fix(os): package elizaOS live runtime plugins

packages/os/DOWNLOADS.md

@@ -13,10 +13,11 @@ gaps, and a hardware-support matrix.
 
 Current hardening status:
 
-- A prior live-USB ISO passed QEMU greeter/desktop/app-service validation
-  and guarded USB flash/readback. Current HEAD still needs rebuild,
-  repeat QEMU, repeat flash/readback, real hardware boot, and real USB
-  persistence validation before stable release.
+- A recent live-USB ISO artifact passed QEMU greeter/desktop/app-service
+  validation, and a prior artifact passed guarded USB flash/readback. The
+  exact release commit still needs rebuild/repeat QEMU if HEAD moves,
+  repeat flash/readback, real hardware boot, and real USB persistence
+  validation before stable release.
 - v1 is USB-only; internal-disk install is deferred.
 - A guarded developer writer exists in the live-USB variant. Production
   still needs a signed GUI/CLI flasher for macOS, Windows, and Linux.

packages/os/linux/variants/milady-tails/Justfile

@@ -54,12 +54,46 @@ milady-app:
 
         echo "Building ${package_rel} runtime dist for elizaOS Live"
         case "${mode}" in
+            package-build)
+                if [ ! -x "${eliza_root}/node_modules/.bin/tsup" ] || [ ! -x "${eliza_root}/node_modules/.bin/tsc" ]; then
+                    echo "Installing workspace build dependencies for ${package_rel}"
+                    ( cd "${eliza_root}" && bun install --no-frozen-lockfile --ignore-scripts )
+                fi
+                ( cd "${package_dir}" && bun run build )
+                ;;
             package-js)
+                if [ ! -x "${eliza_root}/node_modules/.bin/tsup" ]; then
+                    echo "Installing workspace build dependencies for ${package_rel}"
+                    ( cd "${eliza_root}" && bun install --no-frozen-lockfile --ignore-scripts )
+                fi
                 ( cd "${package_dir}" && bun run build:js )
                 ;;
             tsup-index)
+                if [ ! -x "${eliza_root}/node_modules/.bin/tsup" ]; then
+                    echo "Installing workspace build dependencies for ${package_rel}"
+                    ( cd "${eliza_root}" && bun install --no-frozen-lockfile --ignore-scripts )
+                fi
                 ( cd "${package_dir}" && bunx tsup src/index.ts --format esm --clean )
                 ;;
+            bun-runtime-index)
+                ( cd "${package_dir}" && \
+                    rm -rf dist && \
+                    bun build src/index.ts \
+                        --outdir dist \
+                        --target=node \
+                        --format=esm \
+                        --sourcemap=external \
+                        --external '@elizaos/agent' \
+                        --external '@elizaos/app-core' \
+                        --external '@elizaos/app-core/*' \
+                        --external '@elizaos/core' \
+                        --external '@elizaos/plugin-registry' \
+                        --external '@elizaos/shared' \
+                        --external '@elizaos/vault' \
+                        --external dotenv \
+                        --external 'node:*' \
+                        --external 'bun:*' )
+                ;;
             *)
                 echo "Unknown runtime package build mode: ${mode}" >&2
                 exit 1
@@ -100,6 +134,8 @@ milady-app:
     test -x "${app_out}/bin/launcher" || { echo "missing ${app_out}/bin/launcher"; exit 1; }
     ensure_plugin_runtime_dist "plugins/plugin-health" package-js
     ensure_plugin_runtime_dist "plugins/plugin-calendly" tsup-index
+    ensure_plugin_runtime_dist "plugins/plugin-registry" package-js
+    ensure_plugin_runtime_dist "plugins/plugin-app-manager" bun-runtime-index
     if [ -e "${stage}" ] && ! rm -rf "${stage}"; then
         sudo -n rm -rf "${stage}"
     fi

packages/os/linux/variants/milady-tails/PLAN.md

@@ -16,16 +16,16 @@ turn-by-turn directions.
 
 ---
 
-## Current status (2026-05-17)
+## Current status (2026-05-19)
 
 | | |
 |---|---|
 | **Phase 0 — Scaffold** | ✅ Done |
 | **Phase 1 — Base ISO builds + boots** | ✅ Done — base image builds and boots through QEMU via `-cdrom` |
-| **Phase 2 — elizaOS system branding** | ✅ Source implemented; QEMU visual path passed on prior artifact; latest polish needs rebuild |
-| **Phase 3 — Privacy mode** | 🔨 Source implemented; needs current-HEAD network/Tor validation |
-| **Phase 4 — Bake elizaOS app** | ✅ App payload/install path QEMU-passed on prior artifact; clean checkout still must run `just milady-app` before a full build |
-| **Phase 5 — Autolaunch** | ✅ Desktop/systemd wrapper QEMU-passed on prior artifact |
+| **Phase 2 — elizaOS system branding** | ✅ Source implemented; latest validated artifact QEMU visual path passed |
+| **Phase 3 — Privacy mode** | 🔨 Source implemented; needs exact-release network/Tor validation |
+| **Phase 4 — Bake elizaOS app** | ✅ App payload/install path QEMU-passed on latest validated artifact; clean checkout still must run `just milady-app` before a full build |
+| **Phase 5 — Autolaunch** | ✅ Desktop/systemd wrapper QEMU-passed on latest validated artifact |
 | **Phase 6 — Agent/broker** | 🔨 OS broker/env path implemented; approval-gated privileged actions still need hardening |
 | **Phase 7 — Persistence** | 🔨 Tails Persistent Storage row/hooks implemented; real USB persistence validation still pending |
 | **Phases 8–9** | 📋 Spec/backlog ([`docs/specs/`](./docs/specs/)), not release-complete |
@@ -56,9 +56,10 @@ What exists right now:
   approval-gated policy layer exists.
 - Privacy-mode, autolaunch, and `~/.eliza` Persistent Storage overlays are
   implemented locally. QEMU has proven the normal greeter/desktop/app path
-  on a prior ISO, and USB flash/readback passed for that same artifact. The
-  current gate is rebuilding HEAD, re-running QEMU, then validating real USB
-  boot, persistence, and privacy behavior.
+  on the latest validated local ISO artifact, and USB flash/readback passed
+  on a prior artifact. The current gate is rebuilding/validating the exact
+  release commit if the branch moves, then repeat USB flash/readback, real
+  USB boot, persistence, and privacy behavior.
 - The old root-level usbeliza Linux prototype was removed from this branch;
   this variant is the active Linux distro path.
 

packages/os/linux/variants/milady-tails/README.md

@@ -54,9 +54,9 @@ sealed.
 
 The target contract is that all four combinations work with the same
 feature surface, except for speed and persistence. QEMU has proven the
-normal branded greeter/desktop/app path on a prior artifact, but the
-current HEAD still needs rebuild, QEMU, real-USB, persistence, and privacy
-validation before those rows can be treated as production evidence. See
+normal branded greeter/desktop/app path on the latest validated artifact, but
+real-USB boot, real-USB persistence, and Privacy Mode network behavior still
+need validation before those rows can be treated as production evidence. See
 [`docs/user-experience.md`](./docs/user-experience.md) for the boot-time
 walkthrough and [`docs/mode-parity.md`](./docs/mode-parity.md) for the
 acceptance matrix.
@@ -113,25 +113,25 @@ Apache-2.0 where possible, dual-licensed under both where required.
 
 ## Status: Demo Branch Versus Production
 
-**Current branch status, 2026-05-17:** the elizaOS Live source tree has
-passed a full ISO build, QEMU greeter/desktop/app-service validation, and
-guarded USB flash/readback on a prior artifact. Current HEAD includes
-additional source-only branding and docs polish, so it must be rebuilt and
-revalidated before that exact image is called final USB-ready. Real
-hardware USB boot and real USB Persistent Storage behavior remain pending.
+**Current branch status, 2026-05-19:** this branch has produced a fresh
+local ISO artifact that passed QEMU greeter/desktop/app onboarding
+validation. A prior artifact passed guarded USB flash/readback, but the
+latest validated artifact still needs repeat USB flash/readback, real
+hardware USB boot, and real USB Persistent Storage validation before it is
+called final USB-ready. Release promotion must rebuild and validate the
+exact release commit if the branch moves after the latest tested artifact.
 See [`docs/current-status.md`](./docs/current-status.md) for the exact
 validation state.
 
 **Phase 1 — done.** The containerized build pipeline produced a bootable
 base ISO, and Tails' normal live-OS boot path was verified through QEMU
 using `-cdrom`.
 
-**Phases 2–7 — implemented in source, QEMU demo path proven on a prior
-artifact.** Branding, Privacy Mode plumbing, bundled elizaOS app
+**Phases 2–7 — implemented in source, QEMU demo path proven on the latest
+validated artifact.** Branding, Privacy Mode plumbing, bundled elizaOS app
 install/autostart, the conservative elizaOS capability broker, and elizaOS
-Persistent Storage rows/hooks are in the tree. The current gate is a fresh
-HEAD rebuild plus QEMU, USB flash/readback, real hardware boot, privacy,
-and persistence validation.
+Persistent Storage rows/hooks are in the tree. The current gate is USB
+flash/readback, real hardware boot, privacy, and persistence validation.
 
 **Phases 8–9 — spec/backlog.** Mode-parity harness and customization
 actions are planned but not production-complete. Production also still

packages/os/linux/variants/milady-tails/ROADMAP.md

@@ -8,7 +8,7 @@ No optimism inflation. Where something is risky or unknown, it says so.
 
 ---
 
-## Where we are right now (2026-05-17)
+## Where we are right now (2026-05-19)
 
 **Done and proven:**
 - The **containerized build pipeline** works. A full elizaOS ISO
@@ -23,15 +23,15 @@ No optimism inflation. Where something is risky or unknown, it says so.
 - Local overlays now exist for elizaOS branding, Privacy Mode, elizaOS app
   install/systemd launch, a conservative elizaOS capability broker, elizaOS
   Persistent Storage, and a checked signed-runtime verifier foundation.
-- A prior full ISO artifact passed QEMU through the branded greeter,
-  desktop, and app-service path. The same artifact was flashed to a
+- A recent full ISO artifact passed QEMU through the branded greeter,
+  desktop, and app-service path. A prior artifact was flashed to a
   removable USB with guarded write/readback verification.
 - The old root-level usbeliza prototype has been removed from this branch;
   the active Linux distro work now lives under this live-build variant.
 
 **Not done:**
-- Current HEAD includes source-only branding/docs polish after the last
-  validated artifact. Rebuild and re-run QEMU before calling that exact
+- Rebuild and re-run QEMU if the branch moves after the latest validated
+  artifact; exact release-commit traceability is required before calling an
   artifact final USB-ready.
 - Privacy/direct networking and real USB Persistent Storage behavior still
   need proof inside the rebuilt live OS.
@@ -42,7 +42,8 @@ No optimism inflation. Where something is risky or unknown, it says so.
 
 So: the *build machine* is mostly complete. The *product* — elizaOS Live
 — has the core overlays in place, but the next heavy gate is still a
-fresh HEAD rebuild + QEMU + real USB boot + mode/persistence validation.
+exact release-commit rebuild if needed + QEMU + real USB boot +
+mode/persistence validation.
 
 Product identity rule: the boot, greeter, and desktop should read as
 elizaOS Live. Tails remains the underlying live-OS plumbing and is credited

packages/os/linux/variants/milady-tails/docs/current-status.md

@@ -1,6 +1,6 @@
 # Current elizaOS Live Status
 
-Last updated: 2026-05-17.
+Last updated: 2026-05-19.
 
 This branch is a working demo/productization branch, not a finished
 enterprise release.
@@ -15,61 +15,60 @@ enterprise release.
 6419dbee227317983ff2c6d02c3fd4bf97c6699ac1d26f0c98476f2ba58cfc10
 ```
 
-- The current HEAD source has now been rebuilt into a fresh canonical ISO at
-  `tails/binary.iso` / `out/binary.iso`. Do not use older named ISO copies in
-  `out/` for validation; they can be stale.
+- This branch has produced a fresh canonical ISO at `out/binary.iso`. Do
+  not use older named ISO copies in `out/` for validation; they can be
+  stale. If the branch moves after this artifact, rebuild and validate the
+  exact release commit before publishing or flashing it as final.
 
 ```text
-2ff679a74464dd1ad37c0202b58fc56c5dd64b6e9ce047945d6ee60fcb139faa
+fb706edd7016b415e53fc263c37d09ed26d7f0d8d3bced250bde5b1b3ea9bec8
 ```
 
-- Normal QEMU boot of that exact current-HEAD artifact reached the elizaOS
-  greeter, started a normal GNOME desktop, and showed the elizaOS app window
-  on the desktop.
+- Normal QEMU boot of that exact validated artifact reached the elizaOS
+  greeter, started a normal GNOME desktop, and showed the elizaOS app
+  onboarding screen. This specifically proves the previous app backend
+  timeout is gone for the packaged runtime in this artifact.
 
 ## Current HEAD Caveat
 
-Current HEAD has QEMU visual evidence for boot, greeter, desktop, and app
-window startup. It has not yet been flashed/readback-tested to USB, booted on
-real hardware, or validated for real USB Persistent Storage create/unlock/delete
-behavior.
+The latest validated artifact has QEMU visual evidence for boot, greeter,
+desktop, and app onboarding startup. The exact release commit must be
+rebuilt and revalidated if HEAD moves. It has not yet been
+flashed/readback-tested to USB, booted on real hardware, or validated for
+real USB Persistent Storage create/unlock/delete behavior.
 
 ## Fixed Tonight
 
-The latest boot blocker was not branding or the app runtime. Debug boots showed
-that the live root filesystem could be left mode `0700`, preventing non-root
-system services from traversing `/` and causing D-Bus, polkit, GDM, and
-Persistent Storage startup failures.
+The latest app blocker was packaged-runtime completeness: the app window
+opened but the backend timed out because `@elizaos/plugin-app-manager` and
+`@elizaos/plugin-registry` were copied as package folders without runtime
+`dist/index.js` artifacts.
 
-The current artifact contains the fix:
+The latest validated artifact contains the fix:
 
-- `run-nosymfollow.mount.d/elizaos-root-mode.conf` documents the intended
-  `0755` directory mode for the inherited nosymfollow bind mount.
-- `elizaos-root-mode.service` runs after `run-nosymfollow.mount` and
-  `systemd-tmpfiles-setup.service`, then restores `/` plus
-  `/run/nosymfollow` to `0755`.
-- The earlier D-Bus and polkit working-directory drop-ins were removed because
-  they were symptom workarounds, not the root cause.
-- `milady.path` no longer participates in an ordering cycle with
-  `elizaos-update-verify.service`; the path unit can arm normally while
-  `milady.service` waits for verifier setup.
+- `just milady-app` now builds runtime JS for those first-party plugin
+  packages when their `dist/index.js` files are absent.
+- `static-smoke.sh` now checks that the staged overlay and installed chroot
+  copy both contain those plugin runtime artifacts.
+- The rebuilt ISO squashfs contains both plugin runtime artifacts under
+  `/opt/milady/Resources/app/eliza-dist/node_modules/@elizaos/`.
 
 ## Tonight Validation Plan
 
 Completed so far:
 
-1. Synced the root-mode and ordering-cycle fixes into the existing build
-   chroot.
-2. Repacked the fixed chroot into a fresh `tails/binary.iso`.
-3. Pointed `out/binary.iso` at that exact artifact.
-4. Verified the built squashfs contains the root-mode drop-in,
-   `elizaos-root-mode.service`, update verifier, and health-check fixes.
-5. Booted the exact artifact in QEMU and visually confirmed greeter, desktop,
-   and app window startup.
+1. Built the missing first-party plugin runtime artifacts.
+2. Re-prepared the staged app overlay and synced it into the existing chroot.
+3. Proved the packaged backend reaches `/api/auth/status` from the staged
+   runtime.
+4. Repacked the fixed chroot into `out/binary.iso`.
+5. Verified the built squashfs contains both plugin runtime artifacts.
+6. Booted the exact artifact in QEMU and visually confirmed greeter, desktop,
+   and app onboarding startup.
 
 Still required before claiming a final USB demo:
 
-1. Repeat guarded USB flash/readback for the `2ff679a7...` artifact.
+1. Repeat guarded USB flash/readback for the `fb706edd...` artifact.
 2. Boot that USB on real hardware.
 3. Validate real USB Persistent Storage create/unlock/delete behavior.
 4. Validate privacy/direct networking behavior for the app, renderer, and any
@@ -139,7 +138,7 @@ proof for embedded browser/OAuth paths, and real USB persistence validation.
 
 ## Still Pending
 
-- Repeat guarded USB flash/readback for the current `2ff679a7...` artifact.
+- Repeat guarded USB flash/readback for the current `fb706edd...` artifact.
 - Boot the USB on real hardware.
 - Validate real USB Persistent Storage create/unlock/delete behavior.
 - Validate privacy/direct networking behavior for the app, renderer, and any

packages/os/linux/variants/milady-tails/docs/distribution-and-updates.md

@@ -32,9 +32,10 @@ The current branch is a demo/productization branch:
   a checked signed-runtime verifier foundation.
 - Static smoke checks are part of the demo gate and must pass before
   promotion.
-- A prior rebuilt ISO passed QEMU greeter/desktop/app-service validation and
-  guarded USB flash/readback. Current HEAD has source-only polish after that
-  artifact, so repeat rebuild/QEMU/USB readback before calling HEAD final.
+- The latest validated local ISO artifact has passed QEMU greeter/desktop/app
+  onboarding validation. A prior artifact passed guarded USB flash/readback,
+  so rebuild/revalidate the exact release commit if the branch moves and
+  repeat USB flash/readback before calling HEAD final.
 - Privacy behavior, real hardware USB boot, and real USB Persistent Storage
   behavior still need validation before production claims.
 - Production release infrastructure is missing: release keys, manifest

packages/os/linux/variants/milady-tails/docs/mode-parity.md

@@ -9,11 +9,11 @@ The product requirement is that the same capabilities are available in all
 four combinations. Mode changes can affect speed, persistence, and trace
 footprint, but they must not silently remove features.
 
-Status as of 2026-05-17: Phase 3-7 overlays are present in source, and a
-prior ISO passed the normal QEMU greeter/desktop/app-service path. Current
-HEAD needs rebuild and repeat validation. Treat the table below as the
-target acceptance matrix until Phase 8 produces evidence from QEMU and real
-USB across all four modes.
+Status as of 2026-05-19: Phase 3-7 overlays are present in source, and a
+recent ISO artifact passed the normal QEMU greeter/desktop/app-service path.
+Rebuild and repeat validation for the exact release commit if the branch
+moves. Treat the table below as the target acceptance matrix until Phase 8
+produces evidence from QEMU and real USB across all four modes.
 
 Evidence rule: mark a row as production-ready only after it is exercised
 in QEMU and on a real USB boot. Until then, "Yes" means required product

packages/os/linux/variants/milady-tails/docs/production-readiness.md

@@ -121,8 +121,8 @@ The production product should add these first:
 
 Clear near-term wins before marketing this as a production AI OS:
 
-1. Rebuild current HEAD and QEMU-test that exact ISO.
-2. Flash/readback the rebuilt ISO and boot it on real hardware.
+1. Repeat guarded USB flash/readback for the current QEMU-tested ISO.
+2. Boot the rebuilt ISO on real hardware.
 3. Prove Persistent Storage create/unlock/delete on a real USB.
 4. Prove Privacy Mode behavior for agent, renderer, embedded browser, and
    OAuth surfaces.

packages/os/linux/variants/milady-tails/docs/specs/README.md

@@ -4,10 +4,10 @@ File-level implementation plans for each phase of [`../../PLAN.md`](../../PLAN.m
 `PLAN.md` is the map (goals, success criteria, status); these specs are the
 turn-by-turn directions (exact files, exact changes, ordered checklists).
 
-Status note, 2026-05-17: Phase 2-7 OS/Tails overlays exist in source and a
-prior ISO passed the normal QEMU greeter/desktop/app-service path. Current
-HEAD includes later branding/docs polish and needs a fresh rebuild. Keep the
-specs as design/source-of-truth for intent, and use `PLAN.md` plus
+Status note, 2026-05-19: Phase 2-7 OS/Tails overlays exist in source and a
+recent local ISO artifact passed the normal QEMU greeter/desktop/app-service
+path. Rebuild and revalidate the exact release commit if the branch moves
+after that artifact. Keep the specs as design/source-of-truth for intent, and use `PLAN.md` plus
 `docs/current-status.md` for the current validation state.
 
 Each spec was produced by auditing the actual Tails source and the