Add continuous hardware health monitoring and component detail view

- kmsg watcher now records kernel errors (GPU Xid, MCE, EDAC, storage I/O) at all times,
  not only during SAT tasks; flushImmediate writes directly to ComponentStatusDB
- New health_poller: polls ipmitool sdr every 60s for PSU health (watchdog:psu source)
- Hardware Summary card auto-refreshes every 30s via htmx without page reload
- Component rows (CPU/Memory/Storage/GPU/PSU) are now clickable -- opens a modal
  with per-component status, source, timestamp and last 20 history entries

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

audit/internal/platform/install.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strconv"
 	"strings"
 )
@@ -18,7 +19,7 @@ type InstallDisk struct {
 	MountedParts []string // partition mount points currently active
 }
 
-const squashfsPath = "/run/live/medium/live/filesystem.squashfs"
+const squashfsGlob = "/run/live/medium/live/*.squashfs"
 
 // ListInstallDisks returns block devices suitable for installation.
 // Excludes the current live boot medium but includes USB drives.
@@ -176,11 +177,22 @@ func inferLiveBootKind(fsType, source, deviceType, transport string) string {
 // squashfs size × 1.5 to allow for extracted filesystem and bootloader.
 // Returns 0 if the squashfs is not available (non-live environment).
 func MinInstallBytes() int64 {
-	fi, err := os.Stat(squashfsPath)
-	if err != nil {
+	files, err := filepath.Glob(squashfsGlob)
+	if err != nil || len(files) == 0 {
 		return 0
 	}
-	return fi.Size() * 3 / 2
+	var total int64
+	for _, path := range files {
+		fi, statErr := os.Stat(path)
+		if statErr != nil {
+			continue
+		}
+		total += fi.Size()
+	}
+	if total == 0 {
+		return 0
+	}
+	return total * 3 / 2
 }
 
 // toramActive returns true when the live system was booted with toram.
@@ -222,12 +234,10 @@ func DiskWarnings(d InstallDisk) []string {
 			humanBytes(min), humanBytes(d.SizeBytes)))
 	}
 	if toramActive() {
-		sqFi, err := os.Stat(squashfsPath)
-		if err == nil {
-			free := freeMemBytes()
-			if free > 0 && free < sqFi.Size()*2 {
-				w = append(w, "toram mode — low RAM, extraction may be slow or fail")
-			}
+		free := freeMemBytes()
+		min := MinInstallBytes()
+		if free > 0 && min > 0 && free < (min*4/3) {
+			w = append(w, "toram mode — low RAM, extraction may be slow or fail")
 		}
 	}
 	return w

audit/internal/webui/api.go

@@ -1679,6 +1679,56 @@ func (h *handler) handleAPIBenchmarkResults(w http.ResponseWriter, r *http.Reque
 	fmt.Fprint(w, renderBenchmarkResultsCard(h.opts.ExportDir))
 }
 
+// ── Hardware summary / component detail ──────────────────────────────────────
+
+// handleAPIHardwareSummary returns the hardware summary card HTML fragment for
+// htmx polling (hx-get="/api/hardware-summary" hx-swap="outerHTML").
+func (h *handler) handleAPIHardwareSummary(w http.ResponseWriter, _ *http.Request) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-store")
+	fmt.Fprint(w, renderHardwareSummaryCard(h.opts))
+}
+
+// handleAPIComponentDetail returns an HTML fragment describing the current and
+// historical status for one component type (cpu, memory, storage, gpu, psu).
+func (h *handler) handleAPIComponentDetail(w http.ResponseWriter, r *http.Request) {
+	compType := r.PathValue("type")
+	var exact, prefixes []string
+	var title string
+	switch compType {
+	case "cpu":
+		title = "CPU"
+		exact = []string{"cpu:all"}
+	case "memory":
+		title = "Memory"
+		exact = []string{"memory:all"}
+		prefixes = []string{"memory:"}
+	case "storage":
+		title = "Storage"
+		exact = []string{"storage:all"}
+		prefixes = []string{"storage:"}
+	case "gpu":
+		title = "GPU"
+		prefixes = []string{"pcie:gpu:"}
+	case "psu":
+		title = "PSU"
+		prefixes = []string{"psu:"}
+	default:
+		http.NotFound(w, r)
+		return
+	}
+
+	var records []app.ComponentStatusRecord
+	if h.opts.App != nil && h.opts.App.StatusDB != nil {
+		all := h.opts.App.StatusDB.All()
+		records = matchedRecords(all, exact, prefixes)
+	}
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-store")
+	fmt.Fprint(w, renderComponentDetail(title, records))
+}
+
 func (h *handler) rollbackPendingNetworkChange() error {
 	h.pendingNetMu.Lock()
 	pnc := h.pendingNet

audit/internal/webui/health_poller.go

@@ -0,0 +1,76 @@
+package webui
+
+import (
+	"bytes"
+	"context"
+	"log/slog"
+	"os/exec"
+	"time"
+
+	"bee/audit/internal/app"
+	"bee/audit/internal/collector"
+)
+
+const healthPollInterval = 60 * time.Second
+const psuIPMITimeout = 15 * time.Second
+
+// healthPoller runs periodic health checks for hardware components that do not
+// emit kernel log events (e.g. PSU). Results are written to ComponentStatusDB.
+type healthPoller struct {
+	statusDB *app.ComponentStatusDB
+}
+
+func newHealthPoller(statusDB *app.ComponentStatusDB) *healthPoller {
+	return &healthPoller{statusDB: statusDB}
+}
+
+func (p *healthPoller) start() {
+	goRecoverLoop("health poller", 5*time.Second, p.run)
+}
+
+func (p *healthPoller) run() {
+	ticker := time.NewTicker(healthPollInterval)
+	defer ticker.Stop()
+	for range ticker.C {
+		p.pollPSU()
+	}
+}
+
+func (p *healthPoller) pollPSU() {
+	if p.statusDB == nil {
+		return
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), psuIPMITimeout)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, "ipmitool", "sdr")
+	var out bytes.Buffer
+	cmd.Stdout = &out
+	if err := cmd.Run(); err != nil {
+		// IPMI not available or not a server — skip silently.
+		slog.Debug("health poller: ipmitool sdr unavailable", "err", err)
+		return
+	}
+
+	slots := collector.PSUSlotsFromSDR(out.String())
+	if len(slots) == 0 {
+		return
+	}
+
+	const source = "watchdog:psu"
+	for slot, psu := range slots {
+		key := "psu:" + slot
+		status := psu.Status
+		if status == "" {
+			status = "Unknown"
+		}
+		detail := ""
+		switch status {
+		case "Critical":
+			detail = "PSU sensor reported non-OK state"
+		case "Warning":
+			detail = "PSU sensor in warning state"
+		}
+		p.statusDB.Record(key, source, status, detail)
+	}
+}

audit/internal/webui/kmsg_watcher.go

@@ -73,6 +73,9 @@ func (w *kmsgWatcher) run() {
 			w.mu.Lock()
 			if w.window != nil {
 				w.recordEvent(evt)
+			} else {
+				evtCopy := evt
+				goRecoverOnce("kmsg flush immediate", func() { w.flushImmediate(evtCopy) })
 			}
 			w.mu.Unlock()
 		}
@@ -180,6 +183,52 @@ func (w *kmsgWatcher) flushWindow(window *kmsgWindow) {
 	}
 }
 
+// flushImmediate writes a single kmsg event directly to the status DB without a SAT window.
+// Called when an error is detected outside of any SAT task (always-on watching).
+func (w *kmsgWatcher) flushImmediate(evt kmsgEvent) {
+	if w.statusDB == nil {
+		return
+	}
+	const source = "watchdog:kmsg"
+	detail := "kernel: " + truncate(evt.raw, 120)
+
+	var severity string
+	for _, p := range platform.HardwareErrorPatterns {
+		if p.Re.MatchString(evt.raw) {
+			if p.Severity == "critical" {
+				severity = "Critical"
+			} else {
+				severity = "Warning"
+			}
+			break
+		}
+	}
+	if severity == "" {
+		severity = "Warning"
+	}
+
+	if len(evt.ids) == 0 {
+		key := "cpu:all"
+		if evt.category == "memory" {
+			key = "memory:all"
+		}
+		w.statusDB.Record(key, source, severity, detail)
+		return
+	}
+	for _, id := range evt.ids {
+		var key string
+		switch evt.category {
+		case "gpu", "pcie":
+			key = "pcie:" + normalizeBDF(id)
+		case "storage":
+			key = "storage:" + id
+		default:
+			key = "pcie:" + normalizeBDF(id)
+		}
+		w.statusDB.Record(key, source, severity, detail)
+	}
+}
+
 // parseKmsgLine parses a single /dev/kmsg line and returns an event if it matches
 // any pattern in platform.HardwareErrorPatterns.
 // kmsg format: "<priority>,<sequence>,<timestamp_usec>,-;message text"

audit/internal/webui/pages.go

@@ -85,6 +85,7 @@ func renderPage(page string, opts HandlerOptions) string {
 		body +
 		`</div></div>` +
 		renderAuditModal() +
+		`<dialog id="component-detail-dialog" style="min-width:600px;max-width:900px;width:90vw;padding:0;border:1px solid var(--border);border-radius:8px;background:var(--surface)"><div id="component-detail-body" style="padding-bottom:20px"></div></dialog>` +
 		`<script>
 // Add copy button to every .terminal on the page
 document.querySelectorAll('.terminal').forEach(function(t){
@@ -184,13 +185,14 @@ func renderAudit() string {
 }
 
 func renderHardwareSummaryCard(opts HandlerOptions) string {
+	const cardAttrs = ` hx-get="/api/hardware-summary" hx-trigger="every 30s" hx-swap="outerHTML"`
 	data, err := loadSnapshot(opts.AuditPath)
 	if err != nil {
-		return `<div class="card"><div class="card-head card-head-actions"><span>Hardware Summary</span><div class="card-head-buttons"><button class="btn btn-primary btn-sm" onclick="auditModalRun()">Run audit</button></div></div><div class="card-body"></div></div>`
+		return `<div class="card"` + cardAttrs + `><div class="card-head card-head-actions"><span>Hardware Summary</span><div class="card-head-buttons"><button class="btn btn-primary btn-sm" onclick="auditModalRun()">Run audit</button></div></div><div class="card-body"></div></div>`
 	}
 	var ingest schema.HardwareIngestRequest
 	if err := json.Unmarshal(data, &ingest); err != nil {
-		return `<div class="card"><div class="card-head">Hardware Summary</div><div class="card-body"><span class="badge badge-err">Parse error</span></div></div>`
+		return `<div class="card"` + cardAttrs + `><div class="card-head">Hardware Summary</div><div class="card-body"><span class="badge badge-err">Parse error</span></div></div>`
 	}
 	hw := ingest.Hardware
 
@@ -200,7 +202,7 @@ func renderHardwareSummaryCard(opts HandlerOptions) string {
 	}
 
 	var b strings.Builder
-	b.WriteString(`<div class="card"><div class="card-head">Hardware Summary</div><div class="card-body">`)
+	b.WriteString(`<div class="card"` + cardAttrs + `><div class="card-head">Hardware Summary</div><div class="card-body">`)
 
 	// Server identity block above the component table.
 	{
@@ -229,22 +231,32 @@ func renderHardwareSummaryCard(opts HandlerOptions) string {
 	}
 
 	b.WriteString(`<table style="width:auto">`)
-	writeRow := func(label, value, badgeHTML string) {
-		b.WriteString(fmt.Sprintf(`<tr><td style="padding:6px 14px 6px 0;font-weight:700;white-space:nowrap">%s</td><td style="padding:6px 0;color:var(--muted);font-size:13px">%s</td><td style="padding:6px 0 6px 12px">%s</td></tr>`,
-			html.EscapeString(label), html.EscapeString(value), badgeHTML))
+	// writeRow renders one component row. compType is the URL path segment for the detail
+	// endpoint (e.g. "cpu"). Pass "" for rows that have no detail view.
+	writeRow := func(label, value, badgeHTML, compType string) {
+		var labelHTML string
+		if compType != "" {
+			labelHTML = fmt.Sprintf(
+				`<span style="cursor:pointer;text-decoration:underline dotted;text-underline-offset:3px" hx-get="/api/components/%s" hx-target="#component-detail-body" hx-swap="innerHTML" onclick="document.getElementById('component-detail-dialog').showModal()">%s</span>`,
+				compType, html.EscapeString(label))
+		} else {
+			labelHTML = html.EscapeString(label)
+		}
+		fmt.Fprintf(&b, `<tr><td style="padding:6px 14px 6px 0;font-weight:700;white-space:nowrap">%s</td><td style="padding:6px 0;color:var(--muted);font-size:13px">%s</td><td style="padding:6px 0 6px 12px">%s</td></tr>`,
+			labelHTML, html.EscapeString(value), badgeHTML)
 	}
 
 	writeRow("CPU", hwDescribeCPU(hw),
-		renderComponentChips(matchedRecords(records, []string{"cpu:all"}, nil)))
+		renderComponentChips(matchedRecords(records, []string{"cpu:all"}, nil)), "cpu")
 
 	writeRow("Memory", hwDescribeMemory(hw),
-		renderComponentChips(matchedRecords(records, []string{"memory:all"}, []string{"memory:"})))
+		renderComponentChips(matchedRecords(records, []string{"memory:all"}, []string{"memory:"})), "memory")
 
 	writeRow("Storage", hwDescribeStorage(hw),
-		renderComponentChips(matchedRecords(records, []string{"storage:all"}, []string{"storage:"})))
+		renderComponentChips(matchedRecords(records, []string{"storage:all"}, []string{"storage:"})), "storage")
 
 	writeRow("GPU", hwDescribeGPU(hw),
-		renderComponentChips(matchedRecords(records, nil, []string{"pcie:gpu:"})))
+		renderComponentChips(matchedRecords(records, nil, []string{"pcie:gpu:"})), "gpu")
 
 	psuMatched := matchedRecords(records, nil, []string{"psu:"})
 	if len(psuMatched) == 0 && len(hw.PowerSupplies) > 0 {
@@ -252,10 +264,10 @@ func renderHardwareSummaryCard(opts HandlerOptions) string {
 		psuStatus := hwPSUStatus(hw.PowerSupplies)
 		psuMatched = []app.ComponentStatusRecord{{ComponentKey: "psu:ipmi", Status: psuStatus}}
 	}
-	writeRow("PSU", hwDescribePSU(hw), renderComponentChips(psuMatched))
+	writeRow("PSU", hwDescribePSU(hw), renderComponentChips(psuMatched), "psu")
 
 	if nicDesc := hwDescribeNIC(hw); nicDesc != "" {
-		writeRow("Network", nicDesc, "")
+		writeRow("Network", nicDesc, "", "")
 	}
 
 	b.WriteString(`</table>`)
@@ -999,3 +1011,67 @@ func rowIssueHTML(issue string) string {
 	}
 	return html.EscapeString(issue)
 }
+
+// renderComponentDetail renders a modal content fragment for one component type.
+// Called by handleAPIComponentDetail and displayed inside #component-detail-dialog.
+func renderComponentDetail(title string, records []app.ComponentStatusRecord) string {
+	var b strings.Builder
+	fmt.Fprintf(&b, `<div style="padding:20px 24px 0">`)
+	fmt.Fprintf(&b, `<div style="display:flex;align-items:center;justify-content:space-between;margin-bottom:16px">`)
+	fmt.Fprintf(&b, `<span style="font-size:16px;font-weight:700">%s — Status Detail</span>`, html.EscapeString(title))
+	b.WriteString(`<button class="btn btn-sm btn-secondary" onclick="document.getElementById('component-detail-dialog').close()">Close</button>`)
+	b.WriteString(`</div>`)
+
+	if len(records) == 0 {
+		b.WriteString(`<p style="color:var(--muted)">No status data recorded yet for this component type.</p>`)
+		b.WriteString(`</div>`)
+		return b.String()
+	}
+
+	sort.Slice(records, func(i, j int) bool {
+		return records[i].ComponentKey < records[j].ComponentKey
+	})
+
+	for _, rec := range records {
+		letter, cls := chipLetterClass(rec.Status)
+		fmt.Fprintf(&b, `<div style="margin-bottom:20px">`)
+		fmt.Fprintf(&b, `<div style="display:flex;align-items:center;gap:8px;margin-bottom:8px">`)
+		fmt.Fprintf(&b, `<span class="chip %s">%s</span>`, cls, letter)
+		fmt.Fprintf(&b, `<span style="font-weight:700;font-size:13px">%s</span>`, html.EscapeString(rec.ComponentKey))
+		if !rec.LastCheckedAt.IsZero() {
+			fmt.Fprintf(&b, `<span style="color:var(--muted);font-size:12px">checked %s</span>`, rec.LastCheckedAt.Format("2006-01-02 15:04:05"))
+		}
+		b.WriteString(`</div>`)
+		if rec.ErrorSummary != "" {
+			fmt.Fprintf(&b, `<div style="font-size:12px;margin-bottom:8px;color:var(--muted)">%s</div>`, html.EscapeString(rec.ErrorSummary))
+		}
+
+		// History table — newest first, cap at 20 entries.
+		history := rec.History
+		if len(history) > 20 {
+			history = history[len(history)-20:]
+		}
+		b.WriteString(`<table style="width:100%;font-size:12px;border-collapse:collapse">`)
+		b.WriteString(`<tr style="color:var(--muted)"><th style="text-align:left;padding:2px 10px 2px 0;white-space:nowrap">Time</th><th style="text-align:left;padding:2px 10px 2px 0">Status</th><th style="text-align:left;padding:2px 10px 2px 0">Source</th><th style="text-align:left;padding:2px 0">Detail</th></tr>`)
+		for i := len(history) - 1; i >= 0; i-- {
+			e := history[i]
+			eLetter, eCls := chipLetterClass(e.Status)
+			detail := e.Detail
+			if detail == "" {
+				detail = "—"
+			}
+			fmt.Fprintf(&b,
+				`<tr><td style="padding:3px 10px 3px 0;white-space:nowrap;color:var(--muted)">%s</td><td style="padding:3px 10px 3px 0"><span class="chip %s" style="font-size:10px;width:16px;height:16px">%s</span></td><td style="padding:3px 10px 3px 0;white-space:nowrap">%s</td><td style="padding:3px 0;color:var(--muted)">%s</td></tr>`,
+				html.EscapeString(e.At.Format("2006-01-02 15:04:05")),
+				eCls, eLetter,
+				html.EscapeString(e.Source),
+				html.EscapeString(detail),
+			)
+		}
+		b.WriteString(`</table>`)
+		b.WriteString(`</div>`)
+	}
+
+	b.WriteString(`</div>`)
+	return b.String()
+}

audit/internal/webui/server.go

@@ -221,6 +221,11 @@ func NewHandler(opts HandlerOptions) http.Handler {
 		h.kmsg = newKmsgWatcher(opts.App.StatusDB)
 		h.kmsg.start()
 		globalQueue.kmsgWatcher = h.kmsg
+
+		// Start periodic health poller for components that don't emit kernel log events (e.g. PSU).
+		if opts.App.StatusDB != nil {
+			newHealthPoller(opts.App.StatusDB).start()
+		}
 	}
 
 	globalQueue.startWorker(&opts)
@@ -328,6 +333,10 @@ func NewHandler(opts HandlerOptions) http.Handler {
 	mux.HandleFunc("GET /api/install/disks", h.handleAPIInstallDisks)
 	mux.HandleFunc("POST /api/install/run", h.handleAPIInstallRun)
 
+	// Hardware component detail (fragment for modal in Hardware Summary card)
+	mux.HandleFunc("GET /api/hardware-summary", h.handleAPIHardwareSummary)
+	mux.HandleFunc("GET /api/components/{type}", h.handleAPIComponentDetail)
+
 	// Metrics — SSE stream of live sensor data + server-side SVG charts + CSV export
 	mux.HandleFunc("GET /api/metrics/stream", h.handleAPIMetricsStream)
 	mux.HandleFunc("GET /api/metrics/latest", h.handleAPIMetricsLatest)

iso/builder/auto/config

@@ -38,7 +38,7 @@ lb config noauto \
     --memtest memtest86+ \
     --iso-volume "${LB_ISO_VOLUME}" \
     --iso-application "EASY-BEE-${BEE_GPU_VENDOR_UPPER:-NVIDIA}" \
-    --bootappend-live "boot=live live-media-label=${LB_ISO_VOLUME} components video=1920x1080 console=ttyS0,115200n8 console=tty0 loglevel=3 systemd.show_status=1 username=bee user-fullname=Bee modprobe.blacklist=nouveau,snd_hda_intel,snd_hda_codec_realtek,snd_hda_codec_generic,soundcore" \
+    --bootappend-live "boot=live live-media=/dev/disk/by-label/${LB_ISO_VOLUME} live-media-label=${LB_ISO_VOLUME} components video=1920x1080 console=ttyS0,115200n8 console=tty0 loglevel=3 systemd.show_status=1 username=bee user-fullname=Bee modprobe.blacklist=nouveau,snd_hda_intel,snd_hda_codec_realtek,snd_hda_codec_generic,soundcore" \
     --debootstrap-options "--include=ca-certificates" \
     --apt-recommends false \
     --chroot-squashfs-compression-type zstd \

iso/builder/build.sh

@@ -516,12 +516,12 @@ validate_iso_live_boot_entries() {
         exit 1
     fi
 
-    grep -q 'menuentry "EASY-BEE"' "$grub_cfg" || {
+    grep -q 'menuentry "EASY-BEE v' "$grub_cfg" || {
         echo "ERROR: GRUB default EASY-BEE entry is missing" >&2
         rm -f "$grub_cfg" "$isolinux_cfg"
         exit 1
     }
-    grep -q 'menuentry "EASY-BEE -- load to RAM (toram)"' "$grub_cfg" || {
+    grep -q 'menuentry "EASY-BEE v.* -- load to RAM (toram)"' "$grub_cfg" || {
         echo "ERROR: GRUB toram entry is missing" >&2
         rm -f "$grub_cfg" "$isolinux_cfg"
         exit 1
@@ -562,40 +562,38 @@ validate_iso_live_boot_entries() {
     echo "=== live boot validation OK ==="
 }
 
-validate_iso_grub_theme_assets() {
+validate_iso_grub_assets() {
     iso_path="$1"
-    echo "=== validating GRUB theme assets in ISO ==="
+    echo "=== validating GRUB assets in ISO ==="
 
     [ -f "$iso_path" ] || {
-        echo "ERROR: ISO not found for GRUB theme validation: $iso_path" >&2
+        echo "ERROR: ISO not found for GRUB asset validation: $iso_path" >&2
         exit 1
     }
     require_iso_reader "$iso_path" >/dev/null 2>&1 || {
-        echo "ERROR: ISO reader unavailable for GRUB theme validation" >&2
+        echo "ERROR: ISO reader unavailable for GRUB asset validation" >&2
         exit 1
     }
 
     iso_files="$(mktemp)"
     iso_list_files "$iso_path" > "$iso_files" || {
-        echo "ERROR: failed to list ISO files for GRUB theme validation" >&2
+        echo "ERROR: failed to list ISO files for GRUB asset validation" >&2
         rm -f "$iso_files"
         exit 1
     }
 
     for required in \
         boot/grub/config.cfg \
-        boot/grub/theme.cfg \
-        boot/grub/live-theme/theme.txt \
-        boot/grub/live-theme/bee-logo.tga; do
+        boot/grub/grub.cfg; do
         grep -q "^${required}$" "$iso_files" || {
-            echo "ERROR: missing GRUB theme asset in ISO: ${required}" >&2
+            echo "ERROR: missing GRUB asset in ISO: ${required}" >&2
             rm -f "$iso_files"
             exit 1
         }
     done
 
     rm -f "$iso_files"
-    echo "=== GRUB theme validation OK ==="
+    echo "=== GRUB asset validation OK ==="
 }
 
 validate_iso_nvidia_runtime() {
@@ -610,29 +608,37 @@ validate_iso_nvidia_runtime() {
 
     squashfs_tmp="$(mktemp)"
     squashfs_list="$(mktemp)"
-    iso_read_member "$iso_path" live/filesystem.squashfs "$squashfs_tmp" || {
-        rm -f "$squashfs_tmp" "$squashfs_list"
-        nvidia_runtime_fail "failed to extract live/filesystem.squashfs from ISO"
-    }
-    unsquashfs -ll "$squashfs_tmp" > "$squashfs_list" 2>/dev/null || {
-        rm -f "$squashfs_tmp" "$squashfs_list"
-        nvidia_runtime_fail "failed to inspect filesystem.squashfs from ISO"
+    iso_files="$(mktemp)"
+    iso_list_files "$iso_path" > "$iso_files" || {
+        rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
+        nvidia_runtime_fail "failed to list ISO files for NVIDIA runtime validation"
     }
+    grep '^live/.*\.squashfs$' "$iso_files" | while IFS= read -r squashfs_member; do
+        iso_read_member "$iso_path" "$squashfs_member" "$squashfs_tmp" || {
+            rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
+            nvidia_runtime_fail "failed to extract $squashfs_member from ISO"
+        }
+        unsquashfs -ll "$squashfs_tmp" >> "$squashfs_list" 2>/dev/null || {
+            rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
+            nvidia_runtime_fail "failed to inspect $squashfs_member from ISO"
+        }
+        : > "$squashfs_tmp"
+    done
 
     grep -Eq 'usr/bin/dcgmi$' "$squashfs_list" || {
-        rm -f "$squashfs_tmp" "$squashfs_list"
+        rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
         nvidia_runtime_fail "dcgmi missing from final NVIDIA ISO"
     }
     grep -Eq 'usr/bin/nv-hostengine$' "$squashfs_list" || {
-        rm -f "$squashfs_tmp" "$squashfs_list"
+        rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
         nvidia_runtime_fail "nv-hostengine missing from final NVIDIA ISO"
     }
     grep -Eq 'usr/bin/dcgmproftester([0-9]+)?$' "$squashfs_list" || {
-        rm -f "$squashfs_tmp" "$squashfs_list"
+        rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
         nvidia_runtime_fail "dcgmproftester missing from final NVIDIA ISO"
     }
 
-    rm -f "$squashfs_tmp" "$squashfs_list"
+    rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
     echo "=== NVIDIA runtime validation OK ==="
 }
 
@@ -674,6 +680,184 @@ label memtest
 EOF
 }
 
+extract_live_grub_entry() {
+    cfg="$1"
+    live_linux="$(awk '/^[[:space:]]*linux[[:space:]]+\/live\// { print; exit }' "$cfg")"
+    live_initrd="$(awk '/^[[:space:]]*initrd[[:space:]]+\/live\// { print; exit }' "$cfg")"
+    [ -n "$live_linux" ] || return 1
+    [ -n "$live_initrd" ] || return 1
+
+    grub_kernel="$(printf '%s\n' "$live_linux" | awk '{print $2}')"
+    grub_append="$(printf '%s\n' "$live_linux" | cut -d' ' -f3-)"
+    grub_initrd="$(printf '%s\n' "$live_initrd" | awk '{print $2}')"
+    [ -n "$grub_kernel" ] || return 1
+    [ -n "$grub_append" ] || return 1
+    [ -n "$grub_initrd" ] || return 1
+    return 0
+}
+
+load_live_build_append() {
+    lb_dir="$1"
+    binary_cfg="$lb_dir/config/binary"
+    [ -f "$binary_cfg" ] || return 1
+
+    # config/binary is generated by live-build and contains shell variable
+    # assignments such as LB_BOOTAPPEND_LIVE="boot=live ...".
+    # shellcheck disable=SC1090
+    . "$binary_cfg"
+
+    [ -n "${LB_BOOTAPPEND_LIVE:-}" ] || return 1
+    live_build_append="$LB_BOOTAPPEND_LIVE"
+    return 0
+}
+
+extract_live_isolinux_entry() {
+    cfg="$1"
+    isolinux_linux="$(awk '/^[[:space:]]*linux[[:space:]]+\/live\// { print; exit }' "$cfg")"
+    isolinux_initrd="$(awk '/^[[:space:]]*initrd[[:space:]]+\/live\// { print; exit }' "$cfg")"
+    isolinux_append="$(awk '/^[[:space:]]*append[[:space:]]+/ { sub(/^[[:space:]]*append[[:space:]]+/, ""); print; exit }' "$cfg")"
+    [ -n "$isolinux_linux" ] || return 1
+    [ -n "$isolinux_initrd" ] || return 1
+    [ -n "$isolinux_append" ] || return 1
+
+    isolinux_kernel="$(printf '%s\n' "$isolinux_linux" | awk '{print $2}')"
+    isolinux_initrd_path="$(printf '%s\n' "$isolinux_initrd" | awk '{print $2}')"
+    [ -n "$isolinux_kernel" ] || return 1
+    [ -n "$isolinux_initrd_path" ] || return 1
+    return 0
+}
+
+write_canonical_grub_cfg() {
+    cfg="$1"
+    kernel="$2"
+    append_live="$3"
+    initrd="$4"
+    version_label="${PROJECT_VERSION_EFFECTIVE}"
+
+    cat > "$cfg" <<EOF
+source /boot/grub/config.cfg
+
+menuentry "EASY-BEE v${version_label}" {
+    linux   ${kernel} ${append_live} nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+    initrd  ${initrd}
+}
+
+menuentry "EASY-BEE v${version_label} -- load to RAM (toram)" {
+    linux   ${kernel} ${append_live} toram nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+    initrd  ${initrd}
+}
+
+menuentry "EASY-BEE v${version_label} -- no GUI / no X11" {
+    linux   ${kernel} ${append_live} nomodeset bee.gui=off bee.nvidia.mode=gsp-off pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+    initrd  ${initrd}
+}
+
+if [ "\${grub_platform}" = "efi" ]; then
+    menuentry "Memory Test (memtest86+)" {
+        chainloader /boot/memtest86+x64.efi
+    }
+else
+    menuentry "Memory Test (memtest86+)" {
+        linux16 /boot/memtest86+x64.bin
+    }
+fi
+
+if [ "\${grub_platform}" = "efi" ]; then
+    menuentry "UEFI Firmware Settings" {
+        fwsetup
+    }
+fi
+EOF
+}
+
+write_canonical_isolinux_cfg() {
+    cfg="$1"
+    kernel="$2"
+    initrd="$3"
+    append_live="$4"
+    version_label="${PROJECT_VERSION_EFFECTIVE}"
+
+    cat > "$cfg" <<EOF
+label live-@FLAVOUR@-normal
+    menu label ^EASY-BEE v${version_label}
+    linux ${kernel}
+    initrd ${initrd}
+    append ${append_live} nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+
+label live-@FLAVOUR@-toram
+    menu label EASY-BEE v${version_label} (^load to RAM)
+    menu default
+    linux ${kernel}
+    initrd ${initrd}
+    append ${append_live} toram nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+
+label live-@FLAVOUR@-console
+    menu label EASY-BEE v${version_label} (^no GUI / no X11)
+    linux ${kernel}
+    initrd ${initrd}
+    append ${append_live} nomodeset bee.gui=off bee.nvidia.mode=gsp-off net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+
+label live-@FLAVOUR@-gsp-off
+    menu label EASY-BEE (^NVIDIA GSP=off)
+    linux ${kernel}
+    initrd ${initrd}
+    append ${append_live} nomodeset bee.nvidia.mode=gsp-off net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+
+label live-@FLAVOUR@-kms
+    menu label EASY-BEE (^KMS, no nomodeset)
+    linux ${kernel}
+    initrd ${initrd}
+    append ${append_live} bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+
+label live-@FLAVOUR@-kms-gsp-off
+    menu label EASY-BEE (KMS, ^GSP=off)
+    linux ${kernel}
+    initrd ${initrd}
+    append ${append_live} bee.nvidia.mode=gsp-off net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+
+label live-@FLAVOUR@-failsafe
+    menu label EASY-BEE (^fail-safe)
+    linux ${kernel}
+    initrd ${initrd}
+    append ${append_live} nomodeset bee.nvidia.mode=gsp-off noapic noapm nodma nomce nolapic nosmp vga=normal net.ifnames=0 biosdevname=0
+
+label memtest
+    menu label ^Memory Test (memtest86+)
+    linux /boot/memtest86+x64.bin
+EOF
+}
+
+enforce_live_build_bootloader_assets() {
+    lb_dir="$1"
+    grub_cfg="$lb_dir/binary/boot/grub/grub.cfg"
+    grub_dir="$lb_dir/binary/boot/grub"
+    isolinux_cfg="$lb_dir/binary/isolinux/live.cfg"
+
+    if ! load_live_build_append "$lb_dir"; then
+        echo "bootloader sync: WARNING: could not load LB_BOOTAPPEND_LIVE from $lb_dir/config/binary" >&2
+        live_build_append=""
+    fi
+
+    if [ -f "$grub_cfg" ]; then
+        if extract_live_grub_entry "$grub_cfg"; then
+            cp "${BUILDER_DIR}/config/bootloaders/grub-efi/config.cfg" "$grub_dir/config.cfg"
+            write_canonical_grub_cfg "$grub_cfg" "$grub_kernel" "${live_build_append:-$grub_append}" "$grub_initrd"
+            echo "bootloader sync: rewrote binary/boot/grub/grub.cfg with canonical EASY-BEE menu"
+        else
+            echo "bootloader sync: WARNING: could not extract live entry from $grub_cfg" >&2
+        fi
+    fi
+
+    if [ -f "$isolinux_cfg" ]; then
+        if extract_live_isolinux_entry "$isolinux_cfg"; then
+            write_canonical_isolinux_cfg "$isolinux_cfg" "$isolinux_kernel" "$isolinux_initrd_path" "${live_build_append:-$isolinux_append}"
+            echo "bootloader sync: rewrote binary/isolinux/live.cfg with canonical EASY-BEE menu"
+        else
+            echo "bootloader sync: WARNING: could not extract live entry from $isolinux_cfg" >&2
+        fi
+    fi
+}
+
 copy_memtest_from_deb() {
     deb="$1"
     dst_boot="$2"
@@ -710,8 +894,11 @@ FULL_BUILD_MARKER="${BUILD_WORK_DIR}/.bee-full-build-marker"
 # hooks, archives, Dockerfile, auto/config) require a full lb build.
 needs_full_build() {
     [ -f "${FULL_BUILD_MARKER}" ]                                        || return 0
-    [ -f "${BUILD_WORK_DIR}/binary/live/filesystem.squashfs" ]           || return 0
     [ -f "${BUILD_WORK_DIR}/live-image-amd64.hybrid.iso" ]               || return 0
+    # Accept any versioned squashfs (filesystem-v*.squashfs or legacy filesystem.squashfs)
+    _any_sq=$(find "${BUILD_WORK_DIR}/binary/live" -maxdepth 1 \
+        -name 'filesystem*.squashfs' 2>/dev/null | head -1)
+    [ -n "$_any_sq" ]                                                    || return 0
 
     _heavy=$(find \
         "${BUILDER_DIR}/VERSIONS" \
@@ -734,40 +921,109 @@ needs_full_build() {
 # Fast-path: unsquash existing filesystem, rsync overlay on top, repack.
 # Requires ~10 GB free in BEE_CACHE_DIR for the unpacked squashfs.
 fast_path_repack_squashfs() {
-    _sq="${BUILD_WORK_DIR}/binary/live/filesystem.squashfs"
+    _old_sq=$(find "${BUILD_WORK_DIR}/binary/live" -maxdepth 1 \
+        -name 'filesystem*.squashfs' | sort | head -1)
+    _sq="${BUILD_WORK_DIR}/binary/live/${SQUASHFS_FILENAME}"
     _tmp="${BEE_CACHE_DIR}/fast-unsquash-${BUILD_VARIANT}"
-    echo "=== fast-path: unsquash ($(du -sh "$_sq" | cut -f1) compressed) ==="
+    echo "=== fast-path: unsquash $(basename "$_old_sq") ($(du -sh "$_old_sq" | cut -f1) compressed) ==="
     rm -rf "$_tmp"
-    unsquashfs -d "$_tmp" "$_sq"
+    unsquashfs -d "$_tmp" "$_old_sq"
     echo "=== fast-path: syncing overlay stage ==="
     rsync -a --checksum "${OVERLAY_STAGE_DIR}/" "$_tmp/"
-    echo "=== fast-path: repacking squashfs ==="
+    echo "=== fast-path: repacking as ${SQUASHFS_FILENAME} ==="
     _sq_new="${_sq}.new"
     rm -f "$_sq_new"
-    mksquashfs "$_tmp" "$_sq_new" -comp zstd -b 1048576 -noappend -no-progress
+    mksquashfs "$_tmp" "$_sq_new" -comp zstd -b 1048576 -noappend -no-progress -no-xattrs
     mv "$_sq_new" "$_sq"
     rm -rf "$_tmp"
+    [ "$_old_sq" != "$_sq" ] && rm -f "$_old_sq"
     echo "=== fast-path: squashfs repacked ($(du -sh "$_sq" | cut -f1)) ==="
 }
 
-# Fast-path: rebuild ISO by replacing only live/filesystem.squashfs via xorriso.
+# Fast-path: rebuild ISO replacing the squashfs via xorriso.
 # Boot structure (El Torito, EFI, MBR hybrid) is replayed from the prior ISO.
 fast_path_rebuild_iso() {
-    _sq="${BUILD_WORK_DIR}/binary/live/filesystem.squashfs"
+    _sq="${BUILD_WORK_DIR}/binary/live/${SQUASHFS_FILENAME}"
     _prior="${BUILD_WORK_DIR}/live-image-amd64.hybrid.iso"
     _new="${BUILD_WORK_DIR}/live-image-amd64.hybrid.iso.new"
     echo "=== fast-path: rebuilding ISO with xorriso ==="
     rm -f "$_new"
+    # Remove any old squashfs entries from the prior ISO before adding the new one
+    _old_entries=$(xorriso -indev "$_prior" -find /live -name 'filesystem*.squashfs' -- 2>/dev/null \
+        | grep -E '^/live/filesystem.*\.squashfs$' || true)
+    _rm_args=""
+    for _e in $_old_entries; do
+        _rm_args="$_rm_args -rm $_e --"
+    done
+    # shellcheck disable=SC2086
     xorriso \
         -indev  "$_prior" \
         -outdev "$_new" \
-        -map    "$_sq" /live/filesystem.squashfs \
+        ${_rm_args} \
+        -map    "$_sq" /live/${SQUASHFS_FILENAME} \
         -boot_image any replay \
         -commit
     mv "$_new" "$_prior"
     echo "=== fast-path: ISO rebuilt ==="
 }
 
+dir_has_entries() {
+    _dir="$1"
+    [ -d "$_dir" ] || return 1
+    find "$_dir" -mindepth 1 -print -quit 2>/dev/null | grep -q .
+}
+
+move_tree_to_layer() {
+    _src_root="$1"
+    _rel="$2"
+    _dst_root="$3"
+    [ -e "${_src_root}/${_rel}" ] || return 0
+    mkdir -p "${_dst_root}/$(dirname "$_rel")"
+    mv "${_src_root}/${_rel}" "${_dst_root}/${_rel}"
+}
+
+split_live_squashfs_layers() {
+    lb_dir="$1"
+    live_dir="${lb_dir}/binary/live"
+    base_sq="${live_dir}/filesystem.squashfs"
+    usr_sq="${live_dir}/10-usr.squashfs"
+    fw_sq="${live_dir}/20-firmware.squashfs"
+
+    [ -f "$base_sq" ] || return 0
+    command -v unsquashfs >/dev/null 2>&1 || return 0
+    command -v mksquashfs >/dev/null 2>&1 || return 0
+
+    tmp_root="$(mktemp -d)"
+    tmp_usr="$(mktemp -d)"
+    tmp_fw="$(mktemp -d)"
+
+    echo "=== splitting live squashfs into smaller layers ==="
+    unsquashfs -d "$tmp_root/root" "$base_sq" >/dev/null
+    mkdir -p "$tmp_usr/root" "$tmp_fw/root"
+
+    move_tree_to_layer "$tmp_root/root" "usr" "$tmp_usr/root"
+    move_tree_to_layer "$tmp_root/root" "lib/firmware" "$tmp_fw/root"
+    move_tree_to_layer "$tmp_root/root" "usr/lib/firmware" "$tmp_fw/root"
+    move_tree_to_layer "$tmp_root/root" "boot/firmware" "$tmp_fw/root"
+
+    rm -f "$usr_sq" "$fw_sq"
+    mksquashfs "$tmp_root/root" "${base_sq}.new" -comp zstd -b 1048576 -noappend -no-progress -no-xattrs >/dev/null
+    mv "${base_sq}.new" "$base_sq"
+
+    if dir_has_entries "$tmp_usr/root"; then
+        mksquashfs "$tmp_usr/root" "${usr_sq}.new" -comp zstd -b 1048576 -noappend -no-progress -no-xattrs >/dev/null
+        mv "${usr_sq}.new" "$usr_sq"
+    fi
+    if dir_has_entries "$tmp_fw/root"; then
+        mksquashfs "$tmp_fw/root" "${fw_sq}.new" -comp zstd -b 1048576 -noappend -no-progress -no-xattrs >/dev/null
+        mv "${fw_sq}.new" "$fw_sq"
+    fi
+
+    echo "=== live squashfs layers ==="
+    find "$live_dir" -maxdepth 1 -type f -name '*.squashfs' -exec du -sh {} \; | sort
+    rm -rf "$tmp_root" "$tmp_usr" "$tmp_fw"
+}
+
 recover_iso_memtest() {
     lb_dir="$1"
     iso_path="$2"
@@ -846,6 +1102,7 @@ recover_iso_memtest() {
 }
 
 PROJECT_VERSION_EFFECTIVE="$(resolve_project_version)"
+SQUASHFS_FILENAME="filesystem-v${PROJECT_VERSION_EFFECTIVE}.squashfs"
 ISO_BASENAME="easy-bee-${BUILD_VARIANT}-v${PROJECT_VERSION_EFFECTIVE}-amd64"
 # Versioned output directory: dist/easy-bee-v4.1/ — all final artefacts live here.
 OUT_DIR="${DIST_DIR}/easy-bee-v${PROJECT_VERSION_EFFECTIVE}"
@@ -1416,7 +1673,7 @@ if ! needs_full_build; then
     fast_path_rebuild_iso
     ISO_RAW="${LB_DIR}/live-image-amd64.hybrid.iso"
     validate_iso_live_boot_entries "$ISO_RAW"
-    validate_iso_grub_theme_assets "$ISO_RAW"
+    validate_iso_grub_assets "$ISO_RAW"
     validate_iso_nvidia_runtime "$ISO_RAW"
     cp "$ISO_RAW" "$ISO_OUT"
     echo ""
@@ -1438,7 +1695,24 @@ cd "${LB_DIR}"
 run_step_sh "live-build clean" "80-lb-clean" "lb clean --all 2>&1 | tail -3"
 run_step_sh "live-build config" "81-lb-config" "lb config 2>&1 | tail -5"
 dump_memtest_debug "pre-build" "${LB_DIR}"
+export MKSQUASHFS_OPTIONS="-no-xattrs"
 run_step_sh "live-build build" "90-lb-build" "lb build 2>&1"
+echo "=== enforcing canonical bootloader assets ==="
+enforce_live_build_bootloader_assets "${LB_DIR}"
+# Rename lb's default filesystem.squashfs to the versioned filename so the
+# ISO contains a version-stamped squashfs (e.g. filesystem-v10.15.squashfs).
+_std_sq="${LB_DIR}/binary/live/filesystem.squashfs"
+_ver_sq="${LB_DIR}/binary/live/${SQUASHFS_FILENAME}"
+if [ -f "${_std_sq}" ] && [ "${_std_sq}" != "${_ver_sq}" ]; then
+    mv "${_std_sq}" "${_ver_sq}"
+    echo "=== squashfs renamed: filesystem.squashfs → ${SQUASHFS_FILENAME} ==="
+fi
+reset_live_build_stage "${LB_DIR}" "binary_checksums"
+reset_live_build_stage "${LB_DIR}" "binary_iso"
+reset_live_build_stage "${LB_DIR}" "binary_zsync"
+run_step_sh "rebuild live-build checksums after bootloader sync" "91b-lb-checksums" "lb binary_checksums 2>&1"
+run_step_sh "rebuild ISO after bootloader sync" "91c-lb-binary-iso" "lb binary_iso 2>&1"
+run_step_sh "rebuild zsync after bootloader sync" "91d-lb-zsync" "lb binary_zsync 2>&1"
 
 # --- persist deb package cache back to shared location ---
 # This allows the second variant to reuse all downloaded packages.
@@ -1464,7 +1738,7 @@ if [ -f "$ISO_RAW" ]; then
     fi
     validate_iso_memtest "$ISO_RAW"
     validate_iso_live_boot_entries "$ISO_RAW"
-    validate_iso_grub_theme_assets "$ISO_RAW"
+    validate_iso_grub_assets "$ISO_RAW"
     validate_iso_nvidia_runtime "$ISO_RAW"
     cp "$ISO_RAW" "$ISO_OUT"
     touch "${FULL_BUILD_MARKER}"

iso/builder/config/bootloaders/grub-efi/config.cfg

@@ -1,5 +1,7 @@
 set default=1
 set timeout=10
+set color_normal=yellow/black
+set color_highlight=white/brown
 
 if [ x$feature_default_font_path = xy ] ; then
     font=unicode
@@ -26,6 +28,3 @@ insmod gfxterm
 
 terminal_input console serial
 terminal_output gfxterm serial
-
-insmod tga
-source /boot/grub/theme.cfg

iso/builder/config/bootloaders/grub-efi/grub.cfg

@@ -1,21 +1,26 @@
 source /boot/grub/config.cfg
 
-menuentry "EASY-BEE" {
+menuentry "EASY-BEE v@VERSION@" {
     linux   @KERNEL_LIVE@ @APPEND_LIVE@ nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
     initrd  @INITRD_LIVE@
 }
 
-menuentry "EASY-BEE -- load to RAM (toram)" {
+menuentry "EASY-BEE v@VERSION@ -- load to RAM (toram)" {
     linux   @KERNEL_LIVE@ @APPEND_LIVE@ toram nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
     initrd  @INITRD_LIVE@
 }
 
-menuentry "EASY-BEE -- no GUI / no X11" {
+menuentry "EASY-BEE v@VERSION@ -- no GUI / no X11" {
     linux   @KERNEL_LIVE@ @APPEND_LIVE@ nomodeset bee.gui=off bee.nvidia.mode=gsp-off pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
     initrd  @INITRD_LIVE@
 }
 
 
+menuentry "*** WIPE ALL DISKS (irreversible!) ***" {
+    linux   @KERNEL_LIVE@ @APPEND_LIVE@ toram nomodeset bee.gui=off bee.wipe=all net.ifnames=0 biosdevname=0
+    initrd  @INITRD_LIVE@
+}
+
 if [ "${grub_platform}" = "efi" ]; then
     menuentry "Memory Test (memtest86+)" {
         chainloader /boot/memtest86+x64.efi

iso/builder/config/bootloaders/isolinux/live.cfg.in

@@ -1,18 +1,18 @@
 label live-@FLAVOUR@-normal
-    menu label ^EASY-BEE
+    menu label ^EASY-BEE v@VERSION@
     linux @LINUX@
     initrd @INITRD@
     append @APPEND_LIVE@ nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
 
 label live-@FLAVOUR@-toram
-    menu label EASY-BEE (^load to RAM)
+    menu label EASY-BEE v@VERSION@ (^load to RAM)
     menu default
     linux @LINUX@
     initrd @INITRD@
     append @APPEND_LIVE@ toram nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
 
 label live-@FLAVOUR@-console
-    menu label EASY-BEE (^no GUI / no X11)
+    menu label EASY-BEE v@VERSION@ (^no GUI / no X11)
     linux @LINUX@
     initrd @INITRD@
     append @APPEND_LIVE@ nomodeset bee.gui=off bee.nvidia.mode=gsp-off net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
@@ -41,6 +41,12 @@ label live-@FLAVOUR@-failsafe
     initrd @INITRD@
     append @APPEND_LIVE@ nomodeset bee.nvidia.mode=gsp-off noapic noapm nodma nomce nolapic nosmp vga=normal net.ifnames=0 biosdevname=0
 
+label wipe-disks
+    menu label *** WIPE ALL DISKS (irreversible!) ***
+    linux @LINUX@
+    initrd @INITRD@
+    append @APPEND_LIVE@ toram nomodeset bee.gui=off bee.wipe=all net.ifnames=0 biosdevname=0
+
 label memtest
     menu label ^Memory Test (memtest86+)
     linux /boot/memtest86+x64.bin

iso/builder/config/hooks/normal/9012-wipe.hook.chroot

@@ -0,0 +1,57 @@
+#!/bin/sh
+# 9012-wipe.hook.chroot
+#
+# Adds bee-initramfs-wipe to the initramfs so that selecting the
+# "WIPE ALL DISKS" boot menu entry runs the wipe tool before squashfs
+# is mounted — i.e. it works even when live boot fails.
+#
+# Two files are installed inside the chroot:
+#   /etc/initramfs-tools/hooks/bee-wipe         — copies binaries into initrd
+#   /etc/initramfs-tools/scripts/local-premount/bee-wipe — runs at boot
+
+set -e
+
+HOOK_DIR="/etc/initramfs-tools/hooks"
+SCRIPT_DIR="/etc/initramfs-tools/scripts/local-premount"
+
+mkdir -p "${HOOK_DIR}" "${SCRIPT_DIR}"
+
+# ── initramfs hook: copy binaries ────────────────────────────────────────────
+cat > "${HOOK_DIR}/bee-wipe" << 'EOF'
+#!/bin/sh
+PREREQ=""
+prereqs() { echo "$PREREQ"; }
+case "$1" in prereqs) prereqs; exit 0 ;; esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+for bin in lsblk blkid blkdiscard blockdev; do
+    b=$(command -v "$bin" 2>/dev/null) && copy_exec "$b" /bin
+done
+
+[ -x /usr/sbin/nvme ] && copy_exec /usr/sbin/nvme /sbin
+
+copy_exec /usr/local/bin/bee-initramfs-wipe /bin/bee-wipe
+EOF
+
+chmod +x "${HOOK_DIR}/bee-wipe"
+
+# ── initramfs premount script: trigger on bee.wipe=all ───────────────────────
+cat > "${SCRIPT_DIR}/bee-wipe" << 'EOF'
+#!/bin/sh
+PREREQ=""
+prereqs() { echo "$PREREQ"; }
+case "$1" in prereqs) prereqs; exit 0 ;; esac
+
+grep -qw 'bee.wipe=all' /proc/cmdline 2>/dev/null || exit 0
+exec /bin/bee-wipe
+EOF
+
+chmod +x "${SCRIPT_DIR}/bee-wipe"
+
+echo "9012-wipe: installed initramfs hook and premount script"
+
+KVER=$(ls /lib/modules | sort -V | tail -1)
+echo "9012-wipe: rebuilding initramfs for kernel ${KVER}"
+update-initramfs -u -k "${KVER}"
+echo "9012-wipe: done"

iso/builder/config/hooks/normal/9998-strip-xattrs.hook.chroot

@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+# 9998-strip-xattrs.hook.chroot
+#
+# mksquashfs 4.5.1 (Debian bookworm) writes a non-INVALID xattr_id_table_start
+# even with -no-xattrs when the source tree contains POSIX ACL xattrs set by
+# dpkg/install-time.  Linux 6.1 squashfs driver then fails with
+# "unable to read xattr id index table" and aborts the mount.
+#
+# Strip all xattrs from the live chroot before mksquashfs sees the tree so the
+# resulting squashfs has SQUASHFS_INVALID_BLK in xattr_id_table_start.
+
+import os
+
+def strip(path):
+    try:
+        for attr in os.listxattr(path, follow_symlinks=False):
+            try:
+                os.removexattr(path, attr, follow_symlinks=False)
+            except OSError:
+                pass
+    except OSError:
+        pass
+
+removed = 0
+for root, dirs, files in os.walk('/', topdown=True, followlinks=False):
+    for name in dirs + files:
+        p = os.path.join(root, name)
+        try:
+            attrs = os.listxattr(p, follow_symlinks=False)
+            if attrs:
+                strip(p)
+                removed += len(attrs)
+        except OSError:
+            pass
+    strip(root)
+
+print(f"9998-strip-xattrs: removed xattrs from {removed} entries")

iso/overlay/usr/local/bin/bee-initramfs-wipe

@@ -0,0 +1,166 @@
+#!/bin/sh
+# bee-initramfs-wipe — interactive disk wipe running entirely in the initramfs.
+# Triggered by bee.wipe=all on the kernel cmdline (via local-premount hook).
+# Works before squashfs is mounted, so it runs even when live boot fails.
+
+RED='\033[1;31m'
+YEL='\033[1;33m'
+GRN='\033[1;32m'
+CYN='\033[1;36m'
+NC='\033[0m'
+
+p()  { printf '%b\n' "$*"; }
+pp() { printf '%b'   "$*"; }
+
+banner() {
+    p ""
+    p "${RED}╔══════════════════════════════════════════════════════════╗${NC}"
+    p "${RED}║            BEE DRIVE WIPE — initramfs stage              ║${NC}"
+    p "${RED}╚══════════════════════════════════════════════════════════╝${NC}"
+    p ""
+}
+
+# ── find boot device ─────────────────────────────────────────────────────────
+boot_dev() {
+    local label token
+    for token in $(cat /proc/cmdline 2>/dev/null); do
+        case "$token" in
+            live-media-label=*) label="${token#*=}" ;;
+        esac
+    done
+    [ -z "$label" ] && return
+
+    local dev
+    dev=$(blkid -L "$label" 2>/dev/null) || return
+    # strip partition suffix: /dev/sdb1 → /dev/sdb, /dev/nvme0n1p1 → /dev/nvme0n1
+    echo "$dev" | sed 's/p\?[0-9]\+$//'
+}
+
+# ── enumerate candidate disks ─────────────────────────────────────────────────
+list_disks() {
+    local boot
+    boot=$(boot_dev)
+
+    lsblk -d -n -o NAME,TYPE,SIZE,MODEL 2>/dev/null | while read -r name type size model; do
+        [ "$type" = "disk" ] || continue
+        [ "$size" = "0B"  ] && continue
+        local dev="/dev/$name"
+        [ "$dev" = "$boot" ] && continue
+        printf '%s\t%s\t%s\n' "$dev" "$size" "${model:-}"
+    done
+}
+
+# ── wipe one disk ─────────────────────────────────────────────────────────────
+wipe_one() {
+    local dev="$1"
+    p ""
+    p "=== ${YEL}${dev}${NC} ==="
+
+    if echo "$dev" | grep -q '^/dev/nvme'; then
+        if nvme format --ses=1 "$dev" 2>&1; then
+            p "  ${GRN}nvme format OK${NC}"
+            blockdev --flushbufs "$dev" 2>/dev/null || true
+            return
+        fi
+        p "  nvme format failed — falling back to blkdiscard"
+    fi
+
+    if blkdiscard -f "$dev" 2>&1; then
+        p "  ${GRN}blkdiscard OK${NC}"
+        blockdev --flushbufs "$dev" 2>/dev/null || true
+        return
+    fi
+
+    p "  blkdiscard not supported — zeroing partition tables (HDD fallback)"
+    local size_bytes mb32 skip
+    size_bytes=$(blockdev --getsize64 "$dev" 2>/dev/null || echo 0)
+    mb32=$(( 32 * 1024 * 1024 ))
+
+    dd if=/dev/zero of="$dev" bs=4M count=8 conv=fsync status=progress 2>&1 || true
+
+    if [ "$size_bytes" -gt $(( mb32 * 2 )) ]; then
+        skip=$(( (size_bytes - mb32) / (4 * 1024 * 1024) ))
+        dd if=/dev/zero of="$dev" bs=4M count=8 seek="$skip" conv=fsync status=progress 2>&1 || true
+    fi
+
+    blockdev --flushbufs "$dev" 2>/dev/null || true
+    p "  ${GRN}done (partition tables zeroed)${NC}"
+}
+
+# ── main ──────────────────────────────────────────────────────────────────────
+banner
+
+BOOT=$(boot_dev)
+[ -n "$BOOT" ] && p "Boot device (excluded): ${CYN}${BOOT}${NC}\n"
+
+# build indexed list
+i=0
+DEVS=""
+IFS='
+'
+for line in $(list_disks); do
+    i=$(( i + 1 ))
+    dev=$(echo "$line" | cut -f1)
+    size=$(echo "$line" | cut -f2)
+    model=$(echo "$line" | cut -f3)
+    DEVS="${DEVS}${i}:${dev}:${size}:${model}
+"
+    printf "  ${CYN}[%d]${NC}  %-16s %8s  %s\n" "$i" "$dev" "$size" "$model"
+done
+IFS='
+'
+
+if [ "$i" -eq 0 ]; then
+    p "\nNo physical disks found (boot device excluded)."
+    p "Dropping to shell — type 'exit' to continue boot."
+    exec /bin/sh
+fi
+
+p ""
+pp "Enter numbers to wipe (space-separated), ${YEL}all${NC} for all, ${YEL}q${NC} to abort: "
+read -r SELECTION
+
+case "$SELECTION" in
+    q|Q|'') p "\nAborted."; exec /bin/sh ;;
+esac
+
+# resolve selection → list of devs
+SELECTED=""
+if [ "$SELECTION" = "all" ] || [ "$SELECTION" = "ALL" ]; then
+    SELECTED=$(echo "$DEVS" | grep -v '^$' | cut -d: -f2 | tr '\n' ' ')
+else
+    for num in $SELECTION; do
+        match=$(echo "$DEVS" | grep "^${num}:" | cut -d: -f2)
+        if [ -z "$match" ]; then
+            p "${RED}Unknown index: ${num}${NC}"; exec /bin/sh
+        fi
+        SELECTED="${SELECTED}${match} "
+    done
+fi
+
+SELECTED=$(echo "$SELECTED" | tr -s ' ' | sed 's/ $//')
+
+p ""
+p "Selected for wipe: ${YEL}${SELECTED}${NC}"
+p "${RED}WARNING: This is IRREVERSIBLE. All data on the selected disks will be lost.${NC}"
+p ""
+pp "Type  YES  to confirm, anything else to abort: "
+read -r CONFIRM
+
+if [ "$CONFIRM" != "YES" ]; then
+    p "\nAborted — no disks were touched."
+    exec /bin/sh
+fi
+
+p "\nStarting wipe..."
+for dev in $SELECTED; do
+    wipe_one "$dev"
+done
+
+sync
+p ""
+p "${GRN}=== All selected disks wiped and flushed. ===${NC}"
+p ""
+pp "Press Enter to reboot..."
+read -r _
+reboot

iso/overlay/usr/local/bin/bee-install

@@ -8,7 +8,7 @@
 # Layout (UEFI):  GPT, /dev/sdX1=EFI 512MB vfat, /dev/sdX2=root ext4
 # Layout (BIOS):  MBR, /dev/sdX1=root ext4
 #
-# Squashfs source: /run/live/medium/live/filesystem.squashfs
+# Squashfs sources: /run/live/medium/live/*.squashfs
 
 set -euo pipefail
 
@@ -62,9 +62,9 @@ for tool in parted mkfs.vfat mkfs.ext4 unsquashfs grub-install update-grub; do
     fi
 done
 
-SQUASHFS="/run/live/medium/live/filesystem.squashfs"
-if [ ! -f "$SQUASHFS" ]; then
-    echo "ERROR: squashfs not found at $SQUASHFS" >&2
+mapfile -t SQUASHFS_FILES < <(find /run/live/medium/live -maxdepth 1 -type f -name '*.squashfs' | sort)
+if [ "${#SQUASHFS_FILES[@]}" -eq 0 ]; then
+    echo "ERROR: no squashfs files found under /run/live/medium/live" >&2
     echo "  The live medium may have been disconnected." >&2
     echo "  Reconnect the disc and run:  bee-remount-medium --wait" >&2
     echo "  Then re-run bee-install." >&2
@@ -106,7 +106,10 @@ log "=== BEE DISK INSTALLER ==="
 log "Target device : $DEVICE"
 log "Root partition: $PART_ROOT"
 [ "$UEFI" = "1" ] && log "EFI partition : $PART_EFI"
-log "Squashfs      : $SQUASHFS ($(du -sh "$SQUASHFS" | cut -f1))"
+log "Squashfs      : ${#SQUASHFS_FILES[@]} layer(s)"
+for sf in "${SQUASHFS_FILES[@]}"; do
+    log "  - $sf ($(du -sh "$sf" | cut -f1))"
+done
 log "Log           : $LOGFILE"
 log ""
 
@@ -163,7 +166,9 @@ log "  Mounted."
 
 # ------------------------------------------------------------------
 log "--- Step 5/7: Unpacking filesystem (this takes 10-20 minutes) ---"
-log "  Source: $SQUASHFS"
+for sf in "${SQUASHFS_FILES[@]}"; do
+    log "  Source: $sf"
+done
 log "  Target: $MOUNT_ROOT"
 
 # unsquashfs does not support resume, so retry the entire unpack step if the
@@ -177,9 +182,9 @@ while true; do
     fi
     [ "$UNPACK_ATTEMPTS" -gt 1 ] && log "  Retry attempt $UNPACK_ATTEMPTS / $UNPACK_MAX ..."
 
-    # Re-check squashfs is reachable before each attempt
-    if [ ! -f "$SQUASHFS" ]; then
-        log "  SOURCE LOST: $SQUASHFS not found."
+    mapfile -t SQUASHFS_FILES < <(find /run/live/medium/live -maxdepth 1 -type f -name '*.squashfs' | sort)
+    if [ "${#SQUASHFS_FILES[@]}" -eq 0 ]; then
+        log "  SOURCE LOST: no squashfs files found under /run/live/medium/live."
         log "  Reconnect the disc and run 'bee-remount-medium --wait' in another terminal,"
         log "  then press Enter here to retry."
         read -r _
@@ -194,12 +199,17 @@ while true; do
     fi
 
     UNPACK_OK=0
-    unsquashfs -f -d "$MOUNT_ROOT" "$SQUASHFS" 2>&1 | \
-        grep -E '^\[|^inod|^created|^extract|^ERROR|failed' | \
-        while IFS= read -r line; do log "  $line"; done || UNPACK_OK=$?
+    for sf in "${SQUASHFS_FILES[@]}"; do
+        log "  Unpacking $(basename "$sf") ..."
+        unsquashfs -f -d "$MOUNT_ROOT" "$sf" 2>&1 | \
+            grep -E '^\[|^inod|^created|^extract|^ERROR|failed' | \
+            while IFS= read -r line; do log "  $line"; done || UNPACK_OK=$?
+        [ "$UNPACK_OK" -eq 0 ] || break
+    done
 
     # Check squashfs is still reachable (gone = disc pulled during copy)
-    if [ ! -f "$SQUASHFS" ]; then
+    mapfile -t SQUASHFS_FILES < <(find /run/live/medium/live -maxdepth 1 -type f -name '*.squashfs' | sort)
+    if [ "${#SQUASHFS_FILES[@]}" -eq 0 ]; then
         log "  WARNING: source medium lost during unpack — will retry after remount."
         log "  Run 'bee-remount-medium --wait' in another terminal, then press Enter."
         read -r _

iso/overlay/usr/local/bin/bee-remount-medium

@@ -2,7 +2,7 @@
 # bee-remount-medium — find and remount the live ISO medium to /run/live/medium
 #
 # Run this after reconnecting the ISO source disc (USB/CD) if the live medium
-# was lost and /run/live/medium/live/filesystem.squashfs is missing.
+# was lost and /run/live/medium/live/*.squashfs are missing.
 #
 # Usage: bee-remount-medium [--wait]
 #   --wait  keep retrying every 5 seconds until the medium is found (useful
@@ -11,7 +11,7 @@
 set -euo pipefail
 
 MEDIUM_DIR="/run/live/medium"
-SQUASHFS_REL="live/filesystem.squashfs"
+SQUASHFS_GLOB="live/*.squashfs"
 WAIT_MODE=0
 
 for arg in "$@"; do
@@ -56,7 +56,7 @@ try_mount() {
     local tmpdir
     tmpdir=$(mktemp -d /tmp/bee-probe-XXXXXX)
     if mount -o ro "$dev" "$tmpdir" 2>/dev/null; then
-        if [ -f "${tmpdir}/${SQUASHFS_REL}" ]; then
+        if find "${tmpdir}/live" -maxdepth 1 -type f -name '*.squashfs' 2>/dev/null | grep -q .; then
             # Unmount probe mount and mount properly onto live path
             umount "$tmpdir" 2>/dev/null || true
             rmdir "$tmpdir"  2>/dev/null || true
@@ -82,8 +82,9 @@ attempt() {
     for dev in $(find_candidates); do
         log "  Trying $dev ..."
         if try_mount "$dev"; then
-            local sq="${MEDIUM_DIR}/${SQUASHFS_REL}"
-            log "SUCCESS: squashfs available at $sq ($(du -sh "$sq" | cut -f1))"
+            local count
+            count=$(find "${MEDIUM_DIR}/live" -maxdepth 1 -type f -name '*.squashfs' 2>/dev/null | wc -l | tr -d ' ')
+            log "SUCCESS: ${count} squashfs layer(s) available under ${MEDIUM_DIR}/live"
             return 0
         fi
     done
@@ -100,5 +101,5 @@ if [ "$WAIT_MODE" = "1" ]; then
         sleep 5
     done
 else
-    attempt || die "No ISO medium with ${SQUASHFS_REL} found. Reconnect the disc and re-run, or use --wait."
+    attempt || die "No ISO medium with ${SQUASHFS_GLOB} found. Reconnect the disc and re-run, or use --wait."
 fi

iso/overlay/usr/local/bin/bee-wipe-disks

@@ -0,0 +1,132 @@
+#!/bin/bash
+# bee-wipe-disks — erase all physical disks (interactive, confirmation required)
+#
+# Triggered automatically when the kernel cmdline contains bee.wipe=all.
+# Can also be run manually from a root shell.
+#
+# Wipe strategy:
+#   NVMe  — nvme format (ATA-style secure erase, fast)
+#   Other — blkdiscard -f (TRIM/UNMAP, fast on SSDs)
+#           dd if=/dev/zero  (fallback for HDDs, zeros first+last 32 MB)
+
+set -euo pipefail
+
+RED=$'\033[1;31m'
+YEL=$'\033[1;33m'
+GRN=$'\033[1;32m'
+NC=$'\033[0m'
+
+banner() {
+    echo ""
+    echo "${RED}╔══════════════════════════════════════════════════════════╗${NC}"
+    echo "${RED}║      BEE DISK WIPE — ALL DATA WILL BE DESTROYED          ║${NC}"
+    echo "${RED}╚══════════════════════════════════════════════════════════╝${NC}"
+    echo ""
+}
+
+# ── find boot device to skip ──────────────────────────────────────────────────
+live_dev() {
+    local src
+    src=$(findmnt -n -o SOURCE /run/live/medium 2>/dev/null || true)
+    [ -z "$src" ] && return
+    # Strip partition suffix: /dev/sdb1 → /dev/sdb, /dev/nvme0n1p1 → /dev/nvme0n1
+    echo "$src" | sed 's/p\?[0-9]\+$//'
+}
+
+# ── enumerate target disks ────────────────────────────────────────────────────
+find_disks() {
+    local boot_dev
+    boot_dev=$(live_dev)
+
+    lsblk -d -n -o NAME,TYPE,SIZE,MODEL | while read -r name type size model; do
+        [ "$type" = "disk" ] || continue
+        [ "$size" = "0B"  ] && continue           # empty virtual media
+
+        local dev="/dev/$name"
+        [ "$dev" = "$boot_dev" ] && continue      # skip boot device
+
+        printf '%s\t%s\t%s\n' "$dev" "$size" "$model"
+    done
+}
+
+# ── wipe one disk ─────────────────────────────────────────────────────────────
+wipe_disk() {
+    local dev="$1"
+    echo ""
+    echo "=== ${YEL}${dev}${NC} ==="
+
+    if echo "$dev" | grep -q '^/dev/nvme'; then
+        # NVMe format (ses=1 = user data erase)
+        if nvme format --ses=1 "$dev" 2>&1; then
+            echo "  ${GRN}nvme format OK${NC}"
+            return
+        fi
+        echo "  nvme format failed, falling back to blkdiscard"
+    fi
+
+    if blkdiscard -f "$dev" 2>&1; then
+        echo "  ${GRN}blkdiscard OK${NC}"
+        return
+    fi
+
+    echo "  blkdiscard not supported — zeroing partition tables (HDD fallback)"
+    local size_bytes
+    size_bytes=$(blockdev --getsize64 "$dev")
+    local mb32=$(( 32 * 1024 * 1024 ))
+
+    # Zero first 32 MB (MBR, GPT, filesystem superblocks)
+    dd if=/dev/zero of="$dev" bs=4M count=8 conv=fsync status=progress 2>&1 || true
+
+    # Zero last 32 MB (backup GPT)
+    if [ "$size_bytes" -gt $(( mb32 * 2 )) ]; then
+        local skip=$(( (size_bytes - mb32) / (4 * 1024 * 1024) ))
+        dd if=/dev/zero of="$dev" bs=4M count=8 seek="$skip" conv=fsync status=progress 2>&1 || true
+    fi
+
+    echo "  ${GRN}done (partition tables zeroed)${NC}"
+}
+
+# ── main ──────────────────────────────────────────────────────────────────────
+banner
+
+mapfile -t DISKS < <(find_disks | awk '{print $1}')
+
+if [ ${#DISKS[@]} -eq 0 ]; then
+    echo "No physical disks found (boot device excluded)."
+    echo "Nothing to wipe."
+    exit 0
+fi
+
+echo "Disks to be ${RED}COMPLETELY ERASED${NC}:"
+echo ""
+find_disks | while IFS=$'\t' read -r dev size model; do
+    printf "  ${YEL}%-16s${NC} %8s  %s\n" "$dev" "$size" "$model"
+done
+echo ""
+echo "${RED}WARNING: This is IRREVERSIBLE. All data on the listed disks will be lost.${NC}"
+echo ""
+printf "Type  YES  to confirm wipe, anything else to abort: "
+read -r CONFIRM
+
+if [ "$CONFIRM" != "YES" ]; then
+    echo ""
+    echo "Aborted — no disks were touched."
+    exit 0
+fi
+
+echo ""
+echo "Starting wipe..."
+
+for dev in "${DISKS[@]}"; do
+    wipe_disk "$dev"
+done
+
+echo ""
+echo "${GRN}=== All disks wiped. ===${NC}"
+echo ""
+printf "Reboot now to return to the boot menu? [Y/n] "
+read -r REBOOT
+case "${REBOOT:-Y}" in
+    [Nn]*) echo "You can reboot manually when ready." ;;
+    *)     echo "Rebooting..."; sleep 2; reboot ;;
+esac