fix(iso): remove remaining real IPs, add -F robustness, prettier format, known_hosts note

2026-06-24 11:25:18 +02:00 · 2026-06-24 11:25:18 +02:00 · 14dd2baa98
commit 14dd2baa98
parent dee76991de
4 changed files with 27 additions and 17 deletions
--- a/docs/SETUP-USB-TO-MOTHER.md
+++ b/docs/SETUP-USB-TO-MOTHER.md
@ -8,10 +8,10 @@ sent to mother, and stored in PostgreSQL `mother_hive.hive_nodes`.
 ## Hosts used in this guide
-| Host                   | IP (Tailscale)           | User for MCP | Role                                            |
+| Host                | IP (Tailscale)          | User for MCP | Role                                            |
-| ---------------------- | ------------------------ | ------------ | ----------------------------------------------- |
+| ------------------- | ----------------------- | ------------ | ----------------------------------------------- |
-| `mother` (OSA)         | `<mother-tailscale-ip>`  | `colibri`    | Mother — runs PostgreSQL, external MCP servers  |
+| `mother` (OSA)      | `<mother-tailscale-ip>` | `colibri`    | Mother — runs PostgreSQL, external MCP servers  |
-| `clawdie-usb` (USB)    | `<node-tailscale-ip>`    | `clawdie`    | Operator workstation — sends hw-probe to mother |
+| `clawdie-usb` (USB) | `<node-tailscale-ip>`   | `clawdie`    | Operator workstation — sends hw-probe to mother |
 ## How it works
@ -184,12 +184,12 @@ Once the daemon is restarted with `COLIBRI_AUTOSPAWN=YES` and
 ## Troubleshooting
-| Symptom                                               | Likely cause                                               | Fix                                                                                   |
+| Symptom                                               | Likely cause                                | Fix                                                                                             |
-| ----------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------- |
+| ----------------------------------------------------- | ------------------------------------------- | ----------------------------------------------------------------------------------------------- |
-| `ssh mother` hangs                                      | Tailscale not up                                           | `sudo tailscale up` on USB                                                            |
+| `ssh mother` hangs                                    | Tailscale not up                            | `sudo tailscale up` on USB                                                                      |
-| `Permission denied (publickey)`                       | Key not in authorized_keys on mother                       | Verify: `cat /var/db/colibri/.ssh/authorized_keys` on mother                           |
+| `Permission denied (publickey)`                       | Key not in authorized_keys on mother        | Verify: `cat /var/db/colibri/.ssh/authorized_keys` on mother                                    |
-| `Permission denied (publickey)`                       | Key permissions wrong on USB                               | `chmod 600 /var/db/colibri/.ssh/mother-mcp` (daemon user) or `~/.ssh/mother-mcp` (clawdie user) |
+| `Permission denied (publickey)`                       | Key permissions wrong on USB                | `chmod 600 /var/db/colibri/.ssh/mother-mcp` (daemon user) or `~/.ssh/mother-mcp` (clawdie user) |
-| `daemon: open: Permission denied`                     | Log file ownership wrong                                   | `chown clawdie: /var/log/colibri/daemon.log`                                          |
+| `daemon: open: Permission denied`                     | Log file ownership wrong                    | `chown clawdie: /var/log/colibri/daemon.log`                                                    |
-| Daemon starts but no external tools                   | `COLIBRI_MCP_EXTERNAL_CALL` not set                        | Check provider.env, restart daemon                                                    |
+| Daemon starts but no external tools                   | `COLIBRI_MCP_EXTERNAL_CALL` not set         | Check provider.env, restart daemon                                                              |
-| Daemon starts, external tools visible, but calls fail | SSH key path wrong in external-mcp.json                    | Baked path: `/var/db/colibri/.ssh/mother-mcp`                                         |
+| Daemon starts, external tools visible, but calls fail | SSH key path wrong in external-mcp.json     | Baked path: `/var/db/colibri/.ssh/mother-mcp`                                                   |
-| `error: unrecognized subcommand`                      | SSH wrapper getting non-allowlisted command                | Wrapper only allows `""` (stdio) and `"tools"`; `ssh mother tools` is correct         |
+| `error: unrecognized subcommand`                      | SSH wrapper getting non-allowlisted command | Wrapper only allows `""` (stdio) and `"tools"`; `ssh mother tools` is correct                   |
--- a/docs/USB-MOTHER-MCP-CONNECTION.md
+++ b/docs/USB-MOTHER-MCP-CONNECTION.md
@ -47,7 +47,7 @@ chmod 600 ~/.ssh/mother-mcp
 # SSH config for Tailscale hostname
 cat >> ~/.ssh/config << 'SSH'
 Host mother
-    HostName 100.72.229.63
+    HostName <mother-tailscale-ip>
    User colibri
    IdentityFile ~/.ssh/mother-mcp
    IdentitiesOnly yes
@ -79,7 +79,7 @@ sudo tee /usr/local/etc/colibri/external-mcp.json << 'JSON'
      "args": [
        "-i", "/home/clawdie/.ssh/mother-mcp",
        "-o", "StrictHostKeyChecking=accept-new",
-        "colibri@100.72.229.63",
+        "colibri@<mother-tailscale-ip>",
        "colibri-mcp"
      ],
      "env": {}
--- a/live/operator-session/clawdie-live-seed.README.txt
+++ b/live/operator-session/clawdie-live-seed.README.txt
@ -109,8 +109,11 @@ Inside it, any of these are honored:
  /<agent>/ssh/known_hosts       OUTBOUND: merged into ~/.ssh/known_hosts (0644),
                                 de-duplicated. Pin the mother server's host key
                                 here so the first node -> mother connection does
-                                 not stop on an unknown-host prompt. Get the line
+                                 not stop on an unknown-host prompt. Scan the
-                                 with: ssh-keyscan osa.smilepowered.org
+                                 TARGET that ssh/config actually connects to
                                 (the Tailscale IP in HostName, not necessarily
                                 the DNS name):
                                     ssh-keyscan <mother-tailscale-ip>
  /<agent>/ssh/mother-mcp        DUAL-PURPOSE OUTBOUND KEY. This private key
                                 serves two roles with a single identity:
@ -136,6 +139,12 @@ Inside it, any of these are honored:
                                 destinations. No other key is needed for either
                                 purpose.
                                 The importer installs this material to TWO homes:
                                 /home/clawdie/.ssh/ (operator) and
                                 /var/db/colibri/.ssh/ (daemon). The daemon
                                 spawns the external-MCP SSH connection to mother,
                                 so it needs its own copy of the key + config.
 Agent directory names may contain only A-Z a-z 0-9 . _ - (no spaces or
 slashes). The name `ssh` is reserved for Layer 1.
--- a/scripts/stage-colibri-iso.sh
+++ b/scripts/stage-colibri-iso.sh
@ -146,6 +146,7 @@ cat > "${ETC_DIR}/external-mcp.json" <<'EOF'
      "command": "ssh",
      "args": [
        "-i", "/var/db/colibri/.ssh/mother-mcp",
        "-F", "/var/db/colibri/.ssh/config",
        "-o", "StrictHostKeyChecking=accept-new",
        "mother"
      ],