diff --git a/config/includes.chroot/root/.ciss/alias b/config/includes.chroot/root/.ciss/alias
index 35aa022..9acdcd2 100644
--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -81,6 +81,8 @@ alias ssa='systemctl status'
alias ssf='systemctl status --failed'
alias sysdr='systemctl daemon-reload'
alias syses='systemctl edit'
+alias sysliboot='systemctl list-unit-files --state=enabled --type=service'
+alias syslirun='systemctl list-units --type=service --state=running'
alias sysrl='systemctl reload'
alias sysrs='systemctl restart'
alias syssp='systemctl stop'
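Review bot: `sysliboot` only shows `--state=enabled` unit files, which leaves out `static` services pulled in by dependencies, `enabled-runtime` units, and services started via timers or sockets, so the name promises a "what starts at boot" view the command does not give. Either widen it to `systemctl list-unit-files --state=enabled,enabled-runtime,static --type=service` or add a short comment beside the alias stating the limitation. `syslirun` is fine as is; pairing it with `--all` would also surface failed/exited services, which is usually what you want on a hardened live image.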
diff --git a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
similarity index 100%
rename from config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh
rename to config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
diff --git a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
similarity index 100%
rename from config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh
rename to config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 15410e1..6113935 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -15,9 +15,9 @@ include_toc: true
## V8.13.408.2025.11.13
* **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``.
* **Added**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping.
-* **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
+* **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
* **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
-* **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh) + Enforce early sysctls before services start.
+* **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) + Enforce early sysctls before services start.
* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest) + Late rootfs attestation and dmsetup health checking.
* **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
* **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.
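Review bot: the two edited entries update only the link target, so the visible text still reads `0022-ciss-overlay-tmpfs.sh` and `0026-ciss-early-sysctl.sh` while the files have been renamed without the suffix. Change the link text as well, e.g. `[0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs)`, matching the form already used for the 0024 and 0042 entries. The rename itself is not recorded as a changelog line for this version even though it changes paths that MAN_CISS_ISO_BOOT_CHAIN.md lists.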
diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index c47d7b3..a78ddba 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -41,38 +41,53 @@ include_toc: true
# 5. End-to-End Boot Flow
```mermaid
sequenceDiagram
- autonumber
- participant FW as UEFI/BIOS
- participant GRUB as GRUB
- participant K as Kernel
- participant I as initramfs + live-boot
- participant D as Dropbear (optional)
- participant C25 as CISS 0025 (live-premount)
- participant C30 as CISS 0030 (live-bottom, early)
- participant LUKS as LUKS2 + dm-integrity
- participant RS as RootFS (SquashFS/Overlay)
- participant C45 as CISS 0045 (live-bottom, late)
+autonumber
+participant FW as UEFI/BIOS
+participant GRUB as GRUB
+participant K as Kernel
+participant I as initramfs + live-boot
+participant D as Dropbear (optional)
+participant C30 as CISS 0030 (early verify)
+participant C25 as CISS 0025 (unlock)
+participant LUKS as LUKS2 + dm-integrity
+participant RS as RootFS (SquashFS/Overlay)
+participant C45 as CISS 0045 (late verify)
- FW->>GRUB: Load kernel + initramfs
- GRUB->>K: Boot kernel
- K->>I: Pivot to initramfs (live-boot phases)
- I->>D: (optional) Start Dropbear (remote unlock)
- I->>C25: Run 0025: LUKS open (dm-crypt+integrity), mount SquashFS
- C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
- I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin, optional self-hash)
- C30-->>I: OK → continue; FAIL → abort
- I->>RS: Assemble overlay, switch_root
- I->>C45: Run 0045: Verify root fs (gpgv, FPR pin) + dmsetup health
- C45-->>I: OK → handoff to userspace; FAIL → abort
+
+FW->>GRUB: Load kernel + initramfs
+GRUB->>K: Boot kernel
+K->>I: Pivot to initramfs (live-boot phases)
+I->>D: (optional) Start Dropbear (remote unlock)
+
+
+I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin)
+alt 0030 OK
+C30-->>I: Verified
+else 0030 FAIL
+C30-x I: Abort boot
+end
+
+
+I->>C25: Run 0025: LUKS open (dm-crypt + integrity), mount SquashFS
+C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
+
+
+I->>RS: Assemble overlay, switch_root
+I->>C45: Run 0045: Verify root FS (gpgv, FPR pin) + dmsetup health
+alt 0045 OK
+C45-->>I: Verified
+else 0045 FAIL
+C45-x I: Abort boot
+end
```
# 6. LUKS/dm-integrity Layering
```mermaid
graph TD
- A[Plain device (rootfs.crypt)] --> B[dm-integrity
HMAC-SHA-512, 4 KiB]
- B --> C[dm-crypt
AES-XTS-512]
- C --> D[Mapped device /dev/mapper/crypt_liveiso]
- D --> E[SquashFS mount /run/live/rootfs]
+A[Plain device (rootfs.crypt)] --> B[dm-integrity
HMAC-SHA-512, 4 KiB]
+B --> C[dm-crypt
AES-XTS-512]
+C --> D[Mapped device /dev/mapper/crypt_liveiso]
+D --> E[SquashFS mount /run/live/rootfs]
```
**Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
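Review bot: the reordered sequence now runs 0030 (ISO edge verify) before 0025 (LUKS open), but the removed participant labels said 0025 lives in live-premount and 0030 in live-bottom, and the boot-view paths later in this document keep the unlock hook in `/scripts/live-premount/` and the verify hook in `/scripts/live-bottom/`. live-premount scripts run before live-bottom scripts, so the diagram shows an order the hook placement cannot produce. Either move the early verification into live-premount with a number below the unlock hook, or keep the original unlock-then-verify order and state it. The participant names (0025, 0045) also no longer match the hook list in section 12 (0024, 0042). Separately, the section 6 node `A[Plain device (rootfs.crypt)]` contains unquoted parentheses, which mermaid rejects inside `[...]`; write `A["Plain device (rootfs.crypt)"]`. Mixing the de-indent of every line with the semantic reorder also makes the actual change hard to review; splitting whitespace from content would help.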
@@ -136,11 +151,11 @@ dmsetup table --showkeys /dev/mapper/crypt_liveiso
dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
```
-# 9. Failure Policy (fail-closed, deterministic)
+# 10. Failure Policy (fail-closed, deterministic)
* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
-# 10. Dropbear (Hardened Remotely Unlock)
+# 11. Dropbear (Hardened Remotely Unlock)
```text
• Public-key auth only, no passwords
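Review bot: the headings move from 9 to 10 and 10 to 11, but no new section 9 appears in this hunk; confirm the inserted section exists and that nothing in the text refers to "section 9" or "section 10" by number. While this heading is being touched, fix its grammar: `Dropbear (Hardened Remotely Unlock)` should read `Dropbear (Hardened Remote Unlock)`.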
@@ -152,31 +167,41 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
*Concrete selection compiled via your `localoptions.h` at ISO build time.*
-# 11. Integration Points & Paths
+# 12. Integration Points & Paths
-* **Hooks (build view):** `/usr/lib/live/boot/0025-...`, `/usr/lib/live/boot/0030-...`, `/usr/lib/live/boot/0045-...`
-* **Hooks (boot view):** `/scripts/live-premount/0025-...`, `/scripts/live-bottom/0030-...`, `/scripts/live-bottom/0045-...`
+* **Hooks (build view):**
+ * `/usr/lib/live/boot/0022-ciss-overlay-tmpfs`,
+ * `/usr/lib/live/boot/0024-ciss-crypt-squash`,
+ * `/usr/lib/live/boot/0026-ciss-early-sysctl`,
+ * `/usr/lib/live/boot/0030-ciss-verify-checksums`,
+ * `/usr/lib/live/boot/0042-ciss-post-decrypt-attest`,
+* **Hooks (boot view):**
+ * `/scripts/live-premount/0022-ciss-overlay-tmpfs`,
+ * `/scripts/live-premount/0024-ciss-crypt-squash`,
+ * `/scripts/live-premount/0026-ciss-early-sysctl`,
+ * `/scripts/live-bottom/0030-ciss-verify-checksums`,
+ * `/scripts/live-bottom/0042-ciss-post-decrypt-attest`
* **Key files:**
- * ISO edge (for 0030): embedded public key blob (project-specific name)
- * Root FS (for 0045): `/etc/ciss/keys/*.gpg`
+ * ISO edge (for 0030): embedded public key blob (project-specific fpr)
+ * Root FS (for 0042): `/etc/ciss/keys/.gpg`
* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
-# 12. Diagram: Trust Chain & Verification Paths
+# 13. Diagram: Trust Chain & Verification Paths
```mermaid
flowchart TD
- A[Build time
pin EXP_FPR + embed ISO key] --> B[ISO artifacts
sha512sum.txt + .sig]
- B --> C[Boot early (0030)
gpgv verify + FPR pin]
- C -->|OK| D[LUKS open (0025)]
- D --> E[Mount RootFS]
- E --> F[Boot late (0045)
gpgv verify + FPR pin (root key)]
- F --> G[dmsetup health
crypt(XTS) over integrity(HMAC-SHA512)]
- C -- FAIL --> X[Abort]
- F -- FAIL --> X
- G -- FAIL --> X
+A[Build time
pin EXP_FPR + embed ISO key] --> B[ISO artifacts
sha512sum.txt + .sig]
+B --> C[Boot early (0030)
gpgv verify + FPR pin]
+C -->|OK| D[LUKS open (0025)]
+D --> E[Mount RootFS]
+E --> F[Boot late (0045)
gpgv verify + FPR pin (root key)]
+F --> G[dmsetup health
crypt(XTS) over integrity(HMAC-SHA-512)]
+C -- FAIL --> X[Abort]
+F -- FAIL --> X
+G -- FAIL --> X
```
-# 13. Closing Remark
+# 14. Closing Remark
This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.
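Review bot: the key-file line now reads `/etc/ciss/keys/.gpg`, which names a single hidden file; the original `*.gpg` was the intended glob, and inside backticks the asterisk is not markdown emphasis, so restore it. The same line says "Root FS (for 0042)" while the flowchart below still labels the late verify as 0045 and the unlock as 0025, against `0024-ciss-crypt-squash` and `0042-ciss-post-decrypt-attest` in the list above it; settle on one numbering across the document. Minor: the build-view list ends with a dangling comma after `0042-ciss-post-decrypt-attest,` while the boot-view list does not, and "project-specific fpr" should be `FPR` as elsewhere (the embedded artifact is the key blob; the fingerprint is what is pinned against it). In the flowchart, labels such as `C[Boot early (0030) ...]` and `G[dmsetup health crypt(XTS) over integrity(HMAC-SHA-512)]` carry unquoted parentheses and will not render in mermaid; wrap the label text in double quotes. In the closing remark, "medium tampering" should be "media tampering".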