diff --git a/doc/HANDOFF-ISO-AGENT.md b/doc/HANDOFF-ISO-AGENT.md
index 421694e..ef78e3b 100644
--- a/doc/HANDOFF-ISO-AGENT.md
+++ b/doc/HANDOFF-ISO-AGENT.md
@@ -1,8 +1,21 @@
-# Handoff: FreeBSD → ISO/Linux Agent
+# ISO Agent Handoff
 
-**Date:** 2026-04-18
-**Commits:** dba0b69..7a0d388 (3 commits on main)
-**Branch:** main, pushed to codeberg.org:Clawdie/Clawdie-AI.git
+**From:** Codex (FreeBSD)
+**Date:** 18.apr.2026
+**Status:** IN-PROGRESS
+
+## Deletion Criteria
+
+- [ ] ISO repo consumes `agent/library.yaml` + `--no-skills` changes
+- [ ] ISO repo updated for PostgreSQL 18 paths/packages
+- [ ] ISO flow generates `run-${AGENT_NAME}.sh` at install time (no tracked `run-*.sh`)
+- [ ] Phase 7 jail agents reach hostd via `POST /api/controlplane/hostd`
+
+## Scope
+
+- **Repo:** `codeberg.org:Clawdie/Clawdie-AI.git`
+- **Branch:** `main`
+- **Commit range:** `dba0b69..7a0d388`
 
 ## Breaking changes to propagate
 
@@ -84,3 +97,18 @@
 - Pi CLI upgrade 0.58→0.67 has breaking API changes (session_start, getApiKeyAndHeaders, sourceInfo, promptSnippet) — not yet applied
 - Phase 7 jail isolation validation checklist not yet verified on deploy
 - Forgejo DB connection in git jail needs `sslmode=disable` or cert config — empty DB, errors intermittent
+
+## Results (fill in when done)
+
+- Build: (TBD)
+- Tests: (TBD)
+- Bugs found: (TBD)
+
+## Open Questions
+
+- Does the ISO want to provision `FEATURE_GIT=YES` + Forgejo by default, or keep it optional?
+- Should the ISO pin a specific pi version, or install “latest” at build time?
+
+## Delete After
+
+`git rm doc/HANDOFF-ISO-AGENT.md`
diff --git a/src/controlplane-runner.ts b/src/controlplane-runner.ts
index ccab6e0..de1245c 100644
--- a/src/controlplane-runner.ts
+++ b/src/controlplane-runner.ts
@@ -58,6 +58,11 @@ const AGENT_IDENTITY_FILES: Record<string, string> = {
 };
 
 export const AGENT_JAIL_MAP: Record<string, string | null> = {
+  // Phase 6 canonical IDs (as defined in agent/library.yaml)
+  sysadmin: null,
+  'db-admin': 'db-worker',
+  'git-admin': 'git-worker',
+  // Legacy agent IDs (pre-Phase 6)
   sysadmin_agent: null,
   db_admin_agent: 'db-worker',
   git_admin_agent: 'git-worker',