From 14dd2baa98911a6693e2996212e0cc44f533d836 Mon Sep 17 00:00:00 2001
From: Sam & Claude
Date: Wed, 24 Jun 2026 11:25:18 +0200
Subject: [PATCH] fix(iso): remove remaining real IPs, add -F robustness, prettier format, known_hosts note

---
docs/SETUP-USB-TO-MOTHER.md | 26 +++++++++----------
docs/USB-MOTHER-MCP-CONNECTION.md | 4 +--
.../clawdie-live-seed.README.txt | 13 ++++++++--
scripts/stage-colibri-iso.sh | 1 +
4 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/docs/SETUP-USB-TO-MOTHER.md b/docs/SETUP-USB-TO-MOTHER.md
index e7b5e30..cb8b9a6 100644
--- a/docs/SETUP-USB-TO-MOTHER.md
+++ b/docs/SETUP-USB-TO-MOTHER.md
@@ -8,10 +8,10 @@ sent to mother, and stored in PostgreSQL `mother_hive.hive_nodes`.
 ## Hosts used in this guide
-| Host | IP (Tailscale) | User for MCP | Role |
-| ---------------------- | ------------------------ | ------------ | ----------------------------------------------- |
-| `mother` (OSA) | `` | `colibri` | Mother — runs PostgreSQL, external MCP servers |
-| `clawdie-usb` (USB) | `` | `clawdie` | Operator workstation — sends hw-probe to mother |
+| Host | IP (Tailscale) | User for MCP | Role |
+| ------------------- | ----------------------- | ------------ | ----------------------------------------------- |
+| `mother` (OSA) | `` | `colibri` | Mother — runs PostgreSQL, external MCP servers |
+| `clawdie-usb` (USB) | `` | `clawdie` | Operator workstation — sends hw-probe to mother |
 ## How it works 
@@ -184,12 +184,12 @@ Once the daemon is restarted with `COLIBRI_AUTOSPAWN=YES` and
 ## Troubleshooting
-| Symptom | Likely cause | Fix |
-| ----------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------- |
-| `ssh mother` hangs | Tailscale not up | `sudo tailscale up` on USB |
-| `Permission denied (publickey)` | Key not in authorized_keys on mother | Verify: `cat /var/db/colibri/.ssh/authorized_keys` on mother |
-| `Permission denied (publickey)` | Key permissions wrong on USB | `chmod 600 /var/db/colibri/.ssh/mother-mcp` (daemon user) or `~/.ssh/mother-mcp` (clawdie user) |
-| `daemon: open: Permission denied` | Log file ownership wrong | `chown clawdie: /var/log/colibri/daemon.log` |
-| Daemon starts but no external tools | `COLIBRI_MCP_EXTERNAL_CALL` not set | Check provider.env, restart daemon |
-| Daemon starts, external tools visible, but calls fail | SSH key path wrong in external-mcp.json | Baked path: `/var/db/colibri/.ssh/mother-mcp` |
-| `error: unrecognized subcommand` | SSH wrapper getting non-allowlisted command | Wrapper only allows `""` (stdio) and `"tools"`; `ssh mother tools` is correct |
+| Symptom | Likely cause | Fix |
+| ----------------------------------------------------- | ------------------------------------------- | ----------------------------------------------------------------------------------------------- |
+| `ssh mother` hangs | Tailscale not up | `sudo tailscale up` on USB |
+| `Permission denied (publickey)` | Key not in authorized_keys on mother | Verify: `cat /var/db/colibri/.ssh/authorized_keys` on mother |
+| `Permission denied (publickey)` | Key permissions wrong on USB | `chmod 600 /var/db/colibri/.ssh/mother-mcp` (daemon user) or `~/.ssh/mother-mcp` (clawdie user) |
+| `daemon: open: Permission denied` | Log file ownership wrong | `chown clawdie: /var/log/colibri/daemon.log` |
+| Daemon starts but no external tools | `COLIBRI_MCP_EXTERNAL_CALL` not set | Check provider.env, restart daemon |
+| Daemon starts, external tools visible, but calls fail | SSH key path wrong in external-mcp.json | Baked path: `/var/db/colibri/.ssh/mother-mcp` |
+| `error: unrecognized subcommand` | SSH wrapper getting non-allowlisted command | Wrapper only allows `""` (stdio) and `"tools"`; `ssh mother tools` is correct |
diff --git a/docs/USB-MOTHER-MCP-CONNECTION.md b/docs/USB-MOTHER-MCP-CONNECTION.md
index 4f8efdd..0b3c67e 100644
--- a/docs/USB-MOTHER-MCP-CONNECTION.md
+++ b/docs/USB-MOTHER-MCP-CONNECTION.md
@@ -47,7 +47,7 @@ chmod 600 ~/.ssh/mother-mcp
 # SSH config for Tailscale hostname
 cat >> ~/.ssh/config << 'SSH'
 Host mother
- HostName 100.72.229.63
+ HostName
 User colibri
 IdentityFile ~/.ssh/mother-mcp
 IdentitiesOnly yes
@@ -79,7 +79,7 @@ sudo tee /usr/local/etc/colibri/external-mcp.json << 'JSON'
 "args": [
 "-i", "/home/clawdie/.ssh/mother-mcp",
 "-o", "StrictHostKeyChecking=accept-new",
- "colibri@100.72.229.63",
+ "colibri@",
 "colibri-mcp"
 ],
 "env": {}
diff --git a/live/operator-session/clawdie-live-seed.README.txt b/live/operator-session/clawdie-live-seed.README.txt
index c8fe03d..b30d312 100644
--- a/live/operator-session/clawdie-live-seed.README.txt
+++ b/live/operator-session/clawdie-live-seed.README.txt
@@ -109,8 +109,11 @@ Inside it, any of these are honored:
 //ssh/known_hosts OUTBOUND: merged into ~/.ssh/known_hosts (0644), de-duplicated. Pin the mother server's host key here so the first node -> mother connection does
- not stop on an unknown-host prompt. Get the line
- with: ssh-keyscan osa.smilepowered.org
+ not stop on an unknown-host prompt. Scan the
+ TARGET that ssh/config actually connects to
+ (the Tailscale IP in HostName, not necessarily
+ the DNS name):
+ ssh-keyscan
 //ssh/mother-mcp DUAL-PURPOSE OUTBOUND KEY. This private key serves two roles with a single identity: 
@@ -136,6 +139,12 @@ Inside it, any of these are honored:
 destinations. No other key is needed for either purpose.
+ The importer installs this material to TWO homes:
+ /home/clawdie/.ssh/ (operator) and
+ /var/db/colibri/.ssh/ (daemon). The daemon
+ spawns the external-MCP SSH connection to mother,
+ so it needs its own copy of the key + config.
+
 Agent directory names may contain only A-Z a-z 0-9 . _ - (no spaces or slashes). The name `ssh` is reserved for Layer 1.
diff --git a/scripts/stage-colibri-iso.sh b/scripts/stage-colibri-iso.sh
index f84ae0c..10b73e3 100755
--- a/scripts/stage-colibri-iso.sh
+++ b/scripts/stage-colibri-iso.sh
@@ -146,6 +146,7 @@ cat > "${ETC_DIR}/external-mcp.json" <<'EOF'
 "command": "ssh",
 "args": [
 "-i", "/var/db/colibri/.ssh/mother-mcp",
+ "-F", "/var/db/colibri/.ssh/config",
 "-o", "StrictHostKeyChecking=accept-new",
 "mother"
 ],
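Review bot: The new `"-F", "/var/db/colibri/.ssh/config"` line is still followed by `StrictHostKeyChecking=accept-new`, so the daemon's first connection to `mother` silently trusts whatever host key answers whenever no pin is present in its known_hosts — and this same patch's README says the seed's known_hosts pin is installed into `/var/db/colibri/.ssh/` precisely so that pin exists before the daemon connects. Since the pin is expected, the baked args can fail closed instead of trust-on-first-use: replace the option with `"-o", "StrictHostKeyChecking=yes",` and add `"-o", "UserKnownHostsFile=/var/db/colibri/.ssh/known_hosts",` (presumably the daemon's merged known_hosts path, given its home is /var/db/colibri — confirm), so a missing or mismatched pin is a hard error rather than a quiet accept. Two side effects of `-F` also deserve a comment above the `cat >` heredoc: per ssh(1) a command-line `-F` file causes `/etc/ssh/ssh_config` to be ignored entirely, so any system-wide hardening (ciphers, KEX, `HashKnownHosts`) must be repeated in the baked config, and ssh exits with an error if the file is absent, e.g. `# -F: daemon ssh reads ONLY this config; /etc/ssh/ssh_config is NOT consulted and a missing file is a hard failure`. The heredoc that writes external-mcp.json begins before and ends after this hunk.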