Drop legacy non-container builders

PLAN.md

@@ -272,13 +272,10 @@ ISO image bootable via BMC virtual media or USB. Runs boot services automaticall
 
 ### 2.1 — Builder environment
 
-`iso/builder/setup-builder.sh` prepares a Debian 12 host/VM with:
-- `live-build`, `debootstrap`, bootloader tooling, kernel headers
-- Go toolchain
-- everything needed to compile the `bee` binary and NVIDIA modules
-
-`iso/builder/build-in-container.sh` offers the same builder stack in a Debian 12 container image.
-The container run is privileged because `live-build` needs mount/chroot/loop capabilities.
+`iso/builder/build-in-container.sh` is the only supported builder entrypoint.
+It builds a Debian 12 builder image with `live-build`, toolchains, and pinned kernel headers,
+then runs the ISO assembly in a privileged container because `live-build` needs
+mount/chroot/loop capabilities.
 
 `iso/builder/build.sh` orchestrates the full ISO build:
 1. compile the Go `bee` binary
@@ -392,7 +389,7 @@ No "works on my Mac" drift.
 
 --- BUILDER + BEE ISO (unblock real-hardware testing) ---
 
-2.1  builder setup                 → Debian host/VM or privileged container with build deps
+2.1  builder setup                 → privileged container with build deps
 2.2  debug ISO profile             → minimal Debian ISO: `bee` binary + OpenSSH + all packages
 2.3  boot on real server           → SSH in, verify packages present, run audit manually
 

bible-local/architecture/runtime-flows.md

@@ -57,7 +57,7 @@ Rules:
 ## ISO build sequence
 
 ```
-build.sh [--authorized-keys /path/to/keys]
+build-in-container.sh [--authorized-keys /path/to/keys]
   1. compile `bee` binary (skip if .go files older than binary)
   2. create a temporary overlay staging dir under `dist/`
   3. inject authorized_keys into staged `root/.ssh/` (or set password fallback marker)
@@ -78,13 +78,12 @@ build.sh [--authorized-keys /path/to/keys]
   11. patch staged `motd` with build metadata
   12. copy `iso/builder/` into a temporary live-build workdir under `dist/`
   13. sync staged overlay into workdir `config/includes.chroot/`
-  14. run `lb config && lb build` inside the temporary workdir
-     (either on a Debian host/VM or inside the privileged builder container)
+  14. run `lb config && lb build` inside the privileged builder container
 ```
 
 **Critical invariants:**
 - `DEBIAN_KERNEL_ABI` in `iso/builder/VERSIONS` pins the exact kernel ABI used in BOTH places:
-  1. `setup-builder.sh` / `build-in-container.sh` / `build-nvidia-module.sh` — Debian kernel headers for module build
+  1. `build-in-container.sh` / `build-nvidia-module.sh` — Debian kernel headers for module build
   2. `auto/config` — `linux-image-${DEBIAN_KERNEL_ABI}` in the ISO
 - NVIDIA modules go to staged `usr/local/lib/nvidia/` — NOT to `/lib/modules/<kver>/extra/`.
 - The source overlay in `iso/overlay/` is treated as immutable source. Build-time files are injected only into the staged overlay.

iso/builder/build-in-container.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-# build-in-container.sh — build the bee ISO inside a Debian container.
+# build-in-container.sh — build the bee ISO inside the Debian builder container.
 
 set -e
 
@@ -70,6 +70,7 @@ set -- \
     run --rm --privileged \
     -v "${REPO_ROOT}:/work" \
     -v "${CACHE_DIR}:/cache" \
+    -e BEE_CONTAINER_BUILD=1 \
     -e GOCACHE=/cache/go-build \
     -e GOMODCACHE=/cache/go-mod \
     -e TMPDIR=/cache/tmp \
@@ -83,6 +84,7 @@ if [ -n "$AUTH_KEYS" ]; then
         -v "${REPO_ROOT}:/work" \
         -v "${CACHE_DIR}:/cache" \
         -v "${AUTH_KEYS_DIR}:/tmp/bee-authkeys:ro" \
+        -e BEE_CONTAINER_BUILD=1 \
         -e GOCACHE=/cache/go-build \
         -e GOMODCACHE=/cache/go-mod \
         -e TMPDIR=/cache/tmp \

iso/builder/build.sh

@@ -1,14 +1,13 @@
 #!/bin/sh
-# build.sh — build bee ISO (Debian 12 / live-build)
-#
-# Single build script. Produces a bootable live ISO with SSH access, TUI, NVIDIA drivers.
-#
-# Run on Debian 12 builder VM as root after setup-builder.sh.
-# Usage:
-#   sh iso/builder/build.sh [--authorized-keys /path/to/authorized_keys]
+# build.sh — internal ISO build entrypoint executed inside the builder container.
 
 set -e
 
+if [ "${BEE_CONTAINER_BUILD:-0}" != "1" ]; then
+    echo "build.sh must run inside iso/builder/build-in-container.sh" >&2
+    exit 1
+fi
+
 REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
 BUILDER_DIR="${REPO_ROOT}/iso/builder"
 OVERLAY_DIR="${REPO_ROOT}/iso/overlay"

iso/builder/setup-builder.sh

@@ -1,75 +0,0 @@
-#!/bin/sh
-# setup-builder.sh — prepare Debian 12 host/VM as bee ISO builder
-#
-# Run once on a fresh Debian 12 (Bookworm) host/VM as root.
-# After this script completes, the machine can build bee ISO images directly.
-# Container alternative: use `iso/builder/build-in-container.sh`.
-#
-# Usage (on Debian VM):
-#   wget -O- https://git.mchus.pro/mchus/bee/raw/branch/main/iso/builder/setup-builder.sh | sh
-#   or: sh setup-builder.sh
-
-set -e
-
-. "$(dirname "$0")/VERSIONS" 2>/dev/null || true
-GO_VERSION="${GO_VERSION:-1.24.0}"
-DEBIAN_VERSION="${DEBIAN_VERSION:-12}"
-DEBIAN_KERNEL_ABI="${DEBIAN_KERNEL_ABI:-6.1.0-28}"
-
-echo "=== bee builder setup ==="
-echo "Debian: $(cat /etc/debian_version)"
-echo "Go target: ${GO_VERSION}"
-echo "Kernel ABI: ${DEBIAN_KERNEL_ABI}"
-echo ""
-
-# --- system packages ---
-export DEBIAN_FRONTEND=noninteractive
-apt-get update -qq
-
-apt-get install -y \
-    live-build \
-    debootstrap \
-    squashfs-tools \
-    xorriso \
-    grub-pc-bin \
-    grub-efi-amd64-bin \
-    mtools \
-    git \
-    wget \
-    curl \
-    tar \
-    xz-utils \
-    screen \
-    rsync \
-    build-essential \
-    gcc \
-    make \
-    perl \
-    "linux-headers-${DEBIAN_KERNEL_ABI}-amd64"
-
-echo "linux-headers installed: $(dpkg -l "linux-headers-${DEBIAN_KERNEL_ABI}-amd64" | awk '/^ii/{print $3}')"
-
-# --- Go toolchain ---
-echo ""
-echo "=== installing Go ${GO_VERSION} ==="
-if [ -d /usr/local/go ] && /usr/local/go/bin/go version 2>/dev/null | grep -q "${GO_VERSION}"; then
-    echo "Go ${GO_VERSION} already installed"
-else
-    ARCH=$(uname -m)
-    case "$ARCH" in
-        x86_64) GOARCH=amd64 ;;
-        aarch64) GOARCH=arm64 ;;
-        *) echo "unsupported arch: $ARCH"; exit 1 ;;
-    esac
-    wget -O /tmp/go.tar.gz \
-        "https://go.dev/dl/go${GO_VERSION}.linux-${GOARCH}.tar.gz"
-    rm -rf /usr/local/go
-    tar -C /usr/local -xzf /tmp/go.tar.gz
-    rm /tmp/go.tar.gz
-fi
-export PATH="$PATH:/usr/local/go/bin"
-echo "Go: $(go version)"
-
-echo ""
-echo "=== builder setup complete ==="
-echo "Next: sh iso/builder/build.sh"

scripts/run-builder.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-# run-builder.sh — trigger ISO build on remote Debian 12 builder VM
+# run-builder.sh — trigger containerized ISO build on a remote builder host
 #
 # Usage:
 #   sh scripts/run-builder.sh
@@ -79,7 +79,7 @@ screen -S bee-build -X quit 2>/dev/null || true
 
 echo "--- starting build in screen session (survives SSH disconnect) ---"
 echo "--- log: \$LOG ---"
-screen -dmS bee-build sh -c "sudo sh iso/builder/build.sh ${EXTRA_ARGS} > \$LOG 2>&1; echo \$? > /tmp/bee-build-exit"
+screen -dmS bee-build sh -c "sh iso/builder/build-in-container.sh ${EXTRA_ARGS} > \$LOG 2>&1; echo \$? > /tmp/bee-build-exit"
 
 # Stream log until build finishes
 echo "--- streaming build log (Ctrl+C safe — build continues on VM) ---"