Round 5 in the handoff doc captures the five agreed adopt-mode
decisions (INSTALL_MODE field, fill-blanks default, identity
mismatch blocks, Telegram identity changes require explicit flag,
fingerprint gate) so they survive into Codex's design doc.
Implementation doc gets an "Adopt Mode (V1.1)" section with the
proposed 4-task split + per-field freeze contract table, plus a
task-4 followup subsection naming the legacy `operators` table
sync gap and the unification plan with Codex's
setup/operator-auth.ts. scripts/set-operator.ts gets a TODO(unify)
header pointing at the same gap.
first-boot.md notes adopt mode is V1.1 and to back up before
reflashing until then.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
Build: pass | Tests: FAIL — Tests 3 failed | 1972 passed (1975)
Lands task 4 from the ISO first-boot implementation split as a
standalone scripts/set-operator.ts (matches existing scripts/
convention — no clawdie-admin umbrella). Reuses
ensureControlplaneBootstrapOperator() for the Better Auth signUp
path. Prompts password via stdin with echo suppressed; refuses
non-TTY runs; updates OPERATOR_PASSWORD in .env (mode 0600).
First-set only — rotation goes through the dashboard.
Both planning docs updated to drop "notional" references and point
at the real npm run set-operator -- <email> command.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
Build: pass | Tests: FAIL — Tests 3 failed | 1972 passed (1975)
Reads JSON status files written by scripts/write-test-build-status.sh
so /testreport reflects the last real build/test run instead of model
memory. Missing or stale status degrades to "unknown" with an action
note rather than fabricating success.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
Build: pass | Tests: pass — Tests 1914 passed (1914)
---
Build: pass | Tests: pass — Tests 1917 passed (1917)
---
Build: pass | Tests: pass — Tests 1921 passed (1921)
Drop the allowedResources field from TenantApplyPlan — it was derived
field-for-field from resourceChecklist already, which was exactly the
"triplicate representation" flagged in the handoff's consolidation list.
Update scripts/tenant-lifecycle.ts to compute the same lists from the
checklist when it prints, and drop the tautological equality assertions
from the test (resourceChecklist is now the single source).
---
Build: pass | Tests: pass — 33 passed (1 file)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Fix the remaining operator-surface drift after the naming cutover. This aligns controlplane defaults around ai.<base>, makes the dashboard use the shared display-date helper and approved controlplane host, reuses the derived code-service hostname in Forgejo config, and fixes local-host syncing so underscore-form tenant jails are no longer skipped.
---
Build: pass | Tests: pass — 67 passed (5 files)
Explain in tenant-apply output when an existing tenant still carries declared non-default state, so operators can distinguish current tenant-specific carryover from the smaller V2 default for new tenants.
---
Build: pass | Tests: pass — 31 passed (1 file)
Reduce duplication in planTenantApply by treating the resource checklist as the canonical resource list, deriving blockers from preflight state, and trimming redundant action-policy payloads.
---
Build: pass | Tests: pass — 31 passed (1 file)
Refine tenant-apply dry runs with per-resource status entries so databases, worker jails, and datasets are reported as explicit future-create candidates instead of only appearing inside summary sections.
---
Build: pass | Tests: pass — 31 passed (1 file)
Turn tenant-apply into a structured preflight contract that marks what already passes in the declarative model, what remains manual, and what still blocks any future automatic host mutation.
---
Build: pass | Tests: pass — 31 passed (1 file)
Introduce a separate tenant-apply contract that describes what a future live apply would be allowed to touch, what prerequisites it would require, and what stays explicitly manual or out of scope.
---
Build: pass | Tests: pass — 28 passed (1 file)
- platform record now accepts internal_domain and internal_base; tenant
internal-domain derivation honors platform.internal_base instead of
hard-coding home.arpa
- validateTenantRecord now rejects a tenant whose internal_domain
collides with the platform internal_domain
- tenant-lifecycle CLI now accepts --internal-domain, --service, and
repeatable --dataset flags; tenant-list now prints
id\\tservice\\tinternal-domain\\tdisplay-name
- writeTenantRegistry preserves YAML comments and key order via the
yaml Document API instead of parse/stringify round-tripping
- platformHostd{SocketPath,PidFile} now use normalizeResourceId
directly so platform-side helpers stop calling normalizeTenantId
Build: pass | Tests: pass — 1783 passed (114 files); two failing
suites (vision.test.ts, controlplane-api.test.ts) are pre-existing
on origin/multitenant and unrelated to this change.
Turn tenant planning into an explicit declarative contract that states which logical resources belong to a tenant and which host-level concerns remain intentionally out of scope.
---
Build: pass | Tests: pass — 20 passed (1 file)
Keep tenants as logical platform identities, preserve human display names while normalizing system ids, and add a dry-run removal path plus stronger registry validation.
---
Build: pass | Tests: pass — 28 passed (3 files)
Replace ambiguous AGENT_NAME usage across runtime, setup, and helper scripts with explicit TENANT_ID or platform runtime identity where appropriate. Keep AGENT_NAME as a compatibility boundary instead of the primary source for shared runtime naming.
---
Build: pass | Tests: pass — 138 passed (10 files)
Introduce a shared controlplane paths helper and use it in runtime plus operator tooling. This removes another tenant-derived path assumption and aligns controlplane session logs with the actual tmp-based layout used by the platform.
---
Build: pass | Tests: pass — 105 passed (7 files)
Move controlplane worker jail naming off tenant identity and onto the shared platform service identity. Also update operator-facing controlplane scripts so their error messages describe the platform service instead of implying tenant ownership.
---
Build: pass | Tests: pass — 103 passed (6 files)
Continue the platform runtime split by moving shared watchdog and controlplane defaults off tenant-derived names. Operator-facing dashboard and controlplane defaults now use the platform service identity, with tests covering the new config and socket behavior.
---
Build: pass | Tests: pass — 103 passed (6 files)
Remove duplicate JailRow type in scripts/dashboard.ts and clarify that the pi extension keeps a local bastille parser copy. Also trims extra blank line.
---
Build: pass | Tests: pass — agent-runner
Repairs memory_chunks rows missing vector embeddings — useful after
embedding API outages, provider switches, or fresh installs. Has
dry-run mode and rate-limit backoff. Not a skill; run manually when
semantic memory search degrades.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
data17 path and postgresql17 package refs were never updated when PG was
upgraded to 18. Fixes setup scripts, skills, docs, tests, and archived
playbooks to match the running system (PG 18.3, /var/db/postgres/data).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All hardcoded 'clawdie' references in production code now derive from
AGENT_NAME (default: 'clawdie'). This makes the mevy canary strategy
reliable — changing AGENT_NAME is all that's needed.
Changes:
- Hardcoded paths: CMS_WEBROOT, ASTRO_SITE_PATH, verify checks,
controlplane dashboard dir, sessions dir, output dir, chown user
- Prometheus metrics: prefixed with AGENT_NAME for multi-install dashboards
- hostd log strings: use AGENT_NAME instead of 'clawdie-hostd'
- MCP server name: derived from AGENT_NAME
- Skill modify patches: container image and mount allowlist use AGENT_NAME
- SQL migration file renamed: clawdie-brain-hybrid-upgrade → brain-hybrid-upgrade
- Temp dir prefixes: all use AGENT_NAME
Kept as-is (correct pattern):
- 'clawdie' as default fallback when AGENT_NAME is unset
- .pi/extensions/clawdie-harness/ directory (pi package identity)
- html/docs-clawdie-si/ (public docs site URL)
---
Build: pass | Tests: pass — 1527 passed, 3 failed (2 files, pre-existing)
Adds src/system-state.ts which collects jail/ZFS/PF/budget/task status
into a compact summary string. Injects that summary into every pi agent
session via --append-system-prompt so agents know what's running before
acting. Adds scripts/dashboard.ts which generates a self-contained HTML
operator dashboard (no LLM — plain TypeScript). Wires dashboard regen
into the controlplane heartbeat loop via CONTROLPLANE_DASHBOARD_INTERVAL.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
Build: pass | Tests: FAIL — Tests 40 failed | 766 passed (806)
---
Build: pass | Tests: FAIL — Tests 40 failed | 766 passed (806)
The controlplane harness now uses Aider as the multi-agent orchestrator
instead of Codex. Aider launches via --message for non-interactive task
execution, with the same tmux glass-pane and log streaming as before.
Runtime changes:
- src/config.ts: ControlplaneRunner 'codex' -> 'aider', env vars renamed
- src/controlplane-codex-runner.ts -> controlplane-aider-runner.ts:
CodexRunOptions -> AiderRunOptions, runCodexTask -> runAiderTask,
adjusted CLI args for Aider (--message, --model)
- src/controlplane-heartbeat.ts: updated imports and branch logic
- setup/agent-cli-check.ts: pi and aider first, others optional
- setup/install.ts: added printAiderTip()
- scripts/glass.sh: right pane now launches aider instead of shell
Config:
- .env.example: CONTROLPLANE_CODEX_* -> CONTROLPLANE_AIDER_*
Docs:
- AGENTS.md: updated agent identity and CLI prerequisite
- README.md: Aider+Pi as primary driver
- doc/CONTROLPLANE-MESSAGE-CONTRACT.md: runner modes updated
Codex, Claude Code, and other CLIs remain installed and available
as optional tools. Only the harness default changed.
---
Build: pass | Tests: not run (Linux)