fix(os): refresh USB persistence hardening

Author: NubsCarson

packages/os/linux/variants/milady-tails/build.sh

@@ -54,6 +54,11 @@ if [ ! -d "${TAILS_SRC}/config" ]; then
     exit 1
 fi
 
+if [ "${STAGE}" = "binary" ] && [ "${ELIZAOS_SYNC_CHROOT:-1}" = "1" ]; then
+    echo "=== syncing elizaOS overlay into existing chroot ==="
+    "${HERE}/scripts/sync-runtime-to-chroot.sh"
+fi
+
 echo "=== building image ${IMAGE} ==="
 # The image bakes in only Tails' live-build fork; the Dockerfile's build
 # context needs that source available as tails-live-build/. The vendored

packages/os/linux/variants/milady-tails/scripts/prepare-milady-app-overlay.mjs

@@ -256,6 +256,103 @@ export default plugin;
 
 const optionalStubPackages = new Map(
   Object.entries({
+    "@elizaos/app-model-tester": `
+export const modelTesterPlugin = {
+  name: "model-tester",
+  description: "Model tester routes are not bundled in elizaOS Live.",
+  routes: [],
+};
+export default modelTesterPlugin;
+`,
+    "@elizaos/plugin-companion": `
+export const appCompanionPlugin = {
+  name: "companion",
+  description: "Companion overlay placeholder for elizaOS Live. The full 3D companion bundle can be installed through app updates.",
+  actions: [],
+  providers: [],
+  services: [],
+  routes: [],
+};
+export const companionPlugin = appCompanionPlugin;
+export const registerCompanionApp = () => undefined;
+export default appCompanionPlugin;
+`,
+    "@elizaos/plugin-lifeops": `
+export const appLifeOpsPlugin = {
+  name: "lifeops",
+  description: "LifeOps placeholder for elizaOS Live. Cloud connectors and proactive workflows become available after provider setup.",
+  actions: [],
+  providers: [],
+  services: [],
+  routes: [],
+};
+export const lifeopsPlugin = {
+  name: "lifeops-routes",
+  routes: [],
+};
+export const BrowserBridgePluginService = undefined;
+export const browserBridgeProvider = undefined;
+export const detectHealthBackend = () => ({ available: false, backend: "none" });
+export const handleLifeOpsRoutes = async () => false;
+export const handleWebsiteBlockerRoutes = async () => false;
+export default appLifeOpsPlugin;
+`,
+    "@elizaos/plugin-documents": `
+export const documentsPlugin = {
+  name: "documents",
+  description: "Documents app routes are not bundled in the elizaOS Live base runtime.",
+  routes: [],
+};
+export const plugin = documentsPlugin;
+export default documentsPlugin;
+`,
+    "@elizaos/plugin-hyperliquid-app": `
+export const hyperliquidPlugin = {
+  name: "hyperliquid",
+  description: "Hyperliquid app routes are not bundled in the elizaOS Live base runtime.",
+  routes: [],
+};
+export const plugin = hyperliquidPlugin;
+export default hyperliquidPlugin;
+`,
+    "@elizaos/plugin-polymarket-app": `
+export const polymarketPlugin = {
+  name: "polymarket",
+  description: "Polymarket app routes are not bundled in the elizaOS Live base runtime.",
+  routes: [],
+};
+export const plugin = polymarketPlugin;
+export default polymarketPlugin;
+`,
+    "@elizaos/plugin-shopify-ui": `
+export const shopifyPlugin = {
+  name: "shopify",
+  routes: [],
+};
+export default shopifyPlugin;
+`,
+    "@elizaos/plugin-steward-app": `
+export const stewardPlugin = {
+  name: "steward",
+  routes: [],
+};
+export default stewardPlugin;
+`,
+    "@elizaos/plugin-training": `
+export const trainingPlugin = {
+  name: "training",
+  routes: [],
+};
+export const registerTrainingRuntimeHooks = async () => undefined;
+export default trainingPlugin;
+`,
+    "@elizaos/plugin-vincent": `
+export const vincentPlugin = {
+  name: "vincent",
+  routes: [],
+};
+export default vincentPlugin;
+`,
     "@elizaos/plugin-whatsapp": `
 const noop = () => undefined;
 const falseRoute = async () => false;
@@ -388,6 +485,15 @@ export default undefined;
   }).map(([packageName, source]) => [packageName, `${source.trimStart()}\n`]),
 );
 
+const forceLiveStubPackages = new Set([
+  "@elizaos/plugin-companion",
+  "@elizaos/plugin-documents",
+  "@elizaos/plugin-google",
+  "@elizaos/plugin-hyperliquid-app",
+  "@elizaos/plugin-lifeops",
+  "@elizaos/plugin-polymarket-app",
+]);
+
 const chromiumFlags = {
   "disable-gpu": true,
   "disable-gpu-compositing": true,
@@ -495,7 +601,11 @@ function isLiveStubPackage(packageJson) {
 
 function shouldWriteLiveFallbackPackage(packageName) {
   const packageJson = readPackageManifest(packageName);
-  return !packageJson || isLiveStubPackage(packageJson);
+  return (
+    forceLiveStubPackages.has(packageName) ||
+    !packageJson ||
+    isLiveStubPackage(packageJson)
+  );
 }
 
 function sourcePackageManifest(_packageName, packageJson) {
@@ -1007,7 +1117,10 @@ function collectPackageInventory(projectedPackages = []) {
 
 function packageStatus(packageName) {
   const packageJson = readPackageManifest(packageName);
-  const generated = !packageJson || isLiveStubPackage(packageJson);
+  const generated =
+    forceLiveStubPackages.has(packageName) ||
+    !packageJson ||
+    isLiveStubPackage(packageJson);
   return {
     packageName,
     packagePath: relativeToStage(packageManifestPath(packageName)),

packages/os/linux/variants/milady-tails/scripts/static-smoke.sh

@@ -878,6 +878,48 @@ for unit in \
 do
     grep -q '^ConditionPathExists=!/run/elizaos/persistence-maintenance$' "${unit}"
 done
+if [ "${SOURCE_ONLY}" != "1" ]; then
+    verify_materialized_file() {
+        local rel="$1"
+        local src="tails/config/chroot_local-includes/${rel}"
+        local chroot_path="tails/chroot/${rel}"
+        local squashfs="tails/binary/live/filesystem.squashfs"
+        local tmp
+
+        if [ -e "${chroot_path}" ] && ! cmp -s "${src}" "${chroot_path}"; then
+            echo "${chroot_path} is stale; run scripts/sync-runtime-to-chroot.sh before binary rebuilds." >&2
+            exit 1
+        fi
+
+        if [ -f "${squashfs}" ] && command -v unsquashfs >/dev/null 2>&1; then
+            tmp="$(mktemp)"
+            if ! unsquashfs -cat "${squashfs}" "${rel}" >"${tmp}" 2>/dev/null; then
+                rm -f "${tmp}"
+                echo "${squashfs} is missing ${rel}" >&2
+                exit 1
+            fi
+            if ! cmp -s "${src}" "${tmp}"; then
+                rm -f "${tmp}"
+                echo "${squashfs}:${rel} is stale; rebuild the binary image after syncing the chroot." >&2
+                exit 1
+            fi
+            rm -f "${tmp}"
+        fi
+    }
+
+    for rel in \
+        etc/systemd/user/elizaos-agent.service \
+        etc/systemd/user/elizaos-renderer.service \
+        etc/systemd/user/milady.service \
+        usr/lib/systemd/user/tails-create-persistent-storage.service \
+        usr/local/lib/elizaos/create-persistent-storage-session \
+        usr/local/lib/elizaos/persistence-maintenance \
+        usr/local/lib/persistent-storage/on-activated-hooks/MiladyData/20-restart-milady \
+        usr/local/lib/persistent-storage/on-deactivated-hooks/MiladyData/20-restart-milady
+    do
+        verify_materialized_file "${rel}"
+    done
+fi
 if grep -q 'systemctl --global enable elizaos-pill.service' \
     tails/config/chroot_local-hooks/52-update-systemd-units; then
     echo "Voice pill must stay installed but opt-in until the pill renderer is production-ready." >&2
@@ -1186,13 +1228,24 @@ for (const root of [
       throw new Error(`${distIndex}: required runtime plugin dist is missing`);
     }
   }
-  const googleStubPath = `${nodeModules}/@elizaos/plugin-google/index.js`;
-  const googlePackagePath = `${nodeModules}/@elizaos/plugin-google/package.json`;
-  const googlePackage = JSON.parse(fs.readFileSync(googlePackagePath, "utf8"));
-  if (googlePackage.version === "0.0.0-elizaos-live-stub") {
-    const googleStub = fs.readFileSync(googleStubPath, "utf8");
-    if (!googleStub.includes("googlePlugin")) {
-      throw new Error(`${googleStubPath}: Google connector stub is malformed`);
+  const forcedLiveStubs = new Map([
+    ["@elizaos/plugin-companion", "companion"],
+    ["@elizaos/plugin-documents", "documents"],
+    ["@elizaos/plugin-google", "google"],
+    ["@elizaos/plugin-hyperliquid-app", "hyperliquid"],
+    ["@elizaos/plugin-lifeops", "lifeops"],
+    ["@elizaos/plugin-polymarket-app", "polymarket"],
+  ]);
+  for (const [packageName, marker] of forcedLiveStubs) {
+    const stubPath = `${nodeModules}/${packageName}/index.js`;
+    const packagePath = `${nodeModules}/${packageName}/package.json`;
+    const packageJson = JSON.parse(fs.readFileSync(packagePath, "utf8"));
+    if (packageJson.version !== "0.0.0-elizaos-live-stub") {
+      throw new Error(`${packagePath}: ${packageName} must be a live-safe stub in the base USB runtime`);
+    }
+    const stub = fs.readFileSync(stubPath, "utf8");
+    if (!stub.includes(marker)) {
+      throw new Error(`${stubPath}: ${packageName} live-safe stub is malformed`);
     }
   }
 

packages/os/linux/variants/milady-tails/scripts/sync-runtime-to-chroot.sh

@@ -8,6 +8,14 @@ OVERLAY="${ROOT}/tails/config/chroot_local-includes"
 CHROOT="${ROOT}/tails/chroot"
 APP_STAGE="${OVERLAY}/usr/share/elizaos/milady-app"
 
+run_root() {
+    if [ "$(id -u)" -eq 0 ]; then
+        "$@"
+    else
+        sudo "$@"
+    fi
+}
+
 if [ ! -d "${CHROOT}" ]; then
     echo "ERROR: ${CHROOT} does not exist; run a full build first." >&2
     exit 1
@@ -26,27 +34,40 @@ sync_file() {
         echo "ERROR: missing overlay file ${src}" >&2
         exit 1
     fi
-    sudo mkdir -p "$(dirname "${dst}")"
-    sudo rsync -a --chown=root:root "${src}" "${dst}"
+    run_root mkdir -p "$(dirname "${dst}")"
+    run_root rsync -a --chown=root:root "${src}" "${dst}"
 }
 
 copy_perl_module() {
     local src_rel="$1"
     local module_rel="$2"
     local src="${OVERLAY}/${src_rel}"
     local dst
-    dst="$(sudo find "${CHROOT}/usr/local/share/perl" -path "*/${module_rel}" -print -quit)"
+    dst="$(run_root find "${CHROOT}/usr/local/share/perl" -path "*/${module_rel}" -print -quit)"
     if [ -z "${dst}" ]; then
         echo "ERROR: installed Perl module ${module_rel} not found in ${CHROOT}" >&2
         exit 1
     fi
-    sudo rsync -a --chown=root:root "${src}" "${dst}"
+    run_root rsync -a --chown=root:root "${src}" "${dst}"
 }
 
 runtime_files=(
+    etc/gdm3/PostLogin/Default
+    etc/generate-sudoers.d/elizaos-capability-runner.toml
+    etc/generate-sudoers.d/elizaos-persistence-maintenance.toml
+    etc/systemd/system/elizaos-root-mode.service
+    etc/systemd/system/elizaos-update-health-check.service
+    etc/systemd/system/elizaos-update-verify.service
+    etc/systemd/system/milady.path
+    etc/systemd/system/milady.service
+    etc/systemd/user/elizaos-agent.service
+    etc/systemd/user/elizaos-pill.service
+    etc/systemd/user/elizaos-renderer.service
+    etc/systemd/user/milady.service
     etc/whisperback/config.py
     usr/lib/systemd/user/tails-additional-software-install.service
     usr/lib/systemd/user/tails-configure-keyboard.service
+    usr/lib/systemd/user/tails-create-persistent-storage.service
     usr/lib/systemd/user/tails-htpdate-notify-user.service
     usr/lib/systemd/user/tails-low-ram-notify-user.service
     usr/lib/systemd/user/tails-post-greeter-docs.service
@@ -58,11 +79,39 @@ runtime_files=(
     usr/lib/systemd/user/tails-upgrade-frontend.service
     usr/lib/systemd/user/tails-virt-notify-user.service
     usr/lib/systemd/user/tails-wait-until-tor-has-bootstrapped.service
+    usr/lib/python3/dist-packages/tps/configuration/features.py
+    usr/lib/python3/dist-packages/tps_frontend/views/features_view.py
+    usr/local/bin/milady
     usr/local/bin/tails-about
     usr/local/bin/tails-security-check
     usr/local/bin/tails-upgrade-frontend-wrapper
+    usr/local/lib/elizaos/capability-runner
+    usr/local/lib/elizaos/create-persistent-storage-session
+    usr/local/lib/elizaos/elizaos-webkit-shell
+    usr/local/lib/elizaos/milady-keeper
+    usr/local/lib/elizaos/persistence-maintenance
+    usr/local/lib/elizaos/renderer-server.mjs
+    usr/local/lib/elizaos/runtime-env
+    usr/local/lib/elizaos/start-elizaos-agent-user
+    usr/local/lib/elizaos/start-elizaos-browser-user
+    usr/local/lib/elizaos/start-elizaos-pill-user
+    usr/local/lib/elizaos/start-elizaos-renderer-user
+    usr/local/lib/elizaos/start-milady-user
+    usr/local/lib/elizaos/update-health-check
+    usr/local/lib/elizaos/update-manager
+    usr/local/lib/persistent-storage/on-activated-hooks/MiladyData/10-clean-runtime-state
+    usr/local/lib/persistent-storage/on-activated-hooks/MiladyData/20-restart-milady
+    usr/local/lib/persistent-storage/on-deactivated-hooks/MiladyData/20-restart-milady
     usr/local/lib/tails-boot-device-can-have-persistence
+    usr/share/applications/milady.desktop
+    usr/share/applications/org.boum.tails.PersistentStorage.desktop.in
+    usr/share/pixmaps/elizaos-persistent-storage.svg
+    usr/share/tails/persistent-storage/features_view.ui.in
+    usr/share/tails/persistent-storage/locked_view.ui.in
+    usr/share/tails/persistent-storage/passphrase_view.ui.in
     usr/share/tails/persistent-storage/style.css
+    usr/share/tails/persistent-storage/welcome_view.ui.in
+    usr/share/tails/persistent-storage/window.ui.in
     usr/share/whisperback/whisperback.ui.in
 )
 
@@ -74,10 +123,11 @@ copy_perl_module usr/src/iuk/lib/Tails/IUK/Frontend.pm Tails/IUK/Frontend.pm
 copy_perl_module usr/src/iuk/lib/Tails/IUK/Install.pm Tails/IUK/Install.pm
 copy_perl_module usr/src/perl5lib/lib/Tails/RunningSystem.pm Tails/RunningSystem.pm
 
-sudo rm -rf "${CHROOT}/usr/share/elizaos/milady-app"
-sudo mkdir -p "${CHROOT}/usr/share/elizaos"
-sudo rsync -a --delete --chown=root:root "${APP_STAGE}/" \
+run_root rm -rf "${CHROOT}/usr/share/elizaos/milady-app"
+run_root mkdir -p "${CHROOT}/usr/share/elizaos"
+run_root rsync -a --delete --chown=root:root "${APP_STAGE}/" \
     "${CHROOT}/usr/share/elizaos/milady-app/"
-sudo chroot "${CHROOT}" /bin/sh -s < "${ROOT}/tails/config/chroot_local-hooks/9100-install-milady"
+run_root chroot "${CHROOT}" /bin/sh -s < "${ROOT}/tails/config/chroot_local-hooks/9100-install-milady"
+run_root chroot "${CHROOT}" /bin/sh -s < "${ROOT}/tails/config/chroot_local-hooks/99-zzzzzz_permissions"
 
 echo "Synced elizaOS runtime overlay into ${CHROOT}"

packages/os/linux/variants/milady-tails/scripts/usb-write.sh

@@ -85,15 +85,16 @@ if ! printf '%s' "${file_out}" | grep -qiE "ISO 9660|boot sector|partition|disk
     exit 2
 fi
 
-if printf '%s' "${file_out}" | grep -qi "ISO 9660"; then
-    yellow "WARNING: writing an ISO directly is for explicit override/testing only."
-    yellow "Persistent Storage may reject devices that were not created from the USB image."
-fi
 image_is_iso=0
 if printf '%s' "${file_out}" | grep -qi "ISO 9660"; then
     image_is_iso=1
 fi
 
+if [ "${image_is_iso}" = "1" ]; then
+    yellow "WARNING: writing an ISO directly is for explicit override/testing only."
+    yellow "Persistent Storage may reject devices that were not created from the USB image."
+fi
+
 if [ "${image_is_iso}" != "1" ] && ! command -v sgdisk >/dev/null 2>&1; then
     red "sgdisk is required to prepare a cloned USB image for Persistent Storage."
     red "Install gdisk, then rerun this writer."

packages/os/linux/variants/milady-tails/tails/auto/scripts/create-usb-image-from-iso

@@ -362,8 +362,15 @@ class ImageCreator:
             # Unmount in reverse order of setup so the chroot-visible image is
             # gone before we tear down the procfs mount used by syslinux. Track
             # successful mounts so setup failures do not leak chroot state.
+            unmount_errors = []
             for mountpoint in reversed(mounted):
-                unmount(mountpoint)
+                try:
+                    unmount(mountpoint)
+                except subprocess.CalledProcessError as err:
+                    logger.error("Failed to unmount %s: %s", mountpoint, err)
+                    unmount_errors.append(err)
+            if unmount_errors:
+                raise unmount_errors[0]
 
     def install_syslinux(self):
         logger.info("Installing bootloader")

packages/os/release/schema/elizaos-os-release-manifest.schema.json

@@ -182,6 +182,7 @@
               "required": ["status"]
             },
             "then": {
+              "required": ["downloadUrl"],
               "properties": {
                 "downloadUrl": { "type": "string", "minLength": 1 }
               }