fix: panel-cwu50 timing fix from Rex's kernel - native 720x1280 mode

Swap H/V display mode to native panel resolution (720x1280) instead of
rotated (1280x720). The DRM/KMS pipeline handles rotation via connector
orientation property. Setting wrong horizontal resolution caused DSI
controller to send extra pixels per line, resulting in horizontal
repetition.

Add DCS-based panel detection in init_sequence2 as supplemental check.

Based on ak-rex/ClockworkPi-linux rpi-6.12.y branch panel-cwu50.c.

Replaces old 0008 patches (DSI_INIT0, BURST removal) that didn't fix
the issue.

flake.nix

@@ -12,10 +12,21 @@
       url = "git+https://git.lix.systems/lix-project/lix?ref=main";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    self.submodules = true;
+    nixpkgs-uconsole.url = "github:NixOS/nixpkgs/nixos-25.11";
+    nixos-uconsole = {
+      url = "github:nixos-uconsole/nixos-uconsole/v1.1.0";
+      inputs.nixpkgs.follows = "nixpkgs-uconsole";
+      inputs.nixos-raspberrypi.follows = "nixos-raspberrypi";
+    };
+    nixos-raspberrypi = {
+      url = "github:gortium/nixos-raspberrypi/cm5-cross-v1";
+      inputs.nixpkgs.follows = "nixpkgs-uconsole";
+    };
   };
 
-  outputs = { self, nixpkgs, agenix, lix, ... }@inputs:
+  outputs = { self, nixpkgs, agenix, lix
+            , nixpkgs-uconsole, nixos-uconsole, nixos-raspberrypi
+            , ... }@inputs:
     let
       system = "x86_64-linux";
       keys = import ./lib/keys.nix;
@@ -30,16 +41,12 @@
       pkgs = import nixpkgs {
         inherit system overlays;
         config.allowUnfree = true;
-        config.permittedInsecurePackages = [
+        config.permittedInsecurePackages = [ "openclaw-2026.3.12" ];
-          "openclaw-2026.3.12"
-        ];
       };
-
       devShell = import ./shells/nix_dev.nix {
         inherit pkgs system agenix;
       };
-    in
+    in {
-      {
       nixosConfigurations = {
         lazyworkhorse = nixpkgs.lib.nixosSystem {
           specialArgs = { inherit system self keys paths inputs; };
@@ -48,9 +55,7 @@
               nixpkgs.overlays = overlays;
               nixpkgs.config.allowUnfree = true;
               nixpkgs.config.rocmSupport = true;
-                nixpkgs.config.permittedInsecurePackages = [
+              nixpkgs.config.permittedInsecurePackages = [ "openclaw-2026.3.12" ];
-                  "openclaw-2026.3.12"
-                ];
               nix.package = lix.packages.${system}.default;
             }
             agenix.nixosModules.default
@@ -80,7 +85,72 @@
             ./hosts/cyt-pi/hardware-configuration.nix
           ];
         };
+
+        uconsole-cm5 = nixpkgs-uconsole.lib.nixosSystem {
+          system = "aarch64-linux";
+          specialArgs = {
+            inherit self keys paths inputs;
+            nixos-raspberrypi = nixos-raspberrypi;
+            isCM4 = false;
           };
+          modules = [
+            {
+              nixpkgs.buildPlatform = "x86_64-linux";
+              nixpkgs.hostPlatform = "aarch64-linux";
+              nixpkgs.config.allowUnfree = true;
+              boot.loader.raspberry-pi.bootloader = "kernel";
+            }
+            nixos-raspberrypi.nixosModules.nixpkgs-rpi
+            # Fix display timings from Rex's kernel: native 720x1280 instead of
+            # rotated 1280x720, plus DCS-based panel detection.
+            ({ lib, ... }: {
+              boot.kernelPatches = [{
+                name = "panel-cwu50-rex-timing-fix";
+                patch = ./patches/0008-panel-cwu50-rex-timing-fix.patch;
+              }];
+            })
+            nixos-raspberrypi.nixosModules.raspberry-pi-5.base
+            nixos-raspberrypi.lib.inject-overlays
+            nixos-raspberrypi.lib.inject-overlays-global
+            nixos-uconsole.nixosModules.uconsole-cm5
+            ({ config, lib, pkgs, inputs, ... }: let
+              lix-cross = import inputs.nixpkgs-uconsole {
+                localSystem = { system = "x86_64-linux"; };
+                crossSystem = { system = "aarch64-linux"; };
+                overlays = [ inputs.lix.overlays.default ];
+              };
+            in { nix.package = lix-cross.lix; })
+            agenix.nixosModules.default
+            ./hosts/uconsole-cm5/configuration.nix
+            ./hosts/uconsole-cm5/hardware-configuration.nix
+          ];
+        };
+      };
+
       devShells.${system}.default = devShell;
+
+      packages.${system} = {
+        uconsole-cm5-image = (nixos-raspberrypi.lib.nixosSystem {
+          system = "aarch64-linux";
+          specialArgs = {
+            inherit self keys inputs;
+            nixos-raspberrypi = nixos-raspberrypi;
+            isCM4 = false;
+          };
+          modules = [
+            {
+              nixpkgs.buildPlatform = system;
+              nixpkgs.hostPlatform = "aarch64-linux";
+            }
+            nixos-raspberrypi.nixosModules.nixpkgs-rpi
+            nixos-raspberrypi.nixosModules.raspberry-pi-5.base
+            nixos-raspberrypi.lib.inject-overlays-global
+            nixos-raspberrypi.nixosModules.sd-image
+            nixos-uconsole.nixosModules.uconsole-cm5
+            agenix.nixosModules.default
+            ./hosts/uconsole-cm5/configuration.nix
+          ];
+        }).config.system.build.sdImage;
+      };
     };
 }

hosts/lazyworkhorse/configuration.nix

@@ -11,6 +11,10 @@
   # Flakesss
   nix.settings.experimental-features = [ "nix-command" "flakes" "flake-self-attrs" ];
   nix.settings.trusted-users = [ "root" "gortium" ];
+  nix.settings.extra-platforms = [ "aarch64-linux" ];
+
+  # QEMU binfmt for cross-building aarch64 NixOS targets
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
   # Garbage collection
   nix.gc = {

hosts/uConsole/configuration.nix

@@ -0,0 +1,171 @@
+{ config, lib, pkgs, paths, self, keys, ... }:
+
+{
+  # Basic Host Info
+  networking.hostName = "uConsole";
+  time.timeZone = "America/Montreal";
+  i18n.defaultLocale = "en_CA.UTF-8";
+
+  # System State
+  system.stateVersion = "25.05";
+
+  # Boot & Hardware (migrated to kernel bootloader per nixos-raspberrypi deprecation notice)
+  boot.loader.raspberry-pi.bootloader = "kernel";
+  # kernel managed by nixos-raspberrypi module — don't override, patches are version-specific
+  # boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  # Networking
+  networking.networkmanager.enable = true;
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = lib.mkForce "prohibit-password";
+    settings.PasswordAuthentication = lib.mkForce false;
+  };
+
+  # User
+  users.users.gortium = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "networkmanager" "video" "dialout" "kismet" ];
+    openssh.authorizedKeys.keys = [
+      keys.users.gortium.main
+      keys.users.gortium.gitea
+    ];
+  };
+  security.sudo.extraRules = [
+    {
+      users = [ "gortium" ];
+      commands = [
+        {
+          command = "ALL";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
+
+  # ============================================================
+  # Package groups
+  # ============================================================
+
+  environment.systemPackages = with pkgs; [
+    # ===== Base =====
+    emacs-pgtk
+    git
+    ripgrep
+    fd
+    htop
+    tmux
+    neovim
+
+    # ===== HAM Radio =====
+    js8call
+    wsjtx
+    fldigi
+    pat                        # Winlink client
+    direwolf                   # AX.25 packet modem
+    chirp                      # Radio programming tool
+    hamlib                     # Ham radio control libraries
+    trustedqsl                 # Logbook of the World (LoTW)
+
+    # ===== SDR / RF =====
+    sdrpp                      # SDR++ spectrum analyzer
+    gqrx                       # SDR receiver GUI
+    rtl-sdr                    # RTL-SDR drivers & utilities
+    inspectrum                # Offline signal analysis
+    soapysdr-with-plugins      # SoapySDR + hardware support plugins
+
+    # ===== Mesh / LoRa =====
+    meshtastic                 # Python CLI for Meshtastic devices
+    reticulumStack             # Reticulum Network Stack (rnsd, rnsh, rncp, rnx, rnpath, etc.)
+    lxmf                       # LXMF messaging protocol
+    nomadnet                   # Nomad Network client
+
+    # ===== Security =====
+    nmap
+    aircrack-ng
+    kismet                     # Wi-Fi monitor / IDS
+    bettercap                  # MITM/network attack framework
+    wireshark                  # Packet analyzer
+    hashcat                    # GPU password cracker
+    john                       # John the Ripper
+    sqlmap                     # SQL injection tool
+
+    # ===== GPS / Maps =====
+    foxtrotgps
+    viking                     # GPS map editor
+    gpsbabel                   # GPS data conversion
+  ];
+
+  # Packages noted but not in unstable nixpkgs:
+  #   - metasploit: unfree; install manually via Git clone
+  #   - burpsuite: unfree Java app (Community Edition available for download)
+  #   - sidechannel: not a distinct PyPI package; functionality covered by
+  #     the Reticulum stack. For LXMF GUI client, install Sideband manually
+  #     from github.com/markqvist/Sideband
+
+  # ============================================================
+  # Reticulum Service (rnsd)
+  # ============================================================
+  systemd.services.rnsd = {
+    description = "Reticulum Network Stack Daemon";
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      User = "gortium";
+      Group = "gortium";
+      ExecStart = "${pkgs.reticulumStack}/bin/rnsd";
+      Restart = "always";
+      RestartSec = "10s";
+      LimitNOFILE = 65536;
+    };
+  };
+
+  # ============================================================
+  # Kismet Service (Wi-Fi monitoring / mesh node)
+  # ============================================================
+  systemd.services.kismet = {
+    description = "Kismet Wi-Fi Monitor & IDS";
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      User = "gortium";
+      Group = "kismet";
+      ExecStart = "${pkgs.kismet}/bin/kismet -c wlan0 --log-base=/home/gortium/kismet_logs --no-nc-ui";
+      Restart = "always";
+      RestartSec = "10s";
+    };
+  };
+
+  # ============================================================
+  # Kernel modules for SDR and radio
+  # ============================================================
+  boot.kernelModules = [
+    "88x2bu"          # Realtek 8812/8821BU USB WiFi (common adapter)
+    "rtl8xxxu"        # RTL8188/8192/8723 USB WiFi
+    "rtl2832_sdr"     # RTL-SDR kernel module
+    "dvb_usb_rtl28xxu" # RTL-SDR DVB-T
+  ];
+
+  boot.blacklistedKernelModules = [ ];
+
+  # ============================================================
+  # Extra udev rules for SDR and HAM radio devices
+  # ============================================================
+  services.udev.packages = with pkgs; [ rtl-sdr ];
+
+  # ============================================================
+  # Enable IPv6 for Reticulum mesh
+  # ============================================================
+  networking.enableIPv6 = true;
+
+  # ============================================================
+  # Firewall: open ports for Reticulum (optional)
+  # ============================================================
+  networking.firewall.allowedTCPPorts = [ 22 ]; # SSH only
+  networking.firewall.allowedUDPPorts = [ ];
+  # Reticulum uses its own encryption and doesn't need open ports
+  # for basic mesh operations (peer-to-peer discovery).
+  # For TCP interfaces, open additional ports as needed.
+}

hosts/uConsole/hardware-configuration.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sdhci_pci" "nvme" ];
+  boot.initrd.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # uConsole CM5 uses NVMe or eMMC for boot storage
+  # The uconsole-cm5 module sets up /boot/firmware and default /
+  # Override device label here if using different storage
+  fileSystems."/" = lib.mkDefault {
+    device = "/dev/disk/by-label/NIXOS_UCM5";
+    fsType = "ext4";
+    options = [ "noatime" ];
+  };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+  hardware.enableRedistributableFirmware = true;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}

modules/nixos/security/README-ai-worker.md

@@ -1,44 +1,10 @@
 # AI Worker Restricted Access
 
-This module provides SSH access for the AI worker (hermes-agent) to run docker commands on the host.
+This module provides SSH access for the AI worker (hermes-agent) to run ollama benchmarks on the host.
 
 ## Security Model
 
-### Overview
+The `ai-worker` user has:
-
-The `ai-worker` user has **no direct docker group access**. All docker commands must go through `sudo`, and only specific subcommands are whitelisted:
-
-- **Container lifecycle**: `docker ps`, `docker inspect`, `docker logs`, `docker images`, `docker info`, `docker version`, `docker stats`
-- **Control**: `docker start`, `docker stop`, `docker restart`, `docker rm`, `docker rmi`, `docker wait`
-- **Image management**: `docker pull`, `docker build`, `docker run`, `docker compose`
-- **Disk cleanup**: `docker system`
-- **Network/Volume**: `docker network ls`, `docker volume ls` (read-only)
-
-### EXPLICITLY BLOCKED (not in sudo whitelist)
-
-| Command | Risk | Result |
-|---------|------|--------|
-| `docker exec` | Execute arbitrary commands inside containers (FILE MODIFICATION) | Blocked by sudo |
-| `docker cp` | Copy files between containers and host | Blocked by sudo |
-| `docker commit` | Create images from running containers (data exfil) | Blocked by sudo |
-| `docker diff` | Inspect filesystem changes | Blocked by sudo |
-| `docker export` | Export container filesystem | Blocked by sudo |
-| `docker import` | Import filesystem archives | Blocked by sudo |
-| `docker load` | Load docker images | Blocked by sudo |
-| `docker save` | Save docker images to tar | Blocked by sudo |
-| `docker attach` | Interactive access to containers | Blocked by sudo |
-| `docker push` | Push images to registries | Blocked by sudo |
-| `docker tag` | Rename images | Blocked by sudo |
-
-### Why This Approach?
-
-Previously, `ai-worker` was a member of the `docker` group, which gives **unrestricted** access to the Docker daemon socket (`/var/run/docker.sock`). Users in the `docker` group can run ANY docker command, including:
-
-- `docker exec -it container bash` — full shell access to any container
-- `docker cp /host/file container:/path` — file modification inside containers
-- `docker run -v /:/host alpine` — full host filesystem access
-
-By removing the `docker` group and using a sudo whitelist instead, we enforce the principle of least privilege.
 
 ### Filesystem Access
 - **Home directory**: `/home/ai-worker` (standard user home)
@@ -46,33 +12,51 @@ By removing the `docker` group and using a sudo whitelist instead, we enforce th
 - **Cannot access**: Any files outside standard system paths
 
 ### Sudo Access
-- **Restricted**: ai-worker has `NOPASSWD` access only to whitelisted commands
+- **NONE**: ai-worker has no sudo privileges
 - Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
 
-## Workflow: SSH + Restricted Docker
+### Docker Access
+- Member of `docker` group - can run `docker` and `docker exec` commands
+- Primary use: `docker exec ollama ollama ...` for benchmarking
+- Can run `docker exec --privileged ollama rocm-smi ...` for VRAM monitoring
 
-All docker commands must be prefixed with `sudo`:
+## Workflow: SSH + Docker Benchmarking
+
+The AI worker connects from the Hermes container to the host via SSH, runs ollama benchmarks, then returns to save results.
+
+### Example Workflow
 
 ```bash
 # From Hermes container, SSH to host
 ssh -i /path/to/ssh/key ai-worker@host.docker.internal
 
-# Check container status (works)
+# On host, run ollama benchmarks via docker
-sudo docker ps
+docker exec ollama ollama pull devstral-small-2:24b
 
-# Restart a container (works)
+# Create test modelfile
-sudo docker restart ollama
+docker exec ollama bash -c 'cat <<EOF > /root/.ollama/test.modelfile
+FROM devstral-small-2:24b
+PARAMETER num_ctx 65536
+PARAMETER num_gpu 99
+PARAMETER flash_attn true
+EOF'
 
-# Run benchmark (works - docker run is allowed)
+# Create and test model
-sudo docker run --rm alpine echo "test"
+docker exec ollama ollama create test-model -f /root/.ollama/test.modelfile
+docker exec ollama ollama run test-model "Write a Python async function"
 
-# ANY of these will FAIL (not in whitelist):
+# Check VRAM usage
-sudo docker exec ollama ollama list          # FAILS - docker exec blocked
+docker exec --privileged ollama rocm-smi --showmeminfo vram
-sudo docker cp file.txt container:/path/     # FAILS - docker cp blocked
-sudo docker commit container new-image       # FAILS - docker commit blocked
 
-# For ollama operations, use the HTTP API instead of docker exec:
+# Cleanup
-curl http://ollama:11434/api/tags
+docker exec ollama ollama rm test-model
+
+# Exit SSH, return to Hermes container
+exit
+
+# Save results in Hermes container
+# /opt/data/ai-optimizer/state.json
+# /opt/data/ai-optimizer/results.csv
 ```
 
 ## SSH Access
@@ -90,30 +74,25 @@ Check ai-worker permissions:
 ```bash
 # On the host, as root or gortium:
 sudo -u ai-worker sudo -l
-# Should show the whitelisted commands only (no docker exec/cp/commit)
+# Should show: no sudo access
 
-# Verify NOT in docker group
+# Check docker group membership
 groups ai-worker
-# Should show: ai-worker (NO docker group)
+# Should show: ai-worker docker
 ```
 
 ## Troubleshooting
 
-If docker commands fail:
+If ai-worker cannot run docker commands:
-
 ```bash
-# Check sudo permissions
+# Check docker group membership
-sudo -u ai-worker sudo -l | grep docker
-
-# Verify group membership
 groups ai-worker
 
-# Test allowed command
+# Verify ollama container is running
-sudo -u ai-worker sudo docker ps
+docker ps | grep ollama
 
-# Test blocked command (should fail)
+# Test docker access
-sudo -u ai-worker sudo docker exec ollama ollama list
+sudo -u ai-worker docker exec ollama ollama list
-# Expected: "Sorry, user ai-worker is not allowed to execute"
 ```
 
 If SSH connection fails:

modules/nixos/security/ai-worker-restricted.nix

@@ -6,19 +6,12 @@ with lib;
   options.services.aiWorkerAccess = mkOption {
     type = types.bool;
     default = false;
-    description = "Enable AI worker SSH access with restricted sudo docker commands";
+    description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
   };
 
   config = mkIf config.services.aiWorkerAccess {
-    # SECURITY: ai-worker is NOT added to docker group.
+    # ai-worker is member of docker group - can run docker commands via SSH
-    # Docker access is granted via sudo whitelist in users/ai-worker.nix.
+    # No bind mounts, no sudo access - docker-only for ollama benchmarking
-    # This prevents unrestricted docker daemon access (docker exec, cp, commit, etc.)
+    users.groups.docker.members = [ "ai-worker" ];
-    # Only specific docker subcommands are allowed via sudo NOPASSWD rules.
-    
-    # The old approach (docker group membership) has been removed because:
-    # - Docker group gives UNRESTRICTED access to the docker daemon socket
-    # - No way to limit which docker subcommands a docker group member can run
-    # - Allowed: docker exec, docker cp, docker run -v /:/host, etc.
-    # users.groups.docker.members = [ "ai-worker" ];  // REMOVED
   };
 }

overlays/reticulum.nix

@@ -0,0 +1,81 @@
+final: prev: let
+  python3 = final.python3;
+  pyPkgs = python3.pkgs;
+in {
+  reticulumStack = python3.pkgs.buildPythonApplication rec {
+    pname = "reticulum";
+    version = "1.2.9";
+    format = "setuptools";
+    src = pyPkgs.fetchPypi {
+      pname = "rns";
+      inherit version;
+      sha256 = "554814231c237b9caacf8df669312e57dd7d3f84b6d4810125087d1a79a75d75";
+    };
+    propagatedBuildInputs = with pyPkgs; [ cryptography pyserial ];
+    doCheck = false;
+    pythonImportsCheck = [ "RNS" ];
+    meta = with final.lib; {
+      description = "Self-configuring, encrypted and resilient mesh networking stack";
+      homepage = "https://reticulum.network/";
+      license = licenses.mit;
+      platforms = platforms.linux;
+    };
+  };
+
+  lxmf = python3.pkgs.buildPythonApplication rec {
+    pname = "lxmf";
+    version = "0.9.8";
+    format = "setuptools";
+    src = pyPkgs.fetchPypi {
+      inherit pname version;
+      sha256 = "30f39f3a975a049c12ee2cfceb3261d24cb5adec881c6821f7354464b3f3650c";
+    };
+    propagatedBuildInputs = [ final.reticulumStack ];
+    doCheck = false;
+    pythonImportsCheck = [ "LXMF" ];
+    meta = with final.lib; {
+      description = "Lightweight Extensible Message Format for Reticulum";
+      homepage = "https://github.com/markqvist/lxmf";
+      license = licenses.mit;
+      platforms = platforms.linux;
+    };
+  };
+
+  nomadnet = python3.pkgs.buildPythonApplication rec {
+    pname = "nomadnet";
+    version = "1.1.1";
+    format = "setuptools";
+    src = pyPkgs.fetchPypi {
+      inherit pname version;
+      sha256 = "fa13b64a10e75b705a58024815ab72451700aa726af96d415ba99dec28dfc40a";
+    };
+    propagatedBuildInputs = with pyPkgs; [ final.reticulumStack final.lxmf urwid qrcode ];
+    doCheck = false;
+    pythonImportsCheck = [ "nomadnet" ];
+    meta = with final.lib; {
+      description = "Nomad Network — resilient mesh communications platform";
+      homepage = "https://github.com/markqvist/NomadNet";
+      license = licenses.mit;
+      platforms = platforms.linux;
+    };
+  };
+
+  rnsh = python3.pkgs.buildPythonApplication rec {
+    pname = "rnsh";
+    version = "0.1.7";
+    format = "setuptools";
+    src = pyPkgs.fetchPypi {
+      inherit pname version;
+      sha256 = "9cb72f25abb1c6d300f8014b264184ff78f592fe88e36094938012990b797c93";
+    };
+    propagatedBuildInputs = [ final.reticulumStack ];
+    doCheck = false;
+    pythonImportsCheck = [ "rnsh" ];
+    meta = with final.lib; {
+      description = "Remote shell over Reticulum";
+      homepage = "https://github.com/acehoss/rnsh";
+      license = licenses.mit;
+      platforms = platforms.linux;
+    };
+  };
+}

patches/0008-panel-cwu50-rex-timing-fix.patch

@@ -0,0 +1,45 @@
+--- a/drivers/gpu/drm/panel/panel-cwu50.c
++++ b/drivers/gpu/drm/panel/panel-cwu50.c
+@@ -27,12 +27,12 @@ static const struct drm_display_mode default_mode = {
+ 	.clock = 61020,
+-	.hdisplay = 1280,
+-	.hsync_start = 1280 + 8,
+-	.hsync_end = 1280 + 8 + 2,
+-	.htotal = 1280 + 8 + 2 + 16,
+-	.vdisplay = 720,
+-	.vsync_start = 720 + 30,
+-	.vsync_end = 720 + 30 + 15,
+-	.vtotal = 720 + 30 + 15 + 15,
++	.hdisplay = 720,
++	.hsync_start = 720 + 30,
++	.hsync_end = 720 + 30 + 15,
++	.htotal = 720 + 30 + 15 + 15,
++	.vdisplay = 1280,
++	.vsync_start = 1280 + 8,
++	.vsync_end = 1280 + 8 + 2,
++	.vtotal = 1280 + 8 + 2 + 16,
+ };
+ 
+ static inline struct cwu50 *panel_to_cwu50(struct drm_panel *panel)
+@@ -586,7 +586,8 @@ static int cwu50_init_sequence2(struct cwu50 *ctx)
+ {
+ 	struct mipi_dsi_device *dsi = to_mipi_dsi_device(ctx->dev);
+-	int err;
++	int err;
++	u8 buf[4];
+ 
+ 	dcs_write_seq(0xE0,0x00);
+ 
+@@ -633,6 +634,12 @@ static int cwu50_init_sequence2(struct cwu50 *ctx)
+ 
+ 	dcs_write_seq(0x11);// SLPOUT
+ 	msleep (200);
++	dcs_write_seq(0xE0,0x00);
++	mipi_dsi_dcs_read(dsi, 0x04, buf, 3);
++
++	if(buf[0] == 0x39) ctx->is_new_panel = 1;
++
++	dcs_write_seq(0xE0,0x00);
+ 
+ 	dcs_write_seq(0x29);// DSiPON
+ 	msleep (100);

users/ai-worker.nix

@@ -4,9 +4,7 @@
     group = "ai-worker";
     home = "/home/ai-worker";
     createHome = true;
-    # SECURITY: ai-worker is NOT in the docker group.
+    extraGroups = [ "docker" ];
-    # Docker access is restricted via sudo whitelist — only specific subcommands allowed.
-    # extraGroups = [ "docker" ]; — REMOVED: docker group gives unrestricted docker daemon access
     shell = pkgs.bashInteractive;
     openssh.authorizedKeys.keys = [
       keys.users.ai-worker.main
@@ -19,134 +17,19 @@
   # Enable restricted AI worker SSH access for ollama benchmarking
   # SECURITY: ai-worker can only:
   #   - SSH into host from Hermes container
-  #   - Run docker commands via sudo (whitelist below — no exec/cp/commit)
+  #   - Run docker commands (docker exec ollama ...) via docker group
   #   - Run specific security audit commands
   #   - NO access to infra repo (no bind mount)
-  #   - NO nix/nixos-rebuild/nh commands
+  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
-  # WORKFLOW: SSH from Hermes container, run docker commands via sudo, return and save results
+  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
   services.aiWorkerAccess = true;
   
-  # Restricted sudo for ai-worker
+  # Restricted sudo for ai-worker - security checks only
-  # IMPORTANT: ai-worker is NOT in docker group. All docker access goes through sudo.
-  # Only the subcommands listed below are allowed — everything else is denied.
-  # This prevents: docker exec, docker cp, docker commit, and other file-modifying operations.
   security.sudo.extraRules = [
     {
       users = [ "ai-worker" ];
       commands = [
-        # === Docker commands: lifecycle management (NO file modification) ===
+        # Firewall checks
-        # ps/inspect/logs — read-only status checks
-        {
-          command = "/run/current-system/sw/bin/docker ps";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker inspect *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker logs *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker images";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker info";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker version";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker stats *";
-          options = [ "NOPASSWD" ];
-        }
-
-        # start/stop/restart — container lifecycle
-        {
-          command = "/run/current-system/sw/bin/docker start *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker stop *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker restart *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker rm *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker rmi *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker wait *";
-          options = [ "NOPASSWD" ];
-        }
-
-        # pull/build/run — image management and container creation
-        {
-          command = "/run/current-system/sw/bin/docker pull *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker build *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker run *";
-          options = [ "NOPASSWD" ];
-        }
-
-        # compose — orchestration
-        {
-          command = "/run/current-system/sw/bin/docker compose *";
-          options = [ "NOPASSWD" ];
-        }
-
-        # system — disk cleanup
-        {
-          command = "/run/current-system/sw/bin/docker system *";
-          options = [ "NOPASSWD" ];
-        }
-
-        # network — list only (create/modify not needed)
-        {
-          command = "/run/current-system/sw/bin/docker network ls";
-          options = [ "NOPASSWD" ];
-        }
-
-        # volume — list only (create/modify not needed)
-        {
-          command = "/run/current-system/sw/bin/docker volume ls";
-          options = [ "NOPASSWD" ];
-        }
-
-        # === EXPLICITLY DENIED docker commands (not in whitelist — sudo rejects them) ===
-        # docker exec     — executes arbitrary commands inside running containers (FILE MODIFICATION)
-        # docker cp       — copies files between containers and host (FILE ACCESS)
-        # docker commit   — creates images from running containers (DATA EXFIL)
-        # docker diff     — inspects filesystem changes (INFO LEAK)
-        # docker export   — exports container filesystem (DATA EXFIL)
-        # docker import   — imports filesystem archives
-        # docker load     — loads docker images
-        # docker save     — saves docker images to tar (DATA EXFIL)
-        # docker attach   — attaches to running containers (INTERACTIVE ACCESS)
-        # docker push     — pushes images to registries (DATA EXFIL)
-        # docker tag      — renames images
-        # docker create   — creates containers (use 'docker run' instead)
-        # docker plugin   — manages plugins
-        # docker network create/rm — network management
-        # docker volume create/rm  — volume management
-
-        # === Firewall checks ===
         {
           command = "/run/wrappers/bin/sudo iptables -L -n -v";
           options = [ "NOPASSWD" ];
@@ -155,8 +38,7 @@
           command = "/run/wrappers/bin/sudo iptables -S";
           options = [ "NOPASSWD" ];
         }
-
+        # Fail2ban status
-        # === Fail2ban status ===
         {
           command = "/run/current-system/sw/bin/fail2ban-client status";
           options = [ "NOPASSWD" ];
@@ -169,8 +51,7 @@
           command = "/run/current-system/sw/bin/fail2ban-client get * banned";
           options = [ "NOPASSWD" ];
         }
-
+        # Log inspection
-        # === Log inspection ===
         {
           command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
           options = [ "NOPASSWD" ];
@@ -183,14 +64,21 @@
           command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
           options = [ "NOPASSWD" ];
         }
-
+        # SSH config verification
-        # === SSH config verification ===
         {
           command = "/run/current-system/sw/bin/sshd -T";
           options = [ "NOPASSWD" ];
         }
-
+        # Docker service checks
-        # === Network diagnostics ===
+        {
+          command = "/run/current-system/sw/bin/docker ps";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker inspect *";
+          options = [ "NOPASSWD" ];
+        }
+        # Network diagnostics
         {
           command = "/run/current-system/sw/bin/ss -tlnp";
           options = [ "NOPASSWD" ];