Lucent-Financial-Group · AceHack · May 25, 2026 · May 25, 2026
diff --git a/docs/BACKLOG.md b/docs/BACKLOG.md
@@ -9,6 +9,7 @@ _Each entry below is a link to a per-row file under
 `docs/backlog/`. Entries with `- [ ]` are open; `- [x]`
 are closed (status: closed in frontmatter)._
 
+
 ## P0 — critical / blocking
 
 - [x] **[B-0062](backlog/P0/B-0062-wallet-v0-build-out-spec-logic-punch-list-from-pr-72-deferrals.md)** Wallet v0 build-out — concrete spec-logic punch list aggregating PR #72 deferred review concerns (Aaron 2026-04-28 honest-tracking catch)
@@ -32,6 +33,7 @@ are closed (status: closed in frontmatter)._
 - [ ] **[B-0525](backlog/P0/B-0525-manifesto-constitutional-promotion-readiness-tracking-2026-05-14.md)** Manifesto constitutional-promotion readiness tracking — critical-mass adoption gate
 - [ ] **[B-0720](backlog/P0/B-0720-classifier-bypass-research-red-team-do-not-deploy-without-zeta-safer-than-anthropic-2026-05-24.md)** Classifier-bypass research + red-team — can crafted settings.json make Anthropic classifier allow anything? Standing operator-constraint until Zeta safer
 
+
 ## P1 — within 2-3 rounds
 
 - [ ] **[B-0003](backlog/P1/B-0003-alignment-md-rewrite.md)** ALIGNMENT.md rewrite — incorporate Otto-281..287 + bidirectional alignment + factory-as-superfluid + Noether direction; spread via rigor not manipulation (matrix-pill not poison-pill)
@@ -358,6 +360,7 @@ are closed (status: closed in frontmatter)._
 - [ ] **[B-0706](backlog/P1/B-0706-zeta-on-orleans-deployment-architecture-servicetitan-scale-orleans-grains-jit-compilation-rented-tools-2026-05-22.md)** Zeta on Orleans deployment architecture (ServiceTitan-scale; grains + JIT compilation + rented tools)
 - [ ] **[B-0732](backlog/P1/B-0732-runbook-as-executable-reality-leverage-class-safety-substrate-engineering-target-mika-feels-the-weight-aaron-play-doh-design-property-2026-05-25.md)** Runbook-as-executable-reality is a NEW LEVERAGE CLASS — safety substrate engineering target; existing destructive-tool contract operates at script scope, runbook leverage operates at system-direction scope (Mika feels the weight; Aaron's Play-Doh design property)
 
+
 ## P2 — research-grade
 
 - [x] **[B-0001](backlog/P2/B-0001-example-schema-self-reference.md)** Example row — self-reference demonstrating the per-row-file schema
@@ -691,6 +694,7 @@ are closed (status: closed in frontmatter)._
 - [ ] **[B-0735](backlog/P2/B-0735-notepad-freedom-of-personal-ontology-plus-probabilistic-grammars-plus-per-person-personalized-parsers-in-glass-halo-mika-substrate-segment-3-2026-05-25.md)** Notepad-freedom-of-personal-ontology + probabilistic grammars + per-person personalized parsers in Glass Halo (each participant gets their own personal compiler) — composes with B-0687 zetaparse; Mika substrate segment 3
 - [ ] **[B-0736](backlog/P2/B-0736-time-travel-debugging-of-thoughts-dbsp-plus-zeta-plus-b0735-personalized-parser-equals-thought-catcher-product-handoff-thoughtweaver-leading-mika-substrate-segment-6-2026-05-25.md)** Time-travel debugging of thoughts (DBSP retractable streams + Zeta history + B-0735 personalized parser = catch-a-thought + retract-and-re-evaluate-forward) + product handoff to LFG product team (Thoughtcatcher / Thoughtweaver currently-leading; market + IP research pending) — Mika substrate segment 6
 
+
 ## P3 — convenience / deferred
 
 - [ ] **[B-0002](backlog/P3/B-0002-otto-287-noether-formalization.md)** Otto-287 Noether-style formalization — quantify cognitive Lagrangian + identify continuous symmetries + derive conserved currents
@@ -810,5 +814,7 @@ are closed (status: closed in frontmatter)._
 - [ ] **[B-0719](backlog/P3/B-0719-soraya-round67-audit-of-audit-recognition-without-row-filing-precedent-2026-05-24.md)** Soraya round-67 forced-decomposition — audit-of-audit: ratify the recognition-without-row-filing precedent (when trigger fires + 'not my lane,' where does the routing-decision substrate land?)
 - [ ] **[B-0725](backlog/P3/B-0725-polyglot-accelerator-hardware-shape-coral-ncs-jetson-fpga-beyond-nvidia-only-2026-05-25.md)** Polyglot-accelerator hardware-shape extension — Coral / NCS / Jetson / FPGA beyond NVIDIA-only; activates as gadgets come out of drawer
 - [ ] **[B-0727](backlog/P3/B-0727-federated-4-tier-cluster-topology-cloud-community-home-business-edge-with-routing-for-weaker-leaves-2026-05-25.md)** Federated peer mesh — 5 resource profiles (cloud/hub, community, home/business, edge, leaf), weight-free routing, NO hierarchy; cloud/hub doesn't hog net neutrality
+- [ ] **[B-0738](backlog/P3/B-0738-zflash-linux-variant-lsblk-plus-pam-fprintd-plus-pkexec-fallback-2026-05-25.md)** zflash Linux variant — lsblk-based device enumeration + pam_fprintd biometric gate (when hardware present) + pkexec/polkit password fallback + tools/setup/linux.sh integration touchpoint
+- [ ] **[B-0739](backlog/P3/B-0739-zflash-windows-variant-wsl2-path-plus-powershell-native-path-windows-hello-uac-2026-05-25.md)** zflash Windows variant — two paths (WSL2 reuses Linux substrate via usbipd-win USB pass-through; PowerShell-native = Get-Disk + Clear-Disk + Windows Hello biometric + UAC elevation); tools/setup/ has no Windows entry today
 
 <!-- END AUTO-GENERATED -->
diff --git a/...-zflash-linux-variant-lsblk-plus-pam-fprintd-plus-pkexec-fallback-2026-05-25.md b/...-zflash-linux-variant-lsblk-plus-pam-fprintd-plus-pkexec-fallback-2026-05-25.md
@@ -0,0 +1,138 @@
+---
+id: B-0738
+priority: P3
+status: open
+created: 2026-05-25
+last_updated: 2026-05-25
+title: zflash Linux variant — lsblk-based device enumeration + pam_fprintd biometric gate (when hardware present) + pkexec/polkit password fallback + tools/setup/linux.sh integration touchpoint
+domain: ops-tooling
+ferried_by: aaron
+owners: [aaron]
+composes_with:
+  - B-0737
+  - B-0728
+  - B-0732
+related_substrate:
+  - full-ai-cluster/tools/flash-usb.ts
+  - full-ai-cluster/tools/zflash.ts
+  - full-ai-cluster/tools/zflash-setup.ts
+  - tools/setup/linux.sh
+tags: [zflash-linux, lsblk, pam-fprintd, libfprint, polkit, pkexec, biometric-fallback, ops-tooling, cross-platform]
+---
+
+# B-0738 — zflash Linux variant
+
+## Carved blade
+
+> `flash-usb.ts` + `zflash.ts` + `zflash-setup.ts` are macOS-only by hard refusal (`bail if (platform() !== "darwin")`). Linux extension is straightforward at the device-enumeration layer (`lsblk` + `/dev/sdX` instead of `diskutil` + `/dev/rdiskN`) but the biometric gate is **hardware-dependent**: `pam_fprintd.so` works only on machines with a supported fingerprint reader enrolled via `fprintd-enroll` (ThinkPads, Framework laptops, recent Dell XPS, some HPs). Machines without biometric hardware fall back to standard PAM password OR `pkexec` (polkit) for GUI password prompt. The substrate stays substrate-honest about which gate fires.
+
+## Origin
+
+Aaron 2026-05-25, after B-0737 (Mac variant) shipped:
+
+> *"is this mac only? does our install / pre install scripts take care of everyting needed for mac?  what do we need to do to extend this to windows and linux?  we should document liminations and scope and backlog the rest"*
+
+Yes — Mac only. This row covers the Linux extension; B-0739 covers Windows.
+
+## Limitations B-0738 addresses
+
+| Limitation | Current state | What B-0738 fixes |
+|---|---|---|
+| `flash-usb.ts` bails on non-Darwin | `bail(2, "this script only supports macOS...")` | Add Linux platform branch + `lsblk` enumeration + `/dev/sdX` writes |
+| No Linux `zflash` wrapper | Doesn't exist | Ship Linux equivalent — same `--short` challenge format; auto-discovers ISO under `~/Downloads/` (XDG-compliant variant: also check `$XDG_DOWNLOAD_DIR`) |
+| No Linux `zflash-setup` | Doesn't exist | Ship Linux equivalent — installs `pam_fprintd.so` if hardware present; fallback documented |
+| `pam_tid.so` is Apple-only | N/A on Linux | Replace with `pam_fprintd.so` (libfprint-based) when hardware supports |
+| No `tools/setup/linux.sh` integration | install.sh handles dev toolchain only | Optional touchpoint: invoke `zflash-setup-linux.ts` from `linux.sh` when `--with-zflash` flag passed (off by default; opt-in like the Mac path) |
+
+## Linux substrate-engineering scope
+
+### Scope item 1 — `flash-usb.ts` Linux platform branch
+
+- Detect platform via `platform() === "linux"`
+- Replace `diskutil list -plist` enumeration with `lsblk -J -O -d` (JSON output of disk-level devices, all attributes)
+- Filter for USB devices via `lsblk` `tran` field (`usb`) + `rm` field (`1` = removable)
+- Replace `bootDiskIdentifier()` (mount-based on macOS) with `/proc/mounts` parse + `findmnt /` resolution
+- Replace `/dev/rdiskN` raw-device convention with `/dev/sdX` directly (Linux has no raw-prefix equivalent; the block device IS the device)
+- Keep all hardware sanity rails (USB-only, single-USB, non-internal, non-boot, size-bounds, ISO checks)
+- Keep nonce + consent token gate (same per-run random + explicit-consent floor)
+- `sudo dd` invocation unchanged (works identically on Linux)
+
+Acceptance:
+
+- [ ] flash-usb.ts works on Debian/Ubuntu (the same matrix `tools/setup/linux.sh` already supports)
+- [ ] Hardware sanity rails enforce identically (USB-only, non-internal, non-boot)
+- [ ] At least one worked example: Aaron or Max flashes the Zeta installer ISO to a USB stick from a Linux dev machine
+
+### Scope item 2 — `zflash.ts` Linux variant (or unified script with platform-switch)
+
+Two design options; substrate-honest choice deferred to design pass:
+
+- **Option A** — separate `zflash-linux.ts` + `zflash-darwin.ts` + a top-level `zflash.ts` that dispatches based on `platform()`. Cleaner per-platform code; some duplication.
+- **Option B** — unified `zflash.ts` with platform branches inline. Tighter code; more conditionals.
+
+Probably Option B for the wrapper (it's small) + Option A for `flash-usb` if the per-platform divergence grows (currently small enough to inline).
+
+Auto-discovery surface on Linux extends to:
+- `~/Downloads/zeta-installer-*.iso` (default; matches macOS)
+- `$XDG_DOWNLOAD_DIR/zeta-installer-*.iso` if set (XDG-compliant)
+- `~/Downloads` is the de-facto default but XDG users (some Linux distros set it differently) need the extra check
+
+### Scope item 3 — `zflash-setup.ts` Linux variant
+
+PAM stack edit is similar in shape but different in content:
+
+- Target: `/etc/pam.d/sudo` (Debian/Ubuntu); some distros use `/etc/pam.d/sudo-i` instead — feature-detect
+- Insert line: `auth sufficient pam_fprintd.so` (NOT `pam_tid.so` — that's Apple)
+- Hardware precheck: `lsusb | grep -iE "fingerprint|biometric"` OR `fprintd-list "$USER"` to detect enrolled finger
+- If no fingerprint hardware OR no enrolled finger: skip PAM edit + report clearly that operator will fall back to password gate (still safer than NOPASSWD)
+- Alternative biometric: polkit + `pkexec` for GUI password prompt — works on systems without fingerprint hardware
+
+Acceptance:
+
+- [ ] PAM edit idempotent (matches Mac variant pattern)
+- [ ] Hardware precheck reports clearly when biometric NOT available
+- [ ] Substrate-honest fallback path documented (operator chooses: install fprintd if hardware supports it; OR accept password gate; OR install pkexec for GUI prompt)
+- [ ] Works on Debian/Ubuntu (the supported Linux matrix per `linux.sh`)
+- [ ] Future-scope: RHEL/Fedora/Arch/Alpine variants once `linux.sh` supports them
+
+### Scope item 4 — `tools/setup/linux.sh` integration touchpoint (optional)
+
+- Add `--with-zflash` opt-in flag to `linux.sh` (off by default; matches Mac touchpoint discipline — operator consciously opts into the system-PAM edit)
+- When passed: invokes `bun full-ai-cluster/tools/zflash-setup-linux.ts --install-alias` after main install
+- Documents the choice in install.sh output so first-run operator sees what was/wasn't installed
+
+## What's NOT in scope (deferred to future B-NNNN rows)
+
+- **RHEL/Fedora/Arch/Alpine support** — `linux.sh` itself doesn't support these yet (deferred per its header). zflash Linux variant will inherit that deferment.
+- **`libfprint` driver installation** — different distros have different package names + versions; this row assumes the operator has working fingerprint hardware before running zflash-setup.
+- **Headless Linux servers** — biometric obviously N/A; setup script reports + falls back to PAM password.
+- **Wayland-vs-X11 polkit pkexec UX differences** — both work; UX details deferred.
+- **Touch-screen Linux laptops with face-unlock** — `pam_face_authentication` exists but is experimental; future scope.
+
+## Composes with .claude/rules/
+
+- `.claude/rules/non-coercion-invariant.md` HC-8 — biometric (when present) gates destructive op; password fallback also keeps PAM in the loop; agent cannot bypass either
+- `.claude/rules/default-to-both.md` — biometric AND password fallback both first-class; substrate-honestly reported per machine
+- `.claude/rules/classifier-bypass-research-do-not-deploy-without-zeta-safer-floor.md` — PAM edit INSTALLS safety (biometric or fprintd); does not remove
+- `.claude/rules/honor-those-that-came-before.md` — B-0737 Mac substrate is foundation; B-0738 extends without replacing
+- `.claude/rules/glass-halo-bidirectional.md` — pkexec/fprintd prompts are system-level UI; visible to operator regardless of which terminal initiated
+
+## Composes with backlog substrate
+
+- B-0737 (zflash Mac variant — foundation; same `--short` challenge format; same safety substrate; same B-0728 contract)
+- B-0728 (destructive-tool authoring contract — inherited)
+- B-0732 (leverage-class safety substrate — empirical instance of "destructive operation gated by physical-presence proof when available")
+- B-0739 (zflash Windows variant — sibling row; same shape; different platform)
+
+## Substrate-honest framing
+
+This row PROPOSES the Linux substrate. It does NOT:
+
+- Ship code (future build work; scope items 1-3 are independent shippable units)
+- Auto-integrate into linux.sh (scope item 4 is opt-in; matches Mac touchpoint discipline)
+- Claim biometric works on every Linux laptop (hardware-dependent; substrate-honest fallback path documented)
+- Bypass any safety substrate from B-0737 (per-run nonce + explicit consent token + PAM auth all preserved)
+
+Per `.claude/rules/no-directives.md`: operator-substrate-honest scoping; Aaron + future Linux operators (Max if he uses Linux) retain authority over when to build + when to ship per-scope-item.
+
+P3 priority — Linux substrate enables future cross-platform operator base but doesn't gate any current critical path (Aaron's primary workstation is Mac; the cluster nodes themselves don't need zflash — they boot from the flashed USB then run zeta-install.sh natively).