Restore post-build GRUB and isolinux sync

audit/cmd/bee/main.go

@@ -64,6 +64,8 @@ func run(args []string, stdout, stderr io.Writer) (exitCode int) {
 		return runExport(args[1:], stdout, stderr)
 	case "preflight":
 		return runPreflight(args[1:], stdout, stderr)
+	case "install-to-ram":
+		return runInstallToRAM(args[1:], stdout, stderr)
 	case "support-bundle":
 		return runSupportBundle(args[1:], stdout, stderr)
 	case "web":
@@ -90,6 +92,7 @@ func printRootUsage(w io.Writer) {
 	fmt.Fprintln(w, `bee commands:
   bee audit   --runtime auto|local|livecd --output stdout|file:<path>
   bee preflight --output stdout|file:<path>
+  bee install-to-ram
   bee export  --target <device>
   bee support-bundle --output stdout|file:<path>
   bee web     --listen :80 [--audit-path `+app.DefaultAuditJSONPath+`]
@@ -109,6 +112,8 @@ func runHelp(args []string, stdout, stderr io.Writer) int {
 		return runExport([]string{"--help"}, stdout, stdout)
 	case "preflight":
 		return runPreflight([]string{"--help"}, stdout, stdout)
+	case "install-to-ram":
+		return runInstallToRAM([]string{"--help"}, stdout, stdout)
 	case "support-bundle":
 		return runSupportBundle([]string{"--help"}, stdout, stdout)
 	case "web":
@@ -252,6 +257,32 @@ func runPreflight(args []string, stdout, stderr io.Writer) int {
 	return 0
 }
 
+func runInstallToRAM(args []string, stdout, stderr io.Writer) int {
+	fs := flag.NewFlagSet("install-to-ram", flag.ContinueOnError)
+	fs.SetOutput(stderr)
+	fs.Usage = func() {
+		fmt.Fprintln(stderr, "usage: bee install-to-ram")
+	}
+	if err := fs.Parse(args); err != nil {
+		if err == flag.ErrHelp {
+			return 0
+		}
+		return 2
+	}
+	if fs.NArg() != 0 {
+		fs.Usage()
+		return 2
+	}
+
+	application := app.New(platform.New())
+	logLine := func(s string) { fmt.Fprintln(stdout, s) }
+	if err := application.RunInstallToRAM(context.Background(), logLine); err != nil {
+		slog.Error("run install-to-ram", "err", err)
+		return 1
+	}
+	return 0
+}
+
 func runSupportBundle(args []string, stdout, stderr io.Writer) int {
 	fs := flag.NewFlagSet("support-bundle", flag.ContinueOnError)
 	fs.SetOutput(stderr)

audit/internal/app/support_bundle.go

@@ -24,6 +24,8 @@ var supportBundleServices = []string{
 	"bee-selfheal.service",
 	"bee-selfheal.timer",
 	"bee-sshsetup.service",
+	"display-manager.service",
+	"lightdm.service",
 	"nvidia-dcgm.service",
 	"nvidia-fabricmanager.service",
 }
@@ -44,12 +46,128 @@ var supportBundleCommands = []struct {
 	{name: "system/mount.txt", cmd: []string{"mount"}},
 	{name: "system/df-h.txt", cmd: []string{"df", "-h"}},
 	{name: "system/dmesg.txt", cmd: []string{"dmesg"}},
+	{name: "system/dmesg-gui-video-input.txt", cmd: []string{"sh", "-c", `
+if command -v dmesg >/dev/null 2>&1; then
+  dmesg | grep -iE 'nvidia|drm|fb|framebuffer|vesa|efi|lightdm|Xorg|input|hid|usb|keyboard|mouse|virtual keyboard|virtual mouse|ami|aspeed|ast' || echo "no GUI/video/input kernel messages found"
+else
+  echo "dmesg not found"
+fi
+`}},
 	{name: "system/kernel-aer-nvidia.txt", cmd: []string{"sh", "-c", `
 if command -v dmesg >/dev/null 2>&1; then
   dmesg | grep -iE 'AER|NVRM|Xid|pcieport|nvidia' || echo "no AER/NVRM/Xid kernel messages found"
 else
   echo "dmesg not found"
 fi
+`}},
+	{name: "system/loginctl-sessions.txt", cmd: []string{"sh", "-c", `
+if command -v loginctl >/dev/null 2>&1; then
+  loginctl list-sessions 2>&1 || true
+else
+  echo "loginctl not found"
+fi
+`}},
+	{name: "system/loginctl-seats.txt", cmd: []string{"sh", "-c", `
+if command -v loginctl >/dev/null 2>&1; then
+  loginctl list-seats 2>&1 || true
+  echo
+  for seat in $(loginctl list-seats --no-legend 2>/dev/null | awk '{print $1}'); do
+    echo "=== $seat ==="
+    loginctl seat-status "$seat" 2>&1 || true
+    echo
+  done
+else
+  echo "loginctl not found"
+fi
+`}},
+	{name: "system/ps-gui.txt", cmd: []string{"sh", "-c", `
+ps -ef | grep -iE 'lightdm|Xorg|X$|openbox|chromium|chrome|xinit|xsession' | grep -v grep || echo "no GUI processes found"
+`}},
+	{name: "system/lspci-video-vv.txt", cmd: []string{"sh", "-c", `
+if ! command -v lspci >/dev/null 2>&1; then
+  echo "lspci not found"
+  exit 0
+fi
+found=0
+for dev in $(lspci -Dn | awk '$2 ~ /^03(00|02):$/ {print $1}'); do
+  found=1
+  echo "=== $dev ==="
+  lspci -s "$dev" -vv 2>&1 || true
+  echo
+done
+if [ "$found" -eq 0 ]; then
+  echo "no display-class PCI devices found"
+fi
+`}},
+	{name: "system/proc-fb.txt", cmd: []string{"cat", "/proc/fb"}},
+	{name: "system/drm-cards.txt", cmd: []string{"sh", "-c", `
+if [ -d /sys/class/drm ]; then
+  for path in /sys/class/drm/card*; do
+    [ -e "$path" ] || continue
+    card=$(basename "$path")
+    echo "=== $card ==="
+    for f in status enabled dpms modes; do
+      [ -r "$path/$f" ] && printf "  %-8s %s\n" "$f" "$(cat "$path/$f" 2>/dev/null)"
+    done
+    device=$(readlink -f "$path/device" 2>/dev/null || true)
+    [ -n "$device" ] && echo "  device   ${device##*/}"
+    echo
+  done
+else
+  echo "/sys/class/drm not present"
+fi
+`}},
+	{name: "system/input-devices.txt", cmd: []string{"sh", "-c", `
+if [ -r /proc/bus/input/devices ]; then
+  cat /proc/bus/input/devices
+else
+  echo "/proc/bus/input/devices not readable"
+fi
+`}},
+	{name: "system/udevadm-input.txt", cmd: []string{"sh", "-c", `
+if ! command -v udevadm >/dev/null 2>&1; then
+  echo "udevadm not found"
+  exit 0
+fi
+found=0
+for dev in /dev/input/event*; do
+  [ -e "$dev" ] || continue
+  found=1
+  echo "=== $dev ==="
+  udevadm info --query=all --name="$dev" 2>&1 || true
+  echo
+done
+if [ "$found" -eq 0 ]; then
+  echo "no /dev/input/event* devices found"
+fi
+`}},
+	{name: "system/xinput-list.txt", cmd: []string{"sh", "-c", `
+if command -v xinput >/dev/null 2>&1; then
+  DISPLAY=:0 xinput --list 2>&1 || true
+else
+  echo "xinput not found"
+fi
+`}},
+	{name: "system/libinput-list-devices.txt", cmd: []string{"sh", "-c", `
+if command -v libinput >/dev/null 2>&1; then
+  libinput list-devices 2>&1 || true
+else
+  echo "libinput not found"
+fi
+`}},
+	{name: "system/systemctl-gui-units.txt", cmd: []string{"sh", "-c", `
+if ! command -v systemctl >/dev/null 2>&1; then
+  echo "systemctl not found"
+  exit 0
+fi
+echo "=== unit files ==="
+systemctl list-unit-files --no-pager --all 'lightdm*' 'display-manager*' 2>&1 || true
+echo
+echo "=== active units ==="
+systemctl list-units --no-pager --all 'lightdm*' 'display-manager*' 2>&1 || true
+echo
+echo "=== failed units ==="
+systemctl --failed --no-pager 2>&1 | grep -iE 'lightdm|display-manager|Xorg' || echo "no failed GUI units"
 `}},
 	{name: "system/nvidia-smi-q.txt", cmd: []string{"nvidia-smi", "-q"}},
 	{name: "system/nvidia-smi-topo.txt", cmd: []string{"sh", "-c", `
@@ -236,6 +354,13 @@ var supportBundleOptionalFiles = []struct {
 }{
 	{name: "system/kern.log", src: "/var/log/kern.log"},
 	{name: "system/syslog.txt", src: "/var/log/syslog"},
+	{name: "system/Xorg.0.log", src: "/var/log/Xorg.0.log"},
+	{name: "system/Xorg.0.log.old", src: "/var/log/Xorg.0.log.old"},
+	{name: "system/lightdm/lightdm.log", src: "/var/log/lightdm/lightdm.log"},
+	{name: "system/lightdm/x-0.log", src: "/var/log/lightdm/x-0.log"},
+	{name: "system/lightdm/x-0-greeter.log", src: "/var/log/lightdm/x-0-greeter.log"},
+	{name: "system/home-bee-xsession-errors.log", src: "/home/bee/.xsession-errors"},
+	{name: "system/home-bee-chromium-debug.log", src: "/tmp/bee-chrome/chrome_debug.log"},
 	{name: "system/fabricmanager.log", src: "/var/log/fabricmanager.log"},
 	{name: "system/nvlsm.log", src: "/var/log/nvlsm.log"},
 	{name: "system/fabricmanager/fabricmanager.log", src: "/var/log/fabricmanager/fabricmanager.log"},

audit/internal/platform/install_to_ram.go

@@ -14,6 +14,22 @@ import (
 const installToRAMDir = "/dev/shm/bee-live"
 const copyProgressLogStep int64 = 100 * 1024 * 1024
 
+var liveMediumSquashfsGlob = func() ([]string, error) {
+	return filepath.Glob("/run/live/medium/live/*.squashfs")
+}
+
+var runRemountMedium = func() ([]byte, error) {
+	return exec.Command("bee-remount-medium").CombinedOutput()
+}
+
+var umountLiveMedium = func() error {
+	return exec.Command("umount", "/run/live/medium").Run()
+}
+
+var ejectDevice = func(device string) error {
+	return exec.Command("eject", device).Run()
+}
+
 func (s *System) IsLiveMediaInRAM() bool {
 	return s.LiveMediaRAMState().InRAM
 }
@@ -140,8 +156,7 @@ func (s *System) RunInstallToRAM(ctx context.Context, logFunc func(string)) (ret
 		return nil
 	}
 
-	squashfsFiles, err := filepath.Glob("/run/live/medium/live/*.squashfs")
-	sourceAvailable := err == nil && len(squashfsFiles) > 0
+	squashfsFiles, sourceAvailable := ensureLiveMediumAvailable(log)
 
 	dstDir := installToRAMDir
 
@@ -171,7 +186,7 @@ func (s *System) RunInstallToRAM(ctx context.Context, logFunc func(string)) (ret
 			}
 			goto bindMedium
 		}
-		return fmt.Errorf("no squashfs files found in /run/live/medium/live/ and no prior RAM copy in %s — reconnect the installation medium and retry", dstDir)
+		return fmt.Errorf("no squashfs files found in /run/live/medium/live/ and no prior RAM copy in %s — reconnect the installation medium and retry (or run bee-remount-medium as root)", dstDir)
 	}
 
 	{
@@ -254,10 +269,83 @@ bindMedium:
 	if status.InRAM {
 		log(fmt.Sprintf("Verification passed: live medium now served from %s.", describeLiveBootSource(status)))
 	}
-	log("Done. Squashfs files are in RAM. Installation media can be safely disconnected.")
+	detachInstallMedium(status, log)
+	log("Done. Squashfs files are in RAM. Installation media has been detached when possible.")
 	return nil
 }
 
+func tryRemountLiveMedium(log func(string)) error {
+	output, err := runRemountMedium()
+	trimmed := strings.TrimSpace(string(output))
+	if err != nil {
+		if trimmed != "" && log != nil {
+			for _, line := range strings.Split(trimmed, "\n") {
+				log("bee-remount-medium: " + line)
+			}
+		}
+		return err
+	}
+	if trimmed != "" && log != nil {
+		for _, line := range strings.Split(trimmed, "\n") {
+			log("bee-remount-medium: " + line)
+		}
+	}
+	return nil
+}
+
+func ensureLiveMediumAvailable(log func(string)) ([]string, bool) {
+	squashfsFiles, err := liveMediumSquashfsGlob()
+	sourceAvailable := err == nil && len(squashfsFiles) > 0
+	if sourceAvailable {
+		return squashfsFiles, true
+	}
+
+	if log != nil {
+		log("Live medium not mounted at /run/live/medium — attempting automatic remount scan...")
+	}
+	if remountErr := tryRemountLiveMedium(log); remountErr != nil {
+		if log != nil {
+			log(fmt.Sprintf("Automatic remount did not restore the live medium: %v", remountErr))
+		}
+		return squashfsFiles, false
+	}
+
+	squashfsFiles, err = liveMediumSquashfsGlob()
+	sourceAvailable = err == nil && len(squashfsFiles) > 0
+	if sourceAvailable && log != nil {
+		log("Live medium restored after remount scan.")
+	}
+	return squashfsFiles, sourceAvailable
+}
+
+func detachInstallMedium(status LiveBootSource, log func(string)) {
+	if log == nil {
+		log = func(string) {}
+	}
+
+	log("Detaching original installation medium...")
+	if err := umountLiveMedium(); err != nil {
+		log(fmt.Sprintf("Warning: could not unmount /run/live/medium: %v", err))
+	} else {
+		log("Unmounted /run/live/medium.")
+	}
+
+	device := strings.TrimSpace(status.Device)
+	if device == "" {
+		device = strings.TrimSpace(status.Source)
+	}
+	if device == "" || !strings.HasPrefix(device, "/dev/") {
+		log("No block device identified for eject; skipping media eject.")
+		return
+	}
+
+	if err := ejectDevice(device); err != nil {
+		log(fmt.Sprintf("Warning: could not eject %s: %v", device, err))
+		return
+	}
+	log(fmt.Sprintf("Ejected %s.", device))
+}
+
 func verifyInstallToRAMStatus(status LiveBootSource, dstDir string, mediumRebound bool, log func(string)) error {
 	if status.InRAM {
 		return nil

audit/internal/platform/install_to_ram_test.go

@@ -1,6 +1,9 @@
 package platform
 
-import "testing"
+import (
+	"fmt"
+	"testing"
+)
 
 func TestInferLiveBootKind(t *testing.T) {
 	t.Parallel()
@@ -124,3 +127,156 @@ func TestShouldLogCopyProgress(t *testing.T) {
 		t.Fatal("expected final completion log")
 	}
 }
+
+func TestTryRemountLiveMedium(t *testing.T) {
+	t.Parallel()
+
+	orig := runRemountMedium
+	t.Cleanup(func() {
+		runRemountMedium = orig
+	})
+
+	t.Run("success", func(t *testing.T) {
+		runRemountMedium = func() ([]byte, error) {
+			return []byte("[10:57:31] Mounted /dev/sr1 on /run/live/medium\n"), nil
+		}
+		var logs []string
+		if err := tryRemountLiveMedium(func(msg string) { logs = append(logs, msg) }); err != nil {
+			t.Fatalf("tryRemountLiveMedium() error = %v", err)
+		}
+		if len(logs) != 1 || logs[0] != "bee-remount-medium: [10:57:31] Mounted /dev/sr1 on /run/live/medium" {
+			t.Fatalf("logs=%v", logs)
+		}
+	})
+
+	t.Run("failure", func(t *testing.T) {
+		runRemountMedium = func() ([]byte, error) {
+			return []byte("must be run as root\n"), fmt.Errorf("exit status 1")
+		}
+		var logs []string
+		err := tryRemountLiveMedium(func(msg string) { logs = append(logs, msg) })
+		if err == nil {
+			t.Fatal("expected error")
+		}
+		if len(logs) != 1 || logs[0] != "bee-remount-medium: must be run as root" {
+			t.Fatalf("logs=%v", logs)
+		}
+	})
+}
+
+func TestEnsureLiveMediumAvailableRemountsSource(t *testing.T) {
+	t.Parallel()
+
+	origGlob := liveMediumSquashfsGlob
+	origRemount := runRemountMedium
+	t.Cleanup(func() {
+		liveMediumSquashfsGlob = origGlob
+		runRemountMedium = origRemount
+	})
+
+	callCount := 0
+	liveMediumSquashfsGlob = func() ([]string, error) {
+		callCount++
+		if callCount == 1 {
+			return nil, nil
+		}
+		return []string{"/run/live/medium/live/filesystem.squashfs"}, nil
+	}
+	runRemountMedium = func() ([]byte, error) {
+		return []byte("Mounted /dev/sr1 on /run/live/medium\n"), nil
+	}
+
+	var logs []string
+	files, ok := ensureLiveMediumAvailable(func(msg string) { logs = append(logs, msg) })
+	if !ok {
+		t.Fatal("expected live medium to become available after remount")
+	}
+	if callCount < 2 {
+		t.Fatalf("liveMediumSquashfsGlob called %d times, want at least 2", callCount)
+	}
+	if len(files) != 1 || files[0] != "/run/live/medium/live/filesystem.squashfs" {
+		t.Fatalf("files=%v", files)
+	}
+	found := false
+	for _, msg := range logs {
+		if msg == "Live medium restored after remount scan." {
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Fatalf("expected remount success log, logs=%v", logs)
+	}
+}
+
+func TestDetachInstallMedium(t *testing.T) {
+	t.Parallel()
+
+	origUmount := umountLiveMedium
+	origEject := ejectDevice
+	t.Cleanup(func() {
+		umountLiveMedium = origUmount
+		ejectDevice = origEject
+	})
+
+	t.Run("success", func(t *testing.T) {
+		var umountCalled bool
+		var ejected string
+		umountLiveMedium = func() error {
+			umountCalled = true
+			return nil
+		}
+		ejectDevice = func(device string) error {
+			ejected = device
+			return nil
+		}
+		var logs []string
+		detachInstallMedium(LiveBootSource{Kind: "cdrom", Device: "/dev/sr1"}, func(msg string) { logs = append(logs, msg) })
+		if !umountCalled {
+			t.Fatal("expected umountLiveMedium to be called")
+		}
+		if ejected != "/dev/sr1" {
+			t.Fatalf("ejected=%q want /dev/sr1", ejected)
+		}
+		if len(logs) < 3 {
+			t.Fatalf("logs=%v", logs)
+		}
+	})
+
+	t.Run("no device", func(t *testing.T) {
+		umountLiveMedium = func() error { return nil }
+		ejectDevice = func(device string) error {
+			t.Fatalf("unexpected eject for %q", device)
+			return nil
+		}
+		var logs []string
+		detachInstallMedium(LiveBootSource{Kind: "ram", Source: "tmpfs"}, func(msg string) { logs = append(logs, msg) })
+		found := false
+		for _, msg := range logs {
+			if msg == "No block device identified for eject; skipping media eject." {
+				found = true
+				break
+			}
+		}
+		if !found {
+			t.Fatalf("logs=%v", logs)
+		}
+	})
+
+	t.Run("eject failure is warning only", func(t *testing.T) {
+		umountLiveMedium = func() error { return nil }
+		ejectDevice = func(device string) error { return fmt.Errorf("exit status 1") }
+		var logs []string
+		detachInstallMedium(LiveBootSource{Kind: "usb", Device: "/dev/sdb1"}, func(msg string) { logs = append(logs, msg) })
+		found := false
+		for _, msg := range logs {
+			if msg == "Warning: could not eject /dev/sdb1: exit status 1" {
+				found = true
+				break
+			}
+		}
+		if !found {
+			t.Fatalf("logs=%v", logs)
+		}
+	})
+}

audit/internal/webui/jobs.go

@@ -91,6 +91,7 @@ func (j *jobState) writeLogLineLocked(line string) {
 		j.logBuf = bufio.NewWriterSize(f, 64*1024)
 	}
 	_, _ = j.logBuf.WriteString(line + "\n")
+	_ = j.logBuf.Flush()
 }
 
 // closeLog flushes and closes the log file. Called after all task output is done.

audit/internal/webui/page_export_tools.go

@@ -431,7 +431,7 @@ fetch('/api/system/ram-status').then(r=>r.json()).then(d=>{
   else if (kind === 'disk') label = 'disk (' + source + ')';
   else label = source;
   boot.textContent = 'Current boot source: ' + label + '.';
-  txt.textContent = d.message || 'Checking...';
+  txt.textContent = d.blocked_reason || d.message || 'Checking...';
   if (d.status === 'ok' || d.in_ram) {
     txt.style.color = 'var(--ok, green)';
   } else if (d.status === 'failed') {

audit/internal/webui/server.go

@@ -1294,8 +1294,8 @@ const loadingPageHTML = `<!DOCTYPE html>
 *{margin:0;padding:0;box-sizing:border-box}
 html,body{height:100%;background:#0f1117;display:flex;align-items:center;justify-content:center;font-family:'Courier New',monospace;color:#e2e8f0}
 .wrap{text-align:center;width:420px}
-.logo{font-size:11px;line-height:1.4;color:#f6c90e;margin-bottom:6px;white-space:pre;text-align:left}
-.subtitle{font-size:12px;color:#a0aec0;text-align:left;margin-bottom:24px;padding-left:2px}
+.brand{font-size:22px;letter-spacing:.18em;color:#f6c90e;margin-bottom:6px;text-align:left}
+.subtitle{font-size:12px;color:#a0aec0;text-align:left;margin-bottom:24px}
 .spinner{width:36px;height:36px;border:3px solid #2d3748;border-top-color:#f6c90e;border-radius:50%;animation:spin .8s linear infinite;margin:0 auto 14px}
 .spinner.hidden{display:none}
 @keyframes spin{to{transform:rotate(360deg)}}
@@ -1313,12 +1313,7 @@ td:first-child{color:#718096;width:55%}
 </head>
 <body>
 <div class="wrap">
-  <div class="logo">  ███████╗ █████╗ ███████╗██╗   ██╗      ██████╗ ███████╗███████╗
-  ██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝      ██╔══██╗██╔════╝██╔════╝
-  █████╗  ███████║███████╗ ╚████╔╝ █████╗██████╔╝█████╗  █████╗
-  ██╔══╝  ██╔══██║╚════██║  ╚██╔╝  ╚════╝██╔══██╗██╔══╝  ██╔══╝
-  ███████╗██║  ██║███████║   ██║         ██████╔╝███████╗███████╗
-  ╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝         ╚═════╝ ╚══════╝╚══════╝</div>
+  <div class="brand">EASY BEE</div>
   <div class="subtitle">Hardware Audit LiveCD</div>
   <div class="spinner" id="spin"></div>
   <div class="status" id="st">Connecting to bee-web...</div>
@@ -1328,8 +1323,20 @@ td:first-child{color:#718096;width:55%}
 <script>
 (function(){
 var gone = false;
+var pollStarted = false;
+var fallbackOpenTimer = null;
+var AUTO_OPEN_DELAY_MS = 15000;
 function go(){ if(!gone){gone=true;window.location.replace('/');} }
 
+function scheduleFallbackOpen(){
+  if(fallbackOpenTimer!==null) return;
+  fallbackOpenTimer=setTimeout(function(){
+    document.getElementById('spin').className='spinner hidden';
+    document.getElementById('st').textContent='Startup checks are taking too long — opening app...';
+    go();
+  },AUTO_OPEN_DELAY_MS);
+}
+
 function icon(s){
   if(s==='active')   return '<span class="ok">&#9679; active</span>';
   if(s==='failed')   return '<span class="fail">&#10005; failed</span>';
@@ -1361,6 +1368,7 @@ function pollServices(){
       tbl.innerHTML=html;
       if(allSettled(svcs)){
         clearInterval(pollTimer);
+        if(fallbackOpenTimer!==null) clearTimeout(fallbackOpenTimer);
         document.getElementById('spin').className='spinner hidden';
         document.getElementById('st').textContent='Ready \u2014 opening...';
         setTimeout(go,800);
@@ -1375,8 +1383,12 @@ function probe(){
       if(r.ok){
         document.getElementById('st').textContent='bee-web running \u2014 checking services...';
         document.getElementById('btn').style.display='';
-        pollServices();
-        pollTimer=setInterval(pollServices,1500);
+        scheduleFallbackOpen();
+        if(!pollStarted){
+          pollStarted=true;
+          pollServices();
+          pollTimer=setInterval(pollServices,1500);
+        }
       } else {
         document.getElementById('st').textContent='bee-web starting (status '+r.status+')...';
         setTimeout(probe,500);

audit/internal/webui/server_test.go

@@ -604,6 +604,25 @@ func TestReadyIsOKWhenAuditPathIsUnset(t *testing.T) {
 	}
 }
 
+func TestLoadingPageHasFallbackAutoOpen(t *testing.T) {
+	handler := NewHandler(HandlerOptions{})
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/loading", nil))
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status=%d body=%s", rec.Code, rec.Body.String())
+	}
+	body := rec.Body.String()
+	for _, needle := range []string{
+		`var AUTO_OPEN_DELAY_MS = 15000;`,
+		`function scheduleFallbackOpen(){`,
+		`Startup checks are taking too long — opening app...`,
+	} {
+		if !strings.Contains(body, needle) {
+			t.Fatalf("loading page missing %q: %s", needle, body)
+		}
+	}
+}
+
 func TestAuditPageRendersViewerFrameAndActions(t *testing.T) {
 	dir := t.TempDir()
 	path := filepath.Join(dir, "audit.json")

audit/internal/webui/tasks.go

@@ -600,6 +600,17 @@ func (q *taskQueue) startRecoveredTaskMonitorLocked(t *Task, j *jobState) {
 }
 
 func (q *taskQueue) runTaskExternal(t *Task, j *jobState) {
+	startedKmsgWatch := false
+	if q.kmsgWatcher != nil && isSATTarget(t.Target) {
+		q.kmsgWatcher.NotifyTaskStarted(t.ID, t.Target)
+		startedKmsgWatch = true
+	}
+	defer func() {
+		if startedKmsgWatch && q.kmsgWatcher != nil {
+			q.kmsgWatcher.NotifyTaskFinished(t.ID)
+		}
+	}()
+
 	stopTail := make(chan struct{})
 	doneTail := make(chan struct{})
 	defer func() {

audit/internal/webui/tasks_test.go

@@ -126,6 +126,23 @@ func TestNewTaskJobStateLoadsExistingLog(t *testing.T) {
 	}
 }
 
+func TestJobAppendFlushesTaskLogImmediately(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "task.log")
+	j := newTaskJobState(path)
+
+	j.append("live-line")
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(data) != "live-line\n" {
+		t.Fatalf("log=%q want live-line newline", string(data))
+	}
+	j.closeLog()
+}
+
 func TestTaskQueueSnapshotSortsNewestFirst(t *testing.T) {
 	now := time.Date(2026, 4, 2, 12, 0, 0, 0, time.UTC)
 	q := &taskQueue{
@@ -849,3 +866,82 @@ func TestExecuteTaskMarksPanicsAsFailedAndClosesKmsgWindow(t *testing.T) {
 		t.Fatalf("expected kmsg window to be cleared, got %+v", window)
 	}
 }
+
+func TestRunTaskExternalOpensAndClosesKmsgWindow(t *testing.T) {
+	dir := t.TempDir()
+	releasePath := filepath.Join(dir, "release")
+	readyPath := filepath.Join(dir, "ready")
+	q := &taskQueue{
+		opts:        &HandlerOptions{ExportDir: dir},
+		logsDir:     filepath.Join(dir, "tasks"),
+		kmsgWatcher: newKmsgWatcher(nil),
+		trigger:     make(chan struct{}, 1),
+	}
+	if err := os.MkdirAll(q.logsDir, 0755); err != nil {
+		t.Fatal(err)
+	}
+	tk := &Task{
+		ID:        "cpu-external-1",
+		Name:      "CPU SAT",
+		Target:    "cpu",
+		Status:    TaskRunning,
+		CreatedAt: time.Now(),
+	}
+	q.assignTaskLogPathLocked(tk)
+	j := newTaskJobState(tk.LogPath)
+
+	orig := externalTaskRunnerCommand
+	externalTaskRunnerCommand = func(exportDir, taskID string) (*exec.Cmd, error) {
+		script := "printf ready > \"$1\"; while [ ! -f \"$2\" ]; do sleep 0.05; done"
+		return exec.Command("sh", "-c", script, "sh", readyPath, releasePath), nil
+	}
+	defer func() { externalTaskRunnerCommand = orig }()
+
+	done := make(chan struct{})
+	go func() {
+		q.runTaskExternal(tk, j)
+		close(done)
+	}()
+
+	deadline := time.Now().Add(2 * time.Second)
+	for time.Now().Before(deadline) {
+		if _, err := os.Stat(readyPath); err == nil {
+			break
+		}
+		time.Sleep(20 * time.Millisecond)
+	}
+	if _, err := os.Stat(readyPath); err != nil {
+		t.Fatalf("external runner did not start: %v", err)
+	}
+
+	q.kmsgWatcher.mu.Lock()
+	activeCount := q.kmsgWatcher.activeCount
+	window := q.kmsgWatcher.window
+	q.kmsgWatcher.mu.Unlock()
+	if activeCount != 1 {
+		t.Fatalf("activeCount while running=%d want 1", activeCount)
+	}
+	if window == nil || len(window.targets) != 1 || window.targets[0] != "cpu" {
+		t.Fatalf("window while running=%+v", window)
+	}
+
+	if err := os.WriteFile(releasePath, []byte("1\n"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	select {
+	case <-done:
+	case <-time.After(2 * time.Second):
+		t.Fatal("runTaskExternal did not return")
+	}
+
+	q.kmsgWatcher.mu.Lock()
+	activeCount = q.kmsgWatcher.activeCount
+	window = q.kmsgWatcher.window
+	q.kmsgWatcher.mu.Unlock()
+	if activeCount != 0 {
+		t.Fatalf("activeCount after finish=%d want 0", activeCount)
+	}
+	if window != nil {
+		t.Fatalf("expected kmsg window to be cleared, got %+v", window)
+	}
+}

iso/builder/auto/config

@@ -16,6 +16,12 @@ else
     LB_LINUX_PACKAGES="linux-image"
 fi
 
+if [ -n "${BEE_ISO_VOLUME:-}" ]; then
+    LB_ISO_VOLUME="${BEE_ISO_VOLUME}"
+else
+    LB_ISO_VOLUME="EASY_BEE_${BEE_GPU_VENDOR_UPPER:-NVIDIA}"
+fi
+
 lb config noauto \
     --distribution bookworm \
     --architectures amd64 \
@@ -30,9 +36,9 @@ lb config noauto \
     --linux-flavours "amd64" \
     --linux-packages "${LB_LINUX_PACKAGES}" \
     --memtest memtest86+ \
-    --iso-volume "EASY_BEE_${BEE_GPU_VENDOR_UPPER:-NVIDIA}" \
+    --iso-volume "${LB_ISO_VOLUME}" \
     --iso-application "EASY-BEE-${BEE_GPU_VENDOR_UPPER:-NVIDIA}" \
-    --bootappend-live "boot=live components video=1920x1080 console=ttyS0,115200n8 console=tty0 loglevel=3 systemd.show_status=1 username=bee user-fullname=Bee modprobe.blacklist=nouveau,snd_hda_intel,snd_hda_codec_realtek,snd_hda_codec_generic,soundcore" \
+    --bootappend-live "boot=live live-media-label=${LB_ISO_VOLUME} components video=1920x1080 console=ttyS0,115200n8 console=tty0 loglevel=3 systemd.show_status=1 username=bee user-fullname=Bee modprobe.blacklist=nouveau,snd_hda_intel,snd_hda_codec_realtek,snd_hda_codec_generic,soundcore" \
     --debootstrap-options "--include=ca-certificates" \
     --apt-recommends false \
     --chroot-squashfs-compression-type zstd \

iso/builder/build.sh

@@ -69,12 +69,27 @@ mkdir -p "${CACHE_ROOT}"
 : "${GOMODCACHE:=${CACHE_ROOT}/go-mod}"
 export GOCACHE GOMODCACHE
 
-resolve_audit_version() {
+resolve_project_version() {
+    if [ -n "${BEE_VERSION:-}" ]; then
+        echo "${BEE_VERSION}"
+        return 0
+    fi
+
+    if [ -n "${BEE_AUDIT_VERSION:-}" ] && [ -n "${BEE_ISO_VERSION:-}" ] && [ "${BEE_AUDIT_VERSION}" != "${BEE_ISO_VERSION}" ]; then
+        echo "ERROR: BEE_AUDIT_VERSION (${BEE_AUDIT_VERSION}) and BEE_ISO_VERSION (${BEE_ISO_VERSION}) differ; versioning must stay synchronized" >&2
+        exit 1
+    fi
+
     if [ -n "${BEE_AUDIT_VERSION:-}" ]; then
         echo "${BEE_AUDIT_VERSION}"
         return 0
     fi
 
+    if [ -n "${BEE_ISO_VERSION:-}" ]; then
+        echo "${BEE_ISO_VERSION}"
+        return 0
+    fi
+
     tag="$(git -C "${REPO_ROOT}" describe --tags --match 'v[0-9]*' --abbrev=7 --dirty 2>/dev/null || true)"
     case "${tag}" in
         v*)
@@ -97,35 +112,6 @@ resolve_audit_version() {
     date +%Y%m%d
 }
 
-# ISO image versioned separately from the audit binary (iso/v* tags).
-resolve_iso_version() {
-    if [ -n "${BEE_ISO_VERSION:-}" ]; then
-        echo "${BEE_ISO_VERSION}"
-        return 0
-    fi
-
-    # Plain v* tags (e.g. v2.7) take priority — this is the current tagging scheme
-    tag="$(git -C "${REPO_ROOT}" describe --tags --match 'v[0-9]*' --abbrev=7 --dirty 2>/dev/null || true)"
-    case "${tag}" in
-        v*)
-            echo "${tag#v}"
-            return 0
-            ;;
-    esac
-
-    # Legacy iso/v* tags fallback
-    tag="$(git -C "${REPO_ROOT}" describe --tags --match 'iso/v*' --abbrev=7 --dirty 2>/dev/null || true)"
-    case "${tag}" in
-        iso/v*)
-            echo "${tag#iso/v}"
-            return 0
-            ;;
-    esac
-
-    # Fall back to audit version so the name is still meaningful
-    resolve_audit_version
-}
-
 sync_builder_workdir() {
     src_dir="$1"
     dst_dir="$2"
@@ -550,6 +536,11 @@ validate_iso_live_boot_entries() {
         rm -f "$grub_cfg" "$isolinux_cfg"
         exit 1
     }
+    grep -q 'linux .*live-media-label=EASY_BEE_' "$grub_cfg" || {
+        echo "ERROR: GRUB live entry is missing live-media-label pinning" >&2
+        rm -f "$grub_cfg" "$isolinux_cfg"
+        exit 1
+    }
 
     grep -q 'append .*boot=live ' "$isolinux_cfg" || {
         echo "ERROR: isolinux live entry is missing boot=live" >&2
@@ -561,11 +552,52 @@ validate_iso_live_boot_entries() {
         rm -f "$grub_cfg" "$isolinux_cfg"
         exit 1
     }
+    grep -q 'append .*live-media-label=EASY_BEE_' "$isolinux_cfg" || {
+        echo "ERROR: isolinux live entry is missing live-media-label pinning" >&2
+        rm -f "$grub_cfg" "$isolinux_cfg"
+        exit 1
+    }
 
     rm -f "$grub_cfg" "$isolinux_cfg"
     echo "=== live boot validation OK ==="
 }
 
+validate_iso_grub_theme_assets() {
+    iso_path="$1"
+    echo "=== validating GRUB theme assets in ISO ==="
+
+    [ -f "$iso_path" ] || {
+        echo "ERROR: ISO not found for GRUB theme validation: $iso_path" >&2
+        exit 1
+    }
+    require_iso_reader "$iso_path" >/dev/null 2>&1 || {
+        echo "ERROR: ISO reader unavailable for GRUB theme validation" >&2
+        exit 1
+    }
+
+    iso_files="$(mktemp)"
+    iso_list_files "$iso_path" > "$iso_files" || {
+        echo "ERROR: failed to list ISO files for GRUB theme validation" >&2
+        rm -f "$iso_files"
+        exit 1
+    }
+
+    for required in \
+        boot/grub/config.cfg \
+        boot/grub/theme.cfg \
+        boot/grub/live-theme/theme.txt \
+        boot/grub/live-theme/bee-logo.tga; do
+        grep -q "^${required}$" "$iso_files" || {
+            echo "ERROR: missing GRUB theme asset in ISO: ${required}" >&2
+            rm -f "$iso_files"
+            exit 1
+        }
+    done
+
+    rm -f "$iso_files"
+    echo "=== GRUB theme validation OK ==="
+}
+
 validate_iso_nvidia_runtime() {
     iso_path="$1"
     [ "$BEE_GPU_VENDOR" = "nvidia" ] || return 0
@@ -698,26 +730,20 @@ write_canonical_grub_cfg() {
     cat > "$cfg" <<EOF
 source /boot/grub/config.cfg
 
-echo ""
-echo "  ███████╗ █████╗ ███████╗██╗   ██╗      ██████╗ ███████╗███████╗"
-echo "  ██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝      ██╔══██╗██╔════╝██╔════╝"
-echo "  █████╗  ███████║███████╗ ╚████╔╝ █████╗██████╔╝█████╗  █████╗"
-echo "  ██╔══╝  ██╔══██║╚════██║  ╚██╔╝  ╚════╝██╔══██╗██╔══╝  ██╔══╝"
-echo "  ███████╗██║  ██║███████║   ██║         ██████╔╝███████╗███████╗"
-echo "  ╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝         ╚═════╝ ╚══════╝╚══════╝"
-echo "  Hardware Audit LiveCD"
-echo ""
-
 menuentry "EASY-BEE" {
-    linux   ${kernel} ${append_live} bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+    linux   ${kernel} ${append_live} nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
     initrd  ${initrd}
 }
 
 menuentry "EASY-BEE -- load to RAM (toram)" {
-    linux   ${kernel} ${append_live} toram bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+    linux   ${kernel} ${append_live} toram nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
     initrd  ${initrd}
 }
 
+menuentry "EASY-BEE -- no GUI / no X11" {
+    linux   ${kernel} ${append_live} nomodeset bee.gui=off bee.nvidia.mode=gsp-off pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+    initrd  ${initrd}
+}
 
 if [ "\${grub_platform}" = "efi" ]; then
     menuentry "Memory Test (memtest86+)" {
@@ -746,17 +772,23 @@ write_canonical_isolinux_cfg() {
     cat > "$cfg" <<EOF
 label live-@FLAVOUR@-normal
     menu label ^EASY-BEE
-    menu default
     linux ${kernel}
     initrd ${initrd}
     append ${append_live} nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
 
 label live-@FLAVOUR@-toram
     menu label EASY-BEE (^load to RAM)
+    menu default
     linux ${kernel}
     initrd ${initrd}
     append ${append_live} toram nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
 
+label live-@FLAVOUR@-console
+    menu label EASY-BEE (^no GUI / no X11)
+    linux ${kernel}
+    initrd ${initrd}
+    append ${append_live} nomodeset bee.gui=off bee.nvidia.mode=gsp-off net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+
 label live-@FLAVOUR@-gsp-off
     menu label EASY-BEE (^NVIDIA GSP=off)
     linux ${kernel}
@@ -992,11 +1024,11 @@ recover_iso_memtest() {
     fi
 }
 
-AUDIT_VERSION_EFFECTIVE="$(resolve_audit_version)"
-ISO_VERSION_EFFECTIVE="$(resolve_iso_version)"
-ISO_BASENAME="easy-bee-${BUILD_VARIANT}-v${ISO_VERSION_EFFECTIVE}-amd64"
+PROJECT_VERSION_EFFECTIVE="$(resolve_project_version)"
+ISO_BASENAME="easy-bee-${BUILD_VARIANT}-v${PROJECT_VERSION_EFFECTIVE}-amd64"
 # Versioned output directory: dist/easy-bee-v4.1/ — all final artefacts live here.
-OUT_DIR="${DIST_DIR}/easy-bee-v${ISO_VERSION_EFFECTIVE}"
+OUT_DIR="${DIST_DIR}/easy-bee-v${PROJECT_VERSION_EFFECTIVE}"
+ISO_VERSION_LABEL_TOKEN="$(printf '%s' "${PROJECT_VERSION_EFFECTIVE}" | tr '[:lower:].-' '[:upper:]__')"
 mkdir -p "${OUT_DIR}"
 LOG_DIR="${OUT_DIR}/${ISO_BASENAME}.logs"
 LOG_ARCHIVE="${OUT_DIR}/${ISO_BASENAME}.logs.tar.gz"
@@ -1172,7 +1204,7 @@ fi
 
 echo "=== bee ISO build (variant: ${BUILD_VARIANT}) ==="
 echo "Debian: ${DEBIAN_VERSION}, Kernel ABI: ${DEBIAN_KERNEL_ABI}, Go: ${GO_VERSION}"
-echo "Audit version: ${AUDIT_VERSION_EFFECTIVE}, ISO version: ${ISO_VERSION_EFFECTIVE}"
+echo "Project version: ${PROJECT_VERSION_EFFECTIVE}"
 echo ""
 
 run_step "sync git submodules" "05-git-submodules" \
@@ -1192,7 +1224,7 @@ if [ "$NEED_BUILD" = "1" ]; then
         "cd '${REPO_ROOT}/audit' && \
         env GOOS=linux GOARCH=amd64 CGO_ENABLED=0 \
             go build \
-            -ldflags '-s -w -X main.Version=${AUDIT_VERSION_EFFECTIVE}' \
+            -ldflags '-s -w -X main.Version=${PROJECT_VERSION_EFFECTIVE}' \
             -o '${BEE_BIN}' \
             ./cmd/bee"
     echo "binary: $BEE_BIN"
@@ -1467,8 +1499,10 @@ else
 fi
 
 cat > "${OVERLAY_STAGE_DIR}/etc/bee-release" <<EOF
-BEE_ISO_VERSION=${ISO_VERSION_EFFECTIVE}
-BEE_AUDIT_VERSION=${AUDIT_VERSION_EFFECTIVE}
+BEE_VERSION=${PROJECT_VERSION_EFFECTIVE}
+export BEE_VERSION
+BEE_ISO_VERSION=${PROJECT_VERSION_EFFECTIVE}
+BEE_AUDIT_VERSION=${PROJECT_VERSION_EFFECTIVE}
 BEE_BUILD_VARIANT=${BUILD_VARIANT}
 BEE_GPU_VENDOR=${BEE_GPU_VENDOR}
 BUILD_DATE=${BUILD_DATE}
@@ -1561,6 +1595,7 @@ if ! needs_full_build; then
     fast_path_rebuild_iso
     ISO_RAW="${LB_DIR}/live-image-amd64.hybrid.iso"
     validate_iso_live_boot_entries "$ISO_RAW"
+    validate_iso_grub_theme_assets "$ISO_RAW"
     validate_iso_nvidia_runtime "$ISO_RAW"
     cp "$ISO_RAW" "$ISO_OUT"
     echo ""
@@ -1575,7 +1610,8 @@ echo "=== building ISO (variant: ${BUILD_VARIANT}) ==="
 
 # Export for auto/config
 BEE_GPU_VENDOR_UPPER="$(echo "${BUILD_VARIANT}" | tr 'a-z-' 'A-Z_')"
-export BEE_GPU_VENDOR_UPPER
+BEE_ISO_VOLUME="EASY_BEE_${BEE_GPU_VENDOR_UPPER}_V${ISO_VERSION_LABEL_TOKEN}"
+export BEE_GPU_VENDOR_UPPER BEE_ISO_VOLUME
 
 cd "${LB_DIR}"
 run_step_sh "live-build clean" "80-lb-clean" "lb clean --all 2>&1 | tail -3"
@@ -1615,6 +1651,7 @@ if [ -f "$ISO_RAW" ]; then
     fi
     validate_iso_memtest "$ISO_RAW"
     validate_iso_live_boot_entries "$ISO_RAW"
+    validate_iso_grub_theme_assets "$ISO_RAW"
     validate_iso_nvidia_runtime "$ISO_RAW"
     cp "$ISO_RAW" "$ISO_OUT"
     touch "${FULL_BUILD_MARKER}"

iso/builder/config/bootloaders/grub-efi/config.cfg

@@ -1,5 +1,5 @@
-set default=0
-set timeout=5
+set default=1
+set timeout=10
 
 if [ x$feature_default_font_path = xy ] ; then
     font=unicode
@@ -8,7 +8,7 @@ else
 fi
 
 if loadfont $font ; then
-    set gfxmode=1920x1080,1280x1024,auto
+    set gfxmode=1280x1024,auto
     set gfxpayload=keep
     insmod efi_gop
     insmod efi_uga

iso/builder/config/bootloaders/grub-efi/grub.cfg

@@ -1,12 +1,17 @@
 source /boot/grub/config.cfg
 
 menuentry "EASY-BEE" {
-    linux   @KERNEL_LIVE@ @APPEND_LIVE@ bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+    linux   @KERNEL_LIVE@ @APPEND_LIVE@ nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
     initrd  @INITRD_LIVE@
 }
 
 menuentry "EASY-BEE -- load to RAM (toram)" {
-    linux   @KERNEL_LIVE@ @APPEND_LIVE@ toram bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+    linux   @KERNEL_LIVE@ @APPEND_LIVE@ toram nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+    initrd  @INITRD_LIVE@
+}
+
+menuentry "EASY-BEE -- no GUI / no X11" {
+    linux   @KERNEL_LIVE@ @APPEND_LIVE@ nomodeset bee.gui=off bee.nvidia.mode=gsp-off pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
     initrd  @INITRD_LIVE@
 }
 

iso/builder/config/bootloaders/grub-efi/live-theme/theme.txt

@@ -5,13 +5,6 @@ title-text: ""
 message-font: "Unifont Regular 16"
 terminal-font: "Unifont Regular 16"
 
-#bee logo - centered, upper third of screen
-+ image {
-        top = 4%
-        left = 50%-200
-        file = "bee-logo.tga"
-}
-
 #help bar at the bottom
 + label {
         top = 100%-50

iso/builder/config/bootloaders/isolinux/live.cfg.in

@@ -1,16 +1,22 @@
 label live-@FLAVOUR@-normal
     menu label ^EASY-BEE
-    menu default
     linux @LINUX@
     initrd @INITRD@
     append @APPEND_LIVE@ nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
 
 label live-@FLAVOUR@-toram
     menu label EASY-BEE (^load to RAM)
+    menu default
     linux @LINUX@
     initrd @INITRD@
     append @APPEND_LIVE@ toram nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
 
+label live-@FLAVOUR@-console
+    menu label EASY-BEE (^no GUI / no X11)
+    linux @LINUX@
+    initrd @INITRD@
+    append @APPEND_LIVE@ nomodeset bee.gui=off bee.nvidia.mode=gsp-off net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+
 label live-@FLAVOUR@-gsp-off
     menu label EASY-BEE (^NVIDIA GSP=off)
     linux @LINUX@

iso/builder/config/hooks/normal/9000-bee-setup.hook.chroot

@@ -67,6 +67,7 @@ chmod +x /usr/local/bin/bee-log-run    2>/dev/null || true
 chmod +x /usr/local/bin/bee-selfheal        2>/dev/null || true
 chmod +x /usr/local/bin/bee-boot-status    2>/dev/null || true
 chmod +x /usr/local/bin/bee-install        2>/dev/null || true
+chmod +x /usr/local/bin/bee-gui-gate       2>/dev/null || true
 chmod +x /usr/local/bin/bee-remount-medium 2>/dev/null || true
 if [ "$GPU_VENDOR" = "nvidia" ]; then
     chmod +x /usr/local/bin/bee-nvidia-load 2>/dev/null || true

iso/overlay/etc/motd

@@ -1,11 +1,4 @@
-
-  ███████╗ █████╗ ███████╗██╗   ██╗      ██████╗ ███████╗███████╗
-  ██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝      ██╔══██╗██╔════╝██╔════╝
-  █████╗  ███████║███████╗ ╚████╔╝ █████╗██████╔╝█████╗  █████╗
-  ██╔══╝  ██╔══██║╚════██║  ╚██╔╝  ╚════╝██╔══██╗██╔══╝  ██╔══╝
-  ███████╗██║  ██║███████║   ██║         ██████╔╝███████╗███████╗
-  ╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝         ╚═════╝ ╚══════╝╚══════╝
-
+  EASY BEE
   Hardware Audit LiveCD
   Build: %%BUILD_INFO%%
 

iso/overlay/etc/systemd/system/bee-audit.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Bee: hardware audit
-After=bee-preflight.service bee-network.service bee-nvidia.service bee-blackbox.service
+After=bee-preflight.service bee-nvidia.service bee-blackbox.service
 
 [Service]
 Type=oneshot

iso/overlay/etc/systemd/system/bee-network.service

@@ -1,7 +1,6 @@
 [Unit]
 Description=Bee: bring up network interfaces via DHCP
-After=local-fs.target bee-blackbox.service
-Before=network-online.target bee-audit.service
+After=bee-web.service bee-audit.service
 
 [Service]
 Type=oneshot

iso/overlay/etc/systemd/system/bee-preflight.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Bee: runtime preflight self-check
-After=bee-network.service bee-nvidia.service bee-blackbox.service
+After=bee-nvidia.service bee-blackbox.service
 Before=bee-audit.service
 
 [Service]

iso/overlay/etc/systemd/system/bee-selfheal.timer

@@ -3,7 +3,7 @@ Description=Bee: run self-heal checks periodically
 
 [Timer]
 OnBootSec=45sec
-OnUnitActiveSec=60sec
+OnUnitActiveSec=3min
 AccuracySec=15sec
 Unit=bee-selfheal.service
 

iso/overlay/etc/systemd/system/lightdm.service.d/bee-gui-gate.conf

@@ -0,0 +1,2 @@
+[Service]
+ExecCondition=/usr/local/bin/bee-gui-gate

iso/overlay/usr/local/bin/bee-boot-status

@@ -51,12 +51,7 @@ while true; do
     printf '\033[H\033[2J'
 
     printf '\n'
-    printf '  \033[33m███████╗ █████╗ ███████╗██╗   ██╗      ██████╗ ███████╗███████╗\033[0m\n'
-    printf '  \033[33m██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝      ██╔══██╗██╔════╝██╔════╝\033[0m\n'
-    printf '  \033[33m█████╗  ███████║███████╗ ╚████╔╝ █████╗██████╔╝█████╗  █████╗\033[0m\n'
-    printf '  \033[33m██╔══╝  ██╔══██║╚════██║  ╚██╔╝  ╚════╝██╔══██╗██╔══╝  ██╔══╝\033[0m\n'
-    printf '  \033[33m███████╗██║  ██║███████║   ██║         ██████╔╝███████╗███████╗\033[0m\n'
-    printf '  \033[33m╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝         ╚═════╝ ╚══════╝╚══════╝\033[0m\n'
+    printf '  \033[33mEASY BEE\033[0m\n'
     printf '  Hardware Audit LiveCD\n'
     printf '\n'
 

iso/overlay/usr/local/bin/bee-gui-gate

@@ -0,0 +1,27 @@
+#!/bin/sh
+# bee-gui-gate — skip starting the local GUI when bee.gui=off is set.
+
+set -eu
+
+cmdline_param() {
+    key="$1"
+    for token in $(cat /proc/cmdline 2>/dev/null); do
+        case "$token" in
+            "$key"=*)
+                echo "${token#*=}"
+                return 0
+                ;;
+        esac
+    done
+    return 1
+}
+
+mode="$(cmdline_param bee.gui || true)"
+case "${mode}" in
+    off|false|0|tty|console|text|nogui)
+        echo "bee-gui-gate: bee.gui=${mode}; skipping lightdm"
+        exit 1
+        ;;
+esac
+
+exit 0

iso/overlay/usr/local/bin/bee-network.sh

@@ -1,8 +1,9 @@
 #!/bin/sh
 # bee-network.sh — bring up all physical network interfaces via DHCP
-# Unattended: runs silently, logs results, never blocks.
+# Unattended: starts later in boot, runs quietly, and gives up after a bounded timeout.
 
 LOG_PREFIX="bee-network"
+DHCP_TIMEOUT_SECS=300
 
 log() { echo "[$LOG_PREFIX] $*"; }
 
@@ -19,9 +20,50 @@ if command -v udevadm >/dev/null 2>&1; then
     udevadm settle --timeout=5 >/dev/null 2>&1 || log "WARN: udevadm settle timed out"
 fi
 
+start_dhcp() {
+    iface="$1"
+    if ! ip link set "$iface" up; then
+        log "WARN: could not bring up $iface"
+        return 1
+    fi
+
+    carrier=$(cat "/sys/class/net/$iface/carrier" 2>/dev/null || true)
+    if [ "$carrier" = "1" ]; then
+        log "carrier detected on $iface"
+    else
+        log "carrier not detected on $iface"
+    fi
+
+    dhclient -r "$iface" >/dev/null 2>&1 || true
+
+    if timeout "${DHCP_TIMEOUT_SECS}" dhclient -4 -q -1 "$iface" >/dev/null 2>&1; then
+        addr="$(ip -4 -o addr show dev "$iface" scope global 2>/dev/null | awk '{print $4}' | head -1)"
+        if [ -n "$addr" ]; then
+            log "DHCP lease acquired on $iface ($addr)"
+        else
+            log "DHCP lease acquired on $iface"
+        fi
+        return 0
+    fi
+
+    rc=$?
+    case "$rc" in
+        124)
+            log "DHCP timed out on $iface after ${DHCP_TIMEOUT_SECS}s"
+            ;;
+        *)
+            log "DHCP failed on $iface (exit $rc)"
+            ;;
+    esac
+    dhclient -r "$iface" >/dev/null 2>&1 || true
+    return 1
+}
+
 started_ifaces=""
 started_count=0
 scan_pass=1
+pids=""
+pid_ifaces=""
 
 # Some server NICs appear a bit later after module/firmware init. Do a small
 # bounded rescan window without turning network bring-up into a boot blocker.
@@ -34,22 +76,11 @@ while [ "$scan_pass" -le 3 ]; do
                 *" $iface "*) continue ;;
             esac
 
-            log "bringing up $iface"
-            if ! ip link set "$iface" up; then
-                log "WARN: could not bring up $iface"
-                continue
-            fi
-
-            carrier=$(cat "/sys/class/net/$iface/carrier" 2>/dev/null || true)
-            if [ "$carrier" = "1" ]; then
-                log "carrier detected on $iface"
-            else
-                log "carrier not detected yet on $iface"
-            fi
-
-            # DHCP in background — non-blocking, keep dhclient verbose output in the service log.
-            dhclient -4 -v -nw "$iface" &
-            log "DHCP started for $iface (pid $!)"
+            log "starting DHCP on $iface (timeout ${DHCP_TIMEOUT_SECS}s)"
+            start_dhcp "$iface" &
+            pid="$!"
+            pids="$pids $pid"
+            pid_ifaces="$pid_ifaces $pid:$iface"
 
             started_ifaces="$started_ifaces $iface"
             started_count=$((started_count + 1))
@@ -68,4 +99,15 @@ if [ "$started_count" -eq 0 ]; then
     exit 0
 fi
 
-log "done (interfaces started: $started_count)"
+success_count=0
+for pid_iface in $pid_ifaces; do
+    pid="${pid_iface%%:*}"
+    iface="${pid_iface#*:}"
+    if wait "$pid"; then
+        success_count=$((success_count + 1))
+    else
+        log "DHCP did not complete successfully on $iface"
+    fi
+done
+
+log "done (interfaces scanned: $started_count, leases acquired: $success_count)"

iso/overlay/usr/local/bin/bee-remount-medium

@@ -28,6 +28,10 @@ done
 log() { echo "[$(date +%H:%M:%S)] $*"; }
 die() { log "ERROR: $*" >&2; exit 1; }
 
+if [ "$(id -u)" -ne 0 ]; then
+    die "bee-remount-medium must be run as root (use sudo or a root shell)"
+fi
+
 # Return all candidate block devices (optical + removable USB mass storage)
 find_candidates() {
     # CD/DVD drives

iso/overlay/usr/local/bin/bee-selfheal

@@ -8,11 +8,17 @@ EXPORT_DIR="/appdata/bee/export"
 AUDIT_JSON="${EXPORT_DIR}/bee-audit.json"
 RUNTIME_JSON="${EXPORT_DIR}/runtime-health.json"
 LOCK_DIR="/run/bee-selfheal.lock"
+EVENTS=0
 
 log() {
     echo "[${LOG_PREFIX}] $*"
 }
 
+log_event() {
+    EVENTS=$((EVENTS + 1))
+    log "$*"
+}
+
 have_nvidia_gpu() {
     lspci -Dn 2>/dev/null | awk '$2 ~ /^03(00|02):$/ && $3 ~ /^10de:/ { found=1; exit } END { exit(found ? 0 : 1) }'
 }
@@ -56,24 +62,22 @@ web_healthy() {
 mkdir -p "${EXPORT_DIR}" /run
 
 if ! mkdir "${LOCK_DIR}" 2>/dev/null; then
-    log "another self-heal run is already active"
+    log_event "another self-heal run is already active"
     exit 0
 fi
 trap 'rmdir "${LOCK_DIR}" >/dev/null 2>&1 || true' EXIT
 
-log "start"
-
 if have_nvidia_gpu && [ ! -e /dev/nvidia0 ]; then
-    log "NVIDIA GPU detected but /dev/nvidia0 is missing"
+    log_event "NVIDIA GPU detected but /dev/nvidia0 is missing"
     restart_service bee-nvidia.service || true
 fi
 
 runtime_state="$(artifact_state "${RUNTIME_JSON}")"
 if [ "${runtime_state}" != "ready" ]; then
     if [ "${runtime_state}" = "interrupted" ]; then
-        log "runtime-health.json.tmp exists — interrupted runtime-health write detected"
+        log_event "runtime-health.json.tmp exists — interrupted runtime-health write detected"
     else
-        log "runtime-health.json missing or empty"
+        log_event "runtime-health.json missing or empty"
     fi
     restart_service bee-preflight.service || true
 fi
@@ -81,19 +85,17 @@ fi
 audit_state="$(artifact_state "${AUDIT_JSON}")"
 if [ "${audit_state}" != "ready" ]; then
     if [ "${audit_state}" = "interrupted" ]; then
-        log "bee-audit.json.tmp exists — interrupted audit write detected"
+        log_event "bee-audit.json.tmp exists — interrupted audit write detected"
     else
-        log "bee-audit.json missing or empty"
+        log_event "bee-audit.json missing or empty"
     fi
     restart_service bee-audit.service || true
 fi
 
 if ! service_active bee-web.service; then
-    log "bee-web.service is not active"
+    log_event "bee-web.service is not active"
     restart_service bee-web.service || true
 elif ! web_healthy; then
-    log "bee-web health check failed"
+    log_event "bee-web health check failed"
     restart_service bee-web.service || true
 fi
-
-log "done"