Fix bridge naming to warden0 and correct setup token wording (Sam & Claude)

- shell-pf.sh: BRIDGE is now always warden0 (matches jail-config.ts and AGENTS.md) - CompletePage.qml: token text now says will be generated after first boot - NETWORKING.md: updated to reflect warden0 fix
2026-05-12 18:18:12 +02:00 · 2026-05-12 18:18:12 +02:00 · a9ac0013e2
commit a9ac0013e2
parent e690b49d27
3 changed files with 6 additions and 6 deletions
--- a/NETWORKING.md
+++ b/NETWORKING.md
@ -65,7 +65,7 @@ debug issues visually, and verify behavior — all without exposing VNC to the p
 `shell-pf.sh` runs during firstboot and:

 1. **Detects ext_if** via `route -n get default` — no hardcoded interface names
-2. **Creates agent bridge** — currently `${ASSISTANT_NAME}0` (e.g., `clawdie0`), **must be `warden0`** (see alignment note below)
+2. **Creates agent bridge** `warden0` at `192.168.100.1/24` (matches Clawdie-AI `jail-config.ts`)
 3. **Writes `/etc/pf.conf`** with block-all default, SSH protection, jail NAT
 4. **Installs `pf_reload`** rc.d service — see cold boot race below
 5. **Enables PF** via rc.conf
--- a/firstboot/gui/qml-installer/pages/CompletePage.qml
+++ b/firstboot/gui/qml-installer/pages/CompletePage.qml
@ -82,7 +82,7 @@ ColumnLayout {
            }

            Text {
-                text: tracker.success ? "The setup token lives on the installed host at /var/db/clawdie-installer/setup-token. Do not expose port 3100 directly to tailscale0 or the public internet before setup completes." : ""
+                text: tracker.success ? "After first boot, a setup token will be generated at /var/db/clawdie-installer/setup-token. Do not expose port 3100 directly to tailscale0 or the public internet before setup completes." : ""
                font.pixelSize: 12
                color: "#8a4f00"
                wrapMode: Text.WordWrap
--- a/firstboot/shell-pf.sh
+++ b/firstboot/shell-pf.sh
@ -13,7 +13,7 @@ PF_CONF="${PF_CONF:-/etc/pf.conf}"
 PF_RELOAD_RCD="${PF_RELOAD_RCD:-/usr/local/etc/rc.d/pf_reload}"

 # Inputs (caller sets these)
-# ASSISTANT_NAME  - used for bridge naming (e.g., "clawdie" → "clawdie0")
+# ASSISTANT_NAME  - used for jail identity (not bridge naming; bridge is always warden0)
 # AGENT_NET       - jail subnet (default: 192.168.100.0/24)

 # ============================================================================
@ -28,8 +28,8 @@ clawdie_shell_pf() {

  log_msg "[pf] Setting up firewall..."

-  # Derive bridge name and gateway IP from agent name and subnet
-  local BRIDGE="${ASSISTANT_NAME:-clawdie}0"
+  # Bridge is always warden0 (matches AGENTS.md convention and jail-config.ts)
+  local BRIDGE="warden0"
  local NET_ADDR="${AGENT_NET%/*}"
  local NET_PREFIX="${AGENT_NET#*/}"
  local BRIDGE_IP
@ -45,7 +45,7 @@ clawdie_shell_pf() {
  log_msg "[pf] ext_if=${EXT_IF}, bridge=${BRIDGE}, net=${AGENT_NET}"

  # Configure agent bridge interface
-  # Bridge named after agent (e.g., clawdie0) — multi-tenant: each agent gets its own bridge + /24
+  # Bridge warden0 — multi-tenant: each agent gets its own bridge + /24 (warden0, warden1, ...)
  printf 'cloned_interfaces="bridge0"\n'          >> "$RC_CONF"
  printf 'ifconfig_bridge0_name="%s"\n' \
      "$BRIDGE"                                   >> "$RC_CONF"