docs(seed): document dual-purpose mother-mcp key for Forgejo + mother MCP

- Update ssh/config example to show mother-mcp key with both Host entries
  (mother MCP and code.smilepowered.org with IdentitiesOnly yes)
- Add dedicated mother-mcp section explaining the key serves two roles:
  1. MCP calls to mother (command=colibri-mcp,restrict)
  2. Git pull from Forgejo as a read-only deploy key
- Note that read-only is sufficient and limits blast radius
- Update START-HERE.txt to mention git pull works OOTB with seeded key
This commit is contained in:
Sam & Claude 2026-06-23 11:36:10 +02:00
parent cc5ced46d4
commit 6173e185ec
2 changed files with 37 additions and 3 deletions


@ -60,6 +60,11 @@ agent's keys were loaded before the daemon started, so Colibri auto-spawns
the agent on boot. Check with: the agent on boot. Check with:
colibri status colibri status
If a mother-mcp key was seeded, git pull from Forgejo works out-of-the-box:
cd ~/ai/clawdie-iso && git pull
cd ~/ai/clawdie-ai && git pull
The key is wired via ~/.ssh/config for both mother MCP and code.smilepowered.org.
Readable operator guide: Readable operator guide:
/usr/local/share/clawdie-iso/seed/README.txt /usr/local/share/clawdie-iso/seed/README.txt
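Review bot: the claim "git pull from Forgejo works out-of-the-box" only holds if the host key for code.smilepowered.org is already in ~/.ssh/known_hosts; the README section on /<agent>/ssh/known_hosts only tells the operator to pin the mother server (ssh-keyscan osa.smilepowered.org), so a seeded mother-mcp key on a fresh install will still stop at an unknown-host prompt on the first `git pull`. Suggest adding a line here, or in the known_hosts section, such as "also pin the Forgejo host: ssh-keyscan code.smilepowered.org", so the two example commands really run unattended.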


@ -94,12 +94,17 @@ Inside it, any of these are honored:
/<agent>/ssh/<name>.pub OUTBOUND: installed to ~/.ssh/<name>.pub (0644). /<agent>/ssh/<name>.pub OUTBOUND: installed to ~/.ssh/<name>.pub (0644).
/<agent>/ssh/config OUTBOUND: installed to ~/.ssh/config (0600). /<agent>/ssh/config OUTBOUND: installed to ~/.ssh/config (0600).
Typical use — a host alias for the mother server: Typical use — host entries for the dual-purpose
mother-mcp key (see next section):
Host mother Host mother
HostName osa.smilepowered.org HostName osa.smilepowered.org
User clawdie User colibri
IdentityFile ~/.ssh/osa-mother-2026 IdentityFile ~/.ssh/mother-mcp
Host code.smilepowered.org
IdentityFile ~/.ssh/mother-mcp
IdentitiesOnly yes
/<agent>/ssh/known_hosts OUTBOUND: merged into ~/.ssh/known_hosts (0644), /<agent>/ssh/known_hosts OUTBOUND: merged into ~/.ssh/known_hosts (0644),
de-duplicated. Pin the mother server's host key de-duplicated. Pin the mother server's host key
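Review bot: the two Host entries are inconsistent about `IdentitiesOnly yes`: it is set for code.smilepowered.org but not for `Host mother`, even though both use the same single key. Without it, ssh will also offer every key loaded in the agent before (or instead of) ~/.ssh/mother-mcp, which is wasted authentication attempts at best and a wrong-identity login at worst; suggest adding `IdentitiesOnly yes` under `Host mother` as well. The Forgejo entry also sets no `User`; this is fine as long as the repository remotes use the `git@code.smilepowered.org:owner/repo` form, so consider adding either `User git` to the entry or a sentence saying which remote URL form the example assumes.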
@ -107,6 +112,30 @@ Inside it, any of these are honored:
not stop on an unknown-host prompt. Get the line not stop on an unknown-host prompt. Get the line
with: ssh-keyscan osa.smilepowered.org with: ssh-keyscan osa.smilepowered.org
/<agent>/ssh/mother-mcp DUAL-PURPOSE OUTBOUND KEY. This private key
serves two roles with a single identity:
1. MCP calls to mother via colibri-mcp.
The mother server's authorized_keys entry
forces command="colibri-mcp",restrict —
this key can ONLY invoke the MCP tool,
never a shell session.
2. Git pull from Forgejo (code.smilepowered.org).
Add this same key as a read-only deploy key
in the Forgejo repository settings (repo →
Settings → Deploy Keys → Add Deploy Key,
with "Enable write access" OFF). Read-only
is sufficient for `git pull` and limits
blast radius if the key is ever compromised.
Placing a key named mother-mcp here gives the
agent git pull from Forgejo out-of-the-box with
no additional configuration — the accompanying
ssh/config Host entries route it for both
destinations. No other key is needed for either
purpose.
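Review bot: the deploy-key instructions in role 2 speak of "the Forgejo repository settings" in the singular, but START-HERE.txt pulls two repositories (clawdie-iso and clawdie-ai) with this key, and a deploy key is scoped to one repository; the text should say the same public key must be added as a read-only deploy key in each repository the agent pulls. Also, the blast-radius sentence would be more accurate if it named both halves of the trade-off: the forced command and `restrict` on mother bound what the key can do there, but Forgejo has no equivalent forced command, so a compromised mother-mcp still yields read access to every repository it is enrolled in (including anything committed there), which is the cost being accepted in exchange for a single seeded identity.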
Agent directory names may contain only A-Z a-z 0-9 . _ - (no spaces or Agent directory names may contain only A-Z a-z 0-9 . _ - (no spaces or
slashes). The name `ssh` is reserved for Layer 1. slashes). The name `ssh` is reserved for Layer 1.