fix(os): refresh USB persistence hardening

Author: NubsCarson

packages/agent/vitest.config.ts

@@ -34,6 +34,10 @@ export default defineConfig({
           "packages/app-core/src/account-pool.ts",
         ),
       },
+      {
+        find: /^@elizaos\/app-core\/(.+)$/,
+        replacement: path.join(monorepoRoot, "packages/app-core/src/$1"),
+      },
       {
         find: "@elizaos/app-core",
         replacement: path.join(monorepoRoot, "packages/app-core/src/index.ts"),

packages/os-homepage/tests/visual.spec.ts-snapshots/hardware-usb-plastic-desktop-desktop-linux.png

@@ -54,6 +54,11 @@ if [ ! -d "${TAILS_SRC}/config" ]; then
     exit 1
 fi
 
+if [ "${STAGE}" = "binary" ] && [ "${ELIZAOS_SYNC_CHROOT:-1}" = "1" ]; then
+    echo "=== syncing elizaOS overlay into existing chroot ==="
+    "${HERE}/scripts/sync-runtime-to-chroot.sh"
+fi
+
 echo "=== building image ${IMAGE} ==="
 # The image bakes in only Tails' live-build fork; the Dockerfile's build
 # context needs that source available as tails-live-build/. The vendored

packages/os-homepage/tests/visual.spec.ts-snapshots/hardware-usb-plastic-desktop-mobile-linux.png

@@ -256,6 +256,103 @@ export default plugin;
 
 const optionalStubPackages = new Map(
   Object.entries({
+    "@elizaos/app-model-tester": `
+export const modelTesterPlugin = {
+  name: "model-tester",
+  description: "Model tester routes are not bundled in elizaOS Live.",
+  routes: [],
+};
+export default modelTesterPlugin;
+`,
+    "@elizaos/plugin-companion": `
+export const appCompanionPlugin = {
+  name: "companion",
+  description: "Companion overlay placeholder for elizaOS Live. The full 3D companion bundle can be installed through app updates.",
+  actions: [],
+  providers: [],
+  services: [],
+  routes: [],
+};
+export const companionPlugin = appCompanionPlugin;
+export const registerCompanionApp = () => undefined;
+export default appCompanionPlugin;
+`,
+    "@elizaos/plugin-lifeops": `
+export const appLifeOpsPlugin = {
+  name: "lifeops",
+  description: "LifeOps placeholder for elizaOS Live. Cloud connectors and proactive workflows become available after provider setup.",
+  actions: [],
+  providers: [],
+  services: [],
+  routes: [],
+};
+export const lifeopsPlugin = {
+  name: "lifeops-routes",
+  routes: [],
+};
+export const BrowserBridgePluginService = undefined;
+export const browserBridgeProvider = undefined;
+export const detectHealthBackend = () => ({ available: false, backend: "none" });
+export const handleLifeOpsRoutes = async () => false;
+export const handleWebsiteBlockerRoutes = async () => false;
+export default appLifeOpsPlugin;
+`,
+    "@elizaos/plugin-documents": `
+export const documentsPlugin = {
+  name: "documents",
+  description: "Documents app routes are not bundled in the elizaOS Live base runtime.",
+  routes: [],
+};
+export const plugin = documentsPlugin;
+export default documentsPlugin;
+`,
+    "@elizaos/plugin-hyperliquid-app": `
+export const hyperliquidPlugin = {
+  name: "hyperliquid",
+  description: "Hyperliquid app routes are not bundled in the elizaOS Live base runtime.",
+  routes: [],
+};
+export const plugin = hyperliquidPlugin;
+export default hyperliquidPlugin;
+`,
+    "@elizaos/plugin-polymarket-app": `
+export const polymarketPlugin = {
+  name: "polymarket",
+  description: "Polymarket app routes are not bundled in the elizaOS Live base runtime.",
+  routes: [],
+};
+export const plugin = polymarketPlugin;
+export default polymarketPlugin;
+`,
+    "@elizaos/plugin-shopify-ui": `
+export const shopifyPlugin = {
+  name: "shopify",
+  routes: [],
+};
+export default shopifyPlugin;
+`,
+    "@elizaos/plugin-steward-app": `
+export const stewardPlugin = {
+  name: "steward",
+  routes: [],
+};
+export default stewardPlugin;
+`,
+    "@elizaos/plugin-training": `
+export const trainingPlugin = {
+  name: "training",
+  routes: [],
+};
+export const registerTrainingRuntimeHooks = async () => undefined;
+export default trainingPlugin;
+`,
+    "@elizaos/plugin-vincent": `
+export const vincentPlugin = {
+  name: "vincent",
+  routes: [],
+};
+export default vincentPlugin;
+`,
     "@elizaos/plugin-whatsapp": `
 const noop = () => undefined;
 const falseRoute = async () => false;
@@ -388,6 +485,15 @@ export default undefined;
   }).map(([packageName, source]) => [packageName, `${source.trimStart()}\n`]),
 );
 
+const forceLiveStubPackages = new Set([
+  "@elizaos/plugin-companion",
+  "@elizaos/plugin-documents",
+  "@elizaos/plugin-google",
+  "@elizaos/plugin-hyperliquid-app",
+  "@elizaos/plugin-lifeops",
+  "@elizaos/plugin-polymarket-app",
+]);
+
 const chromiumFlags = {
   "disable-gpu": true,
   "disable-gpu-compositing": true,
@@ -495,7 +601,11 @@ function isLiveStubPackage(packageJson) {
 
 function shouldWriteLiveFallbackPackage(packageName) {
   const packageJson = readPackageManifest(packageName);
-  return !packageJson || isLiveStubPackage(packageJson);
+  return (
+    forceLiveStubPackages.has(packageName) ||
+    !packageJson ||
+    isLiveStubPackage(packageJson)
+  );
 }
 
 function sourcePackageManifest(_packageName, packageJson) {
@@ -1007,7 +1117,10 @@ function collectPackageInventory(projectedPackages = []) {
 
 function packageStatus(packageName) {
   const packageJson = readPackageManifest(packageName);
-  const generated = !packageJson || isLiveStubPackage(packageJson);
+  const generated =
+    forceLiveStubPackages.has(packageName) ||
+    !packageJson ||
+    isLiveStubPackage(packageJson);
   return {
     packageName,
     packagePath: relativeToStage(packageManifestPath(packageName)),

packages/os-homepage/tests/visual.spec.ts-snapshots/hardware-usb-plastic-mobile-desktop-linux.png

@@ -878,6 +878,48 @@ for unit in \
 do
     grep -q '^ConditionPathExists=!/run/elizaos/persistence-maintenance$' "${unit}"
 done
+if [ "${SOURCE_ONLY}" != "1" ]; then
+    verify_materialized_file() {
+        local rel="$1"
+        local src="tails/config/chroot_local-includes/${rel}"
+        local chroot_path="tails/chroot/${rel}"
+        local squashfs="tails/binary/live/filesystem.squashfs"
+        local tmp
+
+        if [ -e "${chroot_path}" ] && ! cmp -s "${src}" "${chroot_path}"; then
+            echo "${chroot_path} is stale; run scripts/sync-runtime-to-chroot.sh before binary rebuilds." >&2
+            exit 1
+        fi
+
+        if [ -f "${squashfs}" ] && command -v unsquashfs >/dev/null 2>&1; then
+            tmp="$(mktemp)"
+            if ! unsquashfs -cat "${squashfs}" "${rel}" >"${tmp}" 2>/dev/null; then
+                rm -f "${tmp}"
+                echo "${squashfs} is missing ${rel}" >&2
+                exit 1
+            fi
+            if ! cmp -s "${src}" "${tmp}"; then
+                rm -f "${tmp}"
+                echo "${squashfs}:${rel} is stale; rebuild the binary image after syncing the chroot." >&2
+                exit 1
+            fi
+            rm -f "${tmp}"
+        fi
+    }
+
+    for rel in \
+        etc/systemd/user/elizaos-agent.service \
+        etc/systemd/user/elizaos-renderer.service \
+        etc/systemd/user/milady.service \
+        usr/lib/systemd/user/tails-create-persistent-storage.service \
+        usr/local/lib/elizaos/create-persistent-storage-session \
+        usr/local/lib/elizaos/persistence-maintenance \
+        usr/local/lib/persistent-storage/on-activated-hooks/MiladyData/20-restart-milady \
+        usr/local/lib/persistent-storage/on-deactivated-hooks/MiladyData/20-restart-milady
+    do
+        verify_materialized_file "${rel}"
+    done
+fi
 if grep -q 'systemctl --global enable elizaos-pill.service' \
     tails/config/chroot_local-hooks/52-update-systemd-units; then
     echo "Voice pill must stay installed but opt-in until the pill renderer is production-ready." >&2
@@ -1186,13 +1228,24 @@ for (const root of [
       throw new Error(`${distIndex}: required runtime plugin dist is missing`);
     }
   }
-  const googleStubPath = `${nodeModules}/@elizaos/plugin-google/index.js`;
-  const googlePackagePath = `${nodeModules}/@elizaos/plugin-google/package.json`;
-  const googlePackage = JSON.parse(fs.readFileSync(googlePackagePath, "utf8"));
-  if (googlePackage.version === "0.0.0-elizaos-live-stub") {
-    const googleStub = fs.readFileSync(googleStubPath, "utf8");
-    if (!googleStub.includes("googlePlugin")) {
-      throw new Error(`${googleStubPath}: Google connector stub is malformed`);
+  const forcedLiveStubs = new Map([
+    ["@elizaos/plugin-companion", "companion"],
+    ["@elizaos/plugin-documents", "documents"],
+    ["@elizaos/plugin-google", "google"],
+    ["@elizaos/plugin-hyperliquid-app", "hyperliquid"],
+    ["@elizaos/plugin-lifeops", "lifeops"],
+    ["@elizaos/plugin-polymarket-app", "polymarket"],
+  ]);
+  for (const [packageName, marker] of forcedLiveStubs) {
+    const stubPath = `${nodeModules}/${packageName}/index.js`;
+    const packagePath = `${nodeModules}/${packageName}/package.json`;
+    const packageJson = JSON.parse(fs.readFileSync(packagePath, "utf8"));
+    if (packageJson.version !== "0.0.0-elizaos-live-stub") {
+      throw new Error(`${packagePath}: ${packageName} must be a live-safe stub in the base USB runtime`);
+    }
+    const stub = fs.readFileSync(stubPath, "utf8");
+    if (!stub.includes(marker)) {
+      throw new Error(`${stubPath}: ${packageName} live-safe stub is malformed`);
     }
   }