From 16252fb67cd2c51d2cafd1ffd055f6671d78e81a Mon Sep 17 00:00:00 2001
From: Sam & Claude <hello@clawdie.si>
Date: Fri, 3 Apr 2026 10:06:44 +0000
Subject: [PATCH] iso: sync clawdie-ai v1.0.2 + codex baseline (Sam & Codex)

---
 BUILD.md                      |  8 +--
 README.md                     | 21 ++++----
 build.cfg                     |  2 +-
 build.sh                      |  2 +-
 firstboot/MODULE-MANIFEST.md  | 21 ++++----
 firstboot/firstboot.sh        |  4 +-
 firstboot/integration-test.sh | 20 +++++---
 firstboot/shell-deploy.sh     | 14 ++++++
 firstboot/shell-env.sh        | 95 +++++++----------------------------
 packages/pkg-list-host.txt    |  1 +
 10 files changed, 75 insertions(+), 113 deletions(-)

diff --git a/BUILD.md b/BUILD.md
index f610dbce..dafcceaa 100644
--- a/BUILD.md
+++ b/BUILD.md
@@ -1,4 +1,4 @@
-# Clawdie Shell v0.9.0 — ISO Builder
+# Clawdie Shell (bundles Clawdie-AI v1.0.2) — ISO Builder
 
 Building a bootable Clawdie Shell installer ISO with offline package support.
 
@@ -27,7 +27,7 @@ pkg install curl
 This downloads:
 - FreeBSD 15.0-RELEASE memstick
 - All packages (host + jails + desktop + GPU)
-- Clawdie-AI v0.8.2 tarball
+- Clawdie-AI v1.0.2 tarball
 
 Takes ~30 min on fast connection. Can be interrupted/resumed.
 
@@ -74,12 +74,12 @@ DEFAULT_PKG_BRANCH="latest"         # Package branch (latest or quarterly)
 ./build.sh --skip-fetch
 
 # Override Clawdie version
-./build.sh --clawdie-version 0.9.0
+./build.sh --clawdie-version 1.0.2
 
 # Combine flags
 ./build.sh --fetch-only
 # ... later, on another system ...
-./build.sh --skip-fetch --clawdie-version 0.9.0
+./build.sh --skip-fetch --clawdie-version 1.0.2
 ```
 
 ## Build Process (7 steps)
diff --git a/README.md b/README.md
index 824de405..646852d8 100644
--- a/README.md
+++ b/README.md
@@ -34,8 +34,8 @@ Boot a USB, answer a 3-screen wizard, and you have a fully configured Clawdie-AI
 ```bash
 # Requirements: FreeBSD 15.0+, pkg, curl, 30 GB free disk space
 
-git clone https://codeberg.org/Clawdie/clawdie-shell.git
-cd clawdie-shell
+git clone https://codeberg.org/Clawdie/Clawdie-ISO.git
+cd Clawdie-ISO
 
 # Fetch FreeBSD memstick + all packages (non-root)
 ./build.sh --fetch-only
@@ -43,14 +43,14 @@ cd clawdie-shell
 # Assemble ISO (requires root for mdconfig/mount)
 doas ./build.sh
 
-# Output: clawdie-shell-YYYYMMDD.img (~2-2.5 GB)
+# Output: clawdie-iso-<variant>-DD.mmm.YYYY.img (~50 GB, configurable in build.cfg)
 ```
 
 ### Install on Hardware
 
 1. **Write to USB:**
    ```bash
-   doas dd if=clawdie-shell-YYYYMMDD.img of=/dev/da0 bs=1M
+   doas dd if=clawdie-iso-<variant>-DD.mmm.YYYY.img of=/dev/da0 bs=1M
    # (replace da0 with your USB device)
    ```
 
@@ -62,9 +62,10 @@ doas ./build.sh
 
 4. **First boot from HDD** (reboot 1)
    - rc.firstboot wizard appears
-   - Answer 3 questions: assistant name, domain, timezone
+   - Answer: assistant name, public domain, timezone
+   - Optional: local LLM runtime (Ollama or llama-cpp)
+   - Optional: SSH public key (for later Ansible/jail SSH baselines)
    - Optional: enable Forgejo web git UI (adds disk usage)
-   - Optional: LLM provider, Telegram bot
    - Setup runs automatically (5–10 min)
 
 5. **Lumina desktop boots**
@@ -156,7 +157,7 @@ Modular, reusable, testable:
 
 ## Contributing
 
-- **Issues:** [Codeberg Issues](https://codeberg.org/Clawdie/clawdie-shell/issues)
+- **Issues:** [Codeberg Issues](https://codeberg.org/Clawdie/Clawdie-ISO/issues)
 - **Philosophy:** Keep focused (one DE, one purpose). Inherit, don't reinvent.
 
 ---
@@ -164,8 +165,8 @@ Modular, reusable, testable:
 ## Building
 
 ```bash
-git clone https://codeberg.org/Clawdie/clawdie-shell.git
-cd clawdie-shell
+git clone https://codeberg.org/Clawdie/Clawdie-ISO.git
+cd Clawdie-ISO
 
 # Fetch packages (non-root)
 ./build.sh --fetch-only
@@ -173,7 +174,7 @@ cd clawdie-shell
 # Build ISO (requires root)
 doas ./build.sh
 
-# Output: clawdie-shell-YYYYMMDD.img
+# Output: clawdie-iso-<variant>-DD.mmm.YYYY.img
 ```
 
 See [CLAWDIE-SHELL.md](CLAWDIE-SHELL.md) for full specification.
diff --git a/build.cfg b/build.cfg
index de353280..0d04d1a1 100644
--- a/build.cfg
+++ b/build.cfg
@@ -22,7 +22,7 @@ IMAGE_SIZE="50G"
 IMAGE_NAME="clawdie-iso-$(date +%d.%b.%Y | tr 'A-Z' 'a-z').img"
 
 # Clawdie-AI release to bundle (fetched from Codeberg)
-CLAWDIE_VERSION="0.9.0"
+CLAWDIE_VERSION="1.0.2"
 CLAWDIE_TARBALL_URL="https://codeberg.org/Clawdie/Clawdie-AI/archive/v${CLAWDIE_VERSION}.tar.gz"
 
 # Default installer choices (can be overridden by clawdie.conf on USB)
diff --git a/build.sh b/build.sh
index 5447affa..902107e8 100755
--- a/build.sh
+++ b/build.sh
@@ -7,7 +7,7 @@
 #   ./build.sh                          # full build (fetch + assemble)
 #   ./build.sh --fetch-only             # fetch packages/memstick only (no root needed)
 #   ./build.sh --skip-fetch             # assemble only (use cached packages)
-#   ./build.sh --clawdie-version 0.9.0  # pin Clawdie-AI version
+#   ./build.sh --clawdie-version 1.0.2  # pin Clawdie-AI version
 #
 # Requirements (run on FreeBSD host):
 #   pkg install curl         # for fetching
diff --git a/firstboot/MODULE-MANIFEST.md b/firstboot/MODULE-MANIFEST.md
index 3c140e84..241b04fe 100644
--- a/firstboot/MODULE-MANIFEST.md
+++ b/firstboot/MODULE-MANIFEST.md
@@ -27,11 +27,11 @@
 
 ### **1.1: clawdie-shell-env.sh**
 
-**Purpose:** Generate .env with 65+ environment variables (identity + structural)
+**Purpose:** Generate a minimal `.env` seed (identity + feature flags)
 
 **Wizard Inputs (Tier 1 - Required):**
 - `ASSISTANT_NAME` — Human name (e.g., "Clawdie Smith")
-- `AGENT_DOMAIN` — FQDN (e.g., "clawdie.local")
+- `AGENT_DOMAIN` — public FQDN (e.g., "clawdie.invalid")
 - `TZ` — Timezone (e.g., "Europe/Ljubljana")
 
 **Wizard Inputs (Tier 2 - Optional):**
@@ -40,10 +40,10 @@
 - `TELEGRAM_BOT_TOKEN` — Telegram integration (optional)
 
 **Outputs (Created):**
-- `$ENV_FILE` — `/home/clawdie/clawdie-ai/.env` (chmod 600)
-  - Contains: ASSISTANT_NAME, AGENT_NAME, AGENT_DOMAIN, TZ, all 65 vars
-  - Sourced by: clawdie-shell-deploy (1.5)
-  - Sourced by: clawdie-shell-system (1.4) implicitly
+- `$ENV_FILE` — `/home/clawdie/.env` (chmod 600)
+  - Contains: identity + feature flags from the firstboot wizard
+  - Copied into: `/home/clawdie/clawdie-ai/.env` by clawdie-shell-deploy (1.5)
+  - Completed by: Clawdie-AI onboarding (secrets + derived defaults)
 
 **Exports (for downstream modules):**
 - `AGENT_NAME` — derived from ASSISTANT_NAME (e.g., "clawdie-smith")
@@ -56,8 +56,7 @@
 
 **Error Handling:**
 - Fails if ASSISTANT_NAME, AGENT_DOMAIN, or TZ missing
-- Creates /home/clawdie/clawdie-ai directory if needed
-- Validates .env has 50+ variables before marking complete
+- Validates `.env` has the minimal required variables before marking complete
 
 **Recovery Note:**
 - If 1.1 fails, user runs `clawdie-firstboot --resume`
@@ -207,7 +206,7 @@
 
 **Wizard Inputs (from [1.1]):**
 - `TZ` — Timezone (e.g., "Europe/Ljubljana")
-- `AGENT_DOMAIN` — FQDN (e.g., "clawdie.local")
+- `AGENT_DOMAIN` — public FQDN (e.g., "clawdie.invalid")
 
 **Inputs from [1.3 gpu]:**
 - rc.conf already updated by [1.3] (this module appends to it)
@@ -223,7 +222,7 @@
   - Idempotent: uses sysrc pattern
 
 - `/etc/hostname`:
-  - Contains single line: `clawdie.local`
+  - Contains single line: `clawdie.invalid`
 
 - `/etc/profile.d/clawdie.sh`:
   - npm environment (PATH, npm_config_prefix)
@@ -268,7 +267,7 @@
 - nvidia_driver_version (used for jail package selection)
 
 **Outputs (Created):**
-- `/home/clawdie/clawdie-ai/.env` — **sourced from [1.1]**
+- `/home/clawdie/clawdie-ai/.env` — **seeded from [1.1]**
 - Clawdie-AI directory structure extracted
 - `node_modules/` installed (npm install)
 - Jails created (worker, db, cms, optional mgmt)
diff --git a/firstboot/firstboot.sh b/firstboot/firstboot.sh
index 7256ef50..6f6635ba 100644
--- a/firstboot/firstboot.sh
+++ b/firstboot/firstboot.sh
@@ -111,7 +111,7 @@ By continuing, you assume all risks." 12 60
     "m" "Male" off \
     "n" "Neutral" off)
   AGENT_DOMAIN=$(_dialog --inputbox \
-    "Agent domain (e.g. clawdie.internal):" 8 50 "clawdie.internal")
+    "Public domain (e.g. clawdie.invalid):" 8 50 "clawdie.invalid")
   TZ=$(_dialog --inputbox \
     "Timezone (e.g. Europe/Ljubljana):" 8 50 "UTC")
   _dialog --msgbox "\
@@ -175,3 +175,5 @@ run_step "system" clawdie_shell_system_config "Hostname, rc.conf, services"
 run_step "deploy" clawdie_shell_deploy        "Extract tarball + npm install-all"
 
 log_msg "[firstboot] Complete."
+log_msg "[firstboot] Codex CLI (headless): codex login --device-auth"
+log_msg "[firstboot] Codex CLI (API key): printenv OPENAI_API_KEY | codex login --with-api-key"
diff --git a/firstboot/integration-test.sh b/firstboot/integration-test.sh
index 23381d9a..63ec9791 100755
--- a/firstboot/integration-test.sh
+++ b/firstboot/integration-test.sh
@@ -1,11 +1,12 @@
 #!/bin/sh
 # Integration Test: Full Clawdie Shell Firstboot Flow
 # Simulates: 6 modules executing sequentially with state handoff
-# Scenario: Cloud/VM with Intel integrated GPU (real v0.9.0 target)
+# Scenario: Cloud/VM with Intel integrated GPU
 
 set -u
 
-TESTDIR="/tmp/clawdie-int-$$"
+SCRIPT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+TESTDIR="${SCRIPT_DIR}/tmp/clawdie-int-$$"
 mkdir -p "$TESTDIR"
 cd "$TESTDIR"
 
@@ -23,7 +24,7 @@ touch "$TESTDIR/mnt/media/packages/bash.pkg"
 
 # Mock Clawdie-AI
 cat > "$TESTDIR/home/clawdie/clawdie-ai/package.json" <<'EOF'
-{"name":"clawdie-ai","version":"0.9.0","scripts":{"install-all":"echo '[npm] Services ready'"}}
+{"name":"clawdie-ai","version":"1.0.2","scripts":{"install-all":"echo '[npm] Services ready'"}}
 EOF
 
 # Prevent modules from auto-running when sourced (each guard checks its own var)
@@ -64,7 +65,7 @@ touch "$LOG_FILE" "$PROGRESS_FILE" "$RC_CONF"
 
 echo ""
 echo "╔════════════════════════════════════════════════════════════════╗"
-echo "║ Clawdie Shell v0.9.0 Integration Test                          ║"
+echo "║ Clawdie Shell v1.0.2 Integration Test                          ║"
 echo "║ 6-module sequential execution (cloud/VM scenario)              ║"
 echo "╚════════════════════════════════════════════════════════════════╝"
 echo ""
@@ -73,7 +74,12 @@ echo ""
 echo "[1/6] clawdie-shell-env.sh → Identity + .env"
 . /home/clawdie/clawdie-iso/firstboot/shell-env.sh 2>/dev/null
 clawdie_shell_env_generate 2>/dev/null
-[ -f "$ENV_FILE" ] && echo "  ✓ .env created (68 variables)" || echo "  ✗ .env missing"
+if [ -f "$ENV_FILE" ]; then
+  VARS=$(grep -c "^" "$ENV_FILE" || true)
+  echo "  ✓ .env created ($VARS lines)"
+else
+  echo "  ✗ .env missing"
+fi
 
 # STAGE 2: PKG
 echo "[2/6] clawdie-shell-pkg.sh → Repos (online + offline USB)"
@@ -122,7 +128,7 @@ echo "║ System State:                                                  ║"
 [ -d "$CLAWDIE_AI_DIR" ] && echo "║   Clawdie-AI: deployed                                   ║" || echo "║   Clawdie-AI: MISSING                                  ║"
 
 echo "║                                                                ║"
-echo "║ GPU Support (v0.9.0):                                          ║"
+echo "║ GPU Support (v1.0.2):                                          ║"
 echo "║   ✓ Intel integrated (i915kms)                                 ║"
 echo "║   ✓ AMD AMDGPU                                                 ║"
 echo "║   ✓ VESA fallback                                              ║"
@@ -131,7 +137,7 @@ echo "║                                                                ║"
 echo "║ GPU Passthrough (v1.0 roadmap):                                ║"
 echo "║   → Requires bhyve patches (Beckhoff FreeBSD repository)        ║"
 echo "║   → Requires kernel configuration                              ║"
-echo "║   → Not in v0.9.0 scope (bare-metal + cloud focus)             ║"
+echo "║   → Not in current scope                                       ║"
 
 echo "╚════════════════════════════════════════════════════════════════╝"
 
diff --git a/firstboot/shell-deploy.sh b/firstboot/shell-deploy.sh
index a1ac9202..73188d61 100755
--- a/firstboot/shell-deploy.sh
+++ b/firstboot/shell-deploy.sh
@@ -52,6 +52,20 @@ clawdie_shell_deploy() {
 
   log_msg "[deploy] Package.json verified"
 
+  # Step 3.5: Copy firstboot .env seed into the repo root for install-all.
+  # Clawdie-AI reads .env from its project root; firstboot generates ENV_FILE
+  # outside the tarball extraction path to avoid interfering with extraction.
+  if [ -f "$ENV_FILE" ]; then
+    cp "$ENV_FILE" "$CLAWDIE_AI_DIR/.env" 2>/dev/null || {
+      log_msg "[deploy] WARNING: Failed to copy $ENV_FILE to $CLAWDIE_AI_DIR/.env"
+    }
+    chmod 600 "$CLAWDIE_AI_DIR/.env" 2>/dev/null || true
+    chown clawdie:clawdie "$CLAWDIE_AI_DIR/.env" 2>/dev/null || true
+    log_msg "[deploy] Seeded $CLAWDIE_AI_DIR/.env from firstboot"
+  else
+    log_msg "[deploy] WARNING: ENV_FILE not found at $ENV_FILE (install-all will generate defaults)"
+  fi
+
   # Step 3: Change to Clawdie directory for install
   cd "$CLAWDIE_AI_DIR" || {
     log_msg "[deploy] ERROR: Failed to cd to $CLAWDIE_AI_DIR"
diff --git a/firstboot/shell-env.sh b/firstboot/shell-env.sh
index ac4eeebe..a3915983 100755
--- a/firstboot/shell-env.sh
+++ b/firstboot/shell-env.sh
@@ -66,22 +66,15 @@ clawdie_shell_env_generate() {
 # ============================================================================
 
 clawdie_shell_env_write_file() {
-  # Write complete .env file with all required variables
-
-  local db_ip mgmt_ip git_ip cms_ip ollama_ip worker_start
+  # Write a minimal .env seed file.
+  #
+  # This file is copied into the Clawdie-AI repo by the deploy module and then
+  # completed by Clawdie-AI onboarding (secrets, derived defaults, URLs, etc).
 
   # Derive agent name from assistant name (lowercase, strip non-alnum)
   local agent_name
   agent_name=$(echo "$ASSISTANT_NAME" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9]//g')
 
-  # Derive jail IPs from subnet base
-  db_ip="${AGENT_SUBNET_BASE}.3"
-  mgmt_ip="${AGENT_SUBNET_BASE}.2"
-  cms_ip="${AGENT_SUBNET_BASE}.4"
-  ollama_ip="${AGENT_SUBNET_BASE}.5"
-  git_ip="${AGENT_SUBNET_BASE}.6"
-  worker_start="${AGENT_SUBNET_BASE}.101"
-
   # Remove existing .env if present
   rm -f "$ENV_FILE" 2>/dev/null || true
 
@@ -90,68 +83,42 @@ clawdie_shell_env_write_file() {
   chmod 600 "$ENV_FILE"
   chown clawdie:clawdie "$ENV_FILE" 2>/dev/null || true
 
-  # Generate secrets
-  local jwt_secret api_key db_password redis_password
-  jwt_secret=$(clawdie_shell_env_gen_secret)
-  api_key=$(clawdie_shell_env_gen_secret)
-  db_password=$(clawdie_shell_env_gen_secret)
-  redis_password=$(clawdie_shell_env_gen_secret)
-
   # Write .env file
   cat > "$ENV_FILE" <<EOF
-# Clawdie-AI v0.9.0 Environment Configuration
-# Auto-generated by firstboot installer
-# Date: $(date '+%Y-%m-%d %H:%M:%S')
+# Clawdie-AI environment configuration (seed)
+# Auto-generated by clawdie-iso firstboot installer.
+# Secrets and derived defaults are generated by Clawdie-AI onboarding.
 
 # === Identity ===
 ASSISTANT_NAME="$ASSISTANT_NAME"
 AGENT_NAME="$agent_name"
 AGENT_GENDER="${AGENT_GENDER:-f}"
 AGENT_DOMAIN="$AGENT_DOMAIN"
+AGENT_INTERNAL_DOMAIN="${agent_name}.home.arpa"
 TZ="$TZ"
 
-# === Secrets (auto-generated) ===
-JWT_SECRET="$jwt_secret"
-DB_PASSWORD="$db_password"
-REDIS_PASSWORD="$redis_password"
-
 # === LLM Provider ===
 PI_TUI_PROVIDER="${PI_TUI_PROVIDER:-zai}"
 PI_TUI_MODEL="${PI_TUI_MODEL:-glm-5}"
 ZAI_API_KEY="${ZAI_API_KEY:-}"
 OPENROUTER_API_KEY="${OPENROUTER_API_KEY:-}"
-ANTHROPIC_API_KEY="${ANTHROPIC_API_KEY:-$api_key}"
+ANTHROPIC_API_KEY="${ANTHROPIC_API_KEY:-}"
 
 # === Embeddings ===
 EMBED_BASE_URL="${EMBED_BASE_URL:-https://openrouter.ai/api/v1}"
 EMBED_MODEL="${EMBED_MODEL:-BAAI/bge-m3}"
 
-# === Network Configuration ===
+# === Network Configuration (warden0) ===
 AGENT_SUBNET_BASE="$AGENT_SUBNET_BASE"
-AGENT_GATEWAY_IP="${AGENT_SUBNET_BASE}.1"
-MGMT_JAIL_IP="$mgmt_ip"
-DB_JAIL_IP="$db_ip"
-GIT_JAIL_IP="$git_ip"
-CMS_JAIL_IP="$cms_ip"
-WORKER_JAIL_IP_START="$worker_start"
-WARDEN_DB_IP="$db_ip"
-WARDEN_GIT_IP="$git_ip"
-WARDEN_OLLAMA_IP="$ollama_ip"
-WARDEN_LLAMA_CPP_IP="$ollama_ip"
-
-# === Database ===
-DB_HOST="$db_ip"
-DB_PORT="5432"
-DB_NAME="$agent_name"
-DB_USER="$agent_name"
-DB_PASSWORD="$db_password"
+WARDEN_SUBNET_BASE="$AGENT_SUBNET_BASE"
+WARDEN_SUBNET="${AGENT_SUBNET_BASE}.0/24"
+WARDEN_GATEWAY="${AGENT_SUBNET_BASE}.1"
 
 # === Features (optional) ===
-FEATURE_MANAGEMENT_JAIL="true"
-FEATURE_TELEGRAM="${FEATURE_TELEGRAM:-false}"
+FEATURE_TELEGRAM="${FEATURE_TELEGRAM:-NO}"
 FEATURE_GIT="${FEATURE_GIT:-YES}"
-FEATURE_GITEA="${FEATURE_GITEA:-YES}"
-CODE_HOSTING_MODE="${CODE_HOSTING_MODE:-gitea}"
+FEATURE_GITEA="${FEATURE_GITEA:-NO}"
+CODE_HOSTING_MODE="${CODE_HOSTING_MODE:-git}"
 LOCAL_LLM_PROVIDER="${LOCAL_LLM_PROVIDER:-none}"
 FEATURE_OLLAMA="${FEATURE_OLLAMA:-NO}"
 FEATURE_LLAMA_CPP="${FEATURE_LLAMA_CPP:-NO}"
@@ -163,40 +130,12 @@ TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-}"
 
 # === Optional: SSH Public Key (if provided at install) ===
 SSH_PUBLIC_KEY="${SSH_PUBLIC_KEY:-}"
-
-# === System ===
-FREEBSD_VERSION="15.0-RELEASE"
-INSTALL_DATE="$(date '+%Y-%m-%d')"
 EOF
 
   log_msg "[env] Wrote .env with $(wc -l < "$ENV_FILE") configuration lines"
   return 0
 }
 
-# ============================================================================
-# SECRET GENERATION
-# ============================================================================
-
-clawdie_shell_env_gen_secret() {
-  # Generate a random 32-character secret suitable for JWT/API keys
-  # Uses /dev/urandom + base64 encoding
-
-  # Try openssl first (more portable)
-  if command -v openssl >/dev/null 2>&1; then
-    openssl rand -base64 32 | tr -d '\n' | head -c 32
-    return 0
-  fi
-
-  # Fallback: dd from /dev/urandom
-  if [ -r /dev/urandom ]; then
-    dd if=/dev/urandom bs=1 count=24 2>/dev/null | base64 | tr -d '\n' | head -c 32
-    return 0
-  fi
-
-  # Last resort: use /dev/random with longer read (slower)
-  dd if=/dev/random bs=1 count=24 2>/dev/null | base64 | tr -d '\n' | head -c 32
-}
-
 # ============================================================================
 # VALIDATION
 # ============================================================================
@@ -217,7 +156,7 @@ clawdie_shell_env_validate() {
   fi
 
   # Check for required variables
-  local required_vars="ASSISTANT_NAME AGENT_NAME AGENT_DOMAIN TZ JWT_SECRET DB_PASSWORD"
+  local required_vars="ASSISTANT_NAME AGENT_NAME AGENT_DOMAIN AGENT_INTERNAL_DOMAIN TZ"
   local missing=0
   for var in $required_vars; do
     if ! grep -q "^$var=" "$ENV_FILE" 2>/dev/null; then
diff --git a/packages/pkg-list-host.txt b/packages/pkg-list-host.txt
index f92633cf..9725af0b 100644
--- a/packages/pkg-list-host.txt
+++ b/packages/pkg-list-host.txt
@@ -10,6 +10,7 @@ node24
 npm
 tmux
 bsddialog
+codex
 
 # Python / tooling
 python311