From d71c8ee08778c3bb3a56abcf04bdfaee937be41e Mon Sep 17 00:00:00 2001
From: Sam & Claude <samo.blatnik@gmail.com>
Date: Mon, 15 Jun 2026 17:33:15 +0200
Subject: [PATCH] fix(build): write_build_manifest uses git status --porcelain
 and tracks clawdie-ai modified

---
 build.sh | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/build.sh b/build.sh
index 584be5e2..a0b8cbe8 100755
--- a/build.sh
+++ b/build.sh
@@ -511,12 +511,25 @@ write_build_manifest() {
     _tailscale_auth_key_baked="${TAILSCALE_AUTH_KEY_BAKED:-false}"
     if command -v git >/dev/null 2>&1 && git -C "$SCRIPT_DIR" rev-parse --git-dir >/dev/null 2>&1; then
         _iso_repo_commit=$(git -C "$SCRIPT_DIR" rev-parse HEAD 2>/dev/null || echo unknown)
-        if git -C "$SCRIPT_DIR" diff --quiet 2>/dev/null && git -C "$SCRIPT_DIR" diff --cached --quiet 2>/dev/null; then
+        if [ -z "$(git -C "$SCRIPT_DIR" status --porcelain 2>/dev/null)" ]; then
             _iso_repo_modified="false"
         else
             _iso_repo_modified="true"
         fi
     fi
+    # Clawdie-AI provenance: the image stages a git checkout of the AI source,
+    # so record whether the tree is modified at build time.
+    _clawdie_ai_modified="null"
+    if command -v git >/dev/null 2>&1; then
+        resolve_clawdie_ai_repo
+        if git -C "${_resolved_clawdie_ai_repo}" rev-parse --git-dir >/dev/null 2>&1; then
+            if [ -z "$(git -C "${_resolved_clawdie_ai_repo}" status --porcelain 2>/dev/null)" ]; then
+                _clawdie_ai_modified="false"
+            else
+                _clawdie_ai_modified="true"
+            fi
+        fi
+    fi
     if [ -n "${LIVE_SSH_PUBKEY_FP:-}" ]; then
         _live_ssh_pubkey_fp_json="\"$(json_escape "${LIVE_SSH_PUBKEY_FP}")\""
     fi
@@ -528,8 +541,7 @@ write_build_manifest() {
         resolve_colibri_paths
         if git -C "${_resolved_colibri_repo}" rev-parse --git-dir >/dev/null 2>&1; then
             _colibri_commit=$(git -C "${_resolved_colibri_repo}" rev-parse HEAD 2>/dev/null || echo unknown)
-            if git -C "${_resolved_colibri_repo}" diff --quiet 2>/dev/null && \
-               git -C "${_resolved_colibri_repo}" diff --cached --quiet 2>/dev/null; then
+            if [ -z "$(git -C "${_resolved_colibri_repo}" status --porcelain 2>/dev/null)" ]; then
                 _colibri_modified="false"
             else
                 _colibri_modified="true"
@@ -541,8 +553,7 @@ write_build_manifest() {
     if [ "${FEATURE_COLIBRI:-NO}" = "YES" ] && [ "${COLIBRI_STAGE_AGENT:-YES}" = "YES" ]; then
         resolve_zot_paths
         if command -v git >/dev/null 2>&1 && git -C "${_resolved_zot_repo}" rev-parse --git-dir >/dev/null 2>&1; then
-            if git -C "${_resolved_zot_repo}" diff --quiet 2>/dev/null && \
-               git -C "${_resolved_zot_repo}" diff --cached --quiet 2>/dev/null; then
+            if [ -z "$(git -C "${_resolved_zot_repo}" status --porcelain 2>/dev/null)" ]; then
                 _zot_modified="false"
             else
                 _zot_modified="true"
@@ -564,6 +575,7 @@ write_build_manifest() {
   "freebsd_arch": "$(json_escape "${FREEBSD_ARCH}")",
   "clawdie_ai_ref": "$(json_escape "${CLAWDIE_REF}")",
   "clawdie_ai_commit": "$(json_escape "${CLAWDIE_AI_COMMIT:-unknown}")",
+  "clawdie_ai_modified": ${_clawdie_ai_modified:-null},
   "live_ssh_pubkey_fp": ${_live_ssh_pubkey_fp_json},
   "tailscale_auth_key_baked": ${_tailscale_auth_key_baked},
   "iso_repo_commit": "$(json_escape "${_iso_repo_commit}")",