers-' | sed 's/linux-headers-//' | head -1)"
+NVIDIA_CACHE="${DIST_DIR}/nvidia-${NVIDIA_DRIVER_VERSION}-${KVER}"
+
+mkdir -p "${OVERLAY_DIR}/lib/modules/${KVER}/extra/nvidia"
+cp "${NVIDIA_CACHE}/modules/"*.ko "${OVERLAY_DIR}/lib/modules/${KVER}/extra/nvidia/"
+
+mkdir -p "${OVERLAY_DIR}/usr/local/bin" "${OVERLAY_DIR}/usr/lib"
+cp "${NVIDIA_CACHE}/bin/nvidia-smi" "${OVERLAY_DIR}/usr/local/bin/"
+chmod +x "${OVERLAY_DIR}/usr/local/bin/nvidia-smi"
+cp "${NVIDIA_CACHE}/lib/"* "${OVERLAY_DIR}/usr/lib/" 2>/dev/null || true
+
+# Embed build metadata used at runtime.
+mkdir -p "${OVERLAY_DIR}/etc"
+BUILD_DATE="$(date +%Y-%m-%d)"
+GIT_COMMIT="$(git -C "${REPO_ROOT}" rev-parse --short HEAD 2>/dev/null || echo unknown)"
+cat > "${OVERLAY_DIR}/etc/bee-release" <<EOF
+BEE_ISO_VERSION=${AUDIT_VERSION}
+BEE_AUDIT_VERSION=${AUDIT_VERSION}
+BUILD_DATE=${BUILD_DATE}
+GIT_COMMIT=${GIT_COMMIT}
+ALPINE_VERSION=${ALPINE_VERSION}
+NVIDIA_DRIVER_VERSION=${NVIDIA_DRIVER_VERSION}
+EOF
+
+mkdir -p "${HOME}/.mkimage"
+cp "${BUILDER_DIR}/mkimg.bee.sh" "${HOME}/.mkimage/"
+cp "${BUILDER_DIR}/genapkovl-bee.sh" "${HOME}/.mkimage/"
+
+export BEE_OVERLAY_DIR="${OVERLAY_DIR}"
+
+if [ -d /var/tmp/bee-iso-work ]; then
+    find /var/tmp/bee-iso-work -maxdepth 1 -mindepth 1 \
+        -not -name 'apks_*' -not -name 'kernel_*' \
+        -not -name 'syslinux_*' -not -name 'grub_*' \
+        -exec rm -rf {} + 2>/dev/null || true
+fi
+
+export TMPDIR=/var/tmp
+cp "${BUILDER_DIR}/genapkovl-bee.sh" /var/tmp/
+cd /var/tmp
+sh /usr/share/aports/scripts/mkimage.sh \
+    --tag "v${ALPINE_VERSION}" \
+    --outdir "${DIST_DIR}" \
+    --arch x86_64 \
+    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main" \
+    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/community" \
+    --workdir /var/tmp/bee-iso-work \
+    --profile bee
+
+ISO="${DIST_DIR}/alpine-bee-${ALPINE_VERSION}-x86_64.iso"
+echo "=== done ==="
+echo "ISO: $ISO"