fix: atomic write of provider.env in enable-mother

Step 4 of clawdie-enable-mother.sh rewrote provider.env in place with
`cat "$tmp" >"$f"`, which truncates the live secrets file before
streaming the new content. A crash, signal, disk-full, or concurrent
read during that window leaves provider.env empty or partial — and the
colibri_daemon prestart sources it for the provider key + BW_* creds.

Switch to the write-temp-then-rename pattern already used for
external-mcp.json in step 3: mktemp in provider.env's own directory (so
the rename stays on one filesystem and is atomic), chmod 0600 before the
swap, then mv. A reader now always sees a complete file, old or new.

Also add jq to the disk-install extras so disk-deployed hosts can run
the script post-deploy (step 3 hard-requires jq; the live image already
ships it).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

live/operator-session/clawdie-enable-mother.sh

@@ -145,12 +145,11 @@ echo "[4/5] Enabling external MCP calls..."
 mdo -u root sh -c '
     set -eu
     f="$1"
-    tmp="$(mktemp)"
+    tmp="$(mktemp "$(dirname "$f")/.provider.env.XXXXXX")"
     grep -v "^COLIBRI_MCP_EXTERNAL_CALL=" "$f" >"$tmp" 2>/dev/null || :
     printf "COLIBRI_MCP_EXTERNAL_CALL=\"1\"\n" >>"$tmp"
-    cat "$tmp" >"$f"
+    chmod 0600 "$tmp"
-    rm -f "$tmp"
+    mv "$tmp" "$f"
-    chmod 0600 "$f"
 ' sh "$PROVIDER_ENV"
 
 # 5. Restart the daemon so the Pi inherits the new env + registry.

packages/pkg-list-disk-install-extras.txt

@@ -1,6 +1,10 @@
 # Disk-install extras — fetched into the offline repository, not installed on the live USB.
 # TODO: Installed by disk-install path, not live USB. See FIRSTBOOT.md when disk install lands.
 #
+# clawdie-enable-mother.sh uses jq to merge mother entries into external-mcp.json.
+# Include it here so disk-installed hosts can run the script post-deploy.
+jq
+#
 # Two categories live here. They share the same code path (fetched to the
 # offline repo, not installed on live) but have different long-term homes:
 #