diff --git a/images/chromium-headful/Dockerfile b/images/chromium-headful/Dockerfile
index 4be552d4..b33716d5 100644
--- a/images/chromium-headful/Dockerfile
+++ b/images/chromium-headful/Dockerfile
@@ -1,96 +1,114 @@
-# webrtc client
+###############################################################################
+# Stage 1 ─────────────────────────────────────────────────────────────────────
+# Build WebRTC client frontend
+###############################################################################
 FROM node:22-bullseye-slim AS client
+
 WORKDIR /src
 COPY client/package*.json ./
 RUN npm install
 COPY client/ .
 RUN npm run build
 
-# xorg dependencies
-FROM docker.io/ubuntu:22.04 AS xorg-deps
+
+###############################################################################
+# Stage 2 ─────────────────────────────────────────────────────────────────────
+# Build custom Xorg dummy video driver (xf86-video-dummy v0.3.8 + RandR patch)
+# and the custom input driver (xf86-input-neko)
+###############################################################################
+FROM ubuntu:22.04 AS xorg-deps
 WORKDIR /xorg
 ENV DEBIAN_FRONTEND=noninteractive
+
+
+# Build-time dependencies for Xorg modules
 RUN set -eux; \
     apt-get update; \
     apt-get install -y \
     git gcc pkgconf autoconf automake libtool make xorg-dev xutils-dev \
     && rm -rf /var/lib/apt/lists/*;
+
 COPY xorg-deps/ /xorg/
-# build xf86-video-dummy v0.3.8 with RandR support
-RUN set -eux; \
-    cd xf86-video-dummy/v0.3.8; \
-    patch -p1 < ../01_v0.3.8_xdummy-randr.patch; \
-    autoreconf -v --install; \
-    ./configure; \
-    make -j$(nproc); \
-    make install;
-# build custom input driver
-RUN set -eux; \
-    cd xf86-input-neko; \
-    ./autogen.sh --prefix=/usr; \
-    ./configure; \
-    make -j$(nproc); \
-    make install;
 
+# Build xf86-video-dummy v0.3.8 with RandR support
+RUN cd xf86-video-dummy/v0.3.8 && \
+    patch -p1 < ../01_v0.3.8_xdummy-randr.patch && \
+    autoreconf -v --install && \
+    ./configure && \
+    make -j"$(nproc)" && \
+    make install
+
+# Build custom input driver
+RUN cd xf86-input-neko && \
+    ./autogen.sh --prefix=/usr && \
+    ./configure && \
+    make -j"$(nproc)" && \
+    make install
+
+
+###############################################################################
+# Stage 3 ─────────────────────────────────────────────────────────────────────
+# Extract neko executable from upstream image
+###############################################################################
 FROM ghcr.io/onkernel/neko/base:3.0.6-v1.0.1 AS neko
-# ^--- now has event.SYSTEM_PONG with legacy support to keepalive
+
+
+###############################################################################
+# Stage 4 ─────────────────────────────────────────────────────────────────────
+# Final runtime image
+###############################################################################
 FROM docker.io/ubuntu:22.04
 
 ENV DEBIAN_FRONTEND=noninteractive
 ENV DEBIAN_PRIORITY=high
 
-RUN apt-get update && \
-    apt-get -y upgrade && \
+###############################################################################
+# Base OS & core toolchain & apps
+###############################################################################
+RUN set -eux; \
+    apt-get update; \
+    apt-get -y upgrade; \
     apt-get -y install \
-    # UI Requirements
-    xvfb \
-    xterm \
-    xdotool \
-    scrot \
-    imagemagick \
-    sudo \
-    mutter \
-    x11vnc \
-    # Python/pyenv reqs
-    build-essential \
-    libssl-dev  \
-    zlib1g-dev \
-    libbz2-dev \
-    libreadline-dev \
-    libsqlite3-dev \
-    curl \
-    git \
-    libncursesw5-dev \
-    xz-utils \
-    tk-dev \
-    libxml2-dev \
-    libxmlsec1-dev \
-    libffi-dev \
-    liblzma-dev \
-    # Network tools
-    net-tools \
-    netcat \
-    # PPA req
-    software-properties-common && \
-    # Userland apps
-    sudo add-apt-repository ppa:mozillateam/ppa && \
+        xvfb xterm xdotool scrot imagemagick sudo mutter x11vnc upower \
+        build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev \
+        curl git libncursesw5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev \
+        net-tools netcat software-properties-common; \
+    \
+    sudo add-apt-repository ppa:mozillateam/ppa; \
     sudo apt-get install -y --no-install-recommends \
-    chromium-browser \
-    libreoffice \
-    x11-apps \
-    xpdf \
-    gedit \
-    xpaint \
-    tint2 \
-    galculator \
-    pcmanfm \
-    wget \
-    xdg-utils \
-    libvulkan1 \
-    fonts-liberation \
-    unzip && \
+        chromium-browser libreoffice x11-apps xpdf gedit xpaint tint2 galculator pcmanfm \
+        wget xdg-utils libvulkan1 fonts-liberation unzip; \
     apt-get clean
 
+
+###############################################################################
+# Locales & fonts
+###############################################################################
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends locales && \
+    printf "%s\n" \
+        "en_US.UTF-8 UTF-8" "en_GB.UTF-8 UTF-8" "es_ES.UTF-8 UTF-8" \
+        "es_MX.UTF-8 UTF-8" "fr_FR.UTF-8 UTF-8" "de_DE.UTF-8 UTF-8" \
+        "it_IT.UTF-8 UTF-8" "pt_PT.UTF-8 UTF-8" "pt_BR.UTF-8 UTF-8" \
+        "nl_NL.UTF-8 UTF-8" "sv_SE.UTF-8 UTF-8" "no_NO.UTF-8 UTF-8" \
+        "da_DK.UTF-8 UTF-8" "fi_FI.UTF-8 UTF-8" "tr_TR.UTF-8 UTF-8" \
+        "vi_VN.UTF-8 UTF-8" "id_ID.UTF-8 UTF-8" "bn_IN.UTF-8 UTF-8" \
+        "pa_IN.UTF-8 UTF-8" "zh_CN.UTF-8 UTF-8" "zh_TW.UTF-8 UTF-8" \
+        "ja_JP.UTF-8 UTF-8" "ko_KR.UTF-8 UTF-8" "ar_SA.UTF-8 UTF-8" \
+        "hi_IN.UTF-8 UTF-8" "ru_RU.UTF-8 UTF-8" "th_TH.UTF-8 UTF-8" \
+        "el_GR.UTF-8 UTF-8" "he_IL.UTF-8 UTF-8" \
+        > /etc/locale.gen && \
+    locale-gen && \
+    update-locale LANG=en_US.UTF-8 && \
+    apt-get install -y --no-install-recommends \
+        fonts-noto-core fonts-noto-ui-core fonts-noto-cjk fonts-noto-cjk-extra && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+
+###############################################################################
+# FFmpeg (static build, latest 7.x)
+###############################################################################
 # install ffmpeg manually since the version available in apt is from the 4.x branch due to #drama.
 # as of writing these static builds will be the latest 7.0.x release.
 RUN set -eux; \
@@ -102,72 +120,133 @@ RUN set -eux; \
     install -m755 /tmp/ffmpeg-*/ffprobe /usr/local/bin/ffprobe; \
     rm -rf /tmp/ffmpeg*
 
-# runtime
-ENV USERNAME=root
-RUN set -eux; \
-    apt-get update; \
+
+###############################################################################
+# Runtime dependencies, libxcvt, user creation, directory setup
+###############################################################################
+ARG KERNEL_USER=kernel
+ARG KERNEL_UID=1000
+ARG KERNEL_GID=$KERNEL_UID
+
+RUN apt-get update && \
     apt-get install -y --no-install-recommends \
-    wget ca-certificates python2 supervisor xclip xdotool \
-    pulseaudio dbus-x11 xserver-xorg-video-dummy \
-    libcairo2 libxcb1 libxrandr2 libxv1 libopus0 libvpx7 \
-    gstreamer1.0-plugins-base gstreamer1.0-plugins-good \
-    gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly \
-    gstreamer1.0-pulseaudio gstreamer1.0-omx; \
-    #
-    # install libxcvt0 (not available in debian:bullseye)
-    ARCH=$(dpkg --print-architecture); \
-    wget http://ftp.de.debian.org/debian/pool/main/libx/libxcvt/libxcvt0_0.1.2-1_${ARCH}.deb; \
-    apt-get install --no-install-recommends ./libxcvt0_0.1.2-1_${ARCH}.deb; \
-    rm ./libxcvt0_0.1.2-1_${ARCH}.deb; \
-    #
+        wget ca-certificates python2 supervisor xclip xdotool \
+        pulseaudio dbus-x11 xserver-xorg-video-dummy rtkit \
+        libcairo2 libxcb1 libxrandr2 libxv1 libopus0 libvpx7 \
+        gstreamer1.0-plugins-base gstreamer1.0-plugins-good \
+        gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly \
+        gstreamer1.0-pulseaudio gstreamer1.0-omx && \
+    \
+    # libxcvt0 (Debian package, not in Ubuntu repo)
+    ARCH=$(dpkg --print-architecture) && \
+    curl -fsSL http://ftp.de.debian.org/debian/pool/main/libx/libxcvt/libxcvt0_0.1.2-1_${ARCH}.deb \
+        -o /tmp/libxcvt.deb && \
+    apt-get install -y --no-install-recommends /tmp/libxcvt.deb && \
+    rm /tmp/libxcvt.deb && \
+    \
+    # Non-root user with audio/video privileges
+    groupadd --gid "$KERNEL_GID" "$KERNEL_USER" && \
+    useradd  --uid "$KERNEL_UID" --gid "$KERNEL_GID" \
+             --shell /bin/bash --create-home "$KERNEL_USER" && \
+    for g in audio video pulse pulse-access; do adduser "$KERNEL_USER" "$g"; done && \
+    \
     # workaround for an X11 problem: http://blog.tigerteufel.de/?p=476
-    mkdir /tmp/.X11-unix; \
-    chmod 1777 /tmp/.X11-unix; \
-    chown $USERNAME /tmp/.X11-unix/; \
-    #
-    # make directories for neko
+    mkdir -p /tmp/.X11-unix && \
+    chmod 1777 /tmp/.X11-unix && \
+    chown "$KERNEL_USER:$KERNEL_USER" /tmp/.X11-unix && \
+    \
+    # Make directories for neko
     mkdir -p /etc/neko /var/www /var/log/neko \
-    /tmp/runtime-$USERNAME \
-    /home/$USERNAME/.config/pulse  \
-    /home/$USERNAME/.local/share/xorg; \
-    chmod 1777 /var/log/neko; \
-    chown $USERNAME /var/log/neko/ /tmp/runtime-$USERNAME; \
-    chown -R $USERNAME:$USERNAME /home/$USERNAME; \
-    # clean up
-    apt-get clean -y; \
+             /tmp/runtime-"$KERNEL_USER" \
+             /home/"$KERNEL_USER"/.config \
+             /home/"$KERNEL_USER"/.local/share/xorg && \
+    chmod 1777 /var/log/neko && \
+    chown -R "$KERNEL_USER:$KERNEL_USER" \
+           /var/log/neko /tmp/runtime-"$KERNEL_USER" /home/"$KERNEL_USER" && \
+    chmod 777 /etc/pulse || true && \
+    apt-get clean && \
     rm -rf /var/lib/apt/lists/* /var/cache/apt/
 
-# install chromium & ncat for proxying the remote debugging port
-RUN add-apt-repository -y ppa:xtradeb/apps
-RUN apt update -y && apt install -y chromium ncat
 
-# Install noVNC
+###############################################################################
+# Chromium (via xtradeb) & ncat
+###############################################################################
+RUN add-apt-repository -y ppa:xtradeb/apps && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends chromium ncat && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+
+###############################################################################
+# noVNC (v1.5.0) + Websockify (v0.12.0)
+###############################################################################
 RUN git clone --branch v1.5.0 https://github.com/novnc/noVNC.git /opt/noVNC && \
     git clone --branch v0.12.0 https://github.com/novnc/websockify /opt/noVNC/utils/websockify && \
     ln -s /opt/noVNC/vnc.html /opt/noVNC/index.html
 
-# setup desktop env & app
-ENV DISPLAY_NUM=1
-ENV HEIGHT=768
-ENV WIDTH=1024
-ENV WITHDOCKER=true
 
-COPY xorg.conf /etc/neko/xorg.conf
-COPY neko.yaml /etc/neko/neko.yaml
-COPY --from=neko /usr/bin/neko /usr/bin/neko
-COPY --from=client /src/dist/ /var/www
-COPY --from=xorg-deps /usr/local/lib/xorg/modules/drivers/dummy_drv.so /usr/lib/xorg/modules/drivers/dummy_drv.so
-COPY --from=xorg-deps /usr/local/lib/xorg/modules/input/neko_drv.so /usr/lib/xorg/modules/input/neko_drv.so
+###############################################################################
+# Environment
+###############################################################################
+ENV DISPLAY_NUM=1 \
+    HEIGHT=768 \
+    WIDTH=1024 \
+    WITHDOCKER=true
 
+
+###############################################################################
+# Copy build artefacts & configurations
+###############################################################################
+COPY xorg.conf            /etc/neko/xorg.conf
+COPY default.pa           /etc/pulse/default.pa
+COPY daemon.conf          /etc/pulse/daemon.conf
+COPY dbus-pulseaudio.conf /etc/dbus-1/system.d/pulseaudio.conf
+COPY dbus-mpris.conf      /etc/dbus-1/system.d/mpris.conf
+COPY neko.yaml            /etc/neko/neko.yaml
+
+# Executables & drivers from previous stages
+COPY --from=neko   /usr/bin/neko /usr/bin/neko
+COPY --from=client /src/dist/    /var/www
+COPY --from=xorg-deps /usr/local/lib/xorg/modules/drivers/dummy_drv.so \
+                      /usr/lib/xorg/modules/drivers/dummy_drv.so
+COPY --from=xorg-deps /usr/local/lib/xorg/modules/input/neko_drv.so  \
+                      /usr/lib/xorg/modules/input/neko_drv.so
+
+RUN chown -R "$KERNEL_USER:$KERNEL_USER" /var/www /etc/neko
+
+
+###############################################################################
+# Additional assets & wrapper
+###############################################################################
 COPY image-chromium/ /
-COPY ./wrapper.sh /wrapper.sh
+COPY wrapper.sh      /wrapper.sh
 
-# copy the kernel-images API binary built externally
+
+###############################################################################
+# Copy the kernel-images API binary built externally
+###############################################################################
 COPY bin/kernel-images-api /usr/local/bin/kernel-images-api
 ENV WITH_KERNEL_IMAGES_API=false
 
-RUN useradd -m -s /bin/bash kernel
+
+###############################################################################
+# Set user data
+###############################################################################
 RUN cp -r ./user-data /home/kernel/user-data
 
-ENTRYPOINT [ "/wrapper.sh" ]
 
+###############################################################################
+# Runtime environment variables
+###############################################################################
+ENV USER=kernel \
+    XDG_RUNTIME_DIR=/tmp/runtime-kernel \
+    PULSE_SERVER=unix:${XDG_RUNTIME_DIR}/pulse/native \
+    XDG_CONFIG_HOME=/tmp/.chromium \
+    XDG_CACHE_HOME=/tmp/.chromium
+
+
+###############################################################################
+# Entrypoint
+###############################################################################
+ENTRYPOINT ["/wrapper.sh"]
\ No newline at end of file
diff --git a/images/chromium-headful/client/src/components/video.vue b/images/chromium-headful/client/src/components/video.vue
index 4c4fe0f8..ecbcb263 100644
--- a/images/chromium-headful/client/src/components/video.vue
+++ b/images/chromium-headful/client/src/components/video.vue
@@ -1,6 +1,6 @@
 <template>
   <div ref="component" class="video">
-    <div ref="player" class="player">
+    <div ref="player" class="player" :class="{ 'is-muted': muted }">
       <div ref="container" class="player-container">
         <video ref="video" playsinline />
         <div class="emotes">
@@ -85,6 +85,19 @@
 </template>
 
 <style lang="scss" scoped>
+  /* KERNEL MODIFICATION: Keyframes for the mute indicator pulse effect */
+  @keyframes mute-pulse {
+    0% {
+      box-shadow: inset 0 0 0 2px rgba(255, 80, 80, 0.2);
+    }
+    50% {
+      box-shadow: inset 0 0 0 2px rgba(255, 80, 80, 0.4);
+    }
+    100% {
+      box-shadow: inset 0 0 0 2px rgba(255, 80, 80, 0.2);
+    }
+  }
+
   .video {
     width: 100%;
     height: 100%;
@@ -96,6 +109,11 @@
       align-items: center;
       background: #000;
 
+      /* KERNEL MODIFICATION: Style for the mute indicator */
+      &.is-muted {
+        animation: mute-pulse 2s infinite;
+      }
+
       .video-menu {
         position: absolute;
         right: 20px;
@@ -259,6 +277,10 @@
     private fullscreen = false
     private mutedOverlay = true
 
+    /* KERNEL MODIFICATION: State flag to ensure unmute happens only once. */
+    private hasInteracted = false
+    private unmuteHandler: (() => void) | null = null
+
     get admin() {
       return this.$accessor.user.admin
     }
@@ -470,6 +492,23 @@
       }
     }
 
+    /* KERNEL MODIFICATION: Centralized one-time unmute logic. */
+    _unmuteOnFirstInteraction() {
+      if (this.hasInteracted || !this.muted) {
+        return
+      }
+
+      this.hasInteracted = true
+      this.unmute()
+      this.$accessor.video.setVolume(100)
+
+      // Clean up global listeners if they were set
+      if (this.unmuteHandler) {
+        document.documentElement.removeEventListener('mousedown', this.unmuteHandler)
+        document.documentElement.removeEventListener('keydown', this.unmuteHandler)
+      }
+    }
+
     mounted() {
       this._container.addEventListener('resize', this.onResize)
       this.onVolumeChanged(this.volume)
@@ -533,12 +572,23 @@
         this.$client.sendData('keyup', { key: this.keyMap(key) })
       }
       this.keyboard.listenTo(this._overlay)
+
+      /* KERNEL MODIFICATION: Set up listeners for the first interaction. */
+      this.unmuteHandler = this._unmuteOnFirstInteraction.bind(this)
+      document.documentElement.addEventListener('mousedown', this.unmuteHandler, { once: true })
+      document.documentElement.addEventListener('keydown', this.unmuteHandler, { once: true })
     }
 
     beforeDestroy() {
       this.observer.disconnect()
       this.$accessor.video.setPlayable(false)
       /* Guacamole Keyboard does not provide destroy functions */
+
+      /* KERNEL MODIFICATION: Clean up listeners on component destruction. */
+      if (this.unmuteHandler) {
+        document.documentElement.removeEventListener('mousedown', this.unmuteHandler)
+        document.documentElement.removeEventListener('keydown', this.unmuteHandler)
+      }
     }
 
     get hasMacOSKbd() {
@@ -761,6 +811,9 @@
     }
 
     onMouseDown(e: MouseEvent) {
+      /* KERNEL MODIFICATION: Trigger unmute on first video click. */
+      this._unmuteOnFirstInteraction()
+
       if (!this.hosting) {
         this.$emit('control-attempt', e)
       }
@@ -846,4 +899,4 @@
       this._overlay.focus()
     }
   }
-</script>
+</script>
\ No newline at end of file
diff --git a/images/chromium-headful/daemon.conf b/images/chromium-headful/daemon.conf
new file mode 100644
index 00000000..efccf92f
--- /dev/null
+++ b/images/chromium-headful/daemon.conf
@@ -0,0 +1,43 @@
+# /etc/pulse/daemon.conf
+# OPTIMIZED FOR LOW-LATENCY WEBRTC
+
+# General settings
+daemonize = no
+fail = yes
+allow-module-loading = yes
+high-priority = no
+realtime-scheduling = no
+exit-idle-time = -1
+
+# Disable SHM which triggered errors in container
+enable-shm = no
+; enable-memfd = yes
+
+# Resource limits
+rlimit-fsize = -1
+rlimit-data = -1
+rlimit-stack = -1
+rlimit-core = -1
+rlimit-as = -1
+rlimit-rss = -1
+rlimit-nproc = -1
+rlimit-nofile = 256
+rlimit-memlock = -1
+rlimit-locks = -1
+rlimit-sigpending = -1
+rlimit-msgqueue = -1
+rlimit-nice = 31
+rlimit-rtprio = 9
+rlimit-rttime = 200000
+
+# Low-latency audio settings
+default-sample-format = s16le
+default-sample-rate = 48000
+alternate-sample-rate = 44100
+default-sample-channels = 2
+default-channel-map = front-left,front-right
+resample-method = speex-float-1
+
+# Critical changes for low-latency
+default-fragments = 5
+default-fragment-size-msec = 5
\ No newline at end of file
diff --git a/images/chromium-headful/dbus-mpris.conf b/images/chromium-headful/dbus-mpris.conf
new file mode 100644
index 00000000..2ed00b6d
--- /dev/null
+++ b/images/chromium-headful/dbus-mpris.conf
@@ -0,0 +1,27 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <!-- Allow any user to own the MPRIS service for Chromium and all its media player variants -->
+  <policy context="default">
+    <!-- Standard Chromium MPRIS service -->
+    <allow own_prefix="org.mpris.MediaPlayer2.chromium"/>
+    <!-- Chromium Snap package variant -->
+    <allow own_prefix="org.mpris.MediaPlayer2.chromium_chromium"/>
+    <!-- Chromium Flatpak variant -->
+    <allow own_prefix="org.mpris.MediaPlayer2.org.chromium.Chromium"/>
+    <!-- Chromium-browser (Debian/Ubuntu) -->
+    <allow own_prefix="org.mpris.MediaPlayer2.chromium-browser"/>
+    <!-- Chromium (generic, fallback) -->
+    <allow own_prefix="org.mpris.MediaPlayer2.Chromium"/>
+    <!-- Chrome (in case of Chrome being used) -->
+    <allow own_prefix="org.mpris.MediaPlayer2.google-chrome"/>
+    <allow own_prefix="org.mpris.MediaPlayer2.Google-chrome"/>
+    <allow own_prefix="org.mpris.MediaPlayer2.chrome"/>
+    <!-- Chromium-based Edge (for completeness) -->
+    <allow own_prefix="org.mpris.MediaPlayer2.microsoft-edge"/>
+    <!-- Brave (another Chromium-based browser) -->
+    <allow own_prefix="org.mpris.MediaPlayer2.brave"/>
+    <!-- Vivaldi (another Chromium-based browser) -->
+    <allow own_prefix="org.mpris.MediaPlayer2.vivaldi"/>
+  </policy>
+</busconfig>
\ No newline at end of file
diff --git a/images/chromium-headful/dbus-pulseaudio.conf b/images/chromium-headful/dbus-pulseaudio.conf
new file mode 100644
index 00000000..ae378b25
--- /dev/null
+++ b/images/chromium-headful/dbus-pulseaudio.conf
@@ -0,0 +1,27 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <!--
+    This file allows the user in the 'pulse', 'pulse-access', or 'audio'
+    groups to own the PulseAudio D-Bus services.
+  -->
+
+  <!-- Policy for 'pulse' group -->
+  <policy group="pulse">
+    <allow own="org.PulseAudio1"/>
+    <allow own="org.pulseaudio.Server"/>
+  </policy>
+
+  <!-- Policy for 'pulse-access' group -->
+  <policy group="pulse-access">
+    <allow own="org.PulseAudio1"/>
+    <allow own="org.pulseaudio.Server"/>
+  </policy>
+
+  <!-- Policy for 'audio' group -->
+  <policy group="audio">
+    <allow own="org.PulseAudio1"/>
+    <allow own="org.pulseaudio.Server"/>
+  </policy>
+
+</busconfig>
\ No newline at end of file
diff --git a/images/chromium-headful/default.pa b/images/chromium-headful/default.pa
new file mode 100644
index 00000000..518545d1
--- /dev/null
+++ b/images/chromium-headful/default.pa
@@ -0,0 +1,17 @@
+#!/usr/bin/pulseaudio -nF
+
+### Create virtual output device sink
+load-module module-null-sink sink_name=audio_output sink_properties=device.description="Virtual_Audio_Output"
+
+### Create virtual input device sink
+load-module module-null-sink sink_name=audio_input sink_properties=device.description="Virtual_Audio_Input"
+
+### Create a virtual audio source linked up to the virtual input device
+load-module module-virtual-source source_name=microphone master=audio_input.monitor source_properties=device.description="Virtual_Microphone"
+
+### Allow pulse audio to be accessed via a unix socket
+### Important to _not_ specify socket (socket=/tmp/runtime-kernel/pulse/native)
+load-module module-native-protocol-unix auth-anonymous=1
+
+### Make sure we always have a sink around, even if it is a null sink.
+load-module module-always-sink
\ No newline at end of file
diff --git a/images/chromium-headful/run-unikernel.sh b/images/chromium-headful/run-unikernel.sh
index 5911d653..380df0a7 100755
--- a/images/chromium-headful/run-unikernel.sh
+++ b/images/chromium-headful/run-unikernel.sh
@@ -34,7 +34,8 @@ echo "$CHROMIUM_FLAGS" > "$FLAGS_DIR/flags"
 kraft cloud volume rm "$volume_name" || true
 kraft cloud volume create -n "$volume_name" -s 16M
 # Import the flags directory into the freshly created volume
-kraft cloud volume import --image onkernel/utils/volimport:1.0 -s "$FLAGS_DIR" -v "$volume_name"
+# kraft cloud volume import --image onkernel/utils/volimport:1.0 -s "$FLAGS_DIR" -v "$volume_name"
+kraft cloud volume import -s "$FLAGS_DIR" -v "$volume_name"
 
 # Ensure the temp directory is cleaned up on exit
 trap 'rm -rf "$FLAGS_DIR"' EXIT
diff --git a/images/chromium-headful/wrapper.sh b/images/chromium-headful/wrapper.sh
index 7da22c79..55e2aa3c 100755
--- a/images/chromium-headful/wrapper.sh
+++ b/images/chromium-headful/wrapper.sh
@@ -1,57 +1,144 @@
-#!/bin/bash
+#!/usr/bin/env bash
+# ------------------------------------------------------------------------------
+# wrapper.sh – container entrypoint
+# ------------------------------------------------------------------------------
 
-set -o pipefail -o errexit -o nounset
+set -o errexit -o nounset -o pipefail
 
+# ------------------------------------------------------------------------------
+# Environment ──────────────────────────────────────────────────────────────────
+# ------------------------------------------------------------------------------
+export PULSE_SERVER="/tmp/runtime-kernel/pulse/native"
+export XDG_CONFIG_HOME="/tmp/.chromium"
+export XDG_CACHE_HOME="/tmp/.chromium"
+export XDG_RUNTIME_DIR="/tmp/runtime-kernel"
+export DISPLAY=":1"
+
+# ------------------------------------------------------------------------------
+# /dev/shm (only outside Docker) ───────────────────────────────────────────────
 # If the WITHDOCKER environment variable is not set, it means we are not running inside a Docker container.
 # Docker manages /dev/shm itself, and attempting to mount or modify it can cause permission or device errors.
 # However, in a unikernel container environment (non-Docker), we need to manually create and mount /dev/shm as a tmpfs
 # to support shared memory operations.
-if [ -z "${WITHDOCKER:-}" ]; then
+# ------------------------------------------------------------------------------
+if [[ -z "${WITHDOCKER:-}" ]]; then
   mkdir -p /dev/shm
   chmod 777 /dev/shm
   mount -t tmpfs tmpfs /dev/shm
 fi
 
+# ------------------------------------------------------------------------------
+# Scale-to-zero control ────────────────────────────────────────────────────────
 # We disable scale-to-zero for the lifetime of this script and restore
 # the original setting on exit.
+# ------------------------------------------------------------------------------
 SCALE_TO_ZERO_FILE="/uk/libukp/scale_to_zero_disable"
+
 scale_to_zero_write() {
-  local char="$1"
   # Skip when not running inside Unikraft Cloud (control file absent)
-  if [[ -e "$SCALE_TO_ZERO_FILE" ]]; then
-    # Write the character, but do not fail the whole script if this errors out
-    echo -n "$char" > "$SCALE_TO_ZERO_FILE" 2>/dev/null || \
-      echo "Failed to write to scale-to-zero control file" >&2
-  fi
+  [[ -e "$SCALE_TO_ZERO_FILE" ]] || return 0
+  # Write the character, but do not fail the whole script if this errors out
+  echo -n "$1" >"$SCALE_TO_ZERO_FILE" 2>/dev/null || \
+    echo "[wrapper] WARN: cannot write scale-to-zero flag" >&2
 }
+
 disable_scale_to_zero() { scale_to_zero_write "+"; }
 enable_scale_to_zero()  { scale_to_zero_write "-"; }
 
 # Disable scale-to-zero for the duration of the script when not running under Docker
 if [[ -z "${WITHDOCKER:-}" ]]; then
-  echo "Disabling scale-to-zero"
+  echo "[wrapper] Disabling scale-to-zero"
   disable_scale_to_zero
 fi
 
-export DISPLAY=:1
-
+# ------------------------------------------------------------------------------
+# Xorg ─────────────────────────────────────────────────────────────────────────
+# ------------------------------------------------------------------------------
 /usr/bin/Xorg :1 -config /etc/neko/xorg.conf -noreset -nolisten tcp &
 
+# ------------------------------------------------------------------------------
+# Input-socket permission fix : Force-change after creation ────────────────────
+# ------------------------------------------------------------------------------
+echo "[wrapper] Waiting for xf86-input socket"
+for i in $(seq 1 10); do
+  if [[ -S /tmp/xf86-input-neko.sock ]]; then
+    chmod 666 /tmp/xf86-input-neko.sock
+    echo "[wrapper] Socket chmod 666 applied"
+    break
+  fi
+  sleep 0.5
+done
+[[ -S /tmp/xf86-input-neko.sock ]] || echo "[wrapper] WARN: socket not found" >&2
+
+# ------------------------------------------------------------------------------
+# Mutter ───────────────────────────────────────────────────────────────────────
+# ------------------------------------------------------------------------------
 ./mutter_startup.sh
 
+# ------------------------------------------------------------------------------
+# system D-Bus Setup ───────────────────────────────────────────────────────────
+# ------------------------------------------------------------------------------
+echo "[wrapper] Starting system D-Bus"
+mkdir -p /run/dbus
+dbus-uuidgen --ensure
+dbus-daemon --system \
+  --address="unix:path=/run/dbus/system_bus_socket" \
+  --nopidfile --nosyslog --nofork &
+dbus_pid=$!
+
+echo "[wrapper] Waiting for D-Bus socket"
+for i in $(seq 1 20); do
+  [[ -S /run/dbus/system_bus_socket ]] && break
+  sleep 0.5
+done
+export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/dbus/system_bus_socket"
+
+# ------------------------------------------------------------------------------
+# PulseAudio Setup ─────────────────────────────────────────────────────────────
+# ------------------------------------------------------------------------------
+echo "[pulse] Setting up permissions"
+chown -R kernel:kernel /home/kernel/ /home/kernel/.config /etc/pulse
+chmod 777 /home/kernel/.config /etc/pulse
+chown -R kernel:kernel /tmp/runtime-kernel
+
+echo "[pulse] Starting daemon"
+runuser -u kernel -- env \
+  XDG_RUNTIME_DIR=/tmp/runtime-kernel \
+  XDG_CONFIG_HOME=/home/kernel/.config \
+  XDG_CACHE_HOME=/home/kernel/.cache \
+  pulseaudio --log-level=error \
+             --disallow-module-loading \
+             --disallow-exit \
+             --exit-idle-time=-1 &
+pulse_pid=$!
+
+echo "[pulse] Waiting for server"
+for i in $(seq 1 20); do
+  runuser -u kernel -- pactl info >/dev/null 2>&1 && break
+  if [ "$i" -eq 20 ]; then
+    echo "[pulse] ERROR: failed to start"
+    exit 1
+  fi
+  sleep 0.5
+done
+
+# ------------------------------------------------------------------------------
+# VNC / WebRTC ─────────────────────────────────────────────────────────────────
+# ------------------------------------------------------------------------------
 if [[ "${ENABLE_WEBRTC:-}" != "true" ]]; then
   ./x11vnc_startup.sh
 fi
 
-# -----------------------------------------------------------------------------
-# House-keeping for the unprivileged "kernel" user --------------------------------
+# ------------------------------------------------------------------------------
+# Filesystem housekeeping for kernel user ──────────────────────────────────────
 # Some Chromium subsystems want to create files under $HOME (NSS cert DB, dconf
 # cache).  If those directories are missing or owned by root Chromium emits
 # noisy error messages such as:
 #   [ERROR:crypto/nss_util.cc:48] Failed to create /home/kernel/.pki/nssdb ...
 #   dconf-CRITICAL **: unable to create directory '/home/kernel/.cache/dconf'
 # Pre-create them and hand ownership to the user so the messages disappear.
-
+# Also critical to avoid Permission Denied when running as kernel user
+# ------------------------------------------------------------------------------
 dirs=(
   /home/kernel/user-data
   /home/kernel/.config/chromium
@@ -59,113 +146,93 @@ dirs=(
   /home/kernel/.cache/dconf
   /tmp
   /var/log
+  /tmp/runtime-kernel/dconf
+  /tmp/.chromium
 )
-
-for dir in "${dirs[@]}"; do
-  if [ ! -d "$dir" ]; then
-    mkdir -p "$dir"
-  fi
+for d in "${dirs[@]}"; do
+  [[ -d "$d" ]] || mkdir -p "$d"
 done
+chown -R kernel:kernel /home/kernel/user-data /home/kernel/.config \
+  /home/kernel/.pki /home/kernel/.cache /tmp/runtime-kernel /tmp/.chromium 2>/dev/null || true
 
-# Ensure correct ownership (ignore errors if already correct)
-chown -R kernel:kernel /home/kernel/user-data /home/kernel/.config /home/kernel/.pki /home/kernel/.cache 2>/dev/null || true
-
-# -----------------------------------------------------------------------------
-# System-bus setup --------------------------------------------------------------
-# -----------------------------------------------------------------------------
-# Start a lightweight system D-Bus daemon if one is not already running.  We
-# will later use this very same bus as the *session* bus as well, avoiding the
-# autolaunch fallback that produced many "Connection refused" errors.
-# Start a lightweight system D-Bus daemon if one is not already running (Chromium complains otherwise)
-if [ ! -S /run/dbus/system_bus_socket ]; then
-  echo "Starting system D-Bus daemon"
-  mkdir -p /run/dbus
-  # Ensure a machine-id exists (required by dbus-daemon)
-  dbus-uuidgen --ensure
-  # Launch dbus-daemon in the background and remember its PID for cleanup
-  dbus-daemon --system \
-    --address=unix:path=/run/dbus/system_bus_socket \
-    --nopidfile --nosyslog --nofork >/dev/null 2>&1 &
-  dbus_pid=$!
-fi
-
-# We will point DBUS_SESSION_BUS_ADDRESS at the system bus socket to suppress
-# autolaunch attempts that failed and spammed logs.
-export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/dbus/system_bus_socket"
-
-# Start Chromium with display :1 and remote debugging, loading our recorder extension.
-# Use ncat to listen on 0.0.0.0:9222 since chromium does not let you listen on 0.0.0.0 anymore: https://github.com/pyppeteer/pyppeteer/pull/379#issuecomment-217029626
-cleanup () {
-  echo "Cleaning up..."
-  # Re-enable scale-to-zero if the script terminates early
+# ------------------------------------------------------------------------------
+# Cleanup handler ──────────────────────────────────────────────────────────────
+# ------------------------------------------------------------------------------
+cleanup() {
+  echo "[wrapper] Cleaning up"
   enable_scale_to_zero
-  kill -TERM $pid
-  kill -TERM $pid2
-  # Kill the API server if it was started
-  if [[ -n "${pid3:-}" ]]; then
-    kill -TERM $pid3 || true
-  fi
-  if [ -n "${dbus_pid:-}" ]; then
-    kill -TERM $dbus_pid 2>/dev/null || true
-  fi
+  kill -TERM "$pid" "$pid2"
+  [[ -n "${pid3:-}" ]] && kill -TERM "$pid3" || true
+  [[ -n "${dbus_pid:-}" ]] && kill -TERM "$dbus_pid" || true
 }
 trap cleanup TERM INT
 pid=
 pid2=
 pid3=
-INTERNAL_PORT=9223
-CHROME_PORT=9222  # External port mapped to host
-echo "Starting Chromium on internal port $INTERNAL_PORT"
+export INTERNAL_PORT=9223
+export CHROME_PORT=9222  
+
+# ------------------------------------------------------------------------------
+# Chromium ─────────────────────────────────────────────────────────────────────
+# Start Chromium with display :1 and remote debugging, loading our recorder extension.
+# Use ncat to listen on 0.0.0.0:9222
+# since chromium does not let you listen on 0.0.0.0 anymore :
+# https://github.com/pyppeteer/pyppeteer/pull/379#issuecomment-217029626
+# ------------------------------------------------------------------------------
 
 # Load additional Chromium flags from /chromium/flags if present
+echo "[chromium] Preparing flags"
 CHROMIUM_FLAGS="${CHROMIUM_FLAGS:-}"
-if [[ -f /chromium/flags ]]; then
-  CHROMIUM_FLAGS="$CHROMIUM_FLAGS $(cat /chromium/flags)"
-fi
-echo "CHROMIUM_FLAGS: $CHROMIUM_FLAGS"
+[[ -f /chromium/flags ]] && CHROMIUM_FLAGS+=" $(< /chromium/flags)"
+echo "[chromium] Flags: $CHROMIUM_FLAGS"
+
+INTERNAL_PORT="${INTERNAL_PORT:-9223}"
+CHROME_PORT="${CHROME_PORT:-9222}" # External port mapped to host
+RUN_AS_ROOT="${RUN_AS_ROOT:-false}"
 
-RUN_AS_ROOT=${RUN_AS_ROOT:-false}
+echo "[chromium] Launching on display ${DISPLAY}"
 if [[ "$RUN_AS_ROOT" == "true" ]]; then
-  DISPLAY=:1 DBUS_SESSION_BUS_ADDRESS="$DBUS_SESSION_BUS_ADDRESS" chromium \
-    --remote-debugging-port=$INTERNAL_PORT \
-    ${CHROMIUM_FLAGS:-} >&2 & pid=$!
+  DISPLAY="$DISPLAY" DBUS_SESSION_BUS_ADDRESS="$DBUS_SESSION_BUS_ADDRESS" chromium \
+    --remote-debugging-port="$INTERNAL_PORT" \
+    $CHROMIUM_FLAGS >&2 & pid=$!
 else
+  # required environment variables (DISPLAY, DBUS_SESSION_BUS_ADDRESS) are already exported
+  # in this script's environment, so runuser will pass them to the child process.
   runuser -u kernel -- env \
-    DISPLAY=:1 \
-    DBUS_SESSION_BUS_ADDRESS="$DBUS_SESSION_BUS_ADDRESS" \
-    XDG_CONFIG_HOME=/home/kernel/.config \
-    XDG_CACHE_HOME=/home/kernel/.cache \
+    XDG_CONFIG_HOME=/tmp/.chromium \
+    XDG_CACHE_HOME=/tmp/.chromium \
     HOME=/home/kernel \
-    chromium \
-    --remote-debugging-port=$INTERNAL_PORT \
-    ${CHROMIUM_FLAGS:-} >&2 & pid=$!
+    chromium --remote-debugging-port="$INTERNAL_PORT" $CHROMIUM_FLAGS \
+    > /tmp/chromium.log 2>&1 & pid=$!
 fi
 
-echo "Setting up ncat proxy on port $CHROME_PORT"
-ncat \
-  --sh-exec "ncat 0.0.0.0 $INTERNAL_PORT" \
-  -l "$CHROME_PORT" \
-  --keep-open & pid2=$!
+# ncat proxy → expose INTERNAL_PORT as CHROME_PORT
+echo "[chromium] Starting ncat proxy :$CHROME_PORT → :$INTERNAL_PORT"
+ncat --sh-exec "ncat 0.0.0.0 $INTERNAL_PORT" \
+     -l "$CHROME_PORT" --keep-open & pid2=$!
 
+# ------------------------------------------------------------------------------
+# Start Neko WebRTC / noVNC ────────────────────────────────────────────────────
+# ------------------------------------------------------------------------------
 if [[ "${ENABLE_WEBRTC:-}" == "true" ]]; then
-  # use webrtc
-  echo "✨ Starting neko (webrtc server)."
-  /usr/bin/neko serve --server.static /var/www --server.bind 0.0.0.0:8080 >&2 &
-
-  # Wait for neko to be ready.
-  echo "Waiting for neko port 0.0.0.0:8080..."
-  while ! nc -z 127.0.0.1 8080 2>/dev/null; do
-    sleep 0.5
-  done
-  echo "Port 8080 is open"
+  echo "[neko] Starting WebRTC server"
+  runuser -u kernel -- /usr/bin/neko serve \
+    --server.static /var/www \
+    --server.bind 0.0.0.0:8080 >/dev/null 2>&1 &
+  neko_pid=$!
+
+  echo "[neko] Waiting on port 8080"
+  until nc -z 127.0.0.1 8080; do sleep 0.5; done
 else
-  # use novnc
   ./novnc_startup.sh
-  echo "✨ noVNC demo is ready to use!"
+  echo "[novnc] Ready"
 fi
 
+# ------------------------------------------------------------------------------
+# Start kernel-images API ──────────────────────────────────────────────────────
+# ------------------------------------------------------------------------------
 if [[ "${WITH_KERNEL_IMAGES_API:-}" == "true" ]]; then
-  echo "✨ Starting kernel-images API."
+  echo "[kernel-images:api] Starting service"
 
   API_PORT="${KERNEL_IMAGES_API_PORT:-10001}"
   API_FRAME_RATE="${KERNEL_IMAGES_API_FRAME_RATE:-10}"
@@ -181,9 +248,12 @@ if [[ "${WITH_KERNEL_IMAGES_API:-}" == "true" ]]; then
   MAX_SIZE_MB="$API_MAX_SIZE_MB" \
   OUTPUT_DIR="$API_OUTPUT_DIR" \
   /usr/local/bin/kernel-images-api & pid3=$!
+
   # close the "--no-sandbox unsupported flag" warning when running as root
-  # in the unikernel runtime we haven't been able to get chromium to launch as non-root without cryptic crashpad errors
-  # and when running as root you must use the --no-sandbox flag, which generates a warning
+  # in the unikernel runtime we haven't been able to get chromium to launch as non-root
+  # without cryptic crashpad errors
+  # and when running as root you must use the --no-sandbox flag,
+  # which generates a warning
   if [[ "${RUN_AS_ROOT:-}" == "true" ]]; then
     echo "Running as root, attempting to dismiss the --no-sandbox unsupported flag warning"
     if read -r WIDTH HEIGHT <<< "$(xdotool getdisplaygeometry 2>/dev/null)"; then
@@ -235,9 +305,14 @@ if [[ "${WITH_KERNEL_IMAGES_API:-}" == "true" ]]; then
   fi
 fi
 
+# ------------------------------------------------------------------------------
+# Scale-to-zero flag ───────────────────────────────────────────────────────────
+# ------------------------------------------------------------------------------
 if [[ -z "${WITHDOCKER:-}" ]]; then
   enable_scale_to_zero
 fi
 
-# Keep the container running
+# ------------------------------------------------------------------------------
+# Keep the container running ───────────────────────────────────────────────────
+# ------------------------------------------------------------------------------
 tail -f /dev/null
diff --git a/images/chromium-headful/xorg.conf b/images/chromium-headful/xorg.conf
index ed0e8488..05744578 100644
--- a/images/chromium-headful/xorg.conf
+++ b/images/chromium-headful/xorg.conf
@@ -27,6 +27,8 @@ Section "InputDevice"
   Identifier "dummy_touchscreen"
   Option "SendCoreEvents" "On"
   Option "SocketName" "/tmp/xf86-input-neko.sock"
+  # allow user kernel to connect to root-owned socket
+  Option "SocketMode" "0666"
   Driver "neko"
 EndSection
 
@@ -115,4 +117,4 @@ Section "ServerLayout"
   InputDevice  "dummy_mouse"
   InputDevice  "dummy_keyboard"
   InputDevice  "dummy_touchscreen" "CorePointer"
-EndSection
+EndSection
\ No newline at end of file