V8.13.408.2025.11.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -79,11 +79,12 @@ end
 
 # 6. LUKS/dm-integrity Layering
 ```mermaid
-graph TD
-A[Plain device (rootfs.crypt)] --> B[dm-integrity (HMAC-SHA-512, 4 KiB)]
-B --> C[dm-crypt (AES-XTS-512)]
-C --> D[Mapped device /dev/mapper/crypt_liveiso]
-D --> E[SquashFS mount /run/live/rootfs]
+flowchart TD;
+%%
+A[Plain device (/live/rootfs.crypt)] --> B[dm-integrity (HMAC-SHA-512, 4 KiB)];
+B --> C[dm-crypt (AES-XTS-512)];
+C --> D[Mapped device /dev/mapper/crypt_liveiso];
+D --> E[SquashFS mount /run/live/rootfs];
 ```
 
 **Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
@@ -185,16 +186,17 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 # 13. Diagram: Trust Chain & Verification Paths
 
 ```mermaid
-graph TD
-A[Build time: pin EXP_FPR + embed ISO key] --> B[ISO artifacts: sha512sum.txt + .sig]
-B --> C[Boot early (0030): gpgv verify + FPR pin]
-C -->|OK| D[LUKS open (0025)]
-D --> E[Mount RootFS]
-E --> F[Boot late (0045): gpgv verify + FPR pin (root key)]
-F --> G[dmsetup health: crypt(XTS) over integrity(HMAC-SHA-512)]
-C -- FAIL --> X[Abort]
-F -- FAIL --> X
-G -- FAIL --> X
+flowchart TD;
+%%
+A[Build time: pin EXP_FPR + embed ISO key] --> B[ISO artifacts: sha512sum.txt + .sig];
+B --> C[Boot early (0030): gpgv verify + FPR pin];
+C -->|OK| D[LUKS open (0025)];
+D --> E[Mount RootFS];
+E --> F[Boot late (0045): gpgv verify + FPR pin (root key)];
+F --> G[dmsetup health: crypt(XTS) over integrity(HMAC-SHA-512)];
+C -- FAIL --> X[Abort];
+F -- FAIL --> X;
+G -- FAIL --> X;
 ```
 
 # 14. Closing Remark