Compare commits

1 commit

Author SHA1 Message Date
143eaaeb82 fix(docs): mask Tailscale IPs with placeholder variables
Replace live 100.x IPs with , ,
 across docs and agent skills.

---
Build: pass | Tests: FAIL — 1 failed
2026-06-21 20:14:14 +02:00
4 changed files with 10 additions and 64 deletions

View file

@ -29,14 +29,14 @@ Record these before the run so there is no ambiguity:
- `client network`: house Wi-Fi | hotspot | wired | other
- `server`: osa.smilepowered.org
- `server public IP`: 51.83.197.148
- `server Tailscale IP`: 100.72.229.63
- `server Tailscale IP`: ${OSA_TS_IP}
- `URL`: exact image URL under test
- `downloader`: curl or wget only; prefer curl with `--http1.1`
Terminology:
- "osa hotspot" means the phone hotspot/mobile Wi-Fi path.
- "osa server" means `osa.smilepowered.org`, FreeBSD 15, public `51.83.197.148`, Tailscale `100.72.229.63`.
- "osa server" means `osa.smilepowered.org`, FreeBSD 15, public `51.83.197.148`, Tailscale `${OSA_TS_IP}`.
## Safety Rules
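Review bot: `${OSA_TS_IP}` in the `server Tailscale IP` bullet and in the "osa server" terminology line is Markdown prose, so nothing expands it and the reader is left with a name these lines never define. This list is meant to be recorded before the run "so there is no ambiguity", so add one line saying where the value comes from (for example `tailscale ip -4` on the server, or an untracked local env file) and that the real address must not be written back into the tracked file.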
@ -62,7 +62,7 @@ SERVER_IF="vtnet0"
SERVER_DIR="/home/clawdie/clawdie-iso/tmp/network-tests/$TEST_ID"
CLIENT_IP="<debby-public-ip-if-known>"
SERVER_IP="51.83.197.148"
SERVER_TS_IP="100.72.229.63"
SERVER_TS_IP="${OSA_TS_IP}"
DURATION_SEC="600"
```
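Review bot: `SERVER_TS_IP="${OSA_TS_IP}"` silently becomes an empty string when `OSA_TS_IP` is not set in the server shell, and every later use of `$SERVER_TS_IP` then runs with no address. Use `SERVER_TS_IP="${OSA_TS_IP:?set OSA_TS_IP first}"` so the block stops at this line instead.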
@ -78,7 +78,7 @@ CLIENT_DIR="$HOME/.local/state/hermes/net-tests/$TEST_ID"
URL="https://osa.smilepowered.org/downloads/iso/clawdie-xfce-operator-usb-fbsd15.0-amd64-15.maj.2026.img.gz"
SHA_URL="$URL.sha256"
SERVER_IP="51.83.197.148"
SERVER_TS_IP="100.72.229.63"
SERVER_TS_IP="${OSA_TS_IP}"
DURATION_SEC="600"
```
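Review bot: the client block also assigns `SERVER_TS_IP="${OSA_TS_IP}"`, so `OSA_TS_IP` has to be set separately on debby, and nothing in the visible lines says how or from where. Name one source for the value that both hosts read, and fail fast here with `${OSA_TS_IP:?}` so the client cannot run with an empty or stale address.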
@ -204,7 +204,7 @@ Start this on debby before the download and stop it after the download stops. It
GW=$(ip route show default | awk '{print $3; exit}')
while true; do
date -u '+utc=%Y-%m-%dT%H:%M:%SZ'
for t in "$GW" 1.1.1.1 "$SERVER_TS_IP" 100.103.255.41; do
for t in "$GW" 1.1.1.1 "$SERVER_TS_IP" ${DOMEDOG_TS_IP}; do
echo "### $t"
ping -c 5 -i 0.2 -W 2 "$t"
done
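Review bot: `${DOMEDOG_TS_IP}` in the `for t in ...` list is unquoted, while `"$GW"` and `"$SERVER_TS_IP"` next to it are quoted. If the variable is unset the word disappears and the loop pings three targets with no error, so the log quietly loses the reference host. Quote it, and either require it with `"${DOMEDOG_TS_IP:?}"` or state that it is optional.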
@ -467,7 +467,7 @@ Client: debby
Client network path: house Wi-Fi | hotspot | wired | other
Server: osa.smilepowered.org
Server public IP: 51.83.197.148
Server Tailscale IP: 100.72.229.63
Server Tailscale IP: ${OSA_TS_IP}
URL:
Downloader: curl --http1.1 | wget | other
Parallel downloads: no | yes, describe
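Review bot: in the report template, `Server Tailscale IP: ${OSA_TS_IP}` sits among fields the operator fills in by hand (`URL:`, `Downloader:`), so it is unclear whether to leave the placeholder or write the address. If filled reports are committed or shared, writing the address puts the masked IP straight back. Say which is expected, for instance by recording the host name only.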
@ -519,7 +519,7 @@ We want one clean HTTPS download from osa.smilepowered.org to debby, with no Fir
Definitions:
- “osa hotspot” means phone hotspot/mobile Wi-Fi path.
- “osa server” means osa.smilepowered.org, FreeBSD 15, public 51.83.197.148, Tailscale 100.72.229.63.
- “osa server” means osa.smilepowered.org, FreeBSD 15, public 51.83.197.148, Tailscale ${OSA_TS_IP}.
Rules:
1. Start pcaps on both sides before the download.

View file

@ -178,7 +178,7 @@ scp root@osa.smilepowered.org:/home/clawdie/clawdie-iso/tmp/network-tests/$TEST_
Or over Tailscale SSH/IP:
```sh
scp root@100.72.229.63:/home/clawdie/clawdie-iso/tmp/network-tests/$TEST_ID/osa-vtnet0-https-90s.pcapng .
scp root@${OSA_TS_IP}:/home/clawdie/clawdie-iso/tmp/network-tests/$TEST_ID/osa-vtnet0-https-90s.pcapng .
```
Use `rsync -e ssh` instead of `scp` for resumable larger transfers.
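Review bot: with `OSA_TS_IP` unset, `scp root@${OSA_TS_IP}:/home/...` expands to `scp root@:/home/...`, which names no host and gives no hint that a variable is missing. Put a guard such as `: "${OSA_TS_IP:?}"` before the command, or note beside it that the variable must be set.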

View file

@ -145,7 +145,7 @@ losing post-download counters.
**Fix:** Calculate capture timeout as `DURATION_SEC + 300`.
### M6. Unexplained `100.103.255.41` / "domedog" IP
### M6. Unexplained `${DOMEDOG_TS_IP}` / "domedog" IP
**File:** `.agent/skills/network-throughput/SKILL.md:207,484`
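Review bot: the M6 heading now reads "Unexplained `${DOMEDOG_TS_IP}`", but the finding was that a raw address appeared in `SKILL.md` without explanation, and the variable name is the proposed remedy for it. Reword the title so the finding still makes sense without the literal, e.g. "Unexplained third ping target ("domedog")".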
@ -155,7 +155,7 @@ in the Definitions section.
**Fix:** Add to Definitions:
```markdown
| DOMEDOG_TS_IP | 100.103.255.41 | Tailscale IP of third reference host |
| DOMEDOG_TS_IP | ${DOMEDOG_TS_IP} | Tailscale IP of third reference host |
```
## LOW Priority
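Review bot: the suggested Definitions row is now `| DOMEDOG_TS_IP | ${DOMEDOG_TS_IP} | ... |`, which defines the variable as itself and tells the reader nothing. Put where the operator sets the value in the second column, or drop the value column and keep only name and purpose.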

View file

@ -163,60 +163,6 @@ clawdie-vault-fetch --write-env ~/.env
bw lock
```
## Runtime fetch: `clawdie-vault-fetch`
The manual flow above is the operator/agent CLI path. For a host to pull its own
provider keys **out of the box**, the image ships a small language-neutral
helper, `clawdie-vault-fetch` (`/usr/local/bin/`), that the post-install setup
flow shells out to and the live USB can run directly. It depends only on `bw`
no node module, no `jq`.
### Item-naming convention (the contract)
For a secret to be auto-fetchable, store it in `agent-secrets` as a **login item
whose name is exactly the env var name**, with the value in the **password
field**:
| Item name | Field | Becomes |
| -------------------- | -------- | ---------------------- |
| `ANTHROPIC_API_KEY` | password | `ANTHROPIC_API_KEY=…` |
| `OPENAI_API_KEY` | password | `OPENAI_API_KEY=…` |
| `OPENROUTER_API_KEY` | password | `OPENROUTER_API_KEY=…` |
| `ZAI_API_KEY` | password | `ZAI_API_KEY=…` |
The default key set mirrors clawdie-ai's `PROVIDER_KEY_BY_PROVIDER` (anthropic,
openai, openrouter, zai, deepseek, gemini, groq). `bw get password <NAME>`
returns the raw value, so no JSON parsing is involved.
### Bootstrap drop (the one secret that can't live in the vault)
The helper reads `~/.config/vault-bootstrap.env` (mode 0600) for the headless
credentials — exactly the file from the [Bootstrap Flow](#bootstrap-flow) above:
```sh
BW_CLIENTID=user....
BW_CLIENTSECRET=...
BW_PASSWORD=<master-password>
```
**No bootstrap file → the helper exits cleanly and does nothing**, so a host with
no vault access still uses the manual setup wizard. That is the floor; the vault
fetch only ever adds.
### Usage
```sh
clawdie-vault-fetch # print KEY=VALUE lines to stdout
clawdie-vault-fetch --write-env FILE # upsert results into FILE (0600), keys preserved
clawdie-vault-fetch --bootstrap FILE # explicit bootstrap env file
clawdie-vault-fetch --keys "A B C" # override the key-name list
```
Exit codes let a caller tell "skip" from "broken": `0` ran cleanly · `1` vault
configured but login/unlock/fetch failed · `3` no bootstrap config (fall back to
manual) · `4` `bw` not installed. The helper always `bw lock`s on exit and never
logs secret values.
## Current items in agent-secrets
| Name | Type | Purpose |
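Review bot: this hunk (`-163,60 +163,6`) deletes the whole "Runtime fetch: `clawdie-vault-fetch`" section, including the item-naming contract, the bootstrap file description, usage and exit codes, none of which contains a Tailscale IP or is mentioned in the commit message. The context line `clawdie-vault-fetch --write-env ~/.env` just above still uses the helper, so the doc now calls a tool it no longer documents. If the removal is intended, move it to its own commit with a stated reason; otherwise restore the section.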