clawdie/clawdie-iso
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
clawdie-iso/live/operator-session/clawdie-live-seed.README.txt

123 lines
4.9 KiB
Text
Raw Normal View History

Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
CLAWDIE LIVE USB — SEED PARTITION
=================================
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
This FAT32 partition lets you customize the live USB BEFORE flashing or
between boots. On every boot, /usr/local/etc/rc.d/clawdie_live_seed imports
an allowlisted set of files from this partition. Editing a file and
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
rebooting re-applies it — the importer is idempotent.
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
USAGE FROM LINUX / macOS / WINDOWS
----------------------------------
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
1. Flash the image to USB (dd, or write the .img directly).
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
2. Mount the CLAWDIESEED partition (typically the third partition on the
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
stick, e.g. /dev/sdX3 on Linux):
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
sudo mount -t vfat /dev/sdX3 /mnt/clawdie-seed
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
3. Drop seed files (see the two layers below).
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
4. Unmount and boot the USB:
sync
sudo umount /mnt/clawdie-seed
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
LAYER 1 — SIMPLE ALLOWLIST (top level)
--------------------------------------
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
/authorized_keys Public SSH keys for the operator account.
Installed to ~clawdie/.ssh/authorized_keys
(mode 0600, owner clawdie:clawdie). CRLF
line endings are stripped automatically.
/ssh/authorized_keys Same as above, in a nested ssh/ namespace.
Takes precedence over /authorized_keys.
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
LAYER 2 — PER-AGENT DIRECTORIES
-------------------------------
Create one directory per agent. THE DIRECTORY NAME IS THE AGENT NAME.
Inside it, any of these are honored:
/<agent>/env Plaintext KEY=VALUE lines. Merged into the
agent's .env (mode 0600). Keys you list
replace existing values; keys you omit are
preserved. Blank/`#` lines are ignored.
Typical contents: provider API keys
(ANTHROPIC_API_KEY=..., ZAI_API_KEY=...),
fix(vault): bake Vaultwarden endpoint defaults into ISO (Sam & Pi) Stage a non-secret /usr/local/etc/colibri/provider.env with the Clawdie Vaultwarden endpoint so operators only add BW bootstrap credentials. Also teach clawdie-vault-fetch to honor BW_SERVER and fail closed if an existing bw login points at a different server.\n\nChecks: sh -n live/operator-session/clawdie-vault-fetch scripts/stage-colibri-iso.sh; ./scripts/check-format.sh; git diff --check; COLIBRI_REPO=/home/clawdie/ai/colibri scripts/stage-colibri-iso.sh <tmp>
2026-06-20 07:27:51 +02:00
or the Vaultwarden bootstrap
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
(BW_CLIENTID/BW_CLIENTSECRET/BW_PASSWORD).
fix(vault): bake Vaultwarden endpoint defaults into ISO (Sam & Pi) Stage a non-secret /usr/local/etc/colibri/provider.env with the Clawdie Vaultwarden endpoint so operators only add BW bootstrap credentials. Also teach clawdie-vault-fetch to honor BW_SERVER and fail closed if an existing bw login points at a different server.\n\nChecks: sh -n live/operator-session/clawdie-vault-fetch scripts/stage-colibri-iso.sh; ./scripts/check-format.sh; git diff --check; COLIBRI_REPO=/home/clawdie/ai/colibri scripts/stage-colibri-iso.sh <tmp>
2026-06-20 07:27:51 +02:00
The Vaultwarden endpoint is baked into the
image; do not put it on the seed unless you
are deliberately overriding it.
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
/<agent>/harness.toml Which agent harness to run + basic knobs:
harness = "zot" # zot | pi | local
model = "claude-opus-4-8"
cost_mode = "smart"
`harness` must be one of zot, pi, local
(Colibri's AgentRuntime). Recorded for the
runtime to launch the right harness.
/<agent>/soul/ A layered-soul backup tree (SOUL.md, USER.md,
IDENTITY.md, memories/, skills/, ...). Staged
under /var/db/clawdie/seed/<agent>/soul for
the agent workspace to load.
/<agent>/ssh/authorized_keys Public SSH keys for this agent.
Agent directory names may contain only A-Z a-z 0-9 . _ - (no spaces or
slashes). The name `ssh` is reserved for Layer 1.
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
LIVE USB vs DEPLOYED
--------------------
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
The live USB is single-agent: the FIRST agent directory (alphabetical) maps
to the clawdie user and becomes the active agent (recorded at
/var/db/clawdie/seed/active-agent). Additional agent directories are staged
and logged, but a second live identity is NOT provisioned here — multi-agent
provisioning is a deployed-host feature.
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
CONSUME-AND-SHRED (optional)
----------------------------
Drop an empty file named `shred` at the seed root to have the importer wipe
all `env` files from this partition AFTER importing them, so secrets do not
persist on the stick:
/shred
This needs a writable seed; if the remount fails the env files are left in
place and the importer logs it. Off unless you add the marker, per stick.
SECURITY — READ THIS
--------------------
- This is FAT32: UNENCRYPTED and readable by anyone who plugs the stick
into any machine. There is no access control on this partition.
- By operator decision, env files here MAY carry secrets (API keys, and
the Vaultwarden bootstrap, which includes the master password). That is a
deliberate trade-off: treat every seeded stick as SECRET-BEARING MEDIA.
Do not lose it; do not lend it; prefer `shred` for one-shot provisioning.
- Imported secrets land mode 0600 owned by the agent user. Public SSH keys
are not secret and are always safe to place here.
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
- The importer runs at every boot. Removing a file from the seed and
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
rebooting does NOT remove an already-installed copy from the live system;
re-flash the image to wipe state.
The importer logs to /var/log/clawdie-live-seed.log
(`service clawdie_live_seed status` tails it).
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
CONTACT
-------
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
clawdie.si — repository: clawdie-iso, files:
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness
2026-05-24 23:21:02 +02:00
live/operator-session/clawdie-live-seed
Wire encrypted secrets: Vaultwarden fetch + per-agent seed import Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op). clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session. clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST. README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:01 +02:00
live/operator-session/clawdie-live-seed.README.txt
Reference in a new issue Copy permalink