Clawdie Operator USB

Live USB workstation for the Clawdie operator. Colibri daemon manages agent supervision, skills, and tasks. This HTML page is deeper reference; the desktop now opens with a short START-HERE note in Mousepad and leaves the dashboard/browser as explicit operator choices.

Included in this build:

XFCE desktop — dual-monitor, panel, wallpaper
colibri-daemon — agent supervisor, skills catalog, Glasspane state machine
colibri-tui — live ratatui dashboard (agent states, spawn/kill, sessions)
colibri-mcp — MCP bridge for Zed, Claude Code, Cursor, and other MCP clients
colibri-test-agent — optional dev/validation helper when explicitly staged
Firefox browser
Tailscale package (needs auth key)
pi coding agent harness (npm global)
DeepSeek prefix caching (~3,500 free tokens per request)
FreeBSD mac_do for kernel-enforced privilege escalation
Python 3.12 (application default; 3.11 present as system-package dep)

Primary dashboard

The colibri-tui dashboard is launched explicitly from the desktop or terminal. If closed, restart with:

colibri-tui

Colibri daemon must be running:

service colibri_daemon status
mdo -u root service colibri_daemon start

Colibri quick checks

colibri status
colibri snapshot           # Glasspane agent states
colibri list-tasks         # Coordination board
colibri list-skills        # Skills catalog
colibri-mcp tools          # MCP bridge, read-only by default
COLIBRI_MCP_WRITE=1 colibri-mcp tools  # trusted write-capable profile
[ -x /usr/local/bin/colibri-test-agent ] && \
  colibri spawn-local /usr/local/bin/colibri-test-agent --session-id local-check
colibri create-task --title "check network"
colibri list-tasks --status queued

MCP client examples are installed under /usr/local/share/clawdie-iso/mcp-examples/.

LLM provider keys + Vaultwarden bootstrap

Colibri can run local checks without a key. The ISO prepopulates the non-secret Vaultwarden endpoint in /usr/local/etc/colibri/provider.env. To let agents populate their own provider secrets from Vaultwarden, add only the bootstrap credentials there. Keep this file root-owned and mode 0600; it is read when colibri_daemon starts.

mdo -u root ee /usr/local/etc/colibri/provider.env
mdo -u root chmod 600 /usr/local/etc/colibri/provider.env
mdo -u root service colibri_daemon restart

The endpoint is already present. Add the three Vaultwarden bootstrap values:

BW_CLIENTID="..."
BW_CLIENTSECRET="..."
BW_PASSWORD="..."

Direct provider keys are optional fallback entries:

DEEPSEEK_API_KEY="sk-..."
OPENROUTER_API_KEY="sk-or-..."
ANTHROPIC_API_KEY="sk-ant-..."

pi assistant

pi                         # interactive session
pi --help                  # options
pi --provider deepseek --model deepseek-v4-pro

Tailscale

If this USB was built without an auth key, join later with:

mdo -u root tailscale up

Privilege escalation

This USB uses FreeBSD's native mac_do instead of sudo. Wheel group members escalate with mdo:

mdo -u root <command>
mdo -u root service tailscaled restart
mdo -u root service colibri_daemon start

Disk deployment

Disk deployment is intentionally deferred. This milestone is a stable operator USB with full agent supervision and skills catalog.