CLAWDIE LIVE USB — SEED PARTITION
=================================

This FAT32 partition lets you customize the live USB BEFORE flashing.
On every boot, /usr/local/etc/rc.d/clawdie_live_seed imports a small,
allowlisted set of files from this partition. Editing a file and
rebooting re-applies it — the importer is idempotent.

USAGE FROM LINUX
----------------

1. Flash the image to USB with dd (or write the .img directly).
2. Mount the CLAWDIESEED partition (typically the third partition on the
   stick, e.g. /dev/sdX3):

       sudo mount -t vfat /dev/sdX3 /mnt/clawdie-seed

3. Drop seed files (see ALLOWLIST below).
4. Unmount and boot the USB:

       sync
       sudo umount /mnt/clawdie-seed

ALLOWLIST — files honored by the importer
-----------------------------------------

  /authorized_keys      Public SSH keys for the operator account.
                        Installed to ~clawdie/.ssh/authorized_keys
                        (mode 0600, owner clawdie:clawdie). CRLF
                        line endings are stripped automatically.

  /ssh/authorized_keys  Same as above, in a nested ssh/ namespace.
                        Takes precedence over /authorized_keys.

Anything else on this partition is IGNORED on purpose. The importer logs
to /var/log/clawdie-live-seed.log on the live system.

PLANNED (not yet active)
------------------------

These paths are reserved for future work; do not rely on them yet:

  /hostname             Override the live hostname (default: clawdie-live).
  /tailscale-authkey    One-shot Tailscale auth key for headless bring-up.
  /wifi.env             WiFi SSID + PSK for first-boot wpa_supplicant.

SECURITY NOTES
--------------

  - This is FAT32 — any user with physical access can read and write it.
  - Public SSH keys are not secret; this is the right place for them.
  - Do NOT put private keys, long-lived API tokens, or passwords here.
    A future encrypted-seed format is the right home for that.
  - The importer runs at every boot. Removing a file from the seed and
    rebooting does NOT remove the previously-installed copy from the
    live system; re-flash the image to wipe state.

CONTACT
-------

clawdie.si — repository: clawdie-iso, file:
  live/operator-session/clawdie-live-seed
