feat(seed): populate CLAWDIESEED partition with agent operational files

Adds seed/ directory with:
- AGENTS.md: zot operational rules (mother, verbs, capabilities)
- harness.toml: harness="zot", model="deepseek-v4-pro"
- env.placeholder: template for API key injection

build.sh seed population step reads provider keys from the build host's
/usr/local/etc/colibri/provider.env and writes them to the seed partition's
env file. Also installs AGENTS.md, harness.toml, and the layered-soul backup.

Keys are NEVER committed — only placeholders. Real keys are injected at build
time from the build host's provider.env (DEEPSEEK_API_KEY, OPENROUTER_API_KEY).

build.sh

@@ -2442,6 +2442,49 @@ if [ ! -f "$WORK_IMG" ]; then
     mount_msdosfs /dev/${MD}s3 "${_seed_mount}"
     install -m 0644 "${LIVE_SESSION_DIR}/clawdie-live-seed.README.txt" \
         "${_seed_mount}/README.txt"
+
+    # Seed agent directory with operational files.
+    # The seed importer (clawdie-live-seed) reads these at boot:
+    #   env → merged into ~/.env + /usr/local/etc/colibri/provider.env
+    #   AGENTS.md → /var/db/colibri/.local/state/zot/AGENTS.md (zot global slot)
+    #   harness.toml → recorded for Colibri runtime.
+    #   soul/ → staged for Hermes (dormant, loaded when Hermes is installed).
+    _seed_agent_dir="${_seed_mount}/clawdie"
+    mkdir -p "${_seed_agent_dir}"
+
+    # Operational rules for the autospawned zot agent.
+    if [ -f "${LIVE_SESSION_DIR}/seed/AGENTS.md" ]; then
+        install -m 0644 "${LIVE_SESSION_DIR}/seed/AGENTS.md" \
+            "${_seed_agent_dir}/AGENTS.md"
+    fi
+
+    # Harness config.
+    if [ -f "${LIVE_SESSION_DIR}/seed/harness.toml" ]; then
+        install -m 0644 "${LIVE_SESSION_DIR}/seed/harness.toml" \
+            "${_seed_agent_dir}/harness.toml"
+    fi
+
+    # Provider keys: read from the build host's provider.env, write only
+    # the API key lines to the seed.  The seed importer merges them into
+    # both the operator's ~/.env and the daemon's provider.env at boot.
+    if [ -f /usr/local/etc/colibri/provider.env ]; then
+        grep -E '^(DEEPSEEK_API_KEY|OPENROUTER_API_KEY)=' \
+            /usr/local/etc/colibri/provider.env \
+            > "${_seed_agent_dir}/env" 2>/dev/null || true
+        if [ -s "${_seed_agent_dir}/env" ]; then
+            chmod 0600 "${_seed_agent_dir}/env"
+            echo "    Seeded $(wc -l < "${_seed_agent_dir}/env") API key(s) from provider.env"
+        fi
+    fi
+
+    # Layered-soul identity files (dormant — for Hermes later).
+    if [ -d /home/clawdie/ai/layered-soul ]; then
+        mkdir -p "${_seed_agent_dir}/soul"
+        cp -R /home/clawdie/ai/layered-soul/. "${_seed_agent_dir}/soul/" 2>/dev/null || true
+        rm -rf "${_seed_agent_dir}/soul/.git" 2>/dev/null || true
+        echo "    Seeded soul backup (layered-soul)"
+    fi
+
     sync
     umount "${_seed_mount}"
     rmdir "${_seed_mount}" 2>/dev/null || true

live/operator-session/seed/AGENTS.md

@@ -0,0 +1,48 @@
+# Clawdie USB operator node — zot agent rules
+#
+# Read by zot at boot via $ZOT_HOME/AGENTS.md (global slot).
+# Installed by the seed importer from the CLAWDIESEED partition.
+# LLM reads this as project context in the system prompt.
+
+## You are running on
+
+A Clawdie USB operator node booted from a live image.
+Hardware: detected at boot by clawdie-hw-probe.
+Agent harness: zot (Colibri RPC mode).
+Primary provider: DeepSeek (deepseek-v4-pro).
+Fallback provider: OpenRouter.
+
+## Mother
+
+The mother node is OSA (osa.smilepowered.org), reachable via SSH as the
+colibri user. The private key is on this seed at colibri/ssh/mother-mcp
+and was installed to both /home/clawdie/.ssh/ and /var/db/colibri/.ssh/
+at boot.
+
+Mother runs the Colibri MCP host. Use these verbs:
+- node_register: UPSERT this node's hardware profile to PostgreSQL.
+- create-task: create a coordination task on the board.
+- intake-task: submit a task with capability requirements.
+
+External MCP tools are discoverable via colibri status.
+
+## This node's capabilities
+
+- freebsd: native FreeBSD operator and system administration.
+- colibri: can query and manage the Colibri daemon.
+- zot: this agent itself.
+
+## After self-configuration
+
+1. Verify the daemon is running: service colibri_daemon status
+2. Register with mother: use the node_register MCP tool with output from
+   clawdie-hw-probe.
+3. Install Hermes from /home/clawdie/ai/hermes-bsd per
+   README-FreeBSD.md for persistent agent identity.
+
+## Colibri CLI
+
+Commands available on this node:
+- colibri status: daemon status, cost mode, scheduler, tasks.
+- colibri list-tasks: coordination task board.
+- colibri --help: all subcommands.

live/operator-session/seed/env.placeholder

@@ -0,0 +1,12 @@
+# Provider API keys — seeded onto the CLAWDIESEED partition.
+# build.sh copies this template and replaces the placeholder values
+# with real keys from /usr/local/etc/colibri/provider.env on the build host.
+# 
+# The seed importer merges these into both ~/.env (operator) and
+# /usr/local/etc/colibri/provider.env (daemon), so the autospawned zot
+# boots with working API keys.
+#
+# DO NOT commit real keys to this file.  Placeholders only.
+
+DEEPSEEK_API_KEY=SEED_DEEPSEEK_API_KEY_PLACEHOLDER
+OPENROUTER_API_KEY=SEED_OPENROUTER_API_KEY_PLACEHOLDER

live/operator-session/seed/harness.toml

@@ -0,0 +1,6 @@
+# Agent harness configuration — seeded onto the CLAWDIESEED partition.
+# Read by colibri at boot to determine which agent binary to launch.
+
+harness = "zot"
+model = "deepseek-v4-pro"
+cost_mode = "smart"