fix(iso): pre-configure mother MCP OOTB + fix docs

Two changes so the USB connects to mother on first boot with no manual steps:

1. stage-colibri-iso.sh: external-mcp.json is now pre-configured with the
   mother server entry (colibri@100.72.229.63, no remote command — the
   hardened wrapper starts colibri-mcp in stdio MCP mode). Previously
   staged as empty {}; the operator had to create it manually or run
   clawdie-enable-mother.

2. provider.env now includes COLIBRI_MCP_EXTERNAL_CALL=1 by default
   (already set on osa; missing from the ISO defaults).

3. SETUP-USB-TO-MOTHER.md: removed Step 3 (manual external-mcp.json),
   fixed the diagram to match the hardened wrapper (no remote command),
   corrected the server name from "m0th3r"/"c0l1br1" to the real names.

The SSH key, config, and known_hosts still come from the CLAWDIESEED
seed partition — the image carries no secrets. Without the seed the
connection fails gracefully.

docs/SETUP-USB-TO-MOTHER.md

@@ -20,15 +20,14 @@ sent to mother, and stored in PostgreSQL `mother_hive.hive_nodes`.
 │                                                               │
 │  colibri-daemon                                               │
 │    │                                                          │
-│    │ external-mcp.json:                                       │
+│    │ external-mcp.json (baked):                               │
 │    │   "mother": {                                            │
 │    │     "command": "ssh",                                    │
-│    │     "args": ["-i", "~/.ssh/m0th3r-mcp",                 │
-│    │              "c0l1br1@100.72.229.63",                   │
-│    │              "colibri-mcp"]                              │
+│    │     "args": ["-i", "~/.ssh/mother-mcp",                 │
+│    │              "colibri@100.72.229.63"]                    │
 │    │   }                                                      │
 │    │                                                          │
-│    │ spawns persistent SSH child process                      │
+│    │ spawns persistent SSH child (no remote command)          │
 │    │ JSON-RPC flows over stdin/stdout ──────────────────────┐ │
 │    │                                                         │ │
 │    │ clawdie-hw-probe → JSON →                              │ │
@@ -45,8 +44,7 @@ sent to mother, and stored in PostgreSQL `mother_hive.hive_nodes`.
 │  /var/db/colibri/.ssh/authorized_keys:                        │ │
 │    command="/usr/local/bin/colibri-mcp-ssh",restrict,... ◄────┘ │
 │                                                               │
-│  colibri-mcp-ssh → strips forced-command wrapper              │
-│                  → passes "tools" subcommand to colibri-mcp    │
+│  colibri-mcp-ssh → starts colibri-mcp in stdio MCP mode       │
 │                                                               │
 │  PostgreSQL mother_hive.hive_nodes ← hw-probe JSON stored       │
 │                                                               │
@@ -112,37 +110,12 @@ grep EXTERNAL_CALL /usr/local/etc/colibri/provider.env
 
 ## Step 3: Register mother as external MCP server (on USB)
 
-```bash
-# === ON USB, as clawdie ===
+external-mcp.json is now baked into the ISO image by
+`scripts/stage-colibri-iso.sh` with the mother server pre-configured.
+No manual step is needed — the daemon picks it up on first boot.
 
-sudo tee /usr/local/etc/colibri/external-mcp.json << 'JSON'
-{
-  "servers": {
-    "m0th3r": {
-      "command": "ssh",
-      "args": [
-        "-i", "/home/clawdie/.ssh/m0th3r-mcp",
-        "-o", "StrictHostKeyChecking=accept-new",
-        "c0l1br1@100.72.229.63",
-        "colibri-mcp"
-      ],
-      "env": {}
-    }
-  }
-}
-JSON
-
-# Verify JSON syntax:
-python3.11 -m json.tool /usr/local/etc/colibri/external-mcp.json > /dev/null \
-    && echo "OK" || echo "INVALID JSON"
-```
-
-**What happens at daemon startup**: the daemon reads `external-mcp.json`,
-spawns `ssh c0l1br1@100.72.229.63 colibri-mcp` as a persistent child process,
-and pipes JSON-RPC over stdin/stdout. The mother-side `colibri-mcp-ssh`
-wrapper (in `authorized_keys` via `command=`) strips the SSH forced-command
-layer and passes subcommands directly to `colibri-mcp`. One SSH connection
-per daemon lifetime — no reconnect overhead.
+To add additional external MCP servers post-install, edit
+`/usr/local/etc/colibri/external-mcp.json` and restart the daemon.
 
 ## Step 4: Install clawdie-hw-probe (on USB)
 

scripts/stage-colibri-iso.sh

@@ -124,16 +124,32 @@ COLIBRI_AUTOSPAWN_BINARY="zot"
 # Telegram bot token — set this to enable the bot channel (@your_bot).
 # Leave blank to use CLI/TUI/Dashboard channels only.
 # TELEGRAM_BOT_TOKEN=""
+
+# Enable external MCP server calls so the daemon can connect to mother
+# (OSA) for hive-node registration. The SSH key comes from the seed
+# partition; without it the connection fails gracefully.
+COLIBRI_MCP_EXTERNAL_CALL="1"
 EOF
 chmod 0600 "${ETC_DIR}/provider.env" 2>/dev/null || true
 
-# External MCP server registry — empty by default. The "Enable Mother Link"
-# action (clawdie-enable-mother) adds a server entry here; colibri-mcp reads it
-# when launched with COLIBRI_MCP_EXTERNAL_CALL=1. Path matches colibri-mcp's
-# default COLIBRI_MCP_EXTERNAL_CONFIG.
+# External MCP server registry. The mother server entry is pre-configured so
+# the daemon connects to mother OOTB; the SSH key, known_hosts, and config
+# come from the CLAWDIESEED seed partition (see clawdie-live-seed.README.txt).
+# Without the seed, the connection fails gracefully — the daemon keeps running.
+# Path matches colibri-mcp's default COLIBRI_MCP_EXTERNAL_CONFIG.
 cat > "${ETC_DIR}/external-mcp.json" <<'EOF'
 {
-  "servers": {}
+  "servers": {
+    "mother": {
+      "command": "ssh",
+      "args": [
+        "-i", "/home/clawdie/.ssh/mother-mcp",
+        "-o", "StrictHostKeyChecking=accept-new",
+        "colibri@100.72.229.63"
+      ],
+      "env": {}
+    }
+  }
 }
 EOF
 chmod 0644 "${ETC_DIR}/external-mcp.json" 2>/dev/null || true