From 20f834aa96690a0cb54f584193d41baf076e2f24 Mon Sep 17 00:00:00 2001
From: Mikhail Chusavitin <mchusavitin@mchusmbp.local>
Date: Tue, 31 Mar 2026 10:13:31 +0300
Subject: [PATCH] =?UTF-8?q?feat:=20v3.4=20=E2=80=94=20boot=20reliability,?=
 =?UTF-8?q?=20log=20readability,=20USB=20export,=20screen=20resolution,=20?=
 =?UTF-8?q?GRUB=20UEFI=20fix,=20memtest,=20KVM=20console=20stability?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Web UI / logs:
- Strip ANSI escape codes and handle \r (progress bars) in task log output
- Add USB export API + UI card on Export page (list removable devices, write audit JSON or support bundle)
- Add Display Resolution card in Tools (xrandr-based, per-output mode selector)
- Dashboard: audit status banner with auto-reload when audit task completes

Boot & install:
- bee-web starts immediately with no dependencies (was blocked by audit + network)
- bee-audit.service redesigned: waits for bee-web healthz, sleeps 60s, enqueues audit via /api/audit/run (task system)
- bee-install: fix GRUB UEFI — grub-install exit code was silently ignored (|| true); add --no-nvram fallback; always copy EFI/BOOT/BOOTX64.EFI fallback path
- Add grub-efi-amd64, grub-pc, grub-efi-amd64-signed, shim-signed to package list (grub-install requires these, not just -bin variants)
- memtest hook: fix binary/boot/ not created before cp; handle both Debian (no extension) and upstream (x64.efi) naming
- bee-openbox-session: increase healthz wait from 30s to 120s

KVM console stability:
- runCmdJob: syscall.Setpriority(PRIO_PROCESS, pid, 10) on all stress subprocesses
- lightdm.service.d: Nice=-5 so X server preempts stress processes

Packages: add btop

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 audit/internal/webui/api.go                   | 154 +++++++++++++-
 audit/internal/webui/pages.go                 | 195 +++++++++++++++++-
 audit/internal/webui/server.go                |   7 +
 .../hooks/normal/9100-memtest.hook.binary     |  31 ++-
 .../config/package-lists/bee.list.chroot      |   7 +
 .../etc/systemd/system/bee-audit.service      |  21 +-
 .../etc/systemd/system/bee-web.service        |   5 +-
 .../system/lightdm.service.d/bee-limits.conf  |   3 +
 iso/overlay/usr/local/bin/bee-install         |  54 ++++-
 iso/overlay/usr/local/bin/bee-openbox-session |   7 +-
 10 files changed, 458 insertions(+), 26 deletions(-)

diff --git a/audit/internal/webui/api.go b/audit/internal/webui/api.go
index a88aabc..beb0aeb 100644
--- a/audit/internal/webui/api.go
+++ b/audit/internal/webui/api.go
@@ -9,14 +9,18 @@ import (
 	"net/http"
 	"os/exec"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"sync/atomic"
+	"syscall"
 	"time"
 
 	"bee/audit/internal/app"
 	"bee/audit/internal/platform"
 )
 
+var ansiEscapeRE = regexp.MustCompile(`\x1b\[[0-9;]*[a-zA-Z]|\x1b[()][A-Z0-9]|\x1b[DABC]`)
+
 // ── Job ID counter ────────────────────────────────────────────────────────────
 
 var jobCounter atomic.Uint64
@@ -91,11 +95,25 @@ func runCmdJob(j *jobState, cmd *exec.Cmd) {
 		j.finish(err.Error())
 		return
 	}
+	// Lower the CPU scheduling priority of stress/audit subprocesses to nice+10
+	// so the X server and kernel interrupt handling remain responsive under load
+	// (prevents KVM/IPMI graphical console from freezing during GPU stress tests).
+	if cmd.Process != nil {
+		_ = syscall.Setpriority(syscall.PRIO_PROCESS, cmd.Process.Pid, 10)
+	}
 
 	go func() {
 		scanner := bufio.NewScanner(pr)
 		for scanner.Scan() {
-			j.append(scanner.Text())
+			// Split on \r to handle progress-bar style output (e.g. \r overwrites)
+			// and strip ANSI escape codes so logs are readable in the browser.
+			parts := strings.Split(scanner.Text(), "\r")
+			for _, part := range parts {
+				line := ansiEscapeRE.ReplaceAllString(part, "")
+				if line != "" {
+					j.append(line)
+				}
+			}
 		}
 	}()
 
@@ -405,6 +423,58 @@ func (h *handler) handleAPIExportBundle(w http.ResponseWriter, r *http.Request)
 	})
 }
 
+func (h *handler) handleAPIExportUSBTargets(w http.ResponseWriter, _ *http.Request) {
+	if h.opts.App == nil {
+		writeError(w, http.StatusServiceUnavailable, "app not configured")
+		return
+	}
+	targets, err := h.opts.App.ListRemovableTargets()
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	if targets == nil {
+		targets = []platform.RemovableTarget{}
+	}
+	writeJSON(w, targets)
+}
+
+func (h *handler) handleAPIExportUSBAudit(w http.ResponseWriter, r *http.Request) {
+	if h.opts.App == nil {
+		writeError(w, http.StatusServiceUnavailable, "app not configured")
+		return
+	}
+	var target platform.RemovableTarget
+	if err := json.NewDecoder(r.Body).Decode(&target); err != nil || target.Device == "" {
+		writeError(w, http.StatusBadRequest, "device is required")
+		return
+	}
+	result, err := h.opts.App.ExportLatestAuditResult(target)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	writeJSON(w, map[string]string{"status": "ok", "message": result.Body})
+}
+
+func (h *handler) handleAPIExportUSBBundle(w http.ResponseWriter, r *http.Request) {
+	if h.opts.App == nil {
+		writeError(w, http.StatusServiceUnavailable, "app not configured")
+		return
+	}
+	var target platform.RemovableTarget
+	if err := json.NewDecoder(r.Body).Decode(&target); err != nil || target.Device == "" {
+		writeError(w, http.StatusBadRequest, "device is required")
+		return
+	}
+	result, err := h.opts.App.ExportSupportBundleResult(target)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	writeJSON(w, map[string]string{"status": "ok", "message": result.Body})
+}
+
 // ── GPU presence ──────────────────────────────────────────────────────────────
 
 func (h *handler) handleAPIGPUPresence(w http.ResponseWriter, r *http.Request) {
@@ -790,3 +860,85 @@ func (h *handler) rollbackPendingNetworkChange() error {
 	}
 	return nil
 }
+
+// ── Display / Screen Resolution ───────────────────────────────────────────────
+
+type displayMode struct {
+	Output  string `json:"output"`
+	Mode    string `json:"mode"`
+	Current bool   `json:"current"`
+}
+
+type displayInfo struct {
+	Output  string        `json:"output"`
+	Modes   []displayMode `json:"modes"`
+	Current string        `json:"current"`
+}
+
+var xrandrOutputRE = regexp.MustCompile(`^(\S+)\s+connected`)
+var xrandrModeRE = regexp.MustCompile(`^\s{3}(\d+x\d+)\s`)
+var xrandrCurrentRE = regexp.MustCompile(`\*`)
+
+func parseXrandrOutput(out string) []displayInfo {
+	var infos []displayInfo
+	var cur *displayInfo
+	for _, line := range strings.Split(out, "\n") {
+		if m := xrandrOutputRE.FindStringSubmatch(line); m != nil {
+			if cur != nil {
+				infos = append(infos, *cur)
+			}
+			cur = &displayInfo{Output: m[1]}
+			continue
+		}
+		if cur == nil {
+			continue
+		}
+		if m := xrandrModeRE.FindStringSubmatch(line); m != nil {
+			isCurrent := xrandrCurrentRE.MatchString(line)
+			mode := displayMode{Output: cur.Output, Mode: m[1], Current: isCurrent}
+			cur.Modes = append(cur.Modes, mode)
+			if isCurrent {
+				cur.Current = m[1]
+			}
+		}
+	}
+	if cur != nil {
+		infos = append(infos, *cur)
+	}
+	return infos
+}
+
+func (h *handler) handleAPIDisplayResolutions(w http.ResponseWriter, _ *http.Request) {
+	out, err := exec.Command("xrandr").Output()
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "xrandr: "+err.Error())
+		return
+	}
+	writeJSON(w, parseXrandrOutput(string(out)))
+}
+
+func (h *handler) handleAPIDisplaySet(w http.ResponseWriter, r *http.Request) {
+	var req struct {
+		Output string `json:"output"`
+		Mode   string `json:"mode"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Output == "" || req.Mode == "" {
+		writeError(w, http.StatusBadRequest, "output and mode are required")
+		return
+	}
+	// Validate mode looks like WxH to prevent injection
+	if !regexp.MustCompile(`^\d+x\d+$`).MatchString(req.Mode) {
+		writeError(w, http.StatusBadRequest, "invalid mode format")
+		return
+	}
+	// Validate output name (no special chars)
+	if !regexp.MustCompile(`^[A-Za-z0-9_\-]+$`).MatchString(req.Output) {
+		writeError(w, http.StatusBadRequest, "invalid output name")
+		return
+	}
+	if out, err := exec.Command("xrandr", "--output", req.Output, "--mode", req.Mode).CombinedOutput(); err != nil {
+		writeError(w, http.StatusInternalServerError, "xrandr: "+strings.TrimSpace(string(out)))
+		return
+	}
+	writeJSON(w, map[string]string{"status": "ok", "output": req.Output, "mode": req.Mode})
+}
diff --git a/audit/internal/webui/pages.go b/audit/internal/webui/pages.go
index 924035e..e04039b 100644
--- a/audit/internal/webui/pages.go
+++ b/audit/internal/webui/pages.go
@@ -205,12 +205,83 @@ document.querySelectorAll('.terminal').forEach(function(t){
 
 func renderDashboard(opts HandlerOptions) string {
 	var b strings.Builder
+	b.WriteString(renderAuditStatusBanner(opts))
 	b.WriteString(renderHardwareSummaryCard(opts))
 	b.WriteString(renderHealthCard(opts))
 	b.WriteString(renderMetrics())
 	return b.String()
 }
 
+// renderAuditStatusBanner shows a live progress banner when an audit task is
+// running and auto-reloads the page when it completes.
+func renderAuditStatusBanner(opts HandlerOptions) string {
+	// If audit data already exists, no banner needed — data is fresh.
+	// We still inject the polling script so a newly-triggered audit also reloads.
+	hasData := false
+	if _, err := loadSnapshot(opts.AuditPath); err == nil {
+		hasData = true
+	}
+	_ = hasData
+
+	return `<div id="audit-banner" style="display:none" class="alert alert-warn" style="margin-bottom:16px">
+  <span id="audit-banner-text">&#9654; Hardware audit is running — page will refresh automatically when complete.</span>
+  <a href="/tasks" style="margin-left:12px;font-size:12px">View in Tasks</a>
+</div>
+<script>
+(function(){
+var _auditPoll = null;
+var _auditSeenRunning = false;
+
+function pollAuditTask() {
+  fetch('/api/tasks').then(function(r){ return r.json(); }).then(function(tasks){
+    if (!tasks) return;
+    var audit = null;
+    for (var i = 0; i < tasks.length; i++) {
+      if (tasks[i].target === 'audit') { audit = tasks[i]; break; }
+    }
+    var banner = document.getElementById('audit-banner');
+    var txt = document.getElementById('audit-banner-text');
+    if (!audit) {
+      if (banner) banner.style.display = 'none';
+      return;
+    }
+    if (audit.status === 'running' || audit.status === 'pending') {
+      _auditSeenRunning = true;
+      if (banner) {
+        banner.style.display = '';
+        var label = audit.status === 'pending' ? 'pending\u2026' : 'running\u2026';
+        if (txt) txt.textContent = '\u25b6 Hardware audit ' + label + ' \u2014 page will refresh when complete.';
+      }
+    } else if (audit.status === 'done' && _auditSeenRunning) {
+      // Audit just finished — reload to show fresh hardware data.
+      clearInterval(_auditPoll);
+      if (banner) {
+        if (txt) txt.textContent = '\u2713 Audit complete \u2014 reloading\u2026';
+        banner.style.background = 'var(--ok-bg,#fcfff5)';
+        banner.style.color = 'var(--ok-fg,#2c662d)';
+      }
+      setTimeout(function(){ window.location.reload(); }, 800);
+    } else if (audit.status === 'failed') {
+      _auditSeenRunning = false;
+      if (banner) {
+        banner.style.display = '';
+        banner.style.background = 'var(--crit-bg,#fff6f6)';
+        banner.style.color = 'var(--crit-fg,#9f3a38)';
+        if (txt) txt.textContent = '\u2717 Audit failed: ' + (audit.error||'unknown error');
+        clearInterval(_auditPoll);
+      }
+    } else {
+      if (banner) banner.style.display = 'none';
+    }
+  }).catch(function(){});
+}
+
+_auditPoll = setInterval(pollAuditTask, 3000);
+pollAuditTask();
+})();
+</script>`
+}
+
 func renderAudit() string {
 	return `<div class="card"><div class="card-head">Audit Viewer <button class="btn btn-sm btn-secondary" style="margin-left:auto" onclick="openAuditModal()">Actions</button></div><div class="card-body" style="padding:0"><iframe class="viewer-frame" src="/viewer" title="Audit viewer"></iframe></div></div>`
 }
@@ -845,12 +916,79 @@ func renderExport(exportDir string) string {
 	return `<div class="grid2">
 <div class="card"><div class="card-head">Support Bundle</div><div class="card-body">
 <p style="font-size:13px;color:var(--muted);margin-bottom:12px">Creates a tar.gz archive of all audit files, SAT results, and logs.</p>
-<a class="btn btn-primary" href="/export/support.tar.gz">⬇ Download Support Bundle</a>
+<a class="btn btn-primary" href="/export/support.tar.gz">&#8595; Download Support Bundle</a>
 </div></div>
 <div class="card"><div class="card-head">Export Files</div><div class="card-body">
 <table><tr><th>File</th></tr>` + rows.String() + `</table>
 </div></div>
-</div>`
+</div>
+
+<div class="card" style="margin-top:16px">
+  <div class="card-head">Export to USB
+    <button class="btn btn-sm btn-secondary" onclick="usbRefresh()" style="margin-left:auto">&#8635; Refresh</button>
+  </div>
+  <div class="card-body">
+    <p style="font-size:13px;color:var(--muted);margin-bottom:12px">Write audit JSON or support bundle directly to a removable USB drive.</p>
+    <div id="usb-status" style="font-size:13px;color:var(--muted)">Scanning for USB devices...</div>
+    <div id="usb-targets" style="margin-top:12px"></div>
+    <div id="usb-msg" style="margin-top:10px;font-size:13px"></div>
+  </div>
+</div>
+<script>
+(function(){
+function usbRefresh() {
+  document.getElementById('usb-status').textContent = 'Scanning...';
+  document.getElementById('usb-targets').innerHTML = '';
+  document.getElementById('usb-msg').textContent = '';
+  fetch('/api/export/usb').then(r=>r.json()).then(targets => {
+    const st = document.getElementById('usb-status');
+    const ct = document.getElementById('usb-targets');
+    if (!targets || targets.length === 0) {
+      st.textContent = 'No removable USB devices found.';
+      return;
+    }
+    st.textContent = targets.length + ' device(s) found:';
+    ct.innerHTML = '<table><tr><th>Device</th><th>FS</th><th>Size</th><th>Label</th><th>Model</th><th>Actions</th></tr>' +
+      targets.map(t => {
+        const dev = t.device || '';
+        const label = t.label || '';
+        const model = t.model || '';
+        return '<tr>' +
+          '<td style="font-family:monospace">'+dev+'</td>' +
+          '<td>'+t.fs_type+'</td>' +
+          '<td>'+t.size+'</td>' +
+          '<td>'+label+'</td>' +
+          '<td style="font-size:12px;color:var(--muted)">'+model+'</td>' +
+          '<td style="white-space:nowrap">' +
+            '<button class="btn btn-sm btn-primary" onclick="usbExport(\'audit\','+JSON.stringify(t)+')">Audit JSON</button> ' +
+            '<button class="btn btn-sm btn-secondary" onclick="usbExport(\'bundle\','+JSON.stringify(t)+')">Support Bundle</button>' +
+          '</td></tr>';
+      }).join('') + '</table>';
+  }).catch(e => {
+    document.getElementById('usb-status').textContent = 'Error: ' + e;
+  });
+}
+window.usbExport = function(type, target) {
+  const msg = document.getElementById('usb-msg');
+  msg.style.color = 'var(--muted)';
+  msg.textContent = 'Exporting to ' + (target.device||'') + '...';
+  fetch('/api/export/usb/'+type, {
+    method: 'POST',
+    headers: {'Content-Type':'application/json'},
+    body: JSON.stringify(target)
+  }).then(r=>r.json()).then(d => {
+    if (d.error) { msg.style.color='var(--err,red)'; msg.textContent = 'Error: '+d.error; return; }
+    msg.style.color = 'var(--ok,green)';
+    msg.textContent = d.message || 'Done.';
+  }).catch(e => {
+    msg.style.color = 'var(--err,red)';
+    msg.textContent = 'Error: '+e;
+  });
+};
+window.usbRefresh = usbRefresh;
+usbRefresh();
+})();
+</script>`
 }
 
 func listExportFiles(exportDir string) ([]string, error) {
@@ -876,6 +1014,56 @@ func listExportFiles(exportDir string) ([]string, error) {
 	return entries, nil
 }
 
+// ── Display Resolution ────────────────────────────────────────────────────────
+
+func renderDisplayInline() string {
+	return `<div id="display-status" style="color:var(--muted);font-size:13px;margin-bottom:12px">Loading displays...</div>
+<div id="display-controls"></div>
+<script>
+(function(){
+function loadDisplays() {
+  fetch('/api/display/resolutions').then(r=>r.json()).then(displays => {
+    const status = document.getElementById('display-status');
+    const ctrl = document.getElementById('display-controls');
+    if (!displays || displays.length === 0) {
+      status.textContent = 'No connected displays found or xrandr not available.';
+      return;
+    }
+    status.textContent = '';
+    ctrl.innerHTML = displays.map(d => {
+      const opts = (d.modes||[]).map(m =>
+        '<option value="'+m.mode+'"'+(m.current?' selected':'')+'>'+m.mode+(m.current?' (current)':'')+'</option>'
+      ).join('');
+      return '<div style="margin-bottom:12px">'
+        +'<span style="font-weight:600;margin-right:8px">'+d.output+'</span>'
+        +'<span style="color:var(--muted);font-size:12px;margin-right:12px">Current: '+d.current+'</span>'
+        +'<select id="res-sel-'+d.output+'" style="margin-right:8px">'+opts+'</select>'
+        +'<button class="btn btn-sm btn-primary" onclick="applyResolution(\''+d.output+'\')">Apply</button>'
+        +'</div>';
+    }).join('');
+  }).catch(()=>{
+    document.getElementById('display-status').textContent = 'xrandr not available on this system.';
+  });
+}
+window.applyResolution = function(output) {
+  const sel = document.getElementById('res-sel-'+output);
+  if (!sel) return;
+  const mode = sel.value;
+  const btn = sel.nextElementSibling;
+  btn.disabled = true;
+  btn.textContent = 'Applying...';
+  fetch('/api/display/set', {method:'POST', headers:{'Content-Type':'application/json'}, body:JSON.stringify({output:output,mode:mode})})
+    .then(r=>r.json()).then(d=>{
+      if (d.error) { alert('Error: '+d.error); }
+      loadDisplays();
+    }).catch(e=>{ alert('Error: '+e); })
+    .finally(()=>{ btn.disabled=false; btn.textContent='Apply'; });
+};
+loadDisplays();
+})();
+</script>`
+}
+
 // ── Tools ─────────────────────────────────────────────────────────────────────
 
 func renderTools() string {
@@ -927,6 +1115,9 @@ function installToRAM() {
 <div class="card"><div class="card-head">Services</div><div class="card-body">` +
 		renderServicesInline() + `</div></div>
 
+<div class="card"><div class="card-head">Display Resolution</div><div class="card-body">` +
+		renderDisplayInline() + `</div></div>
+
 <script>
 function checkTools() {
   document.getElementById('tools-table').innerHTML = '<p style="color:var(--muted);font-size:13px">Checking...</p>';
diff --git a/audit/internal/webui/server.go b/audit/internal/webui/server.go
index 37750e6..a050843 100644
--- a/audit/internal/webui/server.go
+++ b/audit/internal/webui/server.go
@@ -241,10 +241,17 @@ func NewHandler(opts HandlerOptions) http.Handler {
 	// Export
 	mux.HandleFunc("GET /api/export/list", h.handleAPIExportList)
 	mux.HandleFunc("POST /api/export/bundle", h.handleAPIExportBundle)
+	mux.HandleFunc("GET /api/export/usb", h.handleAPIExportUSBTargets)
+	mux.HandleFunc("POST /api/export/usb/audit", h.handleAPIExportUSBAudit)
+	mux.HandleFunc("POST /api/export/usb/bundle", h.handleAPIExportUSBBundle)
 
 	// Tools
 	mux.HandleFunc("GET /api/tools/check", h.handleAPIToolsCheck)
 
+	// Display
+	mux.HandleFunc("GET /api/display/resolutions", h.handleAPIDisplayResolutions)
+	mux.HandleFunc("POST /api/display/set", h.handleAPIDisplaySet)
+
 	// GPU presence
 	mux.HandleFunc("GET /api/gpu/presence", h.handleAPIGPUPresence)
 
diff --git a/iso/builder/config/hooks/normal/9100-memtest.hook.binary b/iso/builder/config/hooks/normal/9100-memtest.hook.binary
index 9c1d7c9..c9acf9f 100755
--- a/iso/builder/config/hooks/normal/9100-memtest.hook.binary
+++ b/iso/builder/config/hooks/normal/9100-memtest.hook.binary
@@ -4,16 +4,23 @@
 # not inside the squashfs).
 #
 # Primary: copy from chroot/boot/ (populated by package postinst).
-# Fallback: extract directly from the cached .deb if postinst didn't place
-#           the files (happens in chroot environments without grub triggers).
+# Naming fallbacks:
+#   Debian Bookworm: /boot/memtest86+       — EFI PE64 (no extension)
+#                    /boot/memtest86+.bin    — legacy binary
+#   Upstream/Ubuntu: /boot/memtest86+x64.efi, /boot/memtest86+x64.bin, etc.
+# Last resort: extract directly from the cached .deb if postinst didn't place
+#              the files (happens in chroot environments without grub triggers).
 set -e
 
 MEMTEST_FILES="memtest86+x64.bin memtest86+x64.efi memtest86+ia32.bin memtest86+ia32.efi"
 
+# Ensure destination directory exists (absence caused silent copy failures).
+mkdir -p binary/boot
+
 echo "memtest: scanning chroot/boot/ for memtest files:"
 ls chroot/boot/memtest* 2>/dev/null || echo "memtest: WARNING: no memtest files in chroot/boot/"
 
-# Primary path: copy from chroot/boot/
+# Primary path: copy upstream-named files from chroot/boot/
 for f in ${MEMTEST_FILES}; do
     src="chroot/boot/${f}"
     if [ -f "${src}" ]; then
@@ -22,14 +29,23 @@ for f in ${MEMTEST_FILES}; do
     fi
 done
 
-# Fallback: if EFI binary still missing, extract from cached .deb
+# Debian Bookworm naming fallback: /boot/memtest86+ (no extension) is the EFI binary.
+if [ ! -f "binary/boot/memtest86+x64.efi" ] && [ -f "chroot/boot/memtest86+" ]; then
+    cp "chroot/boot/memtest86+" "binary/boot/memtest86+x64.efi"
+    echo "memtest: copied /boot/memtest86+ as memtest86+x64.efi (Debian naming)"
+fi
+if [ ! -f "binary/boot/memtest86+x64.bin" ] && [ -f "chroot/boot/memtest86+.bin" ]; then
+    cp "chroot/boot/memtest86+.bin" "binary/boot/memtest86+x64.bin"
+    echo "memtest: copied /boot/memtest86+.bin as memtest86+x64.bin (Debian naming)"
+fi
+
+# Last resort: if EFI binary still missing, extract from cached .deb
 if [ ! -f "binary/boot/memtest86+x64.efi" ]; then
     echo "memtest: EFI binary missing — attempting extraction from .deb cache"
     deb=$(find chroot/var/cache/apt/archives/ chroot/var/lib/apt/lists/ \
               -name 'memtest86+_*.deb' -o -name 'memtest86+*.deb' 2>/dev/null \
           | head -1)
     if [ -z "$deb" ]; then
-        # Also check lb package cache
         deb=$(find cache/ -name 'memtest86+_*.deb' -o -name 'memtest86+*.deb' 2>/dev/null | head -1)
     fi
     if [ -n "$deb" ]; then
@@ -45,6 +61,11 @@ if [ ! -f "binary/boot/memtest86+x64.efi" ]; then
                 echo "memtest: extracted ${f} from .deb"
             fi
         done
+        # Debian naming fallback inside .deb as well
+        if [ ! -f "binary/boot/memtest86+x64.efi" ] && [ -f "${EXTRACT_DIR}/boot/memtest86+" ]; then
+            cp "${EXTRACT_DIR}/boot/memtest86+" "binary/boot/memtest86+x64.efi"
+            echo "memtest: extracted /boot/memtest86+ as memtest86+x64.efi from .deb"
+        fi
         rm -rf "${EXTRACT_DIR}"
     else
         echo "memtest: WARNING: no memtest86+ .deb found in cache — memtest will not be available"
diff --git a/iso/builder/config/package-lists/bee.list.chroot b/iso/builder/config/package-lists/bee.list.chroot
index b9d7816..84a6699 100644
--- a/iso/builder/config/package-lists/bee.list.chroot
+++ b/iso/builder/config/package-lists/bee.list.chroot
@@ -21,8 +21,14 @@ openssh-server
 # Disk installer
 squashfs-tools
 parted
+# grub-pc / grub-efi-amd64 provide grub-install + grub2-common (required for chroot install).
+# The -bin variants only carry binary modules and do NOT include grub-install itself.
+grub-pc
 grub-pc-bin
+grub-efi-amd64
 grub-efi-amd64-bin
+grub-efi-amd64-signed
+shim-signed
 
 # Filesystem support for USB export targets
 exfatprogs
@@ -39,6 +45,7 @@ vim-tiny
 mc
 htop
 nvtop
+btop
 sudo
 zstd
 mstflint
diff --git a/iso/overlay/etc/systemd/system/bee-audit.service b/iso/overlay/etc/systemd/system/bee-audit.service
index dd7417a..aec5af9 100644
--- a/iso/overlay/etc/systemd/system/bee-audit.service
+++ b/iso/overlay/etc/systemd/system/bee-audit.service
@@ -1,14 +1,25 @@
 [Unit]
-Description=Bee: run hardware audit
-After=bee-network.service bee-nvidia.service bee-preflight.service
-Before=bee-web.service
+Description=Bee: schedule startup hardware audit via task queue
+# Start AFTER bee-web, not before — bee-web must not wait for audit.
+After=bee-web.service
+Wants=bee-web.service
 
 [Service]
 Type=oneshot
-ExecStart=/usr/local/bin/bee-log-run /appdata/bee/export/bee-audit.log /bin/sh -c '/usr/local/bin/bee audit --runtime livecd --output file:/appdata/bee/export/bee-audit.json; rc=$?; if [ "$rc" -ne 0 ]; then echo "[bee-audit] WARN: audit exited with rc=$rc"; fi; exit 0'
+RemainAfterExit=yes
+# Wait up to 90s for bee-web to respond on /healthz, then sleep 60s for
+# the system to settle (GPU drivers, sensors), then enqueue the audit as
+# a background task so it appears in the task list and logs.
+ExecStart=/bin/sh -c '\
+  i=0; \
+  while [ $i -lt 90 ]; do \
+    if curl -sf http://localhost/healthz >/dev/null 2>&1; then break; fi; \
+    sleep 1; i=$((i+1)); \
+  done; \
+  sleep 60; \
+  curl -sf -X POST http://localhost/api/audit/run >/dev/null'
 StandardOutput=journal
 StandardError=journal
-RemainAfterExit=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/iso/overlay/etc/systemd/system/bee-web.service b/iso/overlay/etc/systemd/system/bee-web.service
index 632b2d3..f07595d 100644
--- a/iso/overlay/etc/systemd/system/bee-web.service
+++ b/iso/overlay/etc/systemd/system/bee-web.service
@@ -1,7 +1,5 @@
 [Unit]
 Description=Bee: hardware audit web viewer
-After=bee-network.service
-Wants=bee-audit.service
 
 [Service]
 Type=simple
@@ -11,6 +9,9 @@ RestartSec=2
 StandardOutput=journal
 StandardError=journal
 LimitMEMLOCK=infinity
+# Keep the web server responsive during GPU/CPU stress (children inherit nice+10
+# via Setpriority in runCmdJob, but the bee-web parent stays at 0).
+Nice=0
 
 [Install]
 WantedBy=multi-user.target
diff --git a/iso/overlay/etc/systemd/system/lightdm.service.d/bee-limits.conf b/iso/overlay/etc/systemd/system/lightdm.service.d/bee-limits.conf
index 42486e7..226f096 100644
--- a/iso/overlay/etc/systemd/system/lightdm.service.d/bee-limits.conf
+++ b/iso/overlay/etc/systemd/system/lightdm.service.d/bee-limits.conf
@@ -4,3 +4,6 @@
 RestartSec=10
 StartLimitIntervalSec=60
 StartLimitBurst=3
+# Raise scheduling priority of the X server so the graphical console (KVM/IPMI)
+# stays responsive during GPU/CPU stress tests running at nice+10.
+Nice=-5
diff --git a/iso/overlay/usr/local/bin/bee-install b/iso/overlay/usr/local/bin/bee-install
index 7a4ebb6..f4c367a 100755
--- a/iso/overlay/usr/local/bin/bee-install
+++ b/iso/overlay/usr/local/bin/bee-install
@@ -158,20 +158,56 @@ mount --bind /sys  "${MOUNT_ROOT}/sys"
 
 # ------------------------------------------------------------------
 log "--- Step 7/7: Installing GRUB bootloader ---"
+
+# Helper: run a chroot command, log all output, return its exit code.
+# Needed because "cmd | while" pipelines hide the exit code of cmd.
+chroot_log() {
+    local rc=0
+    local out
+    out=$(chroot "$MOUNT_ROOT" "$@" 2>&1) || rc=$?
+    echo "$out" | while IFS= read -r line; do log "  $line"; done
+    return $rc
+}
+
 if [ "$UEFI" = "1" ]; then
-    chroot "$MOUNT_ROOT" grub-install \
-        --target=x86_64-efi \
-        --efi-directory=/boot/efi \
-        --bootloader-id=bee \
-        --recheck 2>&1 | while read -r line; do log "  $line"; done || true
+    # Primary attempt: write EFI NVRAM entry (requires writable efivars)
+    if ! chroot_log grub-install \
+            --target=x86_64-efi \
+            --efi-directory=/boot/efi \
+            --bootloader-id=bee \
+            --recheck; then
+        log "  WARNING: grub-install (with NVRAM) failed — retrying with --no-nvram"
+        # --no-nvram: write grubx64.efi but skip EFI variable update.
+        # Needed on headless servers where efivars is read-only or unavailable.
+        chroot_log grub-install \
+            --target=x86_64-efi \
+            --efi-directory=/boot/efi \
+            --bootloader-id=bee \
+            --no-nvram \
+            --recheck || log "  WARNING: grub-install --no-nvram also failed — check logs"
+    fi
+
+    # Always install the UEFI fallback path EFI/BOOT/BOOTX64.EFI.
+    # Many UEFI implementations (especially server BMCs and some firmware)
+    # ignore the NVRAM boot entry and only look for this path.
+    GRUB_EFI="${MOUNT_ROOT}/boot/efi/EFI/bee/grubx64.efi"
+    FALLBACK_DIR="${MOUNT_ROOT}/boot/efi/EFI/BOOT"
+    if [ -f "$GRUB_EFI" ]; then
+        mkdir -p "$FALLBACK_DIR"
+        cp "$GRUB_EFI" "${FALLBACK_DIR}/BOOTX64.EFI"
+        log "  Fallback EFI binary installed: EFI/BOOT/BOOTX64.EFI"
+    else
+        log "  WARNING: grubx64.efi not found at $GRUB_EFI — UEFI fallback path not set"
+    fi
 else
-    chroot "$MOUNT_ROOT" grub-install \
+    chroot_log grub-install \
         --target=i386-pc \
         --recheck \
-        "$DEVICE" 2>&1 | while read -r line; do log "  $line"; done || true
+        "$DEVICE" || log "  WARNING: grub-install (BIOS) failed — check logs"
 fi
-chroot "$MOUNT_ROOT" update-grub 2>&1 | while read -r line; do log "  $line"; done || true
-log "  GRUB installed."
+
+chroot_log update-grub || log "  WARNING: update-grub failed — check logs"
+log "  GRUB step complete."
 
 # ------------------------------------------------------------------
 # Cleanup
diff --git a/iso/overlay/usr/local/bin/bee-openbox-session b/iso/overlay/usr/local/bin/bee-openbox-session
index 55a11b1..c812e84 100755
--- a/iso/overlay/usr/local/bin/bee-openbox-session
+++ b/iso/overlay/usr/local/bin/bee-openbox-session
@@ -8,13 +8,16 @@ xset -dpms
 xset s noblank
 
 tint2 &
-# Wait for bee-web to bind (Go starts fast, usually <2s)
+
+# Wait up to 120s for bee-web to bind. The web server starts immediately now
+# (audit is deferred), so this should succeed in a few seconds on most hardware.
 i=0
-while [ $i -lt 30 ]; do
+while [ $i -lt 120 ]; do
     if curl -sf http://localhost/healthz >/dev/null 2>&1; then break; fi
     sleep 1
     i=$((i+1))
 done
+
 chromium \
     --disable-infobars \
     --disable-translate \