diff --git a/.gitignore b/.gitignore index d66b159..d5045fd 100644 --- a/.gitignore +++ b/.gitignore @@ -122,6 +122,7 @@ usr/share/* !/usr/share/mios/** # AI files, knowledge, logs, user data belong in mios-bootstrap.git usr/share/mios/ai/ +usr/share/mios/knowledge/ usr/share/mios/memory/ usr/share/mios/user-preferences.md !/usr/share/containers/ diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md index fcd29d4..c636bfd 100644 --- a/ARCHITECTURE.md +++ b/ARCHITECTURE.md 
@@ -14,16 +14,43 @@ USBGuard, CrowdSec sovereign-mode IPS, kernel-lockdown integrity. See `SECURITY.md`. +## Base image — uCore HCI + +MiOS builds `FROM ghcr.io/ublue-os/ucore-hci:stable-nvidia` (`MIOS_BASE_IMAGE`). +uCore HCI is a Universal Blue derivative of Fedora CoreOS targeting +hyperconverged infrastructure: + +| Layer | What it provides | +|---|---| +| Fedora CoreOS foundation | Immutable ostree rootfs, composefs `/usr`, SELinux enforcing, podman, ZFS kernel modules | +| uCore additions | cockpit, firewalld, tailscale, mergerfs, samba, NFS | +| HCI additions | libvirt/KVM, QEMU, VFIO-PCI tooling, virtiofs | +| NVIDIA variant (`stable-nvidia`) | Proprietary driver akmods pre-built and MOK-signed; NVIDIA Container Toolkit | +| Stable stream kernel | LTS Linux 6.12 — server-grade stability, consistent ABI across updates | + +MiOS adds: GNOME 50 desktop, Looking Glass B7, KVM passthrough, k3s, Ceph, +full AI surface, and defense-in-depth hardening on top. + +Upstream: + ## Filesystem layout (FHS 3.0 + bootc) Spec: . -| Path | Type | Source-of-truth in repo | -|---|---|---| -| `/usr` | Immutable image content | `usr/` (overlaid by `automation/08-system-files-overlay.sh`) | -| `/etc` | Persistent admin-override surface; build-time writes are upstream-contract only | `etc/` | -| `/var` | Persistent state; declared via `tmpfiles.d` | `usr/lib/tmpfiles.d/mios*.conf` | -| `/srv` | Sidecar service data (models, databases) | `srv/`, `usr/lib/tmpfiles.d/mios.conf` | +bootc disposition reflects FHS 3.0's intent: `/usr` is explicitly +"shareable, read-only" in the spec — the composefs/ostree model enforces this +at the kernel level. `/etc` is the host-specific config surface; bootc applies +a 3-way merge (image default + previous state + admin edits) on upgrade so +local changes survive. `/var` is never touched by an upgrade. 
+ +| Path | FHS character | bootc disposition | Source-of-truth in repo | +|---|---|---|---| +| `/usr` | Read-only, shareable | Immutable composefs mount; change = new OCI image | `usr/` overlaid by `automation/08-system-files-overlay.sh` | +| `/etc` | Host-specific config | 3-way merge overlay; admin edits survive upgrades | `etc/` | +| `/var` | Mutable, persistent | Fully writable; never replaced on upgrade | `usr/lib/tmpfiles.d/mios*.conf` (LAW 2) | +| `/srv` | Data served by the system | Persistent; AI model weights, Ceph data | `usr/lib/tmpfiles.d/mios.conf` | +| `/run` | Ephemeral runtime (FHS 3.0) | tmpfs; cleared at boot; never in image layers | — | +| `/home` | User home directories | Persistent via `/var/home/` + symlink | `usr/lib/sysusers.d/` | Build-time writes to `/var/` are forbidden (LAW 2). The overlay step at `automation/08-system-files-overlay.sh:49-67` writes home dotfiles to 
@@ -43,17 +70,23 @@ in-image (`automation/53-bake-lookingglass-client.sh`). ## AI surface +All agents and tooling target `MIOS_AI_ENDPOINT` (`http://localhost:8080/v1`). +The endpoint implements the OpenAI v1 REST protocol — core surfaces: +`GET /v1/models`, `POST /v1/chat/completions` (streaming SSE supported), +`POST /v1/embeddings`. Auth: `Authorization: Bearer $MIOS_AI_KEY` (empty key +accepted by the local stack). Tool calling (`tools` array, +`finish_reason: tool_calls`) is supported for capable models. + | Service | Protocol | Path | |---|---|---| -| Inference | OpenAI-compatible REST | `http://localhost:8080/v1` (LocalAI Quadlet `etc/containers/systemd/mios-ai.container`) | +| Inference | OpenAI v1 REST | `MIOS_AI_ENDPOINT` (`http://localhost:8080/v1`) — Quadlet `etc/containers/systemd/mios-ai.container` | | Discovery | MCP | `usr/share/mios/ai/v1/mcp.json` | | Metadata | JSON | `usr/share/mios/ai/v1/models.json` | | System prompt | markdown | `usr/share/mios/ai/system.md` (canonical), `etc/mios/ai/system-prompt.md` (host override) | References: -- bootc: +- bootc: - bootc-image-builder: -- Universal Blue (uCore base): +- Universal Blue uCore HCI: - rechunk: - cosign: -- LocalAI: diff --git a/ENGINEERING.md b/ENGINEERING.md index 6d51361..fb776a1 100644 --- a/ENGINEERING.md +++ b/ENGINEERING.md 
@@ -95,6 +95,21 @@ fcontexts are declared via `semanage` calls in `automation/37-selinux.sh`. `/var/lib/mios/memory/journal/` via `usr/lib/tmpfiles.d/mios.conf`. - Declarative state: `tmpfiles.d` and `sysusers.d` only. +## Upstream base image constraints (bootc) + +`bootc container lint` (LAW 4) enforces at build time: +- Kernel present and detectable at `/usr/lib/modules//vmlinuz` +- No files written under `/var` or `/run` in image layers — these are + runtime-mutable and never part of the composefs rootfs +- `/usr` structurally valid (no dangling symlinks, no unexpected setuid files) +- OCI config has `architecture` and `os` fields set +- `systemd` must be PID 1 (init at `/sbin/init`) + +kargs.d constraint (also enforced by lint): flat `kargs = [...]` TOML array +only. No `[kargs]` section header, no `delete` sub-key. Files processed in +lexicographic order; earlier entries cannot be removed by later files in the +same image — use runtime `bootc kargs --delete` for removal. + ## Toolchain | Tool | Use | diff --git a/usr/share/mios/knowledge/mios-knowledge-graph.json b/usr/share/mios/knowledge/mios-knowledge-graph.json deleted file mode 100644 index 1f731e1..0000000 --- a/usr/share/mios/knowledge/mios-knowledge-graph.json +++ /dev/null 
@@ -1,126 +0,0 @@ -{ - "project": "MiOS", - "version": "0.2.2", - "type": "bootc-immutable-os", - "base": "Fedora CoreOS 44 + ucore-hci:stable-nvidia", - "ai_endpoint": "http://localhost:8080/v1", - - "repos": { - "system": "https://github.com/mios-dev/mios", - "bootstrap": "https://github.com/mios-dev/mios-bootstrap" - }, - - "architectural_laws": [ - "USR-OVER-ETC: static config in /usr/lib/.d/; /etc/ = admin overrides only", - "NO-MKDIR-IN-VAR: every /var/ path declared via usr/lib/tmpfiles.d/*.conf", - "BOUND-IMAGES: every Quadlet sidecar image symlinked in /usr/lib/bootc/bound-images.d/", - "BOOTC-CONTAINER-LINT: RUN bootc container lint is the final Containerfile instruction", - "UNIFIED-AI-REDIRECTS: MIOS_AI_ENDPOINT/MODEL/KEY target http://localhost:8080/v1; zero vendor URLs in committed files", - "UNPRIVILEGED-QUADLETS: every Quadlet defines User=, Group=, Delegate=yes; exceptions: mios-k3s.container, mios-ceph.container" - ], - - "directory_map": { - "/usr/bin/mios": "OpenAI-compatible CLI client", - "/usr/share/mios/PACKAGES.md": "SSOT for all RPM packages (fenced packages- blocks)", - "/usr/share/mios/env.defaults": "all MIOS_* variable definitions — single definition point", - "/usr/share/mios/profile.toml": "vendor identity/locale/feature defaults", - "/usr/share/mios/ai/system.md": "canonical agent system prompt", - "/usr/share/mios/ai/models.json": "OpenAI /v1/models catalog", - "/usr/share/mios/ai/mcp.json": "MCP server registry", - "/usr/share/mios/ai/vars.json": "global variables index (all version pins, ports, paths)", - "/etc/mios/profile.toml": "host/admin profile overrides", - "/etc/mios/install.env": "runtime identity (MIOS_USER, MIOS_HOSTNAME, mode 0640)", - "/etc/mios/ai/system-prompt.md": "host-local system prompt override", - "/etc/mios/ai/config.json": "host-local AI inference config", - "/var/lib/mios/ai/memory/": "persistent agent memory (sqlite WAL)", - "/var/lib/mios/ai/scratch/": "volatile inter-agent scratchpad (rotated daily)", - 
"/var/lib/mios/ai/journal.md": "chronological action log (append-only)", - "/srv/ai/models/": "GGUF/safetensors model weights" - }, - - "variables": { - "MIOS_VERSION": "0.2.2", - "MIOS_DEFAULT_USER": "mios", - "MIOS_DEFAULT_HOST": "mios", - "MIOS_IMAGE_REF": "ghcr.io/mios-dev/mios:latest", - "MIOS_BASE_IMAGE": "ghcr.io/ublue-os/ucore-hci:stable-nvidia", - "MIOS_LOCALAI_VERSION": "v2.20.0", - "MIOS_LOCALAI_IMAGE": "localai/localai:v2.20.0", - "MIOS_K3S_VERSION": "v1.32.1-k3s1", - "MIOS_K3S_IMAGE": "rancher/k3s:v1.32.1-k3s1", - "MIOS_CEPH_VERSION": "v18", - "MIOS_CEPH_IMAGE": "quay.io/ceph/ceph:v18", - "MIOS_AI_ENDPOINT": "http://localhost:8080/v1", - "MIOS_AI_MODEL": "qwen2.5-coder:7b", - "MIOS_AI_EMBED_MODEL": "nomic-embed-text", - "MIOS_AI_PORT": "8080", - "MIOS_QUADLET_SUBNET": "10.89.0.0/24", - "MIOS_SSH_PORT": "22", - "MIOS_COCKPIT_PORT": "9090", - "MIOS_K3S_API_PORT": "6443", - "MIOS_RECHUNK_MAX_LAYERS": "67", - "MIOS_WSL_DISTRO": "MiOS", - "MIOS_BUILDER_DISTRO": "MiOS-BUILDER" - }, - - "env_cascade": { - "order": "~/.config/mios/env > /etc/mios/install.env > /etc/mios/env.d/*.env > /usr/share/mios/env.defaults", - "all_vars_defined_at": "/usr/share/mios/env.defaults" - }, - - "system_prompt_cascade": { - "order": "$MIOS_AI_SYSTEM_PROMPT > ~/.config/mios/system-prompt.md > /etc/mios/ai/system-prompt.md > /usr/share/mios/ai/system.md" - }, - - "profile_cascade": { - "order": "~/.config/mios/profile.toml > /etc/mios/profile.toml > /usr/share/mios/profile.toml" - }, - - "ai_stack": { - "base_url": "http://localhost:8080/v1", - "model": "qwen2.5-coder:7b", - "embed_model": "nomic-embed-text", - "quadlet_unit": "mios-ai.container", - "port": 8080, - "model_volume": "/srv/ai/models" - }, - - "quadlet_sidecars": { - "network": "mios.network", - "subnet": "10.89.0.0/24", - "units": [ - {"name": "mios-ai.container", "image": "localai/localai:v2.20.0", "port": 8080, "condition": "PathIsDirectory=/etc/mios/ai"}, - {"name": "mios-k3s.container", "image": 
"rancher/k3s:v1.32.1-k3s1", "port": 6443, "condition": "!wsl !container", "privileged": true}, - {"name": "mios-ceph.container", "image": "quay.io/ceph/ceph:v18", "port": null, "condition": "PathExists=/etc/ceph/ceph.conf !container", "privileged": true} - ] - }, - - "build_pipeline": { - "entry": "Containerfile -> 08-system-files-overlay.sh -> automation/build.sh -> numbered scripts -> bootc container lint", - "package_ssot": "/usr/share/mios/PACKAGES.md (fenced packages- blocks)", - "script_count": 45, - "containerfile_only_scripts": ["08-system-files-overlay", "37-ollama-prep", "99-postcheck"], - "non_fatal_scripts": ["05","13","19","21","22","23","26","36-akmod","37-aichat","38","42","43","44","50","52","53"] - }, - - "install_surfaces": { - "windows": "install.ps1 via irm | iex", - "linux_bootc": "bootc switch ghcr.io/mios-dev/mios:latest", - "linux_fhs": "install.sh via curl | bash (Total Root Merge)" - }, - - "day2_operations": [ - "sudo bootc upgrade && sudo systemctl reboot", - "sudo bootc switch ", - "sudo bootc rollback", - "sudo bootc status", - "mios \"\"" - ], - - "core_concepts": { - "bootc": "OCI image → bootable OS, atomic updates, composefs backend", - "immutability": "/usr read-only at runtime, /etc + /var mutable, composefs integrity", - "multi_surface":"WSL2, Hyper-V, QEMU, bare metal, k3s nodes from single OCI image", - "security": "SELinux enforcing, fapolicyd, composefs-verity, cosign signing" - } -} diff --git a/usr/share/mios/knowledge/script-inventory.json b/usr/share/mios/knowledge/script-inventory.json deleted file mode 100644 index 8764232..0000000 --- a/usr/share/mios/knowledge/script-inventory.json +++ /dev/null 
@@ -1,56 +0,0 @@ -{ - "version": "0.2.2", - "note": "Scripts run by automation/build.sh in numeric order. Containerfile-only scripts are skipped by the orchestrator.", - "containerfile_only": ["08-system-files-overlay.sh", "37-ollama-prep.sh", "99-postcheck.sh"], - "non_fatal": ["05-enable-external-repos.sh","13-ceph-k3s.sh","19-k3s-selinux.sh","21-moby-engine.sh","22-freeipa-client.sh","23-uki-render.sh","26-gnome-remote-desktop.sh","36-akmod-guards.sh","37-aichat.sh","38-vm-gating.sh","42-cosign-policy.sh","43-uupd-installer.sh","44-podman-machine-compat.sh","50-enable-log-copy-service.sh","52-bake-kvmfr.sh","53-bake-lookingglass-client.sh"], - "scripts": [ - {"script": "01-repos.sh", "purpose": "RPMFusion, Terra, CrowdSec repos; DNF optimization"}, - {"script": "02-kernel.sh", "purpose": "kernel-devel, kernel-headers, kernel-tools"}, - {"script": "05-enable-external-repos.sh", "purpose": "COPR repos", "fatal": false}, - {"script": "08-system-files-overlay.sh", "purpose": "FHS overlay copy; bound-images symlinks", "containerfile_only": true}, - {"script": "10-gnome.sh", "purpose": "GNOME 50, GDM, PipeWire, Bluetooth, Flatpak, Geist font"}, - {"script": "11-hardware.sh", "purpose": "GPU drivers, sensors, hardware packages"}, - {"script": "12-virt.sh", "purpose": "KVM/QEMU/libvirt/Cockpit/Podman stack"}, - {"script": "13-ceph-k3s.sh", "purpose": "Ceph + K3s packages", "fatal": false}, - {"script": "18-apply-boot-fixes.sh", "purpose": "Kernel/bootloader configuration"}, - {"script": "19-k3s-selinux.sh", "purpose": "Build K3s SELinux policy module", "fatal": false}, - {"script": "20-fapolicyd-trust.sh", "purpose": "fapolicyd whitelist init"}, - {"script": "20-services.sh", "purpose": "Enable systemd units via preset"}, - {"script": "21-moby-engine.sh", "purpose": "Docker-compatible moby-engine", "fatal": false}, - {"script": "22-freeipa-client.sh", "purpose": "FreeIPA/SSSD enrollment setup", "fatal": false}, - {"script": "23-uki-render.sh", "purpose": "UKI (Unified 
Kernel Image) prep", "fatal": false}, - {"script": "25-firewall-ports.sh", "purpose": "Open ports for services"}, - {"script": "26-gnome-remote-desktop.sh", "purpose": "GNOME RDP/VNC setup", "fatal": false}, - {"script": "30-locale-theme.sh", "purpose": "Timezone, locale, dconf color-scheme=prefer-dark"}, - {"script": "31-user.sh", "purpose": "sysusers user creation, PAM, sudoers, home from /etc/skel"}, - {"script": "32-hostname.sh", "purpose": "hostnamectl set"}, - {"script": "33-firewall.sh", "purpose": "Default zone=drop, allow SSH/Cockpit/libvirt"}, - {"script": "34-gpu-detect.sh", "purpose": "GPU detection service setup"}, - {"script": "35-gpu-passthrough.sh", "purpose": "VFIO/PCI passthrough config"}, - {"script": "35-gpu-pv-shim.sh", "purpose": "GPU paravirt shim"}, - {"script": "35-init-service.sh", "purpose": "mios-role.service init"}, - {"script": "36-akmod-guards.sh", "purpose": "akmod-nvidia build safety", "fatal": false}, - {"script": "36-tools.sh", "purpose": "btop, jq, yq, git, tmux, vim, distrobox, just, strace"}, - {"script": "37-aichat.sh", "purpose": "aichat + aichat-ng binary install", "fatal": false}, - {"script": "37-flatpak-env.sh", "purpose": "Flatpak remote setup"}, - {"script": "37-ollama-prep.sh", "purpose": "Model pull prep", "containerfile_only": true}, - {"script": "37-selinux.sh", "purpose": "Build + install SELinux policy modules"}, - {"script": "38-vm-gating.sh", "purpose": "VM-specific service config", "fatal": false}, - {"script": "39-desktop-polish.sh", "purpose": "GNOME extensions, dconf settings"}, - {"script": "40-composefs-verity.sh", "purpose": "composefs + dm-verity (immutable rootfs)"}, - {"script": "42-cosign-policy.sh", "purpose": "Container signing policy", "fatal": false}, - {"script": "43-uupd-installer.sh", "purpose": "uupd + greenboot auto-update", "fatal": false}, - {"script": "44-podman-machine-compat.sh", "purpose": "Podman machine compat mode", "fatal": false}, - {"script": "45-nvidia-cdi-refresh.sh", "purpose": 
"NVIDIA CDI generation"}, - {"script": "46-greenboot.sh", "purpose": "Greenboot health-check + auto-rollback (3 failures)"}, - {"script": "47-hardening.sh", "purpose": "USBGuard, auditd, fapolicyd enforcement"}, - {"script": "49-finalize.sh", "purpose": "Final cleanup, image optimization"}, - {"script": "50-enable-log-copy-service.sh", "purpose": "Build log accessibility", "fatal": false}, - {"script": "52-bake-kvmfr.sh", "purpose": "kvmfr kmod compile + MOK sign", "fatal": false}, - {"script": "53-bake-lookingglass-client.sh", "purpose": "Looking Glass B7 build", "fatal": false}, - {"script": "90-generate-sbom.sh", "purpose": "CycloneDX SBOM via syft"}, - {"script": "98-boot-config.sh", "purpose": "Final boot configuration"}, - {"script": "99-cleanup.sh", "purpose": "dnf cache, temp, docs, logs cleanup"}, - {"script": "99-postcheck.sh", "purpose": "Technical invariant validation", "containerfile_only": true} - ] -} diff --git a/usr/share/mios/knowledge/upstream-gaps.json b/usr/share/mios/knowledge/upstream-gaps.json deleted file mode 100644 index b1ddf9d..0000000 --- a/usr/share/mios/knowledge/upstream-gaps.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "object": "knowledge", - "version": "0.2.2", - "description": "Upstream tooling gaps, hardware workarounds, and open implementation items. Decisions documented here override upstream defaults in the MiOS build pipeline.", - - "tooling_gaps": [ - { - "id": "cosign-v3-incompatibility", - "area": "supply-chain", - "severity": "blocking", - "summary": "rpm-ostree cannot consume OCI 1.1 bundle format produced by cosign v3", - "workaround": "Pin cosign to v2.x. Enforced in automation/42-cosign-policy.sh and PACKAGES.md packages-supply-chain block.", - "affected_vars": ["MIOS_COSIGN_VERSION"], - "status": "active-workaround" - }, - { - "id": "bib-squash-all-metadata-loss", - "area": "build", - "severity": "blocking", - "summary": "--squash-all on podman build or bootc-image-builder strips ostree.final-diffid OCI metadata, breaking the bootc update chain", - "workaround": "Never pass --squash-all. Enforced in Hard Rules (system.md) and Containerfile.", - "status": "active-workaround" - }, - { - "id": "bootc-fetch-apply-updates-narrow", - "area": "update", - "severity": "functional", - "summary": "bootc-fetch-apply-updates.timer ignores Flatpaks and Distrobox containers", - "workaround": "Replaced with uupd (Universal Blue unified updater). Installed in automation/43-uupd-installer.sh.", - "status": "resolved-by-uupd" - }, - { - "id": "dnf5-weak-deps-syntax", - "area": "build", - "severity": "silent-failure", - "summary": "DNF4 install_weakdeps option is silently ignored by DNF5; correct DNF5 form is install_weak_deps (underscore)", - "workaround": "All automation scripts use install_weak_deps=False. 
Enforced in system.md hard rules and .cursorrules.", - "status": "active-workaround" - }, - { - "id": "fedora44-filesystem-scriptlet-bug", - "area": "build", - "severity": "build-failure", - "summary": "Fedora 44 filesystem package %posttrans Lua scriptlet fails in containerized OCI builds", - "workaround": "Two-phase distro-sync: phase 1 installs core libs, phase 2 installs userspace. Implemented in automation/01-repos.sh.", - "status": "active-workaround" - } - ], - - "hardware_gaps": [ - { - "id": "nvidia-blackwell-vfio-reset", - "area": "gpu", - "severity": "functional", - "summary": "NVIDIA RTX 50-series (Blackwell) reset bug with VFIO passthrough", - "workaround": "Kernel arg vfio_pci.disable_idle_d3=1 injected via usr/lib/bootc/kargs.d/13-rtx50-vfio-workaround.toml.", - "status": "active-workaround" - }, - { - "id": "wsl2-nftables-missing", - "area": "networking", - "severity": "functional", - "summary": "WSL2 kernel lacks nftables support; firewalld nftables backend fails silently in WSL2", - "workaround": "Image includes iptables-legacy. WSL2 deployments fall back to iptables-legacy backend automatically.", - "status": "active-workaround" - }, - { - "id": "gtk4-theme-env-broken", - "area": "desktop", - "severity": "ui", - "summary": "GTK_THEME environment variable does not apply to GTK4/libadwaita apps", - "workaround": "Use ADW_DEBUG_COLOR_SCHEME=prefer-dark and dconf color-scheme='prefer-dark'. GTK_THEME=Adwaita-dark is banned in all MiOS scripts.", - "status": "resolved-by-convention" - }, - { - "id": "gnome-malcontent-hard-dep", - "area": "desktop", - "severity": "packaging", - "summary": "malcontent parental control package is a hard dependency of gnome-shell; removing it uninstalls the entire GNOME desktop", - "workaround": "malcontent is retained in the image. 
Do not remove it from PACKAGES.md packages-gnome block.", - "status": "active-workaround" - } - ], - - "planned_integrations": [ - { - "id": "uki-composefs-boot", - "area": "boot", - "target_version": "0.3.0", - "summary": "Full composefs + UKI (Unified Kernel Image) boot chain", - "current_state": "Prep script exists (automation/23-uki-render.sh, non-fatal). Awaiting upstream bootloader stabilization.", - "status": "partial" - }, - { - "id": "tpm2-measured-boot", - "area": "security", - "target_version": "0.3.0", - "summary": "Full measured boot attestation via sbsigntools and tpm2-tss", - "current_state": "TPM2 tooling present in image. Full attestation partially implemented; awaiting upstream stabilization.", - "status": "partial" - }, - { - "id": "ai-model-staging-ci", - "area": "ai", - "target_version": "0.3.0", - "summary": "Automated model pull (LocalAI/Ollama) in CI pipeline", - "current_state": "Skipped in CI due to runner resource constraints (automation/37-ollama-prep.sh Containerfile-only). Models are a Day-2 post-install step.", - "affected_vars": ["MIOS_LOCALAI_VERSION", "MIOS_AI_MODEL", "MIOS_AI_EMBED_MODEL"], - "status": "day2-only" - } - ], - - "openai_api_surface": { - "description": "All AI API endpoints follow OpenAI v1 spec. 
No vendor-specific extensions.", - "base_url": "http://localhost:8080/v1", - "endpoints": { - "GET /v1/models": "static catalog from /usr/share/mios/ai/v1/models.json", - "POST /v1/chat/completions": "LocalAI container on MIOS_AI_PORT=8080", - "POST /v1/embeddings": "LocalAI container, model=MIOS_AI_EMBED_MODEL", - "MCP": "/usr/share/mios/ai/v1/mcp.json -> /usr/bin/mios-status --mcp-mode" - }, - "resolution_chain": { - "system_prompt": [ - "$MIOS_AI_SYSTEM_PROMPT", - "~/.config/mios/system-prompt.md", - "/etc/mios/ai/system-prompt.md", - "/usr/share/mios/ai/system.md" - ], - "env_vars": [ - "~/.config/mios/env", - "/etc/mios/install.env", - "/etc/mios/env.d/*.env", - "/usr/share/mios/env.defaults" - ], - "profile": [ - "~/.config/mios/profile.toml", - "/etc/mios/profile.toml", - "/usr/share/mios/profile.toml" - ] - }, - "fhs_paths": { - "/usr/share/mios/ai/system.md": "canonical system prompt (image-baked)", - "/usr/share/mios/ai/v1/models.json": "GET /v1/models static catalog", - "/usr/share/mios/ai/v1/mcp.json": "MCP server registry", - "/usr/share/mios/ai/v1/config.json": "client config (base_url, model, embed_model)", - "/usr/share/mios/ai/vars.json": "global variables index (all MIOS_* definitions)", - "/etc/mios/ai/system-prompt.md": "host-local system prompt override", - "/etc/mios/ai/config.json": "host-local inference config override", - "~/.config/mios/system-prompt.md": "per-user system prompt override (highest precedence)", - "~/.config/mios/env": "per-user MIOS_* variable overrides" - } - } -}
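Review bot: the `.gitignore` hunk ignores `usr/share/mios/knowledge/` while the same patch deletes the three JSON files under that path, but nothing in the diff shows them landing in mios-bootstrap.git, which the comment above the hunk names as their home; confirm the migration commit exists before this merges, otherwise the version pins, port list and workaround rationale those files carry are lost rather than moved. The adjacent context line already ignores `usr/share/mios/ai/`, yet the ARCHITECTURE.md AI-surface table in this patch still cites `usr/share/mios/ai/v1/mcp.json` and `usr/share/mios/ai/system.md` as in-repo paths; a one-line pointer there ("sourced from mios-bootstrap.git") would stop readers looking for files this repo does not track.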
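Review bot: in the ARCHITECTURE.md "Base image" hunk, `FROM ghcr.io/ublue-os/ucore-hci:stable-nvidia` is documented as the build input but `stable-nvidia` is a floating tag, so the paragraph should say how the base is pinned or verified (a digest pin, or cosign verification of the upstream image before the build starts); cosign is already in the reference list, and the supply-chain claim in the table ("akmods pre-built and MOK-signed") only means something if the image that supplies them is the one that was verified. In the filesystem table of the same hunk, the `/home` row names `usr/lib/sysusers.d/` as the source of truth, but sysusers.d declares accounts, not directories; the row should point at whatever creates `/var/home/` (the tmpfiles.d conf, or `31-user.sh`, which the deleted inventory describes as "home from /etc/skel").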
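Review bot: the AI-surface hunk in ARCHITECTURE.md states that an empty `MIOS_AI_KEY` is accepted by the local stack, which means `MIOS_AI_ENDPOINT` (`http://localhost:8080/v1`) is effectively unauthenticated; the paragraph should name the compensating control explicitly: the `mios-ai.container` Quadlet publishes 8080 on loopback only, and 8080 stays out of the firewall allow list (`25-firewall-ports.sh` / `33-firewall.sh`), since any process on the host or on the sidecar network (`10.89.0.0/24` per the deleted knowledge graph) that can reach the port can drive the model. Tool calling is advertised ("`tools` array, `finish_reason: tool_calls`") without saying which tools agents may call; point at the MCP registry (`usr/share/mios/ai/v1/mcp.json`) as the authoritative tool list so the trust boundary is written down. The reference line `- LocalAI:` is removed and "LocalAI" is dropped from the inference row, presumably under the zero-vendor-URL rule, but the row then no longer says what backs the endpoint; naming the selecting variable (`MIOS_LOCALAI_IMAGE` in the deleted knowledge graph) keeps the row actionable without a vendor URL.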
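Review bot: the ENGINEERING.md hunk presents five bullets as things `bootc container lint` enforces, but they are paraphrases; list the lint names the tool itself reports so each claim can be checked against the installed bootc version, and mark which ones fail the build versus only warn. The kargs.d paragraph correctly says an earlier entry cannot be removed by a later file in the same image, which also protects a hardening argument (such as the kernel lockdown setting `SECURITY.md` is cited for) from being silently dropped, but a later file can still append a conflicting value and for most parameters the kernel honours the last occurrence; the paragraph should state which kargs.d file owns the security-relevant arguments and that other files must not repeat those keys.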
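Review bot: deleting `mios-knowledge-graph.json` removes the only copy in this repo of the six architectural laws (USR-OVER-ETC, NO-MKDIR-IN-VAR, BOUND-IMAGES, BOOTC-CONTAINER-LINT, UNIFIED-AI-REDIRECTS, UNPRIVILEGED-QUADLETS) and of the privileged-Quadlet exception list (`mios-k3s.container`, `mios-ceph.container`); ARCHITECTURE.md and ENGINEERING.md in this same patch refer to "LAW 2" and "LAW 4" by number, so the numbered list needs a home in a tracked markdown file or those references dangle. The file also recorded the `/etc/mios/install.env` mode (`0640`) and the sidecar subnet; if those are now defined only in `/usr/share/mios/env.defaults`, one sentence saying so in ENGINEERING.md closes the loop.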
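Review bot: `script-inventory.json` is the only place in the diff that records which build scripts are non-fatal, and that list includes `42-cosign-policy.sh` (container signing policy), `19-k3s-selinux.sh` and `36-akmod-guards.sh`; a non-fatal signing-policy step means an image can build successfully with no signature policy installed, so the list, or at least its security-relevant members, belongs in ENGINEERING.md before this file is dropped. Note also that the deleted knowledge graph's `script_count: 45` matches the 48 entries here only when the three `containerfile_only` scripts are excluded; state that definition wherever the inventory is reconstituted.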
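Review bot: `upstream-gaps.json` carries the rationale for three build-time controls that remain in the repo after this patch: the cosign v2.x pin (`cosign-v3-incompatibility`, enforced in `automation/42-cosign-policy.sh` and the PACKAGES.md supply-chain block), the ban on `--squash-all` (which strips `ostree.final-diffid` and breaks the bootc update chain), and the DNF5 `install_weak_deps` spelling; once the file is gone, the next person to bump cosign or add `--squash-all` has no in-repo record of why not. The "Upstream base image constraints (bootc)" section this patch adds to ENGINEERING.md is the natural place for those three `tooling_gaps` entries; the hardware workarounds and the `planned_integrations` (UKI boot and TPM2 measured boot, both marked partial) can move with the rest of the knowledge set.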