docs(seed): document dual-purpose mother-mcp key for Forgejo + mother MCP
- Update ssh/config example to show mother-mcp key with both Host entries (mother MCP and code.smilepowered.org with IdentitiesOnly yes)
- Add dedicated mother-mcp section explaining the key serves two roles:
  1. MCP calls to mother (command=colibri-mcp,restrict)
  2. Git pull from Forgejo as a read-only deploy key
- Note that read-only is sufficient and limits blast radius
- Update START-HERE.txt to mention git pull works OOTB with seeded key
parent cc5ced46d4
commit 6173e185ec
2 changed files with 37 additions and 3 deletions
@ -60,6 +60,11 @@ agent's keys were loaded before the daemon started, so Colibri auto-spawns
the agent on boot. Check with:
colibri status
If a mother-mcp key was seeded, git pull from Forgejo works out-of-the-box:
cd ~/ai/clawdie-iso && git pull
cd ~/ai/clawdie-ai && git pull
The key is wired via ~/.ssh/config for both mother MCP and code.smilepowered.org.
Readable operator guide:
/usr/local/share/clawdie-iso/seed/README.txt
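Review bot: the START-HERE claim that `git pull` works out-of-the-box rests on two prerequisites this hunk does not name: the seeded mother-mcp public key must already be registered as a deploy key on both Forgejo repositories, and code.smilepowered.org must be present in the seeded known_hosts, otherwise the first pull stops on an unknown-host prompt (the README hunk below only tells operators to pin osa.smilepowered.org via ssh-keyscan). Suggest adding one qualifying line after `The key is wired via ~/.ssh/config ...`, e.g. `(assumes the key is added as a deploy key in Forgejo and code.smilepowered.org is in ssh/known_hosts)`.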
@ -94,12 +94,17 @@ Inside it, any of these are honored:
/<agent>/ssh/<name>.pub OUTBOUND: installed to ~/.ssh/<name>.pub (0644).
/<agent>/ssh/config OUTBOUND: installed to ~/.ssh/config (0600).
Typical use — a host alias for the mother server:
Typical use — host entries for the dual-purpose
mother-mcp key (see next section):
Host mother
HostName osa.smilepowered.org
User clawdie
IdentityFile ~/.ssh/osa-mother-2026
User colibri
IdentityFile ~/.ssh/mother-mcp
Host code.smilepowered.org
IdentityFile ~/.ssh/mother-mcp
IdentitiesOnly yes
/<agent>/ssh/known_hosts OUTBOUND: merged into ~/.ssh/known_hosts (0644),
de-duplicated. Pin the mother server's host key
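Review bot: the `Host mother` entry has no `IdentitiesOnly yes`, unlike the `Host code.smilepowered.org` entry right below it. Since the agent is auto-spawned at boot with the agent's keys loaded, ssh will also offer any other identity held by the agent to osa.smilepowered.org, so a non-restricted key could be selected instead of the mother-mcp key whose authorized_keys entry forces command="colibri-mcp",restrict. Suggest adding `IdentitiesOnly yes` under `Host mother` as well so the restricted identity is the only one tried, matching the code.smilepowered.org entry.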
@ -107,6 +112,30 @@ Inside it, any of these are honored:
not stop on an unknown-host prompt. Get the line
with: ssh-keyscan osa.smilepowered.org
/<agent>/ssh/mother-mcp DUAL-PURPOSE OUTBOUND KEY. This private key
serves two roles with a single identity:
1. MCP calls to mother via colibri-mcp.
The mother server's authorized_keys entry
forces command="colibri-mcp",restrict —
this key can ONLY invoke the MCP tool,
never a shell session.
2. Git pull from Forgejo (code.smilepowered.org).
Add this same key as a read-only deploy key
in the Forgejo repository settings (repo →
Settings → Deploy Keys → Add Deploy Key,
with "Enable write access" OFF). Read-only
is sufficient for `git pull` and limits
blast radius if the key is ever compromised.
Placing a key named mother-mcp here gives the
agent git pull from Forgejo out-of-the-box with
no additional configuration — the accompanying
ssh/config Host entries route it for both
destinations. No other key is needed for either
purpose.
Agent directory names may contain only A-Z a-z 0-9 . _ - (no spaces or
slashes). The name `ssh` is reserved for Layer 1.
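Review bot: two points in the new `/<agent>/ssh/mother-mcp` entry. First, unlike the `.pub` and `config` entries above it, it never states where the private key is installed or with what mode; suggest following the same pattern, e.g. `installed to ~/.ssh/mother-mcp (0600)`, since a private key that lands world-readable would undo the read-only/blast-radius reasoning the section is built on. Second, the closing paragraph's `no additional configuration` contradicts step 2, which requires the operator to add the key as a deploy key in the Forgejo repository settings; suggest `no additional client-side configuration` so it is clear that the server-side deploy-key step is still required.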