feat(iso): stage colibri test agent and provider key help (Sam & Codex)

Switch ISO staging/docs from colibri-smoke-agent to colibri-test-agent, include rust/pkgconf for live Colibri rebuilds, stage provider.env.sample, wire the provider env rc.conf path, and document LLM key setup on the Firefox bootstrap page.\n\nChecks: npx --yes prettier@3 --check docs/LIVE-COLIBRI-REBUILD.md live/operator-session/bootstrap.html BUILD.md TESTING.md README.md; sh -n scripts/stage-colibri-iso.sh; sh -n build.sh; fake Colibri staging + sh -n staged rc.d script; git diff --check.

BUILD.md

@@ -82,7 +82,7 @@ Colibri-backed. The image includes:
 ```text
 /usr/local/bin/colibri-daemon
 /usr/local/bin/colibri
-/usr/local/bin/colibri-smoke-agent
+/usr/local/bin/colibri-test-agent
 /usr/local/bin/colibri-mcp              # MCP bridge for Zed/Claude Code/Cursor
 /usr/local/bin/colibri-tui              # if present in the artifact dir
 /usr/local/etc/rc.d/colibri_daemon

TESTING.md

@@ -334,7 +334,7 @@ sudo mdconfig -d -u md0
 ## Level 2: bhyve Verification Gate
 
 Use bhyve as the standard pre-hardware gate when the ML350p lane is available.
-This is no longer just an opportunistic smoke test; it is the default
+This is no longer just an opportunistic startup check; it is the default
 middle-stage verification between static artifact checks and physical hardware.
 
 Treat bhyve as authoritative for boot/runtime plumbing and still treat real
@@ -558,7 +558,7 @@ proprietary NVIDIA stack.
 Linux baseline probe:
 [linux-hardware.org/?probe=efd5b5b389](https://linux-hardware.org/?probe=efd5b5b389)
 
-This is a real deploy target. First-boot smoke set for this machine
+This is a real deploy target. First-boot check set for this machine
 (or any AMD Ryzen U-series laptop) once the image lands:
 
 ```sh
@@ -783,7 +783,7 @@ mdo -u root fwget -n                       # dry run
 ### What to do when the chipset is unsupported
 
 The live USB image is still useful — all daemons bind to `lo0` too, so
-`sshd`, Avahi, and the local stack can be smoke-tested without network.
+`sshd`, Avahi, and the local stack can be validated without network.
 For end-to-end validation, swap to a supported dongle from the lists
 above.
 
@@ -1069,7 +1069,7 @@ Mark the image good only when all of these are true:
 - [ ] `/` is read-write, `/tmp` and `/var/log` are tmpfs, and `/var/tmp` stays on disk
 - [ ] `~/.cache` points at `/tmp/clawdie/cache`
 - [ ] `/usr/local/etc/xdg/xfce4/xinitrc` and `clawdie` xinitrc fallbacks are executable
-- [ ] `xinit`/`startx`, `clawdie-startx`, `clawdie-gui`, and `xterm` are present for minimal Xorg rescue/smoke testing
+- [ ] `xinit`/`startx`, `clawdie-startx`, `clawdie-gui`, and `xterm` are present for minimal Xorg rescue/startup checking
 - [ ] `/var/lib/xkb` exists and XKB keymap compilation succeeds
 - [ ] `XDG_RUNTIME_DIR` resolves to `/var/run/user/<uid>`
 - [ ] `clawdie_live_gpu` log shows a sensible path or a clear fallback

build.sh

@@ -337,7 +337,7 @@ preflight_colibri_artifacts() {
         echo "       Set COLIBRI_REPO=/path/to/colibri or FEATURE_COLIBRI=NO."
         exit 1
     fi
-    for _colibri_bin in colibri-daemon colibri colibri-smoke-agent colibri-mcp; do
+    for _colibri_bin in colibri-daemon colibri colibri-test-agent colibri-mcp; do
         if [ ! -x "${_resolved_colibri_artifact_dir}/${_colibri_bin}" ]; then
             echo "ERROR: Colibri release binary missing: ${_resolved_colibri_artifact_dir}/${_colibri_bin}"
             command -v cargo >/dev/null 2>&1 || \
@@ -818,6 +818,7 @@ install_colibri_service() {
     set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_socket="/var/run/colibri/colibri.sock"'
     set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_db_path="/var/db/colibri/colibri.sqlite"'
     set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_logfile="/var/log/colibri/daemon.log"'
+    set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_provider_env="/usr/local/etc/colibri/provider.env"'
     set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_host="$(hostname)"'
     set_config_line "${MOUNT_POINT}/etc/rc.conf" "colibri_cost_mode=\"${COLIBRI_COST_MODE:-smart}\""
 
@@ -851,7 +852,7 @@ install_colibri_service() {
         _now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
         sqlite3 "${_colibri_db}" "INSERT OR IGNORE INTO skills (id, name, description, category, created_at) VALUES
             ('$(uuidgen || echo 00000000-0000-0000-0000-000000000001)', 'freebsd-live-usb', 'FreeBSD live USB operator workstation procedures', 'freebsd', '${_now}'),
-            ('$(uuidgen || echo 00000000-0000-0000-0000-000000000002)', 'colibri-smoke', 'Colibri daemon smoke test and validation', 'colibri', '${_now}'),
+            ('$(uuidgen || echo 00000000-0000-0000-0000-000000000002)', 'colibri-test', 'Colibri daemon startup check and validation', 'colibri', '${_now}'),
             ('$(uuidgen || echo 00000000-0000-0000-0000-000000000003)', 'iso-build', 'Clawdie ISO build and staging workflow', 'iso', '${_now}'),
             ('$(uuidgen || echo 00000000-0000-0000-0000-000000000004)', 'tailscale-join', 'Tailscale mesh join procedure for operator USB', 'networking', '${_now}'),
             ('$(uuidgen || echo 00000000-0000-0000-0000-000000000005)', 'disk-deploy', 'Deploy from USB live to permanent disk install. Provisions ZFS pool, installs FreeBSD boot environment, migrates config, and prepares for the future deployed-system clawdie service.', 'clawdie', '${_now}'),

docs/LIVE-COLIBRI-REBUILD.md

@@ -25,7 +25,7 @@ For rebuilds, clone a fresh working checkout into a separate directory such as
 
 ## Required live packages
 
-Future ISOs should include these packages to make this path available out of the
+Live operator ISOs include these packages to make this path available out of the
 box:
 
 ```text
@@ -102,7 +102,7 @@ Expected outputs:
 ```text
 target/release/colibri-daemon
 target/release/colibri
-target/release/colibri-smoke-agent
+target/release/colibri-test-agent
 target/release/colibri-mcp
 target/release/colibri-tui
 ```
@@ -122,7 +122,7 @@ mdo -u root rm -f /var/run/colibri/colibri-daemon-supervisor.pid
 
 mdo -u root install -m 0555 target/release/colibri-daemon /usr/local/bin/colibri-daemon
 mdo -u root install -m 0555 target/release/colibri /usr/local/bin/colibri
-mdo -u root install -m 0555 target/release/colibri-smoke-agent /usr/local/bin/colibri-smoke-agent
+mdo -u root install -m 0555 target/release/colibri-test-agent /usr/local/bin/colibri-test-agent
 mdo -u root install -m 0555 target/release/colibri-mcp /usr/local/bin/colibri-mcp
 mdo -u root install -m 0555 target/release/colibri-tui /usr/local/bin/colibri-tui
 mdo -u root install -m 0555 packaging/freebsd/colibri_daemon.in /usr/local/etc/rc.d/colibri_daemon
@@ -209,8 +209,8 @@ Expected:
 
 ## Future ISO improvement
 
-Add a helper script, tentatively `/usr/local/bin/colibri-live-rebuild`, that
-automates this runbook:
+A future helper script, tentatively `/usr/local/bin/colibri-live-rebuild`, should
+automate this runbook:
 
 1. clone/update `/home/clawdie/ai/colibri-build`
 2. checkout requested branch or commit

live/operator-session/bootstrap.html

@@ -90,6 +90,7 @@
           <li><code>colibri-daemon</code> — agent supervisor, skills catalog, Glasspane state machine</li>
           <li><code>colibri-tui</code> — live ratatui dashboard (agent states, spawn/kill, sessions)</li>
           <li><code>colibri-mcp</code> — MCP bridge for Zed, Claude Code, Cursor, and other MCP clients</li>
+          <li><code>colibri-test-agent</code> — local no-network Colibri launch check</li>
           <li>Firefox browser</li>
           <li>Tailscale package (needs auth key)</li>
           <li><code>pi</code> coding agent harness (npm global)</li>
@@ -120,6 +121,7 @@ colibri list-tasks         # Coordination board
 colibri list-skills        # Skills catalog
 colibri-mcp tools          # MCP bridge, read-only by default
 COLIBRI_MCP_WRITE=1 colibri-mcp tools  # trusted write-capable profile
+colibri spawn-local /usr/local/bin/colibri-test-agent --session-id local-check
 colibri create-task --title "check network"
 colibri list-tasks --status queued</pre>
       <p>
@@ -127,6 +129,24 @@ colibri list-tasks --status queued</pre>
         <code>/usr/local/share/clawdie-iso/mcp-examples/</code>.
       </p>
 
+      <h2>LLM provider keys</h2>
+      <p>
+        Colibri can run local checks without a key. Remote providers need a key
+        in <code>/usr/local/etc/colibri/provider.env</code>. Keep this file
+        root-owned and mode <code>0600</code>; it is read when
+        <code>colibri_daemon</code> starts.
+      </p>
+      <pre>
+mdo -u root cp /usr/local/etc/colibri/provider.env.sample /usr/local/etc/colibri/provider.env
+mdo -u root chmod 600 /usr/local/etc/colibri/provider.env
+mdo -u root ee /usr/local/etc/colibri/provider.env
+mdo -u root service colibri_daemon restart</pre>
+      <p>Put only the providers you use in that file:</p>
+      <pre>
+DEEPSEEK_API_KEY="sk-..."
+OPENROUTER_API_KEY="sk-or-..."
+ANTHROPIC_API_KEY="sk-ant-..."</pre>
+
       <h2>pi assistant</h2>
       <pre>
 pi                         # interactive session

packages/pkg-list-live-operator.txt

@@ -21,6 +21,10 @@ bash
 zsh
 ohmyzsh
 git
+# Live Colibri rebuild lane: lets the running USB rebuild and redeploy Colibri
+# without a full ISO rebuild for every small service/runtime iteration.
+rust
+pkgconf
 tailscale
 avahi-app
 nss_mdns

scripts/stage-colibri-iso.sh

@@ -60,7 +60,7 @@ mkdir -p "${BIN_DIR}" "${RC_DIR}" "${ETC_DIR}" "${NEWSYSLOG_DIR}" "${DB_DIR}" "$
 
 copy_bin colibri-daemon
 copy_bin colibri
-copy_bin colibri-smoke-agent
+copy_bin colibri-test-agent
 copy_bin colibri-mcp
 
 if [ "${COLIBRI_STAGE_INCLUDE_TUI}" != "0" ] && [ -x "${COLIBRI_ARTIFACT_DIR}/colibri-tui" ]; then
@@ -72,6 +72,7 @@ install -m 0644 "${NEWSYSLOG_SOURCE}" "${NEWSYSLOG_DIR}/colibri.conf"
 
 if ! grep -q '^command="/usr/sbin/daemon"' "${RC_DIR}/colibri_daemon" || \
    ! grep -q -- '-o .*colibri_daemon_binary' "${RC_DIR}/colibri_daemon" || \
+   ! grep -q 'colibri_daemon_provider_env' "${RC_DIR}/colibri_daemon" || \
    ! grep -q 'rm -f "${colibri_daemon_socket}" "${pidfile}" "${supervisor_pidfile}"' "${RC_DIR}/colibri_daemon" || \
    ! grep -q 'chmod 644 "${pidfile}"' "${RC_DIR}/colibri_daemon" || \
    ! grep -q 'chmod 660 "${colibri_daemon_socket}"' "${RC_DIR}/colibri_daemon"; then
@@ -86,15 +87,6 @@ if grep -q -- '-u \${colibri_daemon_user}' "${RC_DIR}/colibri_daemon"; then
     exit 66
 fi
 
-# Add DeepSeek API key and cache warming to daemon environment.
-# These are injected into the rc.d prestart so the daemon picks them up
-# without needing a separate config file.
-sed -i '' '/export COLIBRI_COST_MODE/a\
-    export DEEPSEEK_API_KEY="${DEEPSEEK_API_KEY:-}"\
-    export COLIBRI_CACHE_WARMING="true"\
-    export COLIBRI_CACHE_WARMING_INTERVAL_HOURS="6"' \
-    "${RC_DIR}/colibri_daemon"
-
 cat > "${ETC_DIR}/rc.conf.sample" <<EOF
 # Colibri control plane service defaults for the Clawdie ISO.
 # Merge into /etc/rc.conf or /etc/rc.conf.d/colibri_daemon.
@@ -106,10 +98,24 @@ colibri_daemon_run_dir="/var/run/colibri"
 colibri_daemon_socket="/var/run/colibri/colibri.sock"
 colibri_daemon_db_path="/var/db/colibri/colibri.sqlite"
 colibri_daemon_logfile="/var/log/colibri/daemon.log"
+colibri_daemon_provider_env="/usr/local/etc/colibri/provider.env"
 colibri_daemon_host="\$(hostname)"
 colibri_cost_mode="${COLIBRI_COST_MODE}"
 EOF
 
+cat > "${ETC_DIR}/provider.env.sample" <<'EOF'
+# Optional provider keys for colibri_daemon. Copy this file to provider.env,
+# chmod it 0600, fill in only the providers you use, then restart the service.
+#
+# DEEPSEEK_API_KEY="sk-..."
+# OPENROUTER_API_KEY="sk-or-..."
+# ANTHROPIC_API_KEY="sk-ant-..."
+#
+# Optional endpoints/models:
+# DEEPSEEK_ENDPOINT="https://api.deepseek.com/chat/completions"
+# DEEPSEEK_MODEL="deepseek-chat"
+EOF
+
 cat > "${ETC_DIR}/README.iso" <<'EOF'
 Colibri ISO staging notes
 =========================
@@ -117,11 +123,15 @@ Colibri ISO staging notes
 The ISO build creates the colibri user/group and stages the rc.d service.
 The colibri-daemon runs under daemon(8) supervision and is enabled at boot.
 If the daemon fails, it restarts automatically without blocking SDDM/XFCE.
+Provider keys are optional and live in /usr/local/etc/colibri/provider.env.
+Keep that file root-owned and mode 0600, then restart colibri_daemon.
+
 Runtime validation:
 
   service colibri_daemon start
   colibri status
-  colibri create-task --title "iso smoke"
+  colibri spawn-local /usr/local/bin/colibri-test-agent --session-id iso-check
+  colibri create-task --title "iso check"
   colibri list-tasks --status queued
   colibri-mcp tools
   COLIBRI_MCP_WRITE=1 colibri-mcp tools   # trusted write-capable MCP profile