Refactor bee CLI and LiveCD integration

bible-local/architecture/system-overview.md

@@ -21,16 +21,15 @@ Fills gaps where Redfish/logpile is blind:
 - Read-only hardware inventory: board, CPU, memory, storage, PCIe, PSU, GPU, NIC, RAID
 - Unattended operation — no user interaction required
 - NVIDIA proprietary driver loaded at boot for GPU enrichment via `nvidia-smi`
-- SSH access (dropbear) always available for inspection and debugging
-- Interactive TUI (`bee-tui`) for network setup, service management, GPU tests
-- GPU stress testing via `gpu_burn` (vendor binary, optional)
+- SSH access (OpenSSH) always available for inspection and debugging
+- Interactive Go TUI via `bee tui` for network setup, service management, and acceptance tests
 
 ## Network isolation — CRITICAL
 
 **The live CD runs in an isolated network segment with no internet access.**
 
 - All tools, drivers, and binaries MUST be pre-baked into the ISO at build time
-- No `apk add` at boot — packages are installed during ISO creation, not at runtime
+- No package installation at boot — packages are installed during ISO creation, not at runtime
 - No downloads at boot — NVIDIA modules, vendor tools, and all binaries come from the ISO overlay
 - DHCP is used only for LAN access (SSH from operator laptop); internet is NOT assumed
 - Any feature requiring network downloads cannot be added to the live CD
@@ -49,26 +48,32 @@ Fills gaps where Redfish/logpile is blind:
 | Component | Technology |
 |---|---|
 | Audit binary | Go, static, `CGO_ENABLED=0` |
-| LiveCD | Alpine Linux 3.21, linux-lts 6.12.x |
-| ISO build | Alpine mkimage + apkovl overlay (`iso/overlay/`) |
-| Init system | OpenRC |
-| SSH | Dropbear (always included) |
-| NVIDIA driver | Proprietary `.run` installer, built against linux-lts headers |
-| NVIDIA modules | Loaded via `insmod` from `/usr/local/lib/nvidia/` (not modloop path) |
-| glibc compat | `gcompat` — required for `nvidia-smi` (glibc binary on musl Alpine) |
-| Builder VM | Alpine 3.21 |
+| Live ISO | Debian 12 (bookworm), amd64 live-build image |
+| ISO build | Debian `live-build` + overlay sync into `config/includes.chroot/` |
+| Init system | `systemd` |
+| SSH | OpenSSH server |
+| NVIDIA driver | Proprietary `.run` installer, built against Debian kernel headers |
+| NVIDIA modules | Loaded via `insmod` from `/usr/local/lib/nvidia/` |
+| Builder | Debian 12 host/VM or Debian 12 container image |
+
+## Runtime split
+
+- The main Go application must run both on a normal Linux host and inside the live ISO
+- Live-ISO-only responsibilities stay in `iso/` integration code
+- Live ISO launches the Go CLI with `--runtime livecd`
+- Local/manual runs use `--runtime auto` or `--runtime local`
 
 ## Key paths
 
 | Path | Purpose |
 |---|---|
-| `audit/cmd/audit/` | CLI entry point |
+| `audit/cmd/bee/` | Main CLI entry point |
 | `audit/internal/collector/` | Per-subsystem collectors |
 | `audit/internal/schema/` | HardwareIngestRequest types |
-| `iso/builder/` | ISO build scripts and mkimage profile |
-| `iso/overlay/` | Single overlay: files injected into ISO via apkovl |
-| `iso/vendor/` | Optional pre-built vendor binaries (storcli64, gpu_burn, …) |
-| `iso/builder/VERSIONS` | Pinned versions: Alpine, Go, NVIDIA driver, kernel |
+| `iso/builder/` | ISO build scripts and `live-build` profile |
+| `iso/overlay/` | Source overlay copied into a staged build overlay |
+| `iso/vendor/` | Optional pre-built vendor binaries (storcli64, sas2ircu, sas3ircu, mstflint, …) |
+| `iso/builder/VERSIONS` | Pinned versions: Debian, Go, NVIDIA driver, kernel ABI |
 | `iso/builder/smoketest.sh` | Post-boot smoke test — run via SSH to verify live ISO |
 | `dist/` | Build outputs (gitignored) |
 | `iso/out/` | Downloaded ISO files (gitignored) |