Embed MOTD banner into TUI

- New tui/sat_progress.go: polls {DefaultSATBaseDir}/{prefix}-*/verbose.log every 300ms and parses completed/in-progress steps
  - Busy screen now shows each step as PASS  lscpu (234ms) / FAIL  stress-ng (60.0s) / ...   sensors-after instead of just "Working..."

  2. Test results shown on screen (instead of just "Archive written to /path")
  - RunCPUAcceptancePackResult, RunMemoryAcceptancePackResult, RunStorageAcceptancePackResult, RunAMDAcceptancePackResult now read summary.txt from the run directory and return a formatted per-step result:
  Run: 2025-03-25T10:00:00Z

  PASS  lscpu
  PASS  sensors-before
  FAIL  stress-ng
  PASS  sensors-after

  Overall: FAILED  (ok=3  failed=1)

  3. AMD GPU SAT with auto-detection
  - platform.System.DetectGPUVendor(): checks /dev/nvidia0 → "nvidia", /dev/kfd → "amd"
  - platform.System.RunAMDAcceptancePack(): runs rocm-smi, rocm-smi --showallinfo, dmidecode
  - GPU SAT (G key / GPU row enter) automatically routes to AMD or NVIDIA based on detected vendor
  - "Run All" also auto-detects vendor

  4. Panel detail view
  - GPU detail now shows the most recent (NVIDIA or AMD) SAT result, whichever is newer
  - All SAT detail views use the same human-readable formatSATDetail format

.env.example

@@ -1 +1,2 @@
 BUILDER_HOST=
+BUILDER_USER=

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "bible"]
 	path = bible
 	url = https://git.mchus.pro/mchus/bible.git
+[submodule "internal/chart"]
+	path = internal/chart
+	url = https://git.mchus.pro/reanimator/chart.git

PLAN.md

@@ -4,13 +4,13 @@ Hardware audit LiveCD for offline server inventory.
 Produces `HardwareIngestRequest` JSON compatible with core/reanimator.
 
 **Principle:** OS-level collection — reads hardware directly, not through BMC.
-Fully unattended — no user interaction required at any stage. Boot → update → audit → output → done.
-All errors are logged, never presented interactively. Every failure path has a silent fallback.
+Automatic boot audit plus operator console. Boot runs audit immediately, but local/SSH operators can rerun checks through the TUI and CLI.
+Errors are logged and should not block boot on partial collector failures.
 Fills the gaps where logpile/Redfish is blind: NVMe, DIMM serials, GPU serials, physical disks behind RAID, full SMART, NIC firmware.
 
 ---
 
-## Status snapshot (2026-03-06)
+## Status snapshot (2026-03-14)
 
 ### Phase 1 — Go Audit Binary
 
@@ -23,33 +23,38 @@ Fills the gaps where logpile/Redfish is blind: NVMe, DIMM serials, GPU serials,
 - 1.7 PSU collector — **DONE (basic FRU path)**
 - 1.8 NVIDIA GPU enrichment — **DONE**
 - 1.8b Component wear / age telemetry — **DONE** (storage + NVMe + NVIDIA + NIC SFP/DOM + NIC packet stats)
+- 1.8c Storage health verdicts — **DONE** (SMART/NVMe warning/failed status derivation)
 - 1.9 Mellanox/NVIDIA NIC enrichment — **DONE** (mstflint + ethtool firmware fallback)
 - 1.10 RAID controller enrichment — **DONE (initial multi-tool support)** (storcli + sas2/3ircu + arcconf + ssacli + VROC/mdstat)
-- 1.11 Output and USB write — **DONE** (usb + /tmp fallback)
+- 1.11 PSU SDR health — **DONE** (`ipmitool sdr` merged with FRU inventory)
+- 1.11 Output and export workflow — **DONE** (explicit file output + manual removable export via TUI)
 - 1.12 Integration test (local) — **DONE** (`scripts/test-local.sh`)
 
-### Phase 2 — Alpine LiveCD
+### Phase 2 — Debian Live ISO
 
-- Debug ISO track is active (builder + overlay-debug + OpenRC services + TUI workflow).
-- Production ISO track — **IN PROGRESS**.
-- 2.3 Alpine mkimage profile — **DONE (production profile scaffold)**
-- 2.4 Network bring-up on boot — **DONE**
-- 2.5 OpenRC boot service (bee-audit) — **DONE** (with explicit bee-nvidia ordering)
-- 2.6 Vendor utilities in overlay — **DONE (fetch script + iso/vendor scaffold)**
-- 2.7 Auto-update wiring (USB first, network second) — **PARTIAL** (shell flow done; strict Ed25519 verification intentionally deferred to final stage)
-- 2.8 Release workflow — **PARTIAL** (production build now injects audit binary, NVIDIA modules/tools, vendor tools, and build metadata)
+- Current implementation uses Debian 12 `live-build`, `systemd`, and OpenSSH.
+- Network bring-up on boot — **DONE**
+- Boot services (`bee-network`, `bee-nvidia`, `bee-audit`, `bee-sshsetup`) — **DONE**
+- Local console UX (`bee` autologin on `tty1`, `menu` auto-start, TUI privilege escalation via `sudo -n`) — **DONE**
+- VM/debug support (`qemu-guest-agent`, serial console, virtual GPU initramfs modules) — **DONE**
+- Vendor utilities in overlay — **DONE**
+- Build metadata + staged overlay injection — **DONE**
+- Builder container cache persisted outside container writable layer — **DONE**
+- ISO volume label `BEE` — **DONE**
+- Auto-update flow remains deferred; current focus is deterministic offline audit ISO behavior.
+- Real-hardware validation remains **PENDING**; current validation is limited to local/libvirt VM boot + service checks.
 
 ---
 
 ## Phase 1 — Go Audit Binary
 
-Self-contained static binary. Runs on any Linux (including Alpine LiveCD).
+Self-contained static binary. Runs on any Linux (including the Debian live ISO).
 Calls system utilities, parses their output, produces `HardwareIngestRequest` JSON.
 
 ### 1.1 — Project scaffold
 
 - `audit/go.mod` — module `bee/audit`
-- `audit/cmd/audit/main.go` — CLI entry point: flags, orchestration, JSON output
+- `audit/cmd/bee/main.go` — main CLI entry point: subcommands, runtime selection, JSON output
 - `audit/internal/schema/` — copy of `HardwareIngestRequest` types from core (no import dependency)
 - `audit/internal/collector/` — empty package stubs for all collectors
 - `const Version = "1.0"` in main
@@ -237,305 +242,143 @@ No hardcoded vendor names in detection logic — pure PCI vendor_id map.
 
 Tests: table tests with storcli/sas2ircu text fixtures
 
-### 1.11 — Output and USB write
+### 1.11 — Output and export workflow
 
 `--output stdout` (default): pretty-printed JSON to stdout
 `--output file:<path>`: write JSON to explicit path
-`--output usb`: auto-detect first removable block device, mount it, write `audit-<board_serial>-<YYYYMMDD-HHMMSS>.json`
 
-USB detection: scan `/sys/block/*/removable`, pick first `1`, mount to `/tmp/bee-usb`
+Live ISO default service output: `/var/log/bee-audit.json`
 
-QR summary to stdout (always): board serial + model + component counts — fits in one QR code
-Uses `qrencode` if present, else skips silently
+Removable-media export is manual via `bee tui` (or the LiveCD wrapper `bee-tui`):
+- operator chooses a removable filesystem explicitly
+- TUI mounts it if needed
+- TUI asks for confirmation before copying the JSON
+- TUI unmounts temporary mountpoints after export
+
+No auto-write to arbitrary removable media is allowed.
 
 ### 1.12 — Integration test (local)
 
-`scripts/test-local.sh` — runs audit binary on developer machine (Linux), captures JSON,
+`scripts/test-local.sh` — runs `bee audit` on developer machine (Linux), captures JSON,
 validates required fields are present (board.serial_number non-empty, cpus non-empty, etc.)
 
 Not a unit test — requires real hardware access. Documents how to run for verification.
 
 ---
 
-## Phase 2 — Alpine LiveCD
+## Phase 2 — Debian Live ISO
 
-ISO image bootable via BMC virtual media. Runs audit binary automatically on boot.
+ISO image bootable via BMC virtual media or USB. Runs boot services automatically and writes the audit result to `/var/log/bee-audit.json`.
 
 ### 2.1 — Builder environment
 
-`iso/builder/Dockerfile` — Alpine 3.21 build environment with:
-- `alpine-sdk`, `abuild`, `squashfs-tools`, `xorriso`
-- Go toolchain (for binary compilation inside builder)
-- NVIDIA driver `.run` pre-fetched during image build
+`iso/builder/build-in-container.sh` is the only supported builder entrypoint.
+It builds a Debian 12 builder image with `live-build`, toolchains, and pinned kernel headers,
+then runs the ISO assembly in a privileged container because `live-build` needs
+mount/chroot/loop capabilities.
 
-`iso/builder/build.sh` — orchestrates full ISO build:
-1. Compile Go binary (static, `CGO_ENABLED=0`)
-2. Compile NVIDIA kernel module against Alpine 3.21 LTS kernel headers
-3. Run `mkimage.sh` with bee profile
-4. Output: `dist/bee-<version>.iso`
+`iso/builder/build.sh` orchestrates the full ISO build:
+1. compile the Go `bee` binary
+2. create a staged overlay under `dist/overlay-stage`
+3. inject SSH auth, vendor tools, NVIDIA artifacts, and build metadata into the staged overlay
+4. create a disposable `live-build` workdir under `dist/live-build-work`
+5. sync the staged overlay into `config/includes.chroot/`
+6. run `lb config && lb build`
+7. copy the final ISO into `dist/`
 
 ### 2.2 — NVIDIA driver build
 
-Alpine 3.21, LTS kernel 6.6 — fixed versions in builder.
+`iso/builder/build-nvidia-module.sh`:
+- downloads the pinned NVIDIA `.run` installer
+- verifies SHA256
+- builds kernel modules against the pinned Debian kernel ABI
+- caches modules, userspace tools, and libs in `dist/nvidia-<version>-<kver>/`
 
-`iso/builder/build-nvidia.sh`:
-- Download `NVIDIA-Linux-x86_64-<ver>.run` (version pinned in `iso/builder/VERSIONS`)
-- Extract kernel module sources
-- Compile against `linux-lts-dev` headers
-- Strip and package as `nvidia-<ver>-k6.6.ko.tar.gz` for inclusion in overlay
+`iso/overlay/usr/local/bin/bee-nvidia-load`:
+- loads `nvidia`, `nvidia-modeset`, `nvidia-uvm` via `insmod`
+- creates `/dev/nvidia*` nodes if the driver registered successfully
+- logs failures but does not block the rest of boot
 
-`iso/overlay/usr/local/bin/load-nvidia.sh`:
-- `insmod` sequence: nvidia.ko → nvidia-modeset.ko → nvidia-uvm.ko
-- Verify: `nvidia-smi -L` → log result
-- On failure: log warning, continue (audit runs without GPU enrichment)
+### 2.3 — ISO assembly and overlay policy
 
-### 2.3 — Alpine mkimage profile
+`iso/overlay/` is source-only input for the build.
 
-`iso/builder/mkimg.bee.sh` — Alpine mkimage profile:
-- Base: `alpine-base`
-- Kernel: `linux-lts`
-- Packages: `dmidecode smartmontools nvme-cli pciutils ipmitool util-linux e2fsprogs qrencode`
-- Overlay: `iso/overlay/` included as apkovl
+Build-time files are injected into the staged overlay only:
+- `bee`
+- `bee-smoketest`
+- `authorized_keys`
+- password-fallback marker
+- `/etc/bee-release`
+- vendor tools from `iso/vendor/`
 
-### 2.4 — Network bring-up on boot
+The source tree must stay clean after a build.
 
-`iso/overlay/usr/local/bin/bee-network.sh`:
-- Enumerate all network interfaces: `ip link show` → filter out loopback and virtual (docker/bridge)
-- For each physical interface: `ip link set <iface> up` + `udhcpc -i <iface> -t 5 -T 3 -n`
-- Log each interface result (got IP / timeout / no carrier)
-- Continue regardless — network is best-effort for auto-update
+### 2.4 — Boot services
 
-`iso/overlay/etc/init.d/bee-network`:
-- runlevel: default, before: bee-update
-- Calls bee-network.sh
-- Does not block boot if DHCP fails on all interfaces
+`systemd` service order:
+- `bee-sshsetup.service` → configures SSH auth before `ssh.service`
+- `bee-network.service` → starts best-effort DHCP on all physical interfaces
+- `bee-nvidia.service` → loads NVIDIA modules if present
+- `bee-audit.service` → runs audit and logs failures without turning partial collector bugs into a boot blocker
 
-### 2.5 — OpenRC boot service (bee-audit)
+### 2.4b — Runtime split
 
-`iso/overlay/etc/init.d/bee-audit`:
-- runlevel: default, after: bee-update
-- start(): load-nvidia.sh → /usr/local/bin/audit --output usb
-- on completion: print QR summary to /dev/tty1 (always, even if USB write failed)
-- log everything to /var/log/bee-audit.log
-- exits 0 regardless of partial failures — unattended, no prompts, no waits
+Target split:
+- main Go application works on a normal Linux host and on the live ISO
+- live-ISO specifics stay in integration glue under `iso/`
+- the live ISO passes `--runtime livecd` to the Go binary
+- local runs default to `--runtime auto`, which resolves to `local` unless a live marker is detected
 
-Unattended invariants:
-- No TTY prompts ever. All decisions are automatic.
-- Missing USB: output goes to /tmp/bee-audit-<serial>-<date>.json, QR shown on screen.
-- Missing NVIDIA driver: GPU records have status UNKNOWN, audit continues.
-- Missing ipmitool/storcli/any tool: that collector is skipped, rest continue.
-- Timeout on any external command: 30s hard limit via `timeout` wrapper, then skip.
-- Boot never hangs waiting for user input.
+Planned code shape:
+- `audit/cmd/bee/` — main CLI entrypoint
+- `audit/internal/runtimeenv/` — runtime detection and mode selection
+- future `audit/internal/tui/` — host/live shared TUI logic
+- `iso/overlay/` — boot-time livecd integration only
 
-`iso/overlay/etc/runlevels/default/bee-audit` symlink
+### 2.5 — Operator workflows
 
-### 2.6 — Vendor utilities in overlay
+- Automatic boot audit writes JSON to `/var/log/bee-audit.json`
+- `tty1` autologins into `bee` and auto-runs `menu`
+- `menu` launches the LiveCD wrapper `bee-tui`, which escalates to `root` via `sudo -n`
+- `bee tui` can rerun the audit manually
+- `bee tui` can export the latest audit JSON to removable media
+- `bee tui` can show health summary and run NVIDIA/memory/storage acceptance tests
+- NVIDIA SAT now includes a lightweight in-image GPU stress step via `bee-gpu-stress`
+- SAT summaries now expose `overall_status` plus per-job `OK/FAILED/UNSUPPORTED`
+- Memory/GPU SAT runtime defaults can be overridden via `BEE_MEMTESTER_*` and `BEE_GPU_STRESS_*`
+- removable export requires explicit target selection, mount, confirmation, copy, and cleanup
 
-`iso/overlay/usr/local/bin/` includes pre-fetched proprietary tools:
-- `storcli64` (Broadcom)
-- `sas2ircu`, `sas3ircu` (Broadcom/LSI)
-- `mstflint` (NVIDIA Networking / Mellanox)
+### 2.6 — Vendor utilities and optional assets
 
-`scripts/fetch-vendor.sh` — downloads and places these before ISO build.
-Checksums verified. Tools not committed to git — fetched at build time.
+Optional binaries live in `iso/vendor/` and are included when present:
+- `storcli64`
+- `sas2ircu`, `sas3ircu`
+- `arcconf`
+- `ssacli`
+- `mstflint` (via Debian package set)
 
-`iso/vendor/.gitkeep` — placeholder, directory gitignored except .gitkeep
+Missing optional tools do not fail the build or boot.
 
-### 2.7 — Auto-update of audit binary (USB + network)
+### 2.7 — Release workflow
 
-Two update paths, tried in order on every boot:
+`iso/builder/VERSIONS` pins the current release inputs:
+- audit version
+- Debian version / kernel ABI
+- Go version
+- NVIDIA driver version
 
-**Path A — USB (no network required, higher priority):**
-
-`bee-update.sh` scans mounted removable media for an update package before checking network.
-
-Looks for: `<usb>/bee-update/bee-audit-linux-amd64` + `<usb>/bee-update/bee-audit-linux-amd64.sha256`
-
-Steps:
-1. Find USB mount point (same detection as audit output: `/sys/block/*/removable`)
-2. Check for `bee-update/bee-audit-linux-amd64` on the USB root
-3. Read version from `bee-update/VERSION` file (plain text, e.g. `1.3`)
-4. Compare with running binary version (`/usr/local/bin/audit --version`)
-5. If USB version > running: verify SHA256 checksum, replace binary, log update
-6. Re-run audit if updated
-
-**Authenticity verification — Ed25519 multi-key trust (stdlib only, no external tools):**
-
-Problem: SHA256 alone does not prevent a crafted attack — an attacker places their binary
-and a matching SHA256 next to it. The LiveCD would accept it.
-
-Solution: Ed25519 asymmetric signatures via Go stdlib `crypto/ed25519`.
-Multiple developer public keys are supported. A binary update is accepted if its signature
-verifies against ANY of the embedded trusted public keys.
-
-This mirrors the SSH authorized_keys model: add a developer → add their public key.
-Remove a developer → rebuild without their key.
-
-**Key management — centralized across all projects:**
-
-Public keys live in a dedicated repo at git.mchus.pro/mchus/keys (or similar):
-```
-keys/
-  developers/
-    mchusavitin.pub    ← Ed25519 public key, base64, one line
-    developer2.pub
-  README.md            ← how to generate a key pair
-```
-
-Public keys are safe to commit — they are not secret.
-Private keys stay on each developer's machine, never committed anywhere.
-
-Key generation (one-time per developer, run locally):
-```sh
-# scripts/keygen.sh — also lives in the keys repo
-openssl genpkey -algorithm ed25519 -out ~/.bee-release.key
-openssl pkey -in ~/.bee-release.key -pubout -outform DER \
-  | tail -c 32 | base64 > mchusavitin.pub
-```
-
-**Embedding public keys at release time (not compile time):**
-
-Public keys are injected via `-ldflags` at build time from the keys repo.
-The binary does not hardcode keys — they are provided by the release script.
-
-```go
-// audit/internal/updater/trust.go
-// trustedKeysRaw is injected at build time via -ldflags
-// format: base64(key1):base64(key2):...
-var trustedKeysRaw string
-
-func trustedKeys() ([]ed25519.PublicKey, error) {
-    if trustedKeysRaw == "" {
-        return nil, fmt.Errorf("binary built without trusted keys — updates disabled")
-    }
-    var keys []ed25519.PublicKey
-    for _, enc := range strings.Split(trustedKeysRaw, ":") {
-        b, err := base64.StdEncoding.DecodeString(strings.TrimSpace(enc))
-        if err != nil || len(b) != ed25519.PublicKeySize {
-            return nil, fmt.Errorf("invalid trusted key: %w", err)
-        }
-        keys = append(keys, ed25519.PublicKey(b))
-    }
-    return keys, nil
-}
-
-func verifySignature(binaryPath, sigPath string) error {
-    keys, err := trustedKeys()
-    if err != nil {
-        return err
-    }
-    data, _ := os.ReadFile(binaryPath)
-    sig, _ := os.ReadFile(sigPath)  // 64 bytes raw Ed25519 signature
-    for _, key := range keys {
-        if ed25519.Verify(key, data, sig) {
-            return nil  // any trusted key accepts → pass
-        }
-    }
-    return fmt.Errorf("signature verification failed: no trusted key matched")
-}
-```
-
-Release build injects keys:
-```sh
-# scripts/build-release.sh
-KEYS=$(paste -sd: keys/developers/*.pub)
-go build -ldflags "-X bee/audit/internal/updater/trust.trustedKeysRaw=${KEYS}" \
-  -o dist/bee-audit-linux-amd64 ./cmd/audit
-```
-
-Signing (release engineer signs with their private key):
-```sh
-# scripts/sign-release.sh <binary>
-openssl pkeyutl -sign -inkey ~/.bee-release.key \
-  -rawin -in "$1" -out "$1.sig"
-```
-
-Binary built without `-ldflags` injection (e.g. local dev build) has `trustedKeysRaw=""`
-→ updates are disabled, logged as INFO, audit continues normally.
-
-Update rejected silently (logged as WARNING, audit continues with current binary) if:
-- `.sig` file missing
-- Signature does not match any trusted key
-- `trustedKeysRaw` empty (dev build)
-
-Update package layout on USB:
-```
-/bee-update/
-  bee-audit-linux-amd64        ← new binary (also signed with embedded keys)
-  bee-audit-linux-amd64.sig    ← Ed25519 signature (64 bytes raw)
-  VERSION                      ← plain version string e.g. "1.3"
-```
-
-Admin workflow: download `bee-audit-linux-amd64` + `bee-audit-linux-amd64.sig` from Gitea
-release assets, place in `bee-update/` on USB.
-
-**Path B — Network (requires DHCP on at least one interface):**
-1. Check network: ping git.mchus.pro -c 1 -W 3 || skip
-2. Fetch: `GET https://git.mchus.pro/api/v1/repos/<org>/bee/releases/latest`
-3. Parse tag_name, asset URLs for `bee-audit-linux-amd64` + `bee-audit-linux-amd64.sig`
-4. Compare tag with running version
-5. If newer: download both files to /tmp, verify Ed25519 signature against all trusted keys
-6. Replace binary on pass, log and skip on fail
-7. Re-run audit if updated
-
-**Ordering:** USB update checked first, network checked second.
-If USB update applied and verified, network check is skipped.
-
-`iso/overlay/etc/init.d/bee-update`:
-- runlevel: default
-- after: bee-network (network path needs interfaces up)
-- before: bee-audit (audit runs with latest binary)
-- Calls bee-update.sh
-
-Triggered after bee-audit completes, only if network is available.
-
-`iso/overlay/usr/local/bin/bee-update.sh`:
-
-```
-1. Check network: ping git.mchus.pro -c 1 -W 3 || exit 0
-2. Fetch latest release metadata:
-   GET https://git.mchus.pro/api/v1/repos/<org>/bee/releases/latest
-3. Parse: extract tag_name, asset URL for bee-audit-linux-amd64
-4. Compare tag_name with /usr/local/bin/audit --version output
-5. If newer: download to /tmp/bee-audit-new, verify SHA256 checksum from release assets
-6. Replace /usr/local/bin/audit (tmpfs — survives until reboot)
-7. Log: updated from vX.Y to vX.Z
-8. Re-run audit if update happened: /usr/local/bin/audit --output usb
-```
-
-`iso/overlay/etc/init.d/bee-update`:
-- runlevel: default
-- after: bee-audit, network
-- Calls bee-update.sh
-
-Release naming convention: binary asset named `bee-audit-linux-amd64` per release tag.
-
-### 2.8 — Release workflow
-
-`iso/builder/VERSIONS` — pinned versions:
-```
-AUDIT_VERSION=1.0
-ALPINE_VERSION=3.21
-KERNEL_VERSION=6.12
-NVIDIA_DRIVER_VERSION=590.48.01
-```
-
-LiveCD release = full ISO rebuild. Binary-only patch = new Gitea release with binary asset.
-On boot with network: ISO auto-patches its binary without full rebuild.
-
-ISO version embedded in `/etc/bee-release`:
-```
-BEE_ISO_VERSION=1.0
-BEE_AUDIT_VERSION=1.0
-BUILD_DATE=2026-03-05
-```
+Current release model:
+- shipping a new ISO means a full rebuild
+- build metadata is embedded into `/etc/bee-release` and `motd`
+- current ISO label is `BEE`
+- binary self-update remains deferred; no automatic USB/network patching is part of the current runtime
 
 ---
 
 ## Eating order
 
 Builder environment is set up early (after 1.3) so every subsequent collector
-is developed and tested directly on real hardware in the actual Alpine environment.
+is developed and tested directly on real hardware in the actual Debian live ISO environment.
 No "works on my Mac" drift.
 
 ```
@@ -544,10 +387,10 @@ No "works on my Mac" drift.
 1.2  board collector               → first real data
 1.3  CPU collector                 → +CPUs
 
---- BUILDER + DEBUG ISO (unblock real-hardware testing) ---
+--- BUILDER + BEE ISO (unblock real-hardware testing) ---
 
-2.1  builder VM setup              → Alpine VM with build deps + Go toolchain
-2.2  debug ISO profile             → minimal Alpine ISO: audit binary + dropbear SSH + all packages
+2.1  builder setup                 → privileged container with build deps
+2.2  debug ISO profile             → minimal Debian ISO: `bee` binary + OpenSSH + all packages
 2.3  boot on real server           → SSH in, verify packages present, run audit manually
 
 --- CONTINUE COLLECTORS (tested on real hardware from here) ---
@@ -560,14 +403,14 @@ No "works on my Mac" drift.
 1.8b wear/age telemetry            → +SMART hours, NVMe % used, SFP DOM, ECC
 1.9  Mellanox NIC enrichment       → +NIC firmware/serial
 1.10 RAID enrichment               → +physical disks behind RAID
-1.11 output + USB write            → production-ready output
+1.11 output + export workflow      → file output + explicit removable export
 
 --- PRODUCTION ISO ---
 
 2.4  NVIDIA driver build           → driver compiled into overlay
 2.5  network bring-up on boot      → DHCP on all interfaces
-2.6  OpenRC boot service           → audit runs on boot automatically
-2.7  vendor utilities              → storcli/sas2ircu/mstflint in image
-2.8  auto-update                   → binary self-patches from Gitea
-2.9  release workflow              → versioning + release notes
+2.6  systemd boot service          → audit runs on boot automatically
+2.7  vendor utilities              → storcli/sas2ircu/arcconf/ssacli in image
+2.8  release workflow              → versioning + release notes
+2.9  operator export flow          → explicit TUI export to removable media
 ```

audit/cmd/audit/main.go

@@ -1,167 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"flag"
-	"fmt"
-	"log/slog"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"sort"
-	"strings"
-	"time"
-
-	"bee/audit/internal/collector"
-)
-
-// Version is the audit binary version.
-// Injected at release build time via:
-//
-//	-ldflags "-X main.Version=1.2"
-//
-// Defaults to "dev" in local builds.
-var Version = "dev"
-
-func main() {
-	output := flag.String("output", "stdout", `output destination:
-  stdout          — print JSON to stdout (default)
-  file:<path>     — write JSON to file
-  usb             — auto-detect removable media, write JSON there`)
-	showVersion := flag.Bool("version", false, "print version and exit")
-	flag.Parse()
-
-	if *showVersion {
-		fmt.Println(Version)
-		return
-	}
-
-	slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
-		Level: slog.LevelInfo,
-	})))
-
-	result := collector.Run()
-
-	data, err := json.MarshalIndent(result, "", "  ")
-	if err != nil {
-		slog.Error("marshal result", "err", err)
-		os.Exit(1)
-	}
-
-	if err := writeOutput(*output, data); err != nil {
-		slog.Error("write output", "destination", *output, "err", err)
-		os.Exit(1)
-	}
-}
-
-func writeOutput(dest string, data []byte) error {
-	switch {
-	case dest == "stdout":
-		_, err := os.Stdout.Write(append(data, '\n'))
-		return err
-
-	case strings.HasPrefix(dest, "file:"):
-		path := strings.TrimPrefix(dest, "file:")
-		return os.WriteFile(path, append(data, '\n'), 0644)
-
-	case dest == "usb":
-		return writeToUSB(data)
-
-	default:
-		return fmt.Errorf("unknown output destination %q — use stdout, file:<path>, or usb", dest)
-	}
-}
-
-// writeToUSB auto-detects the first removable block device, mounts it,
-// and writes the audit JSON. Falls back to /tmp on any failure.
-func writeToUSB(data []byte) error {
-	boardSerial := extractBoardSerial(data)
-	filename := auditFilename(boardSerial, time.Now().UTC())
-
-	device, err := firstRemovableDevice()
-	if err != nil {
-		slog.Warn("usb output: no removable device, writing to /tmp", "err", err)
-		return writeAuditToPath(filepath.Join("/tmp", filename), data)
-	}
-
-	mountpoint := "/tmp/bee-usb"
-	if err := os.MkdirAll(mountpoint, 0755); err != nil {
-		return err
-	}
-
-	if err := exec.Command("mount", device, mountpoint).Run(); err != nil {
-		slog.Warn("usb output: mount failed, writing to /tmp", "device", device, "err", err)
-		return writeAuditToPath(filepath.Join("/tmp", filename), data)
-	}
-	defer func() {
-		if err := exec.Command("umount", mountpoint).Run(); err != nil {
-			slog.Warn("usb output: umount failed", "mountpoint", mountpoint, "err", err)
-		}
-	}()
-
-	path := filepath.Join(mountpoint, filename)
-	if err := writeAuditToPath(path, data); err != nil {
-		slog.Warn("usb output: write failed, falling back to /tmp", "path", path, "err", err)
-		return writeAuditToPath(filepath.Join("/tmp", filename), data)
-	}
-
-	slog.Info("usb output: written", "path", path)
-	return nil
-}
-
-func writeAuditToPath(path string, data []byte) error {
-	if err := os.WriteFile(path, append(data, '\n'), 0644); err != nil {
-		return err
-	}
-	slog.Info("audit output written", "path", path)
-	return nil
-}
-
-func extractBoardSerial(data []byte) string {
-	var doc struct {
-		Hardware struct {
-			Board struct {
-				SerialNumber string `json:"serial_number"`
-			} `json:"board"`
-		} `json:"hardware"`
-	}
-	if err := json.Unmarshal(data, &doc); err != nil {
-		return "unknown"
-	}
-	serial := strings.TrimSpace(doc.Hardware.Board.SerialNumber)
-	if serial == "" {
-		return "unknown"
-	}
-	return serial
-}
-
-func auditFilename(boardSerial string, now time.Time) string {
-	boardSerial = strings.TrimSpace(boardSerial)
-	if boardSerial == "" {
-		boardSerial = "unknown"
-	}
-	return fmt.Sprintf("audit-%s-%s.json", boardSerial, now.Format("20060102-150405"))
-}
-
-func firstRemovableDevice() (string, error) {
-	entries, err := os.ReadDir("/sys/block")
-	if err != nil {
-		return "", err
-	}
-	sort.Slice(entries, func(i, j int) bool { return entries[i].Name() < entries[j].Name() })
-
-	for _, e := range entries {
-		name := e.Name()
-		if strings.HasPrefix(name, "loop") || strings.HasPrefix(name, "ram") {
-			continue
-		}
-		removableFlag, err := os.ReadFile(filepath.Join("/sys/block", name, "removable"))
-		if err != nil {
-			continue
-		}
-		if strings.TrimSpace(string(removableFlag)) == "1" {
-			return filepath.Join("/dev", name), nil
-		}
-	}
-	return "", fmt.Errorf("no removable block device found")
-}

audit/cmd/bee/main.go

@@ -0,0 +1,403 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"strings"
+
+	"bee/audit/internal/app"
+	"bee/audit/internal/platform"
+	"bee/audit/internal/runtimeenv"
+	"bee/audit/internal/tui"
+	"bee/audit/internal/webui"
+)
+
+var Version = "dev"
+
+func main() {
+	os.Exit(run(os.Args[1:], os.Stdout, os.Stderr))
+}
+
+func run(args []string, stdout, stderr io.Writer) int {
+	slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
+		Level: slog.LevelInfo,
+	})))
+
+	if len(args) == 0 {
+		printRootUsage(stderr)
+		return 2
+	}
+
+	switch args[0] {
+	case "help", "--help", "-h":
+		if len(args) > 1 {
+			return runHelp(args[1:], stdout, stderr)
+		}
+		printRootUsage(stdout)
+		return 0
+	case "audit":
+		return runAudit(args[1:], stdout, stderr)
+	case "tui":
+		return runTUI(args[1:], stdout, stderr)
+	case "export":
+		return runExport(args[1:], stdout, stderr)
+	case "preflight":
+		return runPreflight(args[1:], stdout, stderr)
+	case "support-bundle":
+		return runSupportBundle(args[1:], stdout, stderr)
+	case "web":
+		return runWeb(args[1:], stdout, stderr)
+	case "sat":
+		return runSAT(args[1:], stdout, stderr)
+	case "version", "--version", "-version":
+		fmt.Fprintln(stdout, Version)
+		return 0
+	default:
+		fmt.Fprintf(stderr, "bee: unknown command %q\n\n", args[0])
+		printRootUsage(stderr)
+		return 2
+	}
+}
+
+func printRootUsage(w io.Writer) {
+	fmt.Fprintln(w, `bee commands:
+  bee audit   --runtime auto|local|livecd --output stdout|file:<path>
+  bee preflight --output stdout|file:<path>
+  bee tui     --runtime auto|local|livecd
+  bee export  --target <device>
+  bee support-bundle --output stdout|file:<path>
+  bee web     --listen :80 --audit-path `+app.DefaultAuditJSONPath+`
+  bee sat nvidia|memory|storage|cpu [--duration <seconds>]
+  bee version
+  bee help [command]`)
+}
+
+func runHelp(args []string, stdout, stderr io.Writer) int {
+	switch args[0] {
+	case "audit":
+		return runAudit([]string{"--help"}, stdout, stdout)
+	case "tui":
+		return runTUI([]string{"--help"}, stdout, stdout)
+	case "export":
+		return runExport([]string{"--help"}, stdout, stdout)
+	case "preflight":
+		return runPreflight([]string{"--help"}, stdout, stdout)
+	case "support-bundle":
+		return runSupportBundle([]string{"--help"}, stdout, stdout)
+	case "web":
+		return runWeb([]string{"--help"}, stdout, stdout)
+	case "sat":
+		return runSAT([]string{"--help"}, stdout, stderr)
+	case "version":
+		fmt.Fprintln(stdout, "usage: bee version")
+		return 0
+	default:
+		fmt.Fprintf(stderr, "bee help: unknown command %q\n\n", args[0])
+		printRootUsage(stderr)
+		return 2
+	}
+}
+
+func runAudit(args []string, stdout, stderr io.Writer) int {
+	fs := flag.NewFlagSet("audit", flag.ContinueOnError)
+	fs.SetOutput(stderr)
+	output := fs.String("output", "stdout", "output destination: stdout or file:<path>")
+	runtimeFlag := fs.String("runtime", "auto", "runtime environment: auto, local, livecd")
+	showVersion := fs.Bool("version", false, "print version and exit")
+	fs.Usage = func() {
+		fmt.Fprintln(stderr, "usage: bee audit [--runtime auto|local|livecd] [--output stdout|file:<path>]")
+		fs.PrintDefaults()
+	}
+	if err := fs.Parse(args); err != nil {
+		if err == flag.ErrHelp {
+			return 0
+		}
+		return 2
+	}
+	if fs.NArg() != 0 {
+		fs.Usage()
+		return 2
+	}
+	if *showVersion {
+		fmt.Fprintln(stdout, Version)
+		return 0
+	}
+
+	runtimeInfo, err := runtimeenv.Detect(*runtimeFlag)
+	if err != nil {
+		slog.Error("resolve runtime", "err", err)
+		return 1
+	}
+	slog.Info("runtime resolved", "mode", runtimeInfo.Mode, "reason", runtimeInfo.Reason)
+
+	application := app.New(platform.New())
+	path, err := application.RunAudit(runtimeInfo.Mode, *output)
+	if err != nil {
+		slog.Error("run audit", "err", err)
+		return 1
+	}
+	if path != "stdout" {
+		slog.Info("audit output written", "path", path)
+	}
+	return 0
+}
+
+func runTUI(args []string, stdout, stderr io.Writer) int {
+	fs := flag.NewFlagSet("tui", flag.ContinueOnError)
+	fs.SetOutput(stderr)
+	runtimeFlag := fs.String("runtime", "auto", "runtime environment: auto, local, livecd")
+	fs.Usage = func() {
+		fmt.Fprintln(stderr, "usage: bee tui [--runtime auto|local|livecd]")
+		fs.PrintDefaults()
+	}
+	if err := fs.Parse(args); err != nil {
+		if err == flag.ErrHelp {
+			return 0
+		}
+		return 2
+	}
+	if fs.NArg() != 0 {
+		fs.Usage()
+		return 2
+	}
+
+	runtimeInfo, err := runtimeenv.Detect(*runtimeFlag)
+	if err != nil {
+		slog.Error("resolve runtime", "err", err)
+		return 1
+	}
+
+	slog.SetDefault(slog.New(slog.NewTextHandler(io.Discard, &slog.HandlerOptions{
+		Level: slog.LevelInfo,
+	})))
+
+	application := app.New(platform.New())
+	if err := tui.Run(application, runtimeInfo.Mode); err != nil {
+		slog.Error("run tui", "err", err)
+		return 1
+	}
+	return 0
+}
+
+func runExport(args []string, stdout, stderr io.Writer) int {
+	fs := flag.NewFlagSet("export", flag.ContinueOnError)
+	fs.SetOutput(stderr)
+	targetDevice := fs.String("target", "", "removable device path, e.g. /dev/sdb1")
+	fs.Usage = func() {
+		fmt.Fprintln(stderr, "usage: bee export --target <device>")
+		fs.PrintDefaults()
+	}
+	if err := fs.Parse(args); err != nil {
+		if err == flag.ErrHelp {
+			return 0
+		}
+		return 2
+	}
+	if fs.NArg() != 0 {
+		fs.Usage()
+		return 2
+	}
+	if strings.TrimSpace(*targetDevice) == "" {
+		fmt.Fprintln(stderr, "bee export: --target is required")
+		fs.Usage()
+		return 2
+	}
+
+	application := app.New(platform.New())
+	targets, err := application.ListRemovableTargets()
+	if err != nil {
+		slog.Error("list removable targets", "err", err)
+		return 1
+	}
+
+	for _, target := range targets {
+		if target.Device == *targetDevice {
+			path, err := application.ExportLatestAudit(target)
+			if err != nil {
+				slog.Error("export latest audit", "err", err)
+				return 1
+			}
+			slog.Info("audit exported", "path", path)
+			return 0
+		}
+	}
+
+	slog.Error("target device not found among removable filesystems", "device", *targetDevice)
+	return 1
+}
+
+func runPreflight(args []string, stdout, stderr io.Writer) int {
+	fs := flag.NewFlagSet("preflight", flag.ContinueOnError)
+	fs.SetOutput(stderr)
+	output := fs.String("output", "stdout", "output destination: stdout or file:<path>")
+	fs.Usage = func() {
+		fmt.Fprintf(stderr, "usage: bee preflight [--output stdout|file:%s]\n", app.DefaultRuntimeJSONPath)
+		fs.PrintDefaults()
+	}
+	if err := fs.Parse(args); err != nil {
+		if err == flag.ErrHelp {
+			return 0
+		}
+		return 2
+	}
+	if fs.NArg() != 0 {
+		fs.Usage()
+		return 2
+	}
+	application := app.New(platform.New())
+	path, err := application.RunRuntimePreflight(*output)
+	if err != nil {
+		slog.Error("run preflight", "err", err)
+		return 1
+	}
+	if path != "stdout" {
+		slog.Info("runtime health written", "path", path)
+	}
+	return 0
+}
+
+func runSupportBundle(args []string, stdout, stderr io.Writer) int {
+	fs := flag.NewFlagSet("support-bundle", flag.ContinueOnError)
+	fs.SetOutput(stderr)
+	output := fs.String("output", "stdout", "output destination: stdout or file:<path>")
+	fs.Usage = func() {
+		fmt.Fprintln(stderr, "usage: bee support-bundle [--output stdout|file:<path>]")
+		fs.PrintDefaults()
+	}
+	if err := fs.Parse(args); err != nil {
+		if err == flag.ErrHelp {
+			return 0
+		}
+		return 2
+	}
+	if fs.NArg() != 0 {
+		fs.Usage()
+		return 2
+	}
+	path, err := app.BuildSupportBundle(app.DefaultExportDir)
+	if err != nil {
+		slog.Error("build support bundle", "err", err)
+		return 1
+	}
+	defer os.Remove(path)
+
+	raw, err := os.ReadFile(path)
+	if err != nil {
+		slog.Error("read support bundle", "err", err)
+		return 1
+	}
+	switch {
+	case *output == "stdout":
+		if _, err := stdout.Write(raw); err != nil {
+			slog.Error("write support bundle stdout", "err", err)
+			return 1
+		}
+	case strings.HasPrefix(*output, "file:"):
+		dst := strings.TrimPrefix(*output, "file:")
+		if err := os.WriteFile(dst, raw, 0644); err != nil {
+			slog.Error("write support bundle", "err", err)
+			return 1
+		}
+		slog.Info("support bundle written", "path", dst)
+	default:
+		fmt.Fprintln(stderr, "bee support-bundle: unknown output destination")
+		fs.Usage()
+		return 2
+	}
+	return 0
+}
+
+func runWeb(args []string, stdout, stderr io.Writer) int {
+	fs := flag.NewFlagSet("web", flag.ContinueOnError)
+	fs.SetOutput(stderr)
+	listenAddr := fs.String("listen", ":8080", "listen address, e.g. :80")
+	auditPath := fs.String("audit-path", app.DefaultAuditJSONPath, "path to the latest audit JSON snapshot")
+	exportDir := fs.String("export-dir", app.DefaultExportDir, "directory with logs, SAT results, and support bundles")
+	title := fs.String("title", "Bee Hardware Audit", "page title")
+	fs.Usage = func() {
+		fmt.Fprintf(stderr, "usage: bee web [--listen :80] [--audit-path %s] [--export-dir %s] [--title \"Bee Hardware Audit\"]\n", app.DefaultAuditJSONPath, app.DefaultExportDir)
+		fs.PrintDefaults()
+	}
+	if err := fs.Parse(args); err != nil {
+		if err == flag.ErrHelp {
+			return 0
+		}
+		return 2
+	}
+	if fs.NArg() != 0 {
+		fs.Usage()
+		return 2
+	}
+
+	slog.Info("starting bee web", "listen", *listenAddr, "audit_path", *auditPath)
+	if err := webui.ListenAndServe(*listenAddr, webui.HandlerOptions{
+		Title:     *title,
+		AuditPath: *auditPath,
+		ExportDir: *exportDir,
+	}); err != nil {
+		slog.Error("run web", "err", err)
+		return 1
+	}
+	return 0
+}
+
+func runSAT(args []string, stdout, stderr io.Writer) int {
+	if len(args) == 0 {
+		fmt.Fprintln(stderr, "usage: bee sat nvidia|memory|storage|cpu [--duration <seconds>]")
+		return 2
+	}
+	if args[0] == "help" || args[0] == "--help" || args[0] == "-h" {
+		fmt.Fprintln(stdout, "usage: bee sat nvidia|memory|storage|cpu [--duration <seconds>]")
+		return 0
+	}
+
+	fs := flag.NewFlagSet("sat", flag.ContinueOnError)
+	fs.SetOutput(stderr)
+	duration := fs.Int("duration", 0, "stress-ng duration in seconds (cpu only; default: 60)")
+	if err := fs.Parse(args[1:]); err != nil {
+		if err == flag.ErrHelp {
+			return 0
+		}
+		return 2
+	}
+	if fs.NArg() != 0 {
+		fmt.Fprintf(stderr, "bee sat: unexpected arguments\n")
+		return 2
+	}
+
+	target := args[0]
+	if target != "nvidia" && target != "memory" && target != "storage" && target != "cpu" {
+		fmt.Fprintf(stderr, "bee sat: unknown target %q\n", target)
+		fmt.Fprintln(stderr, "usage: bee sat nvidia|memory|storage|cpu [--duration <seconds>]")
+		return 2
+	}
+
+	application := app.New(platform.New())
+	var (
+		archive string
+		err     error
+	)
+	switch target {
+	case "nvidia":
+		archive, err = application.RunNvidiaAcceptancePack("")
+	case "memory":
+		archive, err = application.RunMemoryAcceptancePack("")
+	case "storage":
+		archive, err = application.RunStorageAcceptancePack("")
+	case "cpu":
+		dur := *duration
+		if dur <= 0 {
+			dur = 60
+		}
+		archive, err = application.RunCPUAcceptancePack("", dur)
+	}
+	if err != nil {
+		slog.Error("run sat", "target", target, "err", err)
+		return 1
+	}
+	slog.Info("sat archive written", "target", target, "path", archive)
+	return 0
+}

audit/cmd/bee/main_test.go

@@ -0,0 +1,219 @@
+package main
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+)
+
+func TestRunRootHelp(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"help"}, &stdout, &stderr)
+	if rc != 0 {
+		t.Fatalf("rc=%d want 0", rc)
+	}
+	if !strings.Contains(stdout.String(), "bee commands:") {
+		t.Fatalf("stdout missing root usage:\n%s", stdout.String())
+	}
+}
+
+func TestRunNoArgsPrintsUsage(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run(nil, &stdout, &stderr)
+	if rc != 2 {
+		t.Fatalf("rc=%d want 2", rc)
+	}
+	if !strings.Contains(stderr.String(), "bee commands:") {
+		t.Fatalf("stderr missing root usage:\n%s", stderr.String())
+	}
+}
+
+func TestRunUnknownCommand(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"wat"}, &stdout, &stderr)
+	if rc != 2 {
+		t.Fatalf("rc=%d want 2", rc)
+	}
+	if !strings.Contains(stderr.String(), `unknown command "wat"`) {
+		t.Fatalf("stderr missing unknown command message:\n%s", stderr.String())
+	}
+}
+
+func TestRunVersion(t *testing.T) {
+	t.Parallel()
+
+	old := Version
+	Version = "test-version"
+	t.Cleanup(func() { Version = old })
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"version"}, &stdout, &stderr)
+	if rc != 0 {
+		t.Fatalf("rc=%d want 0", rc)
+	}
+	if strings.TrimSpace(stdout.String()) != "test-version" {
+		t.Fatalf("stdout=%q want %q", strings.TrimSpace(stdout.String()), "test-version")
+	}
+}
+
+func TestRunExportRequiresTarget(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"export"}, &stdout, &stderr)
+	if rc != 2 {
+		t.Fatalf("rc=%d want 2", rc)
+	}
+	if !strings.Contains(stderr.String(), "--target is required") {
+		t.Fatalf("stderr missing target error:\n%s", stderr.String())
+	}
+	if !strings.Contains(stderr.String(), "usage: bee export --target <device>") {
+		t.Fatalf("stderr missing export usage:\n%s", stderr.String())
+	}
+}
+
+func TestRunSATUsage(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"sat"}, &stdout, &stderr)
+	if rc != 2 {
+		t.Fatalf("rc=%d want 2", rc)
+	}
+	if !strings.Contains(stderr.String(), "usage: bee sat nvidia|memory|storage") {
+		t.Fatalf("stderr missing sat usage:\n%s", stderr.String())
+	}
+}
+
+func TestRunPreflightRejectsExtraArgs(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"preflight", "extra"}, &stdout, &stderr)
+	if rc != 2 {
+		t.Fatalf("rc=%d want 2", rc)
+	}
+	if !strings.Contains(stderr.String(), "usage: bee preflight") {
+		t.Fatalf("stderr missing preflight usage:\n%s", stderr.String())
+	}
+}
+
+func TestRunSupportBundleRejectsExtraArgs(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"support-bundle", "extra"}, &stdout, &stderr)
+	if rc != 2 {
+		t.Fatalf("rc=%d want 2", rc)
+	}
+	if !strings.Contains(stderr.String(), "usage: bee support-bundle") {
+		t.Fatalf("stderr missing support-bundle usage:\n%s", stderr.String())
+	}
+}
+
+func TestRunHelpForSubcommand(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"help", "export"}, &stdout, &stderr)
+	if rc != 0 {
+		t.Fatalf("rc=%d want 0", rc)
+	}
+	if !strings.Contains(stdout.String(), "usage: bee export --target <device>") {
+		t.Fatalf("stdout missing export help:\n%s", stdout.String())
+	}
+}
+
+func TestRunHelpUnknownSubcommand(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"help", "wat"}, &stdout, &stderr)
+	if rc != 2 {
+		t.Fatalf("rc=%d want 2", rc)
+	}
+	if !strings.Contains(stderr.String(), `bee help: unknown command "wat"`) {
+		t.Fatalf("stderr missing help error:\n%s", stderr.String())
+	}
+}
+
+func TestRunSATUnknownTarget(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"sat", "amd"}, &stdout, &stderr)
+	if rc != 2 {
+		t.Fatalf("rc=%d want 2", rc)
+	}
+	if !strings.Contains(stderr.String(), `unknown target "amd"`) {
+		t.Fatalf("stderr missing sat target error:\n%s", stderr.String())
+	}
+}
+
+func TestRunSATHelp(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"sat", "--help"}, &stdout, &stderr)
+	if rc != 0 {
+		t.Fatalf("rc=%d want 0", rc)
+	}
+	if !strings.Contains(stdout.String(), "usage: bee sat nvidia|memory|storage|cpu") {
+		t.Fatalf("stdout missing sat help:\n%s", stdout.String())
+	}
+}
+
+func TestRunSATRejectsExtraArgs(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"sat", "memory", "extra"}, &stdout, &stderr)
+	if rc != 2 {
+		t.Fatalf("rc=%d want 2", rc)
+	}
+	if !strings.Contains(stderr.String(), "bee sat: unexpected arguments") {
+		t.Fatalf("stderr missing sat error:\n%s", stderr.String())
+	}
+}
+
+func TestRunAuditInvalidRuntime(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"audit", "--runtime", "bad"}, &stdout, &stderr)
+	if rc != 1 {
+		t.Fatalf("rc=%d want 1", rc)
+	}
+}
+
+func TestRunAuditRejectsExtraArgs(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"audit", "extra"}, &stdout, &stderr)
+	if rc != 2 {
+		t.Fatalf("rc=%d want 2", rc)
+	}
+	if !strings.Contains(stderr.String(), "usage: bee audit") {
+		t.Fatalf("stderr missing audit usage:\n%s", stderr.String())
+	}
+}
+
+func TestRunExportRejectsExtraArgs(t *testing.T) {
+	t.Parallel()
+
+	var stdout, stderr bytes.Buffer
+	rc := run([]string{"export", "--target", "/dev/sdb1", "extra"}, &stdout, &stderr)
+	if rc != 2 {
+		t.Fatalf("rc=%d want 2", rc)
+	}
+	if !strings.Contains(stderr.String(), "usage: bee export --target <device>") {
+		t.Fatalf("stderr missing export usage:\n%s", stderr.String())
+	}
+}

audit/go.mod

@@ -1,3 +1,28 @@
 module bee/audit
 
-go 1.23
+go 1.24.0
+
+replace reanimator/chart => ../internal/chart
+
+require github.com/charmbracelet/bubbletea v1.3.4
+require github.com/charmbracelet/lipgloss v1.0.0
+require reanimator/chart v0.0.0
+
+require (
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/charmbracelet/lipgloss v1.0.0 // promoted to direct — used for TUI colors
+	github.com/charmbracelet/x/ansi v0.8.0 // indirect
+	github.com/charmbracelet/x/term v0.2.1 // indirect
+	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-localereader v0.0.1 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
+	github.com/muesli/cancelreader v0.2.2 // indirect
+	github.com/muesli/termenv v0.15.2 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.3.8 // indirect
+)

audit/go.sum

@@ -0,0 +1,37 @@
+github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
+github.com/charmbracelet/bubbletea v1.3.4 h1:kCg7B+jSCFPLYRA52SDZjr51kG/fMUEoPoZrkaDHyoI=
+github.com/charmbracelet/bubbletea v1.3.4/go.mod h1:dtcUCyCGEX3g9tosuYiut3MXgY/Jsv9nKVdibKKRRXo=
+github.com/charmbracelet/lipgloss v1.0.0 h1:O7VkGDvqEdGi93X+DeqsQ7PKHDgtQfF8j8/O2qFMQNg=
+github.com/charmbracelet/lipgloss v1.0.0/go.mod h1:U5fy9Z+C38obMs+T+tJqst9VGzlOYGj4ri9reL3qUlo=
+github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
+github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
+github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
+github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
+github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
+github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
+github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
+github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
+github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
+github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo=
+github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=

audit/internal/app/app.go

@@ -0,0 +1,924 @@
+package app
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"bee/audit/internal/collector"
+	"bee/audit/internal/platform"
+	"bee/audit/internal/runtimeenv"
+	"bee/audit/internal/schema"
+)
+
+var (
+	DefaultExportDir       = "/appdata/bee/export"
+	DefaultAuditJSONPath   = DefaultExportDir + "/bee-audit.json"
+	DefaultAuditLogPath    = DefaultExportDir + "/bee-audit.log"
+	DefaultWebLogPath      = DefaultExportDir + "/bee-web.log"
+	DefaultNetworkLogPath  = DefaultExportDir + "/bee-network.log"
+	DefaultNvidiaLogPath   = DefaultExportDir + "/bee-nvidia.log"
+	DefaultSSHLogPath      = DefaultExportDir + "/bee-sshsetup.log"
+	DefaultRuntimeJSONPath = DefaultExportDir + "/runtime-health.json"
+	DefaultRuntimeLogPath  = DefaultExportDir + "/runtime-health.log"
+	DefaultTechDumpDir     = DefaultExportDir + "/techdump"
+	DefaultSATBaseDir      = DefaultExportDir + "/bee-sat"
+)
+
+type App struct {
+	network  networkManager
+	services serviceManager
+	exports  exportManager
+	tools    toolManager
+	sat      satRunner
+	runtime  runtimeChecker
+}
+
+type ActionResult struct {
+	Title string
+	Body  string
+}
+
+type networkManager interface {
+	ListInterfaces() ([]platform.InterfaceInfo, error)
+	DefaultRoute() string
+	DHCPOne(iface string) (string, error)
+	DHCPAll() (string, error)
+	SetStaticIPv4(cfg platform.StaticIPv4Config) (string, error)
+}
+
+type serviceManager interface {
+	ListBeeServices() ([]string, error)
+	ServiceStatus(name string) (string, error)
+	ServiceDo(name string, action platform.ServiceAction) (string, error)
+}
+
+type exportManager interface {
+	ListRemovableTargets() ([]platform.RemovableTarget, error)
+	ExportFileToTarget(src string, target platform.RemovableTarget) (string, error)
+}
+
+type toolManager interface {
+	TailFile(path string, lines int) string
+	CheckTools(names []string) []platform.ToolStatus
+}
+
+type satRunner interface {
+	RunNvidiaAcceptancePack(baseDir string) (string, error)
+	RunNvidiaAcceptancePackWithOptions(ctx context.Context, baseDir string, durationSec int, sizeMB int, gpuIndices []int) (string, error)
+	RunMemoryAcceptancePack(baseDir string) (string, error)
+	RunStorageAcceptancePack(baseDir string) (string, error)
+	RunCPUAcceptancePack(baseDir string, durationSec int) (string, error)
+	ListNvidiaGPUs() ([]platform.NvidiaGPU, error)
+	DetectGPUVendor() string
+	ListAMDGPUs() ([]platform.AMDGPUInfo, error)
+	RunAMDAcceptancePack(baseDir string) (string, error)
+}
+
+type runtimeChecker interface {
+	CollectRuntimeHealth(exportDir string) (schema.RuntimeHealth, error)
+	CaptureTechnicalDump(baseDir string) error
+}
+
+func New(platform *platform.System) *App {
+	return &App{
+		network:  platform,
+		services: platform,
+		exports:  platform,
+		tools:    platform,
+		sat:      platform,
+		runtime:  platform,
+	}
+}
+
+func (a *App) RunAudit(runtimeMode runtimeenv.Mode, output string) (string, error) {
+	if runtimeMode == runtimeenv.ModeLiveCD {
+		if err := a.runtime.CaptureTechnicalDump(DefaultTechDumpDir); err != nil {
+			slog.Warn("capture technical dump", "err", err)
+		}
+	}
+	result := collector.Run(runtimeMode)
+	if health, err := ReadRuntimeHealth(DefaultRuntimeJSONPath); err == nil {
+		result.Runtime = &health
+	}
+	data, err := json.MarshalIndent(result, "", "  ")
+	if err != nil {
+		return "", err
+	}
+
+	switch {
+	case output == "stdout":
+		_, err := os.Stdout.Write(append(data, '\n'))
+		return "stdout", err
+	case strings.HasPrefix(output, "file:"):
+		path := strings.TrimPrefix(output, "file:")
+		if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+			return "", err
+		}
+		if err := os.WriteFile(path, append(data, '\n'), 0644); err != nil {
+			return "", err
+		}
+		return path, nil
+	default:
+		return "", fmt.Errorf("unknown output destination %q — use stdout or file:<path>", output)
+	}
+}
+
+func (a *App) RunRuntimePreflight(output string) (string, error) {
+	health, err := a.runtime.CollectRuntimeHealth(DefaultExportDir)
+	if err != nil {
+		return "", err
+	}
+	data, err := json.MarshalIndent(health, "", "  ")
+	if err != nil {
+		return "", err
+	}
+
+	switch {
+	case output == "stdout":
+		_, err := os.Stdout.Write(append(data, '\n'))
+		return "stdout", err
+	case strings.HasPrefix(output, "file:"):
+		path := strings.TrimPrefix(output, "file:")
+		if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+			return "", err
+		}
+		if err := os.WriteFile(path, append(data, '\n'), 0644); err != nil {
+			return "", err
+		}
+		return path, nil
+	default:
+		return "", fmt.Errorf("unknown output destination %q — use stdout or file:<path>", output)
+	}
+}
+
+func (a *App) RunRuntimePreflightResult() (ActionResult, error) {
+	path, err := a.RunRuntimePreflight("file:" + DefaultRuntimeJSONPath)
+	body := "Runtime preflight completed."
+	if path != "" {
+		body = "Runtime health written to " + path
+	}
+	return ActionResult{Title: "Run self-check", Body: body}, err
+}
+
+func (a *App) RuntimeHealthResult() ActionResult {
+	health, err := ReadRuntimeHealth(DefaultRuntimeJSONPath)
+	if err != nil {
+		return ActionResult{Title: "Runtime issues", Body: "No runtime health found."}
+	}
+	var body strings.Builder
+	fmt.Fprintf(&body, "Status: %s\n", firstNonEmpty(health.Status, "UNKNOWN"))
+	fmt.Fprintf(&body, "Export dir: %s\n", firstNonEmpty(health.ExportDir, DefaultExportDir))
+	fmt.Fprintf(&body, "Driver ready: %t\n", health.DriverReady)
+	fmt.Fprintf(&body, "CUDA ready: %t\n", health.CUDAReady)
+	fmt.Fprintf(&body, "Network: %s", firstNonEmpty(health.NetworkStatus, "UNKNOWN"))
+	if len(health.Issues) > 0 {
+		body.WriteString("\n\nIssues:\n")
+		for _, issue := range health.Issues {
+			fmt.Fprintf(&body, "- %s: %s\n", issue.Code, issue.Description)
+		}
+	}
+	return ActionResult{Title: "Runtime issues", Body: strings.TrimSpace(body.String())}
+}
+
+func (a *App) RunAuditNow(runtimeMode runtimeenv.Mode) (ActionResult, error) {
+	path, err := a.RunAudit(runtimeMode, "file:"+DefaultAuditJSONPath)
+	body := "Audit completed."
+	if path != "" {
+		body = "Audit output: " + path
+	}
+	return ActionResult{Title: "Run audit", Body: body}, err
+}
+
+func (a *App) RunAuditToDefaultFile(runtimeMode runtimeenv.Mode) (string, error) {
+	return a.RunAudit(runtimeMode, "file:"+DefaultAuditJSONPath)
+}
+
+func (a *App) ExportLatestAudit(target platform.RemovableTarget) (string, error) {
+	if _, err := os.Stat(DefaultAuditJSONPath); err != nil {
+		return "", err
+	}
+	filename := fmt.Sprintf("audit-%s-%s.json", sanitizeFilename(hostnameOr("unknown")), time.Now().UTC().Format("20060102-150405"))
+	tmpPath := filepath.Join(os.TempDir(), filename)
+	data, err := os.ReadFile(DefaultAuditJSONPath)
+	if err != nil {
+		return "", err
+	}
+	if err := os.WriteFile(tmpPath, data, 0644); err != nil {
+		return "", err
+	}
+	defer os.Remove(tmpPath)
+	return a.exports.ExportFileToTarget(tmpPath, target)
+}
+
+func (a *App) ExportLatestAuditResult(target platform.RemovableTarget) (ActionResult, error) {
+	path, err := a.ExportLatestAudit(target)
+	body := "Audit exported."
+	if path != "" {
+		body = "Audit exported to " + path
+	}
+	return ActionResult{Title: "Export audit", Body: body}, err
+}
+
+func (a *App) ExportSupportBundle(target platform.RemovableTarget) (string, error) {
+	archive, err := BuildSupportBundle(DefaultExportDir)
+	if err != nil {
+		return "", err
+	}
+	defer os.Remove(archive)
+	return a.exports.ExportFileToTarget(archive, target)
+}
+
+func (a *App) ExportSupportBundleResult(target platform.RemovableTarget) (ActionResult, error) {
+	path, err := a.ExportSupportBundle(target)
+	body := "Support bundle exported."
+	if path != "" {
+		body = "Support bundle exported to " + path
+	}
+	return ActionResult{Title: "Export support bundle", Body: body}, err
+}
+
+func (a *App) ListInterfaces() ([]platform.InterfaceInfo, error) {
+	return a.network.ListInterfaces()
+}
+
+func (a *App) DefaultRoute() string {
+	return a.network.DefaultRoute()
+}
+
+func (a *App) DHCPOne(iface string) (string, error) {
+	return a.network.DHCPOne(iface)
+}
+
+func (a *App) DHCPOneResult(iface string) (ActionResult, error) {
+	body, err := a.network.DHCPOne(iface)
+	return ActionResult{Title: "DHCP: " + iface, Body: bodyOr(body, "DHCP completed.")}, err
+}
+
+func (a *App) DHCPAll() (string, error) {
+	return a.network.DHCPAll()
+}
+
+func (a *App) DHCPAllResult() (ActionResult, error) {
+	body, err := a.network.DHCPAll()
+	return ActionResult{Title: "DHCP: all interfaces", Body: bodyOr(body, "DHCP completed.")}, err
+}
+
+func (a *App) SetStaticIPv4(cfg platform.StaticIPv4Config) (string, error) {
+	return a.network.SetStaticIPv4(cfg)
+}
+
+func (a *App) SetStaticIPv4Result(cfg platform.StaticIPv4Config) (ActionResult, error) {
+	body, err := a.network.SetStaticIPv4(cfg)
+	return ActionResult{Title: "Static IPv4: " + cfg.Interface, Body: bodyOr(body, "Static IPv4 updated.")}, err
+}
+
+func (a *App) NetworkStatus() (ActionResult, error) {
+	ifaces, err := a.network.ListInterfaces()
+	if err != nil {
+		return ActionResult{Title: "Network status"}, err
+	}
+	if len(ifaces) == 0 {
+		return ActionResult{Title: "Network status", Body: "No physical interfaces found."}, nil
+	}
+	var body strings.Builder
+	for _, iface := range ifaces {
+		ipv4 := "(no IPv4)"
+		if len(iface.IPv4) > 0 {
+			ipv4 = strings.Join(iface.IPv4, ", ")
+		}
+		fmt.Fprintf(&body, "- %s: state=%s ip=%s\n", iface.Name, iface.State, ipv4)
+	}
+	if gw := a.network.DefaultRoute(); gw != "" {
+		fmt.Fprintf(&body, "\nDefault route: %s\n", gw)
+	}
+	return ActionResult{Title: "Network status", Body: strings.TrimSpace(body.String())}, nil
+}
+
+func (a *App) DefaultStaticIPv4FormFields(iface string) []string {
+	return []string{
+		"",
+		"24",
+		strings.TrimSpace(a.network.DefaultRoute()),
+		"77.88.8.8 77.88.8.1 1.1.1.1 8.8.8.8",
+	}
+}
+
+func (a *App) ParseStaticIPv4Config(iface string, fields []string) platform.StaticIPv4Config {
+	get := func(index int) string {
+		if index >= 0 && index < len(fields) {
+			return strings.TrimSpace(fields[index])
+		}
+		return ""
+	}
+	return platform.StaticIPv4Config{
+		Interface: iface,
+		Address:   get(0),
+		Prefix:    get(1),
+		Gateway:   get(2),
+		DNS:       strings.Fields(get(3)),
+	}
+}
+
+func (a *App) ListBeeServices() ([]string, error) {
+	return a.services.ListBeeServices()
+}
+
+func (a *App) ServiceStatus(name string) (string, error) {
+	return a.services.ServiceStatus(name)
+}
+
+func (a *App) ServiceStatusResult(name string) (ActionResult, error) {
+	body, err := a.services.ServiceStatus(name)
+	return ActionResult{Title: "service status: " + name, Body: bodyOr(body, "No status output.")}, err
+}
+
+func (a *App) ServiceDo(name string, action platform.ServiceAction) (string, error) {
+	return a.services.ServiceDo(name, action)
+}
+
+func (a *App) ServiceActionResult(name string, action platform.ServiceAction) (ActionResult, error) {
+	body, err := a.services.ServiceDo(name, action)
+	return ActionResult{Title: "service " + string(action) + ": " + name, Body: bodyOr(body, "Action completed.")}, err
+}
+
+func (a *App) ListRemovableTargets() ([]platform.RemovableTarget, error) {
+	return a.exports.ListRemovableTargets()
+}
+
+func (a *App) TailFile(path string, lines int) string {
+	return a.tools.TailFile(path, lines)
+}
+
+func (a *App) CheckTools(names []string) []platform.ToolStatus {
+	return a.tools.CheckTools(names)
+}
+
+func (a *App) ToolCheckResult(names []string) ActionResult {
+	if len(names) == 0 {
+		return ActionResult{Title: "Required tools", Body: "No tools checked."}
+	}
+	var body strings.Builder
+	for _, tool := range a.tools.CheckTools(names) {
+		status := "MISSING"
+		if tool.OK {
+			status = "OK (" + tool.Path + ")"
+		}
+		fmt.Fprintf(&body, "- %s: %s\n", tool.Name, status)
+	}
+	return ActionResult{Title: "Required tools", Body: strings.TrimSpace(body.String())}
+}
+
+func (a *App) AuditLogTailResult() ActionResult {
+	logTail := strings.TrimSpace(a.tools.TailFile(DefaultAuditLogPath, 40))
+	jsonTail := strings.TrimSpace(a.tools.TailFile(DefaultAuditJSONPath, 20))
+	body := strings.TrimSpace(logTail + "\n\n" + jsonTail)
+	if body == "" {
+		body = "No audit logs found."
+	}
+	return ActionResult{Title: "Audit log tail", Body: body}
+}
+
+func (a *App) RunNvidiaAcceptancePack(baseDir string) (string, error) {
+	if strings.TrimSpace(baseDir) == "" {
+		baseDir = DefaultSATBaseDir
+	}
+	return a.sat.RunNvidiaAcceptancePack(baseDir)
+}
+
+func (a *App) RunNvidiaAcceptancePackResult(baseDir string) (ActionResult, error) {
+	path, err := a.RunNvidiaAcceptancePack(baseDir)
+	body := "Archive written."
+	if path != "" {
+		body = "Archive written to " + path
+	}
+	return ActionResult{Title: "NVIDIA SAT", Body: body}, err
+}
+
+func (a *App) ListNvidiaGPUs() ([]platform.NvidiaGPU, error) {
+	return a.sat.ListNvidiaGPUs()
+}
+
+func (a *App) RunNvidiaAcceptancePackWithOptions(ctx context.Context, baseDir string, durationSec int, sizeMB int, gpuIndices []int) (ActionResult, error) {
+	if strings.TrimSpace(baseDir) == "" {
+		baseDir = DefaultSATBaseDir
+	}
+	path, err := a.sat.RunNvidiaAcceptancePackWithOptions(ctx, baseDir, durationSec, sizeMB, gpuIndices)
+	body := "Archive written."
+	if path != "" {
+		body = "Archive written to " + path
+	}
+	// Include terminal chart if available (runDir = archive path without .tar.gz).
+	if path != "" {
+		termPath := filepath.Join(strings.TrimSuffix(path, ".tar.gz"), "gpu-metrics-term.txt")
+		if chart, readErr := os.ReadFile(termPath); readErr == nil && len(chart) > 0 {
+			body += "\n\n" + string(chart)
+		}
+	}
+	return ActionResult{Title: "NVIDIA SAT", Body: body}, err
+}
+
+func (a *App) RunMemoryAcceptancePack(baseDir string) (string, error) {
+	if strings.TrimSpace(baseDir) == "" {
+		baseDir = DefaultSATBaseDir
+	}
+	return a.sat.RunMemoryAcceptancePack(baseDir)
+}
+
+func (a *App) RunMemoryAcceptancePackResult(baseDir string) (ActionResult, error) {
+	path, err := a.RunMemoryAcceptancePack(baseDir)
+	return ActionResult{Title: "Memory SAT", Body: satResultBody(path)}, err
+}
+
+func (a *App) RunCPUAcceptancePack(baseDir string, durationSec int) (string, error) {
+	if strings.TrimSpace(baseDir) == "" {
+		baseDir = DefaultSATBaseDir
+	}
+	return a.sat.RunCPUAcceptancePack(baseDir, durationSec)
+}
+
+func (a *App) RunCPUAcceptancePackResult(baseDir string, durationSec int) (ActionResult, error) {
+	path, err := a.RunCPUAcceptancePack(baseDir, durationSec)
+	return ActionResult{Title: "CPU SAT", Body: satResultBody(path)}, err
+}
+
+func (a *App) RunStorageAcceptancePack(baseDir string) (string, error) {
+	if strings.TrimSpace(baseDir) == "" {
+		baseDir = DefaultSATBaseDir
+	}
+	return a.sat.RunStorageAcceptancePack(baseDir)
+}
+
+func (a *App) RunStorageAcceptancePackResult(baseDir string) (ActionResult, error) {
+	path, err := a.RunStorageAcceptancePack(baseDir)
+	return ActionResult{Title: "Storage SAT", Body: satResultBody(path)}, err
+}
+
+func (a *App) DetectGPUVendor() string {
+	return a.sat.DetectGPUVendor()
+}
+
+func (a *App) ListAMDGPUs() ([]platform.AMDGPUInfo, error) {
+	return a.sat.ListAMDGPUs()
+}
+
+func (a *App) RunAMDAcceptancePack(baseDir string) (string, error) {
+	if strings.TrimSpace(baseDir) == "" {
+		baseDir = DefaultSATBaseDir
+	}
+	return a.sat.RunAMDAcceptancePack(baseDir)
+}
+
+func (a *App) RunAMDAcceptancePackResult(baseDir string) (ActionResult, error) {
+	path, err := a.RunAMDAcceptancePack(baseDir)
+	return ActionResult{Title: "AMD GPU SAT", Body: satResultBody(path)}, err
+}
+
+// satResultBody reads summary.txt from the SAT run directory (archive path without .tar.gz)
+// and returns a formatted human-readable result. Falls back to a plain message if unreadable.
+func satResultBody(archivePath string) string {
+	if archivePath == "" {
+		return "No output produced."
+	}
+	runDir := strings.TrimSuffix(archivePath, ".tar.gz")
+	raw, err := os.ReadFile(filepath.Join(runDir, "summary.txt"))
+	if err != nil {
+		return "Archive written to " + archivePath
+	}
+	return formatSATDetail(strings.TrimSpace(string(raw)))
+}
+
+func (a *App) HealthSummaryResult() ActionResult {
+	raw, err := os.ReadFile(DefaultAuditJSONPath)
+	if err != nil {
+		return ActionResult{Title: "Health summary", Body: "No audit JSON found."}
+	}
+	var snapshot schema.HardwareIngestRequest
+	if err := json.Unmarshal(raw, &snapshot); err != nil {
+		return ActionResult{Title: "Health summary", Body: "Audit JSON is unreadable."}
+	}
+
+	summary := collector.BuildHealthSummary(snapshot.Hardware)
+	var body strings.Builder
+	status := summary.Status
+	if status == "" {
+		status = "Unknown"
+	}
+	fmt.Fprintf(&body, "Overall: %s\n", status)
+	fmt.Fprintf(&body, "Storage: warn=%d fail=%d\n", summary.StorageWarn, summary.StorageFail)
+	fmt.Fprintf(&body, "PCIe: warn=%d fail=%d\n", summary.PCIeWarn, summary.PCIeFail)
+	fmt.Fprintf(&body, "PSU: warn=%d fail=%d\n", summary.PSUWarn, summary.PSUFail)
+	fmt.Fprintf(&body, "Memory: warn=%d fail=%d\n", summary.MemoryWarn, summary.MemoryFail)
+	for _, item := range latestSATSummaries() {
+		fmt.Fprintf(&body, "\n\n%s", item)
+	}
+	if len(summary.Failures) > 0 {
+		fmt.Fprintf(&body, "\n\nFailures:\n- %s", strings.Join(summary.Failures, "\n- "))
+	}
+	if len(summary.Warnings) > 0 {
+		fmt.Fprintf(&body, "\n\nWarnings:\n- %s", strings.Join(summary.Warnings, "\n- "))
+	}
+	return ActionResult{Title: "Health summary", Body: strings.TrimSpace(body.String())}
+}
+
+func (a *App) MainBanner() string {
+	raw, err := os.ReadFile(DefaultAuditJSONPath)
+	if err != nil {
+		return ""
+	}
+
+	var snapshot schema.HardwareIngestRequest
+	if err := json.Unmarshal(raw, &snapshot); err != nil {
+		return ""
+	}
+
+	var lines []string
+	if system := formatSystemLine(snapshot.Hardware.Board); system != "" {
+		lines = append(lines, system)
+	}
+	if cpu := formatCPULine(snapshot.Hardware.CPUs); cpu != "" {
+		lines = append(lines, cpu)
+	}
+	if memory := formatMemoryLine(snapshot.Hardware.Memory); memory != "" {
+		lines = append(lines, memory)
+	}
+	if storage := formatStorageLine(snapshot.Hardware.Storage); storage != "" {
+		lines = append(lines, storage)
+	}
+	if gpu := formatGPULine(snapshot.Hardware.PCIeDevices); gpu != "" {
+		lines = append(lines, gpu)
+	}
+	if ip := formatIPLine(a.network.ListInterfaces); ip != "" {
+		lines = append(lines, ip)
+	}
+
+	return strings.TrimSpace(strings.Join(lines, "\n"))
+}
+
+func (a *App) FormatToolStatuses(statuses []platform.ToolStatus) string {
+	var body strings.Builder
+	for _, tool := range statuses {
+		status := "MISSING"
+		if tool.OK {
+			status = "OK (" + tool.Path + ")"
+		}
+		fmt.Fprintf(&body, "- %s: %s\n", tool.Name, status)
+	}
+	return strings.TrimSpace(body.String())
+}
+
+func (a *App) ParsePrefix(raw string, fallback int) int {
+	value, err := strconv.Atoi(strings.TrimSpace(raw))
+	if err != nil || value <= 0 {
+		return fallback
+	}
+	return value
+}
+
+func hostnameOr(fallback string) string {
+	hn, err := os.Hostname()
+	if err != nil || strings.TrimSpace(hn) == "" {
+		return fallback
+	}
+	return hn
+}
+
+func sanitizeFilename(v string) string {
+	var out []rune
+	for _, r := range v {
+		switch {
+		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '-', r == '_', r == '.':
+			out = append(out, r)
+		default:
+			out = append(out, '-')
+		}
+	}
+	if len(out) == 0 {
+		return "unknown"
+	}
+	return string(out)
+}
+
+func bodyOr(body, fallback string) string {
+	body = strings.TrimSpace(body)
+	if body == "" {
+		return fallback
+	}
+	return body
+}
+
+func ReadRuntimeHealth(path string) (schema.RuntimeHealth, error) {
+	raw, err := os.ReadFile(path)
+	if err != nil {
+		return schema.RuntimeHealth{}, err
+	}
+	var health schema.RuntimeHealth
+	if err := json.Unmarshal(raw, &health); err != nil {
+		return schema.RuntimeHealth{}, err
+	}
+	return health, nil
+}
+
+func latestSATSummaries() []string {
+	patterns := []struct {
+		label  string
+		prefix string
+	}{
+		{label: "NVIDIA SAT", prefix: "gpu-nvidia-"},
+		{label: "Memory SAT", prefix: "memory-"},
+		{label: "Storage SAT", prefix: "storage-"},
+		{label: "CPU SAT", prefix: "cpu-"},
+	}
+	var out []string
+	for _, item := range patterns {
+		matches, err := filepath.Glob(filepath.Join(DefaultSATBaseDir, item.prefix+"*/summary.txt"))
+		if err != nil || len(matches) == 0 {
+			continue
+		}
+		sort.Strings(matches)
+		raw, err := os.ReadFile(matches[len(matches)-1])
+		if err != nil {
+			continue
+		}
+		out = append(out, formatSATSummary(item.label, string(raw)))
+	}
+	return out
+}
+
+func formatSATSummary(label, raw string) string {
+	values := parseKeyValueSummary(raw)
+	var body strings.Builder
+	fmt.Fprintf(&body, "%s:", label)
+	if overall := firstNonEmpty(values["overall_status"], "UNKNOWN"); overall != "" {
+		fmt.Fprintf(&body, " %s", overall)
+	}
+	if ok := firstNonEmpty(values["job_ok"], "0"); ok != "" {
+		fmt.Fprintf(&body, " ok=%s", ok)
+	}
+	if failed := firstNonEmpty(values["job_failed"], "0"); failed != "" {
+		fmt.Fprintf(&body, " failed=%s", failed)
+	}
+	if unsupported := firstNonEmpty(values["job_unsupported"], "0"); unsupported != "" && unsupported != "0" {
+		fmt.Fprintf(&body, " unsupported=%s", unsupported)
+	}
+	if devices := strings.TrimSpace(values["devices"]); devices != "" {
+		fmt.Fprintf(&body, "\nDevices: %s", devices)
+	}
+	return body.String()
+}
+
+func formatSystemLine(board schema.HardwareBoard) string {
+	model := strings.TrimSpace(strings.Join([]string{
+		trimPtr(board.Manufacturer),
+		trimPtr(board.ProductName),
+	}, " "))
+	serial := strings.TrimSpace(board.SerialNumber)
+	switch {
+	case model != "" && serial != "":
+		return fmt.Sprintf("System: %s | S/N %s", model, serial)
+	case model != "":
+		return "System: " + model
+	case serial != "":
+		return "System S/N: " + serial
+	default:
+		return ""
+	}
+}
+
+func formatCPULine(cpus []schema.HardwareCPU) string {
+	if len(cpus) == 0 {
+		return ""
+	}
+	modelCounts := map[string]int{}
+	unknown := 0
+	for _, cpu := range cpus {
+		model := trimPtr(cpu.Model)
+		if model == "" {
+			unknown++
+			continue
+		}
+		modelCounts[model]++
+	}
+	if len(modelCounts) == 1 && unknown == 0 {
+		for model, count := range modelCounts {
+			return fmt.Sprintf("CPU: %d x %s", count, model)
+		}
+	}
+	parts := make([]string, 0, len(modelCounts)+1)
+	if len(modelCounts) > 0 {
+		keys := make([]string, 0, len(modelCounts))
+		for key := range modelCounts {
+			keys = append(keys, key)
+		}
+		sort.Strings(keys)
+		for _, key := range keys {
+			parts = append(parts, fmt.Sprintf("%d x %s", modelCounts[key], key))
+		}
+	}
+	if unknown > 0 {
+		parts = append(parts, fmt.Sprintf("%d x unknown", unknown))
+	}
+	return "CPU: " + strings.Join(parts, ", ")
+}
+
+func formatMemoryLine(dimms []schema.HardwareMemory) string {
+	totalMB := 0
+	present := 0
+	types := map[string]struct{}{}
+	for _, dimm := range dimms {
+		if dimm.Present != nil && !*dimm.Present {
+			continue
+		}
+		if dimm.SizeMB == nil || *dimm.SizeMB <= 0 {
+			continue
+		}
+		present++
+		totalMB += *dimm.SizeMB
+		if value := trimPtr(dimm.Type); value != "" {
+			types[value] = struct{}{}
+		}
+	}
+	if totalMB == 0 {
+		return ""
+	}
+	typeText := joinSortedKeys(types)
+	line := fmt.Sprintf("Memory: %s", humanizeMB(totalMB))
+	if typeText != "" {
+		line += " " + typeText
+	}
+	if present > 0 {
+		line += fmt.Sprintf(" (%d DIMMs)", present)
+	}
+	return line
+}
+
+func formatStorageLine(disks []schema.HardwareStorage) string {
+	count := 0
+	totalGB := 0
+	for _, disk := range disks {
+		if disk.Present != nil && !*disk.Present {
+			continue
+		}
+		count++
+		if disk.SizeGB != nil && *disk.SizeGB > 0 {
+			totalGB += *disk.SizeGB
+		}
+	}
+	if count == 0 {
+		return ""
+	}
+	line := fmt.Sprintf("Storage: %d drives", count)
+	if totalGB > 0 {
+		line += fmt.Sprintf(" / %s", humanizeGB(totalGB))
+	}
+	return line
+}
+
+func formatGPULine(devices []schema.HardwarePCIeDevice) string {
+	gpus := map[string]int{}
+	for _, dev := range devices {
+		if !isGPUDevice(dev) {
+			continue
+		}
+		name := firstNonEmpty(trimPtr(dev.Model), trimPtr(dev.Manufacturer), "unknown")
+		gpus[name]++
+	}
+	if len(gpus) == 0 {
+		return ""
+	}
+	keys := make([]string, 0, len(gpus))
+	for key := range gpus {
+		keys = append(keys, key)
+	}
+	sort.Strings(keys)
+	parts := make([]string, 0, len(keys))
+	for _, key := range keys {
+		parts = append(parts, fmt.Sprintf("%d x %s", gpus[key], key))
+	}
+	return "GPU: " + strings.Join(parts, ", ")
+}
+
+func formatIPLine(list func() ([]platform.InterfaceInfo, error)) string {
+	if list == nil {
+		return ""
+	}
+	ifaces, err := list()
+	if err != nil {
+		return ""
+	}
+	seen := map[string]struct{}{}
+	var ips []string
+	for _, iface := range ifaces {
+		for _, ip := range iface.IPv4 {
+			ip = strings.TrimSpace(ip)
+			if ip == "" {
+				continue
+			}
+			if _, ok := seen[ip]; ok {
+				continue
+			}
+			seen[ip] = struct{}{}
+			ips = append(ips, ip)
+		}
+	}
+	if len(ips) == 0 {
+		return ""
+	}
+	sort.Strings(ips)
+	return "IP: " + strings.Join(ips, ", ")
+}
+
+func isGPUDevice(dev schema.HardwarePCIeDevice) bool {
+	class := trimPtr(dev.DeviceClass)
+	model := strings.ToLower(trimPtr(dev.Model))
+	vendor := strings.ToLower(trimPtr(dev.Manufacturer))
+	// Exclude ASPEED (BMC VGA adapter, not a compute GPU)
+	if strings.Contains(vendor, "aspeed") || strings.Contains(model, "aspeed") {
+		return false
+	}
+	// AMD Instinct / Radeon compute GPUs have class ProcessingAccelerator or DisplayController.
+	// Do NOT match by AMD vendor alone — chipset/CPU PCIe devices share that vendor.
+	return class == "VideoController" ||
+		class == "DisplayController" ||
+		class == "ProcessingAccelerator" ||
+		strings.Contains(model, "nvidia") ||
+		strings.Contains(vendor, "nvidia")
+}
+
+func trimPtr(value *string) string {
+	if value == nil {
+		return ""
+	}
+	return strings.TrimSpace(*value)
+}
+
+func joinSortedKeys(values map[string]struct{}) string {
+	if len(values) == 0 {
+		return ""
+	}
+	keys := make([]string, 0, len(values))
+	for key := range values {
+		keys = append(keys, key)
+	}
+	sort.Strings(keys)
+	return strings.Join(keys, "/")
+}
+
+func humanizeMB(totalMB int) string {
+	if totalMB <= 0 {
+		return ""
+	}
+	gb := float64(totalMB) / 1024.0
+	if gb >= 1024.0 {
+		tb := gb / 1024.0
+		return fmt.Sprintf("%.1f TB", tb)
+	}
+	if gb == float64(int64(gb)) {
+		return fmt.Sprintf("%.0f GB", gb)
+	}
+	return fmt.Sprintf("%.1f GB", gb)
+}
+
+func humanizeGB(totalGB int) string {
+	if totalGB <= 0 {
+		return ""
+	}
+	tb := float64(totalGB) / 1024.0
+	if tb >= 1.0 {
+		return fmt.Sprintf("%.1f TB", tb)
+	}
+	return fmt.Sprintf("%d GB", totalGB)
+}
+
+func parseKeyValueSummary(raw string) map[string]string {
+	out := map[string]string{}
+	for _, line := range strings.Split(raw, "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
+		key, value, ok := strings.Cut(line, "=")
+		if !ok {
+			continue
+		}
+		out[strings.TrimSpace(key)] = strings.TrimSpace(value)
+	}
+	return out
+}
+
+func firstNonEmpty(values ...string) string {
+	for _, value := range values {
+		value = strings.TrimSpace(value)
+		if value != "" {
+			return value
+		}
+	}
+	return ""
+}

audit/internal/app/app_test.go

@@ -0,0 +1,616 @@
+package app
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"bee/audit/internal/platform"
+	"bee/audit/internal/schema"
+)
+
+type fakeNetwork struct {
+	listInterfacesFn func() ([]platform.InterfaceInfo, error)
+	defaultRouteFn   func() string
+	dhcpOneFn        func(string) (string, error)
+	dhcpAllFn        func() (string, error)
+	setStaticIPv4Fn  func(platform.StaticIPv4Config) (string, error)
+}
+
+func (f fakeNetwork) ListInterfaces() ([]platform.InterfaceInfo, error) {
+	return f.listInterfacesFn()
+}
+
+func (f fakeNetwork) DefaultRoute() string {
+	return f.defaultRouteFn()
+}
+
+func (f fakeNetwork) DHCPOne(iface string) (string, error) {
+	return f.dhcpOneFn(iface)
+}
+
+func (f fakeNetwork) DHCPAll() (string, error) {
+	return f.dhcpAllFn()
+}
+
+func (f fakeNetwork) SetStaticIPv4(cfg platform.StaticIPv4Config) (string, error) {
+	return f.setStaticIPv4Fn(cfg)
+}
+
+type fakeServices struct {
+	serviceStatusFn func(string) (string, error)
+	serviceDoFn     func(string, platform.ServiceAction) (string, error)
+}
+
+func (f fakeServices) ListBeeServices() ([]string, error) {
+	return nil, nil
+}
+
+func (f fakeServices) ServiceStatus(name string) (string, error) {
+	return f.serviceStatusFn(name)
+}
+
+func (f fakeServices) ServiceDo(name string, action platform.ServiceAction) (string, error) {
+	return f.serviceDoFn(name, action)
+}
+
+type fakeExports struct{}
+
+func (f fakeExports) ListRemovableTargets() ([]platform.RemovableTarget, error) {
+	return nil, nil
+}
+
+func (f fakeExports) ExportFileToTarget(src string, target platform.RemovableTarget) (string, error) {
+	return "", nil
+}
+
+type fakeRuntime struct {
+	collectFn func(string) (schema.RuntimeHealth, error)
+	dumpFn    func(string) error
+}
+
+func (f fakeRuntime) CollectRuntimeHealth(exportDir string) (schema.RuntimeHealth, error) {
+	return f.collectFn(exportDir)
+}
+
+func (f fakeRuntime) CaptureTechnicalDump(baseDir string) error {
+	if f.dumpFn != nil {
+		return f.dumpFn(baseDir)
+	}
+	return nil
+}
+
+type fakeTools struct {
+	tailFileFn   func(string, int) string
+	checkToolsFn func([]string) []platform.ToolStatus
+}
+
+func (f fakeTools) TailFile(path string, lines int) string {
+	return f.tailFileFn(path, lines)
+}
+
+func (f fakeTools) CheckTools(names []string) []platform.ToolStatus {
+	return f.checkToolsFn(names)
+}
+
+type fakeSAT struct {
+	runNvidiaFn  func(string) (string, error)
+	runMemoryFn  func(string) (string, error)
+	runStorageFn func(string) (string, error)
+	runCPUFn     func(string, int) (string, error)
+}
+
+func (f fakeSAT) RunNvidiaAcceptancePack(baseDir string) (string, error) {
+	return f.runNvidiaFn(baseDir)
+}
+
+func (f fakeSAT) RunNvidiaAcceptancePackWithOptions(_ context.Context, baseDir string, _ int, _ int, _ []int) (string, error) {
+	return f.runNvidiaFn(baseDir)
+}
+
+func (f fakeSAT) ListNvidiaGPUs() ([]platform.NvidiaGPU, error) {
+	return nil, nil
+}
+
+func (f fakeSAT) RunMemoryAcceptancePack(baseDir string) (string, error) {
+	return f.runMemoryFn(baseDir)
+}
+
+func (f fakeSAT) RunStorageAcceptancePack(baseDir string) (string, error) {
+	return f.runStorageFn(baseDir)
+}
+
+func (f fakeSAT) RunCPUAcceptancePack(baseDir string, durationSec int) (string, error) {
+	if f.runCPUFn != nil {
+		return f.runCPUFn(baseDir, durationSec)
+	}
+	return "", nil
+}
+
+func (f fakeSAT) DetectGPUVendor() string { return "" }
+
+func (f fakeSAT) ListAMDGPUs() ([]platform.AMDGPUInfo, error) { return nil, nil }
+
+func (f fakeSAT) RunAMDAcceptancePack(baseDir string) (string, error) { return "", nil }
+
+func TestNetworkStatusFormatsInterfacesAndRoute(t *testing.T) {
+	t.Parallel()
+
+	a := &App{
+		network: fakeNetwork{
+			listInterfacesFn: func() ([]platform.InterfaceInfo, error) {
+				return []platform.InterfaceInfo{
+					{Name: "eth0", State: "UP", IPv4: []string{"10.0.0.2/24"}},
+					{Name: "eth1", State: "DOWN", IPv4: nil},
+				}, nil
+			},
+			defaultRouteFn: func() string { return "10.0.0.1" },
+		},
+		runtime: fakeRuntime{
+			collectFn: func(string) (schema.RuntimeHealth, error) { return schema.RuntimeHealth{}, nil },
+		},
+	}
+
+	result, err := a.NetworkStatus()
+	if err != nil {
+		t.Fatalf("NetworkStatus error: %v", err)
+	}
+	if result.Title != "Network status" {
+		t.Fatalf("title=%q want %q", result.Title, "Network status")
+	}
+	if want := "- eth0: state=UP ip=10.0.0.2/24"; !contains(result.Body, want) {
+		t.Fatalf("body missing %q\nbody=%s", want, result.Body)
+	}
+	if want := "- eth1: state=DOWN ip=(no IPv4)"; !contains(result.Body, want) {
+		t.Fatalf("body missing %q\nbody=%s", want, result.Body)
+	}
+	if want := "Default route: 10.0.0.1"; !contains(result.Body, want) {
+		t.Fatalf("body missing %q\nbody=%s", want, result.Body)
+	}
+}
+
+func TestNetworkStatusHandlesNoInterfaces(t *testing.T) {
+	t.Parallel()
+
+	a := &App{
+		network: fakeNetwork{
+			listInterfacesFn: func() ([]platform.InterfaceInfo, error) { return nil, nil },
+			defaultRouteFn:   func() string { return "" },
+		},
+		runtime: fakeRuntime{
+			collectFn: func(string) (schema.RuntimeHealth, error) { return schema.RuntimeHealth{}, nil },
+		},
+	}
+
+	result, err := a.NetworkStatus()
+	if err != nil {
+		t.Fatalf("NetworkStatus error: %v", err)
+	}
+	if result.Body != "No physical interfaces found." {
+		t.Fatalf("body=%q want %q", result.Body, "No physical interfaces found.")
+	}
+}
+
+func TestNetworkStatusPropagatesListError(t *testing.T) {
+	t.Parallel()
+
+	a := &App{
+		network: fakeNetwork{
+			listInterfacesFn: func() ([]platform.InterfaceInfo, error) {
+				return nil, errors.New("boom")
+			},
+			defaultRouteFn: func() string { return "" },
+		},
+		runtime: fakeRuntime{
+			collectFn: func(string) (schema.RuntimeHealth, error) { return schema.RuntimeHealth{}, nil },
+		},
+	}
+
+	result, err := a.NetworkStatus()
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if result.Title != "Network status" {
+		t.Fatalf("title=%q want %q", result.Title, "Network status")
+	}
+}
+
+func TestParseStaticIPv4ConfigAndDefaults(t *testing.T) {
+	t.Parallel()
+
+	a := &App{
+		network: fakeNetwork{
+			defaultRouteFn: func() string { return " 192.168.1.1 " },
+			listInterfacesFn: func() ([]platform.InterfaceInfo, error) {
+				return nil, nil
+			},
+			dhcpOneFn:       func(string) (string, error) { return "", nil },
+			dhcpAllFn:       func() (string, error) { return "", nil },
+			setStaticIPv4Fn: func(platform.StaticIPv4Config) (string, error) { return "", nil },
+		},
+		runtime: fakeRuntime{
+			collectFn: func(string) (schema.RuntimeHealth, error) { return schema.RuntimeHealth{}, nil },
+		},
+	}
+
+	defaults := a.DefaultStaticIPv4FormFields("eth0")
+	if len(defaults) != 4 {
+		t.Fatalf("len(defaults)=%d want 4", len(defaults))
+	}
+	if defaults[1] != "24" || defaults[2] != "192.168.1.1" {
+		t.Fatalf("unexpected defaults: %#v", defaults)
+	}
+
+	cfg := a.ParseStaticIPv4Config("eth0", []string{
+		" 10.10.0.5 ",
+		" 23 ",
+		" 10.10.0.1 ",
+		" 1.1.1.1  8.8.8.8 ",
+	})
+	if cfg.Interface != "eth0" || cfg.Address != "10.10.0.5" || cfg.Prefix != "23" || cfg.Gateway != "10.10.0.1" {
+		t.Fatalf("unexpected cfg: %#v", cfg)
+	}
+	if len(cfg.DNS) != 2 || cfg.DNS[0] != "1.1.1.1" || cfg.DNS[1] != "8.8.8.8" {
+		t.Fatalf("unexpected dns: %#v", cfg.DNS)
+	}
+}
+
+func TestServiceActionResults(t *testing.T) {
+	t.Parallel()
+
+	a := &App{
+		services: fakeServices{
+			serviceStatusFn: func(name string) (string, error) {
+				return "active", nil
+			},
+			serviceDoFn: func(name string, action platform.ServiceAction) (string, error) {
+				return string(action) + " ok", nil
+			},
+		},
+		runtime: fakeRuntime{
+			collectFn: func(string) (schema.RuntimeHealth, error) { return schema.RuntimeHealth{}, nil },
+		},
+	}
+
+	statusResult, err := a.ServiceStatusResult("bee-audit")
+	if err != nil {
+		t.Fatalf("ServiceStatusResult error: %v", err)
+	}
+	if statusResult.Title != "service status: bee-audit" || statusResult.Body != "active" {
+		t.Fatalf("unexpected status result: %#v", statusResult)
+	}
+
+	actionResult, err := a.ServiceActionResult("bee-audit", platform.ServiceRestart)
+	if err != nil {
+		t.Fatalf("ServiceActionResult error: %v", err)
+	}
+	if actionResult.Title != "service restart: bee-audit" || actionResult.Body != "restart ok" {
+		t.Fatalf("unexpected action result: %#v", actionResult)
+	}
+}
+
+func TestToolCheckAndLogTailResults(t *testing.T) {
+	t.Parallel()
+
+	a := &App{
+		tools: fakeTools{
+			tailFileFn: func(path string, lines int) string {
+				return path
+			},
+			checkToolsFn: func(names []string) []platform.ToolStatus {
+				return []platform.ToolStatus{
+					{Name: "dmidecode", OK: true, Path: "/usr/bin/dmidecode"},
+					{Name: "smartctl", OK: false},
+				}
+			},
+		},
+	}
+
+	toolsResult := a.ToolCheckResult([]string{"dmidecode", "smartctl"})
+	if toolsResult.Title != "Required tools" {
+		t.Fatalf("title=%q want %q", toolsResult.Title, "Required tools")
+	}
+	if want := "- dmidecode: OK (/usr/bin/dmidecode)"; !contains(toolsResult.Body, want) {
+		t.Fatalf("body missing %q\nbody=%s", want, toolsResult.Body)
+	}
+	if want := "- smartctl: MISSING"; !contains(toolsResult.Body, want) {
+		t.Fatalf("body missing %q\nbody=%s", want, toolsResult.Body)
+	}
+
+	logResult := a.AuditLogTailResult()
+	if logResult.Title != "Audit log tail" {
+		t.Fatalf("title=%q want %q", logResult.Title, "Audit log tail")
+	}
+	if want := DefaultAuditLogPath + "\n\n" + DefaultAuditJSONPath; logResult.Body != want {
+		t.Fatalf("body=%q want %q", logResult.Body, want)
+	}
+}
+
+func TestActionResultsUseFallbackBody(t *testing.T) {
+	t.Parallel()
+
+	a := &App{
+		network: fakeNetwork{
+			dhcpOneFn:       func(string) (string, error) { return "   ", nil },
+			dhcpAllFn:       func() (string, error) { return "", nil },
+			setStaticIPv4Fn: func(platform.StaticIPv4Config) (string, error) { return "", nil },
+			listInterfacesFn: func() ([]platform.InterfaceInfo, error) {
+				return nil, nil
+			},
+			defaultRouteFn: func() string { return "" },
+		},
+		services: fakeServices{
+			serviceStatusFn: func(string) (string, error) { return "", nil },
+			serviceDoFn:     func(string, platform.ServiceAction) (string, error) { return "", nil },
+		},
+		tools: fakeTools{
+			tailFileFn:   func(string, int) string { return "   " },
+			checkToolsFn: func([]string) []platform.ToolStatus { return nil },
+		},
+		sat: fakeSAT{
+			runNvidiaFn:  func(string) (string, error) { return "", nil },
+			runMemoryFn:  func(string) (string, error) { return "", nil },
+			runStorageFn: func(string) (string, error) { return "", nil },
+		},
+		runtime: fakeRuntime{
+			collectFn: func(string) (schema.RuntimeHealth, error) {
+				return schema.RuntimeHealth{Status: "PARTIAL", ExportDir: "/tmp/export"}, nil
+			},
+		},
+	}
+
+	if got, _ := a.DHCPOneResult("eth0"); got.Body != "DHCP completed." {
+		t.Fatalf("dhcp one body=%q", got.Body)
+	}
+	if got, _ := a.DHCPAllResult(); got.Body != "DHCP completed." {
+		t.Fatalf("dhcp all body=%q", got.Body)
+	}
+	if got, _ := a.SetStaticIPv4Result(platform.StaticIPv4Config{Interface: "eth0"}); got.Body != "Static IPv4 updated." {
+		t.Fatalf("static body=%q", got.Body)
+	}
+	if got, _ := a.ServiceStatusResult("bee-audit"); got.Body != "No status output." {
+		t.Fatalf("status body=%q", got.Body)
+	}
+	if got, _ := a.ServiceActionResult("bee-audit", platform.ServiceRestart); got.Body != "Action completed." {
+		t.Fatalf("action body=%q", got.Body)
+	}
+	if got := a.ToolCheckResult(nil); got.Body != "No tools checked." {
+		t.Fatalf("tool body=%q", got.Body)
+	}
+	if got := a.AuditLogTailResult(); got.Body != "No audit logs found." {
+		t.Fatalf("log body=%q", got.Body)
+	}
+	if got, _ := a.RunNvidiaAcceptancePackResult(""); got.Body != "Archive written." {
+		t.Fatalf("sat body=%q", got.Body)
+	}
+	if got, _ := a.RunMemoryAcceptancePackResult(""); got.Body != "No output produced." {
+		t.Fatalf("memory sat body=%q", got.Body)
+	}
+	if got, _ := a.RunStorageAcceptancePackResult(""); got.Body != "No output produced." {
+		t.Fatalf("storage sat body=%q", got.Body)
+	}
+}
+
+func TestRunNvidiaAcceptancePackResult(t *testing.T) {
+	t.Parallel()
+
+	a := &App{
+		sat: fakeSAT{
+			runNvidiaFn: func(baseDir string) (string, error) {
+				if baseDir != "/tmp/sat" {
+					t.Fatalf("baseDir=%q want %q", baseDir, "/tmp/sat")
+				}
+				return "/tmp/sat/out.tar.gz", nil
+			},
+			runMemoryFn:  func(string) (string, error) { return "", nil },
+			runStorageFn: func(string) (string, error) { return "", nil },
+		},
+		runtime: fakeRuntime{
+			collectFn: func(string) (schema.RuntimeHealth, error) { return schema.RuntimeHealth{}, nil },
+		},
+	}
+
+	result, err := a.RunNvidiaAcceptancePackResult("/tmp/sat")
+	if err != nil {
+		t.Fatalf("RunNvidiaAcceptancePackResult error: %v", err)
+	}
+	if result.Title != "NVIDIA SAT" || result.Body != "Archive written to /tmp/sat/out.tar.gz" {
+		t.Fatalf("unexpected result: %#v", result)
+	}
+}
+
+func TestRunSATDefaultsToExportDir(t *testing.T) {
+	t.Parallel()
+
+	oldSATBaseDir := DefaultSATBaseDir
+	DefaultSATBaseDir = "/tmp/export/bee-sat"
+	t.Cleanup(func() { DefaultSATBaseDir = oldSATBaseDir })
+
+	a := &App{
+		sat: fakeSAT{
+			runNvidiaFn: func(baseDir string) (string, error) {
+				if baseDir != "/tmp/export/bee-sat" {
+					t.Fatalf("nvidia baseDir=%q", baseDir)
+				}
+				return "", nil
+			},
+			runMemoryFn: func(baseDir string) (string, error) {
+				if baseDir != "/tmp/export/bee-sat" {
+					t.Fatalf("memory baseDir=%q", baseDir)
+				}
+				return "", nil
+			},
+			runStorageFn: func(baseDir string) (string, error) {
+				if baseDir != "/tmp/export/bee-sat" {
+					t.Fatalf("storage baseDir=%q", baseDir)
+				}
+				return "", nil
+			},
+		},
+		runtime: fakeRuntime{
+			collectFn: func(string) (schema.RuntimeHealth, error) { return schema.RuntimeHealth{}, nil },
+		},
+	}
+
+	if _, err := a.RunNvidiaAcceptancePack(""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := a.RunMemoryAcceptancePack(""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := a.RunStorageAcceptancePack(""); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFormatSATSummary(t *testing.T) {
+	t.Parallel()
+
+	got := formatSATSummary("Memory SAT", "overall_status=PARTIAL\njob_ok=2\njob_failed=0\njob_unsupported=1\ndevices=3\n")
+	want := "Memory SAT: PARTIAL ok=2 failed=0 unsupported=1\nDevices: 3"
+	if got != want {
+		t.Fatalf("got %q want %q", got, want)
+	}
+}
+
+func TestHealthSummaryResultIncludesCompactSATSummary(t *testing.T) {
+	tmp := t.TempDir()
+	oldAuditPath := DefaultAuditJSONPath
+	oldSATBaseDir := DefaultSATBaseDir
+	DefaultAuditJSONPath = filepath.Join(tmp, "audit.json")
+	DefaultSATBaseDir = filepath.Join(tmp, "sat")
+	t.Cleanup(func() { DefaultAuditJSONPath = oldAuditPath })
+	t.Cleanup(func() { DefaultSATBaseDir = oldSATBaseDir })
+
+	satDir := filepath.Join(DefaultSATBaseDir, "memory-testcase")
+	if err := os.MkdirAll(satDir, 0755); err != nil {
+		t.Fatalf("mkdir sat dir: %v", err)
+	}
+
+	raw := `{"collected_at":"2026-03-15T10:00:00Z","hardware":{"board":{"serial_number":"SRV123"},"storage":[{"serial_number":"DISK1","status":"Warning"}]}}`
+	if err := os.WriteFile(DefaultAuditJSONPath, []byte(raw), 0644); err != nil {
+		t.Fatalf("write audit json: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(satDir, "summary.txt"), []byte("overall_status=OK\njob_ok=3\njob_failed=0\njob_unsupported=0\n"), 0644); err != nil {
+		t.Fatalf("write sat summary: %v", err)
+	}
+
+	result := (&App{}).HealthSummaryResult()
+	if !contains(result.Body, "Memory SAT: OK ok=3 failed=0") {
+		t.Fatalf("body missing compact sat summary:\n%s", result.Body)
+	}
+}
+
+func TestBuildSupportBundleIncludesExportDirContents(t *testing.T) {
+	tmp := t.TempDir()
+	exportDir := filepath.Join(tmp, "export")
+	if err := os.MkdirAll(filepath.Join(exportDir, "bee-sat", "memory-run"), 0755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(exportDir, "bee-audit.json"), []byte(`{"ok":true}`), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(exportDir, "bee-sat", "memory-run", "verbose.log"), []byte("sat verbose"), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	archive, err := BuildSupportBundle(exportDir)
+	if err != nil {
+		t.Fatalf("BuildSupportBundle error: %v", err)
+	}
+	if _, err := os.Stat(archive); err != nil {
+		t.Fatalf("archive stat: %v", err)
+	}
+}
+
+func TestMainBanner(t *testing.T) {
+	tmp := t.TempDir()
+	oldAuditPath := DefaultAuditJSONPath
+	DefaultAuditJSONPath = filepath.Join(tmp, "audit.json")
+	t.Cleanup(func() { DefaultAuditJSONPath = oldAuditPath })
+
+	trueValue := true
+	manufacturer := "Dell"
+	product := "PowerEdge R760"
+	cpuModel := "Intel Xeon Gold 6430"
+	memoryType := "DDR5"
+	gpuClass := "VideoController"
+	gpuModel := "NVIDIA H100"
+
+	payload := schema.HardwareIngestRequest{
+		Hardware: schema.HardwareSnapshot{
+			Board: schema.HardwareBoard{
+				Manufacturer: &manufacturer,
+				ProductName:  &product,
+				SerialNumber: "SRV123",
+			},
+			CPUs: []schema.HardwareCPU{
+				{Model: &cpuModel},
+				{Model: &cpuModel},
+			},
+			Memory: []schema.HardwareMemory{
+				{Present: &trueValue, SizeMB: intPtr(524288), Type: &memoryType},
+				{Present: &trueValue, SizeMB: intPtr(524288), Type: &memoryType},
+			},
+			Storage: []schema.HardwareStorage{
+				{Present: &trueValue, SizeGB: intPtr(3840)},
+				{Present: &trueValue, SizeGB: intPtr(3840)},
+			},
+			PCIeDevices: []schema.HardwarePCIeDevice{
+				{DeviceClass: &gpuClass, Model: &gpuModel},
+				{DeviceClass: &gpuClass, Model: &gpuModel},
+			},
+		},
+	}
+
+	raw, err := json.Marshal(payload)
+	if err != nil {
+		t.Fatalf("marshal: %v", err)
+	}
+	if err := os.WriteFile(DefaultAuditJSONPath, raw, 0644); err != nil {
+		t.Fatalf("write audit json: %v", err)
+	}
+
+	a := &App{
+		network: fakeNetwork{
+			listInterfacesFn: func() ([]platform.InterfaceInfo, error) {
+				return []platform.InterfaceInfo{
+					{Name: "eth0", IPv4: []string{"10.0.0.10"}},
+					{Name: "eth1", IPv4: []string{"192.168.1.10"}},
+				}, nil
+			},
+		},
+	}
+
+	got := a.MainBanner()
+	for _, want := range []string{
+		"System: Dell PowerEdge R760 | S/N SRV123",
+		"CPU: 2 x Intel Xeon Gold 6430",
+		"Memory: 1.0 TB DDR5 (2 DIMMs)",
+		"Storage: 2 drives / 7.5 TB",
+		"GPU: 2 x NVIDIA H100",
+		"IP: 10.0.0.10, 192.168.1.10",
+	} {
+		if !contains(got, want) {
+			t.Fatalf("banner missing %q:\n%s", want, got)
+		}
+	}
+}
+
+func intPtr(v int) *int { return &v }
+
+func contains(haystack, needle string) bool {
+	return len(needle) == 0 || (len(haystack) >= len(needle) && (haystack == needle || containsAt(haystack, needle)))
+}
+
+func containsAt(haystack, needle string) bool {
+	for i := 0; i+len(needle) <= len(haystack); i++ {
+		if haystack[i:i+len(needle)] == needle {
+			return true
+		}
+	}
+	return false
+}

audit/internal/app/panel.go

@@ -0,0 +1,387 @@
+package app
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"bee/audit/internal/schema"
+)
+
+// ComponentRow is one line in the hardware panel.
+type ComponentRow struct {
+	Key    string // "CPU", "MEM", "GPU", "DISK", "PSU"
+	Status string // "PASS", "FAIL", "CANCEL", "N/A"
+	Detail string // compact one-liner
+}
+
+// HardwarePanelData holds everything the TUI right panel needs.
+type HardwarePanelData struct {
+	Header []string
+	Rows   []ComponentRow
+}
+
+// LoadHardwarePanel reads the latest audit JSON and SAT summaries.
+// Returns empty panel if no audit data exists yet.
+func (a *App) LoadHardwarePanel() HardwarePanelData {
+	raw, err := os.ReadFile(DefaultAuditJSONPath)
+	if err != nil {
+		return HardwarePanelData{Header: []string{"No audit data — run audit first."}}
+	}
+	var snap schema.HardwareIngestRequest
+	if err := json.Unmarshal(raw, &snap); err != nil {
+		return HardwarePanelData{Header: []string{"Audit data unreadable."}}
+	}
+
+	statuses := satStatuses()
+
+	var header []string
+	if sys := formatSystemLine(snap.Hardware.Board); sys != "" {
+		header = append(header, sys)
+	}
+	for _, fw := range snap.Hardware.Firmware {
+		if fw.DeviceName == "BIOS" && fw.Version != "" {
+			header = append(header, "BIOS: "+fw.Version)
+		}
+		if fw.DeviceName == "BMC" && fw.Version != "" {
+			header = append(header, "BMC:  "+fw.Version)
+		}
+	}
+	if ip := formatIPLine(a.network.ListInterfaces); ip != "" {
+		header = append(header, ip)
+	}
+
+	var rows []ComponentRow
+
+	if cpu := formatCPULine(snap.Hardware.CPUs); cpu != "" {
+		rows = append(rows, ComponentRow{
+			Key:    "CPU",
+			Status: statuses["cpu"],
+			Detail: strings.TrimPrefix(cpu, "CPU: "),
+		})
+	}
+	if mem := formatMemoryLine(snap.Hardware.Memory); mem != "" {
+		rows = append(rows, ComponentRow{
+			Key:    "MEM",
+			Status: statuses["memory"],
+			Detail: strings.TrimPrefix(mem, "Memory: "),
+		})
+	}
+	if gpu := formatGPULine(snap.Hardware.PCIeDevices); gpu != "" {
+		rows = append(rows, ComponentRow{
+			Key:    "GPU",
+			Status: statuses["gpu"],
+			Detail: strings.TrimPrefix(gpu, "GPU: "),
+		})
+	}
+	if disk := formatStorageLine(snap.Hardware.Storage); disk != "" {
+		rows = append(rows, ComponentRow{
+			Key:    "DISK",
+			Status: statuses["storage"],
+			Detail: strings.TrimPrefix(disk, "Storage: "),
+		})
+	}
+	if psu := formatPSULine(snap.Hardware.PowerSupplies); psu != "" {
+		rows = append(rows, ComponentRow{
+			Key:    "PSU",
+			Status: "N/A",
+			Detail: psu,
+		})
+	}
+
+	return HardwarePanelData{Header: header, Rows: rows}
+}
+
+// ComponentDetailResult returns detail text for a component shown in the panel.
+func (a *App) ComponentDetailResult(key string) ActionResult {
+	switch key {
+	case "CPU":
+		return a.cpuDetailResult(false)
+	case "MEM":
+		return a.satDetailResult("memory", "memory-", "MEM detail")
+	case "GPU":
+		// Prefer whichever GPU SAT was run most recently.
+		nv, _ := filepath.Glob(filepath.Join(DefaultSATBaseDir, "gpu-nvidia-*/summary.txt"))
+		am, _ := filepath.Glob(filepath.Join(DefaultSATBaseDir, "gpu-amd-*/summary.txt"))
+		sort.Strings(nv)
+		sort.Strings(am)
+		latestNV := ""
+		if len(nv) > 0 {
+			latestNV = nv[len(nv)-1]
+		}
+		latestAM := ""
+		if len(am) > 0 {
+			latestAM = am[len(am)-1]
+		}
+		if latestAM > latestNV {
+			return a.satDetailResult("gpu", "gpu-amd-", "GPU detail")
+		}
+		return a.satDetailResult("gpu", "gpu-nvidia-", "GPU detail")
+	case "DISK":
+		return a.satDetailResult("storage", "storage-", "DISK detail")
+	case "PSU":
+		return a.psuDetailResult()
+	default:
+		return ActionResult{Title: key, Body: "No detail available."}
+	}
+}
+
+func (a *App) cpuDetailResult(satOnly bool) ActionResult {
+	var b strings.Builder
+
+	// Show latest SAT summary if available.
+	satResult := a.satDetailResult("cpu", "cpu-", "CPU SAT")
+	if satResult.Body != "No test results found. Run a test first." {
+		fmt.Fprintln(&b, "=== Last SAT ===")
+		fmt.Fprintln(&b, satResult.Body)
+		fmt.Fprintln(&b)
+	}
+
+	if satOnly {
+		body := strings.TrimSpace(b.String())
+		if body == "" {
+			body = "No CPU SAT results found. Run a test first."
+		}
+		return ActionResult{Title: "CPU SAT", Body: body}
+	}
+
+	raw, err := os.ReadFile(DefaultAuditJSONPath)
+	if err != nil {
+		return ActionResult{Title: "CPU", Body: strings.TrimSpace(b.String())}
+	}
+	var snap schema.HardwareIngestRequest
+	if err := json.Unmarshal(raw, &snap); err != nil {
+		return ActionResult{Title: "CPU", Body: strings.TrimSpace(b.String())}
+	}
+	if len(snap.Hardware.CPUs) == 0 {
+		return ActionResult{Title: "CPU", Body: strings.TrimSpace(b.String())}
+	}
+	fmt.Fprintln(&b, "=== Audit ===")
+	for i, cpu := range snap.Hardware.CPUs {
+		fmt.Fprintf(&b, "CPU %d\n", i)
+		if cpu.Model != nil {
+			fmt.Fprintf(&b, "  Model:    %s\n", *cpu.Model)
+		}
+		if cpu.Manufacturer != nil {
+			fmt.Fprintf(&b, "  Vendor:   %s\n", *cpu.Manufacturer)
+		}
+		if cpu.Cores != nil {
+			fmt.Fprintf(&b, "  Cores:    %d\n", *cpu.Cores)
+		}
+		if cpu.Threads != nil {
+			fmt.Fprintf(&b, "  Threads:  %d\n", *cpu.Threads)
+		}
+		if cpu.MaxFrequencyMHz != nil {
+			fmt.Fprintf(&b, "  Max freq: %d MHz\n", *cpu.MaxFrequencyMHz)
+		}
+		if cpu.TemperatureC != nil {
+			fmt.Fprintf(&b, "  Temp:     %.1f°C\n", *cpu.TemperatureC)
+		}
+		if cpu.Throttled != nil {
+			fmt.Fprintf(&b, "  Throttled: %v\n", *cpu.Throttled)
+		}
+		if cpu.CorrectableErrorCount != nil && *cpu.CorrectableErrorCount > 0 {
+			fmt.Fprintf(&b, "  ECC correctable:   %d\n", *cpu.CorrectableErrorCount)
+		}
+		if cpu.UncorrectableErrorCount != nil && *cpu.UncorrectableErrorCount > 0 {
+			fmt.Fprintf(&b, "  ECC uncorrectable: %d\n", *cpu.UncorrectableErrorCount)
+		}
+		if i < len(snap.Hardware.CPUs)-1 {
+			fmt.Fprintln(&b)
+		}
+	}
+	return ActionResult{Title: "CPU", Body: strings.TrimSpace(b.String())}
+}
+
+func (a *App) satDetailResult(statusKey, prefix, title string) ActionResult {
+	matches, err := filepath.Glob(filepath.Join(DefaultSATBaseDir, prefix+"*/summary.txt"))
+	if err != nil || len(matches) == 0 {
+		return ActionResult{Title: title, Body: "No test results found. Run a test first."}
+	}
+	sort.Strings(matches)
+	raw, err := os.ReadFile(matches[len(matches)-1])
+	if err != nil {
+		return ActionResult{Title: title, Body: "Could not read test results."}
+	}
+	return ActionResult{Title: title, Body: formatSATDetail(strings.TrimSpace(string(raw)))}
+}
+
+// formatSATDetail converts raw summary.txt key=value content to a human-readable per-step display.
+func formatSATDetail(raw string) string {
+	var b strings.Builder
+	kv := parseKeyValueSummary(raw)
+
+	if t, ok := kv["run_at_utc"]; ok {
+		fmt.Fprintf(&b, "Run: %s\n\n", t)
+	}
+
+	// Collect step names in order they appear in the file
+	lines := strings.Split(raw, "\n")
+	var stepKeys []string
+	seenStep := map[string]bool{}
+	for _, line := range lines {
+		if idx := strings.Index(line, "_status="); idx >= 0 {
+			key := line[:idx]
+			if !seenStep[key] && key != "overall" {
+				seenStep[key] = true
+				stepKeys = append(stepKeys, key)
+			}
+		}
+	}
+
+	for _, key := range stepKeys {
+		status := kv[key+"_status"]
+		display := cleanSummaryKey(key)
+		switch status {
+		case "OK":
+			fmt.Fprintf(&b, "PASS  %s\n", display)
+		case "FAILED":
+			fmt.Fprintf(&b, "FAIL  %s\n", display)
+		case "UNSUPPORTED":
+			fmt.Fprintf(&b, "SKIP  %s\n", display)
+		default:
+			fmt.Fprintf(&b, "?     %s\n", display)
+		}
+	}
+
+	if overall, ok := kv["overall_status"]; ok {
+		ok2 := kv["job_ok"]
+		failed := kv["job_failed"]
+		fmt.Fprintf(&b, "\nOverall: %s  (ok=%s  failed=%s)", overall, ok2, failed)
+	}
+
+	return strings.TrimSpace(b.String())
+}
+
+// cleanSummaryKey strips the leading numeric prefix from a SAT step key.
+// "1-lscpu" → "lscpu", "3-stress-ng" → "stress-ng"
+func cleanSummaryKey(key string) string {
+	idx := strings.Index(key, "-")
+	if idx <= 0 {
+		return key
+	}
+	prefix := key[:idx]
+	for _, c := range prefix {
+		if c < '0' || c > '9' {
+			return key
+		}
+	}
+	return key[idx+1:]
+}
+
+func (a *App) psuDetailResult() ActionResult {
+	raw, err := os.ReadFile(DefaultAuditJSONPath)
+	if err != nil {
+		return ActionResult{Title: "PSU", Body: "No audit data."}
+	}
+	var snap schema.HardwareIngestRequest
+	if err := json.Unmarshal(raw, &snap); err != nil {
+		return ActionResult{Title: "PSU", Body: "Audit data unreadable."}
+	}
+	if len(snap.Hardware.PowerSupplies) == 0 {
+		return ActionResult{Title: "PSU", Body: "No PSU data in last audit."}
+	}
+	var b strings.Builder
+	for i, psu := range snap.Hardware.PowerSupplies {
+		fmt.Fprintf(&b, "PSU %d\n", i)
+		if psu.Model != nil {
+			fmt.Fprintf(&b, "  Model:   %s\n", *psu.Model)
+		}
+		if psu.Vendor != nil {
+			fmt.Fprintf(&b, "  Vendor:  %s\n", *psu.Vendor)
+		}
+		if psu.WattageW != nil {
+			fmt.Fprintf(&b, "  Rated:   %d W\n", *psu.WattageW)
+		}
+		if psu.InputPowerW != nil {
+			fmt.Fprintf(&b, "  Input:   %.1f W\n", *psu.InputPowerW)
+		}
+		if psu.OutputPowerW != nil {
+			fmt.Fprintf(&b, "  Output:  %.1f W\n", *psu.OutputPowerW)
+		}
+		if psu.TemperatureC != nil {
+			fmt.Fprintf(&b, "  Temp:    %.1f°C\n", *psu.TemperatureC)
+		}
+		if i < len(snap.Hardware.PowerSupplies)-1 {
+			fmt.Fprintln(&b)
+		}
+	}
+	return ActionResult{Title: "PSU", Body: strings.TrimSpace(b.String())}
+}
+
+// satStatuses reads the latest summary.txt for each SAT type and returns
+// a map of component key ("gpu","memory","storage") → status ("PASS","FAIL","CANCEL","N/A").
+func satStatuses() map[string]string {
+	result := map[string]string{
+		"gpu":     "N/A",
+		"memory":  "N/A",
+		"storage": "N/A",
+		"cpu":     "N/A",
+	}
+	patterns := []struct {
+		key    string
+		prefix string
+	}{
+		{"gpu", "gpu-nvidia-"},
+		{"gpu", "gpu-amd-"},
+		{"memory", "memory-"},
+		{"storage", "storage-"},
+		{"cpu", "cpu-"},
+	}
+	for _, item := range patterns {
+		matches, err := filepath.Glob(filepath.Join(DefaultSATBaseDir, item.prefix+"*/summary.txt"))
+		if err != nil || len(matches) == 0 {
+			continue
+		}
+		sort.Strings(matches)
+		raw, err := os.ReadFile(matches[len(matches)-1])
+		if err != nil {
+			continue
+		}
+		values := parseKeyValueSummary(string(raw))
+		switch strings.ToUpper(strings.TrimSpace(values["overall_status"])) {
+		case "OK":
+			result[item.key] = "PASS"
+		case "FAILED":
+			result[item.key] = "FAIL"
+		case "CANCELED", "CANCELLED":
+			result[item.key] = "CANCEL"
+		}
+	}
+	return result
+}
+
+func formatPSULine(psus []schema.HardwarePowerSupply) string {
+	var present []schema.HardwarePowerSupply
+	for _, psu := range psus {
+		if psu.Present != nil && !*psu.Present {
+			continue
+		}
+		present = append(present, psu)
+	}
+	if len(present) == 0 {
+		return ""
+	}
+	firstW := 0
+	if present[0].WattageW != nil {
+		firstW = *present[0].WattageW
+	}
+	allSame := firstW > 0
+	for _, p := range present[1:] {
+		w := 0
+		if p.WattageW != nil {
+			w = *p.WattageW
+		}
+		if w != firstW {
+			allSame = false
+			break
+		}
+	}
+	if allSame && firstW > 0 {
+		return fmt.Sprintf("%dx %dW", len(present), firstW)
+	}
+	return fmt.Sprintf("%d PSU", len(present))
+}

audit/internal/app/support_bundle.go

@@ -0,0 +1,300 @@
+package app
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sort"
+	"strings"
+	"time"
+)
+
+var supportBundleServices = []string{
+	"bee-audit.service",
+	"bee-web.service",
+	"bee-network.service",
+	"bee-nvidia.service",
+	"bee-preflight.service",
+	"bee-sshsetup.service",
+}
+
+var supportBundleCommands = []struct {
+	name string
+	cmd  []string
+}{
+	{name: "system/uname.txt", cmd: []string{"uname", "-a"}},
+	{name: "system/lsmod.txt", cmd: []string{"lsmod"}},
+	{name: "system/lspci-nn.txt", cmd: []string{"lspci", "-nn"}},
+	{name: "system/ip-addr.txt", cmd: []string{"ip", "addr"}},
+	{name: "system/ip-route.txt", cmd: []string{"ip", "route"}},
+	{name: "system/mount.txt", cmd: []string{"mount"}},
+	{name: "system/df-h.txt", cmd: []string{"df", "-h"}},
+	{name: "system/dmesg-tail.txt", cmd: []string{"sh", "-c", "dmesg | tail -n 200"}},
+}
+
+func BuildSupportBundle(exportDir string) (string, error) {
+	exportDir = strings.TrimSpace(exportDir)
+	if exportDir == "" {
+		exportDir = DefaultExportDir
+	}
+	if err := os.MkdirAll(exportDir, 0755); err != nil {
+		return "", err
+	}
+	if err := cleanupOldSupportBundles(os.TempDir()); err != nil {
+		return "", err
+	}
+
+	host := sanitizeFilename(hostnameOr("unknown"))
+	ts := time.Now().UTC().Format("20060102-150405")
+	stageRoot := filepath.Join(os.TempDir(), fmt.Sprintf("bee-support-%s-%s", host, ts))
+	if err := os.MkdirAll(stageRoot, 0755); err != nil {
+		return "", err
+	}
+	defer os.RemoveAll(stageRoot)
+
+	if err := copyDirContents(exportDir, filepath.Join(stageRoot, "export")); err != nil {
+		return "", err
+	}
+	if err := writeJournalDump(filepath.Join(stageRoot, "systemd", "combined.journal.log")); err != nil {
+		return "", err
+	}
+	for _, svc := range supportBundleServices {
+		if err := writeCommandOutput(filepath.Join(stageRoot, "systemd", svc+".status.txt"), []string{"systemctl", "status", svc, "--no-pager"}); err != nil {
+			return "", err
+		}
+		if err := writeCommandOutput(filepath.Join(stageRoot, "systemd", svc+".journal.log"), []string{"journalctl", "--no-pager", "-u", svc}); err != nil {
+			return "", err
+		}
+	}
+	for _, item := range supportBundleCommands {
+		if err := writeCommandOutput(filepath.Join(stageRoot, item.name), item.cmd); err != nil {
+			return "", err
+		}
+	}
+	if err := writeManifest(filepath.Join(stageRoot, "manifest.txt"), exportDir, stageRoot); err != nil {
+		return "", err
+	}
+
+	archivePath := filepath.Join(os.TempDir(), fmt.Sprintf("bee-support-%s-%s.tar.gz", host, ts))
+	if err := createSupportTarGz(archivePath, stageRoot); err != nil {
+		return "", err
+	}
+	return archivePath, nil
+}
+
+func cleanupOldSupportBundles(dir string) error {
+	matches, err := filepath.Glob(filepath.Join(dir, "bee-support-*.tar.gz"))
+	if err != nil {
+		return err
+	}
+	type entry struct {
+		path string
+		mod  time.Time
+	}
+	list := make([]entry, 0, len(matches))
+	for _, match := range matches {
+		info, err := os.Stat(match)
+		if err != nil {
+			continue
+		}
+		if time.Since(info.ModTime()) > 24*time.Hour {
+			_ = os.Remove(match)
+			continue
+		}
+		list = append(list, entry{path: match, mod: info.ModTime()})
+	}
+	sort.Slice(list, func(i, j int) bool { return list[i].mod.After(list[j].mod) })
+	if len(list) > 3 {
+		for _, old := range list[3:] {
+			_ = os.Remove(old.path)
+		}
+	}
+	return nil
+}
+
+func writeJournalDump(dst string) error {
+	args := []string{"--no-pager"}
+	for _, svc := range supportBundleServices {
+		args = append(args, "-u", svc)
+	}
+	raw, err := exec.Command("journalctl", args...).CombinedOutput()
+	if len(raw) == 0 && err != nil {
+		raw = []byte(err.Error() + "\n")
+	}
+	if len(raw) == 0 {
+		raw = []byte("no journal output\n")
+	}
+	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
+		return err
+	}
+	return os.WriteFile(dst, raw, 0644)
+}
+
+func writeCommandOutput(dst string, cmd []string) error {
+	if len(cmd) == 0 {
+		return nil
+	}
+	raw, err := exec.Command(cmd[0], cmd[1:]...).CombinedOutput()
+	if len(raw) == 0 {
+		if err != nil {
+			raw = []byte(err.Error() + "\n")
+		} else {
+			raw = []byte("no output\n")
+		}
+	}
+	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
+		return err
+	}
+	return os.WriteFile(dst, raw, 0644)
+}
+
+func writeManifest(dst, exportDir, stageRoot string) error {
+	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
+		return err
+	}
+	var body strings.Builder
+	fmt.Fprintf(&body, "bee_version=%s\n", buildVersion())
+	fmt.Fprintf(&body, "host=%s\n", hostnameOr("unknown"))
+	fmt.Fprintf(&body, "generated_at_utc=%s\n", time.Now().UTC().Format(time.RFC3339))
+	fmt.Fprintf(&body, "export_dir=%s\n", exportDir)
+	fmt.Fprintf(&body, "\nfiles:\n")
+
+	var files []string
+	if err := filepath.Walk(stageRoot, func(path string, info os.FileInfo, err error) error {
+		if err != nil || info.IsDir() {
+			return err
+		}
+		if filepath.Clean(path) == filepath.Clean(dst) {
+			return nil
+		}
+		rel, err := filepath.Rel(stageRoot, path)
+		if err != nil {
+			return err
+		}
+		files = append(files, fmt.Sprintf("%s\t%d", rel, info.Size()))
+		return nil
+	}); err != nil {
+		return err
+	}
+	sort.Strings(files)
+	for _, line := range files {
+		body.WriteString(line)
+		body.WriteByte('\n')
+	}
+	return os.WriteFile(dst, []byte(body.String()), 0644)
+}
+
+func buildVersion() string {
+	raw, err := exec.Command("bee", "version").CombinedOutput()
+	if err != nil {
+		return "unknown"
+	}
+	return strings.TrimSpace(string(raw))
+}
+
+func copyDirContents(srcDir, dstDir string) error {
+	entries, err := os.ReadDir(srcDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+	for _, entry := range entries {
+		src := filepath.Join(srcDir, entry.Name())
+		dst := filepath.Join(dstDir, entry.Name())
+		if err := copyPath(src, dst); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func copyPath(src, dst string) error {
+	info, err := os.Stat(src)
+	if err != nil {
+		return err
+	}
+	if info.IsDir() {
+		if err := os.MkdirAll(dst, info.Mode().Perm()); err != nil {
+			return err
+		}
+		entries, err := os.ReadDir(src)
+		if err != nil {
+			return err
+		}
+		for _, entry := range entries {
+			if err := copyPath(filepath.Join(src, entry.Name()), filepath.Join(dst, entry.Name())); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+
+	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
+		return err
+	}
+	in, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer in.Close()
+
+	out, err := os.OpenFile(dst, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, info.Mode().Perm())
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	_, err = io.Copy(out, in)
+	return err
+}
+
+func createSupportTarGz(dst, srcDir string) error {
+	file, err := os.Create(dst)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	gz := gzip.NewWriter(file)
+	defer gz.Close()
+
+	tw := tar.NewWriter(gz)
+	defer tw.Close()
+
+	base := filepath.Dir(srcDir)
+	return filepath.Walk(srcDir, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			return nil
+		}
+
+		header, err := tar.FileInfoHeader(info, "")
+		if err != nil {
+			return err
+		}
+		header.Name, err = filepath.Rel(base, path)
+		if err != nil {
+			return err
+		}
+		if err := tw.WriteHeader(header); err != nil {
+			return err
+		}
+
+		f, err := os.Open(path)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+
+		_, err = io.Copy(tw, f)
+		return err
+	})
+}

audit/internal/collector/board.go

@@ -4,10 +4,27 @@ import (
 	"bee/audit/internal/schema"
 	"bufio"
 	"log/slog"
+	"os"
 	"os/exec"
 	"strings"
 )
 
+var execDmidecode = func(typeNum string) (string, error) {
+	out, err := exec.Command("dmidecode", "-t", typeNum).Output()
+	if err != nil {
+		return "", err
+	}
+	return string(out), nil
+}
+
+var execIpmitool = func(args ...string) (string, error) {
+	out, err := exec.Command("ipmitool", args...).Output()
+	if err != nil {
+		return "", err
+	}
+	return string(out), nil
+}
+
 // collectBoard runs dmidecode for types 0, 1, 2 and returns the board record
 // plus the BIOS firmware entry. Any failure is logged and returns zero values.
 func collectBoard() (schema.HardwareBoard, []schema.HardwareFirmwareRecord) {
@@ -61,6 +78,45 @@ func parseBoard(type1, type2 string) schema.HardwareBoard {
 	return board
 }
 
+// collectBMCFirmware collects BMC firmware version via ipmitool mc info.
+// Returns nil if ipmitool is missing, /dev/ipmi0 is absent, or any error occurs.
+func collectBMCFirmware() []schema.HardwareFirmwareRecord {
+	if _, err := exec.LookPath("ipmitool"); err != nil {
+		return nil
+	}
+	if _, err := os.Stat("/dev/ipmi0"); err != nil {
+		return nil
+	}
+	out, err := execIpmitool("mc", "info")
+	if err != nil {
+		slog.Info("bmc: ipmitool mc info unavailable", "err", err)
+		return nil
+	}
+	version := parseBMCFirmwareRevision(out)
+	if version == "" {
+		return nil
+	}
+	slog.Info("bmc: collected", "version", version)
+	return []schema.HardwareFirmwareRecord{
+		{DeviceName: "BMC", Version: version},
+	}
+}
+
+// parseBMCFirmwareRevision extracts the "Firmware Revision" field from ipmitool mc info output.
+func parseBMCFirmwareRevision(out string) string {
+	for _, line := range strings.Split(out, "\n") {
+		line = strings.TrimSpace(line)
+		key, val, ok := strings.Cut(line, ":")
+		if !ok {
+			continue
+		}
+		if strings.TrimSpace(key) == "Firmware Revision" {
+			return strings.TrimSpace(val)
+		}
+	}
+	return ""
+}
+
 // parseBIOSFirmware extracts BIOS version from dmidecode type 0 output.
 func parseBIOSFirmware(type0 string) []schema.HardwareFirmwareRecord {
 	fields := parseDMIFields(type0, "BIOS Information")
@@ -141,9 +197,5 @@ func cleanDMIValue(v string) string {
 
 // runDmidecode executes dmidecode -t <typeNum> and returns its stdout.
 func runDmidecode(typeNum string) (string, error) {
-	out, err := exec.Command("dmidecode", "-t", typeNum).Output()
-	if err != nil {
-		return "", err
-	}
-	return string(out), nil
+	return execDmidecode(typeNum)
 }

audit/internal/collector/collector.go

@@ -4,15 +4,18 @@
 package collector
 
 import (
+	"bee/audit/internal/runtimeenv"
 	"bee/audit/internal/schema"
 	"log/slog"
+	"os"
 	"time"
 )
 
 // Run executes all collectors and returns the combined snapshot.
 // Partial failures are logged as warnings; collection always completes.
-func Run() schema.HardwareIngestRequest {
+func Run(_ runtimeenv.Mode) schema.HardwareIngestRequest {
 	start := time.Now()
+	collectedAt := time.Now().UTC().Format(time.RFC3339)
 	slog.Info("audit started")
 
 	snap := schema.HardwareSnapshot{}
@@ -20,32 +23,43 @@ func Run() schema.HardwareIngestRequest {
 	board, biosFW := collectBoard()
 	snap.Board = board
 	snap.Firmware = append(snap.Firmware, biosFW...)
+	snap.Firmware = append(snap.Firmware, collectBMCFirmware()...)
 
-	cpus, cpuFW := collectCPUs(snap.Board.SerialNumber)
-	snap.CPUs = cpus
-	snap.Firmware = append(snap.Firmware, cpuFW...)
+	snap.CPUs = collectCPUs()
 
 	snap.Memory = collectMemory()
+	sensorDoc, err := readSensorsJSONDoc()
+	if err != nil {
+		slog.Info("sensors: unavailable for enrichment", "err", err)
+	}
+	snap.CPUs = enrichCPUsWithTelemetry(snap.CPUs, sensorDoc)
+	snap.Memory = enrichMemoryWithTelemetry(snap.Memory, sensorDoc)
 	snap.Storage = collectStorage()
 	snap.PCIeDevices = collectPCIe()
-	snap.PCIeDevices = enrichPCIeWithNVIDIA(snap.PCIeDevices, snap.Board.SerialNumber)
+	snap.PCIeDevices = enrichPCIeWithNVIDIA(snap.PCIeDevices)
 	snap.PCIeDevices = enrichPCIeWithMellanox(snap.PCIeDevices)
 	snap.PCIeDevices = enrichPCIeWithNICTelemetry(snap.PCIeDevices)
+	snap.PCIeDevices = enrichPCIeWithRAIDTelemetry(snap.PCIeDevices)
 	snap.Storage = enrichStorageWithVROC(snap.Storage, snap.PCIeDevices)
 	snap.Storage = appendUniqueStorage(snap.Storage, collectRAIDStorage(snap.PCIeDevices))
 	snap.PowerSupplies = collectPSUs()
+	snap.PowerSupplies = enrichPSUsWithTelemetry(snap.PowerSupplies, sensorDoc)
+	snap.Sensors = buildSensorsFromDoc(sensorDoc)
+	finalizeSnapshot(&snap, collectedAt)
 
 	// remaining collectors added in steps 1.8 – 1.10
 
 	slog.Info("audit completed", "duration", time.Since(start).Round(time.Millisecond))
 
-	sourceType := "livcd"
-	protocol := "os-direct"
-
+	sourceType := "manual"
+	var targetHost *string
+	if hostname, err := os.Hostname(); err == nil && hostname != "" {
+		targetHost = &hostname
+	}
 	return schema.HardwareIngestRequest{
 		SourceType:  &sourceType,
-		Protocol:    &protocol,
-		CollectedAt: time.Now().UTC().Format(time.RFC3339),
+		TargetHost:  targetHost,
+		CollectedAt: collectedAt,
 		Hardware:    snap,
 	}
 }

audit/internal/collector/contract.go

@@ -0,0 +1,64 @@
+package collector
+
+import "strings"
+
+const (
+	statusOK       = "OK"
+	statusWarning  = "Warning"
+	statusCritical = "Critical"
+	statusUnknown  = "Unknown"
+	statusEmpty    = "Empty"
+)
+
+func mapPCIeDeviceClass(raw string) string {
+	normalized := strings.ToLower(strings.TrimSpace(raw))
+	switch {
+	case normalized == "":
+		return ""
+	case strings.Contains(normalized, "ethernet controller"):
+		return "EthernetController"
+	case strings.Contains(normalized, "fibre channel"):
+		return "FibreChannelController"
+	case strings.Contains(normalized, "network controller"), strings.Contains(normalized, "infiniband controller"):
+		return "NetworkController"
+	case strings.Contains(normalized, "serial attached scsi"), strings.Contains(normalized, "storage controller"):
+		return "StorageController"
+	case strings.Contains(normalized, "raid"), strings.Contains(normalized, "mass storage"):
+		return "MassStorageController"
+	case strings.Contains(normalized, "display controller"):
+		return "DisplayController"
+	case strings.Contains(normalized, "vga"), strings.Contains(normalized, "3d controller"), strings.Contains(normalized, "video controller"):
+		return "VideoController"
+	case strings.Contains(normalized, "processing accelerators"), strings.Contains(normalized, "processing accelerator"):
+		return "ProcessingAccelerator"
+	default:
+		return raw
+	}
+}
+
+func isNICClass(class string) bool {
+	switch strings.TrimSpace(class) {
+	case "EthernetController", "NetworkController":
+		return true
+	default:
+		return false
+	}
+}
+
+func isGPUClass(class string) bool {
+	switch strings.TrimSpace(class) {
+	case "VideoController", "DisplayController", "ProcessingAccelerator":
+		return true
+	default:
+		return false
+	}
+}
+
+func isRAIDClass(class string) bool {
+	switch strings.TrimSpace(class) {
+	case "MassStorageController", "StorageController":
+		return true
+	default:
+		return false
+	}
+}

audit/internal/collector/cpu.go

@@ -3,42 +3,39 @@ package collector
 import (
 	"bee/audit/internal/schema"
 	"bufio"
-	"fmt"
 	"log/slog"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 )
 
-// collectCPUs runs dmidecode -t 4 and reads microcode version from sysfs.
-func collectCPUs(boardSerial string) ([]schema.HardwareCPU, []schema.HardwareFirmwareRecord) {
+// collectCPUs runs dmidecode -t 4 and enriches CPUs with microcode from sysfs.
+func collectCPUs() []schema.HardwareCPU {
 	out, err := runDmidecode("4")
 	if err != nil {
 		slog.Warn("cpu: dmidecode type 4 failed", "err", err)
-		return nil, nil
+		return nil
 	}
 
-	cpus := parseCPUs(out, boardSerial)
-
-	var firmware []schema.HardwareFirmwareRecord
+	cpus := parseCPUs(out)
 	if mc := readMicrocode(); mc != "" {
-		firmware = append(firmware, schema.HardwareFirmwareRecord{
-			DeviceName: "CPU Microcode",
-			Version:    mc,
-		})
+		for i := range cpus {
+			cpus[i].Firmware = &mc
+		}
 	}
 
 	slog.Info("cpu: collected", "count", len(cpus))
-	return cpus, firmware
+	return cpus
 }
 
 // parseCPUs splits dmidecode output into per-processor sections and parses each.
-func parseCPUs(output, boardSerial string) []schema.HardwareCPU {
+func parseCPUs(output string) []schema.HardwareCPU {
 	sections := splitDMISections(output, "Processor Information")
 	cpus := make([]schema.HardwareCPU, 0, len(sections))
 
 	for _, section := range sections {
-		cpu, ok := parseCPUSection(section, boardSerial)
+		cpu, ok := parseCPUSection(section)
 		if !ok {
 			continue
 		}
@@ -49,14 +46,16 @@ func parseCPUs(output, boardSerial string) []schema.HardwareCPU {
 
 // parseCPUSection parses one "Processor Information" block into a HardwareCPU.
 // Returns false if the socket is unpopulated.
-func parseCPUSection(fields map[string]string, boardSerial string) (schema.HardwareCPU, bool) {
+func parseCPUSection(fields map[string]string) (schema.HardwareCPU, bool) {
 	status := parseCPUStatus(fields["Status"])
-	if status == "EMPTY" {
+	if status == statusEmpty {
 		return schema.HardwareCPU{}, false
 	}
 
 	cpu := schema.HardwareCPU{}
 	cpu.Status = &status
+	present := true
+	cpu.Present = &present
 
 	if socket, ok := parseSocketIndex(fields["Socket Designation"]); ok {
 		cpu.Socket = &socket
@@ -70,11 +69,6 @@ func parseCPUSection(fields map[string]string, boardSerial string) (schema.Hardw
 	}
 	if v := cleanDMIValue(fields["Serial Number"]); v != "" {
 		cpu.SerialNumber = &v
-	} else if boardSerial != "" && cpu.Socket != nil {
-		// Intel Xeon never exposes serial via DMI — generate stable fallback
-		// matching core's generateCPUVendorSerial() logic
-		fb := fmt.Sprintf("%s-CPU-%d", boardSerial, *cpu.Socket)
-		cpu.SerialNumber = &fb
 	}
 
 	if v := parseMHz(fields["Max Speed"]); v > 0 {
@@ -99,15 +93,15 @@ func parseCPUStatus(raw string) string {
 	upper := strings.ToUpper(raw)
 	switch {
 	case upper == "" || upper == "UNKNOWN":
-		return "UNKNOWN"
+		return statusUnknown
 	case strings.Contains(upper, "UNPOPULATED") || strings.Contains(upper, "NOT POPULATED"):
-		return "EMPTY"
+		return statusEmpty
 	case strings.Contains(upper, "ENABLED"):
-		return "OK"
+		return statusOK
 	case strings.Contains(upper, "DISABLED"):
-		return "WARNING"
+		return statusWarning
 	default:
-		return "UNKNOWN"
+		return statusUnknown
 	}
 }
 
@@ -178,7 +172,7 @@ func parseInt(v string) int {
 // readMicrocode reads the CPU microcode revision from sysfs.
 // Returns empty string if unavailable.
 func readMicrocode() string {
-	data, err := os.ReadFile("/sys/devices/system/cpu/cpu0/microcode/version")
+	data, err := os.ReadFile(filepath.Join(cpuSysBaseDir, "cpu0", "microcode", "version"))
 	if err != nil {
 		return ""
 	}

audit/internal/collector/cpu_telemetry.go

@@ -0,0 +1,196 @@
+package collector
+
+import (
+	"bee/audit/internal/schema"
+	"os"
+	"path/filepath"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+)
+
+var (
+	cpuSysBaseDir = "/sys/devices/system/cpu"
+	socketIndexRe = regexp.MustCompile(`(?i)(?:package id|socket|cpu)\s*([0-9]+)`)
+)
+
+func enrichCPUsWithTelemetry(cpus []schema.HardwareCPU, doc sensorsDoc) []schema.HardwareCPU {
+	if len(cpus) == 0 {
+		return cpus
+	}
+
+	tempBySocket := cpuTempsFromSensors(doc, len(cpus))
+	powerBySocket := cpuPowerFromSensors(doc, len(cpus))
+	throttleBySocket := cpuThrottleBySocket()
+
+	for i := range cpus {
+		socket := 0
+		if cpus[i].Socket != nil {
+			socket = *cpus[i].Socket
+		}
+		if value, ok := tempBySocket[socket]; ok {
+			cpus[i].TemperatureC = &value
+		}
+		if value, ok := powerBySocket[socket]; ok {
+			cpus[i].PowerW = &value
+		}
+		if value, ok := throttleBySocket[socket]; ok {
+			cpus[i].Throttled = &value
+		}
+	}
+
+	return cpus
+}
+
+func cpuTempsFromSensors(doc sensorsDoc, cpuCount int) map[int]float64 {
+	out := map[int]float64{}
+	if len(doc) == 0 {
+		return out
+	}
+	var fallback []float64
+	for chip, features := range doc {
+		for featureName, raw := range features {
+			feature, ok := raw.(map[string]any)
+			if !ok {
+				continue
+			}
+			if classifySensorFeature(feature) != "temp" {
+				continue
+			}
+			temp, ok := firstFeatureFloat(feature, "_input")
+			if !ok {
+				continue
+			}
+			if socket, ok := detectCPUSocket(chip, featureName); ok {
+				if _, exists := out[socket]; !exists {
+					out[socket] = temp
+				}
+				continue
+			}
+			if isLikelyCPUTemp(chip, featureName) {
+				fallback = append(fallback, temp)
+			}
+		}
+	}
+	if len(out) == 0 && cpuCount == 1 && len(fallback) > 0 {
+		out[0] = fallback[0]
+	}
+	return out
+}
+
+func cpuPowerFromSensors(doc sensorsDoc, cpuCount int) map[int]float64 {
+	out := map[int]float64{}
+	if len(doc) == 0 {
+		return out
+	}
+	var fallback []float64
+	for chip, features := range doc {
+		for featureName, raw := range features {
+			feature, ok := raw.(map[string]any)
+			if !ok {
+				continue
+			}
+			if classifySensorFeature(feature) != "power" {
+				continue
+			}
+			power, ok := firstFeatureFloatWithContains(feature, []string{"power"})
+			if !ok {
+				continue
+			}
+			if socket, ok := detectCPUSocket(chip, featureName); ok {
+				if _, exists := out[socket]; !exists {
+					out[socket] = power
+				}
+				continue
+			}
+			if isLikelyCPUPower(chip, featureName) {
+				fallback = append(fallback, power)
+			}
+		}
+	}
+	if len(out) == 0 && cpuCount == 1 && len(fallback) > 0 {
+		out[0] = fallback[0]
+	}
+	return out
+}
+
+func detectCPUSocket(parts ...string) (int, bool) {
+	for _, part := range parts {
+		matches := socketIndexRe.FindStringSubmatch(strings.ToLower(part))
+		if len(matches) == 2 {
+			value, err := strconv.Atoi(matches[1])
+			if err == nil {
+				return value, true
+			}
+		}
+	}
+	return 0, false
+}
+
+func isLikelyCPUTemp(chip, feature string) bool {
+	value := strings.ToLower(chip + " " + feature)
+	return strings.Contains(value, "coretemp") ||
+		strings.Contains(value, "k10temp") ||
+		strings.Contains(value, "package id") ||
+		strings.Contains(value, "tdie") ||
+		strings.Contains(value, "tctl") ||
+		strings.Contains(value, "cpu temp")
+}
+
+func isLikelyCPUPower(chip, feature string) bool {
+	value := strings.ToLower(chip + " " + feature)
+	return strings.Contains(value, "intel-rapl") ||
+		strings.Contains(value, "package id") ||
+		strings.Contains(value, "package-") ||
+		strings.Contains(value, "cpu power")
+}
+
+func cpuThrottleBySocket() map[int]bool {
+	out := map[int]bool{}
+	cpuDirs, err := filepath.Glob(filepath.Join(cpuSysBaseDir, "cpu[0-9]*"))
+	if err != nil {
+		return out
+	}
+	sort.Strings(cpuDirs)
+	for _, cpuDir := range cpuDirs {
+		socket, ok := readSocketIndex(cpuDir)
+		if !ok {
+			continue
+		}
+		if cpuPackageThrottled(cpuDir) {
+			out[socket] = true
+		}
+	}
+	return out
+}
+
+func readSocketIndex(cpuDir string) (int, bool) {
+	raw, err := os.ReadFile(filepath.Join(cpuDir, "topology", "physical_package_id"))
+	if err != nil {
+		return 0, false
+	}
+	value, err := strconv.Atoi(strings.TrimSpace(string(raw)))
+	if err != nil || value < 0 {
+		return 0, false
+	}
+	return value, true
+}
+
+func cpuPackageThrottled(cpuDir string) bool {
+	paths := []string{
+		filepath.Join(cpuDir, "thermal_throttle", "package_throttle_count"),
+		filepath.Join(cpuDir, "thermal_throttle", "core_throttle_count"),
+	}
+	for _, path := range paths {
+		raw, err := os.ReadFile(path)
+		if err != nil {
+			continue
+		}
+		value, err := strconv.ParseInt(strings.TrimSpace(string(raw)), 10, 64)
+		if err == nil && value > 0 {
+			return true
+		}
+	}
+	return false
+}

audit/internal/collector/cpu_telemetry_test.go

@@ -0,0 +1,71 @@
+package collector
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"bee/audit/internal/schema"
+)
+
+func TestEnrichCPUsWithTelemetry(t *testing.T) {
+	tmp := t.TempDir()
+	oldBase := cpuSysBaseDir
+	cpuSysBaseDir = tmp
+	t.Cleanup(func() { cpuSysBaseDir = oldBase })
+
+	mustWriteFile(t, filepath.Join(tmp, "cpu0", "topology", "physical_package_id"), "0\n")
+	mustWriteFile(t, filepath.Join(tmp, "cpu0", "thermal_throttle", "package_throttle_count"), "3\n")
+	mustWriteFile(t, filepath.Join(tmp, "cpu1", "topology", "physical_package_id"), "1\n")
+	mustWriteFile(t, filepath.Join(tmp, "cpu1", "thermal_throttle", "package_throttle_count"), "0\n")
+
+	doc := sensorsDoc{
+		"coretemp-isa-0000": {
+			"Package id 0": map[string]any{"temp1_input": 61.5},
+			"Package id 1": map[string]any{"temp2_input": 58.0},
+		},
+		"intel-rapl-mmio-0": {
+			"Package id 0": map[string]any{"power1_average": 180.0},
+			"Package id 1": map[string]any{"power2_average": 175.0},
+		},
+	}
+
+	socket0 := 0
+	socket1 := 1
+	status := statusOK
+	cpus := []schema.HardwareCPU{
+		{Socket: &socket0, HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+		{Socket: &socket1, HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+	}
+
+	got := enrichCPUsWithTelemetry(cpus, doc)
+
+	if got[0].TemperatureC == nil || *got[0].TemperatureC != 61.5 {
+		t.Fatalf("cpu0 temperature mismatch: %#v", got[0].TemperatureC)
+	}
+	if got[0].PowerW == nil || *got[0].PowerW != 180.0 {
+		t.Fatalf("cpu0 power mismatch: %#v", got[0].PowerW)
+	}
+	if got[0].Throttled == nil || !*got[0].Throttled {
+		t.Fatalf("cpu0 throttled mismatch: %#v", got[0].Throttled)
+	}
+	if got[1].TemperatureC == nil || *got[1].TemperatureC != 58.0 {
+		t.Fatalf("cpu1 temperature mismatch: %#v", got[1].TemperatureC)
+	}
+	if got[1].PowerW == nil || *got[1].PowerW != 175.0 {
+		t.Fatalf("cpu1 power mismatch: %#v", got[1].PowerW)
+	}
+	if got[1].Throttled != nil && *got[1].Throttled {
+		t.Fatalf("cpu1 throttled mismatch: %#v", got[1].Throttled)
+	}
+}
+
+func mustWriteFile(t *testing.T, path, content string) {
+	t.Helper()
+	if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+		t.Fatalf("mkdir %s: %v", path, err)
+	}
+	if err := os.WriteFile(path, []byte(content), 0644); err != nil {
+		t.Fatalf("write %s: %v", path, err)
+	}
+}

audit/internal/collector/cpu_test.go

@@ -1,12 +1,14 @@
 package collector
 
 import (
+	"os"
+	"path/filepath"
 	"testing"
 )
 
 func TestParseCPUs_dual_socket(t *testing.T) {
 	out := mustReadFile(t, "testdata/dmidecode_type4.txt")
-	cpus := parseCPUs(out, "CAR315KA0803B90")
+	cpus := parseCPUs(out)
 
 	if len(cpus) != 2 {
 		t.Fatalf("expected 2 CPUs, got %d", len(cpus))
@@ -37,23 +39,22 @@ func TestParseCPUs_dual_socket(t *testing.T) {
 	if cpu0.Status == nil || *cpu0.Status != "OK" {
 		t.Errorf("cpu0 status: got %v, want OK", cpu0.Status)
 	}
-	// Intel Xeon serial not available → fallback
-	if cpu0.SerialNumber == nil || *cpu0.SerialNumber != "CAR315KA0803B90-CPU-0" {
-		t.Errorf("cpu0 serial fallback: got %v, want CAR315KA0803B90-CPU-0", cpu0.SerialNumber)
+	if cpu0.SerialNumber != nil {
+		t.Errorf("cpu0 serial should stay nil without source data, got %v", cpu0.SerialNumber)
 	}
 
 	cpu1 := cpus[1]
 	if cpu1.Socket == nil || *cpu1.Socket != 1 {
 		t.Errorf("cpu1 socket: got %v, want 1", cpu1.Socket)
 	}
-	if cpu1.SerialNumber == nil || *cpu1.SerialNumber != "CAR315KA0803B90-CPU-1" {
-		t.Errorf("cpu1 serial fallback: got %v, want CAR315KA0803B90-CPU-1", cpu1.SerialNumber)
+	if cpu1.SerialNumber != nil {
+		t.Errorf("cpu1 serial should stay nil without source data, got %v", cpu1.SerialNumber)
 	}
 }
 
 func TestParseCPUs_unpopulated_skipped(t *testing.T) {
 	out := mustReadFile(t, "testdata/dmidecode_type4_disabled.txt")
-	cpus := parseCPUs(out, "BOARD-001")
+	cpus := parseCPUs(out)
 
 	if len(cpus) != 1 {
 		t.Fatalf("expected 1 CPU (unpopulated skipped), got %d", len(cpus))
@@ -63,18 +64,51 @@ func TestParseCPUs_unpopulated_skipped(t *testing.T) {
 	}
 }
 
+func TestCollectCPUsSetsFirmwareFromMicrocode(t *testing.T) {
+	tmp := t.TempDir()
+	origBase := cpuSysBaseDir
+	cpuSysBaseDir = tmp
+	t.Cleanup(func() { cpuSysBaseDir = origBase })
+
+	if err := os.MkdirAll(filepath.Join(tmp, "cpu0", "microcode"), 0755); err != nil {
+		t.Fatalf("mkdir microcode dir: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(tmp, "cpu0", "microcode", "version"), []byte("0x2b000643\n"), 0644); err != nil {
+		t.Fatalf("write microcode version: %v", err)
+	}
+
+	origRun := execDmidecode
+	execDmidecode = func(typeNum string) (string, error) {
+		if typeNum != "4" {
+			t.Fatalf("unexpected dmidecode type: %s", typeNum)
+		}
+		return mustReadFile(t, "testdata/dmidecode_type4.txt"), nil
+	}
+	t.Cleanup(func() { execDmidecode = origRun })
+
+	cpus := collectCPUs()
+	if len(cpus) != 2 {
+		t.Fatalf("expected 2 CPUs, got %d", len(cpus))
+	}
+	for i, cpu := range cpus {
+		if cpu.Firmware == nil || *cpu.Firmware != "0x2b000643" {
+			t.Fatalf("cpu[%d] firmware=%v want microcode", i, cpu.Firmware)
+		}
+	}
+}
+
 func TestParseCPUStatus(t *testing.T) {
 	tests := []struct {
 		input string
 		want  string
 	}{
 		{"Populated, Enabled", "OK"},
-		{"Populated, Disabled By User", "WARNING"},
-		{"Populated, Disabled By BIOS", "WARNING"},
-		{"Unpopulated", "EMPTY"},
-		{"Not Populated", "EMPTY"},
-		{"Unknown", "UNKNOWN"},
-		{"", "UNKNOWN"},
+		{"Populated, Disabled By User", statusWarning},
+		{"Populated, Disabled By BIOS", statusWarning},
+		{"Unpopulated", statusEmpty},
+		{"Not Populated", statusEmpty},
+		{"Unknown", statusUnknown},
+		{"", statusUnknown},
 	}
 	for _, tt := range tests {
 		got := parseCPUStatus(tt.input)

audit/internal/collector/finalize.go

@@ -0,0 +1,77 @@
+package collector
+
+import "bee/audit/internal/schema"
+
+func finalizeSnapshot(snap *schema.HardwareSnapshot, collectedAt string) {
+	snap.Memory = filterMemory(snap.Memory)
+	snap.Storage = filterStorage(snap.Storage)
+	snap.PowerSupplies = filterPSUs(snap.PowerSupplies)
+
+	setComponentStatusMetadata(snap, collectedAt)
+}
+
+func filterMemory(dimms []schema.HardwareMemory) []schema.HardwareMemory {
+	out := make([]schema.HardwareMemory, 0, len(dimms))
+	for _, dimm := range dimms {
+		if dimm.Present != nil && !*dimm.Present {
+			continue
+		}
+		if dimm.Status != nil && *dimm.Status == statusEmpty {
+			continue
+		}
+		if dimm.SerialNumber == nil || *dimm.SerialNumber == "" {
+			continue
+		}
+		out = append(out, dimm)
+	}
+	return out
+}
+
+func filterStorage(disks []schema.HardwareStorage) []schema.HardwareStorage {
+	out := make([]schema.HardwareStorage, 0, len(disks))
+	for _, disk := range disks {
+		if disk.SerialNumber == nil || *disk.SerialNumber == "" {
+			continue
+		}
+		out = append(out, disk)
+	}
+	return out
+}
+
+func filterPSUs(psus []schema.HardwarePowerSupply) []schema.HardwarePowerSupply {
+	out := make([]schema.HardwarePowerSupply, 0, len(psus))
+	for _, psu := range psus {
+		if psu.SerialNumber == nil || *psu.SerialNumber == "" {
+			continue
+		}
+		out = append(out, psu)
+	}
+	return out
+}
+
+func setComponentStatusMetadata(snap *schema.HardwareSnapshot, collectedAt string) {
+	for i := range snap.CPUs {
+		setStatusCheckedAt(&snap.CPUs[i].HardwareComponentStatus, collectedAt)
+	}
+	for i := range snap.Memory {
+		setStatusCheckedAt(&snap.Memory[i].HardwareComponentStatus, collectedAt)
+	}
+	for i := range snap.Storage {
+		setStatusCheckedAt(&snap.Storage[i].HardwareComponentStatus, collectedAt)
+	}
+	for i := range snap.PCIeDevices {
+		setStatusCheckedAt(&snap.PCIeDevices[i].HardwareComponentStatus, collectedAt)
+	}
+	for i := range snap.PowerSupplies {
+		setStatusCheckedAt(&snap.PowerSupplies[i].HardwareComponentStatus, collectedAt)
+	}
+}
+
+func setStatusCheckedAt(status *schema.HardwareComponentStatus, collectedAt string) {
+	if status == nil || status.Status == nil || *status.Status == "" {
+		return
+	}
+	if status.StatusCheckedAt == nil {
+		status.StatusCheckedAt = &collectedAt
+	}
+}

audit/internal/collector/finalize_test.go

@@ -0,0 +1,63 @@
+package collector
+
+import (
+	"bee/audit/internal/schema"
+	"testing"
+)
+
+func TestFinalizeSnapshotFiltersComponentsWithoutRequiredSerials(t *testing.T) {
+	collectedAt := "2026-03-15T12:00:00Z"
+	present := true
+	status := statusOK
+	serial := "SN-1"
+
+	snap := schema.HardwareSnapshot{
+		Memory: []schema.HardwareMemory{
+			{Present: &present, SerialNumber: &serial, HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+			{Present: &present, HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+		},
+		Storage: []schema.HardwareStorage{
+			{SerialNumber: &serial, HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+			{HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+		},
+		PowerSupplies: []schema.HardwarePowerSupply{
+			{SerialNumber: &serial, HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+			{HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+		},
+	}
+
+	finalizeSnapshot(&snap, collectedAt)
+
+	if len(snap.Memory) != 1 || snap.Memory[0].StatusCheckedAt == nil || *snap.Memory[0].StatusCheckedAt != collectedAt {
+		t.Fatalf("memory finalize mismatch: %+v", snap.Memory)
+	}
+	if len(snap.Storage) != 1 || snap.Storage[0].StatusCheckedAt == nil || *snap.Storage[0].StatusCheckedAt != collectedAt {
+		t.Fatalf("storage finalize mismatch: %+v", snap.Storage)
+	}
+	if len(snap.PowerSupplies) != 1 || snap.PowerSupplies[0].StatusCheckedAt == nil || *snap.PowerSupplies[0].StatusCheckedAt != collectedAt {
+		t.Fatalf("psu finalize mismatch: %+v", snap.PowerSupplies)
+	}
+}
+
+func TestFinalizeSnapshotPreservesDuplicateSerials(t *testing.T) {
+	collectedAt := "2026-03-15T12:00:00Z"
+	status := statusOK
+	model := "Device"
+	serial := "DUPLICATE"
+
+	snap := schema.HardwareSnapshot{
+		Storage: []schema.HardwareStorage{
+			{Model: &model, SerialNumber: &serial, HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+			{Model: &model, SerialNumber: &serial, HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+		},
+	}
+
+	finalizeSnapshot(&snap, collectedAt)
+
+	if got := *snap.Storage[0].SerialNumber; got != serial {
+		t.Fatalf("first serial changed: %q", got)
+	}
+	if got := *snap.Storage[1].SerialNumber; got != serial {
+		t.Fatalf("duplicate serial should stay unchanged: %q", got)
+	}
+}

audit/internal/collector/memory.go

@@ -47,12 +47,12 @@ func parseMemorySection(fields map[string]string) schema.HardwareMemory {
 	dimm.Present = &present
 
 	if !present {
-		status := "EMPTY"
+		status := statusEmpty
 		dimm.Status = &status
 		return dimm
 	}
 
-	status := "OK"
+	status := statusOK
 	dimm.Status = &status
 
 	if mb := parseMemorySizeMB(rawSize); mb > 0 {

audit/internal/collector/memory_telemetry.go

@@ -0,0 +1,203 @@
+package collector
+
+import (
+	"bee/audit/internal/schema"
+	"os"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+)
+
+var edacBaseDir = "/sys/devices/system/edac/mc"
+
+type edacDIMMStats struct {
+	Label   string
+	CECount *int64
+	UECount *int64
+}
+
+func enrichMemoryWithTelemetry(dimms []schema.HardwareMemory, doc sensorsDoc) []schema.HardwareMemory {
+	if len(dimms) == 0 {
+		return dimms
+	}
+
+	tempByLabel := memoryTempsFromSensors(doc)
+	stats := readEDACStats()
+
+	for i := range dimms {
+		labelKeys := dimmMatchKeys(dimms[i].Slot, dimms[i].Location)
+
+		for _, key := range labelKeys {
+			if temp, ok := tempByLabel[key]; ok {
+				dimms[i].TemperatureC = &temp
+				break
+			}
+		}
+
+		for _, key := range labelKeys {
+			if stat, ok := stats[key]; ok {
+				if stat.CECount != nil {
+					dimms[i].CorrectableECCErrorCount = stat.CECount
+				}
+				if stat.UECount != nil {
+					dimms[i].UncorrectableECCErrorCount = stat.UECount
+				}
+				if stat.UECount != nil && *stat.UECount > 0 {
+					dimms[i].DataLossDetected = boolPtr(true)
+					status := statusCritical
+					dimms[i].Status = &status
+					if dimms[i].ErrorDescription == nil {
+						dimms[i].ErrorDescription = stringPtr("EDAC reports uncorrectable ECC errors")
+					}
+				} else if stat.CECount != nil && *stat.CECount > 0 && (dimms[i].Status == nil || *dimms[i].Status == statusOK) {
+					status := statusWarning
+					dimms[i].Status = &status
+					if dimms[i].ErrorDescription == nil {
+						dimms[i].ErrorDescription = stringPtr("EDAC reports correctable ECC errors")
+					}
+				}
+				break
+			}
+		}
+	}
+
+	return dimms
+}
+
+func memoryTempsFromSensors(doc sensorsDoc) map[string]float64 {
+	out := map[string]float64{}
+	if len(doc) == 0 {
+		return out
+	}
+	for chip, features := range doc {
+		for featureName, raw := range features {
+			feature, ok := raw.(map[string]any)
+			if !ok || classifySensorFeature(feature) != "temp" {
+				continue
+			}
+			if !isLikelyMemoryTemp(chip, featureName) {
+				continue
+			}
+			temp, ok := firstFeatureFloat(feature, "_input")
+			if !ok {
+				continue
+			}
+			key := canonicalLabel(featureName)
+			if key == "" {
+				continue
+			}
+			if _, exists := out[key]; !exists {
+				out[key] = temp
+			}
+		}
+	}
+	return out
+}
+
+func readEDACStats() map[string]edacDIMMStats {
+	out := map[string]edacDIMMStats{}
+	mcDirs, err := filepath.Glob(filepath.Join(edacBaseDir, "mc*"))
+	if err != nil {
+		return out
+	}
+	sort.Strings(mcDirs)
+	for _, mcDir := range mcDirs {
+		dimmDirs, err := filepath.Glob(filepath.Join(mcDir, "dimm*"))
+		if err != nil {
+			continue
+		}
+		sort.Strings(dimmDirs)
+		for _, dimmDir := range dimmDirs {
+			stat, ok := readEDACDIMMStats(dimmDir)
+			if !ok {
+				continue
+			}
+			key := canonicalLabel(stat.Label)
+			if key == "" {
+				continue
+			}
+			out[key] = stat
+		}
+	}
+	return out
+}
+
+func readEDACDIMMStats(dimmDir string) (edacDIMMStats, bool) {
+	labelBytes, err := os.ReadFile(filepath.Join(dimmDir, "dimm_label"))
+	if err != nil {
+		labelBytes, err = os.ReadFile(filepath.Join(dimmDir, "label"))
+		if err != nil {
+			return edacDIMMStats{}, false
+		}
+	}
+	label := strings.TrimSpace(string(labelBytes))
+	if label == "" {
+		return edacDIMMStats{}, false
+	}
+
+	stat := edacDIMMStats{Label: label}
+	if value, ok := readEDACCount(dimmDir, []string{"dimm_ce_count", "ce_count"}); ok {
+		stat.CECount = &value
+	}
+	if value, ok := readEDACCount(dimmDir, []string{"dimm_ue_count", "ue_count"}); ok {
+		stat.UECount = &value
+	}
+	return stat, true
+}
+
+func readEDACCount(dir string, names []string) (int64, bool) {
+	for _, name := range names {
+		raw, err := os.ReadFile(filepath.Join(dir, name))
+		if err != nil {
+			continue
+		}
+		value, err := strconv.ParseInt(strings.TrimSpace(string(raw)), 10, 64)
+		if err == nil && value >= 0 {
+			return value, true
+		}
+	}
+	return 0, false
+}
+
+func dimmMatchKeys(slot, location *string) []string {
+	var out []string
+	add := func(value *string) {
+		key := canonicalLabel(derefString(value))
+		if key == "" {
+			return
+		}
+		for _, existing := range out {
+			if existing == key {
+				return
+			}
+		}
+		out = append(out, key)
+	}
+	add(slot)
+	add(location)
+	return out
+}
+
+func canonicalLabel(value string) string {
+	value = strings.ToUpper(strings.TrimSpace(value))
+	if value == "" {
+		return ""
+	}
+	var b strings.Builder
+	for _, r := range value {
+		if (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') {
+			b.WriteRune(r)
+		}
+	}
+	return b.String()
+}
+
+func isLikelyMemoryTemp(chip, feature string) bool {
+	value := strings.ToLower(chip + " " + feature)
+	return strings.Contains(value, "dimm") || strings.Contains(value, "sodimm")
+}
+
+func boolPtr(value bool) *bool {
+	return &value
+}

audit/internal/collector/memory_telemetry_test.go

@@ -0,0 +1,61 @@
+package collector
+
+import (
+	"path/filepath"
+	"testing"
+
+	"bee/audit/internal/schema"
+)
+
+func TestEnrichMemoryWithTelemetry(t *testing.T) {
+	tmp := t.TempDir()
+	oldBase := edacBaseDir
+	edacBaseDir = tmp
+	t.Cleanup(func() { edacBaseDir = oldBase })
+
+	mustWriteFile(t, filepath.Join(tmp, "mc0", "dimm0", "dimm_label"), "CPU0_DIMM_A1\n")
+	mustWriteFile(t, filepath.Join(tmp, "mc0", "dimm0", "dimm_ce_count"), "7\n")
+	mustWriteFile(t, filepath.Join(tmp, "mc0", "dimm0", "dimm_ue_count"), "0\n")
+	mustWriteFile(t, filepath.Join(tmp, "mc0", "dimm1", "dimm_label"), "CPU1_DIMM_B2\n")
+	mustWriteFile(t, filepath.Join(tmp, "mc0", "dimm1", "dimm_ce_count"), "0\n")
+	mustWriteFile(t, filepath.Join(tmp, "mc0", "dimm1", "dimm_ue_count"), "2\n")
+
+	doc := sensorsDoc{
+		"jc42-i2c-0-18": {
+			"CPU0 DIMM A1": map[string]any{"temp1_input": 43.0},
+			"CPU1 DIMM B2": map[string]any{"temp2_input": 46.0},
+		},
+	}
+
+	status := statusOK
+	slotA := "CPU0_DIMM_A1"
+	slotB := "CPU1_DIMM_B2"
+	dimms := []schema.HardwareMemory{
+		{Slot: &slotA, HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+		{Slot: &slotB, HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status}},
+	}
+
+	got := enrichMemoryWithTelemetry(dimms, doc)
+
+	if got[0].TemperatureC == nil || *got[0].TemperatureC != 43.0 {
+		t.Fatalf("dimm0 temperature mismatch: %#v", got[0].TemperatureC)
+	}
+	if got[0].CorrectableECCErrorCount == nil || *got[0].CorrectableECCErrorCount != 7 {
+		t.Fatalf("dimm0 ce mismatch: %#v", got[0].CorrectableECCErrorCount)
+	}
+	if got[0].Status == nil || *got[0].Status != statusWarning {
+		t.Fatalf("dimm0 status mismatch: %#v", got[0].Status)
+	}
+	if got[1].TemperatureC == nil || *got[1].TemperatureC != 46.0 {
+		t.Fatalf("dimm1 temperature mismatch: %#v", got[1].TemperatureC)
+	}
+	if got[1].UncorrectableECCErrorCount == nil || *got[1].UncorrectableECCErrorCount != 2 {
+		t.Fatalf("dimm1 ue mismatch: %#v", got[1].UncorrectableECCErrorCount)
+	}
+	if got[1].Status == nil || *got[1].Status != statusCritical {
+		t.Fatalf("dimm1 status mismatch: %#v", got[1].Status)
+	}
+	if got[1].DataLossDetected == nil || !*got[1].DataLossDetected {
+		t.Fatalf("dimm1 data_loss_detected mismatch: %#v", got[1].DataLossDetected)
+	}
+}

audit/internal/collector/nic_telemetry.go

@@ -18,17 +18,13 @@ var (
 		}
 		return string(out), nil
 	}
-	readNetStatFile = func(iface, key string) (int64, error) {
-		path := filepath.Join("/sys/class/net", iface, "statistics", key)
+	readNetAddressFile = func(iface string) (string, error) {
+		path := filepath.Join("/sys/class/net", iface, "address")
 		raw, err := os.ReadFile(path)
 		if err != nil {
-			return 0, err
+			return "", err
 		}
-		v, err := strconv.ParseInt(strings.TrimSpace(string(raw)), 10, 64)
-		if err != nil {
-			return 0, err
-		}
-		return v, nil
+		return strings.TrimSpace(string(raw)), nil
 	}
 )
 
@@ -47,6 +43,7 @@ func enrichPCIeWithNICTelemetry(devs []schema.HardwarePCIeDevice) []schema.Hardw
 			continue
 		}
 		iface := ifaces[0]
+		devs[i].MacAddresses = collectInterfaceMACs(ifaces)
 
 		if devs[i].Firmware == nil {
 			if out, err := ethtoolInfoQuery(iface); err == nil {
@@ -56,16 +53,13 @@ func enrichPCIeWithNICTelemetry(devs []schema.HardwarePCIeDevice) []schema.Hardw
 			}
 		}
 
-		if devs[i].Telemetry == nil {
-			devs[i].Telemetry = map[string]any{}
-		}
-		injectNICPacketStats(devs[i].Telemetry, iface)
 		if out, err := ethtoolModuleQuery(iface); err == nil {
-			injectSFPDOMTelemetry(devs[i].Telemetry, out)
+			if injectSFPDOMTelemetry(&devs[i], out) {
+				enriched++
+				continue
+			}
 		}
-		if len(devs[i].Telemetry) == 0 {
-			devs[i].Telemetry = nil
-		} else {
+		if len(devs[i].MacAddresses) > 0 || devs[i].Firmware != nil {
 			enriched++
 		}
 	}
@@ -77,31 +71,32 @@ func isNICDevice(dev schema.HardwarePCIeDevice) bool {
 	if dev.DeviceClass == nil {
 		return false
 	}
-	c := strings.ToLower(strings.TrimSpace(*dev.DeviceClass))
-	return strings.Contains(c, "ethernet controller") ||
-		strings.Contains(c, "network controller") ||
-		strings.Contains(c, "infiniband controller")
+	c := strings.TrimSpace(*dev.DeviceClass)
+	return isNICClass(c) || strings.EqualFold(c, "FibreChannelController")
 }
 
-func injectNICPacketStats(dst map[string]any, iface string) {
-	for _, key := range []string{"rx_packets", "tx_packets", "rx_errors", "tx_errors"} {
-		if v, err := readNetStatFile(iface, key); err == nil {
-			dst[key] = v
+func collectInterfaceMACs(ifaces []string) []string {
+	seen := map[string]struct{}{}
+	var out []string
+	for _, iface := range ifaces {
+		mac, err := readNetAddressFile(iface)
+		if err != nil || mac == "" {
+			continue
 		}
+		mac = strings.ToLower(strings.TrimSpace(mac))
+		if _, ok := seen[mac]; ok {
+			continue
+		}
+		seen[mac] = struct{}{}
+		out = append(out, mac)
 	}
-}
-
-func injectSFPDOMTelemetry(dst map[string]any, raw string) {
-	parsed := parseSFPDOM(raw)
-	for k, v := range parsed {
-		dst[k] = v
-	}
+	return out
 }
 
 var floatRe = regexp.MustCompile(`[-+]?[0-9]*\.?[0-9]+`)
 
-func parseSFPDOM(raw string) map[string]any {
-	out := map[string]any{}
+func injectSFPDOMTelemetry(dev *schema.HardwarePCIeDevice, raw string) bool {
+	var changed bool
 	for _, line := range strings.Split(raw, "\n") {
 		trimmed := strings.TrimSpace(line)
 		if trimmed == "" {
@@ -117,26 +112,55 @@ func parseSFPDOM(raw string) map[string]any {
 		switch {
 		case strings.Contains(key, "module temperature"):
 			if f, ok := firstFloat(val); ok {
-				out["sfp_temperature_c"] = f
+				dev.SFPTemperatureC = &f
+				changed = true
 			}
 		case strings.Contains(key, "laser output power"):
 			if f, ok := dbmValue(val); ok {
-				out["sfp_tx_power_dbm"] = f
+				dev.SFPTXPowerDBM = &f
+				changed = true
 			}
 		case strings.Contains(key, "receiver signal"):
 			if f, ok := dbmValue(val); ok {
-				out["sfp_rx_power_dbm"] = f
+				dev.SFPRXPowerDBM = &f
+				changed = true
 			}
 		case strings.Contains(key, "module voltage"):
 			if f, ok := firstFloat(val); ok {
-				out["sfp_voltage_v"] = f
+				dev.SFPVoltageV = &f
+				changed = true
 			}
 		case strings.Contains(key, "laser bias current"):
 			if f, ok := firstFloat(val); ok {
-				out["sfp_bias_ma"] = f
+				dev.SFPBiasMA = &f
+				changed = true
 			}
 		}
 	}
+	return changed
+}
+
+func parseSFPDOM(raw string) map[string]any {
+	dev := schema.HardwarePCIeDevice{}
+	if !injectSFPDOMTelemetry(&dev, raw) {
+		return map[string]any{}
+	}
+	out := map[string]any{}
+	if dev.SFPTemperatureC != nil {
+		out["sfp_temperature_c"] = *dev.SFPTemperatureC
+	}
+	if dev.SFPTXPowerDBM != nil {
+		out["sfp_tx_power_dbm"] = *dev.SFPTXPowerDBM
+	}
+	if dev.SFPRXPowerDBM != nil {
+		out["sfp_rx_power_dbm"] = *dev.SFPRXPowerDBM
+	}
+	if dev.SFPVoltageV != nil {
+		out["sfp_voltage_v"] = *dev.SFPVoltageV
+	}
+	if dev.SFPBiasMA != nil {
+		out["sfp_bias_ma"] = *dev.SFPBiasMA
+	}
 	return out
 }
 

audit/internal/collector/nvidia.go

@@ -24,18 +24,29 @@ type nvidiaGPUInfo struct {
 }
 
 // enrichPCIeWithNVIDIA enriches NVIDIA PCIe devices with data from nvidia-smi.
-// If the driver/tool is unavailable, NVIDIA devices get UNKNOWN status and
-// a stable serial fallback based on board serial + slot.
-func enrichPCIeWithNVIDIA(devs []schema.HardwarePCIeDevice, boardSerial string) []schema.HardwarePCIeDevice {
+// If the driver/tool is unavailable, NVIDIA devices get Unknown status.
+func enrichPCIeWithNVIDIA(devs []schema.HardwarePCIeDevice) []schema.HardwarePCIeDevice {
+	if !hasNVIDIADevices(devs) {
+		return devs
+	}
 	gpuByBDF, err := queryNVIDIAGPUs()
 	if err != nil {
 		slog.Info("nvidia: enrichment skipped", "err", err)
-		return enrichPCIeWithNVIDIAData(devs, nil, boardSerial, false)
+		return enrichPCIeWithNVIDIAData(devs, nil, false)
 	}
-	return enrichPCIeWithNVIDIAData(devs, gpuByBDF, boardSerial, true)
+	return enrichPCIeWithNVIDIAData(devs, gpuByBDF, true)
 }
 
-func enrichPCIeWithNVIDIAData(devs []schema.HardwarePCIeDevice, gpuByBDF map[string]nvidiaGPUInfo, boardSerial string, driverLoaded bool) []schema.HardwarePCIeDevice {
+func hasNVIDIADevices(devs []schema.HardwarePCIeDevice) bool {
+	for _, dev := range devs {
+		if isNVIDIADevice(dev) {
+			return true
+		}
+	}
+	return false
+}
+
+func enrichPCIeWithNVIDIAData(devs []schema.HardwarePCIeDevice, gpuByBDF map[string]nvidiaGPUInfo, driverLoaded bool) []schema.HardwarePCIeDevice {
 	enriched := 0
 	for i := range devs {
 		if !isNVIDIADevice(devs[i]) {
@@ -43,7 +54,7 @@ func enrichPCIeWithNVIDIAData(devs []schema.HardwarePCIeDevice, gpuByBDF map[str
 		}
 
 		if !driverLoaded {
-			setPCIeFallback(&devs[i], boardSerial)
+			setPCIeFallback(&devs[i])
 			continue
 		}
 
@@ -53,22 +64,21 @@ func enrichPCIeWithNVIDIAData(devs []schema.HardwarePCIeDevice, gpuByBDF map[str
 		}
 		info, ok := gpuByBDF[bdf]
 		if !ok {
-			setPCIeFallback(&devs[i], boardSerial)
+			setPCIeFallback(&devs[i])
 			continue
 		}
 
 		if v := strings.TrimSpace(info.Serial); v != "" {
 			devs[i].SerialNumber = &v
-		} else {
-			setPCIeFallbackSerial(&devs[i], boardSerial)
 		}
 		if v := strings.TrimSpace(info.VBIOS); v != "" {
 			devs[i].Firmware = &v
 		}
 
-		status := "OK"
+		status := statusOK
 		if info.ECCUncorrected != nil && *info.ECCUncorrected > 0 {
-			status = "WARNING"
+			status = statusWarning
+			devs[i].ErrorDescription = stringPtr("GPU reports uncorrected ECC errors")
 		}
 		devs[i].Status = &status
 		injectNVIDIATelemetry(&devs[i], info)
@@ -200,46 +210,25 @@ func isNVIDIADevice(dev schema.HardwarePCIeDevice) bool {
 	return false
 }
 
-func setPCIeFallback(dev *schema.HardwarePCIeDevice, boardSerial string) {
-	setPCIeFallbackSerial(dev, boardSerial)
-	status := "UNKNOWN"
+func setPCIeFallback(dev *schema.HardwarePCIeDevice) {
+	status := statusUnknown
 	dev.Status = &status
 }
 
-func setPCIeFallbackSerial(dev *schema.HardwarePCIeDevice, boardSerial string) {
-	if strings.TrimSpace(boardSerial) == "" || dev.SerialNumber != nil {
-		return
-	}
-	slot := "unknown"
-	if dev.BDF != nil && strings.TrimSpace(*dev.BDF) != "" {
-		slot = strings.TrimSpace(*dev.BDF)
-	} else if dev.Slot != nil && strings.TrimSpace(*dev.Slot) != "" {
-		slot = strings.TrimSpace(*dev.Slot)
-	}
-	fb := fmt.Sprintf("%s-PCIE-%s", boardSerial, slot)
-	dev.SerialNumber = &fb
-}
-
 func injectNVIDIATelemetry(dev *schema.HardwarePCIeDevice, info nvidiaGPUInfo) {
-	if dev.Telemetry == nil {
-		dev.Telemetry = map[string]any{}
-	}
 	if info.TemperatureC != nil {
-		dev.Telemetry["temperature_c"] = *info.TemperatureC
+		dev.TemperatureC = info.TemperatureC
 	}
 	if info.PowerW != nil {
-		dev.Telemetry["power_w"] = *info.PowerW
+		dev.PowerW = info.PowerW
 	}
 	if info.ECCUncorrected != nil {
-		dev.Telemetry["ecc_uncorrected_total"] = *info.ECCUncorrected
+		dev.ECCUncorrectedTotal = info.ECCUncorrected
 	}
 	if info.ECCCorrected != nil {
-		dev.Telemetry["ecc_corrected_total"] = *info.ECCCorrected
+		dev.ECCCorrectedTotal = info.ECCCorrected
 	}
 	if info.HWSlowdown != nil {
-		dev.Telemetry["hw_slowdown_active"] = *info.HWSlowdown
-	}
-	if len(dev.Telemetry) == 0 {
-		dev.Telemetry = nil
+		dev.HWSlowdown = info.HWSlowdown
 	}
 }

audit/internal/collector/nvidia_test.go

@@ -54,10 +54,10 @@ func TestEnrichPCIeWithNVIDIAData_driverLoaded(t *testing.T) {
 	status := "OK"
 	devices := []schema.HardwarePCIeDevice{
 		{
-			VendorID:     &vendorID,
-			BDF:          &bdf,
-			Manufacturer: &manufacturer,
-			Status:       &status,
+			HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status},
+			VendorID:                &vendorID,
+			BDF:                     &bdf,
+			Manufacturer:            &manufacturer,
 		},
 	}
 
@@ -73,21 +73,21 @@ func TestEnrichPCIeWithNVIDIAData_driverLoaded(t *testing.T) {
 		},
 	}
 
-	out := enrichPCIeWithNVIDIAData(devices, byBDF, "BOARD-001", true)
+	out := enrichPCIeWithNVIDIAData(devices, byBDF, true)
 	if out[0].SerialNumber == nil || *out[0].SerialNumber != "GPU-ABC" {
 		t.Fatalf("serial: got %v", out[0].SerialNumber)
 	}
 	if out[0].Firmware == nil || *out[0].Firmware != "96.00.1F.00.02" {
 		t.Fatalf("firmware: got %v", out[0].Firmware)
 	}
-	if out[0].Status == nil || *out[0].Status != "WARNING" {
+	if out[0].Status == nil || *out[0].Status != statusWarning {
 		t.Fatalf("status: got %v", out[0].Status)
 	}
-	if out[0].Telemetry == nil {
-		t.Fatal("expected telemetry")
+	if out[0].ECCUncorrectedTotal == nil || *out[0].ECCUncorrectedTotal != 2 {
+		t.Fatalf("ecc_uncorrected_total: got %#v", out[0].ECCUncorrectedTotal)
 	}
-	if got, ok := out[0].Telemetry["ecc_uncorrected_total"].(int64); !ok || got != 2 {
-		t.Fatalf("ecc_uncorrected_total: got %#v", out[0].Telemetry["ecc_uncorrected_total"])
+	if out[0].TemperatureC == nil || *out[0].TemperatureC != 55.5 {
+		t.Fatalf("temperature_c: got %#v", out[0].TemperatureC)
 	}
 }
 
@@ -103,11 +103,11 @@ func TestEnrichPCIeWithNVIDIAData_driverMissingFallback(t *testing.T) {
 		},
 	}
 
-	out := enrichPCIeWithNVIDIAData(devices, nil, "BOARD-123", false)
-	if out[0].SerialNumber == nil || *out[0].SerialNumber != "BOARD-123-PCIE-0000:17:00.0" {
-		t.Fatalf("fallback serial: got %v", out[0].SerialNumber)
+	out := enrichPCIeWithNVIDIAData(devices, nil, false)
+	if out[0].SerialNumber != nil {
+		t.Fatalf("serial should stay nil without source data, got %v", out[0].SerialNumber)
 	}
-	if out[0].Status == nil || *out[0].Status != "UNKNOWN" {
+	if out[0].Status == nil || *out[0].Status != statusUnknown {
 		t.Fatalf("fallback status: got %v", out[0].Status)
 	}
 }

audit/internal/collector/pcie.go

@@ -57,6 +57,8 @@ func shouldIncludePCIeDevice(class string) bool {
 		"host bridge",
 		"isa bridge",
 		"pci bridge",
+		"performance counter",
+		"performance counters",
 		"ram memory",
 		"system peripheral",
 		"communication controller",
@@ -79,11 +81,12 @@ func parseLspciDevice(fields map[string]string) schema.HardwarePCIeDevice {
 	dev := schema.HardwarePCIeDevice{}
 	present := true
 	dev.Present = &present
-	status := "OK"
+	status := statusOK
 	dev.Status = &status
 
 	// Slot is the BDF: "0000:00:02.0"
 	if bdf := fields["Slot"]; bdf != "" {
+		dev.Slot = &bdf
 		dev.BDF = &bdf
 		// parse vendor_id and device_id from sysfs
 		vendorID, deviceID := readPCIIDs(bdf)
@@ -93,10 +96,32 @@ func parseLspciDevice(fields map[string]string) schema.HardwarePCIeDevice {
 		if deviceID != 0 {
 			dev.DeviceID = &deviceID
 		}
+		if numaNode, ok := readPCINumaNode(bdf); ok {
+			dev.NUMANode = &numaNode
+		}
+		if width, ok := readPCIIntAttribute(bdf, "current_link_width"); ok {
+			dev.LinkWidth = &width
+		}
+		if width, ok := readPCIIntAttribute(bdf, "max_link_width"); ok {
+			dev.MaxLinkWidth = &width
+		}
+		if speed, ok := readPCIStringAttribute(bdf, "current_link_speed"); ok {
+			linkSpeed := normalizePCILinkSpeed(speed)
+			if linkSpeed != "" {
+				dev.LinkSpeed = &linkSpeed
+			}
+		}
+		if speed, ok := readPCIStringAttribute(bdf, "max_link_speed"); ok {
+			linkSpeed := normalizePCILinkSpeed(speed)
+			if linkSpeed != "" {
+				dev.MaxLinkSpeed = &linkSpeed
+			}
+		}
 	}
 
 	if v := fields["Class"]; v != "" {
-		dev.DeviceClass = &v
+		class := mapPCIeDeviceClass(v)
+		dev.DeviceClass = &class
 	}
 	if v := fields["Vendor"]; v != "" {
 		dev.Manufacturer = &v
@@ -131,3 +156,55 @@ func readHexFile(path string) (int, error) {
 	n, err := strconv.ParseInt(s, 16, 64)
 	return int(n), err
 }
+
+func readPCINumaNode(bdf string) (int, bool) {
+	value, ok := readPCIIntAttribute(bdf, "numa_node")
+	if !ok || value < 0 {
+		return 0, false
+	}
+	return value, true
+}
+
+func readPCIIntAttribute(bdf, attribute string) (int, bool) {
+	out, err := exec.Command("cat", "/sys/bus/pci/devices/"+bdf+"/"+attribute).Output()
+	if err != nil {
+		return 0, false
+	}
+	value, err := strconv.Atoi(strings.TrimSpace(string(out)))
+	if err != nil || value < 0 {
+		return 0, false
+	}
+	return value, true
+}
+
+func readPCIStringAttribute(bdf, attribute string) (string, bool) {
+	out, err := exec.Command("cat", "/sys/bus/pci/devices/"+bdf+"/"+attribute).Output()
+	if err != nil {
+		return "", false
+	}
+	value := strings.TrimSpace(string(out))
+	if value == "" {
+		return "", false
+	}
+	return value, true
+}
+
+func normalizePCILinkSpeed(raw string) string {
+	raw = strings.TrimSpace(strings.ToLower(raw))
+	switch {
+	case strings.Contains(raw, "2.5"):
+		return "Gen1"
+	case strings.Contains(raw, "5.0"):
+		return "Gen2"
+	case strings.Contains(raw, "8.0"):
+		return "Gen3"
+	case strings.Contains(raw, "16.0"):
+		return "Gen4"
+	case strings.Contains(raw, "32.0"):
+		return "Gen5"
+	case strings.Contains(raw, "64.0"):
+		return "Gen6"
+	default:
+		return ""
+	}
+}

audit/internal/collector/pcie_filter_test.go

@@ -1,6 +1,10 @@
 package collector
 
-import "testing"
+import (
+	"encoding/json"
+	"strings"
+	"testing"
+)
 
 func TestShouldIncludePCIeDevice(t *testing.T) {
 	tests := []struct {
@@ -13,6 +17,7 @@ func TestShouldIncludePCIeDevice(t *testing.T) {
 		{"Host bridge", false},
 		{"PCI bridge", false},
 		{"SMBus", false},
+		{"Performance counters", false},
 		{"Ethernet controller", true},
 		{"RAID bus controller", true},
 		{"Non-Volatile memory controller", true},
@@ -35,7 +40,50 @@ func TestParseLspci_filtersExcludedClasses(t *testing.T) {
 	if len(devs) != 1 {
 		t.Fatalf("expected 1 filtered device, got %d", len(devs))
 	}
-	if devs[0].DeviceClass == nil || *devs[0].DeviceClass != "VGA compatible controller" {
+	if devs[0].DeviceClass == nil || *devs[0].DeviceClass != "VideoController" {
 		t.Fatalf("unexpected remaining class: %v", devs[0].DeviceClass)
 	}
+	if devs[0].Slot == nil || *devs[0].Slot != "0000:65:00.0" {
+		t.Fatalf("slot: got %v", devs[0].Slot)
+	}
+	if devs[0].BDF == nil || *devs[0].BDF != "0000:65:00.0" {
+		t.Fatalf("bdf: got %v", devs[0].BDF)
+	}
+}
+
+func TestPCIeJSONUsesSlotNotBDF(t *testing.T) {
+	input := "Slot:\t0000:65:00.0\nClass:\tVGA compatible controller\nVendor:\tNVIDIA Corporation\nDevice:\tH100\n\n"
+
+	devs := parseLspci(input)
+	data, err := json.Marshal(devs[0])
+	if err != nil {
+		t.Fatalf("marshal: %v", err)
+	}
+	text := string(data)
+	if !strings.Contains(text, `"slot":"0000:65:00.0"`) {
+		t.Fatalf("json missing slot: %s", text)
+	}
+	if strings.Contains(text, `"bdf"`) {
+		t.Fatalf("json should not emit bdf: %s", text)
+	}
+}
+
+func TestNormalizePCILinkSpeed(t *testing.T) {
+	tests := []struct {
+		raw  string
+		want string
+	}{
+		{"2.5 GT/s PCIe", "Gen1"},
+		{"5.0 GT/s PCIe", "Gen2"},
+		{"8.0 GT/s PCIe", "Gen3"},
+		{"16.0 GT/s PCIe", "Gen4"},
+		{"32.0 GT/s PCIe", "Gen5"},
+		{"64.0 GT/s PCIe", "Gen6"},
+		{"unknown", ""},
+	}
+	for _, tt := range tests {
+		if got := normalizePCILinkSpeed(tt.raw); got != tt.want {
+			t.Fatalf("normalizePCILinkSpeed(%q)=%q want %q", tt.raw, got, tt.want)
+		}
+	}
 }

audit/internal/collector/psu.go

@@ -4,18 +4,32 @@ import (
 	"bee/audit/internal/schema"
 	"log/slog"
 	"os/exec"
+	"regexp"
+	"sort"
 	"strconv"
 	"strings"
 )
 
 func collectPSUs() []schema.HardwarePowerSupply {
-	// ipmitool requires /dev/ipmi0 — not available on non-server hardware
-	out, err := exec.Command("ipmitool", "fru", "print").Output()
-	if err != nil {
+	var psus []schema.HardwarePowerSupply
+	if out, err := exec.Command("ipmitool", "fru", "print").Output(); err == nil {
+		psus = parseFRU(string(out))
+	} else {
+		slog.Info("psu: fru unavailable", "err", err)
+	}
+
+	sdrData := map[int]psuSDR{}
+	if sdrOut, err := exec.Command("ipmitool", "sdr").Output(); err == nil {
+		sdrData = parsePSUSDR(string(sdrOut))
+		if len(psus) == 0 {
+			psus = synthesizePSUsFromSDR(sdrData)
+		} else {
+			mergePSUSDR(psus, sdrData)
+		}
+	} else if len(psus) == 0 {
 		slog.Info("psu: ipmitool unavailable, skipping", "err", err)
 		return nil
 	}
-	psus := parseFRU(string(out))
 	slog.Info("psu: collected", "count", len(psus))
 	return psus
 }
@@ -75,9 +89,7 @@ func parseFRUBlock(block string, slotIdx int) (schema.HardwarePowerSupply, bool)
 
 	// Only process PSU FRU records
 	headerLower := strings.ToLower(header)
-	if !strings.Contains(headerLower, "psu") &&
-		!strings.Contains(headerLower, "power supply") &&
-		!strings.Contains(headerLower, "power_supply") {
+	if !isPSUHeader(headerLower) {
 		return schema.HardwarePowerSupply{}, false
 	}
 
@@ -85,21 +97,24 @@ func parseFRUBlock(block string, slotIdx int) (schema.HardwarePowerSupply, bool)
 	psu := schema.HardwarePowerSupply{Present: &present}
 
 	slotStr := strconv.Itoa(slotIdx)
+	if slot, ok := parsePSUSlot(header); ok && slot > 0 {
+		slotStr = strconv.Itoa(slot - 1)
+	}
 	psu.Slot = &slotStr
 
-	if v := cleanDMIValue(fields["Board Product"]); v != "" {
+	if v := firstNonEmptyField(fields, "Board Product", "Product Name", "Product Part Number"); v != "" {
 		psu.Model = &v
 	}
-	if v := cleanDMIValue(fields["Board Mfg"]); v != "" {
+	if v := firstNonEmptyField(fields, "Board Mfg", "Product Manufacturer", "Product Manufacturer Name"); v != "" {
 		psu.Vendor = &v
 	}
-	if v := cleanDMIValue(fields["Board Serial"]); v != "" {
+	if v := firstNonEmptyField(fields, "Board Serial", "Product Serial", "Product Serial Number"); v != "" {
 		psu.SerialNumber = &v
 	}
-	if v := cleanDMIValue(fields["Board Part Number"]); v != "" {
+	if v := firstNonEmptyField(fields, "Board Part Number", "Product Part Number", "Part Number"); v != "" {
 		psu.PartNumber = &v
 	}
-	if v := cleanDMIValue(fields["Board Extra"]); v != "" {
+	if v := firstNonEmptyField(fields, "Board Extra", "Product Version", "Board Version"); v != "" {
 		psu.Firmware = &v
 	}
 
@@ -110,12 +125,230 @@ func parseFRUBlock(block string, slotIdx int) (schema.HardwarePowerSupply, bool)
 		}
 	}
 
-	status := "OK"
+	status := statusOK
 	psu.Status = &status
 
 	return psu, true
 }
 
+func isPSUHeader(headerLower string) bool {
+	return strings.Contains(headerLower, "psu") ||
+		strings.Contains(headerLower, "pws") ||
+		strings.Contains(headerLower, "power supply") ||
+		strings.Contains(headerLower, "power_supply") ||
+		strings.Contains(headerLower, "power module")
+}
+
+func firstNonEmptyField(fields map[string]string, keys ...string) string {
+	for _, key := range keys {
+		if value := cleanDMIValue(fields[key]); value != "" {
+			return value
+		}
+	}
+	return ""
+}
+
+type psuSDR struct {
+	slot         int
+	status       string
+	reason       string
+	inputPowerW  *float64
+	outputPowerW *float64
+	inputVoltage *float64
+	temperatureC *float64
+	healthPct    *float64
+}
+
+var psuSlotPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`(?i)\bpsu?\s*([0-9]+)\b`),
+	regexp.MustCompile(`(?i)\bps\s*([0-9]+)\b`),
+	regexp.MustCompile(`(?i)\bpws\s*([0-9]+)\b`),
+	regexp.MustCompile(`(?i)\bpower\s*supply(?:\s*bay)?\s*([0-9]+)\b`),
+	regexp.MustCompile(`(?i)\bbay\s*([0-9]+)\b`),
+}
+
+func parsePSUSDR(raw string) map[int]psuSDR {
+	out := map[int]psuSDR{}
+	for _, line := range strings.Split(raw, "\n") {
+		fields := splitSDRFields(line)
+		if len(fields) < 3 {
+			continue
+		}
+		name := fields[0]
+		value := fields[1]
+		state := strings.ToLower(fields[2])
+		slot, ok := parsePSUSlot(name)
+		if !ok {
+			continue
+		}
+
+		entry := out[slot]
+		entry.slot = slot
+		if entry.status == "" {
+			entry.status = statusOK
+		}
+		if state != "" && state != "ok" && state != "ns" {
+			entry.status = statusCritical
+			entry.reason = "PSU sensor reported non-OK state: " + state
+		}
+
+		lowerName := strings.ToLower(name)
+		switch {
+		case strings.Contains(lowerName, "input power"):
+			entry.inputPowerW = parseFloatPtr(value)
+		case strings.Contains(lowerName, "output power"):
+			entry.outputPowerW = parseFloatPtr(value)
+		case strings.Contains(lowerName, "power supply bay"), strings.Contains(lowerName, "psu bay"):
+			entry.outputPowerW = parseFloatPtr(value)
+		case strings.Contains(lowerName, "input voltage"), strings.Contains(lowerName, "ac input"):
+			entry.inputVoltage = parseFloatPtr(value)
+		case strings.Contains(lowerName, "temp"):
+			entry.temperatureC = parseFloatPtr(value)
+		case strings.Contains(lowerName, "health"), strings.Contains(lowerName, "remaining life"), strings.Contains(lowerName, "life remaining"):
+			entry.healthPct = parsePercentPtr(value)
+		}
+		out[slot] = entry
+	}
+	return out
+}
+
+func synthesizePSUsFromSDR(sdr map[int]psuSDR) []schema.HardwarePowerSupply {
+	if len(sdr) == 0 {
+		return nil
+	}
+	slots := make([]int, 0, len(sdr))
+	for slot := range sdr {
+		slots = append(slots, slot)
+	}
+	sort.Ints(slots)
+
+	out := make([]schema.HardwarePowerSupply, 0, len(slots))
+	for _, slot := range slots {
+		entry := sdr[slot]
+		present := true
+		status := entry.status
+		if status == "" {
+			status = statusUnknown
+		}
+		slotStr := strconv.Itoa(slot - 1)
+		model := "PSU"
+		psu := schema.HardwarePowerSupply{
+			HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status},
+			Slot:                    &slotStr,
+			Present:                 &present,
+			Model:                   &model,
+			InputPowerW:             entry.inputPowerW,
+			OutputPowerW:            entry.outputPowerW,
+			InputVoltage:            entry.inputVoltage,
+			TemperatureC:            entry.temperatureC,
+		}
+		if entry.healthPct != nil {
+			psu.LifeRemainingPct = entry.healthPct
+			lifeUsed := 100 - *entry.healthPct
+			psu.LifeUsedPct = &lifeUsed
+		}
+		if entry.reason != "" {
+			psu.ErrorDescription = &entry.reason
+		}
+		out = append(out, psu)
+	}
+	return out
+}
+
+func mergePSUSDR(psus []schema.HardwarePowerSupply, sdr map[int]psuSDR) {
+	for i := range psus {
+		slotIdx, err := strconv.Atoi(derefPSUSlot(psus[i].Slot))
+		if err != nil {
+			continue
+		}
+		entry, ok := sdr[slotIdx+1]
+		if !ok {
+			continue
+		}
+		if entry.inputPowerW != nil {
+			psus[i].InputPowerW = entry.inputPowerW
+		}
+		if entry.outputPowerW != nil {
+			psus[i].OutputPowerW = entry.outputPowerW
+		}
+		if entry.inputVoltage != nil {
+			psus[i].InputVoltage = entry.inputVoltage
+		}
+		if entry.temperatureC != nil {
+			psus[i].TemperatureC = entry.temperatureC
+		}
+		if entry.healthPct != nil {
+			psus[i].LifeRemainingPct = entry.healthPct
+			lifeUsed := 100 - *entry.healthPct
+			psus[i].LifeUsedPct = &lifeUsed
+		}
+		if entry.status != "" {
+			psus[i].Status = &entry.status
+		}
+		if entry.reason != "" {
+			psus[i].ErrorDescription = &entry.reason
+		}
+		if psus[i].Status != nil && *psus[i].Status == statusOK {
+			if (entry.inputPowerW == nil && entry.outputPowerW == nil && entry.inputVoltage == nil) && entry.status == "" {
+				unknown := statusUnknown
+				psus[i].Status = &unknown
+			}
+		}
+	}
+}
+
+func splitSDRFields(line string) []string {
+	parts := strings.Split(line, "|")
+	out := make([]string, 0, len(parts))
+	for _, part := range parts {
+		part = strings.TrimSpace(part)
+		if part != "" {
+			out = append(out, part)
+		}
+	}
+	return out
+}
+
+func parsePSUSlot(name string) (int, bool) {
+	for _, re := range psuSlotPatterns {
+		m := re.FindStringSubmatch(strings.ToLower(name))
+		if len(m) == 0 {
+			continue
+		}
+		for _, group := range m[1:] {
+			if group == "" {
+				continue
+			}
+			n, err := strconv.Atoi(group)
+			if err == nil && n > 0 {
+				return n, true
+			}
+		}
+	}
+	return 0, false
+}
+
+func parseFloatPtr(raw string) *float64 {
+	raw = strings.TrimSpace(raw)
+	if raw == "" || strings.EqualFold(raw, "na") {
+		return nil
+	}
+	for _, field := range strings.Fields(raw) {
+		n, err := strconv.ParseFloat(strings.TrimSpace(field), 64)
+		if err == nil {
+			return &n
+		}
+	}
+	return nil
+}
+
+func derefPSUSlot(slot *string) string {
+	if slot == nil {
+		return ""
+	}
+	return *slot
+}
+
 // parseWattage extracts wattage from strings like "PSU 800W", "1200W PLATINUM".
 func parseWattage(s string) int {
 	s = strings.ToUpper(s)

audit/internal/collector/psu_sdr_test.go

@@ -0,0 +1,91 @@
+package collector
+
+import "testing"
+
+func TestParsePSUSDR(t *testing.T) {
+	raw := `
+PS1 Input Power   | 215 Watts | ok
+PS1 Output Power  | 198 Watts | ok
+PS1 Input Voltage | 229 Volts | ok
+PS1 Temp         | 39 C      | ok
+PS1 Health       | 97 %      | ok
+PS2 Input Power   | 0 Watts   | cr
+`
+
+	got := parsePSUSDR(raw)
+	if len(got) != 2 {
+		t.Fatalf("len(got)=%d want 2", len(got))
+	}
+	if got[1].status != statusOK {
+		t.Fatalf("ps1 status=%q", got[1].status)
+	}
+	if got[1].inputPowerW == nil || *got[1].inputPowerW != 215 {
+		t.Fatalf("ps1 input power=%v", got[1].inputPowerW)
+	}
+	if got[1].outputPowerW == nil || *got[1].outputPowerW != 198 {
+		t.Fatalf("ps1 output power=%v", got[1].outputPowerW)
+	}
+	if got[1].inputVoltage == nil || *got[1].inputVoltage != 229 {
+		t.Fatalf("ps1 input voltage=%v", got[1].inputVoltage)
+	}
+	if got[1].temperatureC == nil || *got[1].temperatureC != 39 {
+		t.Fatalf("ps1 temperature=%v", got[1].temperatureC)
+	}
+	if got[1].healthPct == nil || *got[1].healthPct != 97 {
+		t.Fatalf("ps1 health=%v", got[1].healthPct)
+	}
+	if got[2].status != statusCritical {
+		t.Fatalf("ps2 status=%q", got[2].status)
+	}
+}
+
+func TestParsePSUSlotVendorVariants(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name string
+		want int
+	}{
+		{name: "PWS1 Status", want: 1},
+		{name: "Power Supply Bay 8", want: 8},
+		{name: "PS 6 Input Power", want: 6},
+	}
+
+	for _, tt := range tests {
+		got, ok := parsePSUSlot(tt.name)
+		if !ok || got != tt.want {
+			t.Fatalf("parsePSUSlot(%q)=(%d,%v) want (%d,true)", tt.name, got, ok, tt.want)
+		}
+	}
+}
+
+func TestSynthesizePSUsFromSDR(t *testing.T) {
+	t.Parallel()
+
+	health := 97.0
+	outputPower := 915.0
+	got := synthesizePSUsFromSDR(map[int]psuSDR{
+		1: {
+			slot:         1,
+			status:       statusOK,
+			outputPowerW: &outputPower,
+			healthPct:    &health,
+		},
+	})
+
+	if len(got) != 1 {
+		t.Fatalf("len(got)=%d want 1", len(got))
+	}
+	if got[0].Slot == nil || *got[0].Slot != "0" {
+		t.Fatalf("slot=%v want 0", got[0].Slot)
+	}
+	if got[0].OutputPowerW == nil || *got[0].OutputPowerW != 915 {
+		t.Fatalf("output power=%v", got[0].OutputPowerW)
+	}
+	if got[0].LifeRemainingPct == nil || *got[0].LifeRemainingPct != 97 {
+		t.Fatalf("life remaining=%v", got[0].LifeRemainingPct)
+	}
+	if got[0].LifeUsedPct == nil || *got[0].LifeUsedPct != 3 {
+		t.Fatalf("life used=%v", got[0].LifeUsedPct)
+	}
+}

audit/internal/collector/psu_telemetry.go

@@ -0,0 +1,121 @@
+package collector
+
+import (
+	"bee/audit/internal/schema"
+	"strconv"
+	"strings"
+)
+
+func enrichPSUsWithTelemetry(psus []schema.HardwarePowerSupply, doc sensorsDoc) []schema.HardwarePowerSupply {
+	if len(psus) == 0 || len(doc) == 0 {
+		return psus
+	}
+
+	tempBySlot := psuTempsFromSensors(doc)
+	healthBySlot := psuHealthFromSensors(doc)
+	for i := range psus {
+		slot := derefPSUSlot(psus[i].Slot)
+		if slot == "" {
+			continue
+		}
+		if psus[i].TemperatureC == nil {
+			if value, ok := tempBySlot[slot]; ok {
+				psus[i].TemperatureC = &value
+			}
+		}
+		if psus[i].LifeRemainingPct == nil {
+			if value, ok := healthBySlot[slot]; ok {
+				psus[i].LifeRemainingPct = &value
+				used := 100 - value
+				psus[i].LifeUsedPct = &used
+			}
+		}
+	}
+	return psus
+}
+
+func psuHealthFromSensors(doc sensorsDoc) map[string]float64 {
+	out := map[string]float64{}
+	for chip, features := range doc {
+		for featureName, raw := range features {
+			feature, ok := raw.(map[string]any)
+			if !ok {
+				continue
+			}
+			if !isLikelyPSUHealth(chip, featureName) {
+				continue
+			}
+			value, ok := firstFeaturePercent(feature)
+			if !ok {
+				continue
+			}
+			if slot, ok := detectPSUSlot(chip, featureName); ok {
+				if _, exists := out[slot]; !exists {
+					out[slot] = value
+				}
+			}
+		}
+	}
+	return out
+}
+
+func firstFeaturePercent(feature map[string]any) (float64, bool) {
+	keys := sortedFeatureKeys(feature)
+	for _, key := range keys {
+		lower := strings.ToLower(key)
+		if strings.HasSuffix(lower, "_alarm") {
+			continue
+		}
+		if strings.Contains(lower, "health") || strings.Contains(lower, "life") || strings.Contains(lower, "remain") {
+			if value, ok := floatFromAny(feature[key]); ok {
+				return value, true
+			}
+		}
+	}
+	return 0, false
+}
+
+func isLikelyPSUHealth(chip, feature string) bool {
+	value := strings.ToLower(chip + " " + feature)
+	return (strings.Contains(value, "psu") || strings.Contains(value, "power supply")) &&
+		(strings.Contains(value, "health") || strings.Contains(value, "life") || strings.Contains(value, "remain"))
+}
+
+func psuTempsFromSensors(doc sensorsDoc) map[string]float64 {
+	out := map[string]float64{}
+	for chip, features := range doc {
+		for featureName, raw := range features {
+			feature, ok := raw.(map[string]any)
+			if !ok || classifySensorFeature(feature) != "temp" {
+				continue
+			}
+			if !isLikelyPSUTemp(chip, featureName) {
+				continue
+			}
+			temp, ok := firstFeatureFloat(feature, "_input")
+			if !ok {
+				continue
+			}
+			if slot, ok := detectPSUSlot(chip, featureName); ok {
+				if _, exists := out[slot]; !exists {
+					out[slot] = temp
+				}
+			}
+		}
+	}
+	return out
+}
+
+func isLikelyPSUTemp(chip, feature string) bool {
+	value := strings.ToLower(chip + " " + feature)
+	return strings.Contains(value, "psu") || strings.Contains(value, "power supply")
+}
+
+func detectPSUSlot(parts ...string) (string, bool) {
+	for _, part := range parts {
+		if value, ok := parsePSUSlot(part); ok && value > 0 {
+			return strconv.Itoa(value - 1), true
+		}
+	}
+	return "", false
+}

audit/internal/collector/psu_telemetry_test.go

@@ -0,0 +1,42 @@
+package collector
+
+import (
+	"testing"
+
+	"bee/audit/internal/schema"
+)
+
+func TestEnrichPSUsWithTelemetry(t *testing.T) {
+	slot0 := "0"
+	slot1 := "1"
+	psus := []schema.HardwarePowerSupply{
+		{Slot: &slot0},
+		{Slot: &slot1},
+	}
+
+	doc := sensorsDoc{
+		"psu-hwmon-0": {
+			"PSU1 Temp":           map[string]any{"temp1_input": 39.5},
+			"PSU2 Temp":           map[string]any{"temp2_input": 41.0},
+			"PSU1 Health":         map[string]any{"health1_input": 98.0},
+			"PSU2 Remaining Life": map[string]any{"life2_input": 95.0},
+		},
+	}
+
+	got := enrichPSUsWithTelemetry(psus, doc)
+	if got[0].TemperatureC == nil || *got[0].TemperatureC != 39.5 {
+		t.Fatalf("psu0 temperature mismatch: %#v", got[0].TemperatureC)
+	}
+	if got[1].TemperatureC == nil || *got[1].TemperatureC != 41.0 {
+		t.Fatalf("psu1 temperature mismatch: %#v", got[1].TemperatureC)
+	}
+	if got[0].LifeRemainingPct == nil || *got[0].LifeRemainingPct != 98.0 {
+		t.Fatalf("psu0 life remaining mismatch: %#v", got[0].LifeRemainingPct)
+	}
+	if got[0].LifeUsedPct == nil || *got[0].LifeUsedPct != 2.0 {
+		t.Fatalf("psu0 life used mismatch: %#v", got[0].LifeUsedPct)
+	}
+	if got[1].LifeRemainingPct == nil || *got[1].LifeRemainingPct != 95.0 {
+		t.Fatalf("psu1 life remaining mismatch: %#v", got[1].LifeRemainingPct)
+	}
+}

audit/internal/collector/raid.go

@@ -83,11 +83,7 @@ func isLikelyRAIDController(dev schema.HardwarePCIeDevice) bool {
 	if dev.DeviceClass == nil {
 		return false
 	}
-	c := strings.ToLower(*dev.DeviceClass)
-	return strings.Contains(c, "raid") ||
-		strings.Contains(c, "sas") ||
-		strings.Contains(c, "mass storage") ||
-		strings.Contains(c, "serial attached scsi")
+	return isRAIDClass(*dev.DeviceClass)
 }
 
 func collectStorcliDrives() []schema.HardwareStorage {
@@ -182,7 +178,10 @@ func parseSASIrcuDisplay(raw string) []schema.HardwareStorage {
 
 		present := true
 		status := mapRAIDDriveStatus(b["State"])
-		s := schema.HardwareStorage{Present: &present, Status: &status}
+		s := schema.HardwareStorage{
+			HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status},
+			Present:                 &present,
+		}
 
 		enclosure := strings.TrimSpace(b["Enclosure #"])
 		slot := strings.TrimSpace(b["Slot #"])
@@ -281,7 +280,10 @@ func parseArcconfPhysicalDrives(raw string) []schema.HardwareStorage {
 	for _, b := range blocks {
 		present := true
 		status := mapRAIDDriveStatus(b["State"])
-		s := schema.HardwareStorage{Present: &present, Status: &status}
+		s := schema.HardwareStorage{
+			HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status},
+			Present:                 &present,
+		}
 
 		if v := strings.TrimSpace(b["Reported Location"]); v != "" {
 			s.Slot = &v
@@ -362,8 +364,11 @@ func parseSSACLIPhysicalDrives(raw string) []schema.HardwareStorage {
 		if m := ssacliPhysicalDriveLine.FindStringSubmatch(trimmed); len(m) == 3 {
 			flush()
 			present := true
-			status := "UNKNOWN"
-			s := schema.HardwareStorage{Present: &present, Status: &status}
+			status := statusUnknown
+			s := schema.HardwareStorage{
+				HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status},
+				Present:                 &present,
+			}
 			slot := m[1]
 			s.Slot = &slot
 
@@ -475,8 +480,8 @@ func storcliDriveToStorage(d struct {
 	present := true
 	status := mapRAIDDriveStatus(d.State)
 	s := schema.HardwareStorage{
-		Present: &present,
-		Status:  &status,
+		HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status},
+		Present:                 &present,
 	}
 
 	if v := strings.TrimSpace(d.EIDSlt); v != "" {
@@ -527,15 +532,15 @@ func mapRAIDDriveStatus(raw string) string {
 	u := strings.ToUpper(strings.TrimSpace(raw))
 	switch {
 	case strings.Contains(u, "OK"), strings.Contains(u, "OPTIMAL"), strings.Contains(u, "READY"):
-		return "OK"
+		return statusOK
 	case strings.Contains(u, "ONLN"), strings.Contains(u, "ONLINE"):
-		return "OK"
+		return statusOK
 	case strings.Contains(u, "RBLD"), strings.Contains(u, "REBUILD"):
-		return "WARNING"
+		return statusWarning
 	case strings.Contains(u, "FAIL"), strings.Contains(u, "OFFLINE"):
-		return "CRITICAL"
+		return statusCritical
 	default:
-		return "UNKNOWN"
+		return statusUnknown
 	}
 }
 
@@ -641,8 +646,9 @@ func enrichStorageWithVROC(storage []schema.HardwareStorage, pcie []schema.Hardw
 		storage[i].Telemetry["vroc_array"] = arr.Name
 		storage[i].Telemetry["vroc_degraded"] = arr.Degraded
 		if arr.Degraded {
-			status := "WARNING"
+			status := statusWarning
 			storage[i].Status = &status
+			storage[i].ErrorDescription = stringPtr("VROC array is degraded")
 		}
 		updated++
 	}
@@ -659,14 +665,14 @@ func hasVROCController(pcie []schema.HardwarePCIeDevice) bool {
 
 		class := ""
 		if dev.DeviceClass != nil {
-			class = strings.ToLower(*dev.DeviceClass)
+			class = strings.TrimSpace(*dev.DeviceClass)
 		}
 		model := ""
 		if dev.Model != nil {
 			model = strings.ToLower(*dev.Model)
 		}
 
-		if strings.Contains(class, "raid") ||
+		if isRAIDClass(class) ||
 			strings.Contains(model, "vroc") ||
 			strings.Contains(model, "volume management device") ||
 			strings.Contains(model, "vmd") {

audit/internal/collector/raid_controller_telemetry.go

@@ -0,0 +1,334 @@
+package collector
+
+import (
+	"bee/audit/internal/schema"
+	"encoding/json"
+	"log/slog"
+	"strconv"
+	"strings"
+)
+
+type raidControllerTelemetry struct {
+	BatteryChargePct       *float64
+	BatteryHealthPct       *float64
+	BatteryTemperatureC    *float64
+	BatteryVoltageV        *float64
+	BatteryReplaceRequired *bool
+	ErrorDescription       *string
+}
+
+func enrichPCIeWithRAIDTelemetry(devs []schema.HardwarePCIeDevice) []schema.HardwarePCIeDevice {
+	byVendor := collectRAIDControllerTelemetry()
+	if len(byVendor) == 0 {
+		return devs
+	}
+
+	positions := map[int]int{}
+	for i := range devs {
+		if devs[i].VendorID == nil || !isLikelyRAIDController(devs[i]) {
+			continue
+		}
+		vendor := *devs[i].VendorID
+		list := byVendor[vendor]
+		if len(list) == 0 {
+			continue
+		}
+		index := positions[vendor]
+		if index >= len(list) {
+			continue
+		}
+		positions[vendor] = index + 1
+		applyRAIDControllerTelemetry(&devs[i], list[index])
+	}
+
+	return devs
+}
+
+func applyRAIDControllerTelemetry(dev *schema.HardwarePCIeDevice, tel raidControllerTelemetry) {
+	if tel.BatteryChargePct != nil {
+		dev.BatteryChargePct = tel.BatteryChargePct
+	}
+	if tel.BatteryHealthPct != nil {
+		dev.BatteryHealthPct = tel.BatteryHealthPct
+	}
+	if tel.BatteryTemperatureC != nil {
+		dev.BatteryTemperatureC = tel.BatteryTemperatureC
+	}
+	if tel.BatteryVoltageV != nil {
+		dev.BatteryVoltageV = tel.BatteryVoltageV
+	}
+	if tel.BatteryReplaceRequired != nil {
+		dev.BatteryReplaceRequired = tel.BatteryReplaceRequired
+	}
+	if tel.ErrorDescription != nil {
+		dev.ErrorDescription = tel.ErrorDescription
+		if dev.Status == nil || *dev.Status == statusOK {
+			status := statusWarning
+			dev.Status = &status
+		}
+	}
+}
+
+func collectRAIDControllerTelemetry() map[int][]raidControllerTelemetry {
+	out := map[int][]raidControllerTelemetry{}
+
+	if raw, err := raidToolQuery("storcli64", "/call", "show", "all", "J"); err == nil {
+		list := parseStorcliControllerTelemetry(raw)
+		if len(list) > 0 {
+			out[vendorBroadcomLSI] = append(out[vendorBroadcomLSI], list...)
+			slog.Info("raid: storcli controller telemetry", "count", len(list))
+		}
+	}
+
+	if raw, err := raidToolQuery("ssacli", "ctrl", "all", "show", "config", "detail"); err == nil {
+		list := parseSSACLIControllerTelemetry(string(raw))
+		if len(list) > 0 {
+			out[vendorHPE] = append(out[vendorHPE], list...)
+			slog.Info("raid: ssacli controller telemetry", "count", len(list))
+		}
+	}
+
+	if raw, err := raidToolQuery("arcconf", "getconfig", "1", "ad"); err == nil {
+		list := parseArcconfControllerTelemetry(string(raw))
+		if len(list) > 0 {
+			out[vendorAdaptec] = append(out[vendorAdaptec], list...)
+			slog.Info("raid: arcconf controller telemetry", "count", len(list))
+		}
+	}
+
+	return out
+}
+
+func parseStorcliControllerTelemetry(raw []byte) []raidControllerTelemetry {
+	var doc struct {
+		Controllers []struct {
+			ResponseData map[string]any `json:"Response Data"`
+		} `json:"Controllers"`
+	}
+	if err := json.Unmarshal(raw, &doc); err != nil {
+		slog.Warn("raid: parse storcli controller telemetry failed", "err", err)
+		return nil
+	}
+
+	var out []raidControllerTelemetry
+	for _, ctl := range doc.Controllers {
+		tel := raidControllerTelemetry{}
+		mergeStorcliBatteryMap(&tel, nestedStringMap(ctl.ResponseData["BBU_Info"]))
+		mergeStorcliBatteryMap(&tel, nestedStringMap(ctl.ResponseData["BBU_Info_Details"]))
+		mergeStorcliBatteryMap(&tel, nestedStringMap(ctl.ResponseData["CV_Info"]))
+		mergeStorcliBatteryMap(&tel, nestedStringMap(ctl.ResponseData["CV_Info_Details"]))
+		if hasRAIDControllerTelemetry(tel) {
+			out = append(out, tel)
+		}
+	}
+	return out
+}
+
+func nestedStringMap(raw any) map[string]string {
+	switch value := raw.(type) {
+	case map[string]any:
+		out := map[string]string{}
+		flattenStringMap("", value, out)
+		return out
+	case []any:
+		out := map[string]string{}
+		for _, item := range value {
+			if m, ok := item.(map[string]any); ok {
+				flattenStringMap("", m, out)
+			}
+		}
+		return out
+	default:
+		return nil
+	}
+}
+
+func flattenStringMap(prefix string, in map[string]any, out map[string]string) {
+	for key, raw := range in {
+		fullKey := strings.TrimSpace(strings.ToLower(strings.Trim(prefix+" "+key, " ")))
+		switch value := raw.(type) {
+		case map[string]any:
+			flattenStringMap(fullKey, value, out)
+		case []any:
+			for _, item := range value {
+				if m, ok := item.(map[string]any); ok {
+					flattenStringMap(fullKey, m, out)
+				}
+			}
+		case string:
+			out[fullKey] = value
+		case json.Number:
+			out[fullKey] = value.String()
+		case float64:
+			out[fullKey] = strconv.FormatFloat(value, 'f', -1, 64)
+		case bool:
+			if value {
+				out[fullKey] = "true"
+			} else {
+				out[fullKey] = "false"
+			}
+		}
+	}
+}
+
+func mergeStorcliBatteryMap(tel *raidControllerTelemetry, fields map[string]string) {
+	if len(fields) == 0 {
+		return
+	}
+	for key, raw := range fields {
+		lower := strings.ToLower(strings.TrimSpace(key))
+		switch {
+		case strings.Contains(lower, "relative state of charge"), strings.Contains(lower, "remaining capacity"), strings.Contains(lower, "charge"):
+			if tel.BatteryChargePct == nil {
+				tel.BatteryChargePct = parsePercentPtr(raw)
+			}
+		case strings.Contains(lower, "state of health"), strings.Contains(lower, "health"):
+			if tel.BatteryHealthPct == nil {
+				tel.BatteryHealthPct = parsePercentPtr(raw)
+			}
+		case strings.Contains(lower, "temperature"):
+			if tel.BatteryTemperatureC == nil {
+				tel.BatteryTemperatureC = parseFloatPtr(raw)
+			}
+		case strings.Contains(lower, "voltage"):
+			if tel.BatteryVoltageV == nil {
+				tel.BatteryVoltageV = parseFloatPtr(raw)
+			}
+		case strings.Contains(lower, "replace"), strings.Contains(lower, "replacement required"):
+			if tel.BatteryReplaceRequired == nil {
+				tel.BatteryReplaceRequired = parseReplaceRequired(raw)
+			}
+		case strings.Contains(lower, "learn cycle requested"), strings.Contains(lower, "battery state"), strings.Contains(lower, "capacitance state"):
+			if desc := batteryStateDescription(raw); desc != nil && tel.ErrorDescription == nil {
+				tel.ErrorDescription = desc
+			}
+		}
+	}
+}
+
+func parseSSACLIControllerTelemetry(raw string) []raidControllerTelemetry {
+	lines := strings.Split(raw, "\n")
+	var out []raidControllerTelemetry
+	var current *raidControllerTelemetry
+
+	flush := func() {
+		if current != nil && hasRAIDControllerTelemetry(*current) {
+			out = append(out, *current)
+		}
+		current = nil
+	}
+
+	for _, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		if trimmed == "" {
+			continue
+		}
+		if strings.HasPrefix(strings.ToLower(trimmed), "smart array") || strings.HasPrefix(strings.ToLower(trimmed), "controller ") {
+			flush()
+			current = &raidControllerTelemetry{}
+			continue
+		}
+		if current == nil {
+			continue
+		}
+		if idx := strings.Index(trimmed, ":"); idx > 0 {
+			key := strings.ToLower(strings.TrimSpace(trimmed[:idx]))
+			val := strings.TrimSpace(trimmed[idx+1:])
+			switch {
+			case strings.Contains(key, "capacitor temperature"), strings.Contains(key, "battery temperature"):
+				current.BatteryTemperatureC = parseFloatPtr(val)
+			case strings.Contains(key, "capacitor voltage"), strings.Contains(key, "battery voltage"):
+				current.BatteryVoltageV = parseFloatPtr(val)
+			case strings.Contains(key, "capacitor charge"), strings.Contains(key, "battery charge"):
+				current.BatteryChargePct = parsePercentPtr(val)
+			case strings.Contains(key, "capacitor health"), strings.Contains(key, "battery health"):
+				current.BatteryHealthPct = parsePercentPtr(val)
+			case strings.Contains(key, "replace") || strings.Contains(key, "failed"):
+				if current.BatteryReplaceRequired == nil {
+					current.BatteryReplaceRequired = parseReplaceRequired(val)
+				}
+				if desc := batteryStateDescription(val); desc != nil && current.ErrorDescription == nil {
+					current.ErrorDescription = desc
+				}
+			}
+		}
+	}
+	flush()
+	return out
+}
+
+func parseArcconfControllerTelemetry(raw string) []raidControllerTelemetry {
+	lines := strings.Split(raw, "\n")
+	tel := raidControllerTelemetry{}
+	for _, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		if idx := strings.Index(trimmed, ":"); idx > 0 {
+			key := strings.ToLower(strings.TrimSpace(trimmed[:idx]))
+			val := strings.TrimSpace(trimmed[idx+1:])
+			switch {
+			case strings.Contains(key, "battery temperature"), strings.Contains(key, "capacitor temperature"):
+				tel.BatteryTemperatureC = parseFloatPtr(val)
+			case strings.Contains(key, "battery voltage"), strings.Contains(key, "capacitor voltage"):
+				tel.BatteryVoltageV = parseFloatPtr(val)
+			case strings.Contains(key, "battery charge"), strings.Contains(key, "capacitor charge"):
+				tel.BatteryChargePct = parsePercentPtr(val)
+			case strings.Contains(key, "battery health"), strings.Contains(key, "capacitor health"):
+				tel.BatteryHealthPct = parsePercentPtr(val)
+			case strings.Contains(key, "replace"), strings.Contains(key, "failed"):
+				if tel.BatteryReplaceRequired == nil {
+					tel.BatteryReplaceRequired = parseReplaceRequired(val)
+				}
+				if desc := batteryStateDescription(val); desc != nil && tel.ErrorDescription == nil {
+					tel.ErrorDescription = desc
+				}
+			}
+		}
+	}
+	if hasRAIDControllerTelemetry(tel) {
+		return []raidControllerTelemetry{tel}
+	}
+	return nil
+}
+
+func hasRAIDControllerTelemetry(tel raidControllerTelemetry) bool {
+	return tel.BatteryChargePct != nil ||
+		tel.BatteryHealthPct != nil ||
+		tel.BatteryTemperatureC != nil ||
+		tel.BatteryVoltageV != nil ||
+		tel.BatteryReplaceRequired != nil ||
+		tel.ErrorDescription != nil
+}
+
+func parsePercentPtr(raw string) *float64 {
+	raw = strings.ReplaceAll(strings.TrimSpace(raw), "%", "")
+	return parseFloatPtr(raw)
+}
+
+func parseReplaceRequired(raw string) *bool {
+	lower := strings.ToLower(strings.TrimSpace(raw))
+	switch {
+	case lower == "":
+		return nil
+	case strings.Contains(lower, "replace"), strings.Contains(lower, "failed"), strings.Contains(lower, "yes"), strings.Contains(lower, "required"):
+		value := true
+		return &value
+	case strings.Contains(lower, "no"), strings.Contains(lower, "ok"), strings.Contains(lower, "good"), strings.Contains(lower, "optimal"):
+		value := false
+		return &value
+	default:
+		return nil
+	}
+}
+
+func batteryStateDescription(raw string) *string {
+	lower := strings.ToLower(strings.TrimSpace(raw))
+	if lower == "" {
+		return nil
+	}
+	switch {
+	case strings.Contains(lower, "failed"), strings.Contains(lower, "fault"), strings.Contains(lower, "replace"), strings.Contains(lower, "warning"), strings.Contains(lower, "degraded"):
+		return &raw
+	default:
+		return nil
+	}
+}

audit/internal/collector/raid_parsers_test.go

@@ -1,6 +1,10 @@
 package collector
 
-import "testing"
+import (
+	"bee/audit/internal/schema"
+	"errors"
+	"testing"
+)
 
 func TestParseSASIrcuControllerIDs(t *testing.T) {
 	raw := `LSI Corporation SAS2 IR Configuration Utility.
@@ -90,7 +94,111 @@ physicaldrive 1I:1:2 (894 GB, SAS HDD, Failed)
 	if drives[0].Status == nil || *drives[0].Status != "OK" {
 		t.Fatalf("drive0 status: %v", drives[0].Status)
 	}
-	if drives[1].Status == nil || *drives[1].Status != "CRITICAL" {
+	if drives[1].Status == nil || *drives[1].Status != statusCritical {
 		t.Fatalf("drive1 status: %v", drives[1].Status)
 	}
 }
+
+func TestParseStorcliControllerTelemetry(t *testing.T) {
+	raw := []byte(`{
+  "Controllers": [
+    {
+      "Response Data": {
+        "BBU_Info": {
+          "State of Health": "98 %",
+          "Relative State of Charge": "76 %",
+          "Temperature": "41 C",
+          "Voltage": "12.3 V",
+          "Replacement required": "No"
+        }
+      }
+    }
+  ]
+}`)
+	got := parseStorcliControllerTelemetry(raw)
+	if len(got) != 1 {
+		t.Fatalf("len(got)=%d want 1", len(got))
+	}
+	if got[0].BatteryHealthPct == nil || *got[0].BatteryHealthPct != 98 {
+		t.Fatalf("battery health=%v", got[0].BatteryHealthPct)
+	}
+	if got[0].BatteryChargePct == nil || *got[0].BatteryChargePct != 76 {
+		t.Fatalf("battery charge=%v", got[0].BatteryChargePct)
+	}
+	if got[0].BatteryTemperatureC == nil || *got[0].BatteryTemperatureC != 41 {
+		t.Fatalf("battery temperature=%v", got[0].BatteryTemperatureC)
+	}
+	if got[0].BatteryVoltageV == nil || *got[0].BatteryVoltageV != 12.3 {
+		t.Fatalf("battery voltage=%v", got[0].BatteryVoltageV)
+	}
+	if got[0].BatteryReplaceRequired == nil || *got[0].BatteryReplaceRequired {
+		t.Fatalf("battery replace=%v", got[0].BatteryReplaceRequired)
+	}
+}
+
+func TestParseSSACLIControllerTelemetry(t *testing.T) {
+	raw := `Smart Array P440ar in Slot 0
+   Battery/Capacitor Count: 1
+   Capacitor Temperature  (C): 37
+   Capacitor Charge (%): 94
+   Capacitor Health (%): 96
+   Capacitor Voltage (V): 9.8
+   Capacitor Failed: No
+`
+	got := parseSSACLIControllerTelemetry(raw)
+	if len(got) != 1 {
+		t.Fatalf("len(got)=%d want 1", len(got))
+	}
+	if got[0].BatteryTemperatureC == nil || *got[0].BatteryTemperatureC != 37 {
+		t.Fatalf("battery temperature=%v", got[0].BatteryTemperatureC)
+	}
+	if got[0].BatteryChargePct == nil || *got[0].BatteryChargePct != 94 {
+		t.Fatalf("battery charge=%v", got[0].BatteryChargePct)
+	}
+}
+
+func TestEnrichPCIeWithRAIDTelemetry(t *testing.T) {
+	orig := raidToolQuery
+	t.Cleanup(func() { raidToolQuery = orig })
+	raidToolQuery = func(name string, args ...string) ([]byte, error) {
+		switch name {
+		case "storcli64":
+			return []byte(`{
+  "Controllers": [
+    {
+      "Response Data": {
+        "CV_Info": {
+          "State of Health": "99 %",
+          "Relative State of Charge": "81 %",
+          "Temperature": "38 C",
+          "Voltage": "12.1 V",
+          "Replacement required": "No"
+        }
+      }
+    }
+  ]
+}`), nil
+		default:
+			return nil, errors.New("skip")
+		}
+	}
+
+	vendor := vendorBroadcomLSI
+	class := "MassStorageController"
+	status := statusOK
+	devs := []schema.HardwarePCIeDevice{{
+		VendorID:                &vendor,
+		DeviceClass:             &class,
+		HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status},
+	}}
+	out := enrichPCIeWithRAIDTelemetry(devs)
+	if out[0].BatteryHealthPct == nil || *out[0].BatteryHealthPct != 99 {
+		t.Fatalf("battery health=%v", out[0].BatteryHealthPct)
+	}
+	if out[0].BatteryChargePct == nil || *out[0].BatteryChargePct != 81 {
+		t.Fatalf("battery charge=%v", out[0].BatteryChargePct)
+	}
+	if out[0].BatteryVoltageV == nil || *out[0].BatteryVoltageV != 12.1 {
+		t.Fatalf("battery voltage=%v", out[0].BatteryVoltageV)
+	}
+}

audit/internal/collector/sensors.go

@@ -0,0 +1,373 @@
+package collector
+
+import (
+	"bee/audit/internal/schema"
+	"encoding/json"
+	"log/slog"
+	"os/exec"
+	"sort"
+	"strconv"
+	"strings"
+)
+
+type sensorsDoc map[string]map[string]any
+
+func collectSensors() *schema.HardwareSensors {
+	doc, err := readSensorsJSONDoc()
+	if err != nil {
+		slog.Info("sensors: unavailable, skipping", "err", err)
+		return nil
+	}
+	sensors := buildSensorsFromDoc(doc)
+	if sensors == nil || (len(sensors.Fans) == 0 && len(sensors.Power) == 0 && len(sensors.Temperatures) == 0 && len(sensors.Other) == 0) {
+		return nil
+	}
+	slog.Info("sensors: collected",
+		"fans", len(sensors.Fans),
+		"power", len(sensors.Power),
+		"temperatures", len(sensors.Temperatures),
+		"other", len(sensors.Other),
+	)
+	return sensors
+}
+
+func readSensorsJSONDoc() (sensorsDoc, error) {
+	out, err := exec.Command("sensors", "-j").Output()
+	if err != nil {
+		return nil, err
+	}
+	var doc sensorsDoc
+	if err := json.Unmarshal(out, &doc); err != nil {
+		return nil, err
+	}
+	return doc, nil
+}
+
+func buildSensorsFromDoc(doc sensorsDoc) *schema.HardwareSensors {
+	if len(doc) == 0 {
+		return nil
+	}
+	result := &schema.HardwareSensors{}
+	seen := map[string]struct{}{}
+
+	chips := make([]string, 0, len(doc))
+	for chip := range doc {
+		chips = append(chips, chip)
+	}
+	sort.Strings(chips)
+
+	for _, chip := range chips {
+		features := doc[chip]
+		location := sensorLocation(chip)
+
+		keys := make([]string, 0, len(features))
+		for key := range features {
+			keys = append(keys, key)
+		}
+		sort.Strings(keys)
+
+		for _, key := range keys {
+			if strings.EqualFold(key, "Adapter") {
+				continue
+			}
+			feature, ok := features[key].(map[string]any)
+			if !ok {
+				continue
+			}
+			name := strings.TrimSpace(key)
+			if name == "" {
+				continue
+			}
+			switch classifySensorFeature(feature) {
+			case "fan":
+				item := buildFanSensor(name, location, feature)
+				if item == nil || duplicateSensor(seen, "fan", item.Name) {
+					continue
+				}
+				result.Fans = append(result.Fans, *item)
+			case "temp":
+				item := buildTempSensor(name, location, feature)
+				if item == nil || duplicateSensor(seen, "temp", item.Name) {
+					continue
+				}
+				result.Temperatures = append(result.Temperatures, *item)
+			case "power":
+				item := buildPowerSensor(name, location, feature)
+				if item == nil || duplicateSensor(seen, "power", item.Name) {
+					continue
+				}
+				result.Power = append(result.Power, *item)
+			default:
+				item := buildOtherSensor(name, location, feature)
+				if item == nil || duplicateSensor(seen, "other", item.Name) {
+					continue
+				}
+				result.Other = append(result.Other, *item)
+			}
+		}
+	}
+
+	return result
+}
+
+func parseSensorsJSON(raw []byte) (*schema.HardwareSensors, error) {
+	var doc sensorsDoc
+	err := json.Unmarshal(raw, &doc)
+	if err != nil {
+		return nil, err
+	}
+	return buildSensorsFromDoc(doc), nil
+}
+
+func duplicateSensor(seen map[string]struct{}, sensorType, name string) bool {
+	key := sensorType + "\x00" + name
+	if _, ok := seen[key]; ok {
+		return true
+	}
+	seen[key] = struct{}{}
+	return false
+}
+
+func sensorLocation(chip string) *string {
+	chip = strings.TrimSpace(chip)
+	if chip == "" {
+		return nil
+	}
+	return &chip
+}
+
+func classifySensorFeature(feature map[string]any) string {
+	for key := range feature {
+		switch {
+		case strings.Contains(key, "fan") && strings.HasSuffix(key, "_input"):
+			return "fan"
+		case strings.Contains(key, "temp") && strings.HasSuffix(key, "_input"):
+			return "temp"
+		case strings.Contains(key, "power") && (strings.HasSuffix(key, "_input") || strings.HasSuffix(key, "_average")):
+			return "power"
+		case strings.Contains(key, "curr") && strings.HasSuffix(key, "_input"):
+			return "power"
+		case strings.HasPrefix(key, "in") && strings.HasSuffix(key, "_input"):
+			return "power"
+		}
+	}
+	return "other"
+}
+
+func buildFanSensor(name string, location *string, feature map[string]any) *schema.HardwareFanSensor {
+	rpm, ok := firstFeatureInt(feature, "_input")
+	if !ok {
+		return nil
+	}
+	item := &schema.HardwareFanSensor{Name: name, Location: location, RPM: &rpm}
+	if status := sensorStatusFromFeature(feature); status != nil {
+		item.Status = status
+	}
+	return item
+}
+
+func buildTempSensor(name string, location *string, feature map[string]any) *schema.HardwareTemperatureSensor {
+	celsius, ok := firstFeatureFloat(feature, "_input")
+	if !ok {
+		return nil
+	}
+	item := &schema.HardwareTemperatureSensor{Name: name, Location: location, Celsius: &celsius}
+	if warning, ok := firstFeatureFloatWithSuffixes(feature, []string{"_max", "_high"}); ok {
+		item.ThresholdWarningCelsius = &warning
+	}
+	if critical, ok := firstFeatureFloatWithSuffixes(feature, []string{"_crit", "_emergency"}); ok {
+		item.ThresholdCriticalCelsius = &critical
+	}
+	if status := sensorStatusFromFeature(feature); status != nil {
+		item.Status = status
+	} else {
+		item.Status = deriveTemperatureStatus(item.Celsius, item.ThresholdWarningCelsius, item.ThresholdCriticalCelsius)
+	}
+	return item
+}
+
+func buildPowerSensor(name string, location *string, feature map[string]any) *schema.HardwarePowerSensor {
+	item := &schema.HardwarePowerSensor{Name: name, Location: location}
+	if v, ok := firstFeatureFloatWithContains(feature, []string{"power"}); ok {
+		item.PowerW = &v
+	}
+	if v, ok := firstFeatureFloatWithPrefix(feature, "curr"); ok {
+		item.CurrentA = &v
+	}
+	if v, ok := firstFeatureFloatWithPrefix(feature, "in"); ok {
+		item.VoltageV = &v
+	}
+	if item.PowerW == nil && item.CurrentA == nil && item.VoltageV == nil {
+		return nil
+	}
+	if status := sensorStatusFromFeature(feature); status != nil {
+		item.Status = status
+	}
+	return item
+}
+
+func buildOtherSensor(name string, location *string, feature map[string]any) *schema.HardwareOtherSensor {
+	value, unit, ok := firstGenericSensorValue(feature)
+	if !ok {
+		return nil
+	}
+	item := &schema.HardwareOtherSensor{Name: name, Location: location, Value: &value}
+	if unit != "" {
+		item.Unit = &unit
+	}
+	if status := sensorStatusFromFeature(feature); status != nil {
+		item.Status = status
+	}
+	return item
+}
+
+func sensorStatusFromFeature(feature map[string]any) *string {
+	for key, raw := range feature {
+		if !strings.HasSuffix(key, "_alarm") {
+			continue
+		}
+		if number, ok := floatFromAny(raw); ok && number > 0 {
+			status := statusWarning
+			return &status
+		}
+	}
+	return nil
+}
+
+func deriveTemperatureStatus(current, warning, critical *float64) *string {
+	if current == nil {
+		return nil
+	}
+	switch {
+	case critical != nil && *current >= *critical:
+		status := statusCritical
+		return &status
+	case warning != nil && *current >= *warning:
+		status := statusWarning
+		return &status
+	default:
+		status := statusOK
+		return &status
+	}
+}
+
+func firstFeatureInt(feature map[string]any, suffix string) (int, bool) {
+	for key, raw := range feature {
+		if strings.HasSuffix(key, suffix) {
+			if value, ok := floatFromAny(raw); ok {
+				return int(value), true
+			}
+		}
+	}
+	return 0, false
+}
+
+func firstFeatureFloat(feature map[string]any, suffix string) (float64, bool) {
+	return firstFeatureFloatWithSuffixes(feature, []string{suffix})
+}
+
+func firstFeatureFloatWithSuffixes(feature map[string]any, suffixes []string) (float64, bool) {
+	keys := sortedFeatureKeys(feature)
+	for _, key := range keys {
+		for _, suffix := range suffixes {
+			if strings.HasSuffix(key, suffix) {
+				if value, ok := floatFromAny(feature[key]); ok {
+					return value, true
+				}
+			}
+		}
+	}
+	return 0, false
+}
+
+func firstFeatureFloatWithContains(feature map[string]any, parts []string) (float64, bool) {
+	keys := sortedFeatureKeys(feature)
+	for _, key := range keys {
+		matched := true
+		for _, part := range parts {
+			if !strings.Contains(key, part) {
+				matched = false
+				break
+			}
+		}
+		if matched {
+			if value, ok := floatFromAny(feature[key]); ok {
+				return value, true
+			}
+		}
+	}
+	return 0, false
+}
+
+func firstFeatureFloatWithPrefix(feature map[string]any, prefix string) (float64, bool) {
+	keys := sortedFeatureKeys(feature)
+	for _, key := range keys {
+		if strings.HasPrefix(key, prefix) && strings.HasSuffix(key, "_input") {
+			if value, ok := floatFromAny(feature[key]); ok {
+				return value, true
+			}
+		}
+	}
+	return 0, false
+}
+
+func firstGenericSensorValue(feature map[string]any) (float64, string, bool) {
+	keys := sortedFeatureKeys(feature)
+	for _, key := range keys {
+		if strings.HasSuffix(key, "_alarm") {
+			continue
+		}
+		value, ok := floatFromAny(feature[key])
+		if !ok {
+			continue
+		}
+		unit := inferSensorUnit(key)
+		return value, unit, true
+	}
+	return 0, "", false
+}
+
+func inferSensorUnit(key string) string {
+	switch {
+	case strings.Contains(key, "humidity"):
+		return "%"
+	case strings.Contains(key, "intrusion"):
+		return ""
+	default:
+		return ""
+	}
+}
+
+func sortedFeatureKeys(feature map[string]any) []string {
+	keys := make([]string, 0, len(feature))
+	for key := range feature {
+		keys = append(keys, key)
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+func floatFromAny(raw any) (float64, bool) {
+	switch value := raw.(type) {
+	case float64:
+		return value, true
+	case float32:
+		return float64(value), true
+	case int:
+		return float64(value), true
+	case int64:
+		return float64(value), true
+	case json.Number:
+		if f, err := value.Float64(); err == nil {
+			return f, true
+		}
+	case string:
+		if value == "" {
+			return 0, false
+		}
+		if f, err := strconv.ParseFloat(value, 64); err == nil {
+			return f, true
+		}
+	}
+	return 0, false
+}

audit/internal/collector/sensors_test.go

@@ -0,0 +1,54 @@
+package collector
+
+import "testing"
+
+func TestParseSensorsJSON(t *testing.T) {
+	raw := []byte(`{
+  "coretemp-isa-0000": {
+    "Adapter": "ISA adapter",
+    "Package id 0": {
+      "temp1_input": 61.5,
+      "temp1_max": 80.0,
+      "temp1_crit": 95.0
+    },
+    "fan1": {
+      "fan1_input": 4200
+    }
+  },
+  "acpitz-acpi-0": {
+    "Adapter": "ACPI interface",
+    "in0": {
+      "in0_input": 12.06
+    },
+    "curr1": {
+      "curr1_input": 0.64
+    },
+    "power1": {
+      "power1_average": 137.0
+    },
+    "humidity1": {
+      "humidity1_input": 38.5
+    }
+  }
+}`)
+
+	got, err := parseSensorsJSON(raw)
+	if err != nil {
+		t.Fatalf("parseSensorsJSON error: %v", err)
+	}
+	if got == nil {
+		t.Fatal("expected sensors")
+	}
+	if len(got.Temperatures) != 1 || got.Temperatures[0].Celsius == nil || *got.Temperatures[0].Celsius != 61.5 {
+		t.Fatalf("temperatures mismatch: %#v", got.Temperatures)
+	}
+	if len(got.Fans) != 1 || got.Fans[0].RPM == nil || *got.Fans[0].RPM != 4200 {
+		t.Fatalf("fans mismatch: %#v", got.Fans)
+	}
+	if len(got.Power) != 3 {
+		t.Fatalf("power sensors mismatch: %#v", got.Power)
+	}
+	if len(got.Other) != 1 || got.Other[0].Unit == nil || *got.Other[0].Unit != "%" {
+		t.Fatalf("other sensors mismatch: %#v", got.Other)
+	}
+}

audit/internal/collector/storage.go

@@ -5,11 +5,13 @@ import (
 	"encoding/json"
 	"log/slog"
 	"os/exec"
+	"path/filepath"
+	"strconv"
 	"strings"
 )
 
 func collectStorage() []schema.HardwareStorage {
-	devs := lsblkDevices()
+	devs := discoverStorageDevices()
 	result := make([]schema.HardwareStorage, 0, len(devs))
 	for _, dev := range devs {
 		var s schema.HardwareStorage
@@ -26,19 +28,60 @@ func collectStorage() []schema.HardwareStorage {
 
 // lsblkDevice is a minimal lsblk JSON record.
 type lsblkDevice struct {
-	Name     string `json:"name"`
-	Type     string `json:"type"`
-	Size     string `json:"size"`
-	Serial   string `json:"serial"`
-	Model    string `json:"model"`
-	Tran     string `json:"tran"`
-	Hctl     string `json:"hctl"`
+	Name   string `json:"name"`
+	Type   string `json:"type"`
+	Size   string `json:"size"`
+	Serial string `json:"serial"`
+	Model  string `json:"model"`
+	Tran   string `json:"tran"`
+	Hctl   string `json:"hctl"`
 }
 
 type lsblkRoot struct {
 	Blockdevices []lsblkDevice `json:"blockdevices"`
 }
 
+type nvmeListRoot struct {
+	Devices []nvmeListDevice `json:"Devices"`
+}
+
+type nvmeListDevice struct {
+	DevicePath   string `json:"DevicePath"`
+	ModelNumber  string `json:"ModelNumber"`
+	SerialNumber string `json:"SerialNumber"`
+	Firmware     string `json:"Firmware"`
+	PhysicalSize int64  `json:"PhysicalSize"`
+}
+
+func discoverStorageDevices() []lsblkDevice {
+	merged := map[string]lsblkDevice{}
+	for _, dev := range lsblkDevices() {
+		if dev.Name == "" {
+			continue
+		}
+		merged[dev.Name] = dev
+	}
+	for _, dev := range nvmeListDevices() {
+		if dev.Name == "" {
+			continue
+		}
+		current := merged[dev.Name]
+		merged[dev.Name] = mergeStorageDevice(current, dev)
+	}
+
+	disks := make([]lsblkDevice, 0, len(merged))
+	for _, dev := range merged {
+		if dev.Type == "" {
+			dev.Type = "disk"
+		}
+		if dev.Type != "disk" {
+			continue
+		}
+		disks = append(disks, dev)
+	}
+	return disks
+}
+
 func lsblkDevices() []lsblkDevice {
 	out, err := exec.Command("lsblk", "-J", "-d",
 		"-o", "NAME,TYPE,SIZE,SERIAL,MODEL,TRAN,HCTL").Output()
@@ -60,6 +103,59 @@ func lsblkDevices() []lsblkDevice {
 	return disks
 }
 
+func nvmeListDevices() []lsblkDevice {
+	out, err := exec.Command("nvme", "list", "-o", "json").Output()
+	if err != nil {
+		return nil
+	}
+	var root nvmeListRoot
+	if err := json.Unmarshal(out, &root); err != nil {
+		slog.Warn("storage: nvme list parse failed", "err", err)
+		return nil
+	}
+	devices := make([]lsblkDevice, 0, len(root.Devices))
+	for _, dev := range root.Devices {
+		name := filepath.Base(strings.TrimSpace(dev.DevicePath))
+		if name == "" {
+			continue
+		}
+		devices = append(devices, lsblkDevice{
+			Name:   name,
+			Type:   "disk",
+			Size:   strconv.FormatInt(dev.PhysicalSize, 10),
+			Serial: strings.TrimSpace(dev.SerialNumber),
+			Model:  strings.TrimSpace(dev.ModelNumber),
+			Tran:   "nvme",
+		})
+	}
+	return devices
+}
+
+func mergeStorageDevice(existing, incoming lsblkDevice) lsblkDevice {
+	if existing.Name == "" {
+		return incoming
+	}
+	if existing.Type == "" {
+		existing.Type = incoming.Type
+	}
+	if strings.TrimSpace(existing.Size) == "" {
+		existing.Size = incoming.Size
+	}
+	if strings.TrimSpace(existing.Serial) == "" {
+		existing.Serial = incoming.Serial
+	}
+	if strings.TrimSpace(existing.Model) == "" {
+		existing.Model = incoming.Model
+	}
+	if strings.TrimSpace(existing.Tran) == "" {
+		existing.Tran = incoming.Tran
+	}
+	if strings.TrimSpace(existing.Hctl) == "" {
+		existing.Hctl = incoming.Hctl
+	}
+	return existing
+}
+
 // smartctlInfo is the subset of smartctl -j -a output we care about.
 type smartctlInfo struct {
 	ModelFamily  string `json:"model_family"`
@@ -67,14 +163,22 @@ type smartctlInfo struct {
 	SerialNumber string `json:"serial_number"`
 	FirmwareVer  string `json:"firmware_version"`
 	RotationRate int    `json:"rotation_rate"`
+	Temperature  struct {
+		Current int `json:"current"`
+	} `json:"temperature"`
+	SmartStatus struct {
+		Passed bool `json:"passed"`
+	} `json:"smart_status"`
 	UserCapacity struct {
 		Bytes int64 `json:"bytes"`
 	} `json:"user_capacity"`
 	AtaSmartAttributes struct {
 		Table []struct {
-			ID    int    `json:"id"`
-			Name  string `json:"name"`
-			Raw   struct{ Value int64 `json:"value"` } `json:"raw"`
+			ID   int    `json:"id"`
+			Name string `json:"name"`
+			Raw  struct {
+				Value int64 `json:"value"`
+			} `json:"raw"`
 		} `json:"table"`
 	} `json:"ata_smart_attributes"`
 	PowerOnTime struct {
@@ -149,69 +253,116 @@ func enrichWithSmartctl(dev lsblkDevice) schema.HardwareStorage {
 		} else if info.RotationRate > 0 {
 			devType = "HDD"
 		}
+		s.Type = &devType
 
-		// telemetry
-		tel := map[string]any{}
+		if info.Temperature.Current > 0 {
+			t := float64(info.Temperature.Current)
+			s.TemperatureC = &t
+		}
 		if info.PowerOnTime.Hours > 0 {
-			tel["power_on_hours"] = info.PowerOnTime.Hours
+			v := int64(info.PowerOnTime.Hours)
+			s.PowerOnHours = &v
 		}
 		if info.PowerCycleCount > 0 {
-			tel["power_cycles"] = info.PowerCycleCount
+			v := int64(info.PowerCycleCount)
+			s.PowerCycles = &v
 		}
+		reallocated := int64(0)
+		pending := int64(0)
+		uncorrectable := int64(0)
+		lifeRemaining := int64(0)
 		for _, attr := range info.AtaSmartAttributes.Table {
 			switch attr.ID {
 			case 5:
-				tel["reallocated_sectors"] = attr.Raw.Value
+				reallocated = attr.Raw.Value
+				s.ReallocatedSectors = &reallocated
 			case 177:
-				tel["wear_leveling_pct"] = attr.Raw.Value
+				value := float64(attr.Raw.Value)
+				s.LifeUsedPct = &value
 			case 231:
-				tel["life_remaining_pct"] = attr.Raw.Value
+				lifeRemaining = attr.Raw.Value
+				value := float64(attr.Raw.Value)
+				s.LifeRemainingPct = &value
 			case 241:
-				tel["total_lba_written"] = attr.Raw.Value
+				value := attr.Raw.Value
+				s.WrittenBytes = &value
+			case 197:
+				pending = attr.Raw.Value
+				s.CurrentPendingSectors = &pending
+			case 198:
+				uncorrectable = attr.Raw.Value
+				s.OfflineUncorrectable = &uncorrectable
 			}
 		}
-		if len(tel) > 0 {
-			s.Telemetry = tel
+
+		status := storageHealthStatus{
+			overallPassed:        info.SmartStatus.Passed,
+			hasOverall:           true,
+			reallocatedSectors:   reallocated,
+			pendingSectors:       pending,
+			offlineUncorrectable: uncorrectable,
+			lifeRemainingPct:     lifeRemaining,
 		}
+		setStorageHealthStatus(&s, status)
+		return s
 	}
 
 	s.Type = &devType
-	status := "OK"
+	status := statusUnknown
 	s.Status = &status
 	return s
 }
 
 // nvmeSmartLog is the subset of `nvme smart-log -o json` output we care about.
 type nvmeSmartLog struct {
+	CriticalWarning  int   `json:"critical_warning"`
 	PercentageUsed   int   `json:"percentage_used"`
+	AvailableSpare   int   `json:"available_spare"`
+	SpareThreshold   int   `json:"spare_thresh"`
+	Temperature      int64 `json:"temperature"`
 	PowerOnHours     int64 `json:"power_on_hours"`
 	PowerCycles      int64 `json:"power_cycles"`
 	UnsafeShutdowns  int64 `json:"unsafe_shutdowns"`
+	DataUnitsRead    int64 `json:"data_units_read"`
 	DataUnitsWritten int64 `json:"data_units_written"`
 	ControllerBusy   int64 `json:"controller_busy_time"`
+	MediaErrors      int64 `json:"media_errors"`
+	NumErrLogEntries int64 `json:"num_err_log_entries"`
 }
 
 // nvmeIDCtrl is the subset of `nvme id-ctrl -o json` output.
 type nvmeIDCtrl struct {
-	ModelNumber    string `json:"mn"`
-	SerialNumber   string `json:"sn"`
-	FirmwareRev    string `json:"fr"`
-	TotalCapacity  int64  `json:"tnvmcap"`
+	ModelNumber   string `json:"mn"`
+	SerialNumber  string `json:"sn"`
+	FirmwareRev   string `json:"fr"`
+	TotalCapacity int64  `json:"tnvmcap"`
 }
 
 func enrichWithNVMe(dev lsblkDevice) schema.HardwareStorage {
 	present := true
 	devType := "NVMe"
 	iface := "NVMe"
-	status := "OK"
+	status := statusOK
 	s := schema.HardwareStorage{
-		Present:   &present,
-		Type:      &devType,
-		Interface: &iface,
-		Status:    &status,
+		HardwareComponentStatus: schema.HardwareComponentStatus{Status: &status},
+		Present:                 &present,
+		Type:                    &devType,
+		Interface:               &iface,
 	}
 
 	devPath := "/dev/" + dev.Name
+	if v := cleanDMIValue(strings.TrimSpace(dev.Model)); v != "" {
+		s.Model = &v
+	}
+	if v := cleanDMIValue(strings.TrimSpace(dev.Serial)); v != "" {
+		s.SerialNumber = &v
+	}
+	if size := parseStorageBytes(dev.Size); size > 0 {
+		gb := int(size / 1_000_000_000)
+		if gb > 0 {
+			s.SizeGB = &gb
+		}
+	}
 
 	// id-ctrl: model, serial, firmware, capacity
 	if out, err := exec.Command("nvme", "id-ctrl", devPath, "-o", "json").Output(); err == nil {
@@ -237,30 +388,131 @@ func enrichWithNVMe(dev lsblkDevice) schema.HardwareStorage {
 	if out, err := exec.Command("nvme", "smart-log", devPath, "-o", "json").Output(); err == nil {
 		var log nvmeSmartLog
 		if json.Unmarshal(out, &log) == nil {
-			tel := map[string]any{}
 			if log.PowerOnHours > 0 {
-				tel["power_on_hours"] = log.PowerOnHours
+				s.PowerOnHours = &log.PowerOnHours
 			}
 			if log.PowerCycles > 0 {
-				tel["power_cycles"] = log.PowerCycles
+				s.PowerCycles = &log.PowerCycles
 			}
 			if log.UnsafeShutdowns > 0 {
-				tel["unsafe_shutdowns"] = log.UnsafeShutdowns
+				s.UnsafeShutdowns = &log.UnsafeShutdowns
 			}
 			if log.PercentageUsed > 0 {
-				tel["percentage_used"] = log.PercentageUsed
+				v := float64(log.PercentageUsed)
+				s.LifeUsedPct = &v
+				remaining := 100 - v
+				s.LifeRemainingPct = &remaining
 			}
 			if log.DataUnitsWritten > 0 {
-				tel["data_units_written"] = log.DataUnitsWritten
+				v := nvmeDataUnitsToBytes(log.DataUnitsWritten)
+				s.WrittenBytes = &v
 			}
-			if log.ControllerBusy > 0 {
-				tel["controller_busy_time"] = log.ControllerBusy
+			if log.DataUnitsRead > 0 {
+				v := nvmeDataUnitsToBytes(log.DataUnitsRead)
+				s.ReadBytes = &v
 			}
-			if len(tel) > 0 {
-				s.Telemetry = tel
+			if log.AvailableSpare > 0 {
+				v := float64(log.AvailableSpare)
+				s.AvailableSparePct = &v
 			}
+			if log.MediaErrors > 0 {
+				s.MediaErrors = &log.MediaErrors
+			}
+			if log.NumErrLogEntries > 0 {
+				s.ErrorLogEntries = &log.NumErrLogEntries
+			}
+			if log.Temperature > 0 {
+				v := float64(log.Temperature - 273)
+				s.TemperatureC = &v
+			}
+			setStorageHealthStatus(&s, storageHealthStatus{
+				criticalWarning: log.CriticalWarning,
+				percentageUsed:  int64(log.PercentageUsed),
+				availableSpare:  int64(log.AvailableSpare),
+				spareThreshold:  int64(log.SpareThreshold),
+				unsafeShutdowns: log.UnsafeShutdowns,
+				mediaErrors:     log.MediaErrors,
+				errorLogEntries: log.NumErrLogEntries,
+			})
+			return s
 		}
 	}
 
+	status = statusUnknown
+	s.Status = &status
 	return s
 }
+
+func parseStorageBytes(raw string) int64 {
+	value, err := strconv.ParseInt(strings.TrimSpace(raw), 10, 64)
+	if err == nil && value > 0 {
+		return value
+	}
+	return 0
+}
+
+func nvmeDataUnitsToBytes(units int64) int64 {
+	if units <= 0 {
+		return 0
+	}
+	return units * 512000
+}
+
+type storageHealthStatus struct {
+	hasOverall           bool
+	overallPassed        bool
+	reallocatedSectors   int64
+	pendingSectors       int64
+	offlineUncorrectable int64
+	lifeRemainingPct     int64
+	criticalWarning      int
+	percentageUsed       int64
+	availableSpare       int64
+	spareThreshold       int64
+	unsafeShutdowns      int64
+	mediaErrors          int64
+	errorLogEntries      int64
+}
+
+func setStorageHealthStatus(s *schema.HardwareStorage, health storageHealthStatus) {
+	status := statusOK
+	var description *string
+	switch {
+	case health.hasOverall && !health.overallPassed:
+		status = statusCritical
+		description = stringPtr("SMART overall self-assessment failed")
+	case health.criticalWarning > 0:
+		status = statusCritical
+		description = stringPtr("NVMe critical warning is set")
+	case health.pendingSectors > 0 || health.offlineUncorrectable > 0:
+		status = statusCritical
+		description = stringPtr("Pending or offline uncorrectable sectors detected")
+	case health.mediaErrors > 0:
+		status = statusWarning
+		description = stringPtr("Media errors reported")
+	case health.reallocatedSectors > 0:
+		status = statusWarning
+		description = stringPtr("Reallocated sectors detected")
+	case health.errorLogEntries > 0:
+		status = statusWarning
+		description = stringPtr("Device error log contains entries")
+	case health.lifeRemainingPct > 0 && health.lifeRemainingPct <= 10:
+		status = statusWarning
+		description = stringPtr("Life remaining is low")
+	case health.percentageUsed >= 95:
+		status = statusWarning
+		description = stringPtr("Drive wear level is high")
+	case health.availableSpare > 0 && health.spareThreshold > 0 && health.availableSpare <= health.spareThreshold:
+		status = statusWarning
+		description = stringPtr("Available spare is at or below threshold")
+	case health.unsafeShutdowns > 100:
+		status = statusWarning
+		description = stringPtr("Unsafe shutdown count is high")
+	}
+	s.Status = &status
+	s.ErrorDescription = description
+}
+
+func stringPtr(value string) *string {
+	return &value
+}

audit/internal/collector/storage_discovery_test.go

@@ -0,0 +1,33 @@
+package collector
+
+import "testing"
+
+func TestMergeStorageDevicePrefersNonEmptyFields(t *testing.T) {
+	t.Parallel()
+
+	got := mergeStorageDevice(
+		lsblkDevice{Name: "nvme0n1", Type: "disk", Tran: "nvme"},
+		lsblkDevice{Name: "nvme0n1", Type: "disk", Size: "1024", Serial: "SN123", Model: "Kioxia"},
+	)
+
+	if got.Serial != "SN123" {
+		t.Fatalf("serial=%q want SN123", got.Serial)
+	}
+	if got.Model != "Kioxia" {
+		t.Fatalf("model=%q want Kioxia", got.Model)
+	}
+	if got.Size != "1024" {
+		t.Fatalf("size=%q want 1024", got.Size)
+	}
+}
+
+func TestParseStorageBytes(t *testing.T) {
+	t.Parallel()
+
+	if got := parseStorageBytes(" 2048 "); got != 2048 {
+		t.Fatalf("parseStorageBytes=%d want 2048", got)
+	}
+	if got := parseStorageBytes("1.92 TB"); got != 0 {
+		t.Fatalf("parseStorageBytes invalid=%d want 0", got)
+	}
+}

audit/internal/collector/storage_health_test.go

@@ -0,0 +1,63 @@
+package collector
+
+import (
+	"testing"
+
+	"bee/audit/internal/schema"
+)
+
+func TestSetStorageHealthStatus(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name   string
+		health storageHealthStatus
+		want   string
+	}{
+		{
+			name:   "smart overall failed",
+			health: storageHealthStatus{hasOverall: true, overallPassed: false},
+			want:   statusCritical,
+		},
+		{
+			name:   "nvme critical warning",
+			health: storageHealthStatus{criticalWarning: 1},
+			want:   statusCritical,
+		},
+		{
+			name:   "pending sectors",
+			health: storageHealthStatus{pendingSectors: 1},
+			want:   statusCritical,
+		},
+		{
+			name:   "media errors warning",
+			health: storageHealthStatus{mediaErrors: 2},
+			want:   statusWarning,
+		},
+		{
+			name:   "reallocated warning",
+			health: storageHealthStatus{reallocatedSectors: 1},
+			want:   statusWarning,
+		},
+		{
+			name:   "life remaining low",
+			health: storageHealthStatus{lifeRemainingPct: 8},
+			want:   statusWarning,
+		},
+		{
+			name:   "healthy",
+			health: storageHealthStatus{},
+			want:   statusOK,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var disk schema.HardwareStorage
+			setStorageHealthStatus(&disk, tt.health)
+			if disk.Status == nil || *disk.Status != tt.want {
+				t.Fatalf("status=%v want %q", disk.Status, tt.want)
+			}
+		})
+	}
+}

audit/internal/collector/summary.go

@@ -0,0 +1,114 @@
+package collector
+
+import (
+	"bee/audit/internal/schema"
+	"fmt"
+	"time"
+)
+
+func BuildHealthSummary(snap schema.HardwareSnapshot) *schema.HardwareHealthSummary {
+	summary := &schema.HardwareHealthSummary{
+		Status:      statusOK,
+		CollectedAt: time.Now().UTC().Format(time.RFC3339),
+	}
+
+	for _, dimm := range snap.Memory {
+		switch derefString(dimm.Status) {
+		case statusWarning:
+			summary.MemoryWarn++
+			summary.Warnings = append(summary.Warnings, formatMemorySummary(dimm))
+		case statusCritical:
+			summary.MemoryFail++
+			summary.Failures = append(summary.Failures, formatMemorySummary(dimm))
+		case statusEmpty:
+			summary.EmptyDIMMs++
+		}
+	}
+
+	for _, disk := range snap.Storage {
+		switch derefString(disk.Status) {
+		case statusWarning:
+			summary.StorageWarn++
+			summary.Warnings = append(summary.Warnings, formatStorageSummary(disk))
+		case statusCritical:
+			summary.StorageFail++
+			summary.Failures = append(summary.Failures, formatStorageSummary(disk))
+		}
+	}
+
+	for _, dev := range snap.PCIeDevices {
+		switch derefString(dev.Status) {
+		case statusWarning:
+			summary.PCIeWarn++
+			summary.Warnings = append(summary.Warnings, formatPCIeSummary(dev))
+		case statusCritical:
+			summary.PCIeFail++
+			summary.Failures = append(summary.Failures, formatPCIeSummary(dev))
+		}
+	}
+
+	for _, psu := range snap.PowerSupplies {
+		if psu.Present != nil && !*psu.Present {
+			summary.MissingPSUs++
+		}
+		switch derefString(psu.Status) {
+		case statusWarning:
+			summary.PSUWarn++
+			summary.Warnings = append(summary.Warnings, formatPSUSummary(psu))
+		case statusCritical:
+			summary.PSUFail++
+			summary.Failures = append(summary.Failures, formatPSUSummary(psu))
+		}
+	}
+
+	if len(summary.Failures) > 0 || summary.StorageFail > 0 || summary.PCIeFail > 0 || summary.PSUFail > 0 || summary.MemoryFail > 0 {
+		summary.Status = statusCritical
+	} else if len(summary.Warnings) > 0 || summary.StorageWarn > 0 || summary.PCIeWarn > 0 || summary.PSUWarn > 0 || summary.MemoryWarn > 0 {
+		summary.Status = statusWarning
+	}
+
+	if len(summary.Warnings) == 0 {
+		summary.Warnings = nil
+	}
+	if len(summary.Failures) == 0 {
+		summary.Failures = nil
+	}
+
+	return summary
+}
+
+func derefString(value *string) string {
+	if value == nil {
+		return ""
+	}
+	return *value
+}
+
+func preferredName(model, serial, slot *string) string {
+	switch {
+	case model != nil && *model != "":
+		return *model
+	case serial != nil && *serial != "":
+		return *serial
+	case slot != nil && *slot != "":
+		return *slot
+	default:
+		return "unknown"
+	}
+}
+
+func formatStorageSummary(disk schema.HardwareStorage) string {
+	return fmt.Sprintf("storage %s status=%s", preferredName(disk.Model, disk.SerialNumber, disk.Slot), derefString(disk.Status))
+}
+
+func formatPCIeSummary(dev schema.HardwarePCIeDevice) string {
+	return fmt.Sprintf("pcie %s status=%s", preferredName(dev.Model, dev.SerialNumber, dev.BDF), derefString(dev.Status))
+}
+
+func formatPSUSummary(psu schema.HardwarePowerSupply) string {
+	return fmt.Sprintf("psu %s status=%s", preferredName(psu.Model, psu.SerialNumber, psu.Slot), derefString(psu.Status))
+}
+
+func formatMemorySummary(dimm schema.HardwareMemory) string {
+	return fmt.Sprintf("memory %s status=%s", preferredName(dimm.PartNumber, dimm.SerialNumber, dimm.Slot), derefString(dimm.Status))
+}

audit/internal/collector/vroc_test.go

@@ -31,7 +31,7 @@ md125 : active raid1 nvme2n1[0] nvme3n1[1]
 func TestHasVROCController(t *testing.T) {
 	intel := vendorIntel
 	model := "Volume Management Device NVMe RAID Controller"
-	class := "RAID bus controller"
+	class := "MassStorageController"
 	tests := []struct {
 		name string
 		pcie []schema.HardwarePCIeDevice

audit/internal/platform/export.go

@@ -0,0 +1,94 @@
+package platform
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sort"
+	"strings"
+)
+
+func (s *System) ListRemovableTargets() ([]RemovableTarget, error) {
+	raw, err := exec.Command("lsblk", "-P", "-o", "NAME,TYPE,PKNAME,RM,FSTYPE,MOUNTPOINT,SIZE,LABEL,MODEL").Output()
+	if err != nil {
+		return nil, err
+	}
+
+	var out []RemovableTarget
+	for _, line := range strings.Split(strings.TrimSpace(string(raw)), "\n") {
+		if strings.TrimSpace(line) == "" {
+			continue
+		}
+		fields := parseLSBLKPairs(line)
+		deviceType := fields["TYPE"]
+		if deviceType == "rom" || deviceType == "loop" {
+			continue
+		}
+
+		removable := fields["RM"] == "1"
+		if !removable {
+			if parent := fields["PKNAME"]; parent != "" {
+				if data, err := os.ReadFile(filepath.Join("/sys/class/block", parent, "removable")); err == nil {
+					removable = strings.TrimSpace(string(data)) == "1"
+				}
+			}
+		}
+		if !removable || fields["FSTYPE"] == "" {
+			continue
+		}
+
+		out = append(out, RemovableTarget{
+			Device:     "/dev/" + fields["NAME"],
+			FSType:     fields["FSTYPE"],
+			Size:       fields["SIZE"],
+			Label:      fields["LABEL"],
+			Model:      fields["MODEL"],
+			Mountpoint: fields["MOUNTPOINT"],
+		})
+	}
+
+	sort.Slice(out, func(i, j int) bool { return out[i].Device < out[j].Device })
+	return out, nil
+}
+
+func (s *System) ExportFileToTarget(src string, target RemovableTarget) (string, error) {
+	if src == "" || target.Device == "" {
+		return "", fmt.Errorf("source and target are required")
+	}
+	if _, err := os.Stat(src); err != nil {
+		return "", err
+	}
+
+	mountpoint := strings.TrimSpace(target.Mountpoint)
+	mountedHere := false
+	if mountpoint == "" {
+		mountpoint = filepath.Join("/tmp", "bee-export-"+filepath.Base(target.Device))
+		if err := os.MkdirAll(mountpoint, 0755); err != nil {
+			return "", err
+		}
+		if raw, err := exec.Command("mount", target.Device, mountpoint).CombinedOutput(); err != nil {
+			_ = os.Remove(mountpoint)
+			return string(raw), err
+		}
+		mountedHere = true
+	}
+
+	filename := filepath.Base(src)
+	dst := filepath.Join(mountpoint, filename)
+	data, err := os.ReadFile(src)
+	if err != nil {
+		return "", err
+	}
+	if err := os.WriteFile(dst, data, 0644); err != nil {
+		return "", err
+	}
+	_ = exec.Command("sync").Run()
+
+	if mountedHere {
+		_ = exec.Command("umount", mountpoint).Run()
+		_ = os.Remove(mountpoint)
+	}
+
+	return dst, nil
+}

audit/internal/platform/gpu_metrics.go

@@ -0,0 +1,577 @@
+package platform
+
+import (
+	"bytes"
+	"fmt"
+	"math"
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// GPUMetricRow is one telemetry sample from nvidia-smi during a stress test.
+type GPUMetricRow struct {
+	ElapsedSec float64
+	GPUIndex   int
+	TempC      float64
+	UsagePct   float64
+	PowerW     float64
+	ClockMHz   float64
+}
+
+// sampleGPUMetrics runs nvidia-smi once and returns current metrics for each GPU.
+func sampleGPUMetrics(gpuIndices []int) ([]GPUMetricRow, error) {
+	args := []string{
+		"--query-gpu=index,temperature.gpu,utilization.gpu,power.draw,clocks.current.graphics",
+		"--format=csv,noheader,nounits",
+	}
+	if len(gpuIndices) > 0 {
+		ids := make([]string, len(gpuIndices))
+		for i, idx := range gpuIndices {
+			ids[i] = strconv.Itoa(idx)
+		}
+		args = append([]string{"--id=" + strings.Join(ids, ",")}, args...)
+	}
+	out, err := exec.Command("nvidia-smi", args...).Output()
+	if err != nil {
+		return nil, err
+	}
+	var rows []GPUMetricRow
+	for _, line := range strings.Split(strings.TrimSpace(string(out)), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
+		parts := strings.Split(line, ", ")
+		if len(parts) < 5 {
+			continue
+		}
+		idx, _ := strconv.Atoi(strings.TrimSpace(parts[0]))
+		rows = append(rows, GPUMetricRow{
+			GPUIndex: idx,
+			TempC:    parseGPUFloat(parts[1]),
+			UsagePct: parseGPUFloat(parts[2]),
+			PowerW:   parseGPUFloat(parts[3]),
+			ClockMHz: parseGPUFloat(parts[4]),
+		})
+	}
+	return rows, nil
+}
+
+func parseGPUFloat(s string) float64 {
+	s = strings.TrimSpace(s)
+	if s == "N/A" || s == "[Not Supported]" || s == "" {
+		return 0
+	}
+	v, _ := strconv.ParseFloat(s, 64)
+	return v
+}
+
+// WriteGPUMetricsCSV writes collected rows as a CSV file.
+func WriteGPUMetricsCSV(path string, rows []GPUMetricRow) error {
+	var b bytes.Buffer
+	b.WriteString("elapsed_sec,gpu_index,temperature_c,usage_pct,power_w,clock_mhz\n")
+	for _, r := range rows {
+		fmt.Fprintf(&b, "%.1f,%d,%.1f,%.1f,%.1f,%.0f\n",
+			r.ElapsedSec, r.GPUIndex, r.TempC, r.UsagePct, r.PowerW, r.ClockMHz)
+	}
+	return os.WriteFile(path, b.Bytes(), 0644)
+}
+
+// WriteGPUMetricsHTML writes a standalone HTML file with one SVG chart per GPU.
+func WriteGPUMetricsHTML(path string, rows []GPUMetricRow) error {
+	// Group by GPU index preserving order.
+	seen := make(map[int]bool)
+	var order []int
+	gpuMap := make(map[int][]GPUMetricRow)
+	for _, r := range rows {
+		if !seen[r.GPUIndex] {
+			seen[r.GPUIndex] = true
+			order = append(order, r.GPUIndex)
+		}
+		gpuMap[r.GPUIndex] = append(gpuMap[r.GPUIndex], r)
+	}
+
+	var svgs strings.Builder
+	for _, gpuIdx := range order {
+		svgs.WriteString(drawGPUChartSVG(gpuMap[gpuIdx], gpuIdx))
+		svgs.WriteString("\n")
+	}
+
+	ts := time.Now().UTC().Format("2006-01-02 15:04:05 UTC")
+	html := fmt.Sprintf(`<!DOCTYPE html>
+<html><head>
+<meta charset="utf-8">
+<title>GPU Stress Test Metrics</title>
+<style>
+body { font-family: sans-serif; background: #f0f0f0; margin: 0; padding: 20px; }
+h1 { text-align: center; color: #333; margin: 0 0 8px; }
+p  { text-align: center; color: #888; font-size: 13px; margin: 0 0 24px; }
+</style>
+</head><body>
+<h1>GPU Stress Test Metrics</h1>
+<p>Generated %s</p>
+%s
+</body></html>`, ts, svgs.String())
+
+	return os.WriteFile(path, []byte(html), 0644)
+}
+
+// drawGPUChartSVG generates a self-contained SVG chart for one GPU.
+func drawGPUChartSVG(rows []GPUMetricRow, gpuIdx int) string {
+	// Layout
+	const W, H = 960, 520
+	const plotX1 = 120 // usage axis / chart left border
+	const plotX2 = 840 // power axis / chart right border
+	const plotY1 = 70  // top
+	const plotY2 = 465 // bottom  (PH = 395)
+	const PW = plotX2 - plotX1
+	const PH = plotY2 - plotY1
+	// Outer axes
+	const tempAxisX = 60  // temp axis line
+	const clockAxisX = 900 // clock axis line
+
+	colors := [4]string{"#e74c3c", "#3498db", "#2ecc71", "#f39c12"}
+	seriesLabel := [4]string{
+		fmt.Sprintf("GPU %d Temp (°C)", gpuIdx),
+		fmt.Sprintf("GPU %d Usage (%%)", gpuIdx),
+		fmt.Sprintf("GPU %d Power (W)", gpuIdx),
+		fmt.Sprintf("GPU %d Clock (MHz)", gpuIdx),
+	}
+	axisLabel := [4]string{"Temperature (°C)", "GPU Usage (%)", "Power (W)", "Clock (MHz)"}
+
+	// Extract series
+	t := make([]float64, len(rows))
+	vals := [4][]float64{}
+	for i := range vals {
+		vals[i] = make([]float64, len(rows))
+	}
+	for i, r := range rows {
+		t[i] = r.ElapsedSec
+		vals[0][i] = r.TempC
+		vals[1][i] = r.UsagePct
+		vals[2][i] = r.PowerW
+		vals[3][i] = r.ClockMHz
+	}
+
+	tMin, tMax := gpuMinMax(t)
+	type axisScale struct {
+		ticks    []float64
+		min, max float64
+	}
+	var axes [4]axisScale
+	for i := 0; i < 4; i++ {
+		mn, mx := gpuMinMax(vals[i])
+		tks := gpuNiceTicks(mn, mx, 8)
+		axes[i] = axisScale{ticks: tks, min: tks[0], max: tks[len(tks)-1]}
+	}
+
+	xv := func(tv float64) float64 {
+		if tMax == tMin {
+			return float64(plotX1)
+		}
+		return float64(plotX1) + (tv-tMin)/(tMax-tMin)*float64(PW)
+	}
+	yv := func(v float64, ai int) float64 {
+		a := axes[ai]
+		if a.max == a.min {
+			return float64(plotY1 + PH/2)
+		}
+		return float64(plotY2) - (v-a.min)/(a.max-a.min)*float64(PH)
+	}
+
+	var b strings.Builder
+
+	fmt.Fprintf(&b, `<svg xmlns="http://www.w3.org/2000/svg" width="%d" height="%d"`+
+		` style="background:#fff;border-radius:8px;display:block;margin:0 auto 24px;`+
+		`box-shadow:0 2px 12px rgba(0,0,0,.12)">`+"\n", W, H)
+
+	// Title
+	fmt.Fprintf(&b, `<text x="%d" y="22" text-anchor="middle" font-family="sans-serif"`+
+		` font-size="14" font-weight="bold" fill="#333">GPU Stress Test Metrics — GPU %d</text>`+"\n",
+		plotX1+PW/2, gpuIdx)
+
+	// Horizontal grid (align to temp axis ticks)
+	b.WriteString(`<g stroke="#e0e0e0" stroke-width="0.5">` + "\n")
+	for _, tick := range axes[0].ticks {
+		y := yv(tick, 0)
+		if y < float64(plotY1) || y > float64(plotY2) {
+			continue
+		}
+		fmt.Fprintf(&b, `<line x1="%d" y1="%.1f" x2="%d" y2="%.1f"/>`+"\n",
+			plotX1, y, plotX2, y)
+	}
+	// Vertical grid
+	xTicks := gpuNiceTicks(tMin, tMax, 10)
+	for _, tv := range xTicks {
+		x := xv(tv)
+		if x < float64(plotX1) || x > float64(plotX2) {
+			continue
+		}
+		fmt.Fprintf(&b, `<line x1="%.1f" y1="%d" x2="%.1f" y2="%d"/>`+"\n",
+			x, plotY1, x, plotY2)
+	}
+	b.WriteString("</g>\n")
+
+	// Chart border
+	fmt.Fprintf(&b, `<rect x="%d" y="%d" width="%d" height="%d"`+
+		` fill="none" stroke="#333" stroke-width="1"/>`+"\n",
+		plotX1, plotY1, PW, PH)
+
+	// X axis ticks and labels
+	b.WriteString(`<g font-family="sans-serif" font-size="11" fill="#333" text-anchor="middle">` + "\n")
+	for _, tv := range xTicks {
+		x := xv(tv)
+		if x < float64(plotX1) || x > float64(plotX2) {
+			continue
+		}
+		fmt.Fprintf(&b, `<text x="%.1f" y="%d">%s</text>`+"\n", x, plotY2+18, gpuFormatTick(tv))
+		fmt.Fprintf(&b, `<line x1="%.1f" y1="%d" x2="%.1f" y2="%d" stroke="#333" stroke-width="1"/>`+"\n",
+			x, plotY2, x, plotY2+4)
+	}
+	b.WriteString("</g>\n")
+	fmt.Fprintf(&b, `<text x="%d" y="%d" font-family="sans-serif" font-size="13"`+
+		` fill="#333" text-anchor="middle">Time (seconds)</text>`+"\n",
+		plotX1+PW/2, plotY2+38)
+
+	// Y axes: [tempAxisX, plotX1, plotX2, clockAxisX]
+	axisLineX := [4]int{tempAxisX, plotX1, plotX2, clockAxisX}
+	axisRight := [4]bool{false, false, true, true}
+	// Label x positions (for rotated vertical text)
+	axisLabelX := [4]int{10, 68, 868, 950}
+
+	for i := 0; i < 4; i++ {
+		ax := axisLineX[i]
+		right := axisRight[i]
+		color := colors[i]
+
+		// Axis line
+		fmt.Fprintf(&b, `<line x1="%d" y1="%d" x2="%d" y2="%d"`+
+			` stroke="%s" stroke-width="1"/>`+"\n",
+			ax, plotY1, ax, plotY2, color)
+
+		// Ticks and tick labels
+		fmt.Fprintf(&b, `<g font-family="sans-serif" font-size="10" fill="%s">`+"\n", color)
+		for _, tick := range axes[i].ticks {
+			y := yv(tick, i)
+			if y < float64(plotY1) || y > float64(plotY2) {
+				continue
+			}
+			dx := -5
+			textX := ax - 8
+			anchor := "end"
+			if right {
+				dx = 5
+				textX = ax + 8
+				anchor = "start"
+			}
+			fmt.Fprintf(&b, `<line x1="%d" y1="%.1f" x2="%d" y2="%.1f"`+
+				` stroke="%s" stroke-width="1"/>`+"\n",
+				ax, y, ax+dx, y, color)
+			fmt.Fprintf(&b, `<text x="%d" y="%.1f" text-anchor="%s" dy="4">%s</text>`+"\n",
+				textX, y, anchor, gpuFormatTick(tick))
+		}
+		b.WriteString("</g>\n")
+
+		// Axis label (rotated)
+		lx := axisLabelX[i]
+		fmt.Fprintf(&b, `<text transform="translate(%d,%d) rotate(-90)"`+
+			` font-family="sans-serif" font-size="12" fill="%s" text-anchor="middle">%s</text>`+"\n",
+			lx, plotY1+PH/2, color, axisLabel[i])
+	}
+
+	// Data lines
+	for i := 0; i < 4; i++ {
+		var pts strings.Builder
+		for j := range rows {
+			x := xv(t[j])
+			y := yv(vals[i][j], i)
+			if j == 0 {
+				fmt.Fprintf(&pts, "%.1f,%.1f", x, y)
+			} else {
+				fmt.Fprintf(&pts, " %.1f,%.1f", x, y)
+			}
+		}
+		fmt.Fprintf(&b, `<polyline points="%s" fill="none" stroke="%s" stroke-width="1.5"/>`+"\n",
+			pts.String(), colors[i])
+	}
+
+	// Legend
+	const legendY = 42
+	for i := 0; i < 4; i++ {
+		lx := plotX1 + i*(PW/4) + 10
+		fmt.Fprintf(&b, `<line x1="%d" y1="%d" x2="%d" y2="%d"`+
+			` stroke="%s" stroke-width="2"/>`+"\n",
+			lx, legendY, lx+20, legendY, colors[i])
+		fmt.Fprintf(&b, `<text x="%d" y="%d" font-family="sans-serif" font-size="12" fill="#333">%s</text>`+"\n",
+			lx+25, legendY+4, seriesLabel[i])
+	}
+
+	b.WriteString("</svg>\n")
+	return b.String()
+}
+
+const (
+	ansiRed    = "\033[31m"
+	ansiBlue   = "\033[34m"
+	ansiGreen  = "\033[32m"
+	ansiYellow = "\033[33m"
+	ansiReset  = "\033[0m"
+)
+
+const (
+	termChartWidth  = 70
+	termChartHeight = 12
+)
+
+// RenderGPUTerminalChart returns ANSI line charts (asciigraph-style) per GPU.
+// Suitable for display in the TUI screenOutput.
+func RenderGPUTerminalChart(rows []GPUMetricRow) string {
+	seen := make(map[int]bool)
+	var order []int
+	gpuMap := make(map[int][]GPUMetricRow)
+	for _, r := range rows {
+		if !seen[r.GPUIndex] {
+			seen[r.GPUIndex] = true
+			order = append(order, r.GPUIndex)
+		}
+		gpuMap[r.GPUIndex] = append(gpuMap[r.GPUIndex], r)
+	}
+
+	type seriesDef struct {
+		caption string
+		color   string
+		fn      func(GPUMetricRow) float64
+	}
+	defs := []seriesDef{
+		{"Temperature (°C)", ansiRed, func(r GPUMetricRow) float64 { return r.TempC }},
+		{"GPU Usage (%)", ansiBlue, func(r GPUMetricRow) float64 { return r.UsagePct }},
+		{"Power (W)", ansiGreen, func(r GPUMetricRow) float64 { return r.PowerW }},
+		{"Clock (MHz)", ansiYellow, func(r GPUMetricRow) float64 { return r.ClockMHz }},
+	}
+
+	var b strings.Builder
+	for _, gpuIdx := range order {
+		gr := gpuMap[gpuIdx]
+		if len(gr) == 0 {
+			continue
+		}
+		tMax := gr[len(gr)-1].ElapsedSec - gr[0].ElapsedSec
+		fmt.Fprintf(&b, "GPU %d — Stress Test Metrics  (%.0f seconds)\n\n", gpuIdx, tMax)
+		for _, d := range defs {
+			b.WriteString(renderLineChart(extractGPUField(gr, d.fn), d.color, d.caption,
+				termChartHeight, termChartWidth))
+			b.WriteRune('\n')
+		}
+	}
+
+	return strings.TrimRight(b.String(), "\n")
+}
+
+// renderLineChart draws a single time-series line chart using box-drawing characters.
+// Produces output in the style of asciigraph: ╭─╮ │ ╰─╯ with a Y axis and caption.
+func renderLineChart(vals []float64, color, caption string, height, width int) string {
+	if len(vals) == 0 {
+		return caption + "\n"
+	}
+
+	mn, mx := gpuMinMax(vals)
+	if mn == mx {
+		mx = mn + 1
+	}
+
+	// Use the smaller of width or len(vals) to avoid stretching sparse data.
+	w := width
+	if len(vals) < w {
+		w = len(vals)
+	}
+	data := gpuDownsample(vals, w)
+
+	// row[i] = display row index: 0 = top = max value, height = bottom = min value.
+	row := make([]int, w)
+	for i, v := range data {
+		r := int(math.Round((mx - v) / (mx - mn) * float64(height)))
+		if r < 0 {
+			r = 0
+		}
+		if r > height {
+			r = height
+		}
+		row[i] = r
+	}
+
+	// Fill the character grid.
+	grid := make([][]rune, height+1)
+	for i := range grid {
+		grid[i] = make([]rune, w)
+		for j := range grid[i] {
+			grid[i][j] = ' '
+		}
+	}
+	for x := 0; x < w; x++ {
+		r := row[x]
+		if x == 0 {
+			grid[r][0] = '─'
+			continue
+		}
+		p := row[x-1]
+		switch {
+		case r == p:
+			grid[r][x] = '─'
+		case r < p: // value went up (row index decreased toward top)
+			grid[r][x] = '╭'
+			grid[p][x] = '╯'
+			for y := r + 1; y < p; y++ {
+				grid[y][x] = '│'
+			}
+		default: // r > p, value went down
+			grid[p][x] = '╮'
+			grid[r][x] = '╰'
+			for y := p + 1; y < r; y++ {
+				grid[y][x] = '│'
+			}
+		}
+	}
+
+	// Y axis tick labels.
+	ticks := gpuNiceTicks(mn, mx, height/2)
+	tickAtRow := make(map[int]string)
+	labelWidth := 4
+	for _, t := range ticks {
+		r := int(math.Round((mx - t) / (mx - mn) * float64(height)))
+		if r < 0 || r > height {
+			continue
+		}
+		s := gpuFormatTick(t)
+		tickAtRow[r] = s
+		if len(s) > labelWidth {
+			labelWidth = len(s)
+		}
+	}
+
+	var b strings.Builder
+	for r := 0; r <= height; r++ {
+		label := tickAtRow[r]
+		fmt.Fprintf(&b, "%*s", labelWidth, label)
+		switch {
+		case label != "":
+			b.WriteRune('┤')
+		case r == height:
+			b.WriteRune('┼')
+		default:
+			b.WriteRune('│')
+		}
+		b.WriteString(color)
+		b.WriteString(string(grid[r]))
+		b.WriteString(ansiReset)
+		b.WriteRune('\n')
+	}
+
+	// Bottom axis.
+	b.WriteString(strings.Repeat(" ", labelWidth))
+	b.WriteRune('└')
+	b.WriteString(strings.Repeat("─", w))
+	b.WriteRune('\n')
+
+	// Caption centered under the chart.
+	if caption != "" {
+		total := labelWidth + 1 + w
+		if pad := (total - len(caption)) / 2; pad > 0 {
+			b.WriteString(strings.Repeat(" ", pad))
+		}
+		b.WriteString(caption)
+		b.WriteRune('\n')
+	}
+
+	return b.String()
+}
+
+func extractGPUField(rows []GPUMetricRow, fn func(GPUMetricRow) float64) []float64 {
+	v := make([]float64, len(rows))
+	for i, r := range rows {
+		v[i] = fn(r)
+	}
+	return v
+}
+
+// gpuDownsample averages vals into w buckets (or nearest-neighbor upsamples if len(vals) < w).
+func gpuDownsample(vals []float64, w int) []float64 {
+	n := len(vals)
+	if n == 0 {
+		return make([]float64, w)
+	}
+	result := make([]float64, w)
+	if n >= w {
+		counts := make([]int, w)
+		for i, v := range vals {
+			bucket := i * w / n
+			if bucket >= w {
+				bucket = w - 1
+			}
+			result[bucket] += v
+			counts[bucket]++
+		}
+		for i := range result {
+			if counts[i] > 0 {
+				result[i] /= float64(counts[i])
+			}
+		}
+	} else {
+		// Nearest-neighbour upsample.
+		for i := range result {
+			src := i * (n - 1) / (w - 1)
+			if src >= n {
+				src = n - 1
+			}
+			result[i] = vals[src]
+		}
+	}
+	return result
+}
+
+func gpuMinMax(vals []float64) (float64, float64) {
+	if len(vals) == 0 {
+		return 0, 1
+	}
+	mn, mx := vals[0], vals[0]
+	for _, v := range vals[1:] {
+		if v < mn {
+			mn = v
+		}
+		if v > mx {
+			mx = v
+		}
+	}
+	return mn, mx
+}
+
+func gpuNiceTicks(mn, mx float64, targetCount int) []float64 {
+	if mn == mx {
+		mn -= 1
+		mx += 1
+	}
+	r := mx - mn
+	step := math.Pow(10, math.Floor(math.Log10(r/float64(targetCount))))
+	for _, f := range []float64{1, 2, 5, 10} {
+		if r/(f*step) <= float64(targetCount)*1.5 {
+			step = f * step
+			break
+		}
+	}
+	lo := math.Floor(mn/step) * step
+	hi := math.Ceil(mx/step) * step
+	var ticks []float64
+	for v := lo; v <= hi+step*0.001; v += step {
+		ticks = append(ticks, math.Round(v*1e9)/1e9)
+	}
+	return ticks
+}
+
+func gpuFormatTick(v float64) string {
+	if v == math.Trunc(v) {
+		return strconv.Itoa(int(v))
+	}
+	return strconv.FormatFloat(v, 'f', 1, 64)
+}

audit/internal/platform/network.go

@@ -0,0 +1,156 @@
+package platform
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"sort"
+	"strings"
+)
+
+func (s *System) ListInterfaces() ([]InterfaceInfo, error) {
+	names, err := listInterfaceNames()
+	if err != nil {
+		return nil, err
+	}
+
+	out := make([]InterfaceInfo, 0, len(names))
+	for _, name := range names {
+		state := "unknown"
+		if raw, err := exec.Command("ip", "-o", "link", "show", name).Output(); err == nil {
+			fields := strings.Fields(string(raw))
+			if len(fields) >= 9 {
+				state = fields[8]
+			}
+		}
+
+		var ipv4 []string
+		if raw, err := exec.Command("ip", "-o", "-4", "addr", "show", "dev", name).Output(); err == nil {
+			for _, line := range strings.Split(strings.TrimSpace(string(raw)), "\n") {
+				fields := strings.Fields(line)
+				if len(fields) >= 4 {
+					ipv4 = append(ipv4, fields[3])
+				}
+			}
+		}
+
+		out = append(out, InterfaceInfo{Name: name, State: state, IPv4: ipv4})
+	}
+
+	return out, nil
+}
+
+func (s *System) DefaultRoute() string {
+	raw, err := exec.Command("ip", "route", "show", "default").Output()
+	if err != nil {
+		return ""
+	}
+	fields := strings.Fields(string(raw))
+	for i := 0; i < len(fields)-1; i++ {
+		if fields[i] == "via" {
+			return fields[i+1]
+		}
+	}
+	return ""
+}
+
+func (s *System) DHCPOne(iface string) (string, error) {
+	var out bytes.Buffer
+	if err := exec.Command("ip", "link", "set", iface, "up").Run(); err != nil {
+		fmt.Fprintf(&out, "WARN: ip link set up failed: %v\n", err)
+	}
+	if raw, err := exec.Command("dhclient", "-r", iface).CombinedOutput(); err == nil {
+		out.Write(raw)
+	} else if len(raw) > 0 {
+		out.Write(raw)
+	}
+	raw, err := exec.Command("dhclient", "-4", "-v", iface).CombinedOutput()
+	out.Write(raw)
+	if err != nil {
+		return out.String(), err
+	}
+	return out.String(), nil
+}
+
+func (s *System) DHCPAll() (string, error) {
+	ifaces, err := listInterfaceNames()
+	if err != nil {
+		return "", err
+	}
+	var out strings.Builder
+	for _, iface := range ifaces {
+		fmt.Fprintf(&out, "[%s]\n", iface)
+		log, err := s.DHCPOne(iface)
+		out.WriteString(log)
+		if err != nil {
+			fmt.Fprintf(&out, "ERROR: %v\n", err)
+		}
+		out.WriteString("\n")
+	}
+	return out.String(), nil
+}
+
+func (s *System) SetStaticIPv4(cfg StaticIPv4Config) (string, error) {
+	if cfg.Interface == "" || cfg.Address == "" || cfg.Prefix == "" {
+		return "", fmt.Errorf("interface, address, and prefix are required")
+	}
+
+	dns := cfg.DNS
+	if len(dns) == 0 {
+		dns = []string{"77.88.8.8", "77.88.8.1", "1.1.1.1", "8.8.8.8"}
+	}
+
+	var out strings.Builder
+	_ = exec.Command("ip", "link", "set", cfg.Interface, "up").Run()
+	_ = exec.Command("ip", "addr", "flush", "dev", cfg.Interface).Run()
+	if raw, err := exec.Command("ip", "addr", "add", cfg.Address+"/"+cfg.Prefix, "dev", cfg.Interface).CombinedOutput(); err != nil {
+		return string(raw), err
+	}
+	out.WriteString("address configured\n")
+	if cfg.Gateway != "" {
+		_ = exec.Command("ip", "route", "del", "default").Run()
+		if raw, err := exec.Command("ip", "route", "add", "default", "via", cfg.Gateway, "dev", cfg.Interface).CombinedOutput(); err != nil {
+			return out.String() + string(raw), err
+		}
+		out.WriteString("default route configured\n")
+	}
+
+	var resolv strings.Builder
+	for _, dnsServer := range dns {
+		dnsServer = strings.TrimSpace(dnsServer)
+		if dnsServer == "" {
+			continue
+		}
+		fmt.Fprintf(&resolv, "nameserver %s\n", dnsServer)
+	}
+	if err := os.WriteFile("/etc/resolv.conf", []byte(resolv.String()), 0644); err != nil {
+		return out.String(), err
+	}
+	out.WriteString("dns configured\n")
+	return out.String(), nil
+}
+
+func listInterfaceNames() ([]string, error) {
+	raw, err := exec.Command("ip", "-o", "link", "show").Output()
+	if err != nil {
+		return nil, err
+	}
+	var out []string
+	for _, line := range strings.Split(strings.TrimSpace(string(raw)), "\n") {
+		fields := strings.SplitN(line, ": ", 3)
+		if len(fields) < 2 {
+			continue
+		}
+		name := fields[1]
+		if name == "lo" || strings.HasPrefix(name, "docker") || strings.HasPrefix(name, "virbr") ||
+			strings.HasPrefix(name, "veth") || strings.HasPrefix(name, "tun") ||
+			strings.HasPrefix(name, "tap") || strings.HasPrefix(name, "br-") ||
+			strings.HasPrefix(name, "bond") || strings.HasPrefix(name, "dummy") {
+			continue
+		}
+		out = append(out, name)
+	}
+	sort.Strings(out)
+	return out, nil
+}

audit/internal/platform/parse.go

@@ -0,0 +1,43 @@
+package platform
+
+import "strings"
+
+func parseLSBLKPairs(line string) map[string]string {
+	out := map[string]string{}
+	for _, part := range splitQuotedFields(line) {
+		idx := strings.Index(part, "=")
+		if idx <= 0 {
+			continue
+		}
+		key := part[:idx]
+		value := strings.Trim(part[idx+1:], `"`)
+		out[key] = value
+	}
+	return out
+}
+
+func splitQuotedFields(s string) []string {
+	var out []string
+	var cur strings.Builder
+	inQuotes := false
+	for _, r := range s {
+		switch r {
+		case '"':
+			inQuotes = !inQuotes
+			cur.WriteRune(r)
+		case ' ':
+			if inQuotes {
+				cur.WriteRune(r)
+			} else if cur.Len() > 0 {
+				out = append(out, cur.String())
+				cur.Reset()
+			}
+		default:
+			cur.WriteRune(r)
+		}
+	}
+	if cur.Len() > 0 {
+		out = append(out, cur.String())
+	}
+	return out
+}

audit/internal/platform/runtime.go

@@ -0,0 +1,164 @@
+package platform
+
+import (
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+
+	"bee/audit/internal/schema"
+)
+
+var runtimeRequiredTools = []string{
+	"dmidecode",
+	"lspci",
+	"lsblk",
+	"smartctl",
+	"nvme",
+	"ipmitool",
+	"nvidia-smi",
+	"nvidia-bug-report.sh",
+	"bee-gpu-stress",
+	"dhclient",
+	"mount",
+}
+
+var runtimeTrackedServices = []string{
+	"bee-network",
+	"bee-nvidia",
+	"bee-preflight",
+	"bee-audit",
+	"bee-web",
+	"bee-sshsetup",
+}
+
+func (s *System) CollectRuntimeHealth(exportDir string) (schema.RuntimeHealth, error) {
+	checkedAt := time.Now().UTC().Format(time.RFC3339)
+	health := schema.RuntimeHealth{
+		Status:    "OK",
+		CheckedAt: checkedAt,
+		ExportDir: strings.TrimSpace(exportDir),
+	}
+
+	if health.ExportDir != "" {
+		if err := os.MkdirAll(health.ExportDir, 0755); err != nil {
+			health.Status = "FAILED"
+			health.Issues = append(health.Issues, schema.RuntimeIssue{
+				Code:        "export_dir_unavailable",
+				Severity:    "critical",
+				Description: err.Error(),
+			})
+		}
+	}
+
+	interfaces, err := s.ListInterfaces()
+	if err == nil {
+		health.Interfaces = make([]schema.RuntimeInterface, 0, len(interfaces))
+		hasIPv4 := false
+		missingIPv4 := false
+		for _, iface := range interfaces {
+			outcome := "no_offer"
+			if len(iface.IPv4) > 0 {
+				outcome = "lease_acquired"
+				hasIPv4 = true
+			} else if strings.EqualFold(iface.State, "DOWN") {
+				outcome = "link_down"
+			} else {
+				missingIPv4 = true
+			}
+			health.Interfaces = append(health.Interfaces, schema.RuntimeInterface{
+				Name:    iface.Name,
+				State:   iface.State,
+				IPv4:    iface.IPv4,
+				Outcome: outcome,
+			})
+		}
+		switch {
+		case hasIPv4 && !missingIPv4:
+			health.NetworkStatus = "OK"
+		case hasIPv4:
+			health.NetworkStatus = "PARTIAL"
+			health.Issues = append(health.Issues, schema.RuntimeIssue{
+				Code:        "dhcp_partial",
+				Severity:    "warning",
+				Description: "At least one interface did not obtain IPv4 connectivity.",
+			})
+		default:
+			health.NetworkStatus = "FAILED"
+			health.Issues = append(health.Issues, schema.RuntimeIssue{
+				Code:        "dhcp_failed",
+				Severity:    "warning",
+				Description: "No physical interface obtained IPv4 connectivity.",
+			})
+		}
+	}
+
+	for _, tool := range s.CheckTools(runtimeRequiredTools) {
+		health.Tools = append(health.Tools, schema.RuntimeToolStatus{
+			Name: tool.Name,
+			Path: tool.Path,
+			OK:   tool.OK,
+		})
+		if !tool.OK {
+			health.Issues = append(health.Issues, schema.RuntimeIssue{
+				Code:        "tool_missing",
+				Severity:    "warning",
+				Description: "Required tool missing: " + tool.Name,
+			})
+		}
+	}
+
+	for _, name := range runtimeTrackedServices {
+		health.Services = append(health.Services, schema.RuntimeServiceStatus{
+			Name:   name,
+			Status: s.ServiceState(name),
+		})
+	}
+
+	lsmodText := commandText("lsmod")
+	health.DriverReady = strings.Contains(lsmodText, "nvidia ")
+	if !health.DriverReady {
+		health.Issues = append(health.Issues, schema.RuntimeIssue{
+			Code:        "nvidia_kernel_module_missing",
+			Severity:    "warning",
+			Description: "NVIDIA kernel module is not loaded.",
+		})
+	}
+	if health.DriverReady && !strings.Contains(lsmodText, "nvidia_modeset") {
+		health.Issues = append(health.Issues, schema.RuntimeIssue{
+			Code:        "nvidia_modeset_failed",
+			Severity:    "warning",
+			Description: "nvidia-modeset is not loaded; display/CUDA stack may be partial.",
+		})
+	}
+	if out, err := exec.Command("nvidia-smi", "-L").CombinedOutput(); err == nil && strings.TrimSpace(string(out)) != "" {
+		health.DriverReady = true
+	}
+
+	health.CUDAReady = false
+	if lookErr := exec.Command("sh", "-c", "command -v bee-gpu-stress >/dev/null 2>&1").Run(); lookErr == nil {
+		out, err := exec.Command("bee-gpu-stress", "--seconds", "1", "--size-mb", "1").CombinedOutput()
+		if err == nil {
+			health.CUDAReady = true
+		} else if strings.Contains(strings.ToLower(string(out)), "cuda_error_system_not_ready") {
+			health.Issues = append(health.Issues, schema.RuntimeIssue{
+				Code:        "cuda_runtime_not_ready",
+				Severity:    "warning",
+				Description: "CUDA runtime is not ready for GPU SAT.",
+			})
+		}
+	}
+
+	if health.Status != "FAILED" && len(health.Issues) > 0 {
+		health.Status = "PARTIAL"
+	}
+	return health, nil
+}
+
+func commandText(name string, args ...string) string {
+	raw, err := exec.Command(name, args...).CombinedOutput()
+	if err != nil && len(raw) == 0 {
+		return ""
+	}
+	return string(raw)
+}

audit/internal/platform/sat.go

@@ -0,0 +1,580 @@
+package platform
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// NvidiaGPU holds basic GPU info from nvidia-smi.
+type NvidiaGPU struct {
+	Index    int
+	Name     string
+	MemoryMB int
+}
+
+// AMDGPUInfo holds basic info about an AMD GPU from rocm-smi.
+type AMDGPUInfo struct {
+	Index int
+	Name  string
+}
+
+// DetectGPUVendor returns "nvidia" if /dev/nvidia0 exists, "amd" if /dev/kfd exists, or "" otherwise.
+func (s *System) DetectGPUVendor() string {
+	if _, err := os.Stat("/dev/nvidia0"); err == nil {
+		return "nvidia"
+	}
+	if _, err := os.Stat("/dev/kfd"); err == nil {
+		return "amd"
+	}
+	return ""
+}
+
+// ListAMDGPUs returns AMD GPUs visible to rocm-smi.
+func (s *System) ListAMDGPUs() ([]AMDGPUInfo, error) {
+	out, err := exec.Command("rocm-smi", "--showproductname", "--csv").Output()
+	if err != nil {
+		return nil, fmt.Errorf("rocm-smi: %w", err)
+	}
+	var gpus []AMDGPUInfo
+	for _, line := range strings.Split(strings.TrimSpace(string(out)), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" || strings.HasPrefix(strings.ToLower(line), "device") {
+			continue
+		}
+		parts := strings.SplitN(line, ",", 2)
+		name := ""
+		if len(parts) >= 2 {
+			name = strings.TrimSpace(parts[1])
+		}
+		idx := len(gpus)
+		gpus = append(gpus, AMDGPUInfo{Index: idx, Name: name})
+	}
+	return gpus, nil
+}
+
+// RunAMDAcceptancePack runs an AMD GPU diagnostic pack using rocm-smi.
+func (s *System) RunAMDAcceptancePack(baseDir string) (string, error) {
+	return runAcceptancePack(baseDir, "gpu-amd", []satJob{
+		{name: "01-rocm-smi.log", cmd: []string{"rocm-smi"}},
+		{name: "02-rocm-smi-showallinfo.log", cmd: []string{"rocm-smi", "--showallinfo"}},
+		{name: "03-dmidecode-baseboard.log", cmd: []string{"dmidecode", "-t", "baseboard"}},
+		{name: "04-dmidecode-system.log", cmd: []string{"dmidecode", "-t", "system"}},
+	})
+}
+
+// ListNvidiaGPUs returns GPUs visible to nvidia-smi.
+func (s *System) ListNvidiaGPUs() ([]NvidiaGPU, error) {
+	out, err := exec.Command("nvidia-smi",
+		"--query-gpu=index,name,memory.total",
+		"--format=csv,noheader,nounits").Output()
+	if err != nil {
+		return nil, fmt.Errorf("nvidia-smi: %w", err)
+	}
+	var gpus []NvidiaGPU
+	for _, line := range strings.Split(strings.TrimSpace(string(out)), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
+		parts := strings.SplitN(line, ", ", 3)
+		if len(parts) != 3 {
+			continue
+		}
+		idx, err := strconv.Atoi(strings.TrimSpace(parts[0]))
+		if err != nil {
+			continue
+		}
+		memMB, _ := strconv.Atoi(strings.TrimSpace(parts[2]))
+		gpus = append(gpus, NvidiaGPU{
+			Index:    idx,
+			Name:     strings.TrimSpace(parts[1]),
+			MemoryMB: memMB,
+		})
+	}
+	return gpus, nil
+}
+
+func (s *System) RunNvidiaAcceptancePack(baseDir string) (string, error) {
+	return runAcceptancePack(baseDir, "gpu-nvidia", nvidiaSATJobs())
+}
+
+// RunNvidiaAcceptancePackWithOptions runs the NVIDIA SAT with explicit duration,
+// GPU memory size, and GPU index selection. ctx cancellation kills the running job.
+func (s *System) RunNvidiaAcceptancePackWithOptions(ctx context.Context, baseDir string, durationSec int, sizeMB int, gpuIndices []int) (string, error) {
+	return runAcceptancePackCtx(ctx, baseDir, "gpu-nvidia", nvidiaSATJobsWithOptions(durationSec, sizeMB, gpuIndices))
+}
+
+func (s *System) RunMemoryAcceptancePack(baseDir string) (string, error) {
+	sizeMB := envInt("BEE_MEMTESTER_SIZE_MB", 128)
+	passes := envInt("BEE_MEMTESTER_PASSES", 1)
+	return runAcceptancePack(baseDir, "memory", []satJob{
+		{name: "01-free-before.log", cmd: []string{"free", "-h"}},
+		{name: "02-memtester.log", cmd: []string{"memtester", fmt.Sprintf("%dM", sizeMB), fmt.Sprintf("%d", passes)}},
+		{name: "03-free-after.log", cmd: []string{"free", "-h"}},
+	})
+}
+
+func (s *System) RunCPUAcceptancePack(baseDir string, durationSec int) (string, error) {
+	if durationSec <= 0 {
+		durationSec = 60
+	}
+	return runAcceptancePack(baseDir, "cpu", []satJob{
+		{name: "01-lscpu.log", cmd: []string{"lscpu"}},
+		{name: "02-sensors-before.log", cmd: []string{"sensors"}},
+		{name: "03-stress-ng.log", cmd: []string{"stress-ng", "--cpu", "0", "--cpu-method", "all", "--timeout", fmt.Sprintf("%d", durationSec)}},
+		{name: "04-sensors-after.log", cmd: []string{"sensors"}},
+	})
+}
+
+func (s *System) RunStorageAcceptancePack(baseDir string) (string, error) {
+	if baseDir == "" {
+		baseDir = "/var/log/bee-sat"
+	}
+	ts := time.Now().UTC().Format("20060102-150405")
+	runDir := filepath.Join(baseDir, "storage-"+ts)
+	if err := os.MkdirAll(runDir, 0755); err != nil {
+		return "", err
+	}
+	verboseLog := filepath.Join(runDir, "verbose.log")
+
+	devices, err := listStorageDevices()
+	if err != nil {
+		return "", err
+	}
+	sort.Strings(devices)
+
+	var summary strings.Builder
+	stats := satStats{}
+	fmt.Fprintf(&summary, "run_at_utc=%s\n", time.Now().UTC().Format(time.RFC3339))
+	if len(devices) == 0 {
+		fmt.Fprintln(&summary, "devices=0")
+		stats.Unsupported++
+	} else {
+		fmt.Fprintf(&summary, "devices=%d\n", len(devices))
+	}
+
+	for index, devPath := range devices {
+		prefix := fmt.Sprintf("%02d-%s", index+1, filepath.Base(devPath))
+		commands := storageSATCommands(devPath)
+		for cmdIndex, job := range commands {
+			name := fmt.Sprintf("%s-%02d-%s.log", prefix, cmdIndex+1, job.name)
+			out, err := runSATCommand(verboseLog, job.name, job.cmd)
+			if writeErr := os.WriteFile(filepath.Join(runDir, name), out, 0644); writeErr != nil {
+				return "", writeErr
+			}
+			status, rc := classifySATResult(job.name, out, err)
+			stats.Add(status)
+			key := filepath.Base(devPath) + "_" + strings.ReplaceAll(job.name, "-", "_")
+			fmt.Fprintf(&summary, "%s_rc=%d\n", key, rc)
+			fmt.Fprintf(&summary, "%s_status=%s\n", key, status)
+		}
+	}
+
+	writeSATStats(&summary, stats)
+	if err := os.WriteFile(filepath.Join(runDir, "summary.txt"), []byte(summary.String()), 0644); err != nil {
+		return "", err
+	}
+	archive := filepath.Join(baseDir, "storage-"+ts+".tar.gz")
+	if err := createTarGz(archive, runDir); err != nil {
+		return "", err
+	}
+	return archive, nil
+}
+
+type satJob struct {
+	name       string
+	cmd        []string
+	env        []string // extra env vars (appended to os.Environ)
+	collectGPU bool     // collect GPU metrics via nvidia-smi while this job runs
+	gpuIndices []int    // GPU indices to collect metrics for (empty = all)
+}
+
+type satStats struct {
+	OK          int
+	Failed      int
+	Unsupported int
+}
+
+func nvidiaSATJobs() []satJob {
+	seconds := envInt("BEE_GPU_STRESS_SECONDS", 5)
+	sizeMB := envInt("BEE_GPU_STRESS_SIZE_MB", 64)
+	return []satJob{
+		{name: "01-nvidia-smi-q.log", cmd: []string{"nvidia-smi", "-q"}},
+		{name: "02-dmidecode-baseboard.log", cmd: []string{"dmidecode", "-t", "baseboard"}},
+		{name: "03-dmidecode-system.log", cmd: []string{"dmidecode", "-t", "system"}},
+		{name: "04-nvidia-bug-report.log", cmd: []string{"nvidia-bug-report.sh", "--output-file", "{{run_dir}}/nvidia-bug-report.log"}},
+		{name: "05-bee-gpu-stress.log", cmd: []string{"bee-gpu-stress", "--seconds", fmt.Sprintf("%d", seconds), "--size-mb", fmt.Sprintf("%d", sizeMB)}},
+	}
+}
+
+func runAcceptancePack(baseDir, prefix string, jobs []satJob) (string, error) {
+	if baseDir == "" {
+		baseDir = "/var/log/bee-sat"
+	}
+	ts := time.Now().UTC().Format("20060102-150405")
+	runDir := filepath.Join(baseDir, prefix+"-"+ts)
+	if err := os.MkdirAll(runDir, 0755); err != nil {
+		return "", err
+	}
+	verboseLog := filepath.Join(runDir, "verbose.log")
+
+	var summary strings.Builder
+	stats := satStats{}
+	fmt.Fprintf(&summary, "run_at_utc=%s\n", time.Now().UTC().Format(time.RFC3339))
+	for _, job := range jobs {
+		cmd := make([]string, 0, len(job.cmd))
+		for _, arg := range job.cmd {
+			cmd = append(cmd, strings.ReplaceAll(arg, "{{run_dir}}", runDir))
+		}
+		out, err := runSATCommand(verboseLog, job.name, cmd)
+		if writeErr := os.WriteFile(filepath.Join(runDir, job.name), out, 0644); writeErr != nil {
+			return "", writeErr
+		}
+		status, rc := classifySATResult(job.name, out, err)
+		stats.Add(status)
+		key := strings.TrimSuffix(strings.TrimPrefix(job.name, "0"), ".log")
+		fmt.Fprintf(&summary, "%s_rc=%d\n", key, rc)
+		fmt.Fprintf(&summary, "%s_status=%s\n", key, status)
+	}
+	writeSATStats(&summary, stats)
+	if err := os.WriteFile(filepath.Join(runDir, "summary.txt"), []byte(summary.String()), 0644); err != nil {
+		return "", err
+	}
+
+	archive := filepath.Join(baseDir, prefix+"-"+ts+".tar.gz")
+	if err := createTarGz(archive, runDir); err != nil {
+		return "", err
+	}
+	return archive, nil
+}
+
+func nvidiaSATJobsWithOptions(durationSec, sizeMB int, gpuIndices []int) []satJob {
+	var env []string
+	if len(gpuIndices) > 0 {
+		ids := make([]string, len(gpuIndices))
+		for i, idx := range gpuIndices {
+			ids[i] = strconv.Itoa(idx)
+		}
+		env = []string{"CUDA_VISIBLE_DEVICES=" + strings.Join(ids, ",")}
+	}
+	return []satJob{
+		{name: "01-nvidia-smi-q.log", cmd: []string{"nvidia-smi", "-q"}},
+		{name: "02-dmidecode-baseboard.log", cmd: []string{"dmidecode", "-t", "baseboard"}},
+		{name: "03-dmidecode-system.log", cmd: []string{"dmidecode", "-t", "system"}},
+		{name: "04-nvidia-bug-report.log", cmd: []string{"nvidia-bug-report.sh", "--output-file", "{{run_dir}}/nvidia-bug-report.log"}},
+		{
+			name:       "05-bee-gpu-stress.log",
+			cmd:        []string{"bee-gpu-stress", "--seconds", strconv.Itoa(durationSec), "--size-mb", strconv.Itoa(sizeMB)},
+			env:        env,
+			collectGPU: true,
+			gpuIndices: gpuIndices,
+		},
+	}
+}
+
+func runAcceptancePackCtx(ctx context.Context, baseDir, prefix string, jobs []satJob) (string, error) {
+	if baseDir == "" {
+		baseDir = "/var/log/bee-sat"
+	}
+	ts := time.Now().UTC().Format("20060102-150405")
+	runDir := filepath.Join(baseDir, prefix+"-"+ts)
+	if err := os.MkdirAll(runDir, 0755); err != nil {
+		return "", err
+	}
+	verboseLog := filepath.Join(runDir, "verbose.log")
+
+	var summary strings.Builder
+	stats := satStats{}
+	fmt.Fprintf(&summary, "run_at_utc=%s\n", time.Now().UTC().Format(time.RFC3339))
+	for _, job := range jobs {
+		if ctx.Err() != nil {
+			break
+		}
+		cmd := make([]string, 0, len(job.cmd))
+		for _, arg := range job.cmd {
+			cmd = append(cmd, strings.ReplaceAll(arg, "{{run_dir}}", runDir))
+		}
+
+		var out []byte
+		var err error
+
+		if job.collectGPU {
+			out, err = runSATCommandWithMetrics(ctx, verboseLog, job.name, cmd, job.env, job.gpuIndices, runDir)
+		} else {
+			out, err = runSATCommandCtx(ctx, verboseLog, job.name, cmd, job.env)
+		}
+
+		if writeErr := os.WriteFile(filepath.Join(runDir, job.name), out, 0644); writeErr != nil {
+			return "", writeErr
+		}
+		status, rc := classifySATResult(job.name, out, err)
+		stats.Add(status)
+		key := strings.TrimSuffix(strings.TrimPrefix(job.name, "0"), ".log")
+		fmt.Fprintf(&summary, "%s_rc=%d\n", key, rc)
+		fmt.Fprintf(&summary, "%s_status=%s\n", key, status)
+	}
+	writeSATStats(&summary, stats)
+	if err := os.WriteFile(filepath.Join(runDir, "summary.txt"), []byte(summary.String()), 0644); err != nil {
+		return "", err
+	}
+
+	archive := filepath.Join(baseDir, prefix+"-"+ts+".tar.gz")
+	if err := createTarGz(archive, runDir); err != nil {
+		return "", err
+	}
+	return archive, nil
+}
+
+func runSATCommandCtx(ctx context.Context, verboseLog, name string, cmd []string, env []string) ([]byte, error) {
+	start := time.Now().UTC()
+	appendSATVerboseLog(verboseLog,
+		fmt.Sprintf("[%s] start %s", start.Format(time.RFC3339), name),
+		"cmd: "+strings.Join(cmd, " "),
+	)
+
+	c := exec.CommandContext(ctx, cmd[0], cmd[1:]...)
+	if len(env) > 0 {
+		c.Env = append(os.Environ(), env...)
+	}
+	out, err := c.CombinedOutput()
+
+	rc := 0
+	if err != nil {
+		rc = 1
+	}
+	appendSATVerboseLog(verboseLog,
+		fmt.Sprintf("[%s] finish %s", time.Now().UTC().Format(time.RFC3339), name),
+		fmt.Sprintf("rc: %d", rc),
+		fmt.Sprintf("duration_ms: %d", time.Since(start).Milliseconds()),
+		"",
+	)
+	return out, err
+}
+
+func listStorageDevices() ([]string, error) {
+	out, err := exec.Command("lsblk", "-dn", "-o", "NAME,TYPE").Output()
+	if err != nil {
+		return nil, err
+	}
+	var devices []string
+	for _, line := range strings.Split(strings.TrimSpace(string(out)), "\n") {
+		fields := strings.Fields(strings.TrimSpace(line))
+		if len(fields) != 2 || fields[1] != "disk" {
+			continue
+		}
+		devices = append(devices, "/dev/"+fields[0])
+	}
+	return devices, nil
+}
+
+func storageSATCommands(devPath string) []satJob {
+	if strings.Contains(filepath.Base(devPath), "nvme") {
+		return []satJob{
+			{name: "nvme-id-ctrl", cmd: []string{"nvme", "id-ctrl", devPath, "-o", "json"}},
+			{name: "nvme-smart-log", cmd: []string{"nvme", "smart-log", devPath, "-o", "json"}},
+			{name: "nvme-device-self-test", cmd: []string{"nvme", "device-self-test", devPath, "-s", "1", "--wait"}},
+		}
+	}
+	return []satJob{
+		{name: "smartctl-health", cmd: []string{"smartctl", "-H", "-A", devPath}},
+		{name: "smartctl-self-test-short", cmd: []string{"smartctl", "-t", "short", devPath}},
+	}
+}
+
+func (s *satStats) Add(status string) {
+	switch status {
+	case "OK":
+		s.OK++
+	case "UNSUPPORTED":
+		s.Unsupported++
+	default:
+		s.Failed++
+	}
+}
+
+func (s satStats) Overall() string {
+	if s.Failed > 0 {
+		return "FAILED"
+	}
+	if s.Unsupported > 0 {
+		return "PARTIAL"
+	}
+	return "OK"
+}
+
+func writeSATStats(summary *strings.Builder, stats satStats) {
+	fmt.Fprintf(summary, "overall_status=%s\n", stats.Overall())
+	fmt.Fprintf(summary, "job_ok=%d\n", stats.OK)
+	fmt.Fprintf(summary, "job_failed=%d\n", stats.Failed)
+	fmt.Fprintf(summary, "job_unsupported=%d\n", stats.Unsupported)
+}
+
+func classifySATResult(name string, out []byte, err error) (string, int) {
+	rc := 0
+	if err != nil {
+		rc = 1
+	}
+	if err == nil {
+		return "OK", rc
+	}
+
+	text := strings.ToLower(string(out))
+	if strings.Contains(text, "unsupported") ||
+		strings.Contains(text, "not supported") ||
+		strings.Contains(text, "invalid opcode") ||
+		strings.Contains(text, "unknown command") ||
+		strings.Contains(text, "not implemented") ||
+		strings.Contains(text, "not available") ||
+		strings.Contains(text, "cuda_error_system_not_ready") ||
+		strings.Contains(text, "no such device") ||
+		(strings.Contains(name, "self-test") && strings.Contains(text, "aborted")) {
+		return "UNSUPPORTED", rc
+	}
+	return "FAILED", rc
+}
+
+func runSATCommand(verboseLog, name string, cmd []string) ([]byte, error) {
+	start := time.Now().UTC()
+	appendSATVerboseLog(verboseLog,
+		fmt.Sprintf("[%s] start %s", start.Format(time.RFC3339), name),
+		"cmd: "+strings.Join(cmd, " "),
+	)
+
+	out, err := exec.Command(cmd[0], cmd[1:]...).CombinedOutput()
+
+	rc := 0
+	if err != nil {
+		rc = 1
+	}
+	appendSATVerboseLog(verboseLog,
+		fmt.Sprintf("[%s] finish %s", time.Now().UTC().Format(time.RFC3339), name),
+		fmt.Sprintf("rc: %d", rc),
+		fmt.Sprintf("duration_ms: %d", time.Since(start).Milliseconds()),
+		"",
+	)
+	return out, err
+}
+
+// runSATCommandWithMetrics runs a command while collecting GPU metrics in the background.
+// On completion it writes gpu-metrics.csv and gpu-metrics.html into runDir.
+func runSATCommandWithMetrics(ctx context.Context, verboseLog, name string, cmd []string, env []string, gpuIndices []int, runDir string) ([]byte, error) {
+	stopCh := make(chan struct{})
+	doneCh := make(chan struct{})
+	var metricRows []GPUMetricRow
+	start := time.Now()
+
+	go func() {
+		defer close(doneCh)
+		ticker := time.NewTicker(time.Second)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-stopCh:
+				return
+			case <-ticker.C:
+				samples, err := sampleGPUMetrics(gpuIndices)
+				if err != nil {
+					continue
+				}
+				elapsed := time.Since(start).Seconds()
+				for i := range samples {
+					samples[i].ElapsedSec = elapsed
+				}
+				metricRows = append(metricRows, samples...)
+			}
+		}
+	}()
+
+	out, err := runSATCommandCtx(ctx, verboseLog, name, cmd, env)
+
+	close(stopCh)
+	<-doneCh
+
+	if len(metricRows) > 0 {
+		_ = WriteGPUMetricsCSV(filepath.Join(runDir, "gpu-metrics.csv"), metricRows)
+		_ = WriteGPUMetricsHTML(filepath.Join(runDir, "gpu-metrics.html"), metricRows)
+		chart := RenderGPUTerminalChart(metricRows)
+		_ = os.WriteFile(filepath.Join(runDir, "gpu-metrics-term.txt"), []byte(chart), 0644)
+	}
+
+	return out, err
+}
+
+func appendSATVerboseLog(path string, lines ...string) {
+	if path == "" {
+		return
+	}
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0644)
+	if err != nil {
+		return
+	}
+	defer f.Close()
+	for _, line := range lines {
+		_, _ = io.WriteString(f, line+"\n")
+	}
+}
+
+func envInt(name string, fallback int) int {
+	raw := strings.TrimSpace(os.Getenv(name))
+	if raw == "" {
+		return fallback
+	}
+	value, err := strconv.Atoi(raw)
+	if err != nil || value <= 0 {
+		return fallback
+	}
+	return value
+}
+
+func createTarGz(dst, srcDir string) error {
+	file, err := os.Create(dst)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	gz := gzip.NewWriter(file)
+	defer gz.Close()
+
+	tw := tar.NewWriter(gz)
+	defer tw.Close()
+
+	base := filepath.Dir(srcDir)
+	return filepath.Walk(srcDir, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			return nil
+		}
+		header, err := tar.FileInfoHeader(info, "")
+		if err != nil {
+			return err
+		}
+		rel, err := filepath.Rel(base, path)
+		if err != nil {
+			return err
+		}
+		header.Name = rel
+		if err := tw.WriteHeader(header); err != nil {
+			return err
+		}
+		file, err := os.Open(path)
+		if err != nil {
+			return err
+		}
+		defer file.Close()
+		_, err = io.Copy(tw, file)
+		return err
+	})
+}

audit/internal/platform/sat_test.go

@@ -0,0 +1,93 @@
+package platform
+
+import (
+	"errors"
+	"os"
+	"testing"
+)
+
+func TestStorageSATCommands(t *testing.T) {
+	t.Parallel()
+
+	nvme := storageSATCommands("/dev/nvme0n1")
+	if len(nvme) != 3 || nvme[2].cmd[0] != "nvme" {
+		t.Fatalf("unexpected nvme commands: %#v", nvme)
+	}
+
+	sata := storageSATCommands("/dev/sda")
+	if len(sata) != 2 || sata[0].cmd[0] != "smartctl" {
+		t.Fatalf("unexpected sata commands: %#v", sata)
+	}
+}
+
+func TestRunNvidiaAcceptancePackIncludesGPUStress(t *testing.T) {
+	t.Parallel()
+
+	jobs := nvidiaSATJobs()
+
+	if len(jobs) != 5 {
+		t.Fatalf("jobs=%d want 5", len(jobs))
+	}
+	if got := jobs[4].cmd[0]; got != "bee-gpu-stress" {
+		t.Fatalf("gpu stress command=%q want bee-gpu-stress", got)
+	}
+	if got := jobs[3].cmd[1]; got != "--output-file" {
+		t.Fatalf("bug report flag=%q want --output-file", got)
+	}
+}
+
+func TestNvidiaSATJobsUseEnvOverrides(t *testing.T) {
+	t.Setenv("BEE_GPU_STRESS_SECONDS", "9")
+	t.Setenv("BEE_GPU_STRESS_SIZE_MB", "96")
+
+	jobs := nvidiaSATJobs()
+	got := jobs[4].cmd
+	want := []string{"bee-gpu-stress", "--seconds", "9", "--size-mb", "96"}
+	if len(got) != len(want) {
+		t.Fatalf("cmd len=%d want %d", len(got), len(want))
+	}
+	for i := range want {
+		if got[i] != want[i] {
+			t.Fatalf("cmd[%d]=%q want %q", i, got[i], want[i])
+		}
+	}
+}
+
+func TestEnvIntFallback(t *testing.T) {
+	os.Unsetenv("BEE_MEMTESTER_SIZE_MB")
+	if got := envInt("BEE_MEMTESTER_SIZE_MB", 123); got != 123 {
+		t.Fatalf("got %d want 123", got)
+	}
+	t.Setenv("BEE_MEMTESTER_SIZE_MB", "bad")
+	if got := envInt("BEE_MEMTESTER_SIZE_MB", 123); got != 123 {
+		t.Fatalf("got %d want 123", got)
+	}
+	t.Setenv("BEE_MEMTESTER_SIZE_MB", "256")
+	if got := envInt("BEE_MEMTESTER_SIZE_MB", 123); got != 256 {
+		t.Fatalf("got %d want 256", got)
+	}
+}
+
+func TestClassifySATResult(t *testing.T) {
+	tests := []struct {
+		name   string
+		job    string
+		out    string
+		err    error
+		status string
+	}{
+		{name: "ok", job: "memtester", out: "done", err: nil, status: "OK"},
+		{name: "unsupported", job: "smartctl-self-test-short", out: "Self-test not supported", err: errors.New("rc 1"), status: "UNSUPPORTED"},
+		{name: "failed", job: "bee-gpu-stress", out: "cuda error", err: errors.New("rc 1"), status: "FAILED"},
+		{name: "cuda not ready", job: "bee-gpu-stress", out: "cuInit failed: CUDA_ERROR_SYSTEM_NOT_READY", err: errors.New("rc 1"), status: "UNSUPPORTED"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, _ := classifySATResult(tt.job, []byte(tt.out), tt.err)
+			if got != tt.status {
+				t.Fatalf("status=%q want %q", got, tt.status)
+			}
+		})
+	}
+}

audit/internal/platform/services.go

@@ -0,0 +1,54 @@
+package platform
+
+import (
+	"os/exec"
+	"path/filepath"
+	"sort"
+	"strings"
+)
+
+func (s *System) ListBeeServices() ([]string, error) {
+	seen := map[string]bool{}
+	var out []string
+	for _, pattern := range []string{"/etc/systemd/system/bee-*.service", "/lib/systemd/system/bee-*.service"} {
+		matches, err := filepath.Glob(pattern)
+		if err != nil {
+			return nil, err
+		}
+		for _, match := range matches {
+			name := strings.TrimSuffix(filepath.Base(match), ".service")
+			if !seen[name] {
+				seen[name] = true
+				out = append(out, name)
+			}
+		}
+	}
+	sort.Strings(out)
+	return out, nil
+}
+
+func (s *System) ServiceState(name string) string {
+	raw, err := exec.Command("systemctl", "is-active", name).CombinedOutput()
+	if err == nil {
+		return strings.TrimSpace(string(raw))
+	}
+	raw, err = exec.Command("systemctl", "show", name, "--property=ActiveState", "--value").CombinedOutput()
+	if err != nil {
+		return "unknown"
+	}
+	state := strings.TrimSpace(string(raw))
+	if state == "" {
+		return "unknown"
+	}
+	return state
+}
+
+func (s *System) ServiceDo(name string, action ServiceAction) (string, error) {
+	raw, err := exec.Command("systemctl", string(action), name).CombinedOutput()
+	return string(raw), err
+}
+
+func (s *System) ServiceStatus(name string) (string, error) {
+	raw, err := exec.Command("systemctl", "status", name, "--no-pager").CombinedOutput()
+	return string(raw), err
+}

audit/internal/platform/system_test.go

@@ -0,0 +1,49 @@
+package platform
+
+import "testing"
+
+func TestSplitQuotedFields(t *testing.T) {
+	t.Parallel()
+
+	line := `NAME="sdb1" TYPE="part" LABEL="BEE EXPORT" MODEL="USB DISK 3.0"`
+	got := splitQuotedFields(line)
+	want := []string{
+		`NAME="sdb1"`,
+		`TYPE="part"`,
+		`LABEL="BEE EXPORT"`,
+		`MODEL="USB DISK 3.0"`,
+	}
+
+	if len(got) != len(want) {
+		t.Fatalf("len(got)=%d len(want)=%d; got=%q", len(got), len(want), got)
+	}
+	for i := range want {
+		if got[i] != want[i] {
+			t.Fatalf("got[%d]=%q want %q", i, got[i], want[i])
+		}
+	}
+}
+
+func TestParseLSBLKPairs(t *testing.T) {
+	t.Parallel()
+
+	line := `NAME="sdb1" TYPE="part" PKNAME="sdb" RM="1" FSTYPE="vfat" MOUNTPOINT="" SIZE="57.3G" LABEL="BEE EXPORT" MODEL="USB DISK 3.0"`
+	got := parseLSBLKPairs(line)
+
+	checks := map[string]string{
+		"NAME":       "sdb1",
+		"TYPE":       "part",
+		"PKNAME":     "sdb",
+		"RM":         "1",
+		"FSTYPE":     "vfat",
+		"MOUNTPOINT": "",
+		"SIZE":       "57.3G",
+		"LABEL":      "BEE EXPORT",
+		"MODEL":      "USB DISK 3.0",
+	}
+	for key, want := range checks {
+		if got[key] != want {
+			t.Fatalf("got[%s]=%q want %q", key, got[key], want)
+		}
+	}
+}

audit/internal/platform/techdump.go

@@ -0,0 +1,122 @@
+package platform
+
+import (
+	"encoding/json"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sort"
+	"strings"
+)
+
+var techDumpFixedCommands = []struct {
+	Name string
+	Args []string
+	File string
+}{
+	{Name: "dmidecode", Args: []string{"-t", "0"}, File: "dmidecode-type0.txt"},
+	{Name: "dmidecode", Args: []string{"-t", "1"}, File: "dmidecode-type1.txt"},
+	{Name: "dmidecode", Args: []string{"-t", "2"}, File: "dmidecode-type2.txt"},
+	{Name: "dmidecode", Args: []string{"-t", "4"}, File: "dmidecode-type4.txt"},
+	{Name: "dmidecode", Args: []string{"-t", "17"}, File: "dmidecode-type17.txt"},
+	{Name: "lspci", Args: []string{"-vmm", "-D"}, File: "lspci-vmm.txt"},
+	{Name: "lsblk", Args: []string{"-J", "-d", "-o", "NAME,TYPE,SIZE,SERIAL,MODEL,TRAN,HCTL"}, File: "lsblk.json"},
+	{Name: "sensors", Args: []string{"-j"}, File: "sensors.json"},
+	{Name: "ipmitool", Args: []string{"fru", "print"}, File: "ipmitool-fru.txt"},
+	{Name: "ipmitool", Args: []string{"sdr"}, File: "ipmitool-sdr.txt"},
+	{Name: "nvidia-smi", Args: []string{"-q"}, File: "nvidia-smi-q.txt"},
+	{Name: "nvidia-smi", Args: []string{"--query-gpu=index,pci.bus_id,serial,vbios_version,temperature.gpu,power.draw,ecc.errors.uncorrected.aggregate.total,ecc.errors.corrected.aggregate.total,clocks_throttle_reasons.hw_slowdown", "--format=csv,noheader,nounits"}, File: "nvidia-smi-query.csv"},
+	{Name: "nvme", Args: []string{"list", "-o", "json"}, File: "nvme-list.json"},
+}
+
+type lsblkDumpRoot struct {
+	Blockdevices []struct {
+		Name string `json:"name"`
+		Type string `json:"type"`
+	} `json:"blockdevices"`
+}
+
+type nvmeDumpRoot struct {
+	Devices []struct {
+		DevicePath string `json:"DevicePath"`
+	} `json:"Devices"`
+}
+
+func (s *System) CaptureTechnicalDump(baseDir string) error {
+	if err := os.MkdirAll(baseDir, 0755); err != nil {
+		return err
+	}
+
+	for _, cmd := range techDumpFixedCommands {
+		writeCommandDump(filepath.Join(baseDir, cmd.File), cmd.Name, cmd.Args...)
+	}
+
+	for _, dev := range lsblkDumpDevices(filepath.Join(baseDir, "lsblk.json")) {
+		writeCommandDump(filepath.Join(baseDir, "smartctl-"+sanitizeDumpName(dev)+".json"), "smartctl", "-j", "-a", "/dev/"+dev)
+	}
+	for _, dev := range nvmeDumpDevices(filepath.Join(baseDir, "nvme-list.json")) {
+		writeCommandDump(filepath.Join(baseDir, "nvme-id-ctrl-"+sanitizeDumpName(dev)+".json"), "nvme", "id-ctrl", dev, "-o", "json")
+		writeCommandDump(filepath.Join(baseDir, "nvme-smart-log-"+sanitizeDumpName(dev)+".json"), "nvme", "smart-log", dev, "-o", "json")
+	}
+	return nil
+}
+
+func writeCommandDump(path, name string, args ...string) {
+	out, err := exec.Command(name, args...).CombinedOutput()
+	if err != nil && len(out) == 0 {
+		return
+	}
+	_ = os.WriteFile(path, out, 0644)
+}
+
+func lsblkDumpDevices(path string) []string {
+	raw, err := os.ReadFile(path)
+	if err != nil {
+		return nil
+	}
+	var root lsblkDumpRoot
+	if err := json.Unmarshal(raw, &root); err != nil {
+		return nil
+	}
+	var devices []string
+	for _, dev := range root.Blockdevices {
+		if dev.Type == "disk" && strings.TrimSpace(dev.Name) != "" {
+			devices = append(devices, strings.TrimSpace(dev.Name))
+		}
+	}
+	sort.Strings(devices)
+	return devices
+}
+
+func nvmeDumpDevices(path string) []string {
+	raw, err := os.ReadFile(path)
+	if err != nil {
+		return nil
+	}
+	var root nvmeDumpRoot
+	if err := json.Unmarshal(raw, &root); err != nil {
+		return nil
+	}
+	seen := map[string]bool{}
+	var devices []string
+	for _, dev := range root.Devices {
+		name := strings.TrimSpace(dev.DevicePath)
+		if name == "" || seen[name] {
+			continue
+		}
+		seen[name] = true
+		devices = append(devices, name)
+	}
+	sort.Strings(devices)
+	return devices
+}
+
+func sanitizeDumpName(value string) string {
+	value = strings.TrimSpace(value)
+	value = strings.TrimPrefix(value, "/dev/")
+	value = strings.ReplaceAll(value, "/", "_")
+	if value == "" {
+		return "unknown"
+	}
+	return value
+}

audit/internal/platform/techdump_test.go

@@ -0,0 +1,48 @@
+package platform
+
+import (
+	"os"
+	"path/filepath"
+	"reflect"
+	"testing"
+)
+
+func TestLSBLKDumpDevices(t *testing.T) {
+	t.Parallel()
+
+	dir := t.TempDir()
+	path := filepath.Join(dir, "lsblk.json")
+	if err := os.WriteFile(path, []byte(`{"blockdevices":[{"name":"sda","type":"disk"},{"name":"sda1","type":"part"},{"name":"nvme0n1","type":"disk"}]}`), 0644); err != nil {
+		t.Fatalf("write lsblk fixture: %v", err)
+	}
+
+	got := lsblkDumpDevices(path)
+	want := []string{"nvme0n1", "sda"}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("lsblkDumpDevices=%v want %v", got, want)
+	}
+}
+
+func TestNVMEDumpDevices(t *testing.T) {
+	t.Parallel()
+
+	dir := t.TempDir()
+	path := filepath.Join(dir, "nvme-list.json")
+	if err := os.WriteFile(path, []byte(`{"Devices":[{"DevicePath":"/dev/nvme1n1"},{"DevicePath":"/dev/nvme0n1"},{"DevicePath":"/dev/nvme1n1"}]}`), 0644); err != nil {
+		t.Fatalf("write nvme fixture: %v", err)
+	}
+
+	got := nvmeDumpDevices(path)
+	want := []string{"/dev/nvme0n1", "/dev/nvme1n1"}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("nvmeDumpDevices=%v want %v", got, want)
+	}
+}
+
+func TestSanitizeDumpName(t *testing.T) {
+	t.Parallel()
+
+	if got := sanitizeDumpName("/dev/nvme0n1"); got != "nvme0n1" {
+		t.Fatalf("sanitizeDumpName=%q want nvme0n1", got)
+	}
+}

audit/internal/platform/tools.go

@@ -0,0 +1,29 @@
+package platform
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+func (s *System) TailFile(path string, lines int) string {
+	raw, err := os.ReadFile(path)
+	if err != nil {
+		return fmt.Sprintf("read %s: %v", path, err)
+	}
+	all := strings.Split(strings.TrimRight(string(raw), "\n"), "\n")
+	if lines <= 0 || len(all) <= lines {
+		return string(raw)
+	}
+	return strings.Join(all[len(all)-lines:], "\n")
+}
+
+func (s *System) CheckTools(names []string) []ToolStatus {
+	out := make([]ToolStatus, 0, len(names))
+	for _, name := range names {
+		path, err := exec.LookPath(name)
+		out = append(out, ToolStatus{Name: name, Path: path, OK: err == nil})
+	}
+	return out
+}

audit/internal/platform/types.go

@@ -0,0 +1,44 @@
+package platform
+
+type System struct{}
+
+type InterfaceInfo struct {
+	Name  string
+	State string
+	IPv4  []string
+}
+
+type ServiceAction string
+
+const (
+	ServiceStart   ServiceAction = "start"
+	ServiceStop    ServiceAction = "stop"
+	ServiceRestart ServiceAction = "restart"
+)
+
+type StaticIPv4Config struct {
+	Interface string
+	Address   string
+	Prefix    string
+	Gateway   string
+	DNS       []string
+}
+
+type RemovableTarget struct {
+	Device     string
+	FSType     string
+	Size       string
+	Label      string
+	Model      string
+	Mountpoint string
+}
+
+type ToolStatus struct {
+	Name string
+	Path string
+	OK   bool
+}
+
+func New() *System {
+	return &System{}
+}

audit/internal/runtimeenv/runtimeenv.go

@@ -0,0 +1,77 @@
+package runtimeenv
+
+import (
+	"fmt"
+	"os"
+	"strings"
+)
+
+type Mode string
+
+const (
+	ModeAuto   Mode = "auto"
+	ModeLocal  Mode = "local"
+	ModeLiveCD Mode = "livecd"
+)
+
+type Info struct {
+	Mode     Mode
+	Detected bool
+	Reason   string
+}
+
+func ParseMode(raw string) (Mode, error) {
+	mode := Mode(strings.TrimSpace(strings.ToLower(raw)))
+	switch mode {
+	case "", ModeAuto:
+		return ModeAuto, nil
+	case ModeLocal, ModeLiveCD:
+		return mode, nil
+	default:
+		return "", fmt.Errorf("invalid runtime %q — use auto, local, or livecd", raw)
+	}
+}
+
+func Detect(flagValue string) (Info, error) {
+	flagMode, err := ParseMode(flagValue)
+	if err != nil {
+		return Info{}, err
+	}
+	if flagMode != ModeAuto {
+		return Info{Mode: flagMode, Reason: "flag"}, nil
+	}
+
+	if envMode, ok := getenvMode("BEE_RUNTIME"); ok {
+		return Info{Mode: envMode, Reason: "env:BEE_RUNTIME"}, nil
+	}
+
+	if fileExists("/etc/bee-release") {
+		return Info{Mode: ModeLiveCD, Detected: true, Reason: "marker:/etc/bee-release"}, nil
+	}
+
+	if data, err := os.ReadFile("/proc/cmdline"); err == nil {
+		cmdline := string(data)
+		if strings.Contains(cmdline, " boot=live") || strings.HasPrefix(cmdline, "boot=live ") || strings.Contains(cmdline, "live-media") {
+			return Info{Mode: ModeLiveCD, Detected: true, Reason: "kernel:boot=live"}, nil
+		}
+	}
+
+	return Info{Mode: ModeLocal, Detected: true, Reason: "default:local"}, nil
+}
+
+func getenvMode(name string) (Mode, bool) {
+	value := strings.TrimSpace(os.Getenv(name))
+	if value == "" {
+		return "", false
+	}
+	mode, err := ParseMode(value)
+	if err != nil || mode == ModeAuto {
+		return "", false
+	}
+	return mode, true
+}
+
+func fileExists(path string) bool {
+	info, err := os.Stat(path)
+	return err == nil && !info.IsDir()
+}

audit/internal/runtimeenv/runtimeenv_test.go

@@ -0,0 +1,67 @@
+package runtimeenv
+
+import (
+	"os"
+	"testing"
+)
+
+func TestParseMode(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		in   string
+		want Mode
+		ok   bool
+	}{
+		{in: "", want: ModeAuto, ok: true},
+		{in: "auto", want: ModeAuto, ok: true},
+		{in: "local", want: ModeLocal, ok: true},
+		{in: "livecd", want: ModeLiveCD, ok: true},
+		{in: "bad", ok: false},
+	}
+
+	for _, test := range tests {
+		got, err := ParseMode(test.in)
+		if test.ok && err != nil {
+			t.Fatalf("ParseMode(%q): %v", test.in, err)
+		}
+		if !test.ok && err == nil {
+			t.Fatalf("ParseMode(%q): expected error", test.in)
+		}
+		if test.ok && got != test.want {
+			t.Fatalf("ParseMode(%q): got %q want %q", test.in, got, test.want)
+		}
+	}
+}
+
+func TestDetectHonorsFlag(t *testing.T) {
+	t.Parallel()
+
+	info, err := Detect("livecd")
+	if err != nil {
+		t.Fatalf("Detect(flag): %v", err)
+	}
+	if info.Mode != ModeLiveCD || info.Reason != "flag" {
+		t.Fatalf("unexpected info: %+v", info)
+	}
+}
+
+func TestDetectHonorsEnv(t *testing.T) {
+	t.Parallel()
+
+	old := os.Getenv("BEE_RUNTIME")
+	t.Cleanup(func() {
+		_ = os.Setenv("BEE_RUNTIME", old)
+	})
+	if err := os.Setenv("BEE_RUNTIME", "local"); err != nil {
+		t.Fatalf("Setenv: %v", err)
+	}
+
+	info, err := Detect("auto")
+	if err != nil {
+		t.Fatalf("Detect(env): %v", err)
+	}
+	if info.Mode != ModeLocal || info.Reason != "env:BEE_RUNTIME" {
+		t.Fatalf("unexpected info: %+v", info)
+	}
+}

audit/internal/schema/hardware.go

@@ -2,17 +2,55 @@
 // core/internal/ingest/parser_hardware.go. No import dependency on core.
 package schema
 
-// HardwareIngestRequest is the top-level output document produced by the audit binary.
+// HardwareIngestRequest is the top-level output document produced by `bee audit`.
 // It is accepted as-is by the core /api/ingest/hardware endpoint.
 type HardwareIngestRequest struct {
-	Filename    *string          `json:"filename"`
-	SourceType  *string          `json:"source_type"`
-	Protocol    *string          `json:"protocol"`
-	TargetHost  string           `json:"target_host"`
+	Filename    *string          `json:"filename,omitempty"`
+	SourceType  *string          `json:"source_type,omitempty"`
+	Protocol    *string          `json:"protocol,omitempty"`
+	TargetHost  *string          `json:"target_host,omitempty"`
 	CollectedAt string           `json:"collected_at"`
+	Runtime     *RuntimeHealth   `json:"runtime,omitempty"`
 	Hardware    HardwareSnapshot `json:"hardware"`
 }
 
+type RuntimeHealth struct {
+	Status        string                 `json:"status"`
+	CheckedAt     string                 `json:"checked_at"`
+	ExportDir     string                 `json:"export_dir,omitempty"`
+	DriverReady   bool                   `json:"driver_ready,omitempty"`
+	CUDAReady     bool                   `json:"cuda_ready,omitempty"`
+	NetworkStatus string                 `json:"network_status,omitempty"`
+	Issues        []RuntimeIssue         `json:"issues,omitempty"`
+	Tools         []RuntimeToolStatus    `json:"tools,omitempty"`
+	Services      []RuntimeServiceStatus `json:"services,omitempty"`
+	Interfaces    []RuntimeInterface     `json:"interfaces,omitempty"`
+}
+
+type RuntimeIssue struct {
+	Code        string `json:"code"`
+	Severity    string `json:"severity,omitempty"`
+	Description string `json:"description"`
+}
+
+type RuntimeToolStatus struct {
+	Name string `json:"name"`
+	Path string `json:"path,omitempty"`
+	OK   bool   `json:"ok"`
+}
+
+type RuntimeServiceStatus struct {
+	Name   string `json:"name"`
+	Status string `json:"status"`
+}
+
+type RuntimeInterface struct {
+	Name    string   `json:"name"`
+	State   string   `json:"state,omitempty"`
+	IPv4    []string `json:"ipv4,omitempty"`
+	Outcome string   `json:"outcome,omitempty"`
+}
+
 type HardwareSnapshot struct {
 	Board         HardwareBoard            `json:"board"`
 	Firmware      []HardwareFirmwareRecord `json:"firmware,omitempty"`
@@ -21,14 +59,33 @@ type HardwareSnapshot struct {
 	Storage       []HardwareStorage        `json:"storage,omitempty"`
 	PCIeDevices   []HardwarePCIeDevice     `json:"pcie_devices,omitempty"`
 	PowerSupplies []HardwarePowerSupply    `json:"power_supplies,omitempty"`
+	Sensors       *HardwareSensors         `json:"sensors,omitempty"`
+	EventLogs     []HardwareEventLog       `json:"event_logs,omitempty"`
+}
+
+type HardwareHealthSummary struct {
+	Status      string   `json:"status"`
+	Warnings    []string `json:"warnings,omitempty"`
+	Failures    []string `json:"failures,omitempty"`
+	StorageWarn int      `json:"storage_warn,omitempty"`
+	StorageFail int      `json:"storage_fail,omitempty"`
+	PCIeWarn    int      `json:"pcie_warn,omitempty"`
+	PCIeFail    int      `json:"pcie_fail,omitempty"`
+	PSUWarn     int      `json:"psu_warn,omitempty"`
+	PSUFail     int      `json:"psu_fail,omitempty"`
+	MemoryWarn  int      `json:"memory_warn,omitempty"`
+	MemoryFail  int      `json:"memory_fail,omitempty"`
+	EmptyDIMMs  int      `json:"empty_dimms,omitempty"`
+	MissingPSUs int      `json:"missing_psus,omitempty"`
+	CollectedAt string   `json:"collected_at,omitempty"`
 }
 
 type HardwareBoard struct {
-	Manufacturer *string `json:"manufacturer"`
-	ProductName  *string `json:"product_name"`
+	Manufacturer *string `json:"manufacturer,omitempty"`
+	ProductName  *string `json:"product_name,omitempty"`
 	SerialNumber string  `json:"serial_number"`
-	PartNumber   *string `json:"part_number"`
-	UUID         *string `json:"uuid"`
+	PartNumber   *string `json:"part_number,omitempty"`
+	UUID         *string `json:"uuid,omitempty"`
 }
 
 type HardwareFirmwareRecord struct {
@@ -37,77 +94,196 @@ type HardwareFirmwareRecord struct {
 }
 
 type HardwareCPU struct {
-	Socket          *int    `json:"socket"`
-	Model           *string `json:"model"`
-	Manufacturer    *string `json:"manufacturer"`
-	Status          *string `json:"status"`
-	SerialNumber    *string `json:"serial_number"`
-	Firmware        *string `json:"firmware"`
-	Cores           *int    `json:"cores"`
-	Threads         *int    `json:"threads"`
-	FrequencyMHz    *int    `json:"frequency_mhz"`
-	MaxFrequencyMHz *int    `json:"max_frequency_mhz"`
+	HardwareComponentStatus
+	Socket                  *int     `json:"socket,omitempty"`
+	Model                   *string  `json:"model,omitempty"`
+	Manufacturer            *string  `json:"manufacturer,omitempty"`
+	SerialNumber            *string  `json:"serial_number,omitempty"`
+	Firmware                *string  `json:"firmware,omitempty"`
+	Cores                   *int     `json:"cores,omitempty"`
+	Threads                 *int     `json:"threads,omitempty"`
+	FrequencyMHz            *int     `json:"frequency_mhz,omitempty"`
+	MaxFrequencyMHz         *int     `json:"max_frequency_mhz,omitempty"`
+	TemperatureC            *float64 `json:"temperature_c,omitempty"`
+	PowerW                  *float64 `json:"power_w,omitempty"`
+	Throttled               *bool    `json:"throttled,omitempty"`
+	CorrectableErrorCount   *int64   `json:"correctable_error_count,omitempty"`
+	UncorrectableErrorCount *int64   `json:"uncorrectable_error_count,omitempty"`
+	LifeRemainingPct        *float64 `json:"life_remaining_pct,omitempty"`
+	LifeUsedPct             *float64 `json:"life_used_pct,omitempty"`
+	Present                 *bool    `json:"present,omitempty"`
 }
 
 type HardwareMemory struct {
-	Slot            *string `json:"slot"`
-	Location        *string `json:"location"`
-	Present         *bool   `json:"present"`
-	SizeMB          *int    `json:"size_mb"`
-	Type            *string `json:"type"`
-	MaxSpeedMHz     *int    `json:"max_speed_mhz"`
-	CurrentSpeedMHz *int    `json:"current_speed_mhz"`
-	Manufacturer    *string `json:"manufacturer"`
-	SerialNumber    *string `json:"serial_number"`
-	PartNumber      *string `json:"part_number"`
-	Status          *string `json:"status"`
+	HardwareComponentStatus
+	Slot                       *string  `json:"slot,omitempty"`
+	Location                   *string  `json:"location,omitempty"`
+	Present                    *bool    `json:"present,omitempty"`
+	SizeMB                     *int     `json:"size_mb,omitempty"`
+	Type                       *string  `json:"type,omitempty"`
+	MaxSpeedMHz                *int     `json:"max_speed_mhz,omitempty"`
+	CurrentSpeedMHz            *int     `json:"current_speed_mhz,omitempty"`
+	Manufacturer               *string  `json:"manufacturer,omitempty"`
+	SerialNumber               *string  `json:"serial_number,omitempty"`
+	PartNumber                 *string  `json:"part_number,omitempty"`
+	TemperatureC               *float64 `json:"temperature_c,omitempty"`
+	CorrectableECCErrorCount   *int64   `json:"correctable_ecc_error_count,omitempty"`
+	UncorrectableECCErrorCount *int64   `json:"uncorrectable_ecc_error_count,omitempty"`
+	LifeRemainingPct           *float64 `json:"life_remaining_pct,omitempty"`
+	LifeUsedPct                *float64 `json:"life_used_pct,omitempty"`
+	SpareBlocksRemainingPct    *float64 `json:"spare_blocks_remaining_pct,omitempty"`
+	PerformanceDegraded        *bool    `json:"performance_degraded,omitempty"`
+	DataLossDetected           *bool    `json:"data_loss_detected,omitempty"`
 }
 
 type HardwareStorage struct {
-	Slot         *string        `json:"slot"`
-	Type         *string        `json:"type"`
-	Model        *string        `json:"model"`
-	SizeGB       *int           `json:"size_gb"`
-	SerialNumber *string        `json:"serial_number"`
-	Manufacturer *string        `json:"manufacturer"`
-	Firmware     *string        `json:"firmware"`
-	Interface    *string        `json:"interface"`
-	Present      *bool          `json:"present"`
-	Status       *string        `json:"status"`
-	Telemetry    map[string]any `json:"telemetry,omitempty"`
+	HardwareComponentStatus
+	Slot                  *string        `json:"slot,omitempty"`
+	Type                  *string        `json:"type,omitempty"`
+	Model                 *string        `json:"model,omitempty"`
+	SizeGB                *int           `json:"size_gb,omitempty"`
+	SerialNumber          *string        `json:"serial_number,omitempty"`
+	Manufacturer          *string        `json:"manufacturer,omitempty"`
+	Firmware              *string        `json:"firmware,omitempty"`
+	Interface             *string        `json:"interface,omitempty"`
+	Present               *bool          `json:"present,omitempty"`
+	TemperatureC          *float64       `json:"temperature_c,omitempty"`
+	PowerOnHours          *int64         `json:"power_on_hours,omitempty"`
+	PowerCycles           *int64         `json:"power_cycles,omitempty"`
+	UnsafeShutdowns       *int64         `json:"unsafe_shutdowns,omitempty"`
+	MediaErrors           *int64         `json:"media_errors,omitempty"`
+	ErrorLogEntries       *int64         `json:"error_log_entries,omitempty"`
+	WrittenBytes          *int64         `json:"written_bytes,omitempty"`
+	ReadBytes             *int64         `json:"read_bytes,omitempty"`
+	LifeUsedPct           *float64       `json:"life_used_pct,omitempty"`
+	LifeRemainingPct      *float64       `json:"life_remaining_pct,omitempty"`
+	AvailableSparePct     *float64       `json:"available_spare_pct,omitempty"`
+	ReallocatedSectors    *int64         `json:"reallocated_sectors,omitempty"`
+	CurrentPendingSectors *int64         `json:"current_pending_sectors,omitempty"`
+	OfflineUncorrectable  *int64         `json:"offline_uncorrectable,omitempty"`
+	Telemetry             map[string]any `json:"-"`
 }
 
 type HardwarePCIeDevice struct {
-	Slot         *string        `json:"slot"`
-	VendorID     *int           `json:"vendor_id"`
-	DeviceID     *int           `json:"device_id"`
-	BDF          *string        `json:"bdf"`
-	DeviceClass  *string        `json:"device_class"`
-	Manufacturer *string        `json:"manufacturer"`
-	Model        *string        `json:"model"`
-	LinkWidth    *int           `json:"link_width"`
-	LinkSpeed    *string        `json:"link_speed"`
-	MaxLinkWidth *int           `json:"max_link_width"`
-	MaxLinkSpeed *string        `json:"max_link_speed"`
-	SerialNumber *string        `json:"serial_number"`
-	Firmware     *string        `json:"firmware"`
-	Present      *bool          `json:"present"`
-	Status       *string        `json:"status"`
-	Telemetry    map[string]any `json:"telemetry,omitempty"`
+	HardwareComponentStatus
+	Slot                   *string        `json:"slot,omitempty"`
+	VendorID               *int           `json:"vendor_id,omitempty"`
+	DeviceID               *int           `json:"device_id,omitempty"`
+	NUMANode               *int           `json:"numa_node,omitempty"`
+	TemperatureC           *float64       `json:"temperature_c,omitempty"`
+	PowerW                 *float64       `json:"power_w,omitempty"`
+	LifeRemainingPct       *float64       `json:"life_remaining_pct,omitempty"`
+	LifeUsedPct            *float64       `json:"life_used_pct,omitempty"`
+	ECCCorrectedTotal      *int64         `json:"ecc_corrected_total,omitempty"`
+	ECCUncorrectedTotal    *int64         `json:"ecc_uncorrected_total,omitempty"`
+	HWSlowdown             *bool          `json:"hw_slowdown,omitempty"`
+	BatteryChargePct       *float64       `json:"battery_charge_pct,omitempty"`
+	BatteryHealthPct       *float64       `json:"battery_health_pct,omitempty"`
+	BatteryTemperatureC    *float64       `json:"battery_temperature_c,omitempty"`
+	BatteryVoltageV        *float64       `json:"battery_voltage_v,omitempty"`
+	BatteryReplaceRequired *bool          `json:"battery_replace_required,omitempty"`
+	SFPTemperatureC        *float64       `json:"sfp_temperature_c,omitempty"`
+	SFPTXPowerDBM          *float64       `json:"sfp_tx_power_dbm,omitempty"`
+	SFPRXPowerDBM          *float64       `json:"sfp_rx_power_dbm,omitempty"`
+	SFPVoltageV            *float64       `json:"sfp_voltage_v,omitempty"`
+	SFPBiasMA              *float64       `json:"sfp_bias_ma,omitempty"`
+	BDF                    *string        `json:"-"`
+	DeviceClass            *string        `json:"device_class,omitempty"`
+	Manufacturer           *string        `json:"manufacturer,omitempty"`
+	Model                  *string        `json:"model,omitempty"`
+	LinkWidth              *int           `json:"link_width,omitempty"`
+	LinkSpeed              *string        `json:"link_speed,omitempty"`
+	MaxLinkWidth           *int           `json:"max_link_width,omitempty"`
+	MaxLinkSpeed           *string        `json:"max_link_speed,omitempty"`
+	SerialNumber           *string        `json:"serial_number,omitempty"`
+	Firmware               *string        `json:"firmware,omitempty"`
+	MacAddresses           []string       `json:"mac_addresses,omitempty"`
+	Present                *bool          `json:"present,omitempty"`
+	Telemetry              map[string]any `json:"-"`
 }
 
 type HardwarePowerSupply struct {
-	Slot         *string  `json:"slot"`
-	Present      *bool    `json:"present"`
-	Model        *string  `json:"model"`
-	Vendor       *string  `json:"vendor"`
-	WattageW     *int     `json:"wattage_w"`
-	SerialNumber *string  `json:"serial_number"`
-	PartNumber   *string  `json:"part_number"`
-	Firmware     *string  `json:"firmware"`
-	Status       *string  `json:"status"`
-	InputType    *string  `json:"input_type"`
-	InputPowerW  *float64 `json:"input_power_w"`
-	OutputPowerW *float64 `json:"output_power_w"`
-	InputVoltage *float64 `json:"input_voltage"`
+	HardwareComponentStatus
+	Slot             *string  `json:"slot,omitempty"`
+	Present          *bool    `json:"present,omitempty"`
+	Model            *string  `json:"model,omitempty"`
+	Vendor           *string  `json:"vendor,omitempty"`
+	WattageW         *int     `json:"wattage_w,omitempty"`
+	SerialNumber     *string  `json:"serial_number,omitempty"`
+	PartNumber       *string  `json:"part_number,omitempty"`
+	Firmware         *string  `json:"firmware,omitempty"`
+	InputType        *string  `json:"input_type,omitempty"`
+	InputPowerW      *float64 `json:"input_power_w,omitempty"`
+	OutputPowerW     *float64 `json:"output_power_w,omitempty"`
+	InputVoltage     *float64 `json:"input_voltage,omitempty"`
+	TemperatureC     *float64 `json:"temperature_c,omitempty"`
+	LifeRemainingPct *float64 `json:"life_remaining_pct,omitempty"`
+	LifeUsedPct      *float64 `json:"life_used_pct,omitempty"`
+}
+
+type HardwareComponentStatus struct {
+	Status               *string                 `json:"status,omitempty"`
+	StatusCheckedAt      *string                 `json:"status_checked_at,omitempty"`
+	StatusChangedAt      *string                 `json:"status_changed_at,omitempty"`
+	StatusHistory        []HardwareStatusHistory `json:"status_history,omitempty"`
+	ErrorDescription     *string                 `json:"error_description,omitempty"`
+	ManufacturedYearWeek *string                 `json:"manufactured_year_week,omitempty"`
+}
+
+type HardwareStatusHistory struct {
+	Status    string  `json:"status"`
+	ChangedAt string  `json:"changed_at"`
+	Details   *string `json:"details,omitempty"`
+}
+
+type HardwareSensors struct {
+	Fans         []HardwareFanSensor         `json:"fans,omitempty"`
+	Power        []HardwarePowerSensor       `json:"power,omitempty"`
+	Temperatures []HardwareTemperatureSensor `json:"temperatures,omitempty"`
+	Other        []HardwareOtherSensor       `json:"other,omitempty"`
+}
+
+type HardwareFanSensor struct {
+	Name     string  `json:"name"`
+	Location *string `json:"location,omitempty"`
+	RPM      *int    `json:"rpm,omitempty"`
+	Status   *string `json:"status,omitempty"`
+}
+
+type HardwarePowerSensor struct {
+	Name     string   `json:"name"`
+	Location *string  `json:"location,omitempty"`
+	VoltageV *float64 `json:"voltage_v,omitempty"`
+	CurrentA *float64 `json:"current_a,omitempty"`
+	PowerW   *float64 `json:"power_w,omitempty"`
+	Status   *string  `json:"status,omitempty"`
+}
+
+type HardwareTemperatureSensor struct {
+	Name                     string   `json:"name"`
+	Location                 *string  `json:"location,omitempty"`
+	Celsius                  *float64 `json:"celsius,omitempty"`
+	ThresholdWarningCelsius  *float64 `json:"threshold_warning_celsius,omitempty"`
+	ThresholdCriticalCelsius *float64 `json:"threshold_critical_celsius,omitempty"`
+	Status                   *string  `json:"status,omitempty"`
+}
+
+type HardwareOtherSensor struct {
+	Name     string   `json:"name"`
+	Location *string  `json:"location,omitempty"`
+	Value    *float64 `json:"value,omitempty"`
+	Unit     *string  `json:"unit,omitempty"`
+	Status   *string  `json:"status,omitempty"`
+}
+
+type HardwareEventLog struct {
+	Source       string         `json:"source"`
+	EventTime    *string        `json:"event_time,omitempty"`
+	Severity     *string        `json:"severity,omitempty"`
+	MessageID    *string        `json:"message_id,omitempty"`
+	Message      string         `json:"message"`
+	ComponentRef *string        `json:"component_ref,omitempty"`
+	Fingerprint  *string        `json:"fingerprint,omitempty"`
+	IsActive     *bool          `json:"is_active,omitempty"`
+	RawPayload   map[string]any `json:"raw_payload,omitempty"`
 }

audit/internal/schema/hardware_test.go

@@ -0,0 +1,46 @@
+package schema
+
+import (
+	"encoding/json"
+	"strings"
+	"testing"
+)
+
+func TestHardwareSnapshotMarshalsNewContractFields(t *testing.T) {
+	week := "2024-W07"
+	eventTime := "2026-03-15T14:03:11Z"
+	message := "Correctable ECC error threshold exceeded"
+
+	payload := HardwareIngestRequest{
+		CollectedAt: "2026-03-15T15:00:00Z",
+		Hardware: HardwareSnapshot{
+			Board: HardwareBoard{SerialNumber: "SRV-001"},
+			CPUs: []HardwareCPU{
+				{
+					HardwareComponentStatus: HardwareComponentStatus{
+						ManufacturedYearWeek: &week,
+					},
+				},
+			},
+			EventLogs: []HardwareEventLog{
+				{
+					Source:    "bmc",
+					EventTime: &eventTime,
+					Message:   message,
+				},
+			},
+		},
+	}
+
+	data, err := json.Marshal(payload)
+	if err != nil {
+		t.Fatalf("marshal: %v", err)
+	}
+	text := string(data)
+	if !strings.Contains(text, `"manufactured_year_week":"2024-W07"`) {
+		t.Fatalf("missing manufactured_year_week: %s", text)
+	}
+	if !strings.Contains(text, `"event_logs":[{"source":"bmc","event_time":"2026-03-15T14:03:11Z","message":"Correctable ECC error threshold exceeded"}]`) {
+		t.Fatalf("missing event_logs payload: %s", text)
+	}
+}

audit/internal/tui/forms.go

@@ -0,0 +1,156 @@
+package tui
+
+import (
+	"time"
+
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+func (m model) updateStaticForm(msg tea.KeyMsg) (tea.Model, tea.Cmd) {
+	switch msg.String() {
+	case "esc":
+		m.screen = screenNetwork
+		m.formFields = nil
+		m.formIndex = 0
+		return m, nil
+	case "up", "shift+tab":
+		if m.formIndex > 0 {
+			m.formIndex--
+		}
+	case "down", "tab":
+		if m.formIndex < len(m.formFields)-1 {
+			m.formIndex++
+		}
+	case "enter":
+		if m.formIndex < len(m.formFields)-1 {
+			m.formIndex++
+			return m, nil
+		}
+		cfg := m.app.ParseStaticIPv4Config(m.selectedIface, []string{
+			m.formFields[0].Value,
+			m.formFields[1].Value,
+			m.formFields[2].Value,
+			m.formFields[3].Value,
+		})
+		m.busy = true
+		m.busyTitle = "Static IPv4: " + m.selectedIface
+		return m, func() tea.Msg {
+			result, err := m.app.SetStaticIPv4Result(cfg)
+			return resultMsg{title: result.Title, body: result.Body, err: err, back: screenNetwork}
+		}
+	case "backspace":
+		field := &m.formFields[m.formIndex]
+		if len(field.Value) > 0 {
+			field.Value = field.Value[:len(field.Value)-1]
+		}
+	default:
+		if msg.Type == tea.KeyRunes && len(msg.Runes) > 0 {
+			m.formFields[m.formIndex].Value += string(msg.Runes)
+		}
+	}
+	return m, nil
+}
+
+func (m model) updateConfirm(msg tea.KeyMsg) (tea.Model, tea.Cmd) {
+	switch msg.String() {
+	case "left", "up", "tab":
+		if m.cursor > 0 {
+			m.cursor--
+		}
+	case "right", "down":
+		if m.cursor < 1 {
+			m.cursor++
+		}
+	case "esc":
+		m.screen = m.confirmCancelTarget()
+		m.cursor = 0
+		m.pendingAction = actionNone
+		return m, nil
+	case "enter":
+		if m.cursor == 1 { // Cancel
+			m.screen = m.confirmCancelTarget()
+			m.cursor = 0
+			m.pendingAction = actionNone
+			return m, nil
+		}
+		m.busy = true
+		switch m.pendingAction {
+		case actionExportBundle:
+			m.busyTitle = "Export support bundle"
+			target := *m.selectedTarget
+			return m, func() tea.Msg {
+				result, err := m.app.ExportSupportBundleResult(target)
+				return resultMsg{title: result.Title, body: result.Body, err: err, back: screenMain}
+			}
+		case actionRunAll:
+			return m.executeRunAll()
+		case actionRunMemorySAT:
+			m.busyTitle = "Memory test"
+			m.progressPrefix = "memory"
+			m.progressSince = time.Now()
+			m.progressLines = nil
+			since := m.progressSince
+			return m, tea.Batch(
+				func() tea.Msg {
+					result, err := m.app.RunMemoryAcceptancePackResult("")
+					return resultMsg{title: result.Title, body: result.Body, err: err, back: screenHealthCheck}
+				},
+				pollSATProgress("memory", since),
+			)
+		case actionRunStorageSAT:
+			m.busyTitle = "Storage test"
+			m.progressPrefix = "storage"
+			m.progressSince = time.Now()
+			m.progressLines = nil
+			since := m.progressSince
+			return m, tea.Batch(
+				func() tea.Msg {
+					result, err := m.app.RunStorageAcceptancePackResult("")
+					return resultMsg{title: result.Title, body: result.Body, err: err, back: screenHealthCheck}
+				},
+				pollSATProgress("storage", since),
+			)
+		case actionRunCPUSAT:
+			m.busyTitle = "CPU test"
+			m.progressPrefix = "cpu"
+			m.progressSince = time.Now()
+			m.progressLines = nil
+			since := m.progressSince
+			durationSec := hcCPUDurations[m.hcMode]
+			return m, tea.Batch(
+				func() tea.Msg {
+					result, err := m.app.RunCPUAcceptancePackResult("", durationSec)
+					return resultMsg{title: result.Title, body: result.Body, err: err, back: screenHealthCheck}
+				},
+				pollSATProgress("cpu", since),
+			)
+		case actionRunAMDGPUSAT:
+			m.busyTitle = "AMD GPU test"
+			m.progressPrefix = "gpu-amd"
+			m.progressSince = time.Now()
+			m.progressLines = nil
+			since := m.progressSince
+			return m, tea.Batch(
+				func() tea.Msg {
+					result, err := m.app.RunAMDAcceptancePackResult("")
+					return resultMsg{title: result.Title, body: result.Body, err: err, back: screenHealthCheck}
+				},
+				pollSATProgress("gpu-amd", since),
+			)
+		}
+	case "ctrl+c":
+		return m, tea.Quit
+	}
+	return m, nil
+}
+
+func (m model) confirmCancelTarget() screen {
+	switch m.pendingAction {
+	case actionExportBundle:
+		return screenExportTargets
+	case actionRunAll, actionRunMemorySAT, actionRunStorageSAT, actionRunCPUSAT, actionRunAMDGPUSAT:
+		return screenHealthCheck
+	default:
+		return screenMain
+	}
+}

audit/internal/tui/messages.go

@@ -0,0 +1,46 @@
+package tui
+
+import (
+	"bee/audit/internal/app"
+	"bee/audit/internal/platform"
+)
+
+type resultMsg struct {
+	title string
+	body  string
+	err   error
+	back  screen
+}
+
+type servicesMsg struct {
+	services []string
+	err      error
+}
+
+type interfacesMsg struct {
+	ifaces []platform.InterfaceInfo
+	err    error
+}
+
+type exportTargetsMsg struct {
+	targets []platform.RemovableTarget
+	err     error
+}
+
+type snapshotMsg struct {
+	banner string
+	panel  app.HardwarePanelData
+}
+
+type nvidiaGPUsMsg struct {
+	gpus []platform.NvidiaGPU
+	err  error
+}
+
+type nvtopClosedMsg struct{}
+
+type nvidiaSATDoneMsg struct {
+	title string
+	body  string
+	err   error
+}

audit/internal/tui/sat_progress.go

@@ -0,0 +1,131 @@
+package tui
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"bee/audit/internal/app"
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+type satProgressMsg struct {
+	lines []string
+}
+
+// pollSATProgress returns a Cmd that waits 300ms then reads the latest verbose.log
+// for the given SAT prefix and returns parsed step progress lines.
+func pollSATProgress(prefix string, since time.Time) tea.Cmd {
+	return tea.Tick(300*time.Millisecond, func(_ time.Time) tea.Msg {
+		return satProgressMsg{lines: readSATProgressLines(prefix, since)}
+	})
+}
+
+func readSATProgressLines(prefix string, since time.Time) []string {
+	pattern := filepath.Join(app.DefaultSATBaseDir, prefix+"-*/verbose.log")
+	matches, err := filepath.Glob(pattern)
+	if err != nil || len(matches) == 0 {
+		return nil
+	}
+	sort.Strings(matches)
+	// Find the latest file created at or after (since - 5s) to account for clock skew.
+	cutoff := since.Add(-5 * time.Second)
+	candidate := ""
+	for _, m := range matches {
+		info, statErr := os.Stat(m)
+		if statErr == nil && info.ModTime().After(cutoff) {
+			candidate = m
+		}
+	}
+	if candidate == "" {
+		return nil
+	}
+	raw, err := os.ReadFile(candidate)
+	if err != nil {
+		return nil
+	}
+	return parseSATVerboseProgress(string(raw))
+}
+
+// parseSATVerboseProgress parses verbose.log content and returns display lines like:
+//
+//	"PASS  lscpu (234ms)"
+//	"FAIL  stress-ng (60.0s)"
+//	"...   sensors-after"
+func parseSATVerboseProgress(content string) []string {
+	type step struct {
+		name       string
+		rc         int
+		durationMs int
+		done       bool
+	}
+
+	lines := strings.Split(content, "\n")
+	var steps []step
+	stepIdx := map[string]int{}
+
+	for i, line := range lines {
+		line = strings.TrimSpace(line)
+		if idx := strings.Index(line, "] start "); idx >= 0 {
+			name := strings.TrimSpace(line[idx+len("] start "):])
+			if _, exists := stepIdx[name]; !exists {
+				stepIdx[name] = len(steps)
+				steps = append(steps, step{name: name})
+			}
+		} else if idx := strings.Index(line, "] finish "); idx >= 0 {
+			name := strings.TrimSpace(line[idx+len("] finish "):])
+			si, exists := stepIdx[name]
+			if !exists {
+				continue
+			}
+			steps[si].done = true
+			for j := i + 1; j < len(lines) && j <= i+3; j++ {
+				l := strings.TrimSpace(lines[j])
+				if strings.HasPrefix(l, "rc: ") {
+					steps[si].rc, _ = strconv.Atoi(strings.TrimPrefix(l, "rc: "))
+				} else if strings.HasPrefix(l, "duration_ms: ") {
+					steps[si].durationMs, _ = strconv.Atoi(strings.TrimPrefix(l, "duration_ms: "))
+				}
+			}
+		}
+	}
+
+	var result []string
+	for _, s := range steps {
+		display := cleanSATStepName(s.name)
+		if s.done {
+			status := "PASS"
+			if s.rc != 0 {
+				status = "FAIL"
+			}
+			result = append(result, fmt.Sprintf("%-4s  %s (%s)", status, display, fmtDurMs(s.durationMs)))
+		} else {
+			result = append(result, fmt.Sprintf("...   %s", display))
+		}
+	}
+	return result
+}
+
+// cleanSATStepName strips leading digits and dash: "01-lscpu.log" → "lscpu".
+func cleanSATStepName(name string) string {
+	name = strings.TrimSuffix(name, ".log")
+	i := 0
+	for i < len(name) && name[i] >= '0' && name[i] <= '9' {
+		i++
+	}
+	if i < len(name) && name[i] == '-' {
+		name = name[i+1:]
+	}
+	return name
+}
+
+func fmtDurMs(ms int) string {
+	if ms < 1000 {
+		return fmt.Sprintf("%dms", ms)
+	}
+	return fmt.Sprintf("%.1fs", float64(ms)/1000)
+}

audit/internal/tui/screen_export.go

@@ -0,0 +1,14 @@
+package tui
+
+import tea "github.com/charmbracelet/bubbletea"
+
+func (m model) handleExportTargetsMenu() (tea.Model, tea.Cmd) {
+	if len(m.targets) == 0 {
+		return m, resultCmd("Export support bundle", "No removable filesystems found", nil, screenMain)
+	}
+	target := m.targets[m.cursor]
+	m.selectedTarget = &target
+	m.pendingAction = actionExportBundle
+	m.screen = screenConfirm
+	return m, nil
+}

audit/internal/tui/screen_health_check.go

@@ -0,0 +1,307 @@
+package tui
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+// Component indices.
+const (
+	hcGPU     = 0
+	hcMemory  = 1
+	hcStorage = 2
+	hcCPU     = 3
+)
+
+// Cursor positions in Health Check screen.
+const (
+	hcCurGPU       = 0
+	hcCurMemory    = 1
+	hcCurStorage   = 2
+	hcCurCPU       = 3
+	hcCurSelectAll = 4
+	hcCurModeQuick = 5
+	hcCurModeStd   = 6
+	hcCurModeExpr  = 7
+	hcCurRunAll    = 8
+	hcCurTotal     = 9
+)
+
+// hcModeDurations maps mode index (0=Quick,1=Standard,2=Express) to GPU stress seconds.
+var hcModeDurations = [3]int{600, 3600, 28800}
+
+// hcCPUDurations maps mode index to CPU stress-ng seconds.
+var hcCPUDurations = [3]int{60, 300, 900}
+
+func (m model) enterHealthCheck() (tea.Model, tea.Cmd) {
+	m.screen = screenHealthCheck
+	if !m.hcInitialized {
+		m.hcSel = [4]bool{true, true, true, true}
+		m.hcMode = 0
+		m.hcCursor = 0
+		m.hcInitialized = true
+	}
+	return m, nil
+}
+
+func (m model) updateHealthCheck(msg tea.KeyMsg) (tea.Model, tea.Cmd) {
+	switch msg.String() {
+	case "up", "k":
+		if m.hcCursor > 0 {
+			m.hcCursor--
+		}
+	case "down", "j":
+		if m.hcCursor < hcCurTotal-1 {
+			m.hcCursor++
+		}
+	case " ":
+		switch m.hcCursor {
+		case hcCurGPU, hcCurMemory, hcCurStorage, hcCurCPU:
+			m.hcSel[m.hcCursor] = !m.hcSel[m.hcCursor]
+		case hcCurSelectAll:
+			allOn := m.hcSel[0] && m.hcSel[1] && m.hcSel[2] && m.hcSel[3]
+			for i := range m.hcSel {
+				m.hcSel[i] = !allOn
+			}
+		case hcCurModeQuick, hcCurModeStd, hcCurModeExpr:
+			m.hcMode = m.hcCursor - hcCurModeQuick
+		}
+	case "enter":
+		switch m.hcCursor {
+		case hcCurGPU, hcCurMemory, hcCurStorage, hcCurCPU:
+			return m.hcRunSingle(m.hcCursor)
+		case hcCurSelectAll:
+			allOn := m.hcSel[0] && m.hcSel[1] && m.hcSel[2] && m.hcSel[3]
+			for i := range m.hcSel {
+				m.hcSel[i] = !allOn
+			}
+		case hcCurModeQuick, hcCurModeStd, hcCurModeExpr:
+			m.hcMode = m.hcCursor - hcCurModeQuick
+		case hcCurRunAll:
+			return m.hcRunAll()
+		}
+	case "g", "G":
+		return m.hcRunSingle(hcGPU)
+	case "m", "M":
+		return m.hcRunSingle(hcMemory)
+	case "s", "S":
+		return m.hcRunSingle(hcStorage)
+	case "c", "C":
+		return m.hcRunSingle(hcCPU)
+	case "r", "R":
+		return m.hcRunAll()
+	case "a", "A":
+		allOn := m.hcSel[0] && m.hcSel[1] && m.hcSel[2] && m.hcSel[3]
+		for i := range m.hcSel {
+			m.hcSel[i] = !allOn
+		}
+	case "1":
+		m.hcMode = 0
+	case "2":
+		m.hcMode = 1
+	case "3":
+		m.hcMode = 2
+	case "esc":
+		m.screen = screenMain
+		m.cursor = 0
+	case "q", "ctrl+c":
+		return m, tea.Quit
+	}
+	return m, nil
+}
+
+func (m model) hcRunSingle(idx int) (tea.Model, tea.Cmd) {
+	switch idx {
+	case hcGPU:
+		if m.app.DetectGPUVendor() == "amd" {
+			m.pendingAction = actionRunAMDGPUSAT
+			m.screen = screenConfirm
+			m.cursor = 0
+			return m, nil
+		}
+		m.nvidiaDurIdx = m.hcMode
+		return m.enterNvidiaSATSetup()
+	case hcMemory:
+		m.pendingAction = actionRunMemorySAT
+		m.screen = screenConfirm
+		m.cursor = 0
+		return m, nil
+	case hcStorage:
+		m.pendingAction = actionRunStorageSAT
+		m.screen = screenConfirm
+		m.cursor = 0
+		return m, nil
+	case hcCPU:
+		m.pendingAction = actionRunCPUSAT
+		m.screen = screenConfirm
+		m.cursor = 0
+		return m, nil
+	}
+	return m, nil
+}
+
+func (m model) hcRunAll() (tea.Model, tea.Cmd) {
+	for _, sel := range m.hcSel {
+		if sel {
+			m.pendingAction = actionRunAll
+			m.screen = screenConfirm
+			m.cursor = 0
+			return m, nil
+		}
+	}
+	return m, nil
+}
+
+func (m model) executeRunAll() (tea.Model, tea.Cmd) {
+	durationSec := hcModeDurations[m.hcMode]
+	durationIdx := m.hcMode
+	sel := m.hcSel
+	app := m.app
+	m.busy = true
+	m.busyTitle = "Health Check"
+	return m, func() tea.Msg {
+		var parts []string
+		if sel[hcGPU] {
+			vendor := app.DetectGPUVendor()
+			if vendor == "amd" {
+				r, err := app.RunAMDAcceptancePackResult("")
+				body := r.Body
+				if err != nil {
+					body += "\nERROR: " + err.Error()
+				}
+				parts = append(parts, "=== GPU (AMD) ===\n"+body)
+			} else {
+				gpus, err := app.ListNvidiaGPUs()
+				if err != nil || len(gpus) == 0 {
+					parts = append(parts, "=== GPU ===\nNo NVIDIA GPUs detected or driver not loaded.")
+				} else {
+					var indices []int
+					sizeMB := 0
+					for _, g := range gpus {
+						indices = append(indices, g.Index)
+						if sizeMB == 0 || g.MemoryMB < sizeMB {
+							sizeMB = g.MemoryMB
+						}
+					}
+					if sizeMB == 0 {
+						sizeMB = 64
+					}
+					r, err := app.RunNvidiaAcceptancePackWithOptions(context.Background(), "", durationSec, sizeMB, indices)
+					body := r.Body
+					if err != nil {
+						body += "\nERROR: " + err.Error()
+					}
+					parts = append(parts, "=== GPU ===\n"+body)
+				}
+			}
+		}
+		if sel[hcMemory] {
+			r, err := app.RunMemoryAcceptancePackResult("")
+			body := r.Body
+			if err != nil {
+				body += "\nERROR: " + err.Error()
+			}
+			parts = append(parts, "=== MEMORY ===\n"+body)
+		}
+		if sel[hcStorage] {
+			r, err := app.RunStorageAcceptancePackResult("")
+			body := r.Body
+			if err != nil {
+				body += "\nERROR: " + err.Error()
+			}
+			parts = append(parts, "=== STORAGE ===\n"+body)
+		}
+		if sel[hcCPU] {
+			cpuDur := hcCPUDurations[durationIdx]
+			r, err := app.RunCPUAcceptancePackResult("", cpuDur)
+			body := r.Body
+			if err != nil {
+				body += "\nERROR: " + err.Error()
+			}
+			parts = append(parts, "=== CPU ===\n"+body)
+		}
+		combined := strings.Join(parts, "\n\n")
+		if combined == "" {
+			combined = "No components selected."
+		}
+		return resultMsg{title: "Health Check", body: combined, back: screenHealthCheck}
+	}
+}
+
+func renderHealthCheck(m model) string {
+	var b strings.Builder
+
+	fmt.Fprintln(&b, "HEALTH CHECK")
+	fmt.Fprintln(&b)
+	fmt.Fprintln(&b, "  Diagnostics:")
+	fmt.Fprintln(&b)
+
+	type comp struct{ name, desc, key string }
+	comps := []comp{
+		{"GPU", "nvidia/amd auto-detect", "G"},
+		{"MEMORY", "memtester", "M"},
+		{"STORAGE", "smartctl + NVMe self-test", "S"},
+		{"CPU", "audit diagnostics", "C"},
+	}
+	for i, c := range comps {
+		pfx := "  "
+		if m.hcCursor == i {
+			pfx = "> "
+		}
+		ch := "[ ]"
+		if m.hcSel[i] {
+			ch = "[x]"
+		}
+		fmt.Fprintf(&b, "%s%s  %-8s  %-28s [%s]\n", pfx, ch, c.name, c.desc, c.key)
+	}
+
+	fmt.Fprintln(&b, "  ─────────────────────────────────────────────────")
+	{
+		pfx := "  "
+		if m.hcCursor == hcCurSelectAll {
+			pfx = "> "
+		}
+		allOn := m.hcSel[0] && m.hcSel[1] && m.hcSel[2] && m.hcSel[3]
+		ch := "[ ]"
+		if allOn {
+			ch = "[x]"
+		}
+		fmt.Fprintf(&b, "%s%s  Select / Deselect All                        [A]\n", pfx, ch)
+	}
+
+	fmt.Fprintln(&b)
+	fmt.Fprintln(&b, "  Mode:")
+	modes := []struct{ label, key string }{
+		{"Quick", "1"},
+		{"Standard", "2"},
+		{"Express", "3"},
+	}
+	for i, mode := range modes {
+		pfx := "  "
+		if m.hcCursor == hcCurModeQuick+i {
+			pfx = "> "
+		}
+		radio := "( )"
+		if m.hcMode == i {
+			radio = "(*)"
+		}
+		fmt.Fprintf(&b, "%s%s  %-10s  [%s]\n", pfx, radio, mode.label, mode.key)
+	}
+
+	fmt.Fprintln(&b)
+	{
+		pfx := "  "
+		if m.hcCursor == hcCurRunAll {
+			pfx = "> "
+		}
+		fmt.Fprintf(&b, "%s[ RUN ALL [R] ]\n", pfx)
+	}
+
+	fmt.Fprintln(&b)
+	fmt.Fprintln(&b, "─────────────────────────────────────────────────────────────────")
+	fmt.Fprint(&b, "[↑↓] move  [space/enter] toggle  [letter] single test  [R] run all  [Esc] back")
+	return b.String()
+}

audit/internal/tui/screen_main.go

@@ -0,0 +1,27 @@
+package tui
+
+import (
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+func (m model) handleMainMenu() (tea.Model, tea.Cmd) {
+	switch m.cursor {
+	case 0: // Health Check
+		return m.enterHealthCheck()
+	case 1: // Export support bundle
+		m.pendingAction = actionExportBundle
+		m.busy = true
+		m.busyTitle = "Export support bundle"
+		return m, func() tea.Msg {
+			targets, err := m.app.ListRemovableTargets()
+			return exportTargetsMsg{targets: targets, err: err}
+		}
+	case 2: // Settings
+		m.screen = screenSettings
+		m.cursor = 0
+		return m, nil
+	case 3: // Exit
+		return m, tea.Quit
+	}
+	return m, nil
+}

audit/internal/tui/screen_network.go

@@ -0,0 +1,76 @@
+package tui
+
+import (
+	"strings"
+
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+func (m model) handleNetworkMenu() (tea.Model, tea.Cmd) {
+	switch m.cursor {
+	case 0:
+		m.busy = true
+		m.busyTitle = "Network status"
+		return m, func() tea.Msg {
+			result, err := m.app.NetworkStatus()
+			return resultMsg{title: result.Title, body: result.Body, err: err, back: screenNetwork}
+		}
+	case 1:
+		m.busy = true
+		m.busyTitle = "DHCP all interfaces"
+		return m, func() tea.Msg {
+			result, err := m.app.DHCPAllResult()
+			return resultMsg{title: result.Title, body: result.Body, err: err, back: screenNetwork}
+		}
+	case 2:
+		m.pendingAction = actionDHCPOne
+		m.busy = true
+		m.busyTitle = "Interfaces"
+		return m, func() tea.Msg {
+			ifaces, err := m.app.ListInterfaces()
+			return interfacesMsg{ifaces: ifaces, err: err}
+		}
+	case 3:
+		m.pendingAction = actionStaticIPv4
+		m.busy = true
+		m.busyTitle = "Interfaces"
+		return m, func() tea.Msg {
+			ifaces, err := m.app.ListInterfaces()
+			return interfacesMsg{ifaces: ifaces, err: err}
+		}
+	case 4:
+		m.screen = screenSettings
+		m.cursor = 0
+		return m, nil
+	}
+	return m, nil
+}
+
+func (m model) handleInterfacePickMenu() (tea.Model, tea.Cmd) {
+	if len(m.interfaces) == 0 {
+		return m, resultCmd("interfaces", "No physical interfaces found", nil, screenNetwork)
+	}
+	m.selectedIface = m.interfaces[m.cursor].Name
+	switch m.pendingAction {
+	case actionDHCPOne:
+		m.busy = true
+		m.busyTitle = "DHCP on " + m.selectedIface
+		return m, func() tea.Msg {
+			result, err := m.app.DHCPOneResult(m.selectedIface)
+			return resultMsg{title: result.Title, body: result.Body, err: err, back: screenNetwork}
+		}
+	case actionStaticIPv4:
+		defaults := m.app.DefaultStaticIPv4FormFields(m.selectedIface)
+		m.formFields = []formField{
+			{Label: "IPv4 address", Value: defaults[0]},
+			{Label: "Prefix", Value: defaults[1]},
+			{Label: "Gateway", Value: strings.TrimSpace(defaults[2])},
+			{Label: "DNS (space-separated)", Value: defaults[3]},
+		}
+		m.formIndex = 0
+		m.screen = screenStaticForm
+		return m, nil
+	default:
+		return m, nil
+	}
+}

audit/internal/tui/screen_nvidia_sat.go

@@ -0,0 +1,238 @@
+package tui
+
+import (
+	"context"
+	"fmt"
+	"os/exec"
+	"strings"
+
+	"bee/audit/internal/platform"
+
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+var nvidiaDurationOptions = []struct {
+	label   string
+	seconds int
+}{
+	{"10 minutes", 600},
+	{"1 hour", 3600},
+	{"8 hours", 28800},
+	{"24 hours", 86400},
+}
+
+// enterNvidiaSATSetup resets the setup screen and starts loading GPU list.
+func (m model) enterNvidiaSATSetup() (tea.Model, tea.Cmd) {
+	m.screen = screenNvidiaSATSetup
+	m.nvidiaGPUs = nil
+	m.nvidiaGPUSel = nil
+	m.nvidiaDurIdx = 0
+	m.nvidiaSATCursor = 0
+	m.busy = true
+	m.busyTitle = "NVIDIA SAT"
+	return m, func() tea.Msg {
+		gpus, err := m.app.ListNvidiaGPUs()
+		return nvidiaGPUsMsg{gpus: gpus, err: err}
+	}
+}
+
+// handleNvidiaGPUsMsg processes the GPU list response.
+func (m model) handleNvidiaGPUsMsg(msg nvidiaGPUsMsg) (tea.Model, tea.Cmd) {
+	m.busy = false
+	m.busyTitle = ""
+	if msg.err != nil {
+		m.title = "NVIDIA SAT"
+		m.body = fmt.Sprintf("Failed to list GPUs: %v", msg.err)
+		m.prevScreen = screenHealthCheck
+		m.screen = screenOutput
+		return m, nil
+	}
+	m.nvidiaGPUs = msg.gpus
+	m.nvidiaGPUSel = make([]bool, len(msg.gpus))
+	for i := range m.nvidiaGPUSel {
+		m.nvidiaGPUSel[i] = true // all selected by default
+	}
+	m.nvidiaSATCursor = 0
+	return m, nil
+}
+
+// updateNvidiaSATSetup handles keys on the setup screen.
+func (m model) updateNvidiaSATSetup(msg tea.KeyMsg) (tea.Model, tea.Cmd) {
+	numDur := len(nvidiaDurationOptions)
+	numGPU := len(m.nvidiaGPUs)
+	totalItems := numDur + numGPU + 2 // +2: Start, Cancel
+	switch msg.String() {
+	case "up", "k":
+		if m.nvidiaSATCursor > 0 {
+			m.nvidiaSATCursor--
+		}
+	case "down", "j":
+		if m.nvidiaSATCursor < totalItems-1 {
+			m.nvidiaSATCursor++
+		}
+	case " ":
+		switch {
+		case m.nvidiaSATCursor < numDur:
+			m.nvidiaDurIdx = m.nvidiaSATCursor
+		case m.nvidiaSATCursor < numDur+numGPU:
+			i := m.nvidiaSATCursor - numDur
+			m.nvidiaGPUSel[i] = !m.nvidiaGPUSel[i]
+		}
+	case "enter":
+		startIdx := numDur + numGPU
+		cancelIdx := startIdx + 1
+		switch {
+		case m.nvidiaSATCursor < numDur:
+			m.nvidiaDurIdx = m.nvidiaSATCursor
+		case m.nvidiaSATCursor < startIdx:
+			i := m.nvidiaSATCursor - numDur
+			m.nvidiaGPUSel[i] = !m.nvidiaGPUSel[i]
+		case m.nvidiaSATCursor == startIdx:
+			return m.startNvidiaSAT()
+		case m.nvidiaSATCursor == cancelIdx:
+			m.screen = screenHealthCheck
+			m.cursor = 0
+		}
+	case "esc":
+		m.screen = screenHealthCheck
+		m.cursor = 0
+	case "ctrl+c", "q":
+		return m, tea.Quit
+	}
+	return m, nil
+}
+
+// startNvidiaSAT launches the SAT and nvtop.
+func (m model) startNvidiaSAT() (tea.Model, tea.Cmd) {
+	var selectedGPUs []platform.NvidiaGPU
+	for i, sel := range m.nvidiaGPUSel {
+		if sel {
+			selectedGPUs = append(selectedGPUs, m.nvidiaGPUs[i])
+		}
+	}
+	if len(selectedGPUs) == 0 {
+		selectedGPUs = m.nvidiaGPUs // fallback: use all if none explicitly selected
+	}
+
+	sizeMB := 0
+	for _, g := range selectedGPUs {
+		if sizeMB == 0 || g.MemoryMB < sizeMB {
+			sizeMB = g.MemoryMB
+		}
+	}
+	if sizeMB == 0 {
+		sizeMB = 64
+	}
+
+	var gpuIndices []int
+	for _, g := range selectedGPUs {
+		gpuIndices = append(gpuIndices, g.Index)
+	}
+
+	durationSec := nvidiaDurationOptions[m.nvidiaDurIdx].seconds
+
+	ctx, cancel := context.WithCancel(context.Background())
+	m.nvidiaSATCancel = cancel
+	m.nvidiaSATAborted = false
+	m.screen = screenNvidiaSATRunning
+	m.nvidiaSATCursor = 0
+
+	satCmd := func() tea.Msg {
+		result, err := m.app.RunNvidiaAcceptancePackWithOptions(ctx, "", durationSec, sizeMB, gpuIndices)
+		return nvidiaSATDoneMsg{title: result.Title, body: result.Body, err: err}
+	}
+
+	nvtopPath, lookErr := exec.LookPath("nvtop")
+	if lookErr != nil {
+		// nvtop not available: just run the SAT, show running screen
+		return m, satCmd
+	}
+
+	return m, tea.Batch(
+		satCmd,
+		tea.ExecProcess(exec.Command(nvtopPath), func(_ error) tea.Msg {
+			return nvtopClosedMsg{}
+		}),
+	)
+}
+
+// updateNvidiaSATRunning handles keys on the running screen.
+func (m model) updateNvidiaSATRunning(msg tea.KeyMsg) (tea.Model, tea.Cmd) {
+	switch msg.String() {
+	case "o", "O":
+		nvtopPath, err := exec.LookPath("nvtop")
+		if err != nil {
+			return m, nil
+		}
+		return m, tea.ExecProcess(exec.Command(nvtopPath), func(_ error) tea.Msg {
+			return nvtopClosedMsg{}
+		})
+	case "a", "A":
+		if m.nvidiaSATCancel != nil {
+			m.nvidiaSATCancel()
+			m.nvidiaSATCancel = nil
+		}
+		m.nvidiaSATAborted = true
+		m.screen = screenHealthCheck
+		m.cursor = 0
+	case "ctrl+c":
+		return m, tea.Quit
+	}
+	return m, nil
+}
+
+// renderNvidiaSATSetup renders the setup screen.
+func renderNvidiaSATSetup(m model) string {
+	var b strings.Builder
+	fmt.Fprintln(&b, "NVIDIA SAT")
+	fmt.Fprintln(&b)
+	fmt.Fprintln(&b, "Duration:")
+	for i, opt := range nvidiaDurationOptions {
+		radio := "( )"
+		if i == m.nvidiaDurIdx {
+			radio = "(*)"
+		}
+		prefix := "  "
+		if m.nvidiaSATCursor == i {
+			prefix = "> "
+		}
+		fmt.Fprintf(&b, "%s%s %s\n", prefix, radio, opt.label)
+	}
+	fmt.Fprintln(&b)
+	if len(m.nvidiaGPUs) == 0 {
+		fmt.Fprintln(&b, "GPUs: (none detected)")
+	} else {
+		fmt.Fprintln(&b, "GPUs:")
+		for i, gpu := range m.nvidiaGPUs {
+			check := "[ ]"
+			if m.nvidiaGPUSel[i] {
+				check = "[x]"
+			}
+			prefix := "  "
+			if m.nvidiaSATCursor == len(nvidiaDurationOptions)+i {
+				prefix = "> "
+			}
+			fmt.Fprintf(&b, "%s%s %d: %s (%d MB)\n", prefix, check, gpu.Index, gpu.Name, gpu.MemoryMB)
+		}
+	}
+	fmt.Fprintln(&b)
+	startIdx := len(nvidiaDurationOptions) + len(m.nvidiaGPUs)
+	startPfx := "  "
+	cancelPfx := "  "
+	if m.nvidiaSATCursor == startIdx {
+		startPfx = "> "
+	}
+	if m.nvidiaSATCursor == startIdx+1 {
+		cancelPfx = "> "
+	}
+	fmt.Fprintf(&b, "%sStart\n", startPfx)
+	fmt.Fprintf(&b, "%sCancel\n", cancelPfx)
+	fmt.Fprintln(&b)
+	b.WriteString("[↑/↓] move  [space] toggle  [enter] select  [esc] cancel\n")
+	return b.String()
+}
+
+// renderNvidiaSATRunning renders the running screen.
+func renderNvidiaSATRunning() string {
+	return "NVIDIA SAT\n\nTest is running...\n\n[o] Open nvtop  [a] Abort test  [ctrl+c] quit\n"
+}

audit/internal/tui/screen_services.go

@@ -0,0 +1,47 @@
+package tui
+
+import (
+	"bee/audit/internal/platform"
+
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+func (m model) handleServicesMenu() (tea.Model, tea.Cmd) {
+	if len(m.services) == 0 {
+		return m, resultCmd("Services", "No bee-* services found.", nil, screenSettings)
+	}
+	m.selectedService = m.services[m.cursor]
+	m.screen = screenServiceAction
+	m.cursor = 0
+	return m, nil
+}
+
+func (m model) handleServiceActionMenu() (tea.Model, tea.Cmd) {
+	action := m.serviceMenu[m.cursor]
+	if action == "back" {
+		m.screen = screenServices
+		m.cursor = 0
+		return m, nil
+	}
+
+	m.busy = true
+	m.busyTitle = "service: " + m.selectedService
+	return m, func() tea.Msg {
+		switch action {
+		case "Status":
+			result, err := m.app.ServiceStatusResult(m.selectedService)
+			return resultMsg{title: result.Title, body: result.Body, err: err, back: screenServiceAction}
+		case "Restart":
+			result, err := m.app.ServiceActionResult(m.selectedService, platform.ServiceRestart)
+			return resultMsg{title: result.Title, body: result.Body, err: err, back: screenServiceAction}
+		case "Start":
+			result, err := m.app.ServiceActionResult(m.selectedService, platform.ServiceStart)
+			return resultMsg{title: result.Title, body: result.Body, err: err, back: screenServiceAction}
+		case "Stop":
+			result, err := m.app.ServiceActionResult(m.selectedService, platform.ServiceStop)
+			return resultMsg{title: result.Title, body: result.Body, err: err, back: screenServiceAction}
+		default:
+			return resultMsg{title: "Service", body: "Unknown action.", back: screenServiceAction}
+		}
+	}
+}

audit/internal/tui/screen_settings.go

@@ -0,0 +1,64 @@
+package tui
+
+import tea "github.com/charmbracelet/bubbletea"
+
+func (m model) handleSettingsMenu() (tea.Model, tea.Cmd) {
+	switch m.cursor {
+	case 0: // Network
+		m.screen = screenNetwork
+		m.cursor = 0
+		return m, nil
+	case 1: // Services
+		m.busy = true
+		m.busyTitle = "Services"
+		return m, func() tea.Msg {
+			services, err := m.app.ListBeeServices()
+			return servicesMsg{services: services, err: err}
+		}
+	case 2: // Re-run audit
+		m.busy = true
+		m.busyTitle = "Re-run audit"
+		runtimeMode := m.runtimeMode
+		return m, func() tea.Msg {
+			result, err := m.app.RunAuditNow(runtimeMode)
+			return resultMsg{title: result.Title, body: result.Body, err: err, back: screenSettings}
+		}
+	case 3: // Run self-check
+		m.busy = true
+		m.busyTitle = "Self-check"
+		return m, func() tea.Msg {
+			result, err := m.app.RunRuntimePreflightResult()
+			return resultMsg{title: result.Title, body: result.Body, err: err, back: screenSettings}
+		}
+	case 4: // Runtime issues
+		m.busy = true
+		m.busyTitle = "Runtime issues"
+		return m, func() tea.Msg {
+			result := m.app.RuntimeHealthResult()
+			return resultMsg{title: result.Title, body: result.Body, back: screenSettings}
+		}
+	case 5: // Audit logs
+		m.busy = true
+		m.busyTitle = "Audit logs"
+		return m, func() tea.Msg {
+			result := m.app.AuditLogTailResult()
+			return resultMsg{title: result.Title, body: result.Body, back: screenSettings}
+		}
+	case 6: // Check tools
+		m.busy = true
+		m.busyTitle = "Check tools"
+		return m, func() tea.Msg {
+			result := m.app.ToolCheckResult([]string{
+				"dmidecode", "smartctl", "nvme", "ipmitool", "lspci",
+				"ethtool", "bee", "nvidia-smi", "bee-gpu-stress",
+				"memtester", "dhclient", "lsblk", "mount",
+			})
+			return resultMsg{title: result.Title, body: result.Body, back: screenSettings}
+		}
+	case 7: // Back
+		m.screen = screenMain
+		m.cursor = 0
+		return m, nil
+	}
+	return m, nil
+}

audit/internal/tui/snapshot.go

@@ -0,0 +1,30 @@
+package tui
+
+import (
+	"bee/audit/internal/app"
+
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+func (m model) refreshSnapshotCmd() tea.Cmd {
+	if m.app == nil {
+		return nil
+	}
+	return func() tea.Msg {
+		return snapshotMsg{
+			banner: m.app.MainBanner(),
+			panel:  m.app.LoadHardwarePanel(),
+		}
+	}
+}
+
+func shouldRefreshSnapshot(prev, next model) bool {
+	return prev.screen != next.screen || prev.busy != next.busy
+}
+
+func emptySnapshot() snapshotMsg {
+	return snapshotMsg{
+		banner: "",
+		panel:  app.HardwarePanelData{},
+	}
+}

audit/internal/tui/tui_test.go

@@ -0,0 +1,628 @@
+package tui
+
+import (
+	"strings"
+	"testing"
+
+	"bee/audit/internal/app"
+	"bee/audit/internal/platform"
+	"bee/audit/internal/runtimeenv"
+
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+func newTestModel() model {
+	return newModel(app.New(platform.New()), runtimeenv.ModeLocal)
+}
+
+func sendKey(t *testing.T, m model, key tea.KeyType) model {
+	t.Helper()
+
+	next, _ := m.Update(tea.KeyMsg{Type: key})
+	return next.(model)
+}
+
+func TestUpdateMainMenuCursorNavigation(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+
+	m = sendKey(t, m, tea.KeyDown)
+	if m.cursor != 1 {
+		t.Fatalf("cursor=%d want 1 after down", m.cursor)
+	}
+
+	m = sendKey(t, m, tea.KeyDown)
+	if m.cursor != 2 {
+		t.Fatalf("cursor=%d want 2 after second down", m.cursor)
+	}
+
+	m = sendKey(t, m, tea.KeyUp)
+	if m.cursor != 1 {
+		t.Fatalf("cursor=%d want 1 after up", m.cursor)
+	}
+}
+
+func TestUpdateMainMenuEnterActions(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name       string
+		cursor     int
+		wantScreen screen
+		wantBusy   bool
+		wantCmd    bool
+	}{
+		{name: "health_check", cursor: 0, wantScreen: screenHealthCheck, wantCmd: true},
+		{name: "export", cursor: 1, wantScreen: screenMain, wantBusy: true, wantCmd: true},
+		{name: "settings", cursor: 2, wantScreen: screenSettings, wantCmd: true},
+		{name: "exit", cursor: 3, wantScreen: screenMain, wantCmd: true},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			m := newTestModel()
+			m.cursor = test.cursor
+
+			next, cmd := m.Update(tea.KeyMsg{Type: tea.KeyEnter})
+			got := next.(model)
+
+			if got.screen != test.wantScreen {
+				t.Fatalf("screen=%q want %q", got.screen, test.wantScreen)
+			}
+			if got.busy != test.wantBusy {
+				t.Fatalf("busy=%v want %v", got.busy, test.wantBusy)
+			}
+			if (cmd != nil) != test.wantCmd {
+				t.Fatalf("cmd present=%v want %v", cmd != nil, test.wantCmd)
+			}
+		})
+	}
+}
+
+func TestUpdateConfirmCancelViaKeys(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.screen = screenConfirm
+	m.pendingAction = actionRunMemorySAT
+
+	next, _ := m.Update(tea.KeyMsg{Type: tea.KeyRight})
+	got := next.(model)
+	if got.cursor != 1 {
+		t.Fatalf("cursor=%d want 1 after right", got.cursor)
+	}
+
+	next, _ = got.Update(tea.KeyMsg{Type: tea.KeyEnter})
+	got = next.(model)
+	if got.screen != screenHealthCheck {
+		t.Fatalf("screen=%q want %q", got.screen, screenHealthCheck)
+	}
+	if got.cursor != 0 {
+		t.Fatalf("cursor=%d want 0 after cancel", got.cursor)
+	}
+}
+
+func TestMainMenuSimpleTransitions(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name       string
+		cursor     int
+		wantScreen screen
+	}{
+		{name: "health_check", cursor: 0, wantScreen: screenHealthCheck},
+		{name: "settings", cursor: 2, wantScreen: screenSettings},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			m := newTestModel()
+			m.cursor = test.cursor
+
+			next, cmd := m.handleMainMenu()
+			got := next.(model)
+
+			if cmd != nil {
+				t.Fatalf("expected nil cmd for %s", test.name)
+			}
+			if got.screen != test.wantScreen {
+				t.Fatalf("screen=%q want %q", got.screen, test.wantScreen)
+			}
+			if got.cursor != 0 {
+				t.Fatalf("cursor=%d want 0", got.cursor)
+			}
+		})
+	}
+}
+
+func TestMainMenuExportSetsBusy(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.cursor = 1 // Export support bundle
+
+	next, cmd := m.handleMainMenu()
+	got := next.(model)
+
+	if !got.busy {
+		t.Fatal("busy=false for export")
+	}
+	if cmd == nil {
+		t.Fatal("expected async cmd for export")
+	}
+}
+
+func TestMainViewRendersTwoColumns(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.cursor = 1
+
+	view := m.View()
+	for _, want := range []string{
+		"bee",
+		"Health Check",
+		"> Export support bundle",
+		"Settings",
+		"Exit",
+		"│",
+		"[↑↓] move",
+	} {
+		if !strings.Contains(view, want) {
+			t.Fatalf("view missing %q\nview:\n%s", want, view)
+		}
+	}
+}
+
+func TestEscapeNavigation(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name       string
+		screen     screen
+		wantScreen screen
+	}{
+		{name: "network to settings", screen: screenNetwork, wantScreen: screenSettings},
+		{name: "services to settings", screen: screenServices, wantScreen: screenSettings},
+		{name: "settings to main", screen: screenSettings, wantScreen: screenMain},
+		{name: "service action to services", screen: screenServiceAction, wantScreen: screenServices},
+		{name: "export targets to main", screen: screenExportTargets, wantScreen: screenMain},
+		{name: "interface pick to network", screen: screenInterfacePick, wantScreen: screenNetwork},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			m := newTestModel()
+			m.screen = test.screen
+			m.cursor = 3
+
+			next, _ := m.updateKey(tea.KeyMsg{Type: tea.KeyEsc})
+			got := next.(model)
+
+			if got.screen != test.wantScreen {
+				t.Fatalf("screen=%q want %q", got.screen, test.wantScreen)
+			}
+			if got.cursor != 0 {
+				t.Fatalf("cursor=%d want 0", got.cursor)
+			}
+		})
+	}
+}
+
+func TestHealthCheckEscReturnsToMain(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.screen = screenHealthCheck
+	m.hcCursor = 3
+
+	next, _ := m.updateHealthCheck(tea.KeyMsg{Type: tea.KeyEsc})
+	got := next.(model)
+
+	if got.screen != screenMain {
+		t.Fatalf("screen=%q want %q", got.screen, screenMain)
+	}
+	if got.cursor != 0 {
+		t.Fatalf("cursor=%d want 0", got.cursor)
+	}
+}
+
+func TestOutputScreenReturnsToPreviousScreen(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.screen = screenOutput
+	m.prevScreen = screenNetwork
+	m.title = "title"
+	m.body = "body"
+
+	next, _ := m.updateKey(tea.KeyMsg{Type: tea.KeyEnter})
+	got := next.(model)
+
+	if got.screen != screenNetwork {
+		t.Fatalf("screen=%q want %q", got.screen, screenNetwork)
+	}
+	if got.title != "" || got.body != "" {
+		t.Fatalf("expected output state cleared, got title=%q body=%q", got.title, got.body)
+	}
+}
+
+func TestHealthCheckGPUOpensNvidiaSATSetup(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.screen = screenHealthCheck
+	m.hcInitialized = true
+	m.hcSel = [4]bool{true, true, true, true}
+
+	next, cmd := m.hcRunSingle(hcGPU)
+	got := next.(model)
+
+	if cmd == nil {
+		t.Fatal("expected non-nil cmd (GPU list loader)")
+	}
+	if got.screen != screenNvidiaSATSetup {
+		t.Fatalf("screen=%q want %q", got.screen, screenNvidiaSATSetup)
+	}
+
+	// esc from setup returns to health check
+	next, _ = got.updateNvidiaSATSetup(tea.KeyMsg{Type: tea.KeyEsc})
+	got = next.(model)
+	if got.screen != screenHealthCheck {
+		t.Fatalf("screen after esc=%q want %q", got.screen, screenHealthCheck)
+	}
+}
+
+func TestHealthCheckRunSingleMapsActions(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		idx  int
+		want actionKind
+	}{
+		{idx: hcMemory, want: actionRunMemorySAT},
+		{idx: hcStorage, want: actionRunStorageSAT},
+	}
+
+	for _, test := range tests {
+		m := newTestModel()
+		m.screen = screenHealthCheck
+		m.hcInitialized = true
+
+		next, _ := m.hcRunSingle(test.idx)
+		got := next.(model)
+		if got.pendingAction != test.want {
+			t.Fatalf("idx=%d pendingAction=%q want %q", test.idx, got.pendingAction, test.want)
+		}
+		if got.screen != screenConfirm {
+			t.Fatalf("idx=%d screen=%q want %q", test.idx, got.screen, screenConfirm)
+		}
+	}
+}
+
+func TestExportTargetSelectionOpensConfirm(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.screen = screenExportTargets
+	m.targets = []platform.RemovableTarget{{Device: "/dev/sdb1", FSType: "vfat", Size: "16G"}}
+
+	next, cmd := m.handleExportTargetsMenu()
+	got := next.(model)
+
+	if cmd != nil {
+		t.Fatal("expected nil cmd")
+	}
+	if got.screen != screenConfirm {
+		t.Fatalf("screen=%q want %q", got.screen, screenConfirm)
+	}
+	if got.pendingAction != actionExportBundle {
+		t.Fatalf("pendingAction=%q want %q", got.pendingAction, actionExportBundle)
+	}
+	if got.selectedTarget == nil || got.selectedTarget.Device != "/dev/sdb1" {
+		t.Fatalf("selectedTarget=%+v want /dev/sdb1", got.selectedTarget)
+	}
+}
+
+func TestInterfacePickStaticIPv4OpensForm(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.pendingAction = actionStaticIPv4
+	m.interfaces = []platform.InterfaceInfo{{Name: "eth0"}}
+
+	next, cmd := m.handleInterfacePickMenu()
+	got := next.(model)
+
+	if cmd != nil {
+		t.Fatal("expected nil cmd")
+	}
+	if got.screen != screenStaticForm {
+		t.Fatalf("screen=%q want %q", got.screen, screenStaticForm)
+	}
+	if got.selectedIface != "eth0" {
+		t.Fatalf("selectedIface=%q want eth0", got.selectedIface)
+	}
+	if len(got.formFields) != 4 {
+		t.Fatalf("len(formFields)=%d want 4", len(got.formFields))
+	}
+}
+
+func TestResultMsgUsesExplicitBackScreen(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.screen = screenConfirm
+
+	next, _ := m.Update(resultMsg{title: "done", body: "ok", back: screenNetwork})
+	got := next.(model)
+
+	if got.screen != screenOutput {
+		t.Fatalf("screen=%q want %q", got.screen, screenOutput)
+	}
+	if got.prevScreen != screenNetwork {
+		t.Fatalf("prevScreen=%q want %q", got.prevScreen, screenNetwork)
+	}
+}
+
+func TestConfirmCancelTarget(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+
+	m.pendingAction = actionExportBundle
+	if got := m.confirmCancelTarget(); got != screenExportTargets {
+		t.Fatalf("export cancel target=%q want %q", got, screenExportTargets)
+	}
+
+	m.pendingAction = actionRunAll
+	if got := m.confirmCancelTarget(); got != screenHealthCheck {
+		t.Fatalf("run all cancel target=%q want %q", got, screenHealthCheck)
+	}
+
+	m.pendingAction = actionRunMemorySAT
+	if got := m.confirmCancelTarget(); got != screenHealthCheck {
+		t.Fatalf("memory sat cancel target=%q want %q", got, screenHealthCheck)
+	}
+
+	m.pendingAction = actionRunStorageSAT
+	if got := m.confirmCancelTarget(); got != screenHealthCheck {
+		t.Fatalf("storage sat cancel target=%q want %q", got, screenHealthCheck)
+	}
+
+	m.pendingAction = actionNone
+	if got := m.confirmCancelTarget(); got != screenMain {
+		t.Fatalf("default cancel target=%q want %q", got, screenMain)
+	}
+}
+
+func TestViewBusyStateIsMinimal(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.busy = true
+
+	view := m.View()
+	want := "bee\n\nWorking...\n\n[ctrl+c] quit\n"
+	if view != want {
+		t.Fatalf("busy view mismatch\nwant:\n%s\ngot:\n%s", want, view)
+	}
+}
+
+func TestViewBusyStateUsesBusyTitle(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.busy = true
+	m.busyTitle = "Export support bundle"
+
+	view := m.View()
+
+	for _, want := range []string{
+		"Export support bundle",
+		"Working...",
+		"[ctrl+c] quit",
+	} {
+		if !strings.Contains(view, want) {
+			t.Fatalf("view missing %q\nview:\n%s", want, view)
+		}
+	}
+}
+
+func TestViewOutputScreenRendersBodyAndBackHint(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.screen = screenOutput
+	m.title = "Run audit"
+	m.body = "audit output: /appdata/bee/export/bee-audit.json\n"
+
+	view := m.View()
+
+	for _, want := range []string{
+		"Run audit",
+		"audit output: /appdata/bee/export/bee-audit.json",
+		"[enter/esc] back  [ctrl+c] quit",
+	} {
+		if !strings.Contains(view, want) {
+			t.Fatalf("view missing %q\nview:\n%s", want, view)
+		}
+	}
+}
+
+func TestViewRendersBannerModuleAboveScreenBody(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.banner = "System: Demo Server\nIP: 10.0.0.10"
+	m.width = 60
+
+	view := m.View()
+
+	for _, want := range []string{
+		"┌ MOTD ",
+		"System: Demo Server",
+		"IP: 10.0.0.10",
+		"Health Check",
+		"Export support bundle",
+	} {
+		if !strings.Contains(view, want) {
+			t.Fatalf("view missing %q\nview:\n%s", want, view)
+		}
+	}
+}
+
+func TestSnapshotMsgUpdatesBannerAndPanel(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+
+	next, cmd := m.Update(snapshotMsg{
+		banner: "System: Demo",
+		panel: app.HardwarePanelData{
+			Header: []string{"Demo header"},
+			Rows: []app.ComponentRow{
+				{Key: "CPU", Status: "PASS", Detail: "ok"},
+			},
+		},
+	})
+	got := next.(model)
+
+	if cmd != nil {
+		t.Fatal("expected nil cmd")
+	}
+	if got.banner != "System: Demo" {
+		t.Fatalf("banner=%q want %q", got.banner, "System: Demo")
+	}
+	if len(got.panel.Rows) != 1 || got.panel.Rows[0].Key != "CPU" {
+		t.Fatalf("panel rows=%+v", got.panel.Rows)
+	}
+}
+
+func TestViewExportTargetsRendersDeviceMetadata(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.screen = screenExportTargets
+	m.targets = []platform.RemovableTarget{
+		{
+			Device:     "/dev/sdb1",
+			FSType:     "vfat",
+			Size:       "29G",
+			Label:      "BEEUSB",
+			Mountpoint: "/media/bee",
+		},
+	}
+
+	view := m.View()
+
+	for _, want := range []string{
+		"Export support bundle",
+		"Select removable filesystem",
+		"> /dev/sdb1 [vfat 29G] label=BEEUSB mounted=/media/bee",
+	} {
+		if !strings.Contains(view, want) {
+			t.Fatalf("view missing %q\nview:\n%s", want, view)
+		}
+	}
+}
+
+func TestViewStaticFormRendersFields(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.screen = screenStaticForm
+	m.selectedIface = "enp1s0"
+	m.formFields = []formField{
+		{Label: "Address", Value: "192.0.2.10/24"},
+		{Label: "Gateway", Value: "192.0.2.1"},
+		{Label: "DNS", Value: "1.1.1.1"},
+	}
+	m.formIndex = 1
+
+	view := m.View()
+
+	for _, want := range []string{
+		"Static IPv4: enp1s0",
+		"  Address: 192.0.2.10/24",
+		"> Gateway: 192.0.2.1",
+		"  DNS: 1.1.1.1",
+		"[tab/↑/↓] move  [enter] next/submit  [backspace] delete  [esc] cancel",
+	} {
+		if !strings.Contains(view, want) {
+			t.Fatalf("view missing %q\nview:\n%s", want, view)
+		}
+	}
+}
+
+func TestViewConfirmScreenMatchesPendingExport(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.screen = screenConfirm
+	m.pendingAction = actionExportBundle
+	m.selectedTarget = &platform.RemovableTarget{Device: "/dev/sdb1"}
+
+	view := m.View()
+
+	for _, want := range []string{
+		"Export support bundle",
+		"Copy support bundle to /dev/sdb1?",
+		"> Confirm",
+		"  Cancel",
+	} {
+		if !strings.Contains(view, want) {
+			t.Fatalf("view missing %q\nview:\n%s", want, view)
+		}
+	}
+}
+
+func TestResultMsgClearsBusyAndPendingAction(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+	m.busy = true
+	m.busyTitle = "Export support bundle"
+	m.pendingAction = actionExportBundle
+	m.screen = screenConfirm
+
+	next, _ := m.Update(resultMsg{title: "Export support bundle", body: "done", back: screenMain})
+	got := next.(model)
+
+	if got.busy {
+		t.Fatal("busy=true want false")
+	}
+	if got.busyTitle != "" {
+		t.Fatalf("busyTitle=%q want empty", got.busyTitle)
+	}
+	if got.pendingAction != actionNone {
+		t.Fatalf("pendingAction=%q want empty", got.pendingAction)
+	}
+}
+
+func TestResultMsgErrorWithoutBodyFormatsCleanly(t *testing.T) {
+	t.Parallel()
+
+	m := newTestModel()
+
+	next, _ := m.Update(resultMsg{title: "Export support bundle", err: assertErr("boom"), back: screenMain})
+	got := next.(model)
+
+	if got.body != "ERROR: boom" {
+		t.Fatalf("body=%q want %q", got.body, "ERROR: boom")
+	}
+}
+
+type assertErr string
+
+func (e assertErr) Error() string { return string(e) }

audit/internal/tui/types.go

@@ -0,0 +1,194 @@
+package tui
+
+import (
+	"strings"
+	"time"
+
+	"bee/audit/internal/app"
+	"bee/audit/internal/platform"
+	"bee/audit/internal/runtimeenv"
+
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+type screen string
+
+const (
+	screenMain             screen = "main"
+	screenHealthCheck      screen = "health_check"
+	screenSettings         screen = "settings"
+	screenNetwork          screen = "network"
+	screenInterfacePick    screen = "interface_pick"
+	screenServices         screen = "services"
+	screenServiceAction    screen = "service_action"
+	screenExportTargets    screen = "export_targets"
+	screenOutput           screen = "output"
+	screenStaticForm       screen = "static_form"
+	screenConfirm          screen = "confirm"
+	screenNvidiaSATSetup   screen = "nvidia_sat_setup"
+	screenNvidiaSATRunning screen = "nvidia_sat_running"
+)
+
+type actionKind string
+
+const (
+	actionNone          actionKind = ""
+	actionDHCPOne       actionKind = "dhcp_one"
+	actionStaticIPv4    actionKind = "static_ipv4"
+	actionExportBundle  actionKind = "export_bundle"
+	actionRunAll        actionKind = "run_all"
+	actionRunMemorySAT  actionKind = "run_memory_sat"
+	actionRunStorageSAT actionKind = "run_storage_sat"
+	actionRunCPUSAT     actionKind = "run_cpu_sat"
+	actionRunAMDGPUSAT  actionKind = "run_amd_gpu_sat"
+)
+
+type model struct {
+	app         *app.App
+	runtimeMode runtimeenv.Mode
+
+	screen       screen
+	prevScreen   screen
+	cursor       int
+	busy         bool
+	busyTitle    string
+	title        string
+	body         string
+	mainMenu     []string
+	settingsMenu []string
+	networkMenu  []string
+	serviceMenu  []string
+
+	services        []string
+	interfaces      []platform.InterfaceInfo
+	targets         []platform.RemovableTarget
+	selectedService string
+	selectedIface   string
+	selectedTarget  *platform.RemovableTarget
+	pendingAction   actionKind
+
+	formFields []formField
+	formIndex  int
+
+	// Hardware panel (right column)
+	panel       app.HardwarePanelData
+	panelFocus  bool
+	panelCursor int
+	banner      string
+
+	// Health Check screen
+	hcSel         [4]bool
+	hcMode        int
+	hcCursor      int
+	hcInitialized bool
+
+	// NVIDIA SAT setup
+	nvidiaGPUs      []platform.NvidiaGPU
+	nvidiaGPUSel    []bool
+	nvidiaDurIdx    int
+	nvidiaSATCursor int
+
+	// NVIDIA SAT running
+	nvidiaSATCancel  func()
+	nvidiaSATAborted bool
+
+	// SAT verbose progress (CPU / Memory / Storage / AMD GPU)
+	progressLines  []string
+	progressPrefix string
+	progressSince  time.Time
+
+	// Terminal size
+	width int
+}
+
+type formField struct {
+	Label string
+	Value string
+}
+
+func Run(application *app.App, runtimeMode runtimeenv.Mode) error {
+	options := []tea.ProgramOption{}
+	if runtimeMode != runtimeenv.ModeLiveCD {
+		options = append(options, tea.WithAltScreen())
+	}
+	program := tea.NewProgram(newModel(application, runtimeMode), options...)
+	_, err := program.Run()
+	return err
+}
+
+func newModel(application *app.App, runtimeMode runtimeenv.Mode) model {
+	return model{
+		app:         application,
+		runtimeMode: runtimeMode,
+		screen:      screenMain,
+		mainMenu: []string{
+			"Health Check",
+			"Export support bundle",
+			"Settings",
+			"Exit",
+		},
+		settingsMenu: []string{
+			"Network",
+			"Services",
+			"Re-run audit",
+			"Run self-check",
+			"Runtime issues",
+			"Audit logs",
+			"Check tools",
+			"Back",
+		},
+		networkMenu: []string{
+			"Show status",
+			"DHCP on all interfaces",
+			"DHCP on one interface",
+			"Set static IPv4",
+			"Back",
+		},
+		serviceMenu: []string{
+			"Status",
+			"Restart",
+			"Start",
+			"Stop",
+			"Back",
+		},
+	}
+}
+
+func (m model) Init() tea.Cmd {
+	return m.refreshSnapshotCmd()
+}
+
+func (m model) confirmBody() (string, string) {
+	switch m.pendingAction {
+	case actionExportBundle:
+		if m.selectedTarget == nil {
+			return "Export support bundle", "No target selected"
+		}
+		return "Export support bundle", "Copy support bundle to " + m.selectedTarget.Device + "?"
+	case actionRunAll:
+		modes := []string{"Quick", "Standard", "Express"}
+		mode := modes[m.hcMode]
+		var sel []string
+		names := []string{"GPU", "Memory", "Storage", "CPU"}
+		for i, on := range m.hcSel {
+			if on {
+				sel = append(sel, names[i])
+			}
+		}
+		if len(sel) == 0 {
+			return "Health Check", "No components selected."
+		}
+		return "Health Check", "Run: " + strings.Join(sel, " + ") + "\nMode: " + mode
+	case actionRunMemorySAT:
+		return "Memory test", "Run memtester?"
+	case actionRunStorageSAT:
+		return "Storage test", "Run storage diagnostic pack?"
+	case actionRunCPUSAT:
+		modes := []string{"Quick (60s)", "Standard (300s)", "Express (900s)"}
+		return "CPU test", "Run stress-ng? Mode: " + modes[m.hcMode]
+	case actionRunAMDGPUSAT:
+		return "AMD GPU test", "Run AMD GPU diagnostic pack (rocm-smi)?"
+	default:
+		return "Confirm", "Proceed?"
+	}
+}

audit/internal/tui/update.go

@@ -0,0 +1,260 @@
+package tui
+
+import (
+	"fmt"
+	"strings"
+
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+func (m model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
+	switch msg := msg.(type) {
+	case tea.WindowSizeMsg:
+		m.width = msg.Width
+		return m, nil
+	case tea.KeyMsg:
+		if m.busy {
+			if msg.String() == "ctrl+c" {
+				return m, tea.Quit
+			}
+			return m, nil
+		}
+		next, cmd := m.updateKey(msg)
+		nextModel := next.(model)
+		if shouldRefreshSnapshot(m, nextModel) {
+			return nextModel, tea.Batch(cmd, nextModel.refreshSnapshotCmd())
+		}
+		return nextModel, cmd
+	case satProgressMsg:
+		if m.busy && m.progressPrefix != "" {
+			if len(msg.lines) > 0 {
+				m.progressLines = msg.lines
+			}
+			return m, pollSATProgress(m.progressPrefix, m.progressSince)
+		}
+		return m, nil
+	case snapshotMsg:
+		m.banner = msg.banner
+		m.panel = msg.panel
+		return m, nil
+	case resultMsg:
+		m.busy = false
+		m.busyTitle = ""
+		m.progressLines = nil
+		m.progressPrefix = ""
+		m.title = msg.title
+		if msg.err != nil {
+			body := strings.TrimSpace(msg.body)
+			if body == "" {
+				m.body = fmt.Sprintf("ERROR: %v", msg.err)
+			} else {
+				m.body = fmt.Sprintf("%s\n\nERROR: %v", body, msg.err)
+			}
+		} else {
+			m.body = msg.body
+		}
+		m.pendingAction = actionNone
+		if msg.back != "" {
+			m.prevScreen = msg.back
+		} else {
+			m.prevScreen = m.screen
+		}
+		m.screen = screenOutput
+		m.cursor = 0
+		return m, m.refreshSnapshotCmd()
+	case servicesMsg:
+		m.busy = false
+		m.busyTitle = ""
+		if msg.err != nil {
+			m.title = "Services"
+			m.body = msg.err.Error()
+			m.prevScreen = screenSettings
+			m.screen = screenOutput
+			return m, m.refreshSnapshotCmd()
+		}
+		m.services = msg.services
+		m.screen = screenServices
+		m.cursor = 0
+		return m, m.refreshSnapshotCmd()
+	case interfacesMsg:
+		m.busy = false
+		m.busyTitle = ""
+		if msg.err != nil {
+			m.title = "interfaces"
+			m.body = msg.err.Error()
+			m.prevScreen = screenNetwork
+			m.screen = screenOutput
+			return m, m.refreshSnapshotCmd()
+		}
+		m.interfaces = msg.ifaces
+		m.screen = screenInterfacePick
+		m.cursor = 0
+		return m, m.refreshSnapshotCmd()
+	case exportTargetsMsg:
+		m.busy = false
+		m.busyTitle = ""
+		if msg.err != nil {
+			m.title = "export"
+			m.body = msg.err.Error()
+			m.prevScreen = screenMain
+			m.screen = screenOutput
+			return m, m.refreshSnapshotCmd()
+		}
+		m.targets = msg.targets
+		m.screen = screenExportTargets
+		m.cursor = 0
+		return m, m.refreshSnapshotCmd()
+	case nvidiaGPUsMsg:
+		return m.handleNvidiaGPUsMsg(msg)
+	case nvtopClosedMsg:
+		return m, nil
+	case nvidiaSATDoneMsg:
+		if m.nvidiaSATAborted {
+			return m, nil
+		}
+		if m.nvidiaSATCancel != nil {
+			m.nvidiaSATCancel()
+			m.nvidiaSATCancel = nil
+		}
+		m.prevScreen = screenHealthCheck
+		m.screen = screenOutput
+		m.title = msg.title
+		if msg.err != nil {
+			body := strings.TrimSpace(msg.body)
+			if body == "" {
+				m.body = fmt.Sprintf("ERROR: %v", msg.err)
+			} else {
+				m.body = fmt.Sprintf("%s\n\nERROR: %v", body, msg.err)
+			}
+		} else {
+			m.body = msg.body
+		}
+		return m, m.refreshSnapshotCmd()
+	}
+	return m, nil
+}
+
+func (m model) updateKey(msg tea.KeyMsg) (tea.Model, tea.Cmd) {
+	switch m.screen {
+	case screenMain:
+		return m.updateMain(msg)
+	case screenHealthCheck:
+		return m.updateHealthCheck(msg)
+	case screenSettings:
+		return m.updateMenu(msg, len(m.settingsMenu), m.handleSettingsMenu)
+	case screenNetwork:
+		return m.updateMenu(msg, len(m.networkMenu), m.handleNetworkMenu)
+	case screenServices:
+		return m.updateMenu(msg, len(m.services), m.handleServicesMenu)
+	case screenServiceAction:
+		return m.updateMenu(msg, len(m.serviceMenu), m.handleServiceActionMenu)
+	case screenNvidiaSATSetup:
+		return m.updateNvidiaSATSetup(msg)
+	case screenNvidiaSATRunning:
+		return m.updateNvidiaSATRunning(msg)
+	case screenExportTargets:
+		return m.updateMenu(msg, len(m.targets), m.handleExportTargetsMenu)
+	case screenInterfacePick:
+		return m.updateMenu(msg, len(m.interfaces), m.handleInterfacePickMenu)
+	case screenOutput:
+		switch msg.String() {
+		case "esc", "enter", "q":
+			m.screen = m.prevScreen
+			m.body = ""
+			m.title = ""
+			m.pendingAction = actionNone
+			return m, nil
+		case "ctrl+c":
+			return m, tea.Quit
+		}
+	case screenStaticForm:
+		return m.updateStaticForm(msg)
+	case screenConfirm:
+		return m.updateConfirm(msg)
+	}
+	if msg.String() == "ctrl+c" {
+		return m, tea.Quit
+	}
+	return m, nil
+}
+
+// updateMain handles keys on the main (two-column) screen.
+func (m model) updateMain(msg tea.KeyMsg) (tea.Model, tea.Cmd) {
+	if m.panelFocus {
+		return m.updateMainPanel(msg)
+	}
+	// Switch focus to right panel.
+	if (msg.String() == "tab" || msg.String() == "right" || msg.String() == "l") && len(m.panel.Rows) > 0 {
+		m.panelFocus = true
+		return m, nil
+	}
+	return m.updateMenu(msg, len(m.mainMenu), m.handleMainMenu)
+}
+
+// updateMainPanel handles keys when right panel has focus.
+func (m model) updateMainPanel(msg tea.KeyMsg) (tea.Model, tea.Cmd) {
+	switch msg.String() {
+	case "up", "k":
+		if m.panelCursor > 0 {
+			m.panelCursor--
+		}
+	case "down", "j":
+		if m.panelCursor < len(m.panel.Rows)-1 {
+			m.panelCursor++
+		}
+	case "enter":
+		if m.panelCursor < len(m.panel.Rows) {
+			key := m.panel.Rows[m.panelCursor].Key
+			m.busy = true
+			m.busyTitle = key
+			return m, func() tea.Msg {
+				r := m.app.ComponentDetailResult(key)
+				return resultMsg{title: r.Title, body: r.Body, back: screenMain}
+			}
+		}
+	case "tab", "left", "h", "esc":
+		m.panelFocus = false
+	case "q", "ctrl+c":
+		return m, tea.Quit
+	}
+	return m, nil
+}
+
+func (m model) updateMenu(msg tea.KeyMsg, size int, onEnter func() (tea.Model, tea.Cmd)) (tea.Model, tea.Cmd) {
+	if size == 0 {
+		size = 1
+	}
+	switch msg.String() {
+	case "up", "k":
+		if m.cursor > 0 {
+			m.cursor--
+		}
+	case "down", "j":
+		if m.cursor < size-1 {
+			m.cursor++
+		}
+	case "enter":
+		return onEnter()
+	case "esc":
+		switch m.screen {
+		case screenNetwork, screenServices:
+			m.screen = screenSettings
+			m.cursor = 0
+		case screenSettings:
+			m.screen = screenMain
+			m.cursor = 0
+		case screenServiceAction:
+			m.screen = screenServices
+			m.cursor = 0
+		case screenExportTargets:
+			m.screen = screenMain
+			m.cursor = 0
+		case screenInterfacePick:
+			m.screen = screenNetwork
+			m.cursor = 0
+		}
+	case "q", "ctrl+c":
+		return m, tea.Quit
+	}
+	return m, nil
+}

audit/internal/tui/view.go

@@ -0,0 +1,294 @@
+package tui
+
+import (
+	"fmt"
+	"strings"
+
+	"bee/audit/internal/platform"
+
+	tea "github.com/charmbracelet/bubbletea"
+	"github.com/charmbracelet/lipgloss"
+)
+
+// Column widths for two-column main layout.
+const leftColWidth = 30
+
+var (
+	stylePass   = lipgloss.NewStyle().Foreground(lipgloss.Color("10")) // bright green
+	styleFail   = lipgloss.NewStyle().Foreground(lipgloss.Color("9"))  // bright red
+	styleCancel = lipgloss.NewStyle().Foreground(lipgloss.Color("11")) // bright yellow
+	styleNA     = lipgloss.NewStyle().Foreground(lipgloss.Color("8"))  // dark gray
+)
+
+func colorStatus(status string) string {
+	switch status {
+	case "PASS":
+		return stylePass.Render("PASS")
+	case "FAIL":
+		return styleFail.Render("FAIL")
+	case "CANCEL":
+		return styleCancel.Render("CANC")
+	default:
+		return styleNA.Render("N/A ")
+	}
+}
+
+func (m model) View() string {
+	var body string
+	if m.busy {
+		title := "bee"
+		if m.busyTitle != "" {
+			title = m.busyTitle
+		}
+		if len(m.progressLines) > 0 {
+			var b strings.Builder
+			fmt.Fprintf(&b, "%s\n\n", title)
+			for _, l := range m.progressLines {
+				fmt.Fprintf(&b, "  %s\n", l)
+			}
+			b.WriteString("\n[ctrl+c] quit\n")
+			body = b.String()
+		} else {
+			body = fmt.Sprintf("%s\n\nWorking...\n\n[ctrl+c] quit\n", title)
+		}
+	} else {
+		switch m.screen {
+		case screenMain:
+			body = renderTwoColumnMain(m)
+		case screenHealthCheck:
+			body = renderHealthCheck(m)
+		case screenSettings:
+			body = renderMenu("Settings", "Select action", m.settingsMenu, m.cursor)
+		case screenNetwork:
+			body = renderMenu("Network", "Select action", m.networkMenu, m.cursor)
+		case screenServices:
+			body = renderMenu("Services", "Select service", m.services, m.cursor)
+		case screenServiceAction:
+			body = renderMenu("Service: "+m.selectedService, "Select action", m.serviceMenu, m.cursor)
+		case screenExportTargets:
+			body = renderMenu("Export support bundle", "Select removable filesystem", renderTargetItems(m.targets), m.cursor)
+		case screenInterfacePick:
+			body = renderMenu("Interfaces", "Select interface", renderInterfaceItems(m.interfaces), m.cursor)
+		case screenStaticForm:
+			body = renderForm("Static IPv4: "+m.selectedIface, m.formFields, m.formIndex)
+		case screenConfirm:
+			title, confirmBody := m.confirmBody()
+			body = renderConfirm(title, confirmBody, m.cursor)
+		case screenNvidiaSATSetup:
+			body = renderNvidiaSATSetup(m)
+		case screenNvidiaSATRunning:
+			body = renderNvidiaSATRunning()
+		case screenOutput:
+			body = fmt.Sprintf("%s\n\n%s\n\n[enter/esc] back  [ctrl+c] quit\n", m.title, strings.TrimSpace(m.body))
+		default:
+			body = "bee\n"
+		}
+	}
+	return m.renderWithBanner(body)
+}
+
+// renderTwoColumnMain renders the main screen with menu on the left and hardware panel on the right.
+func renderTwoColumnMain(m model) string {
+	// Left column lines
+	leftLines := []string{"bee", ""}
+	for i, item := range m.mainMenu {
+		pfx := "  "
+		if !m.panelFocus && m.cursor == i {
+			pfx = "> "
+		}
+		leftLines = append(leftLines, pfx+item)
+	}
+
+	// Right column lines
+	rightLines := buildPanelLines(m)
+
+	// Render side by side
+	var b strings.Builder
+	maxRows := max(len(leftLines), len(rightLines))
+	for i := 0; i < maxRows; i++ {
+		l := ""
+		if i < len(leftLines) {
+			l = leftLines[i]
+		}
+		r := ""
+		if i < len(rightLines) {
+			r = rightLines[i]
+		}
+		w := lipgloss.Width(l)
+		if w < leftColWidth {
+			l += strings.Repeat(" ", leftColWidth-w)
+		}
+		b.WriteString(l + " │ " + r + "\n")
+	}
+
+	sep := strings.Repeat("─", leftColWidth) + "─┴─" + strings.Repeat("─", 46)
+	b.WriteString(sep + "\n")
+
+	if m.panelFocus {
+		b.WriteString("[↑↓] move  [enter] details  [tab/←] menu  [ctrl+c] quit\n")
+	} else {
+		b.WriteString("[↑↓] move  [enter] select  [tab/→] panel  [ctrl+c] quit\n")
+	}
+
+	return b.String()
+}
+
+func buildPanelLines(m model) []string {
+	p := m.panel
+	var lines []string
+
+	for _, h := range p.Header {
+		lines = append(lines, h)
+	}
+	if len(p.Header) > 0 && len(p.Rows) > 0 {
+		lines = append(lines, "")
+	}
+
+	for i, row := range p.Rows {
+		pfx := "  "
+		if m.panelFocus && m.panelCursor == i {
+			pfx = "> "
+		}
+		status := colorStatus(row.Status)
+		lines = append(lines, fmt.Sprintf("%s%s  %-4s  %s", pfx, status, row.Key, row.Detail))
+	}
+
+	return lines
+}
+
+func renderTargetItems(targets []platform.RemovableTarget) []string {
+	items := make([]string, 0, len(targets))
+	for _, target := range targets {
+		desc := fmt.Sprintf("%s [%s %s]", target.Device, target.FSType, target.Size)
+		if target.Label != "" {
+			desc += " label=" + target.Label
+		}
+		if target.Mountpoint != "" {
+			desc += " mounted=" + target.Mountpoint
+		}
+		items = append(items, desc)
+	}
+	return items
+}
+
+func renderInterfaceItems(interfaces []platform.InterfaceInfo) []string {
+	items := make([]string, 0, len(interfaces))
+	for _, iface := range interfaces {
+		label := iface.Name
+		if len(iface.IPv4) > 0 {
+			label += " [" + strings.Join(iface.IPv4, ", ") + "]"
+		}
+		items = append(items, label)
+	}
+	return items
+}
+
+func renderMenu(title, subtitle string, items []string, cursor int) string {
+	var body strings.Builder
+	fmt.Fprintf(&body, "%s\n\n%s\n\n", title, subtitle)
+	if len(items) == 0 {
+		body.WriteString("(no items)\n")
+	} else {
+		for i, item := range items {
+			prefix := "  "
+			if i == cursor {
+				prefix = "> "
+			}
+			fmt.Fprintf(&body, "%s%s\n", prefix, item)
+		}
+	}
+	body.WriteString("\n[↑/↓] move  [enter] select  [esc] back  [ctrl+c] quit\n")
+	return body.String()
+}
+
+func renderForm(title string, fields []formField, idx int) string {
+	var body strings.Builder
+	fmt.Fprintf(&body, "%s\n\n", title)
+	for i, field := range fields {
+		prefix := "  "
+		if i == idx {
+			prefix = "> "
+		}
+		fmt.Fprintf(&body, "%s%s: %s\n", prefix, field.Label, field.Value)
+	}
+	body.WriteString("\n[tab/↑/↓] move  [enter] next/submit  [backspace] delete  [esc] cancel\n")
+	return body.String()
+}
+
+func renderConfirm(title, body string, cursor int) string {
+	options := []string{"Confirm", "Cancel"}
+	var out strings.Builder
+	fmt.Fprintf(&out, "%s\n\n%s\n\n", title, body)
+	for i, option := range options {
+		prefix := "  "
+		if i == cursor {
+			prefix = "> "
+		}
+		fmt.Fprintf(&out, "%s%s\n", prefix, option)
+	}
+	out.WriteString("\n[←/→/↑/↓] move  [enter] select  [esc] cancel\n")
+	return out.String()
+}
+
+func resultCmd(title, body string, err error, back screen) tea.Cmd {
+	return func() tea.Msg {
+		return resultMsg{title: title, body: body, err: err, back: back}
+	}
+}
+
+func (m model) renderWithBanner(body string) string {
+	body = strings.TrimRight(body, "\n")
+	banner := renderBannerModule(m.banner, m.width)
+	if banner == "" {
+		if body == "" {
+			return ""
+		}
+		return body + "\n"
+	}
+	if body == "" {
+		return banner + "\n"
+	}
+	return banner + "\n\n" + body + "\n"
+}
+
+func renderBannerModule(banner string, width int) string {
+	banner = strings.TrimSpace(banner)
+	if banner == "" {
+		return ""
+	}
+
+	lines := strings.Split(banner, "\n")
+	contentWidth := 0
+	for _, line := range lines {
+		if w := lipgloss.Width(line); w > contentWidth {
+			contentWidth = w
+		}
+	}
+	if width > 0 && width-4 > contentWidth {
+		contentWidth = width - 4
+	}
+	if contentWidth < 20 {
+		contentWidth = 20
+	}
+
+	label := " MOTD "
+	topFill := contentWidth + 2 - lipgloss.Width(label)
+	if topFill < 0 {
+		topFill = 0
+	}
+
+	var b strings.Builder
+	b.WriteString("┌" + label + strings.Repeat("─", topFill) + "┐\n")
+	for _, line := range lines {
+		b.WriteString("│ " + padRight(line, contentWidth) + " │\n")
+	}
+	b.WriteString("└" + strings.Repeat("─", contentWidth+2) + "┘")
+	return b.String()
+}
+
+func padRight(value string, width int) string {
+	if gap := width - lipgloss.Width(value); gap > 0 {
+		return value + strings.Repeat(" ", gap)
+	}
+	return value
+}

audit/internal/webui/server.go

@@ -0,0 +1,240 @@
+package webui
+
+import (
+	"errors"
+	"fmt"
+	"html"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"bee/audit/internal/app"
+	"reanimator/chart/viewer"
+	chartweb "reanimator/chart/web"
+)
+
+const defaultTitle = "Bee Hardware Audit"
+
+type HandlerOptions struct {
+	Title     string
+	AuditPath string
+	ExportDir string
+}
+
+func NewHandler(opts HandlerOptions) http.Handler {
+	title := strings.TrimSpace(opts.Title)
+	if title == "" {
+		title = defaultTitle
+	}
+
+	auditPath := strings.TrimSpace(opts.AuditPath)
+	exportDir := strings.TrimSpace(opts.ExportDir)
+	if exportDir == "" {
+		exportDir = app.DefaultExportDir
+	}
+	mux := http.NewServeMux()
+	mux.Handle("GET /static/", http.StripPrefix("/static/", chartweb.Static()))
+	mux.HandleFunc("GET /healthz", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Cache-Control", "no-store")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte("ok"))
+	})
+	mux.HandleFunc("GET /audit.json", func(w http.ResponseWriter, r *http.Request) {
+		data, err := loadSnapshot(auditPath)
+		if err != nil {
+			if errors.Is(err, os.ErrNotExist) {
+				http.Error(w, "audit snapshot not found", http.StatusNotFound)
+				return
+			}
+			http.Error(w, fmt.Sprintf("read audit snapshot: %v", err), http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Cache-Control", "no-store")
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+		_, _ = w.Write(data)
+	})
+	mux.HandleFunc("GET /export/support.tar.gz", func(w http.ResponseWriter, r *http.Request) {
+		archive, err := app.BuildSupportBundle(exportDir)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("build support bundle: %v", err), http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Cache-Control", "no-store")
+		w.Header().Set("Content-Type", "application/gzip")
+		w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", filepath.Base(archive)))
+		http.ServeFile(w, r, archive)
+	})
+	mux.HandleFunc("GET /runtime-health.json", func(w http.ResponseWriter, r *http.Request) {
+		data, err := loadSnapshot(filepath.Join(exportDir, "runtime-health.json"))
+		if err != nil {
+			if errors.Is(err, os.ErrNotExist) {
+				http.Error(w, "runtime health not found", http.StatusNotFound)
+				return
+			}
+			http.Error(w, fmt.Sprintf("read runtime health: %v", err), http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Cache-Control", "no-store")
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+		_, _ = w.Write(data)
+	})
+	mux.HandleFunc("GET /export/", func(w http.ResponseWriter, r *http.Request) {
+		body, err := renderExportIndex(exportDir)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("render export index: %v", err), http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Cache-Control", "no-store")
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		_, _ = w.Write([]byte(body))
+	})
+	mux.HandleFunc("GET /export/file", func(w http.ResponseWriter, r *http.Request) {
+		rel := strings.TrimSpace(r.URL.Query().Get("path"))
+		if rel == "" {
+			http.Error(w, "path is required", http.StatusBadRequest)
+			return
+		}
+		clean := filepath.Clean(rel)
+		if clean == "." || strings.HasPrefix(clean, "..") {
+			http.Error(w, "invalid path", http.StatusBadRequest)
+			return
+		}
+		http.ServeFile(w, r, filepath.Join(exportDir, clean))
+	})
+	mux.HandleFunc("GET /viewer", func(w http.ResponseWriter, r *http.Request) {
+		snapshot, err := loadSnapshot(auditPath)
+		if err != nil && !errors.Is(err, os.ErrNotExist) {
+			http.Error(w, fmt.Sprintf("read audit snapshot: %v", err), http.StatusInternalServerError)
+			return
+		}
+		html, err := viewer.RenderHTML(snapshot, title)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("render snapshot: %v", err), http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Cache-Control", "no-store")
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		_, _ = w.Write(html)
+	})
+	mux.HandleFunc("GET /", func(w http.ResponseWriter, r *http.Request) {
+		noticeTitle, noticeBody := runtimeNotice(filepath.Join(exportDir, "runtime-health.json"))
+		body := renderShellPage(title, noticeTitle, noticeBody)
+		w.Header().Set("Cache-Control", "no-store")
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		_, _ = w.Write([]byte(body))
+	})
+	return mux
+}
+
+func ListenAndServe(addr string, opts HandlerOptions) error {
+	return http.ListenAndServe(addr, NewHandler(opts))
+}
+
+func loadSnapshot(path string) ([]byte, error) {
+	if strings.TrimSpace(path) == "" {
+		return nil, os.ErrNotExist
+	}
+	return os.ReadFile(path)
+}
+
+func runtimeNotice(path string) (string, string) {
+	health, err := app.ReadRuntimeHealth(path)
+	if err != nil {
+		return "Runtime Health", "No runtime health snapshot found yet."
+	}
+	body := fmt.Sprintf("Status: %s. Export dir: %s. Driver ready: %t. CUDA ready: %t. Network: %s. Export files: /export/",
+		firstNonEmpty(health.Status, "UNKNOWN"),
+		firstNonEmpty(health.ExportDir, app.DefaultExportDir),
+		health.DriverReady,
+		health.CUDAReady,
+		firstNonEmpty(health.NetworkStatus, "UNKNOWN"),
+	)
+	if len(health.Issues) > 0 {
+		body += " Issues: "
+		parts := make([]string, 0, len(health.Issues))
+		for _, issue := range health.Issues {
+			parts = append(parts, issue.Code)
+		}
+		body += strings.Join(parts, ", ")
+	}
+	return "Runtime Health", body
+}
+
+func renderExportIndex(exportDir string) (string, error) {
+	var entries []string
+	err := filepath.Walk(strings.TrimSpace(exportDir), func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			return nil
+		}
+		rel, err := filepath.Rel(exportDir, path)
+		if err != nil {
+			return err
+		}
+		entries = append(entries, rel)
+		return nil
+	})
+	if err != nil && !errors.Is(err, os.ErrNotExist) {
+		return "", err
+	}
+	sort.Strings(entries)
+	var body strings.Builder
+	body.WriteString("<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Bee Export Files</title></head><body>")
+	body.WriteString("<h1>Bee Export Files</h1><ul>")
+	for _, entry := range entries {
+		body.WriteString("<li><a href=\"/export/file?path=" + url.QueryEscape(entry) + "\">" + html.EscapeString(entry) + "</a></li>")
+	}
+	if len(entries) == 0 {
+		body.WriteString("<li>No export files found.</li>")
+	}
+	body.WriteString("</ul></body></html>")
+	return body.String(), nil
+}
+
+func renderShellPage(title, noticeTitle, noticeBody string) string {
+	var body strings.Builder
+	body.WriteString("<!DOCTYPE html><html><head><meta charset=\"utf-8\"><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">")
+	body.WriteString("<title>" + html.EscapeString(title) + "</title>")
+	body.WriteString(`<style>
+body{margin:0;font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;background:#f4f1ea;color:#1b1b18}
+.shell{min-height:100vh;display:grid;grid-template-rows:auto auto 1fr}
+.header{padding:18px 20px 12px;border-bottom:1px solid rgba(0,0,0,.08);background:#fbf8f2}
+.header h1{margin:0;font-size:24px}
+.header p{margin:6px 0 0;color:#5a5a52}
+.actions{display:flex;flex-wrap:wrap;gap:10px;padding:12px 20px;background:#fbf8f2}
+.actions a{display:inline-block;text-decoration:none;padding:10px 14px;border-radius:999px;background:#1f5f4a;color:#fff;font-weight:600}
+.actions a.secondary{background:#d8e5dd;color:#17372b}
+.notice{margin:16px 20px 0;padding:14px 16px;border-radius:14px;background:#fff7df;border:1px solid #ead9a4}
+.notice h2{margin:0 0 6px;font-size:16px}
+.notice p{margin:0;color:#4f4a37}
+.viewer-wrap{padding:16px 20px 20px}
+.viewer{width:100%;height:calc(100vh - 170px);border:0;border-radius:18px;background:#fff;box-shadow:0 12px 40px rgba(0,0,0,.08)}
+@media (max-width:720px){.viewer{height:calc(100vh - 240px)}}
+</style></head><body><div class="shell">`)
+	body.WriteString("<header class=\"header\"><h1>" + html.EscapeString(title) + "</h1><p>Audit viewer with support bundle and raw export access.</p></header>")
+	body.WriteString("<nav class=\"actions\">")
+	body.WriteString("<a href=\"/export/support.tar.gz\">Download support bundle</a>")
+	body.WriteString("<a class=\"secondary\" href=\"/audit.json\">Open audit.json</a>")
+	body.WriteString("<a class=\"secondary\" href=\"/runtime-health.json\">Open runtime-health.json</a>")
+	body.WriteString("<a class=\"secondary\" href=\"/export/\">Browse export files</a>")
+	body.WriteString("</nav>")
+	if strings.TrimSpace(noticeTitle) != "" {
+		body.WriteString("<section class=\"notice\"><h2>" + html.EscapeString(noticeTitle) + "</h2><p>" + html.EscapeString(noticeBody) + "</p></section>")
+	}
+	body.WriteString("<main class=\"viewer-wrap\"><iframe class=\"viewer\" src=\"/viewer\" loading=\"eager\" referrerpolicy=\"same-origin\"></iframe></main>")
+	body.WriteString("</div></body></html>")
+	return body.String()
+}
+
+func firstNonEmpty(value, fallback string) string {
+	value = strings.TrimSpace(value)
+	if value == "" {
+		return fallback
+	}
+	return value
+}

audit/internal/webui/server_test.go

@@ -0,0 +1,167 @@
+package webui
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestRootRendersShellWithIframe(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "audit.json")
+	exportDir := filepath.Join(dir, "export")
+	if err := os.MkdirAll(exportDir, 0755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(path, []byte(`{"collected_at":"2026-03-15T00:00:00Z","hardware":{"board":{"serial_number":"SERIAL-OLD"}}}`), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	handler := NewHandler(HandlerOptions{
+		Title:     "Bee Hardware Audit",
+		AuditPath: path,
+		ExportDir: exportDir,
+	})
+
+	first := httptest.NewRecorder()
+	handler.ServeHTTP(first, httptest.NewRequest(http.MethodGet, "/", nil))
+	if first.Code != http.StatusOK {
+		t.Fatalf("first status=%d", first.Code)
+	}
+	if !strings.Contains(first.Body.String(), `iframe`) || !strings.Contains(first.Body.String(), `src="/viewer"`) {
+		t.Fatalf("first body missing iframe viewer: %s", first.Body.String())
+	}
+	if !strings.Contains(first.Body.String(), "/export/support.tar.gz") {
+		t.Fatalf("first body missing support bundle link: %s", first.Body.String())
+	}
+	if got := first.Header().Get("Cache-Control"); got != "no-store" {
+		t.Fatalf("first cache-control=%q", got)
+	}
+
+	if err := os.WriteFile(path, []byte(`{"collected_at":"2026-03-15T00:05:00Z","hardware":{"board":{"serial_number":"SERIAL-NEW"}}}`), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	second := httptest.NewRecorder()
+	handler.ServeHTTP(second, httptest.NewRequest(http.MethodGet, "/", nil))
+	if second.Code != http.StatusOK {
+		t.Fatalf("second status=%d", second.Code)
+	}
+	if !strings.Contains(second.Body.String(), `src="/viewer"`) {
+		t.Fatalf("second body missing iframe viewer: %s", second.Body.String())
+	}
+}
+
+func TestViewerRendersLatestSnapshot(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "audit.json")
+	if err := os.WriteFile(path, []byte(`{"collected_at":"2026-03-15T00:00:00Z","hardware":{"board":{"serial_number":"SERIAL-OLD"}}}`), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	handler := NewHandler(HandlerOptions{AuditPath: path})
+	first := httptest.NewRecorder()
+	handler.ServeHTTP(first, httptest.NewRequest(http.MethodGet, "/viewer", nil))
+	if first.Code != http.StatusOK {
+		t.Fatalf("first status=%d", first.Code)
+	}
+	if !strings.Contains(first.Body.String(), "SERIAL-OLD") {
+		t.Fatalf("viewer body missing old serial: %s", first.Body.String())
+	}
+
+	if err := os.WriteFile(path, []byte(`{"collected_at":"2026-03-15T00:05:00Z","hardware":{"board":{"serial_number":"SERIAL-NEW"}}}`), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	second := httptest.NewRecorder()
+	handler.ServeHTTP(second, httptest.NewRequest(http.MethodGet, "/viewer", nil))
+	if second.Code != http.StatusOK {
+		t.Fatalf("second status=%d", second.Code)
+	}
+	if !strings.Contains(second.Body.String(), "SERIAL-NEW") {
+		t.Fatalf("viewer body missing new serial: %s", second.Body.String())
+	}
+	if strings.Contains(second.Body.String(), "SERIAL-OLD") {
+		t.Fatalf("viewer body still contains old serial: %s", second.Body.String())
+	}
+}
+
+func TestAuditJSONServesLatestSnapshot(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "audit.json")
+	body := `{"hardware":{"board":{"serial_number":"SERIAL-API"}}}`
+	if err := os.WriteFile(path, []byte(body), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	handler := NewHandler(HandlerOptions{AuditPath: path})
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/audit.json", nil))
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status=%d", rec.Code)
+	}
+	if got := strings.TrimSpace(rec.Body.String()); got != body {
+		t.Fatalf("body=%q want %q", got, body)
+	}
+	if got := rec.Header().Get("Content-Type"); !strings.Contains(got, "application/json") {
+		t.Fatalf("content-type=%q", got)
+	}
+}
+
+func TestMissingAuditJSONReturnsNotFound(t *testing.T) {
+	handler := NewHandler(HandlerOptions{AuditPath: "/missing/audit.json"})
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/audit.json", nil))
+	if rec.Code != http.StatusNotFound {
+		t.Fatalf("status=%d want %d", rec.Code, http.StatusNotFound)
+	}
+}
+
+func TestSupportBundleEndpointReturnsArchive(t *testing.T) {
+	dir := t.TempDir()
+	exportDir := filepath.Join(dir, "export")
+	if err := os.MkdirAll(exportDir, 0755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(exportDir, "bee-audit.log"), []byte("audit log"), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	handler := NewHandler(HandlerOptions{ExportDir: exportDir})
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/export/support.tar.gz", nil))
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status=%d body=%s", rec.Code, rec.Body.String())
+	}
+	if got := rec.Header().Get("Content-Disposition"); !strings.Contains(got, "attachment;") {
+		t.Fatalf("content-disposition=%q", got)
+	}
+	if rec.Body.Len() == 0 {
+		t.Fatal("empty archive body")
+	}
+}
+
+func TestRuntimeHealthEndpointReturnsJSON(t *testing.T) {
+	dir := t.TempDir()
+	exportDir := filepath.Join(dir, "export")
+	if err := os.MkdirAll(exportDir, 0755); err != nil {
+		t.Fatal(err)
+	}
+	body := `{"status":"PARTIAL","checked_at":"2026-03-16T10:00:00Z"}`
+	if err := os.WriteFile(filepath.Join(exportDir, "runtime-health.json"), []byte(body), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	handler := NewHandler(HandlerOptions{ExportDir: exportDir})
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/runtime-health.json", nil))
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status=%d body=%s", rec.Code, rec.Body.String())
+	}
+	if strings.TrimSpace(rec.Body.String()) != body {
+		t.Fatalf("body=%q want %q", strings.TrimSpace(rec.Body.String()), body)
+	}
+}

bible-local/README.md

@@ -9,4 +9,5 @@ Generic engineering rules live in `bible/rules/patterns/`.
 |---|---|
 | `architecture/system-overview.md` | What bee does, scope, tech stack |
 | `architecture/runtime-flows.md` | Boot sequence, audit flow, service order |
+| `docs/hardware-ingest-contract.md` | Current Reanimator hardware ingest JSON contract |
 | `decisions/` | Architectural decision log |

bible-local/architecture/runtime-flows.md

@@ -4,100 +4,91 @@
 
 **The live CD runs in an isolated network segment with no internet access.**
 All binaries, kernel modules, and tools must be baked into the ISO at build time.
-No `apk add`, no downloads, no package manager calls are allowed at boot.
+No package installation, no downloads, and no package manager calls are allowed at boot.
 DHCP is used only for LAN (operator SSH access). Internet is NOT available.
 
 ## Boot sequence (single ISO)
 
-OpenRC default runlevel, service start order:
+`systemd` boot order:
 
 ```
-localmount
-  ├── bee-sshsetup   (creates bee user, sets password; runs before dropbear)
-  │     └── dropbear  (SSH on port 22 — starts without network)
-  ├── bee-network    (udhcpc -b on all physical interfaces, non-blocking)
-  │     └── bee-nvidia  (insmod nvidia*.ko from /usr/local/lib/nvidia/,
-  │                      creates libnvidia-ml.so.1 symlinks in /usr/lib/)
-  │           └── bee-audit  (runs audit binary → /var/log/bee-audit.json)
+local-fs.target
+  ├── bee-sshsetup.service   (enables SSH key auth; password fallback only if marker exists)
+  │     └── ssh.service      (OpenSSH on port 22 — starts without network)
+  ├── bee-network.service    (starts `dhclient -nw` on all physical interfaces, non-blocking)
+  ├── bee-nvidia.service     (insmod nvidia*.ko from /usr/local/lib/nvidia/,
+  │                           creates /dev/nvidia* nodes)
+  ├── bee-audit.service      (runs `bee audit` → /var/log/bee-audit.json,
+  │                            never blocks boot on partial collector failures)
+  └── bee-web.service        (runs `bee web` on :80,
+                               reads the latest audit snapshot on each request)
 ```
 
 **Critical invariants:**
-- Dropbear MUST start without network. `bee-sshsetup` has `need localmount` only.
-- `bee-network` uses `udhcpc -b` (background) — retries indefinitely if no cable.
-- `bee-nvidia` loads modules via `insmod` with absolute paths — NOT `modprobe`.
-  Reason: modloop squashfs mounts over `/lib/modules/<kver>/` at boot, making it
-  read-only. The overlay's modules at that path are inaccessible. Modules are stored
-  at `/usr/local/lib/nvidia/` (overlay path, always writable).
-- `bee-nvidia` creates `libnvidia-ml.so.1` symlinks in `/usr/lib/` — required because
-  `nvidia-smi` is a glibc binary that looks for the soname symlink, not the versioned file.
-- `gcompat` package provides `/lib64/ld-linux-x86-64.so.2` for glibc compat on Alpine musl.
-- `bee-audit` uses `after bee-nvidia` — ensures NVIDIA enrichment succeeds.
-- `bee-audit` uses `eend 0` always — never fails boot even if audit errors.
+- OpenSSH MUST start without network. `bee-sshsetup.service` runs before `ssh.service`.
+- `bee-network.service` uses `dhclient -nw` (background) — network bring-up is best effort and non-blocking.
+- `bee-nvidia.service` loads modules via `insmod` with absolute paths — NOT `modprobe`.
+  Reason: the modules are shipped in the ISO overlay under `/usr/local/lib/nvidia/`, not in the host module tree.
+- `bee-audit.service` does not wait for `network-online.target`; audit is local and must run even if DHCP is broken.
+- `bee-audit.service` logs audit failures but does not turn partial collector problems into a boot blocker.
+- `bee-web.service` binds `0.0.0.0:80` and always renders the current `/var/log/bee-audit.json` contents.
+- Audit JSON now includes a `hardware.summary` block with overall verdict and warning/failure counts.
+
+## Console and login flow
+
+Local-console behavior:
+
+```text
+tty1
+  └── live-config autologin → bee
+        └── /home/bee/.profile
+              └── exec menu
+                    └── /usr/local/bin/bee-tui
+                          └── sudo -n /usr/local/bin/bee tui --runtime livecd
+```
+
+Rules:
+- local `tty1` lands in user `bee`, not directly in `root`
+- `menu` must work without typing `sudo`
+- TUI actions still run as `root` via `sudo -n`
+- SSH is independent from the tty1 path
+- serial console support is enabled for VM boot debugging
 
 ## ISO build sequence
 
 ```
-build.sh [--authorized-keys /path/to/keys]
-  1. compile audit binary (skip if .go files older than binary)
-  2. inject authorized_keys into overlay/root/.ssh/ (or set password fallback)
-  3. copy audit binary → overlay/usr/local/bin/audit
-  4. copy vendor binaries from iso/vendor/ → overlay/usr/local/bin/
-     (storcli64, sas2ircu, sas3ircu, mstflint, gpu_burn — each optional)
-  5. build-nvidia-module.sh:
-       a. apk add linux-lts-dev (always, to get current Alpine 3.21 kernel headers)
-       b. detect KVER from /usr/src/linux-headers-*
-       c. download NVIDIA .run installer (sha256 verified, cached in dist/)
-       d. extract installer
-       e. build kernel modules against linux-lts headers
-       f. create libnvidia-ml.so.1 / libcuda.so.1 symlinks in cache
-       g. cache in dist/nvidia-<version>-<kver>/
-  6. inject NVIDIA .ko → overlay/usr/local/lib/nvidia/
-  7. inject nvidia-smi → overlay/usr/local/bin/nvidia-smi
-  8. inject libnvidia-ml + libcuda → overlay/usr/lib/
-  9. write overlay/etc/bee-release (versions + git commit)
-  10. export BEE_BUILD_INFO for motd substitution
-  11. mkimage.sh (from /var/tmp, TMPDIR=/var/tmp):
-        kernel_* section  — cached (linux-lts modloop)
-        apks_* section    — cached (downloaded packages)
-        syslinux_* / grub_* — cached
-        apkovl            — always regenerated (genapkovl-bee.sh)
-        final ISO         — always assembled
+build-in-container.sh [--authorized-keys /path/to/keys]
+  1. compile `bee` binary (skip if .go files older than binary)
+  2. create a temporary overlay staging dir under `dist/`
+  3. inject authorized_keys into staged `root/.ssh/` (or set password fallback marker)
+  4. copy `bee` binary → staged `/usr/local/bin/bee`
+  5. copy vendor binaries from `iso/vendor/` → staged `/usr/local/bin/`
+     (`storcli64`, `sas2ircu`, `sas3ircu`, `arcconf`, `ssacli` — optional; `mstflint` comes from the Debian package set)
+  6. `build-nvidia-module.sh`:
+       a. install Debian kernel headers if missing
+       b. download NVIDIA `.run` installer (sha256 verified, cached in `dist/`)
+       c. extract installer
+       d. build kernel modules against Debian headers
+       e. create `libnvidia-ml.so.1` / `libcuda.so.1` symlinks in cache
+       f. cache in `dist/nvidia-<version>-<kver>/`
+  7. inject NVIDIA `.ko` → staged `/usr/local/lib/nvidia/`
+  8. inject `nvidia-smi` → staged `/usr/local/bin/nvidia-smi`
+  9. inject `libnvidia-ml` + `libcuda` → staged `/usr/lib/`
+  10. write staged `/etc/bee-release` (versions + git commit)
+  11. patch staged `motd` with build metadata
+  12. copy `iso/builder/` into a temporary live-build workdir under `dist/`
+  13. sync staged overlay into workdir `config/includes.chroot/`
+  14. run `lb config && lb build` inside the privileged builder container
 ```
 
 **Critical invariants:**
-- `KERNEL_PKG_VERSION` in `iso/builder/VERSIONS` pins the exact Alpine package version
-  (e.g. `6.12.76-r0`). This version is used in THREE places that MUST stay in sync:
-  1. `build-nvidia-module.sh` — `apk add linux-lts-dev=${KERNEL_PKG_VERSION}` (compile headers)
-  2. `mkimg.bee.sh` — `linux-lts=${KERNEL_PKG_VERSION}` in apks list (ISO kernel)
-  3. `build.sh` — build-time verification that headers match pin (fails loudly if not)
-  When Alpine releases a new linux-lts patch (e.g. r0 → r1), update KERNEL_PKG_VERSION
-  in VERSIONS — that's the only place to change. The build will fail loudly if the pin
-  doesn't match the installed headers, so stale pins are caught immediately.
-- **All three must use the same APK mirror: `dl-cdn.alpinelinux.org`.** Both
-  `build-nvidia-module.sh` (apk add) and `mkimage.sh` (--repository) explicitly use
-  `https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main|community`.
-  Never use the builder's local `/etc/apk/repositories` — its mirror may serve
-  a different package state, causing "unable to select package" failures.
-- `linux-lts-dev` is always installed (not conditional) — stale 6.6.x headers on the
-  builder would cause modules to be built for the wrong kernel and never load at runtime.
-- NVIDIA modules go to `overlay/usr/local/lib/nvidia/` — NOT `lib/modules/<kver>/extra/`.
-- `genapkovl-bee.sh` must be copied to `/var/tmp/` (CWD when mkimage runs).
-- `TMPDIR=/var/tmp` required — tmpfs `/tmp` is only ~1GB, too small for kernel firmware.
-- Workdir cleanup preserves `apks_*`, `kernel_*`, `syslinux_*`, `grub_*` cache dirs.
-
-## gpu_burn vendor binary
-
-`gpu_burn` requires CUDA nvcc to build. It is NOT built as part of the main ISO build.
-Build separately on the builder VM and place in `iso/vendor/gpu_burn`:
-
-```sh
-sh iso/builder/build-gpu-burn.sh dist/
-cp dist/gpu_burn iso/vendor/gpu_burn
-cp dist/compare.ptx iso/vendor/compare.ptx
-```
-
-Requires: CUDA 12.8+ (supports GCC 14, Alpine 3.21), libxml2, g++, make, git.
-The `build.sh` will include it automatically if `iso/vendor/gpu_burn` exists.
+- `DEBIAN_KERNEL_ABI` in `iso/builder/VERSIONS` pins the exact kernel ABI used in BOTH places:
+  1. `build-in-container.sh` / `build-nvidia-module.sh` — Debian kernel headers for module build
+  2. `auto/config` — `linux-image-${DEBIAN_KERNEL_ABI}` in the ISO
+- NVIDIA modules go to staged `usr/local/lib/nvidia/` — NOT to `/lib/modules/<kver>/extra/`.
+- The source overlay in `iso/overlay/` is treated as immutable source. Build-time files are injected only into the staged overlay.
+- The live-build workdir under `dist/` is disposable; source files under `iso/builder/` stay clean.
+- Container build requires `--privileged` because `live-build` uses mounts/chroots/loop devices during ISO assembly.
 
 ## Post-boot smoke test
 
@@ -109,35 +100,74 @@ ssh root@<ip> 'sh -s' < iso/builder/smoketest.sh
 
 Exit code 0 = all required checks pass. All `FAIL` lines must be zero before shipping.
 
-Key checks: NVIDIA modules loaded, nvidia-smi sees all GPUs, lib symlinks present,
-gcompat installed, services running, audit completed with NVIDIA enrichment, internet.
+Key checks: NVIDIA modules loaded, `nvidia-smi` sees all GPUs, lib symlinks present,
+systemd services running, audit completed with NVIDIA enrichment, LAN reachability.
 
-## apkovl mechanism
+Current validation state:
+- local/libvirt VM boot path is validated for `systemd`, SSH, `bee audit`, `bee-network`, and TUI startup
+- real hardware validation is still required before treating the ISO as release-ready
 
-The apkovl is a `.tar.gz` injected into the ISO at `/boot/`. Alpine initramfs extracts
-it at boot, overlaying `/etc`, `/usr`, `/root`, `/lib` on the tmpfs root.
+## Overlay mechanism
 
-`genapkovl-bee.sh` generates the tarball containing:
-- `/etc/apk/world` — package list (apk installs on first boot)
-- `/etc/runlevels/*/` — OpenRC service symlinks
-- `/etc/conf.d/dropbear` — `DROPBEAR_OPTS="-R -B"`
-- `/etc/network/interfaces` — lo only (bee-network handles DHCP)
-- `/etc/hostname`
-- Everything from `iso/overlay/` (init scripts, binaries, ssh keys, tui)
+`live-build` copies files from `config/includes.chroot/` into the ISO filesystem.
+`build.sh` prepares a staged overlay, then syncs it into a temporary workdir's
+`config/includes.chroot/` before running `lb build`.
 
 ## Collector flow
 
 ```
-audit binary start
+`bee audit` start
   1. board collector   (dmidecode -t 0,1,2)
   2. cpu collector     (dmidecode -t 4)
   3. memory collector  (dmidecode -t 17)
   4. storage collector (lsblk -J, smartctl -j, nvme id-ctrl, nvme smart-log)
   5. pcie collector    (lspci -vmm -D, /sys/bus/pci/devices/)
-  6. psu collector     (ipmitool fru — silent if no /dev/ipmi0)
+  6. psu collector     (ipmitool fru + sdr — silent if no /dev/ipmi0)
   7. nvidia enrichment (nvidia-smi — skipped if binary absent or driver not loaded)
   8. output JSON → /var/log/bee-audit.json
   9. QR summary to stdout (qrencode if available)
 ```
 
 Every collector returns `nil, nil` on tool-not-found. Errors are logged, never fatal.
+
+Acceptance flows:
+- `bee sat nvidia` → diagnostic archive with `nvidia-smi -q` + `nvidia-bug-report` + lightweight `bee-gpu-stress`
+- `bee sat memory` → `memtester` archive
+- `bee sat storage` → SMART/NVMe diagnostic archive and short self-test trigger where supported
+- SAT `summary.txt` now includes `overall_status` and per-job `*_status` values (`OK`, `FAILED`, `UNSUPPORTED`)
+- Runtime overrides:
+  - `BEE_GPU_STRESS_SECONDS`
+  - `BEE_GPU_STRESS_SIZE_MB`
+  - `BEE_MEMTESTER_SIZE_MB`
+  - `BEE_MEMTESTER_PASSES`
+
+## NVIDIA SAT TUI flow (v1.0.0+)
+
+```
+TUI: Acceptance tests → NVIDIA command pack
+  1. screenNvidiaSATSetup
+       a. enumerate GPUs via `nvidia-smi --query-gpu=index,name,memory.total`
+       b. user selects duration preset: 10 min / 1 h / 8 h / 24 h
+       c. user selects GPUs via checkboxes (all selected by default)
+       d. memory size = max(selected GPU memory) — auto-detected, not exposed to user
+  2. Start → screenNvidiaSATRunning
+       a. CUDA_VISIBLE_DEVICES set to selected GPU indices
+       b. tea.Batch: SAT goroutine + tea.ExecProcess(nvtop) launched concurrently
+       c. nvtop occupies full terminal; SAT result queues in background
+       d. [o] reopen nvtop at any time; [a] abort (cancels context → kills bee-gpu-stress)
+  3. GPU metrics collection (during bee-gpu-stress)
+       - background goroutine polls `nvidia-smi` every second
+       - per-second rows: elapsed, GPU index, temp°C, usage%, power W, clock MHz
+       - outputs: gpu-metrics.csv, gpu-metrics.html (offline SVG chart), gpu-metrics-term.txt
+  4. After SAT completes
+       - result shown in screenOutput with terminal line-chart (gpu-metrics-term.txt)
+       - chart is asciigraph-style: box-drawing chars (╭╮╰╯─│), 4 series per GPU,
+         Y axis with ticks, ANSI colours (red=temp, blue=usage, green=power, yellow=clock)
+```
+
+**Critical invariants:**
+- `nvtop` must be in `iso/builder/config/package-lists/bee.list.chroot` (baked into ISO).
+- `bee-gpu-stress` uses `exec.CommandContext` — aborted on cancel.
+- Metric goroutine uses stopCh/doneCh pattern; main goroutine waits `<-doneCh` before reading rows (no mutex needed).
+- If `nvtop` is not found on PATH, SAT still runs without it (graceful degradation).
+- SVG chart is fully offline: no JS, no external CSS, pure inline SVG.

bible-local/architecture/system-overview.md

@@ -4,7 +4,7 @@
 
 Hardware audit LiveCD. Boots on a server via BMC virtual media or USB.
 Collects hardware inventory at OS level (not through BMC/Redfish).
-Produces `HardwareIngestRequest` JSON compatible with core/reanimator.
+Produces `HardwareIngestRequest` JSON compatible with the contract in `bible-local/docs/hardware-ingest-contract.md`.
 
 ## Why it exists
 
@@ -19,18 +19,22 @@ Fills gaps where Redfish/logpile is blind:
 ## In scope
 
 - Read-only hardware inventory: board, CPU, memory, storage, PCIe, PSU, GPU, NIC, RAID
-- Unattended operation — no user interaction required
+- Machine-readable health summary derived from collector verdicts
+- Operator-triggered acceptance tests for NVIDIA, memory, and storage
+- NVIDIA SAT includes both diagnostic collection and lightweight GPU stress via `bee-gpu-stress`
+- Automatic boot audit with operator-facing local console and SSH access
 - NVIDIA proprietary driver loaded at boot for GPU enrichment via `nvidia-smi`
-- SSH access (dropbear) always available for inspection and debugging
-- Interactive TUI (`bee-tui`) for network setup, service management, GPU tests
-- GPU stress testing via `gpu_burn` (vendor binary, optional)
+- SSH access (OpenSSH) always available for inspection and debugging
+- Interactive Go TUI via `bee tui` for network setup, service management, and acceptance tests
+- Read-only web viewer via `bee web`, rendering the latest audit snapshot through the embedded Reanimator Chart
+- Local `tty1` operator UX: `bee` autologin, `menu` auto-start, privileged actions via `sudo -n`
 
 ## Network isolation — CRITICAL
 
 **The live CD runs in an isolated network segment with no internet access.**
 
 - All tools, drivers, and binaries MUST be pre-baked into the ISO at build time
-- No `apk add` at boot — packages are installed during ISO creation, not at runtime
+- No package installation at boot — packages are installed during ISO creation, not at runtime
 - No downloads at boot — NVIDIA modules, vendor tools, and all binaries come from the ISO overlay
 - DHCP is used only for LAN access (SSH from operator laptop); internet is NOT assumed
 - Any feature requiring network downloads cannot be added to the live CD
@@ -43,32 +47,59 @@ Fills gaps where Redfish/logpile is blind:
 - Anything requiring persistent storage on the audited machine
 - Windows support
 - Any functionality requiring internet access at boot
+- Component lifecycle/history across multiple snapshots
+- Status transition history (`status_history`, `status_changed_at`) derived from previous exports
+- Replacement detection between two or more audit runs
+
+## Contract boundary
+
+- `bee` is responsible for the current hardware snapshot only.
+- `bee` should populate current component state, hardware inventory, telemetry, and `status_checked_at`.
+- Historical status transitions and component replacement logic belong to the centralized ingest/lifecycle system, not to `bee`.
+- Contract fields that have no honest local source on a generic Linux host may remain empty.
 
 ## Tech stack
 
 | Component | Technology |
 |---|---|
 | Audit binary | Go, static, `CGO_ENABLED=0` |
-| LiveCD | Alpine Linux 3.21, linux-lts 6.12.x |
-| ISO build | Alpine mkimage + apkovl overlay (`iso/overlay/`) |
-| Init system | OpenRC |
-| SSH | Dropbear (always included) |
-| NVIDIA driver | Proprietary `.run` installer, built against linux-lts headers |
-| NVIDIA modules | Loaded via `insmod` from `/usr/local/lib/nvidia/` (not modloop path) |
-| glibc compat | `gcompat` — required for `nvidia-smi` (glibc binary on musl Alpine) |
-| Builder VM | Alpine 3.21 |
+| Live ISO | Debian 12 (bookworm), amd64 live-build image |
+| ISO build | Debian `live-build` + overlay sync into `config/includes.chroot/` |
+| Init system | `systemd` |
+| SSH | OpenSSH server |
+| NVIDIA driver | Proprietary `.run` installer, built against Debian kernel headers |
+| NVIDIA modules | Loaded via `insmod` from `/usr/local/lib/nvidia/` |
+| Builder | Debian 12 host/VM or Debian 12 container image |
+
+## Operator UX
+
+- On the live ISO, `tty1` autologins as `bee`
+- The login profile auto-runs `menu`, which enters the Go TUI
+- The TUI itself executes privileged actions as `root` via `sudo -n`
+- SSH remains available independently of the local console path
+- VM-oriented builds also include `qemu-guest-agent` and serial console support for debugging
+
+## Runtime split
+
+- The main Go application must run both on a normal Linux host and inside the live ISO
+- Live-ISO-only responsibilities stay in `iso/` integration code
+- Live ISO launches the Go CLI with `--runtime livecd`
+- Local/manual runs use `--runtime auto` or `--runtime local`
 
 ## Key paths
 
 | Path | Purpose |
 |---|---|
-| `audit/cmd/audit/` | CLI entry point |
+| `audit/cmd/bee/` | Main CLI entry point |
 | `audit/internal/collector/` | Per-subsystem collectors |
 | `audit/internal/schema/` | HardwareIngestRequest types |
-| `iso/builder/` | ISO build scripts and mkimage profile |
-| `iso/overlay/` | Single overlay: files injected into ISO via apkovl |
-| `iso/vendor/` | Optional pre-built vendor binaries (storcli64, gpu_burn, …) |
-| `iso/builder/VERSIONS` | Pinned versions: Alpine, Go, NVIDIA driver, kernel |
+| `iso/builder/` | ISO build scripts and `live-build` profile |
+| `iso/overlay/` | Source overlay copied into a staged build overlay |
+| `iso/vendor/` | Optional pre-built vendor binaries (storcli64, sas2ircu, sas3ircu, arcconf, ssacli, …) |
+| `internal/chart/` | Git submodule with `reanimator/chart`, embedded into `bee web` |
+| `iso/builder/VERSIONS` | Pinned versions: Debian, Go, NVIDIA driver, kernel ABI |
 | `iso/builder/smoketest.sh` | Post-boot smoke test — run via SSH to verify live ISO |
+| `iso/overlay/etc/profile.d/bee.sh` | `menu` helper + tty1 auto-start policy |
+| `iso/overlay/home/bee/.profile` | `bee` shell profile for local console startup |
 | `dist/` | Build outputs (gitignored) |
 | `iso/out/` | Downloaded ISO files (gitignored) |

bible-local/backlog.md

@@ -1,21 +1,89 @@
 # Backlog
 
-## GPU stress test (H100)
+## BMC версия через IPMI
 
-**Задача:** добавить GPU burn/stress тест в bee-tui без существенного увеличения ISO.
+**Статус:** реализовано.
 
-**Контекст:**
-- `gpu_burn` (wilicc/gpu-burn) не подходит — требует `libcublas.so` (~500MB), что раздует ISO кратно
-- `libcuda.so` уже есть в ISO (из NVIDIA .run installer)
+Добавить сбор версии BMC firmware в board collector:
+- Команда: `ipmitool mc info` → поле `Firmware Revision`
+- Записывать в `hardware.firmware[]` как `{device_name: "BMC", version: "..."}`
+- Показывать в TUI правой колонке рядом с BIOS версией
+- Graceful skip если `/dev/ipmi0` отсутствует (silent: same pattern as PSU collector)
 
-**Выбранный подход:** написать минимальный стресс-тул на CUDA Driver API
-- Использует только `libcuda.so` (уже в ISO) — никаких новых зависимостей
-- Реализует матричное умножение или memory bandwidth через `cuLaunchKernel`
-- Бинарь ~100KB, компилируется через `nvcc` на builder VM, кладётся в `iso/vendor/`
-- bee-tui вызывает его вместо `gpu_burn`
+## CPU acceptance test через stress-ng
 
-**Отклонённые варианты:**
-- `gpu_burn` — нужен libcublas (~500MB)
-- `nvbandwidth` — только bandwidth, не жжёт FLOPs; нужен libcudart (~8MB)
-- DCGM diag — правильный инструмент для H100 но ~100MB установка
-- Download on demand — нужен libcublas, проблема та же
+**Статус:** реализовано. CPU в Health Check получает PASS/FAIL из summary.txt.
+
+Добавить CPU SAT на базе `stress-ng`:
+- Bake `stress-ng` в ISO (добавить в `bee.list.chroot`)
+- Новый `bee sat cpu` — запускает `stress-ng --cpu 0 --cpu-method all --timeout <N>` где N = duration из режима (Quick=60s, Standard=300s, Express=900s)
+- Параллельно снимает температуры через `sensors` и throttle-флаги из аудит JSON
+- Результат: SAT архив с summary.txt в формате других SAT (overall_status=OK/FAILED)
+- После реализации: CPU в Health Check получает реальный PASS/FAIL статус
+
+## Real hardware validation
+
+**Статус:** ожидает доступа к железу.
+
+Что осталось подтвердить на практике:
+- `bee sat nvidia` на реальном NVIDIA GPU host
+- `bee sat storage` на NVMe/SATA/RAID host
+- `ipmitool sdr` parsing на сервере с реальным BMC/IPMI
+- vendor RAID tooling (`storcli64`, `sas2ircu`, `sas3ircu`, `arcconf`, `ssacli`) в живом ISO
+
+## SAT result polish
+
+**Статус:** частично закрыто.
+
+Что ещё можно улучшить после полевой проверки:
+- точнее классифицировать vendor-specific self-test outputs в `storage SAT`
+- подобрать дефолты `memtester` по объёму RAM на целевых машинах
+- при необходимости расширить `bee-gpu-stress` по длительности/нагрузке
+
+## Hardware Contract backlog
+
+**Статус:** уточнён, сокращён до `bee`-only snapshot scope.
+
+### Не backlog для `bee`
+
+Эти задачи не должны реализовываться в `bee`, потому что относятся к централизованному ingest/lifecycle слою:
+- `status_history`
+- `status_changed_at`
+- определение замены компонента между snapshot'ами
+- timeline/lifecycle/history по diff между экспортами
+
+`bee` отвечает только за текущий snapshot железа и `status_checked_at`.
+
+### Реализуемо инкрементально
+
+Эти поля можно развивать дальше по мере появления реальных sample outputs и vendor-specific parser'ов:
+- `cpus.correctable_error_count`
+- `cpus.uncorrectable_error_count`
+- `power_supplies.life_remaining_pct`
+- `power_supplies.life_used_pct`
+- `pcie_devices.battery_charge_pct`
+- `pcie_devices.battery_health_pct`
+- `pcie_devices.battery_temperature_c`
+- `pcie_devices.battery_voltage_v`
+- `pcie_devices.battery_replace_required`
+
+### Vendor/platform-specific, часто пустые
+
+Эти поля допустимо оставлять пустыми на части платформ даже после реализации parser'ов:
+- `power_supplies.life_remaining_pct`
+- `power_supplies.life_used_pct`
+- часть `pcie_devices.battery_*` для неподдержанных RAID/NIC/GPU вендоров
+
+### Unsupported в `bee`
+
+Эти поля считаются нереалистичными для общего OS-level hardware snapshotter без synthetic/fake data:
+- `cpus.life_remaining_pct`
+- `cpus.life_used_pct`
+- `memory.life_remaining_pct`
+- `memory.life_used_pct`
+- `memory.spare_blocks_remaining_pct`
+- `memory.performance_degraded`
+
+Причина: у обычного Linux-host audit обычно нет честного vendor-neutral runtime source для этих метрик.
+
+Эти поля считаются дропнутыми из backlog `bee` и не должны возвращаться в план работ без появления нового доказуемого локального источника данных на целевых машинах.

bible-local/docs/hardware-ingest-contract.md

@@ -0,0 +1,793 @@
+---
+title: Hardware Ingest JSON Contract
+version: "2.7"
+updated: "2026-03-15"
+maintainer: Reanimator Core
+audience: external-integrators, ai-agents
+language: ru
+---
+
+# Интеграция с Reanimator: контракт JSON-импорта аппаратного обеспечения
+
+Версия: **2.7** · Дата: **2026-03-15**
+
+Документ описывает формат JSON для передачи данных об аппаратном обеспечении серверов в систему **Reanimator** (управление жизненным циклом аппаратного обеспечения).
+Предназначен для разработчиков смежных систем (Redfish-коллекторов, агентов мониторинга, CMDB-экспортёров) и может быть включён в документацию интегрируемых проектов.
+
+> Актуальная версия документа: https://git.mchus.pro/reanimator/core/src/branch/main/bible-local/docs/hardware-ingest-contract.md
+
+---
+
+## Changelog
+
+| Версия | Дата | Изменения |
+|--------|------|-----------|
+| 2.7 | 2026-03-15 | Явно запрещён синтез данных в `event_logs`; интеграторы не должны придумывать серийные номера компонентов, если источник их не отдал |
+| 2.6 | 2026-03-15 | Добавлена необязательная секция `event_logs` для dedup/upsert логов `host` / `bmc` / `redfish` вне history timeline |
+| 2.5 | 2026-03-15 | Добавлено общее необязательное поле `manufactured_year_week` для компонентных секций (`YYYY-Www`) |
+| 2.4 | 2026-03-15 | Добавлена первая волна component telemetry: health/life поля для `cpus`, `memory`, `storage`, `pcie_devices`, `power_supplies` |
+| 2.3 | 2026-03-15 | Добавлены component telemetry поля: `pcie_devices.temperature_c`, `pcie_devices.power_w`, `power_supplies.temperature_c` |
+| 2.2 | 2026-03-15 | Добавлено поле `numa_node` у `pcie_devices` для topology/affinity |
+| 2.1 | 2026-03-15 | Добавлена секция `sensors` (fans, power, temperatures, other); поле `mac_addresses` у `pcie_devices`; расширен список значений `device_class` |
+| 2.0 | 2026-02-01 | История статусов (`status_history`, `status_changed_at`); поля telemetry у PSU; async job response |
+| 1.0 | 2026-01-01 | Начальная версия контракта |
+
+---
+
+## Принципы
+
+1. **Snapshot** — JSON описывает состояние сервера на момент сбора. Может включать историю изменений статуса компонентов.
+2. **Идемпотентность** — повторная отправка идентичного payload не создаёт дублей (дедупликация по хешу).
+3. **Частичность** — можно передавать только те секции, данные по которым доступны. Пустой массив и отсутствие секции эквивалентны.
+4. **Строгая схема** — endpoint использует строгий JSON-декодер; неизвестные поля приводят к `400 Bad Request`.
+5. **Event-driven** — импорт создаёт события в timeline (LOG_COLLECTED, INSTALLED, REMOVED, FIRMWARE_CHANGED и др.).
+6. **Без синтеза со стороны интегратора** — сборщик передаёт только фактически собранные значения. Нельзя придумывать `serial_number`, `component_ref`, `message`, `message_id` или другие идентификаторы/атрибуты, если источник их не предоставил или парсер не смог их надёжно извлечь.
+
+---
+
+## Endpoint
+
+```
+POST /ingest/hardware
+Content-Type: application/json
+```
+
+**Ответ при приёме (202 Accepted):**
+```json
+{
+  "status": "accepted",
+  "job_id": "job_01J..."
+}
+```
+
+Импорт выполняется асинхронно. Результат доступен по:
+```
+GET /ingest/hardware/jobs/{job_id}
+```
+
+**Ответ при успехе задачи:**
+```json
+{
+  "status": "success",
+  "bundle_id": "lb_01J...",
+  "asset_id": "mach_01J...",
+  "collected_at": "2026-02-10T15:30:00Z",
+  "duplicate": false,
+  "summary": {
+    "parts_observed": 15,
+    "parts_created": 2,
+    "parts_updated": 13,
+    "installations_created": 2,
+    "installations_closed": 1,
+    "timeline_events_created": 9,
+    "failure_events_created": 1
+  }
+}
+```
+
+**Ответ при дубликате:**
+```json
+{
+  "status": "success",
+  "duplicate": true,
+  "message": "LogBundle with this content hash already exists"
+}
+```
+
+**Ответ при ошибке (400 Bad Request):**
+```json
+{
+  "status": "error",
+  "error": "validation_failed",
+  "details": {
+    "field": "hardware.board.serial_number",
+    "message": "serial_number is required"
+  }
+}
+```
+
+Частые причины `400`:
+- Неверный формат `collected_at` (требуется RFC3339).
+- Пустой `hardware.board.serial_number`.
+- Наличие неизвестного JSON-поля на любом уровне.
+- Тело запроса превышает допустимый размер.
+
+---
+
+## Структура верхнего уровня
+
+```json
+{
+  "filename":     "redfish://10.10.10.103",
+  "source_type":  "api",
+  "protocol":     "redfish",
+  "target_host":  "10.10.10.103",
+  "collected_at": "2026-02-10T15:30:00Z",
+  "hardware": {
+    "board":          { ... },
+    "firmware":       [ ... ],
+    "cpus":           [ ... ],
+    "memory":         [ ... ],
+    "storage":        [ ... ],
+    "pcie_devices":   [ ... ],
+    "power_supplies": [ ... ],
+    "sensors":        { ... },
+    "event_logs":     [ ... ]
+  }
+}
+```
+
+### Поля верхнего уровня
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `collected_at` | string RFC3339 | **да** | Время сбора данных |
+| `hardware` | object | **да** | Аппаратный снапшот |
+| `hardware.board.serial_number` | string | **да** | Серийный номер платы/сервера |
+| `target_host` | string | нет | IP или hostname |
+| `source_type` | string | нет | Тип источника: `api`, `logfile`, `manual` |
+| `protocol` | string | нет | Протокол: `redfish`, `ipmi`, `snmp`, `ssh` |
+| `filename` | string | нет | Идентификатор источника |
+
+---
+
+## Общие поля статуса компонентов
+
+Применяются ко всем компонентным секциям (`cpus`, `memory`, `storage`, `pcie_devices`, `power_supplies`).
+
+| Поле | Тип | Описание |
+|------|-----|----------|
+| `status` | string | Текущий статус: `OK`, `Warning`, `Critical`, `Unknown`, `Empty` |
+| `status_checked_at` | string RFC3339 | Время последней проверки статуса |
+| `status_changed_at` | string RFC3339 | Время последнего изменения статуса |
+| `status_history` | array | История переходов статусов (см. ниже) |
+| `error_description` | string | Текст ошибки/диагностики |
+| `manufactured_year_week` | string | Дата производства в формате `YYYY-Www`, например `2024-W07` |
+
+**Объект `status_history[]`:**
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `status` | string | **да** | Статус в этот момент |
+| `changed_at` | string RFC3339 | **да** | Время перехода (без этого поля запись игнорируется) |
+| `details` | string | нет | Пояснение к переходу |
+
+**Правила приоритета времени события:**
+
+1. `status_changed_at`
+2. Последняя запись `status_history` с совпадающим статусом
+3. Последняя парсируемая запись `status_history`
+4. `status_checked_at`
+
+**Правила передачи статусов:**
+- Передавайте `status` как текущее состояние компонента в snapshot.
+- Если источник хранит историю — передавайте `status_history` отсортированным по `changed_at` по возрастанию.
+- Не включайте записи `status_history` без `changed_at`.
+- Все даты — RFC3339, рекомендуется UTC (`Z`).
+- `manufactured_year_week` используйте, когда источник знает только год и неделю производства, без точной календарной даты.
+
+---
+
+## Секции hardware
+
+### board
+
+Основная информация о сервере. Обязательная секция.
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `serial_number` | string | **да** | Серийный номер (ключ идентификации Asset) |
+| `manufacturer` | string | нет | Производитель |
+| `product_name` | string | нет | Модель |
+| `part_number` | string | нет | Партномер |
+| `uuid` | string | нет | UUID системы |
+
+Значения `"NULL"` в строковых полях трактуются как отсутствие данных.
+
+```json
+"board": {
+  "manufacturer": "Supermicro",
+  "product_name": "X12DPG-QT6",
+  "serial_number": "21D634101",
+  "part_number": "X12DPG-QT6-REV1.01",
+  "uuid": "d7ef2fe5-2fd0-11f0-910a-346f11040868"
+}
+```
+
+---
+
+### firmware
+
+Версии прошивок системных компонентов (BIOS, BMC, CPLD и др.).
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `device_name` | string | **да** | Название устройства (`BIOS`, `BMC`, `CPLD`, …) |
+| `version` | string | **да** | Версия прошивки |
+
+Записи с пустым `device_name` или `version` игнорируются.
+Изменение версии создаёт событие `FIRMWARE_CHANGED` для Asset.
+
+```json
+"firmware": [
+  { "device_name": "BIOS", "version": "06.08.05" },
+  { "device_name": "BMC",  "version": "5.17.00"  },
+  { "device_name": "CPLD", "version": "01.02.03" }
+]
+```
+
+---
+
+### cpus
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `socket` | int | **да** | Номер сокета (используется для генерации serial) |
+| `model` | string | нет | Модель процессора |
+| `manufacturer` | string | нет | Производитель |
+| `cores` | int | нет | Количество ядер |
+| `threads` | int | нет | Количество потоков |
+| `frequency_mhz` | int | нет | Текущая частота |
+| `max_frequency_mhz` | int | нет | Максимальная частота |
+| `temperature_c` | float | нет | Температура CPU, °C (telemetry) |
+| `power_w` | float | нет | Текущая мощность CPU, Вт (telemetry) |
+| `throttled` | bool | нет | Зафиксирован thermal/power throttling |
+| `correctable_error_count` | int | нет | Количество корректируемых ошибок CPU |
+| `uncorrectable_error_count` | int | нет | Количество некорректируемых ошибок CPU |
+| `life_remaining_pct` | float | нет | Остаточный ресурс / health, % |
+| `life_used_pct` | float | нет | Использованный ресурс / wear, % |
+| `serial_number` | string | нет | Серийный номер (если доступен) |
+| `firmware` | string | нет | Версия микрокода; если логгер отдает `Microcode level`, передавайте его сюда как есть |
+| `present` | bool | нет | Наличие (по умолчанию `true`) |
+| + общие поля статуса | | | см. раздел выше |
+
+**Генерация serial_number при отсутствии:** `{board_serial}-CPU-{socket}`
+
+Если источник использует поле/лейбл `Microcode level`, его значение передавайте в `cpus[].firmware` без дополнительного преобразования.
+
+```json
+"cpus": [
+  {
+    "socket": 0,
+    "model": "INTEL(R) XEON(R) GOLD 6530",
+    "cores": 32,
+    "threads": 64,
+    "frequency_mhz": 2100,
+    "max_frequency_mhz": 4000,
+    "temperature_c": 61.5,
+    "power_w": 182.0,
+    "throttled": false,
+    "manufacturer": "Intel",
+    "status": "OK",
+    "status_checked_at": "2026-02-10T15:28:00Z"
+  }
+]
+```
+
+---
+
+### memory
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `slot` | string | нет | Идентификатор слота |
+| `present` | bool | нет | Наличие модуля (по умолчанию `true`) |
+| `serial_number` | string | нет | Серийный номер |
+| `part_number` | string | нет | Партномер (используется как модель) |
+| `manufacturer` | string | нет | Производитель |
+| `size_mb` | int | нет | Объём в МБ |
+| `type` | string | нет | Тип: `DDR3`, `DDR4`, `DDR5`, … |
+| `max_speed_mhz` | int | нет | Максимальная частота |
+| `current_speed_mhz` | int | нет | Текущая частота |
+| `temperature_c` | float | нет | Температура DIMM/модуля, °C (telemetry) |
+| `correctable_ecc_error_count` | int | нет | Количество корректируемых ECC-ошибок |
+| `uncorrectable_ecc_error_count` | int | нет | Количество некорректируемых ECC-ошибок |
+| `life_remaining_pct` | float | нет | Остаточный ресурс / health, % |
+| `life_used_pct` | float | нет | Использованный ресурс / wear, % |
+| `spare_blocks_remaining_pct` | float | нет | Остаток spare blocks, % |
+| `performance_degraded` | bool | нет | Зафиксирована деградация производительности |
+| `data_loss_detected` | bool | нет | Источник сигнализирует риск/факт потери данных |
+| + общие поля статуса | | | см. раздел выше |
+
+Модуль без `serial_number` игнорируется. Модуль с `present=false` или `status=Empty` игнорируется.
+
+```json
+"memory": [
+  {
+    "slot": "CPU0_C0D0",
+    "present": true,
+    "size_mb": 32768,
+    "type": "DDR5",
+    "max_speed_mhz": 4800,
+    "current_speed_mhz": 4800,
+    "temperature_c": 43.0,
+    "correctable_ecc_error_count": 0,
+    "manufacturer": "Hynix",
+    "serial_number": "80AD032419E17CEEC1",
+    "part_number": "HMCG88AGBRA191N",
+    "status": "OK"
+  }
+]
+```
+
+---
+
+### storage
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `slot` | string | нет | Канонический адрес установки PCIe-устройства; передавайте BDF (`0000:18:00.0`) |
+| `serial_number` | string | нет | Серийный номер |
+| `model` | string | нет | Модель |
+| `manufacturer` | string | нет | Производитель |
+| `type` | string | нет | Тип: `NVMe`, `SSD`, `HDD` |
+| `interface` | string | нет | Интерфейс: `NVMe`, `SATA`, `SAS` |
+| `size_gb` | int | нет | Размер в ГБ |
+| `temperature_c` | float | нет | Температура накопителя, °C (telemetry) |
+| `power_on_hours` | int64 | нет | Время работы, часы |
+| `power_cycles` | int64 | нет | Количество циклов питания |
+| `unsafe_shutdowns` | int64 | нет | Нештатные выключения |
+| `media_errors` | int64 | нет | Ошибки носителя / media errors |
+| `error_log_entries` | int64 | нет | Количество записей в error log |
+| `written_bytes` | int64 | нет | Всего записано байт |
+| `read_bytes` | int64 | нет | Всего прочитано байт |
+| `life_used_pct` | float | нет | Использованный ресурс / wear, % |
+| `life_remaining_pct` | float | нет | Остаточный ресурс / health, % |
+| `available_spare_pct` | float | нет | Доступный spare, % |
+| `reallocated_sectors` | int64 | нет | Переназначенные сектора |
+| `current_pending_sectors` | int64 | нет | Сектора в ожидании ремапа |
+| `offline_uncorrectable` | int64 | нет | Некорректируемые ошибки offline scan |
+| `firmware` | string | нет | Версия прошивки |
+| `present` | bool | нет | Наличие (по умолчанию `true`) |
+| + общие поля статуса | | | см. раздел выше |
+
+Диск без `serial_number` игнорируется. Изменение `firmware` создаёт событие `FIRMWARE_CHANGED`.
+
+```json
+"storage": [
+  {
+    "slot": "OB01",
+    "type": "NVMe",
+    "model": "INTEL SSDPF2KX076T1",
+    "size_gb": 7680,
+    "temperature_c": 38.5,
+    "power_on_hours": 12450,
+    "unsafe_shutdowns": 3,
+    "written_bytes": 9876543210,
+    "life_remaining_pct": 91.0,
+    "serial_number": "BTAX41900GF87P6DGN",
+    "manufacturer": "Intel",
+    "firmware": "9CV10510",
+    "interface": "NVMe",
+    "present": true,
+    "status": "OK"
+  }
+]
+```
+
+---
+
+### pcie_devices
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `slot` | string | нет | Идентификатор слота |
+| `vendor_id` | int | нет | PCI Vendor ID (decimal) |
+| `device_id` | int | нет | PCI Device ID (decimal) |
+| `numa_node` | int | нет | NUMA node / CPU affinity устройства |
+| `temperature_c` | float | нет | Температура устройства, °C (telemetry) |
+| `power_w` | float | нет | Текущее энергопотребление устройства, Вт (telemetry) |
+| `life_remaining_pct` | float | нет | Остаточный ресурс / health, % |
+| `life_used_pct` | float | нет | Использованный ресурс / wear, % |
+| `ecc_corrected_total` | int64 | нет | Всего корректируемых ECC-ошибок |
+| `ecc_uncorrected_total` | int64 | нет | Всего некорректируемых ECC-ошибок |
+| `hw_slowdown` | bool | нет | Устройство вошло в hardware slowdown / protective mode |
+| `battery_charge_pct` | float | нет | Заряд батареи / supercap, % |
+| `battery_health_pct` | float | нет | Состояние батареи / supercap, % |
+| `battery_temperature_c` | float | нет | Температура батареи / supercap, °C |
+| `battery_voltage_v` | float | нет | Напряжение батареи / supercap, В |
+| `battery_replace_required` | bool | нет | Требуется замена батареи / supercap |
+| `sfp_temperature_c` | float | нет | Температура SFP/optic, °C |
+| `sfp_tx_power_dbm` | float | нет | TX optical power, dBm |
+| `sfp_rx_power_dbm` | float | нет | RX optical power, dBm |
+| `sfp_voltage_v` | float | нет | Напряжение SFP, В |
+| `sfp_bias_ma` | float | нет | Bias current SFP, мА |
+| `bdf` | string | нет | Deprecated alias для `slot`; при наличии ingest нормализует его в `slot` |
+| `device_class` | string | нет | Класс устройства (см. список ниже) |
+| `manufacturer` | string | нет | Производитель |
+| `model` | string | нет | Модель |
+| `serial_number` | string | нет | Серийный номер |
+| `firmware` | string | нет | Версия прошивки |
+| `link_width` | int | нет | Текущая ширина линка |
+| `link_speed` | string | нет | Текущая скорость: `Gen3`, `Gen4`, `Gen5` |
+| `max_link_width` | int | нет | Максимальная ширина линка |
+| `max_link_speed` | string | нет | Максимальная скорость |
+| `mac_addresses` | string[] | нет | MAC-адреса портов (для сетевых устройств) |
+| `present` | bool | нет | Наличие (по умолчанию `true`) |
+| + общие поля статуса | | | см. раздел выше |
+
+`numa_node` передавайте для NIC / InfiniBand / RAID / GPU, когда источник знает CPU/NUMA affinity. Поле сохраняется в snapshot-атрибутах PCIe-компонента и дублируется в telemetry для topology use cases.
+Поля `temperature_c` и `power_w` используйте для device-level telemetry GPU / accelerator / smart PCIe devices. Они не влияют на идентификацию компонента.
+
+**Генерация serial_number при отсутствии или `"N/A"`:** `{board_serial}-PCIE-{slot}`, где `slot` для PCIe равен BDF.
+
+`slot` — единственный канонический адрес компонента. Для PCIe в `slot` передавайте BDF. Поле `bdf` сохраняется только как переходный alias на входе и не должно использоваться как отдельная координата рядом со `slot`.
+
+**Значения `device_class`:**
+
+| Значение | Назначение |
+|----------|------------|
+| `MassStorageController` | RAID-контроллеры |
+| `StorageController` | HBA, SAS-контроллеры |
+| `NetworkController` | Сетевые адаптеры (InfiniBand, общий) |
+| `EthernetController` | Ethernet NIC |
+| `FibreChannelController` | Fibre Channel HBA |
+| `VideoController` | GPU, видеокарты |
+| `ProcessingAccelerator` | Вычислительные ускорители (AI/ML) |
+| `DisplayController` | Контроллеры дисплея (BMC VGA) |
+
+Список открытый: допускаются произвольные строки для нестандартных классов.
+
+```json
+"pcie_devices": [
+  {
+    "slot": "0000:3b:00.0",
+    "vendor_id": 5555,
+    "device_id": 4401,
+    "numa_node": 0,
+    "temperature_c": 48.5,
+    "power_w": 18.2,
+    "sfp_temperature_c": 36.2,
+    "sfp_tx_power_dbm": -1.8,
+    "sfp_rx_power_dbm": -2.1,
+    "device_class": "EthernetController",
+    "manufacturer": "Intel",
+    "model": "X710 10GbE",
+    "serial_number": "K65472-003",
+    "firmware": "9.20 0x8000d4ae",
+    "mac_addresses": ["3c:fd:fe:aa:bb:cc", "3c:fd:fe:aa:bb:cd"],
+    "status": "OK"
+  }
+]
+```
+
+---
+
+### power_supplies
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `slot` | string | нет | Идентификатор слота |
+| `present` | bool | нет | Наличие (по умолчанию `true`) |
+| `serial_number` | string | нет | Серийный номер |
+| `part_number` | string | нет | Партномер |
+| `model` | string | нет | Модель |
+| `vendor` | string | нет | Производитель |
+| `wattage_w` | int | нет | Мощность в ваттах |
+| `firmware` | string | нет | Версия прошивки |
+| `input_type` | string | нет | Тип входа (например `ACWideRange`) |
+| `input_voltage` | float | нет | Входное напряжение, В (telemetry) |
+| `input_power_w` | float | нет | Входная мощность, Вт (telemetry) |
+| `output_power_w` | float | нет | Выходная мощность, Вт (telemetry) |
+| `temperature_c` | float | нет | Температура PSU, °C (telemetry) |
+| `life_remaining_pct` | float | нет | Остаточный ресурс / health, % |
+| `life_used_pct` | float | нет | Использованный ресурс / wear, % |
+| + общие поля статуса | | | см. раздел выше |
+
+Поля telemetry (`input_voltage`, `input_power_w`, `output_power_w`, `temperature_c`, `life_remaining_pct`, `life_used_pct`) сохраняются в атрибутах компонента и не влияют на его идентификацию.
+
+PSU без `serial_number` игнорируется.
+
+```json
+"power_supplies": [
+  {
+    "slot": "0",
+    "present": true,
+    "model": "GW-CRPS3000LW",
+    "vendor": "Great Wall",
+    "wattage_w": 3000,
+    "serial_number": "2P06C102610",
+    "firmware": "00.03.05",
+    "status": "OK",
+    "input_type": "ACWideRange",
+    "input_power_w": 137,
+    "output_power_w": 104,
+    "input_voltage": 215.25,
+    "temperature_c": 39.5,
+    "life_remaining_pct": 97.0
+  }
+]
+```
+
+---
+
+### sensors
+
+Показания сенсоров сервера. Секция опциональная, не привязана к компонентам.
+Данные хранятся как последнее известное значение (last-known-value) на уровне Asset.
+
+```json
+"sensors": {
+  "fans":         [ ... ],
+  "power":        [ ... ],
+  "temperatures": [ ... ],
+  "other":        [ ... ]
+}
+```
+
+---
+
+### event_logs
+
+Нормализованные операционные логи сервера из `host`, `bmc` или `redfish`.
+
+Эти записи не попадают в history timeline и не создают history events. Они сохраняются в отдельной deduplicated log store и отображаются в отдельном UI-блоке asset logs / host logs.
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `source` | string | **да** | Источник лога: `host`, `bmc`, `redfish` |
+| `event_time` | string RFC3339 | нет | Время события из источника; если отсутствует, используется время ingest/collection |
+| `severity` | string | нет | Уровень: `OK`, `Info`, `Warning`, `Critical`, `Unknown` |
+| `message_id` | string | нет | Идентификатор/код события источника |
+| `message` | string | **да** | Нормализованный текст события |
+| `component_ref` | string | нет | Ссылка на компонент/устройство/слот, если извлекается |
+| `fingerprint` | string | нет | Внешний готовый dedup-key; если не передан, система вычисляет свой |
+| `is_active` | bool | нет | Признак, что событие всё ещё активно/не погашено, если источник умеет lifecycle |
+| `raw_payload` | object | нет | Сырой vendor-specific payload для диагностики |
+
+**Правила event_logs:**
+- Логи дедуплицируются в рамках asset + source + fingerprint.
+- Если `fingerprint` не передан, система строит его из нормализованных полей (`source`, `message_id`, `message`, `component_ref`, временная нормализация).
+- Интегратор/сборщик логов не должен синтезировать содержимое событий: не придумывайте `message`, `message_id`, `component_ref`, serial/device identifiers или иные поля, если они отсутствуют в исходном логе или не были надёжно извлечены.
+- Повторное получение того же события обновляет `last_seen_at`/счётчик повторов и не должно создавать новый timeline/history event.
+- `event_logs` используются для отдельного UI-представления логов и не изменяют canonical state компонентов/asset по умолчанию.
+
+```json
+"event_logs": [
+  {
+    "source": "bmc",
+    "event_time": "2026-03-15T14:03:11Z",
+    "severity": "Warning",
+    "message_id": "0x000F",
+    "message": "Correctable ECC error threshold exceeded",
+    "component_ref": "CPU0_C0D0",
+    "raw_payload": {
+      "sensor": "DIMM_A1",
+      "sel_record_id": "0042"
+    }
+  },
+  {
+    "source": "redfish",
+    "event_time": "2026-03-15T14:03:20Z",
+    "severity": "Info",
+    "message_id": "OpenBMC.0.1.SystemReboot",
+    "message": "System reboot requested by administrator",
+    "component_ref": "Mainboard"
+  }
+]
+```
+
+#### sensors.fans
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `name` | string | **да** | Уникальное имя сенсора в рамках секции |
+| `location` | string | нет | Физическое расположение |
+| `rpm` | int | нет | Обороты, RPM |
+| `status` | string | нет | Статус: `OK`, `Warning`, `Critical`, `Unknown` |
+
+#### sensors.power
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `name` | string | **да** | Уникальное имя сенсора |
+| `location` | string | нет | Физическое расположение |
+| `voltage_v` | float | нет | Напряжение, В |
+| `current_a` | float | нет | Ток, А |
+| `power_w` | float | нет | Мощность, Вт |
+| `status` | string | нет | Статус |
+
+#### sensors.temperatures
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `name` | string | **да** | Уникальное имя сенсора |
+| `location` | string | нет | Физическое расположение |
+| `celsius` | float | нет | Температура, °C |
+| `threshold_warning_celsius` | float | нет | Порог Warning, °C |
+| `threshold_critical_celsius` | float | нет | Порог Critical, °C |
+| `status` | string | нет | Статус |
+
+#### sensors.other
+
+| Поле | Тип | Обязательно | Описание |
+|------|-----|-------------|----------|
+| `name` | string | **да** | Уникальное имя сенсора |
+| `location` | string | нет | Физическое расположение |
+| `value` | float | нет | Значение |
+| `unit` | string | нет | Единица измерения |
+| `status` | string | нет | Статус |
+
+**Правила sensors:**
+- Идентификатор сенсора: пара `(sensor_type, name)`. Дубли в одном payload — берётся первое вхождение.
+- Сенсоры без `name` игнорируются.
+- При каждом импорте значения перезаписываются (upsert по ключу).
+
+```json
+"sensors": {
+  "fans": [
+    { "name": "FAN1", "location": "Front", "rpm": 4200, "status": "OK" },
+    { "name": "FAN_CPU0", "location": "CPU0", "rpm": 5600, "status": "OK" }
+  ],
+  "power": [
+    { "name": "12V Rail", "location": "Mainboard", "voltage_v": 12.06, "status": "OK" },
+    { "name": "PSU0 Input", "location": "PSU0", "voltage_v": 215.25, "current_a": 0.64, "power_w": 137.0, "status": "OK" }
+  ],
+  "temperatures": [
+    { "name": "CPU0 Temp", "location": "CPU0", "celsius": 46.0, "threshold_warning_celsius": 80.0, "threshold_critical_celsius": 95.0, "status": "OK" },
+    { "name": "Inlet Temp", "location": "Front", "celsius": 22.0, "threshold_warning_celsius": 40.0, "threshold_critical_celsius": 50.0, "status": "OK" }
+  ],
+  "other": [
+    { "name": "System Humidity", "value": 38.5, "unit": "%", "status": "OK" }
+  ]
+}
+```
+
+---
+
+## Обработка статусов компонентов
+
+| Статус | Поведение |
+|--------|-----------|
+| `OK` | Нормальная обработка |
+| `Warning` | Создаётся событие `COMPONENT_WARNING` |
+| `Critical` | Создаётся событие `COMPONENT_FAILED` + запись в `failure_events` |
+| `Unknown` | Компонент считается рабочим, создаётся событие `COMPONENT_UNKNOWN` |
+| `Empty` | Компонент не создаётся/не обновляется |
+
+---
+
+## Обработка отсутствующих serial_number
+
+Общее правило для всех секций: если источник не вернул серийный номер и сборщик не смог его надёжно извлечь, интегратор не должен подставлять вымышленные значения, хеши, локальные placeholder-идентификаторы или серийные номера "по догадке". Разрешены только явно оговорённые ниже server-side fallback-правила ingest.
+
+| Тип | Поведение |
+|-----|-----------|
+| CPU | Генерируется: `{board_serial}-CPU-{socket}` |
+| PCIe | Генерируется: `{board_serial}-PCIE-{slot}` (если serial = `"N/A"` или пустой; `slot` для PCIe = BDF) |
+| Memory | Компонент игнорируется |
+| Storage | Компонент игнорируется |
+| PSU | Компонент игнорируется |
+
+Если `serial_number` не уникален внутри одного payload для того же `model`:
+- Первое вхождение сохраняет оригинальный серийный номер.
+- Каждое следующее дублирующее получает placeholder: `NO_SN-XXXXXXXX`.
+
+---
+
+## Минимальный валидный пример
+
+```json
+{
+  "collected_at": "2026-02-10T15:30:00Z",
+  "target_host": "192.168.1.100",
+  "hardware": {
+    "board": {
+      "serial_number": "SRV-001"
+    }
+  }
+}
+```
+
+---
+
+## Полный пример с историей статусов
+
+```json
+{
+  "filename": "redfish://10.10.10.103",
+  "source_type": "api",
+  "protocol": "redfish",
+  "target_host": "10.10.10.103",
+  "collected_at": "2026-02-10T15:30:00Z",
+  "hardware": {
+    "board": {
+      "manufacturer": "Supermicro",
+      "product_name": "X12DPG-QT6",
+      "serial_number": "21D634101"
+    },
+    "firmware": [
+      { "device_name": "BIOS", "version": "06.08.05" },
+      { "device_name": "BMC",  "version": "5.17.00"  }
+    ],
+    "cpus": [
+      {
+        "socket": 0,
+        "model": "INTEL(R) XEON(R) GOLD 6530",
+        "manufacturer": "Intel",
+        "cores": 32,
+        "threads": 64,
+        "status": "OK"
+      }
+    ],
+    "storage": [
+      {
+        "slot": "OB01",
+        "type": "NVMe",
+        "model": "INTEL SSDPF2KX076T1",
+        "size_gb": 7680,
+        "serial_number": "BTAX41900GF87P6DGN",
+        "manufacturer": "Intel",
+        "firmware": "9CV10510",
+        "present": true,
+        "status": "OK",
+        "status_changed_at": "2026-02-10T15:22:00Z",
+        "status_history": [
+          { "status": "Critical", "changed_at": "2026-02-10T15:10:00Z", "details": "I/O timeout on NVMe queue 3" },
+          { "status": "OK",       "changed_at": "2026-02-10T15:22:00Z", "details": "Recovered after controller reset" }
+        ]
+      }
+    ],
+    "pcie_devices": [
+      {
+        "slot": "0000:18:00.0",
+        "device_class": "EthernetController",
+        "manufacturer": "Intel",
+        "model": "X710 10GbE",
+        "serial_number": "K65472-003",
+        "mac_addresses": ["3c:fd:fe:aa:bb:cc", "3c:fd:fe:aa:bb:cd"],
+        "status": "OK"
+      }
+    ],
+    "power_supplies": [
+      {
+        "slot": "0",
+        "present": true,
+        "model": "GW-CRPS3000LW",
+        "vendor": "Great Wall",
+        "wattage_w": 3000,
+        "serial_number": "2P06C102610",
+        "firmware": "00.03.05",
+        "status": "OK",
+        "input_power_w": 137,
+        "output_power_w": 104,
+        "input_voltage": 215.25
+      }
+    ],
+    "sensors": {
+      "fans": [
+        { "name": "FAN1", "location": "Front", "rpm": 4200, "status": "OK" }
+      ],
+      "power": [
+        { "name": "12V Rail", "voltage_v": 12.06, "status": "OK" }
+      ],
+      "temperatures": [
+        { "name": "CPU0 Temp", "celsius": 46.0, "threshold_warning_celsius": 80.0, "threshold_critical_celsius": 95.0, "status": "OK" }
+      ],
+      "other": [
+        { "name": "System Humidity", "value": 38.5, "unit": "%" }
+      ]
+    }
+  }
+}
+```

iso/builder/Dockerfile

@@ -0,0 +1,43 @@
+FROM debian:12
+
+ARG GO_VERSION=1.24.0
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -qq && apt-get install -y \
+    ca-certificates \
+    live-build \
+    debootstrap \
+    squashfs-tools \
+    xorriso \
+    grub-pc-bin \
+    grub-efi-amd64-bin \
+    mtools \
+    git \
+    wget \
+    curl \
+    tar \
+    xz-utils \
+    rsync \
+    build-essential \
+    gcc \
+    make \
+    perl \
+    linux-headers-amd64 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN arch="$(dpkg --print-architecture)" \
+    && case "$arch" in \
+        amd64) goarch=amd64 ;; \
+        arm64) goarch=arm64 ;; \
+        *) echo "unsupported architecture: $arch" >&2; exit 1 ;; \
+    esac \
+    && wget -q -O /tmp/go.tar.gz "https://go.dev/dl/go${GO_VERSION}.linux-${goarch}.tar.gz" \
+    && rm -rf /usr/local/go \
+    && tar -C /usr/local -xzf /tmp/go.tar.gz \
+    && rm -f /tmp/go.tar.gz
+
+ENV PATH=/usr/local/go/bin:${PATH}
+WORKDIR /work
+
+CMD ["/bin/bash"]

iso/builder/VERSIONS

@@ -1,4 +1,8 @@
-ALPINE_VERSION=3.21
+DEBIAN_VERSION=12
+DEBIAN_KERNEL_ABI=auto
 NVIDIA_DRIVER_VERSION=590.48.01
-GO_VERSION=1.23.6
-AUDIT_VERSION=0.1.0
+NCCL_VERSION=2.28.9-1
+NCCL_CUDA_VERSION=13.0
+NCCL_SHA256=2e6faafd2c19cffc7738d9283976a3200ea9db9895907f337f0c7e5a25563186
+GO_VERSION=1.24.0
+AUDIT_VERSION=1.0.0

iso/builder/auto/build

@@ -0,0 +1,5 @@
+#!/bin/sh
+# auto/build — live-build build wrapper for bee ISO
+set -e
+
+lb build noauto "${@}" 2>&1

iso/builder/auto/config

@@ -0,0 +1,37 @@
+#!/bin/sh
+# auto/config — live-build configuration for bee ISO
+# Runs automatically when lb config is called.
+# See: man lb_config
+
+set -e
+
+. "$(dirname "$0")/../VERSIONS"
+
+# Pin the exact kernel ABI detected by build.sh so the ISO kernel matches
+# the kernel headers used to compile NVIDIA modules. Falls back to meta-package
+# when lb config is run manually without the environment variable.
+if [ -n "${BEE_KERNEL_ABI:-}" ] && [ "${BEE_KERNEL_ABI}" != "auto" ]; then
+    LB_LINUX_PACKAGES="linux-image-${BEE_KERNEL_ABI}"
+else
+    LB_LINUX_PACKAGES="linux-image"
+fi
+
+lb config noauto \
+    --distribution bookworm \
+    --architectures amd64 \
+    --binary-images iso-hybrid \
+    --bootloaders "grub-efi,syslinux" \
+    --debian-installer none \
+    --archive-areas "main contrib non-free non-free-firmware" \
+    --mirror-bootstrap "https://deb.debian.org/debian" \
+    --mirror-chroot "https://deb.debian.org/debian" \
+    --mirror-binary "https://deb.debian.org/debian" \
+    --security true \
+    --linux-flavours "amd64" \
+    --linux-packages "${LB_LINUX_PACKAGES}" \
+    --memtest none \
+    --iso-volume "EASY-BEE" \
+    --iso-application "EASY-BEE" \
+    --bootappend-live "boot=live components console=tty0 console=ttyS0,115200n8 username=bee user-fullname=Bee modprobe.blacklist=nouveau" \
+    --apt-recommends false \
+    "${@}"

iso/builder/bee-gpu-stress.c

@@ -0,0 +1,314 @@
+#define _POSIX_C_SOURCE 200809L
+
+#include <dlfcn.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+typedef int CUdevice;
+typedef uint64_t CUdeviceptr;
+typedef int CUresult;
+typedef void *CUcontext;
+typedef void *CUmodule;
+typedef void *CUfunction;
+typedef void *CUstream;
+
+#define CU_SUCCESS 0
+
+static const char *ptx_source =
+    ".version 6.0\n"
+    ".target sm_30\n"
+    ".address_size 64\n"
+    "\n"
+    ".visible .entry burn(\n"
+    "    .param .u64 data,\n"
+    "    .param .u32 words,\n"
+    "    .param .u32 rounds\n"
+    ")\n"
+    "{\n"
+    "    .reg .pred %p<2>;\n"
+    "    .reg .b32 %r<8>;\n"
+    "    .reg .b64 %rd<5>;\n"
+    "\n"
+    "    ld.param.u64 %rd1, [data];\n"
+    "    ld.param.u32 %r1, [words];\n"
+    "    ld.param.u32 %r2, [rounds];\n"
+    "    mov.u32 %r3, %ctaid.x;\n"
+    "    mov.u32 %r4, %ntid.x;\n"
+    "    mov.u32 %r5, %tid.x;\n"
+    "    mad.lo.s32 %r0, %r3, %r4, %r5;\n"
+    "    setp.ge.u32 %p0, %r0, %r1;\n"
+    "    @%p0 bra DONE;\n"
+    "    mul.wide.u32 %rd2, %r0, 4;\n"
+    "    add.s64 %rd3, %rd1, %rd2;\n"
+    "    ld.global.u32 %r6, [%rd3];\n"
+    "LOOP:\n"
+    "    setp.eq.u32 %p1, %r2, 0;\n"
+    "    @%p1 bra STORE;\n"
+    "    mad.lo.u32 %r6, %r6, 1664525, 1013904223;\n"
+    "    sub.u32 %r2, %r2, 1;\n"
+    "    bra LOOP;\n"
+    "STORE:\n"
+    "    st.global.u32 [%rd3], %r6;\n"
+    "DONE:\n"
+    "    ret;\n"
+    "}\n";
+
+typedef CUresult (*cuInit_fn)(unsigned int);
+typedef CUresult (*cuDeviceGetCount_fn)(int *);
+typedef CUresult (*cuDeviceGet_fn)(CUdevice *, int);
+typedef CUresult (*cuDeviceGetName_fn)(char *, int, CUdevice);
+typedef CUresult (*cuCtxCreate_fn)(CUcontext *, unsigned int, CUdevice);
+typedef CUresult (*cuCtxDestroy_fn)(CUcontext);
+typedef CUresult (*cuCtxSynchronize_fn)(void);
+typedef CUresult (*cuMemAlloc_fn)(CUdeviceptr *, size_t);
+typedef CUresult (*cuMemFree_fn)(CUdeviceptr);
+typedef CUresult (*cuMemcpyHtoD_fn)(CUdeviceptr, const void *, size_t);
+typedef CUresult (*cuMemcpyDtoH_fn)(void *, CUdeviceptr, size_t);
+typedef CUresult (*cuModuleLoadDataEx_fn)(CUmodule *, const void *, unsigned int, void *, void *);
+typedef CUresult (*cuModuleGetFunction_fn)(CUfunction *, CUmodule, const char *);
+typedef CUresult (*cuLaunchKernel_fn)(CUfunction,
+                                      unsigned int,
+                                      unsigned int,
+                                      unsigned int,
+                                      unsigned int,
+                                      unsigned int,
+                                      unsigned int,
+                                      unsigned int,
+                                      CUstream,
+                                      void **,
+                                      void **);
+typedef CUresult (*cuGetErrorName_fn)(CUresult, const char **);
+typedef CUresult (*cuGetErrorString_fn)(CUresult, const char **);
+
+struct cuda_api {
+    void *lib;
+    cuInit_fn cuInit;
+    cuDeviceGetCount_fn cuDeviceGetCount;
+    cuDeviceGet_fn cuDeviceGet;
+    cuDeviceGetName_fn cuDeviceGetName;
+    cuCtxCreate_fn cuCtxCreate;
+    cuCtxDestroy_fn cuCtxDestroy;
+    cuCtxSynchronize_fn cuCtxSynchronize;
+    cuMemAlloc_fn cuMemAlloc;
+    cuMemFree_fn cuMemFree;
+    cuMemcpyHtoD_fn cuMemcpyHtoD;
+    cuMemcpyDtoH_fn cuMemcpyDtoH;
+    cuModuleLoadDataEx_fn cuModuleLoadDataEx;
+    cuModuleGetFunction_fn cuModuleGetFunction;
+    cuLaunchKernel_fn cuLaunchKernel;
+    cuGetErrorName_fn cuGetErrorName;
+    cuGetErrorString_fn cuGetErrorString;
+};
+
+static int load_symbol(void *lib, const char *name, void **out) {
+    *out = dlsym(lib, name);
+    return *out != NULL;
+}
+
+static int load_cuda(struct cuda_api *api) {
+    memset(api, 0, sizeof(*api));
+    api->lib = dlopen("libcuda.so.1", RTLD_NOW | RTLD_LOCAL);
+    if (!api->lib) {
+        return 0;
+    }
+    return
+        load_symbol(api->lib, "cuInit", (void **)&api->cuInit) &&
+        load_symbol(api->lib, "cuDeviceGetCount", (void **)&api->cuDeviceGetCount) &&
+        load_symbol(api->lib, "cuDeviceGet", (void **)&api->cuDeviceGet) &&
+        load_symbol(api->lib, "cuDeviceGetName", (void **)&api->cuDeviceGetName) &&
+        load_symbol(api->lib, "cuCtxCreate_v2", (void **)&api->cuCtxCreate) &&
+        load_symbol(api->lib, "cuCtxDestroy_v2", (void **)&api->cuCtxDestroy) &&
+        load_symbol(api->lib, "cuCtxSynchronize", (void **)&api->cuCtxSynchronize) &&
+        load_symbol(api->lib, "cuMemAlloc_v2", (void **)&api->cuMemAlloc) &&
+        load_symbol(api->lib, "cuMemFree_v2", (void **)&api->cuMemFree) &&
+        load_symbol(api->lib, "cuMemcpyHtoD_v2", (void **)&api->cuMemcpyHtoD) &&
+        load_symbol(api->lib, "cuMemcpyDtoH_v2", (void **)&api->cuMemcpyDtoH) &&
+        load_symbol(api->lib, "cuModuleLoadDataEx", (void **)&api->cuModuleLoadDataEx) &&
+        load_symbol(api->lib, "cuModuleGetFunction", (void **)&api->cuModuleGetFunction) &&
+        load_symbol(api->lib, "cuLaunchKernel", (void **)&api->cuLaunchKernel);
+}
+
+static const char *cu_error_name(struct cuda_api *api, CUresult rc) {
+    const char *value = NULL;
+    if (api->cuGetErrorName && api->cuGetErrorName(rc, &value) == CU_SUCCESS && value) {
+        return value;
+    }
+    return "CUDA_ERROR";
+}
+
+static const char *cu_error_string(struct cuda_api *api, CUresult rc) {
+    const char *value = NULL;
+    if (api->cuGetErrorString && api->cuGetErrorString(rc, &value) == CU_SUCCESS && value) {
+        return value;
+    }
+    return "unknown";
+}
+
+static int check_rc(struct cuda_api *api, const char *step, CUresult rc) {
+    if (rc == CU_SUCCESS) {
+        return 1;
+    }
+    fprintf(stderr, "%s failed: %s (%s)\n", step, cu_error_name(api, rc), cu_error_string(api, rc));
+    return 0;
+}
+
+static double now_seconds(void) {
+    struct timespec ts;
+    clock_gettime(CLOCK_MONOTONIC, &ts);
+    return (double)ts.tv_sec + ((double)ts.tv_nsec / 1000000000.0);
+}
+
+int main(int argc, char **argv) {
+    int seconds = 5;
+    int size_mb = 64;
+    for (int i = 1; i < argc; i++) {
+        if ((strcmp(argv[i], "--seconds") == 0 || strcmp(argv[i], "-t") == 0) && i + 1 < argc) {
+            seconds = atoi(argv[++i]);
+        } else if ((strcmp(argv[i], "--size-mb") == 0 || strcmp(argv[i], "-m") == 0) && i + 1 < argc) {
+            size_mb = atoi(argv[++i]);
+        } else {
+            fprintf(stderr, "usage: %s [--seconds N] [--size-mb N]\n", argv[0]);
+            return 2;
+        }
+    }
+    if (seconds <= 0) {
+        seconds = 5;
+    }
+    if (size_mb <= 0) {
+        size_mb = 64;
+    }
+
+    struct cuda_api api;
+    if (!load_cuda(&api)) {
+        fprintf(stderr, "failed to load libcuda.so.1 or required Driver API symbols\n");
+        return 1;
+    }
+    load_symbol(api.lib, "cuGetErrorName", (void **)&api.cuGetErrorName);
+    load_symbol(api.lib, "cuGetErrorString", (void **)&api.cuGetErrorString);
+
+    if (!check_rc(&api, "cuInit", api.cuInit(0))) {
+        return 1;
+    }
+
+    int count = 0;
+    if (!check_rc(&api, "cuDeviceGetCount", api.cuDeviceGetCount(&count))) {
+        return 1;
+    }
+    if (count <= 0) {
+        fprintf(stderr, "no CUDA devices found\n");
+        return 1;
+    }
+
+    CUdevice dev = 0;
+    if (!check_rc(&api, "cuDeviceGet", api.cuDeviceGet(&dev, 0))) {
+        return 1;
+    }
+    char name[128] = {0};
+    if (!check_rc(&api, "cuDeviceGetName", api.cuDeviceGetName(name, (int)sizeof(name), dev))) {
+        return 1;
+    }
+
+    CUcontext ctx = NULL;
+    if (!check_rc(&api, "cuCtxCreate", api.cuCtxCreate(&ctx, 0, dev))) {
+        return 1;
+    }
+
+    size_t bytes = (size_t)size_mb * 1024 * 1024;
+    uint32_t words = (uint32_t)(bytes / sizeof(uint32_t));
+    if (words < 1024) {
+        words = 1024;
+        bytes = (size_t)words * sizeof(uint32_t);
+    }
+
+    uint32_t *host = (uint32_t *)malloc(bytes);
+    if (!host) {
+        fprintf(stderr, "malloc failed\n");
+        api.cuCtxDestroy(ctx);
+        return 1;
+    }
+    for (uint32_t i = 0; i < words; i++) {
+        host[i] = i ^ 0x12345678u;
+    }
+
+    CUdeviceptr device_mem = 0;
+    if (!check_rc(&api, "cuMemAlloc", api.cuMemAlloc(&device_mem, bytes))) {
+        free(host);
+        api.cuCtxDestroy(ctx);
+        return 1;
+    }
+    if (!check_rc(&api, "cuMemcpyHtoD", api.cuMemcpyHtoD(device_mem, host, bytes))) {
+        api.cuMemFree(device_mem);
+        free(host);
+        api.cuCtxDestroy(ctx);
+        return 1;
+    }
+
+    CUmodule module = NULL;
+    if (!check_rc(&api, "cuModuleLoadDataEx", api.cuModuleLoadDataEx(&module, ptx_source, 0, NULL, NULL))) {
+        api.cuMemFree(device_mem);
+        free(host);
+        api.cuCtxDestroy(ctx);
+        return 1;
+    }
+
+    CUfunction kernel = NULL;
+    if (!check_rc(&api, "cuModuleGetFunction", api.cuModuleGetFunction(&kernel, module, "burn"))) {
+        api.cuMemFree(device_mem);
+        free(host);
+        api.cuCtxDestroy(ctx);
+        return 1;
+    }
+
+    unsigned int threads = 256;
+    unsigned int blocks = (words + threads - 1) / threads;
+    uint32_t rounds = 256;
+    void *params[] = {&device_mem, &words, &rounds};
+
+    double start = now_seconds();
+    double deadline = start + (double)seconds;
+    unsigned long iterations = 0;
+    while (now_seconds() < deadline) {
+        if (!check_rc(&api, "cuLaunchKernel",
+                      api.cuLaunchKernel(kernel, blocks, 1, 1, threads, 1, 1, 0, NULL, params, NULL))) {
+            api.cuMemFree(device_mem);
+            free(host);
+            api.cuCtxDestroy(ctx);
+            return 1;
+        }
+        iterations++;
+    }
+
+    if (!check_rc(&api, "cuCtxSynchronize", api.cuCtxSynchronize())) {
+        api.cuMemFree(device_mem);
+        free(host);
+        api.cuCtxDestroy(ctx);
+        return 1;
+    }
+    if (!check_rc(&api, "cuMemcpyDtoH", api.cuMemcpyDtoH(host, device_mem, bytes))) {
+        api.cuMemFree(device_mem);
+        free(host);
+        api.cuCtxDestroy(ctx);
+        return 1;
+    }
+
+    uint64_t checksum = 0;
+    for (uint32_t i = 0; i < words; i += words / 256 ? words / 256 : 1) {
+        checksum += host[i];
+    }
+
+    double elapsed = now_seconds() - start;
+    printf("device=%s\n", name);
+    printf("duration_s=%.2f\n", elapsed);
+    printf("buffer_mb=%d\n", size_mb);
+    printf("iterations=%lu\n", iterations);
+    printf("checksum=%llu\n", (unsigned long long)checksum);
+    printf("status=OK\n");
+
+    api.cuMemFree(device_mem);
+    free(host);
+    api.cuCtxDestroy(ctx);
+    return 0;
+}

iso/builder/build-in-container.sh

@@ -0,0 +1,96 @@
+#!/bin/sh
+# build-in-container.sh — build the bee ISO inside the Debian builder container.
+
+set -e
+
+REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+BUILDER_DIR="${REPO_ROOT}/iso/builder"
+CONTAINER_TOOL="${CONTAINER_TOOL:-docker}"
+IMAGE_TAG="${BEE_BUILDER_IMAGE:-bee-iso-builder}"
+CACHE_DIR="${BEE_BUILDER_CACHE_DIR:-${REPO_ROOT}/dist/container-cache}"
+AUTH_KEYS=""
+REBUILD_IMAGE=0
+
+. "${BUILDER_DIR}/VERSIONS"
+
+while [ $# -gt 0 ]; do
+    case "$1" in
+        --cache-dir)
+            CACHE_DIR="$2"
+            shift 2
+            ;;
+        --rebuild-image)
+            REBUILD_IMAGE=1
+            shift
+            ;;
+        --authorized-keys)
+            AUTH_KEYS="$2"
+            shift 2
+            ;;
+        *)
+            echo "unknown arg: $1" >&2
+            echo "usage: $0 [--cache-dir /path] [--rebuild-image] [--authorized-keys /path/to/authorized_keys]" >&2
+            exit 1
+            ;;
+    esac
+done
+
+if ! command -v "$CONTAINER_TOOL" >/dev/null 2>&1; then
+    echo "container tool not found: $CONTAINER_TOOL" >&2
+    exit 1
+fi
+
+if [ -n "$AUTH_KEYS" ]; then
+    [ -f "$AUTH_KEYS" ] || { echo "authorized_keys not found: $AUTH_KEYS" >&2; exit 1; }
+    AUTH_KEYS_ABS="$(cd "$(dirname "$AUTH_KEYS")" && pwd)/$(basename "$AUTH_KEYS")"
+    AUTH_KEYS_DIR="$(dirname "$AUTH_KEYS_ABS")"
+    AUTH_KEYS_BASE="$(basename "$AUTH_KEYS_ABS")"
+fi
+
+mkdir -p \
+    "${CACHE_DIR}" \
+    "${CACHE_DIR}/go-build" \
+    "${CACHE_DIR}/go-mod" \
+    "${CACHE_DIR}/tmp" \
+    "${CACHE_DIR}/bee"
+
+IMAGE_REF="${IMAGE_TAG}:debian${DEBIAN_VERSION}"
+
+if [ "$REBUILD_IMAGE" = "1" ] || ! "$CONTAINER_TOOL" image inspect "${IMAGE_REF}" >/dev/null 2>&1; then
+    "$CONTAINER_TOOL" build \
+        --build-arg GO_VERSION="${GO_VERSION}" \
+        -t "${IMAGE_REF}" \
+        "${BUILDER_DIR}"
+else
+    echo "=== using existing builder image ${IMAGE_REF} ==="
+fi
+
+set -- \
+    run --rm --privileged \
+    -v "${REPO_ROOT}:/work" \
+    -v "${CACHE_DIR}:/cache" \
+    -e BEE_CONTAINER_BUILD=1 \
+    -e GOCACHE=/cache/go-build \
+    -e GOMODCACHE=/cache/go-mod \
+    -e TMPDIR=/cache/tmp \
+    -e BEE_CACHE_DIR=/cache/bee \
+    -w /work \
+    "${IMAGE_REF}" \
+    sh /work/iso/builder/build.sh
+
+if [ -n "$AUTH_KEYS" ]; then
+    set -- run --rm --privileged \
+        -v "${REPO_ROOT}:/work" \
+        -v "${CACHE_DIR}:/cache" \
+        -v "${AUTH_KEYS_DIR}:/tmp/bee-authkeys:ro" \
+        -e BEE_CONTAINER_BUILD=1 \
+        -e GOCACHE=/cache/go-build \
+        -e GOMODCACHE=/cache/go-mod \
+        -e TMPDIR=/cache/tmp \
+        -e BEE_CACHE_DIR=/cache/bee \
+        -w /work \
+        "${IMAGE_REF}" \
+        sh /work/iso/builder/build.sh --authorized-keys "/tmp/bee-authkeys/${AUTH_KEYS_BASE}"
+fi
+
+"$CONTAINER_TOOL" "$@"

iso/builder/build-nccl.sh

@@ -0,0 +1,94 @@
+#!/bin/sh
+# build-nccl.sh — download and extract NCCL shared library for the LiveCD.
+#
+# Downloads libnccl2 .deb from NVIDIA's CUDA apt repository (Debian 12, x86_64)
+# and extracts the shared library. Package integrity verified via sha256.
+#
+# Output is cached in DIST_DIR/nccl-<version>+cuda<cuda>/ so subsequent builds
+# are instant unless NCCL_VERSION or NCCL_CUDA_VERSION changes.
+#
+# Output layout:
+#   $CACHE_DIR/lib/   — libnccl.so.* files
+
+set -e
+
+NCCL_VERSION="$1"
+NCCL_CUDA_VERSION="$2"
+DIST_DIR="$3"
+EXPECTED_SHA256="$4"
+
+[ -n "$NCCL_VERSION" ]      || { echo "usage: $0 <nccl-version> <cuda-version> <dist-dir> [sha256]"; exit 1; }
+[ -n "$NCCL_CUDA_VERSION" ] || { echo "usage: $0 <nccl-version> <cuda-version> <dist-dir> [sha256]"; exit 1; }
+[ -n "$DIST_DIR" ]          || { echo "usage: $0 <nccl-version> <cuda-version> <dist-dir> [sha256]"; exit 1; }
+
+echo "=== NCCL ${NCCL_VERSION}+cuda${NCCL_CUDA_VERSION} ==="
+
+CACHE_DIR="${DIST_DIR}/nccl-${NCCL_VERSION}+cuda${NCCL_CUDA_VERSION}"
+CACHE_ROOT="${BEE_CACHE_DIR:-${DIST_DIR}/cache}"
+DOWNLOAD_CACHE_DIR="${CACHE_ROOT}/nccl-downloads"
+
+if [ -d "$CACHE_DIR/lib" ] && [ "$(ls "$CACHE_DIR/lib/"libnccl.so.* 2>/dev/null | wc -l)" -gt 0 ]; then
+    echo "=== NCCL cached, skipping download ==="
+    echo "cache: $CACHE_DIR"
+    echo "libs: $(ls "$CACHE_DIR/lib/" | wc -l) files"
+    exit 0
+fi
+
+REPO_BASE="https://developer.download.nvidia.com/compute/cuda/repos/debian12/x86_64"
+PKG_NAME="libnccl2_${NCCL_VERSION}+cuda${NCCL_CUDA_VERSION}_amd64.deb"
+PKG_URL="${REPO_BASE}/${PKG_NAME}"
+
+mkdir -p "$DOWNLOAD_CACHE_DIR"
+DEB_FILE="${DOWNLOAD_CACHE_DIR}/${PKG_NAME}"
+
+echo "=== downloading NCCL package ==="
+echo "URL: ${PKG_URL}"
+wget --show-progress -O "$DEB_FILE" "$PKG_URL"
+
+if [ -n "$EXPECTED_SHA256" ]; then
+    echo "=== verifying sha256 ==="
+    ACTUAL_SHA256=$(sha256sum "$DEB_FILE" | awk '{print $1}')
+    if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
+        echo "ERROR: sha256 mismatch"
+        echo "  expected: $EXPECTED_SHA256"
+        echo "  actual:   $ACTUAL_SHA256"
+        rm -f "$DEB_FILE"
+        exit 1
+    fi
+    echo "sha256 OK"
+fi
+
+echo "=== extracting NCCL libraries ==="
+EXTRACT_TMP=$(mktemp -d)
+trap 'rm -rf "$EXTRACT_TMP"' EXIT INT TERM
+
+# .deb is an ar archive; data.tar.* contains the actual files
+cd "$EXTRACT_TMP"
+ar x "$DEB_FILE"
+
+# Extract data tarball (xz, gz, or zst)
+DATA_TAR=$(ls data.tar.* 2>/dev/null | head -1)
+[ -n "$DATA_TAR" ] || { echo "ERROR: data.tar.* not found in .deb"; exit 1; }
+tar xf "$DATA_TAR"
+
+# Library lands in ./usr/lib/x86_64-linux-gnu/ or ./usr/lib/
+mkdir -p "$CACHE_DIR/lib"
+found=0
+for f in $(find . -name 'libnccl.so.*' -not -type d 2>/dev/null); do
+    cp "$f" "$CACHE_DIR/lib/"
+    found=$((found + 1))
+done
+
+[ "$found" -gt 0 ] || { echo "ERROR: libnccl.so.* not found in package"; exit 1; }
+
+# Create soname symlinks: libnccl.so.2 -> libnccl.so.<full>, libnccl.so -> libnccl.so.2
+versioned=$(ls "$CACHE_DIR/lib/libnccl.so."[0-9][0-9.]* 2>/dev/null | head -1)
+if [ -n "$versioned" ]; then
+    base=$(basename "$versioned")
+    ln -sf "$base" "$CACHE_DIR/lib/libnccl.so.2" 2>/dev/null || true
+    ln -sf "libnccl.so.2" "$CACHE_DIR/lib/libnccl.so" 2>/dev/null || true
+fi
+
+echo "=== NCCL extraction complete ==="
+echo "cache: $CACHE_DIR"
+ls -lh "$CACHE_DIR/lib/"

iso/builder/build-nvidia-module.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-# build-nvidia-module.sh — install NVIDIA proprietary driver into ISO overlay
+# build-nvidia-module.sh — compile NVIDIA proprietary driver modules for Debian 12
 #
 # Downloads the official NVIDIA .run installer, extracts kernel modules and
 # userspace tools (nvidia-smi, libnvidia-ml). Everything is proprietary NVIDIA.
@@ -16,34 +16,36 @@ set -e
 
 NVIDIA_VERSION="$1"
 DIST_DIR="$2"
-ALPINE_VERSION="$3"
+DEBIAN_KERNEL_ABI="$3"
 
-[ -n "$NVIDIA_VERSION" ]  || { echo "usage: $0 <nvidia-version> <dist-dir> <alpine-version>"; exit 1; }
-[ -n "$DIST_DIR" ]        || { echo "usage: $0 <nvidia-version> <dist-dir> <alpine-version>"; exit 1; }
-[ -n "$ALPINE_VERSION" ]  || { echo "usage: $0 <nvidia-version> <dist-dir> <alpine-version>"; exit 1; }
+[ -n "$NVIDIA_VERSION" ]    || { echo "usage: $0 <nvidia-version> <dist-dir> <debian-kernel-abi>"; exit 1; }
+[ -n "$DIST_DIR" ]          || { echo "usage: $0 <nvidia-version> <dist-dir> <debian-kernel-abi>"; exit 1; }
+[ -n "$DEBIAN_KERNEL_ABI" ] || { echo "usage: $0 <nvidia-version> <dist-dir> <debian-kernel-abi>"; exit 1; }
 
-# Install linux-lts-dev (no version pin — always use whatever is current in Alpine 3.21 main).
-# This ensures modules are compiled for the same kernel that mkimage will install in the ISO.
-# Both use dl-cdn.alpinelinux.org, so they see the same package state at build time.
-echo "=== installing linux-lts-dev (latest from dl-cdn) ==="
-apk add --quiet --update \
-    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main" \
-    linux-lts-dev
+KVER="${DEBIAN_KERNEL_ABI}-amd64"
+# On Debian, kernel headers are split into two packages:
+#   linux-headers-<kver>        — arch-specific (generated, Makefile)
+#   linux-headers-<kver>-common — common source headers (linux/, asm-generic/, etc.)
+# NVIDIA conftest needs SYSSRC pointing to common (for source headers like linux/mm.h)
+# and SYSOUT pointing to amd64 (for generated headers like autoconf.h, asm/).
+KDIR_ARCH="/usr/src/linux-headers-${KVER}"
+KDIR_COMMON="/usr/src/linux-headers-${DEBIAN_KERNEL_ABI}-common"
 
-# Detect kernel version from installed headers (pick highest version if multiple).
-detect_kver() {
-    ls /usr/src/ 2>/dev/null \
-        | grep '^linux-headers-' \
-        | sed 's/linux-headers-//' \
-        | sort -V \
-        | tail -1
-}
-
-KVER="$(detect_kver)"
-KDIR="/usr/src/linux-headers-${KVER}"
 echo "=== NVIDIA ${NVIDIA_VERSION} (proprietary) for kernel ${KVER} ==="
 
+if [ ! -d "$KDIR_ARCH" ] || [ ! -d "$KDIR_COMMON" ]; then
+    echo "=== installing linux-headers-${KVER} ==="
+    DEBIAN_FRONTEND=noninteractive apt-get install -y \
+        "linux-headers-${KVER}" \
+        gcc make perl
+fi
+echo "kernel headers (arch):   $KDIR_ARCH"
+echo "kernel headers (common): $KDIR_COMMON"
+
 CACHE_DIR="${DIST_DIR}/nvidia-${NVIDIA_VERSION}-${KVER}"
+CACHE_ROOT="${BEE_CACHE_DIR:-${DIST_DIR}/cache}"
+DOWNLOAD_CACHE_DIR="${CACHE_ROOT}/nvidia-downloads"
+EXTRACT_CACHE_DIR="${CACHE_ROOT}/nvidia-extract"
 if [ -d "$CACHE_DIR/modules" ] && [ -f "$CACHE_DIR/bin/nvidia-smi" ]; then
     echo "=== NVIDIA cached, skipping build ==="
     echo "cache: $CACHE_DIR"
@@ -51,20 +53,16 @@ if [ -d "$CACHE_DIR/modules" ] && [ -f "$CACHE_DIR/bin/nvidia-smi" ]; then
     exit 0
 fi
 
-# Install build dependencies (linux-lts-dev already at correct version from above)
-apk add --quiet \
-    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main" \
-    gcc make perl linux-lts-dev wget
-
-# Download official NVIDIA .run installer (proprietary) with sha256 verification
+# Download official NVIDIA .run installer with sha256 verification
 BASE_URL="https://download.nvidia.com/XFree86/Linux-x86_64/${NVIDIA_VERSION}"
-RUN_FILE="/var/tmp/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run"
-SHA_FILE="/var/tmp/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run.sha256sum"
+mkdir -p "$DOWNLOAD_CACHE_DIR" "$EXTRACT_CACHE_DIR"
+RUN_FILE="${DOWNLOAD_CACHE_DIR}/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run"
+SHA_FILE="${DOWNLOAD_CACHE_DIR}/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run.sha256sum"
 
 verify_run() {
     [ -s "$SHA_FILE" ] || return 1
     [ -s "$RUN_FILE" ] || return 1
-    cd /var/tmp
+    cd "$DOWNLOAD_CACHE_DIR"
     sha256sum -c "$SHA_FILE" --status 2>/dev/null
 }
 
@@ -75,7 +73,7 @@ if ! verify_run; then
     echo "sha256: $(cat "$SHA_FILE")"
     wget --show-progress -O "$RUN_FILE" "${BASE_URL}/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run"
     echo "=== verifying sha256 ==="
-    cd /var/tmp && sha256sum -c "$SHA_FILE" || { echo "ERROR: sha256 mismatch"; rm -f "$RUN_FILE"; exit 1; }
+    cd "$DOWNLOAD_CACHE_DIR" && sha256sum -c "$SHA_FILE" || { echo "ERROR: sha256 mismatch"; rm -f "$RUN_FILE"; exit 1; }
     echo "sha256 OK"
 else
     echo "=== NVIDIA installer verified from cache ==="
@@ -84,7 +82,7 @@ fi
 # Extract installer contents
 echo "=== extracting installer ==="
 chmod +x "$RUN_FILE"
-EXTRACT_DIR="/var/tmp/nvidia-extract-${NVIDIA_VERSION}"
+EXTRACT_DIR="${EXTRACT_CACHE_DIR}/nvidia-extract-${NVIDIA_VERSION}"
 rm -rf "$EXTRACT_DIR"
 "$RUN_FILE" --extract-only --target "$EXTRACT_DIR"
 
@@ -96,10 +94,20 @@ done
 [ -n "$KERNEL_SRC" ] || { echo "ERROR: kernel source dir not found in:"; ls "$EXTRACT_DIR/"; exit 1; }
 echo "kernel source: $KERNEL_SRC"
 
-# Build kernel modules from extracted source
+# Build kernel modules
+# CFLAGS_MODULE: add GCC include dir so NVIDIA's nv_stdarg.h can find stdarg.h.
+# Kernel build uses -nostdinc which strips GCC's own includes; we restore it here.
 echo "=== building kernel modules ($(nproc) cores) ==="
 cd "$KERNEL_SRC"
-make -j$(nproc) KERNEL_UNAME="$KVER" SYSSRC="$KDIR" modules 2>&1 | tail -5
+# SYSSRC=common: conftest finds real kernel headers (linux/mm.h etc.)
+# SYSOUT=amd64:  generated headers (autoconf.h, asm/) from arch package
+# Without this split, conftest uses amd64/include/ which is nearly empty,
+# all compile-tests fail silently, and NVIDIA assumes all APIs present → link errors.
+make -j$(nproc) \
+    KERNEL_UNAME="$KVER" \
+    SYSSRC="$KDIR_COMMON" \
+    SYSOUT="$KDIR_ARCH" \
+    modules 2>&1 | tail -10
 
 # Collect outputs
 mkdir -p "$CACHE_DIR/modules" "$CACHE_DIR/bin" "$CACHE_DIR/lib"
@@ -112,32 +120,40 @@ done
 cp "$EXTRACT_DIR/nvidia-smi"           "$CACHE_DIR/bin/"
 cp "$EXTRACT_DIR/nvidia-bug-report.sh" "$CACHE_DIR/bin/" 2>/dev/null || true
 
-# Copy userspace libraries — use find to handle any versioning scheme (libnvidia-ml.so.X.Y.Z or .so.1)
+# Copy GSP firmware (required for Hopper/Ada GPUs — H100, H800, etc.)
+mkdir -p "$CACHE_DIR/firmware"
+if [ -d "$EXTRACT_DIR/firmware" ]; then
+    cp -r "$EXTRACT_DIR/firmware/." "$CACHE_DIR/firmware/"
+    echo "firmware: $(ls "$CACHE_DIR/firmware/" | wc -l) files"
+else
+    echo "WARNING: no firmware/ dir found in installer (may be needed for Hopper GPUs)"
+fi
+
+# Copy ALL userspace library files
 for lib in libnvidia-ml libcuda; do
-    found=$(find "$EXTRACT_DIR" -maxdepth 1 -name "${lib}.so.*" | head -1)
-    if [ -z "$found" ]; then
+    count=0
+    for f in $(find "$EXTRACT_DIR" -maxdepth 1 -name "${lib}.so.*" 2>/dev/null); do
+        cp "$f" "$CACHE_DIR/lib/" && count=$((count+1))
+    done
+    if [ "$count" -eq 0 ]; then
         echo "ERROR: ${lib}.so.* not found in $EXTRACT_DIR"
         ls "$EXTRACT_DIR/"*.so* 2>/dev/null | head -20 || true
         exit 1
     fi
-    cp "$found" "$CACHE_DIR/lib/"
 done
 
-# Verify .ko files were actually built
+# Verify .ko files were built
 ko_count=$(ls "$CACHE_DIR/modules/"*.ko 2>/dev/null | wc -l)
 [ "$ko_count" -gt 0 ] || { echo "ERROR: no .ko files built in $CACHE_DIR/modules/"; exit 1; }
 
-# Create soname symlinks required by nvidia-smi on Alpine (musl/glibc via gcompat + libc6-compat)
+# Create soname symlinks: use [0-9][0-9]* to avoid circular symlink (.so.1 has single digit)
 for lib in libnvidia-ml libcuda; do
-    versioned=$(ls "$CACHE_DIR/lib/${lib}.so."* 2>/dev/null | grep -v '\.so\.1$' | head -1)
-    [ -n "$versioned" ] || versioned=$(ls "$CACHE_DIR/lib/${lib}.so."* 2>/dev/null | head -1)
+    versioned=$(ls "$CACHE_DIR/lib/${lib}.so."[0-9][0-9]* 2>/dev/null | head -1)
     [ -n "$versioned" ] || continue
     base=$(basename "$versioned")
-    # Only create .so.1 if versioned file is not already named .so.1
-    if [ "$base" != "${lib}.so.1" ]; then
-        ln -sf "$base" "$CACHE_DIR/lib/${lib}.so.1"
-    fi
+    ln -sf "$base" "$CACHE_DIR/lib/${lib}.so.1"
     ln -sf "${lib}.so.1" "$CACHE_DIR/lib/${lib}.so" 2>/dev/null || true
+    echo "${lib}: .so.1 -> $base"
 done
 
 echo "=== NVIDIA build complete ==="

iso/builder/build.sh

@@ -1,19 +1,21 @@
 #!/bin/sh
-# build.sh — build bee ISO
-#
-# Single build script. Produces a bootable live ISO with SSH access, TUI, NVIDIA drivers.
-#
-# Run on Alpine builder VM as root after setup-builder.sh.
-# Usage:
-#   sh iso/builder/build.sh [--authorized-keys /path/to/authorized_keys]
+# build.sh — internal ISO build entrypoint executed inside the builder container.
 
 set -e
 
+if [ "${BEE_CONTAINER_BUILD:-0}" != "1" ]; then
+    echo "build.sh must run inside iso/builder/build-in-container.sh" >&2
+    exit 1
+fi
+
 REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
 BUILDER_DIR="${REPO_ROOT}/iso/builder"
 OVERLAY_DIR="${REPO_ROOT}/iso/overlay"
 DIST_DIR="${REPO_ROOT}/dist"
 VENDOR_DIR="${REPO_ROOT}/iso/vendor"
+BUILD_WORK_DIR="${DIST_DIR}/live-build-work"
+OVERLAY_STAGE_DIR="${DIST_DIR}/overlay-stage"
+CACHE_ROOT="${BEE_CACHE_DIR:-${DIST_DIR}/cache}"
 AUTH_KEYS=""
 
 # parse args
@@ -26,49 +28,117 @@ done
 
 . "${BUILDER_DIR}/VERSIONS"
 export PATH="$PATH:/usr/local/go/bin"
+mkdir -p "${DIST_DIR}"
+mkdir -p "${CACHE_ROOT}"
+: "${GOCACHE:=${CACHE_ROOT}/go-build}"
+: "${GOMODCACHE:=${CACHE_ROOT}/go-mod}"
+export GOCACHE GOMODCACHE
 
-# NOTE: lz4 compression for modloop is disabled — Alpine initramfs may not support lz4 squashfs.
-# Default xz compression is used until lz4 support is confirmed.
+# Auto-detect kernel ABI: refresh apt index, then query current linux-image-amd64 dependency.
+# If headers for the detected ABI are not yet installed (kernel updated since image build),
+# install them on the fly so NVIDIA modules and ISO kernel always match.
+if [ -z "${DEBIAN_KERNEL_ABI}" ] || [ "${DEBIAN_KERNEL_ABI}" = "auto" ]; then
+    echo "=== refreshing apt index to detect current kernel ABI ==="
+    apt-get update -qq
+    DEBIAN_KERNEL_ABI=$(apt-cache depends linux-image-amd64 2>/dev/null \
+        | awk '/Depends:.*linux-image-[0-9]/{print $2}' \
+        | grep -oE '[0-9]+\.[0-9]+\.[0-9]+-[0-9]+' \
+        | head -1)
+    if [ -z "${DEBIAN_KERNEL_ABI}" ]; then
+        echo "ERROR: could not auto-detect kernel ABI from apt-cache" >&2
+        exit 1
+    fi
+    echo "=== kernel ABI: ${DEBIAN_KERNEL_ABI} ==="
+fi
+
+# Export detected ABI so that auto/config can pin the exact kernel package
+# (prevents NVIDIA module/kernel mismatch if linux-image-amd64 meta-package
+# gets updated between build.sh start and lb build chroot step)
+export BEE_KERNEL_ABI="${DEBIAN_KERNEL_ABI}"
+
+KVER="${DEBIAN_KERNEL_ABI}-amd64"
+if [ ! -d "/usr/src/linux-headers-${KVER}" ]; then
+    echo "=== installing linux-headers-${KVER} (kernel updated since image build) ==="
+    apt-get install -y "linux-headers-${KVER}"
+fi
 
 echo "=== bee ISO build ==="
-echo "Alpine: ${ALPINE_VERSION}, Go: ${GO_VERSION}"
+echo "Debian: ${DEBIAN_VERSION}, Kernel ABI: ${DEBIAN_KERNEL_ABI}, Go: ${GO_VERSION}"
 echo ""
 
-# --- compile audit binary (static, Linux amd64) ---
-# Skip rebuild if binary is newer than all Go source files.
-AUDIT_BIN="${DIST_DIR}/bee-audit-linux-amd64"
+echo "=== syncing git submodules ==="
+git -C "${REPO_ROOT}" submodule update --init --recursive
+
+# --- compile bee binary (static, Linux amd64) ---
+BEE_BIN="${DIST_DIR}/bee-linux-amd64"
+GPU_STRESS_BIN="${DIST_DIR}/bee-gpu-stress-linux-amd64"
 NEED_BUILD=1
-if [ -f "$AUDIT_BIN" ]; then
-    NEWEST_SRC=$(find "${REPO_ROOT}/audit" -name '*.go' -newer "$AUDIT_BIN" | head -1)
+if [ -f "$BEE_BIN" ]; then
+    NEWEST_SRC=$(find "${REPO_ROOT}/audit" -name '*.go' -newer "$BEE_BIN" | head -1)
     [ -z "$NEWEST_SRC" ] && NEED_BUILD=0
 fi
 
 if [ "$NEED_BUILD" = "1" ]; then
-    echo "=== building audit binary ==="
+    echo "=== building bee binary ==="
     cd "${REPO_ROOT}/audit"
     GOOS=linux GOARCH=amd64 CGO_ENABLED=0 \
         go build \
         -ldflags "-s -w -X main.Version=${AUDIT_VERSION:-$(date +%Y%m%d)}" \
-        -o "$AUDIT_BIN" \
-        ./cmd/audit
-    echo "binary: $AUDIT_BIN"
-    echo "size:   $(du -sh "$AUDIT_BIN" | cut -f1)"
+        -o "$BEE_BIN" \
+        ./cmd/bee
+    echo "binary: $BEE_BIN"
+    if command -v stat >/dev/null 2>&1; then
+        BEE_SIZE_BYTES="$(stat -c '%s' "$BEE_BIN" 2>/dev/null || stat -f '%z' "$BEE_BIN")"
+    else
+        BEE_SIZE_BYTES="$(wc -c < "$BEE_BIN" | tr -d ' ')"
+    fi
+    if command -v numfmt >/dev/null 2>&1; then
+        echo "size:   $(numfmt --to=iec --suffix=B "$BEE_SIZE_BYTES")"
+    else
+        echo "size:   ${BEE_SIZE_BYTES} bytes"
+    fi
 else
-    echo "=== audit binary up to date, skipping build ==="
+    echo "=== bee binary up to date, skipping build ==="
 fi
 
+GPU_STRESS_NEED_BUILD=1
+if [ -f "$GPU_STRESS_BIN" ] && [ "${BUILDER_DIR}/bee-gpu-stress.c" -ot "$GPU_STRESS_BIN" ]; then
+    GPU_STRESS_NEED_BUILD=0
+fi
+
+if [ "$GPU_STRESS_NEED_BUILD" = "1" ]; then
+    echo "=== building bee-gpu-stress ==="
+    gcc -O2 -s -Wall -Wextra \
+        -o "$GPU_STRESS_BIN" \
+        "${BUILDER_DIR}/bee-gpu-stress.c" \
+        -ldl
+    echo "binary: $GPU_STRESS_BIN"
+else
+    echo "=== bee-gpu-stress up to date, skipping build ==="
+fi
+
+echo "=== preparing staged overlay ==="
+rm -rf "${BUILD_WORK_DIR}" "${OVERLAY_STAGE_DIR}"
+mkdir -p "${BUILD_WORK_DIR}" "${OVERLAY_STAGE_DIR}"
+rsync -a "${BUILDER_DIR}/" "${BUILD_WORK_DIR}/"
+rsync -a "${OVERLAY_DIR}/" "${OVERLAY_STAGE_DIR}/"
+rm -f \
+    "${OVERLAY_STAGE_DIR}/etc/bee-ssh-password-fallback" \
+    "${OVERLAY_STAGE_DIR}/etc/bee-release" \
+    "${OVERLAY_STAGE_DIR}/root/.ssh/authorized_keys" \
+    "${OVERLAY_STAGE_DIR}/usr/local/bin/bee" \
+    "${OVERLAY_STAGE_DIR}/usr/local/bin/bee-gpu-stress" \
+    "${OVERLAY_STAGE_DIR}/usr/local/bin/bee-smoketest"
+
 # --- inject authorized_keys for SSH access ---
-# Uses the same Ed25519 keys as release signing (from git.mchus.pro/mchus/keys).
-# SSH public keys are stored alongside signing keys as ~/.keys/<name>.key.pub
-AUTHORIZED_KEYS_FILE="${OVERLAY_DIR}/root/.ssh/authorized_keys"
-mkdir -p "${OVERLAY_DIR}/root/.ssh"
+AUTHORIZED_KEYS_FILE="${OVERLAY_STAGE_DIR}/root/.ssh/authorized_keys"
+mkdir -p "${OVERLAY_STAGE_DIR}/root/.ssh"
 
 if [ -n "$AUTH_KEYS" ]; then
     cp "$AUTH_KEYS" "$AUTHORIZED_KEYS_FILE"
     chmod 600 "$AUTHORIZED_KEYS_FILE"
     echo "SSH authorized_keys: installed from $AUTH_KEYS"
 else
-    # auto-collect all developer SSH public keys from ~/.keys/*.key.pub
     > "$AUTHORIZED_KEYS_FILE"
     FOUND=0
     for ssh_pub in "$HOME"/.keys/*.key.pub; do
@@ -82,127 +152,146 @@ else
         echo "SSH authorized_keys: $FOUND key(s) from ~/.keys/*.key.pub"
     else
         echo "WARNING: no SSH public keys found — falling back to password auth"
-        echo "  SSH login: bee / eeb (user created by bee-sshsetup at boot)"
-        echo "  (generate a key with: sh keys/scripts/keygen.sh <your-name>)"
+        echo "  SSH login: bee / eeb"
         USE_PASSWORD_FALLBACK=1
     fi
 fi
 
-# --- password fallback: write marker file read by init script ---
 if [ "${USE_PASSWORD_FALLBACK:-0}" = "1" ]; then
-    touch "${OVERLAY_DIR}/etc/bee-ssh-password-fallback"
+    touch "${OVERLAY_STAGE_DIR}/etc/bee-ssh-password-fallback"
+else
+    rm -f "${OVERLAY_STAGE_DIR}/etc/bee-ssh-password-fallback"
 fi
 
-# --- copy audit binary into overlay ---
-mkdir -p "${OVERLAY_DIR}/usr/local/bin"
-cp "${DIST_DIR}/bee-audit-linux-amd64" "${OVERLAY_DIR}/usr/local/bin/audit"
-chmod +x "${OVERLAY_DIR}/usr/local/bin/audit"
+# --- copy bee binary into overlay ---
+mkdir -p "${OVERLAY_STAGE_DIR}/usr/local/bin"
+cp "${DIST_DIR}/bee-linux-amd64" "${OVERLAY_STAGE_DIR}/usr/local/bin/bee"
+chmod +x "${OVERLAY_STAGE_DIR}/usr/local/bin/bee"
+cp "${GPU_STRESS_BIN}" "${OVERLAY_STAGE_DIR}/usr/local/bin/bee-gpu-stress"
+chmod +x "${OVERLAY_STAGE_DIR}/usr/local/bin/bee-gpu-stress"
 
 # --- inject smoketest into overlay so it runs directly on the live CD ---
-cp "${BUILDER_DIR}/smoketest.sh" "${OVERLAY_DIR}/usr/local/bin/bee-smoketest"
-chmod +x "${OVERLAY_DIR}/usr/local/bin/bee-smoketest"
+cp "${BUILDER_DIR}/smoketest.sh" "${OVERLAY_STAGE_DIR}/usr/local/bin/bee-smoketest"
+chmod +x "${OVERLAY_STAGE_DIR}/usr/local/bin/bee-smoketest"
 
 # --- vendor utilities (optional pre-fetched binaries) ---
-for tool in storcli64 sas2ircu sas3ircu mstflint; do
+for tool in storcli64 sas2ircu sas3ircu arcconf ssacli; do
     if [ -f "${VENDOR_DIR}/${tool}" ]; then
-        cp "${VENDOR_DIR}/${tool}" "${OVERLAY_DIR}/usr/local/bin/${tool}"
-        chmod +x "${OVERLAY_DIR}/usr/local/bin/${tool}" || true
+        cp "${VENDOR_DIR}/${tool}" "${OVERLAY_STAGE_DIR}/usr/local/bin/${tool}"
+        chmod +x "${OVERLAY_STAGE_DIR}/usr/local/bin/${tool}" || true
         echo "vendor tool: ${tool} (included)"
     else
         echo "vendor tool: ${tool} (not found, skipped)"
     fi
 done
 
-# --- build NVIDIA kernel modules and inject into overlay ---
+# --- build NVIDIA kernel modules ---
 echo ""
 echo "=== building NVIDIA ${NVIDIA_DRIVER_VERSION} modules ==="
-sh "${BUILDER_DIR}/build-nvidia-module.sh" "${NVIDIA_DRIVER_VERSION}" "${DIST_DIR}" "${ALPINE_VERSION}"
-
-# Detect kernel version from installed headers (set by build-nvidia-module.sh above)
-KVER=$(ls /usr/src/ 2>/dev/null | grep '^linux-headers-' | sed 's/linux-headers-//' | sort -V | tail -1)
-[ -n "$KVER" ] || { echo "ERROR: linux-lts-dev not installed — no headers in /usr/src/"; exit 1; }
-echo "=== kernel version: ${KVER} ==="
+sh "${BUILDER_DIR}/build-nvidia-module.sh" "${NVIDIA_DRIVER_VERSION}" "${DIST_DIR}" "${DEBIAN_KERNEL_ABI}"
 
+KVER="${DEBIAN_KERNEL_ABI}-amd64"
 NVIDIA_CACHE="${DIST_DIR}/nvidia-${NVIDIA_DRIVER_VERSION}-${KVER}"
 
-# Inject .ko files into overlay at /usr/local/lib/nvidia/ (not /lib/modules/ — modloop squashfs
-# mounts over that path at boot and makes it read-only, so overlay content there is inaccessible)
+# Inject .ko files into overlay at /usr/local/lib/nvidia/
 OVERLAY_KMOD_DIR="${OVERLAY_DIR}/usr/local/lib/nvidia"
+OVERLAY_KMOD_DIR="${OVERLAY_STAGE_DIR}/usr/local/lib/nvidia"
 mkdir -p "${OVERLAY_KMOD_DIR}"
 cp "${NVIDIA_CACHE}/modules/"*.ko "${OVERLAY_KMOD_DIR}/"
 
 # Inject nvidia-smi and libnvidia-ml
-mkdir -p "${OVERLAY_DIR}/usr/local/bin" "${OVERLAY_DIR}/usr/lib"
-cp "${NVIDIA_CACHE}/bin/nvidia-smi" "${OVERLAY_DIR}/usr/local/bin/"
-chmod +x "${OVERLAY_DIR}/usr/local/bin/nvidia-smi"
-cp "${NVIDIA_CACHE}/bin/nvidia-bug-report.sh" "${OVERLAY_DIR}/usr/local/bin/" 2>/dev/null || true
-chmod +x "${OVERLAY_DIR}/usr/local/bin/nvidia-bug-report.sh" 2>/dev/null || true
-cp "${NVIDIA_CACHE}/lib/"* "${OVERLAY_DIR}/usr/lib/" 2>/dev/null || true
+mkdir -p "${OVERLAY_STAGE_DIR}/usr/local/bin" "${OVERLAY_STAGE_DIR}/usr/lib"
+cp "${NVIDIA_CACHE}/bin/nvidia-smi" "${OVERLAY_STAGE_DIR}/usr/local/bin/"
+chmod +x "${OVERLAY_STAGE_DIR}/usr/local/bin/nvidia-smi"
+cp "${NVIDIA_CACHE}/bin/nvidia-bug-report.sh" "${OVERLAY_STAGE_DIR}/usr/local/bin/" 2>/dev/null || true
+chmod +x "${OVERLAY_STAGE_DIR}/usr/local/bin/nvidia-bug-report.sh" 2>/dev/null || true
+cp "${NVIDIA_CACHE}/lib/"* "${OVERLAY_STAGE_DIR}/usr/lib/" 2>/dev/null || true
 
+# Inject GSP firmware into /lib/firmware/nvidia/<version>/
+if [ -d "${NVIDIA_CACHE}/firmware" ] && [ "$(ls -A "${NVIDIA_CACHE}/firmware" 2>/dev/null)" ]; then
+    mkdir -p "${OVERLAY_STAGE_DIR}/lib/firmware/nvidia/${NVIDIA_DRIVER_VERSION}"
+    cp "${NVIDIA_CACHE}/firmware/"* "${OVERLAY_STAGE_DIR}/lib/firmware/nvidia/${NVIDIA_DRIVER_VERSION}/"
+    echo "=== firmware: $(ls "${OVERLAY_STAGE_DIR}/lib/firmware/nvidia/${NVIDIA_DRIVER_VERSION}/" | wc -l) files injected ==="
+fi
+
+# --- build / download NCCL ---
+echo ""
+echo "=== downloading NCCL ${NCCL_VERSION}+cuda${NCCL_CUDA_VERSION} ==="
+sh "${BUILDER_DIR}/build-nccl.sh" "${NCCL_VERSION}" "${NCCL_CUDA_VERSION}" "${DIST_DIR}" "${NCCL_SHA256:-}"
+
+NCCL_CACHE="${DIST_DIR}/nccl-${NCCL_VERSION}+cuda${NCCL_CUDA_VERSION}"
+
+# Inject libnccl.so.* into overlay alongside other NVIDIA userspace libs
+cp "${NCCL_CACHE}/lib/"* "${OVERLAY_STAGE_DIR}/usr/lib/"
+echo "=== NCCL: $(ls "${NCCL_CACHE}/lib/" | wc -l) files injected into /usr/lib/ ==="
 
 # --- embed build metadata ---
-mkdir -p "${OVERLAY_DIR}/etc"
+mkdir -p "${OVERLAY_STAGE_DIR}/etc"
 BUILD_DATE="$(date +%Y-%m-%d)"
 GIT_COMMIT="$(git -C "${REPO_ROOT}" rev-parse --short HEAD 2>/dev/null || echo unknown)"
-cat > "${OVERLAY_DIR}/etc/bee-release" <<EOF
+cat > "${OVERLAY_STAGE_DIR}/etc/bee-release" <<EOF
 BEE_ISO_VERSION=${AUDIT_VERSION}
 BEE_AUDIT_VERSION=${AUDIT_VERSION}
 BUILD_DATE=${BUILD_DATE}
 GIT_COMMIT=${GIT_COMMIT}
-ALPINE_VERSION=${ALPINE_VERSION}
+DEBIAN_VERSION=${DEBIAN_VERSION}
+DEBIAN_KERNEL_ABI=${DEBIAN_KERNEL_ABI}
 NVIDIA_DRIVER_VERSION=${NVIDIA_DRIVER_VERSION}
+NCCL_VERSION=${NCCL_VERSION}
+NCCL_CUDA_VERSION=${NCCL_CUDA_VERSION}
 EOF
 
-# --- export build info for genapkovl to inject into motd ---
-BUILD_DATE=$(date +%Y-%m-%d)
-GIT_COMMIT=$(git -C "${REPO_ROOT}" rev-parse --short HEAD 2>/dev/null || echo "unknown")
-export BEE_BUILD_INFO="${BUILD_DATE} git:${GIT_COMMIT} alpine:${ALPINE_VERSION} nvidia:${NVIDIA_DRIVER_VERSION}"
-
-# --- build ISO using mkimage ---
-mkdir -p "${DIST_DIR}"
-echo ""
-echo "=== building ISO ==="
-
-# Install our mkimage profile where mkimage.sh can find it.
-# ~/.mkimage is the user plugin directory loaded by mkimage.sh.
-# Clear ~/.mkimage to avoid stale profiles from previous builds being picked up
-rm -rf "${HOME}/.mkimage"
-mkdir -p "${HOME}/.mkimage"
-cp "${BUILDER_DIR}/mkimg.bee.sh" "${HOME}/.mkimage/"
-cp "${BUILDER_DIR}/genapkovl-bee.sh" "${HOME}/.mkimage/"
-
-# Export overlay dir so the profile script can find it regardless of SRCDIR.
-export BEE_OVERLAY_DIR="${OVERLAY_DIR}"
-
-# Clean workdir: always nuke apks_* (stale packages from old mirror/version cause "unable to select" errors).
-# Keep kernel_*, syslinux_*, grub_* — these are large but stable; they only change when KERNEL_PKG_VERSION changes.
-if [ -d /var/tmp/bee-iso-work ]; then
-    find /var/tmp/bee-iso-work -maxdepth 1 -mindepth 1 \
-        -not -name 'kernel_*' \
-        -not -name 'syslinux_*' -not -name 'grub_*' \
-        -exec rm -rf {} + 2>/dev/null || true
+# Patch motd with build info
+BEE_BUILD_INFO="${BUILD_DATE} git:${GIT_COMMIT} debian:${DEBIAN_VERSION} nvidia:${NVIDIA_DRIVER_VERSION}"
+if [ -f "${OVERLAY_STAGE_DIR}/etc/motd" ]; then
+    sed "s/%%BUILD_INFO%%/${BEE_BUILD_INFO}/" "${OVERLAY_STAGE_DIR}/etc/motd" \
+        > "${OVERLAY_STAGE_DIR}/etc/motd.patched"
+    mv "${OVERLAY_STAGE_DIR}/etc/motd.patched" "${OVERLAY_STAGE_DIR}/etc/motd"
 fi
 
-# Run from /var/tmp: mkimage.sh calls git internally; running from inside /root/bee causes
-# "outside repository" errors. /var/tmp is outside the git repo and has enough scratch space.
-# genapkovl-bee.sh is found by mkimage via ~/.mkimage/.
-# Remove any stale genapkovl from /var/tmp — mkimage checks CWD first, stale files override ~/.mkimage/.
-rm -f /var/tmp/genapkovl-*.sh
-export TMPDIR=/var/tmp
-cd /var/tmp
-sh /usr/share/aports/scripts/mkimage.sh \
-    --tag "v${ALPINE_VERSION}" \
-    --outdir "${DIST_DIR}" \
-    --arch x86_64 \
-    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main" \
-    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/community" \
-    --workdir /var/tmp/bee-iso-work \
-    --profile bee
+# --- sync overlay into live-build includes.chroot ---
+LB_DIR="${BUILD_WORK_DIR}"
+LB_INCLUDES="${LB_DIR}/config/includes.chroot"
+mkdir -p "${LB_INCLUDES}"
+rsync -a "${OVERLAY_STAGE_DIR}/" "${LB_INCLUDES}/"
 
-ISO="${DIST_DIR}/alpine-bee-${ALPINE_VERSION}-x86_64.iso"
+# Ensure SSH authorized_keys perms are correct (rsync may alter)
+if [ -f "${LB_INCLUDES}/root/.ssh/authorized_keys" ]; then
+    chmod 700 "${LB_INCLUDES}/root/.ssh"
+    chmod 600 "${LB_INCLUDES}/root/.ssh/authorized_keys"
+fi
+
+# --- build ISO using live-build ---
 echo ""
-echo "=== done ==="
-echo "ISO: $ISO"
-echo "Size: $(du -sh "$ISO" 2>/dev/null | cut -f1 || echo 'not found')"
+echo "=== building ISO (live-build) ==="
+
+cd "${LB_DIR}"
+lb clean 2>&1 | tail -3
+lb config 2>&1 | tail -5
+lb build 2>&1
+
+# live-build outputs live-image-amd64.hybrid.iso in LB_DIR
+ISO_RAW="${LB_DIR}/live-image-amd64.hybrid.iso"
+ISO_OUT="${DIST_DIR}/bee-debian${DEBIAN_VERSION}-v${AUDIT_VERSION}-amd64.iso"
+if [ -f "$ISO_RAW" ]; then
+    cp "$ISO_RAW" "$ISO_OUT"
+    echo ""
+    echo "=== done ==="
+    echo "ISO: $ISO_OUT"
+    if command -v stat >/dev/null 2>&1; then
+        ISO_SIZE_BYTES="$(stat -c '%s' "$ISO_OUT" 2>/dev/null || stat -f '%z' "$ISO_OUT")"
+    else
+        ISO_SIZE_BYTES="$(wc -c < "$ISO_OUT" | tr -d ' ')"
+    fi
+    if command -v numfmt >/dev/null 2>&1; then
+        echo "Size: $(numfmt --to=iec --suffix=B "$ISO_SIZE_BYTES")"
+    else
+        echo "Size: ${ISO_SIZE_BYTES} bytes"
+    fi
+else
+    echo "ERROR: ISO not found at $ISO_RAW"
+    exit 1
+fi
+
 echo ""
 echo "Boot via BMC virtual media and SSH to the server IP on port 22 as root."

iso/builder/config/bootloaders/grub-pc/config.cfg

@@ -0,0 +1,31 @@
+set default=0
+set timeout=5
+
+if [ x$feature_default_font_path = xy ] ; then
+    font=unicode
+else
+    font=$prefix/unicode.pf2
+fi
+
+if loadfont $font ; then
+    set gfxmode=800x600
+    set gfxpayload=keep
+    insmod efi_gop
+    insmod efi_uga
+    insmod video_bochs
+    insmod video_cirrus
+else
+    set gfxmode=auto
+    insmod all_video
+fi
+
+insmod serial
+serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
+
+insmod gfxterm
+insmod png
+
+source /boot/grub/theme.cfg
+
+terminal_input console serial
+terminal_output gfxterm serial

iso/builder/config/bootloaders/grub-pc/grub.cfg

@@ -0,0 +1,26 @@
+source /boot/grub/config.cfg
+
+echo ""
+echo "  ███████╗ █████╗ ███████╗██╗   ██╗      ██████╗ ███████╗███████╗"
+echo "  ██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝      ██╔══██╗██╔════╝██╔════╝"
+echo "  █████╗  ███████║███████╗ ╚████╔╝ █████╗██████╔╝█████╗  █████╗"
+echo "  ██╔══╝  ██╔══██║╚════██║  ╚██╔╝  ╚════╝██╔══██╗██╔══╝  ██╔══╝"
+echo "  ███████╗██║  ██║███████║   ██║         ██████╔╝███████╗███████╗"
+echo "  ╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝         ╚═════╝ ╚══════╝╚══════╝"
+echo ""
+
+menuentry "EASY-BEE" {
+    linux   @KERNEL_LIVE@ @APPEND_LIVE@
+    initrd  @INITRD_LIVE@
+}
+
+menuentry "EASY-BEE (fail-safe)" {
+    linux   @KERNEL_LIVE@ @APPEND_LIVE@ memtest noapic noapm nodma nomce nolapic nosmp vga=normal
+    initrd  @INITRD_LIVE@
+}
+
+if [ "${grub_platform}" = "efi" ]; then
+    menuentry "UEFI Firmware Settings" {
+        fwsetup
+    }
+fi

iso/builder/config/bootloaders/grub-pc/live-theme/theme.txt

@@ -0,0 +1,51 @@
+desktop-color: "#000000"
+title-color: "#f5a800"
+title-font: "Unifont Regular 16"
+title-text: ""
+message-font: "Unifont Regular 16"
+terminal-font: "Unifont Regular 16"
+
+#help bar at the bottom
++ label {
+        top = 100%-50
+        left = 0
+        width = 100%
+        height = 20
+        text = "@KEYMAP_SHORT@"
+        align = "center"
+        color = "#5a4800"
+        font = "Unifont Regular 16"
+}
+
+#boot menu
++ boot_menu {
+        left = 20%
+        width = 60%
+        top = 62%
+        height = 38%-80
+        item_color = "#c88000"
+        item_font = "Unifont Regular 16"
+        selected_item_color= "#f5a800"
+        selected_item_font = "Unifont Regular 16"
+        item_height = 16
+        item_padding = 0
+        item_spacing = 4
+        icon_width = 0
+        icon_heigh = 0
+        item_icon_space = 0
+}
+
+#progress bar
++ progress_bar {
+        id = "__timeout__"
+        left = 20%
+        top = 100%-80
+        height = 14
+        width = 60%
+        font = "Unifont Regular 16"
+        text_color = "#0a0a00"
+        fg_color = "#f5a800"
+        bg_color = "#2a2200"
+        border_color = "#5a4800"
+        text = "@TIMEOUT_NOTIFICATION_LONG@"
+}

iso/builder/config/bootloaders/grub-pc/theme.cfg

@@ -0,0 +1,9 @@
+set color_normal=light-gray/black
+set color_highlight=white/dark-gray
+
+if [ -e /boot/grub/splash.png ]; then
+    set theme=/boot/grub/live-theme/theme.txt
+else
+    set menu_color_normal=cyan/black
+    set menu_color_highlight=white/dark-gray
+fi

iso/builder/config/hooks/normal/9000-bee-setup.hook.chroot

@@ -0,0 +1,37 @@
+#!/bin/sh
+# 9000-bee-setup.hook.chroot — runs inside Debian chroot during live-build
+# Enables bee systemd services and configures the live environment.
+set -e
+
+echo "=== bee chroot setup ==="
+
+# Enable bee services
+systemctl enable bee-network.service
+systemctl enable bee-nvidia.service
+systemctl enable bee-preflight.service
+systemctl enable bee-audit.service
+systemctl enable bee-web.service
+systemctl enable bee-sshsetup.service
+systemctl enable ssh.service
+systemctl enable qemu-guest-agent.service 2>/dev/null || true
+systemctl enable serial-getty@ttyS0.service 2>/dev/null || true
+
+# Ensure scripts are executable
+chmod +x /usr/local/bin/bee-network.sh  2>/dev/null || true
+chmod +x /usr/local/bin/bee-nvidia-load 2>/dev/null || true
+chmod +x /usr/local/bin/bee-sshsetup   2>/dev/null || true
+chmod +x /usr/local/bin/bee-smoketest  2>/dev/null || true
+chmod +x /usr/local/bin/bee-tui        2>/dev/null || true
+chmod +x /usr/local/bin/bee            2>/dev/null || true
+
+# Reload udev rules
+udevadm control --reload-rules 2>/dev/null || true
+
+# Create export directory
+mkdir -p /appdata/bee/export
+
+if [ -f /etc/sudoers.d/bee ]; then
+    chmod 0440 /etc/sudoers.d/bee
+fi
+
+echo "=== bee chroot setup complete ==="

iso/builder/config/hooks/normal/9001-amd-rocm.hook.chroot

@@ -0,0 +1,39 @@
+#!/bin/sh
+# 9001-amd-rocm.hook.chroot — install AMD ROCm SMI tool for Instinct GPU monitoring.
+# Runs inside the live-build chroot. Adds AMD's apt repository and installs
+# rocm-smi-lib which provides the `rocm-smi` CLI (analogous to nvidia-smi).
+
+set -e
+
+ROCM_VERSION="6.4"
+ROCM_KEYRING="/etc/apt/keyrings/rocm.gpg"
+ROCM_LIST="/etc/apt/sources.list.d/rocm.list"
+
+echo "=== AMD ROCm ${ROCM_VERSION}: adding repository ==="
+
+mkdir -p /etc/apt/keyrings
+
+# Download and import AMD GPG key
+if ! wget -qO- "https://repo.radeon.com/rocm/rocm.gpg.key" \
+        | gpg --dearmor > "${ROCM_KEYRING}"; then
+    echo "WARN: failed to fetch AMD ROCm GPG key — skipping ROCm install"
+    exit 0
+fi
+
+cat > "${ROCM_LIST}" <<EOF
+deb [arch=amd64 signed-by=${ROCM_KEYRING}] https://repo.radeon.com/rocm/apt/${ROCM_VERSION} bookworm main
+EOF
+
+apt-get update -qq
+
+# rocm-smi-lib provides the rocm-smi CLI tool for GPU monitoring
+if apt-get install -y --no-install-recommends rocm-smi-lib 2>/dev/null; then
+    echo "=== AMD ROCm: rocm-smi installed ==="
+    rocm-smi --version 2>/dev/null || true
+else
+    echo "WARN: rocm-smi-lib install failed — GPU monitoring unavailable"
+fi
+
+# Clean up apt lists to keep ISO size down
+rm -f "${ROCM_LIST}"
+apt-get clean

iso/builder/config/includes.chroot/.gitignore

@@ -0,0 +1,12 @@
+# Generated at build time — do not commit
+usr/local/bin/audit
+usr/local/bin/bee-smoketest
+usr/local/bin/nvidia-smi
+usr/local/bin/nvidia-bug-report.sh
+usr/local/lib/
+usr/lib/libnvidia-ml*
+usr/lib/libcuda*
+root/.ssh/authorized_keys
+etc/bee-release
+etc/bee-ssh-password-fallback
+etc/motd