V8.13.432.2025.11.18

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -108,14 +108,18 @@ flowchart TD
 
 # 6. LUKS/dm-integrity Layering
 ```mermaid
+---
+config:
+      theme: forest
+---
 flowchart TD
-0{{"Plain device CD-ROM / USB "}} --> 1["ISO Image"];
-1 --> 2["Mounting ISO FS /live/filesystem.squashfs"];
-2 --> 3["Opening LUKS2 Container /live/ciss_rootfs.crypt"];
-3 --> 4["Layer dm-integrity HMAC-SHA-512, 4 KiB"];
-4 --> 5["Layer dm-crypt AES-XTS-512"];
-5 --> 6["Mounting LUKS2 FS /dev/mapper/crypt_liveiso"];
-6 --> 7["Mounting SquashFS /run/live/rootfs"];
+0{{"Plain device: CD-ROM / USB"}} --> 1["ISO image (ISO9660 + ESP)"];
+1 --> 2["Mount ISO9660 FS → /run/live/medium"];
+2 --> 3["Container file /run/live/medium/live/ciss_rootfs.crypt"];
+3 --> 4["dm-integrity layer (HMAC-SHA-512, 4 KiB)"];
+4 --> 5["dm-crypt LUKS2 (AES-XTS-512) → /dev/mapper/crypt_liveiso"];
+5 --> 6["Mount SquashFS from /dev/mapper/crypt_liveiso → /run/live/rootfs"];
+
 ```
 
 **Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.