V8.13.408.2025.11.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -79,12 +79,13 @@ end
 
 # 6. LUKS/dm-integrity Layering
 ```mermaid
-flowchart TD;
-%%
-A[Plain device (/live/rootfs.crypt)] --> B[dm-integrity (HMAC-SHA-512, 4 KiB)];
-B --> C[dm-crypt (AES-XTS-512)];
-C --> D[Mapped device /dev/mapper/crypt_liveiso];
-D --> E[SquashFS mount /run/live/rootfs];
+flowchart TD
+
+
+A["Plain device (/live/rootfs.crypt)"] --> B["dm-integrity (HMAC-SHA-512, 4 KiB)"];
+B --> C["dm-crypt (AES-XTS-512)"];
+C --> D["/dev/mapper/crypt_liveiso"];
+D --> E["SquashFS mount /run/live/rootfs"];
 ```
 
 **Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
@@ -186,15 +187,16 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 # 13. Diagram: Trust Chain & Verification Paths
 
 ```mermaid
-flowchart TD;
-%%
-A[Build time: pin EXP_FPR + embed ISO key] --> B[ISO artifacts: sha512sum.txt + .sig];
-B --> C[Boot early (0030): gpgv verify + FPR pin];
-C -->|OK| D[LUKS open (0025)];
-D --> E[Mount RootFS];
-E --> F[Boot late (0045): gpgv verify + FPR pin (root key)];
-F --> G[dmsetup health: crypt(XTS) over integrity(HMAC-SHA-512)];
-C -- FAIL --> X[Abort];
+flowchart TD
+
+
+A["Build time: pin EXP_FPR + embed ISO key"] --> B["ISO artifacts: sha512sum.txt + .sig"];
+B --> C["Boot early (0030): gpgv verify + FPR pin"];
+C -->|OK| D["LUKS open (0025)"];
+D --> E["Mount RootFS"];
+E --> F["Boot late (0045): gpgv verify + FPR pin (root key)"];
+F --> G["dmsetup health: crypt(XTS) over integrity(HMAC-SHA-512)"];
+C -- FAIL --> X["Abort"];
 F -- FAIL --> X;
 G -- FAIL --> X;
 ```