fix(os): harden elizaOS live USB integration

[NubsCarson]

Summary

• hardens the elizaOS Live USB app/runtime integration after the merged distro PR (elizaOS Live USB distro #7754)
• keeps inherited launcher labels branded as elizaOS, adds the missing UDisks typelib required by the greeter, and updates release CI to validate the current live-build source path
• makes the packaged app path more robust: generated lucide-react stubs now include the packaged UI icon set (Feather, Maximize2, etc.), optional plugin fallbacks avoid replacing real packaged packages, and the live overlay emits an explicit fallback manifest
• tightens runtime behavior: close-to-tray defaults, safer CEF profile compatibility handling, fixed loopback API/renderer binding, and strict API port mode for the Live USB app
• hardens root/user boundaries around the keeper, persistence maintenance, systemd units, permissions, and persistence hooks
• refreshes production docs for privacy/amnesia behavior, persistence, update strategy, USB distribution, and remaining enterprise hardening gates

Validation

• ELIZAOS_STATIC_SOURCE_ONLY=1 ./scripts/static-smoke.sh from packages/os/linux/variants/milady-tails
• ./scripts/static-smoke.sh against the local build tree after the fresh binary rebuild
• packaged backend proof against tails/chroot/opt/milady: /api/auth/status ready on 127.0.0.1:31337 in 28s
• node --check packages/os/linux/variants/milady-tails/scripts/prepare-milady-app-overlay.mjs
• node --check packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/local/lib/elizaos/renderer-server.mjs
• sh -n on the edited elizaOS Live shell hooks/wrappers
• git diff --check
• rebuilt ISO locally with 6 CPU repack: out/binary.iso
• ISO checksum: 23f6d3bb18f85ca598ea680b252f8be9aec0ded55a481888d7f1eaf22de9be3e
• QEMU boot of that ISO: branded greeter visible, session starts, GNOME desktop visible, elizaOS app window appears and remains up without BACKEND TIMEOUT
• subagent security re-audit confirmed the root/user path boundary and process-kill fixes

Notes

• PR elizaOS Live USB distro #7754 is already merged into develop; this PR is the post-merge hardening/fixup branch.
• Mobile smoke jobs may still fail independently on missing full Bun iOS/Android engine artifacts; this PR does not touch mobile build scripts or mobile app sources.
• Remaining production gates are tracked in the docs: signed update channels, SBOM/provenance, full hardware USB validation, and a deeper security review before public enterprise release.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 417d979e-376a-4ffd-97a6-bc30610ad57b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch nubs/messylinux

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}