docs/skills: switch published image + flashing from .gz to .xz

Smaller downloads that Rufus/balenaEtcher/RPi-Imager still read directly (zstd
would break Windows flashers). Switches the image artifact, flashing commands
(xz -dc | dd, xz -t, unxz), publish flow (xz -T0 -c), the artifact-manifest
script, and all skills + docs to .img.xz. Adds a Windows (Rufus/Etcher) flashing
section + README pointer. Source tarballs (clawdie-ai *.tar.gz) unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

AGENTS.md

@@ -159,7 +159,7 @@ ISO builds use repo-local `tmp/` for large caches and output artifacts:
 
 - `tmp/cache` — build cache
 - `tmp/cache/mnt` — temporary md(4) work-image mountpoint
-- `tmp/output` — generated `.img.gz` artifacts and checksums
+- `tmp/output` — generated `.img.xz` artifacts and checksums
 - `tmp/packages` — fetched package archives
 
 `tmp/cache/mnt` is an ISO-builder-specific mountpoint exception. Do not mount

BUILD.md

@@ -140,11 +140,11 @@ Output:
 tmp/output/clawdie-quindecim-0.2.29.img
 ```
 
-Published/downloaded artifacts are compressed as `.img.gz`. Stream the
+Published/downloaded artifacts are compressed as `.img.xz`. Stream the
 compressed image directly into `dd`:
 
 ```sh
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
 sync
 ```
 
@@ -153,9 +153,9 @@ For Linux or FreeBSD downloads from the published HTTPS path, prefer resumable
 
 ```sh
 curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz
 curl -fL --retry 5 --retry-delay 5 -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz.sha256
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz.sha256
 ```
 
 For a build-local uncompressed image, plain `dd` is also fine:

FLASHING.md

@@ -3,13 +3,13 @@
 Published Clawdie operator USB artifacts are compressed:
 
 ```text
-clawdie-quindecim-0.2.29.img.gz
+clawdie-quindecim-0.2.29.img.xz
 ```
 
 Default policy:
 
 ```text
-Downloaded .img.gz  -> stream gzip directly into dd
+Downloaded .img.xz  -> stream xz directly into dd
 Build-local .img    -> plain dd is OK
 Always write to the whole USB disk, never to a partition
 ```
@@ -35,7 +35,7 @@ A wrong device name can destroy the host OS or another data disk.
 
 ---
 
-## Linux: Flash a Downloaded `.img.gz`
+## Linux: Flash a Downloaded `.img.xz`
 
 Find the USB disk:
 
@@ -47,15 +47,15 @@ Download with resume and retries:
 
 ```sh
 curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz
 curl -fL --retry 5 --retry-delay 5 -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz.sha256
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz.sha256
 ```
 
 Verify the downloaded artifact:
 
 ```sh
-sha256sum -c clawdie-quindecim-0.2.29.img.gz.sha256
+sha256sum -c clawdie-quindecim-0.2.29.img.xz.sha256
 ```
 
 Unmount mounted USB partitions if needed:
@@ -64,11 +64,11 @@ Unmount mounted USB partitions if needed:
 sudo umount /dev/sdX* 2>/dev/null
 ```
 
-Flash by streaming gzip into `dd`:
+Flash by streaming xz into `dd`:
 
 ```sh
 set -o pipefail 2>/dev/null || true
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
 sync
 ```
 
@@ -76,7 +76,7 @@ Replace `/dev/sdX` with the actual whole USB disk.
 
 ---
 
-## FreeBSD: Flash a Downloaded `.img.gz`
+## FreeBSD: Flash a Downloaded `.img.xz`
 
 Find the USB disk:
 
@@ -89,22 +89,22 @@ Download with resume and retries:
 
 ```sh
 curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz
 curl -fL --retry 5 --retry-delay 5 -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz.sha256
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz.sha256
 ```
 
 Verify the downloaded artifact:
 
 ```sh
-HASH=$(awk '{print $1}' clawdie-quindecim-0.2.29.img.gz.sha256)
+HASH=$(awk '{print $1}' clawdie-quindecim-0.2.29.img.xz.sha256)
-sha256 -c "$HASH" clawdie-quindecim-0.2.29.img.gz
+sha256 -c "$HASH" clawdie-quindecim-0.2.29.img.xz
 ```
 
 If `sha256sum` is installed, this GNU-style form is also OK:
 
 ```sh
-sha256sum -c clawdie-quindecim-0.2.29.img.gz.sha256
+sha256sum -c clawdie-quindecim-0.2.29.img.xz.sha256
 ```
 
 Unmount mounted USB partitions if needed:
@@ -113,10 +113,10 @@ Unmount mounted USB partitions if needed:
 sudo umount /dev/daXs* 2>/dev/null
 ```
 
-Flash by streaming gzip into `dd`:
+Flash by streaming xz into `dd`:
 
 ```sh
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
 sync
 ```
 
@@ -124,6 +124,27 @@ Replace `/dev/daX` with the actual whole USB disk.
 
 ---
 
+## Windows: Flash with Rufus or balenaEtcher
+
+No decompression step needed — both tools read `.img.xz` directly.
+
+1. Download both files (same folder):
+   - `clawdie-quindecim-0.2.29.img.xz`
+   - `clawdie-quindecim-0.2.29.img.xz.sha256`
+2. (Recommended) verify the checksum in PowerShell:
+   ```powershell
+   (Get-FileHash .\clawdie-quindecim-0.2.29.img.xz -Algorithm SHA256).Hash.ToLower()
+   # compare against the value in the .sha256 file
+   ```
+3. **Rufus:** open Rufus → **SELECT** the `.img.xz` → choose the USB drive under "Device" → **START**. Rufus decompresses and writes in one step. (Use "DD Image" mode if prompted.)
+   **balenaEtcher:** Flash from file → pick the `.img.xz` → Select target → Flash.
+4. Write to the **whole USB device**, not a partition. This erases the drive.
+
+> If your flasher is old and rejects `.xz`, extract first with 7-Zip (≥21.07) to
+> get the raw `.img`, then flash that.
+
+---
+
 ## If You Already Have an Uncompressed `.img`
 
 For a local build artifact that already exists as a raw image:
@@ -142,10 +163,10 @@ sudo dd if=clawdie-quindecim-0.2.29.img of=/dev/daX bs=1M status=progress conv=f
 sync
 ```
 
-Only gunzip first if you specifically need the raw file for inspection or reuse:
+Only unxz first if you specifically need the raw file for inspection or reuse:
 
 ```sh
-gunzip -k clawdie-quindecim-0.2.29.img.gz
+unxz -k clawdie-quindecim-0.2.29.img.xz
 ```
 
 ---

PLAN-OPERATOR-USB-NEXT.md

@@ -229,7 +229,7 @@ contract between agents.
 | ------------------ | ------------------------------ | ---------------------------------- | ----------------------------------------------------- |
 | Build result       | `iso-build`                    | `clawdie.iso.build.v1`             | Commit, flags, log path, output files, static checks  |
 | Publish result     | `iso-publish`                  | `clawdie.iso.publish.v1`           | Public URLs, checksums, manifest path, symlink state  |
-| Flash verification | `iso-flash-verify`             | `clawdie.iso.flash.v1`             | Download, checksum, gzip test, target disk fit, flash |
+| Flash verification | `iso-flash-verify`             | `clawdie.iso.flash.v1`             | Download, checksum, xz test, target disk fit, flash |
 | Mounted validation | `iso-validate-image`           | `clawdie.iso.validation.v1`        | SDDM, CLIs, `mdo`, seed slice, no-blank, panel assets |
 | Hardware report    | `iso-hardware-report-ingest`   | `clawdie.iso.hardware.v1`          | GPU/KMS, GL renderer, input, audio, Wi-Fi, SDDM/XFCE  |
 | Package audit      | `iso-package-audit`            | `clawdie.iso.package-audit.v1`     | Category, size, flat size, reason kept, deferral risk |

README.md

@@ -226,38 +226,41 @@ Notes:
 
 ## Write to USB
 
-Published artifacts are compressed as `.img.gz`. Stream them directly into
+Published artifacts are compressed as `.img.xz`. Stream them directly into
-`dd`; do not gunzip first unless you specifically need the raw image file.
+`dd`; do not unxz first unless you specifically need the raw image file.
 
 Download on Linux or FreeBSD with resume and retries:
 
 ```sh
 curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz
 curl -fL --retry 5 --retry-delay 5 -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz.sha256
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz.sha256
 ```
 
 Linux:
 
 ```sh
-sha256sum -c clawdie-quindecim-0.2.29.img.gz.sha256
+sha256sum -c clawdie-quindecim-0.2.29.img.xz.sha256
 set -o pipefail 2>/dev/null || true
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
 sync
 ```
 
 FreeBSD:
 
 ```sh
-HASH=$(awk '{print $1}' clawdie-quindecim-0.2.29.img.gz.sha256)
+HASH=$(awk '{print $1}' clawdie-quindecim-0.2.29.img.xz.sha256)
-sha256 -c "$HASH" clawdie-quindecim-0.2.29.img.gz
+sha256 -c "$HASH" clawdie-quindecim-0.2.29.img.xz
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
 sync
 ```
 
 Replace `/dev/sdX` or `/dev/daX` with the whole USB device, not a partition.
-For the full safety checklist and raw `.img` variant, see [FLASHING.md](FLASHING.md).
+
+On **Windows**, use Rufus or balenaEtcher — both read `.img.xz` directly (no
+manual decompression). See [FLASHING.md](FLASHING.md) for the step-by-step, the
+full safety checklist, and the raw `.img` variant.
 
 If you built with `--live-default-password`, both the tty and the SDDM greeter
 accept `clawdie` / `quindecim`. The live USB expects an interactive login at
@@ -304,7 +307,7 @@ on this branch.
 ## Documentation
 
 - **[BUILD.md](BUILD.md)** — build flags, cache behavior, and test flow
-- **[FLASHING.md](FLASHING.md)** — Linux and FreeBSD USB flashing commands
+- **[FLASHING.md](FLASHING.md)** — Linux, FreeBSD, and Windows (Rufus/Etcher) USB flashing
 - **[REQUIREMENTS.md](REQUIREMENTS.md)** — build host and deployment requirements
 - **[NETWORKING.md](NETWORKING.md)** — PF, Tailscale, `warden0`, and setup access
 - **[TESTING.md](TESTING.md)** — bhyve and hardware validation procedures

TESTING.md

@@ -426,12 +426,12 @@ FreeBSD. For a published compressed image on Linux, the default path is:
 
 ```sh
 curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz
 curl -fL --retry 5 --retry-delay 5 -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz.sha256
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz.sha256
-sha256sum -c clawdie-quindecim-0.2.29.img.gz.sha256
+sha256sum -c clawdie-quindecim-0.2.29.img.xz.sha256
 set -o pipefail 2>/dev/null || true
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
 sync
 ```
 

docs/ISO-MANIFESTS.md

@@ -79,7 +79,7 @@ Use for Hermes USB/IMG Deployer verification and flashing. Include:
 
 - consumed publish manifest URL/path
 - downloaded image/checksum paths
-- checksum and `gzip -t` results
+- checksum and `xz -t` results
 - selected whole-disk device, model, serial when available, and size
 - explicit confirmation that the target is a whole disk, not a partition
 - flash command summary and post-flash sync/eject result

scripts/write-artifact-manifest.sh

@@ -8,7 +8,7 @@ export PATH
 
 usage() {
     cat <<'EOF'
-Usage: scripts/write-artifact-manifest.sh <image.img|image.img.gz> [--base-url URL]
+Usage: scripts/write-artifact-manifest.sh <image.img|image.img.xz> [--base-url URL]
 
 Writes <image>.manifest.json next to the image artifacts. The manifest is the
 handoff contract for Hermes USB/IMG Deployer and other non-git artifact users.
@@ -52,27 +52,27 @@ while [ "$#" -gt 0 ]; do
 done
 
 case "${_artifact}" in
-    *.img.gz)
+    *.img.xz)
-        _gz="${_artifact}"
+        _xz="${_artifact}"
-        _raw="${_artifact%.gz}"
+        _raw="${_artifact%.xz}"
-        _stem="${_artifact%.img.gz}"
+        _stem="${_artifact%.img.xz}"
         ;;
     *.img)
         _raw="${_artifact}"
-        _gz="${_artifact}.gz"
+        _xz="${_artifact}.xz"
         _stem="${_artifact%.img}"
         ;;
     *)
-        echo "ERROR: artifact must end in .img or .img.gz: ${_artifact}" >&2
+        echo "ERROR: artifact must end in .img or .img.xz: ${_artifact}" >&2
         exit 2
         ;;
 esac
 
-_sha="${_gz}.sha256"
+_sha="${_xz}.sha256"
 _manifest="${_stem}.manifest.json"
 
-if [ ! -f "${_gz}" ]; then
+if [ ! -f "${_xz}" ]; then
-    echo "ERROR: compressed image missing: ${_gz}" >&2
+    echo "ERROR: compressed image missing: ${_xz}" >&2
     exit 1
 fi
 
@@ -117,17 +117,17 @@ sha_from_file() {
     fi
 }
 
-_gz_hash="$(file_sha256 "${_gz}")"
+_xz_hash="$(file_sha256 "${_xz}")"
 _sha_hash="$(sha_from_file "${_sha}")"
-if [ "${_gz_hash}" != "${_sha_hash}" ]; then
+if [ "${_xz_hash}" != "${_sha_hash}" ]; then
     echo "ERROR: checksum file does not match compressed image" >&2
-    echo "       computed: ${_gz_hash}" >&2
+    echo "       computed: ${_xz_hash}" >&2
     echo "       file:     ${_sha_hash}" >&2
     exit 1
 fi
 
 _raw_base="$(basename "${_raw}")"
-_gz_base="$(basename "${_gz}")"
+_xz_base="$(basename "${_xz}")"
 _sha_base="$(basename "${_sha}")"
 _manifest_base="$(basename "${_manifest}")"
 
@@ -136,7 +136,7 @@ if [ -f "${_raw}" ]; then
 else
     _raw_size="null"
 fi
-_gz_size="$(file_size "${_gz}")"
+_xz_size="$(file_size "${_xz}")"
 
 _branch="$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo unknown)"
 _commit="$(git rev-parse --short HEAD 2>/dev/null || echo unknown)"
@@ -155,7 +155,7 @@ _builder="${BUILT_BY:-Codex ISO Builder}"
 _build_command="${BUILD_COMMAND:-unknown}"
 
 if [ -n "${_base_url}" ]; then
-    _image_url="${_base_url}/${_gz_base}"
+    _image_url="${_base_url}/${_xz_base}"
     _sha_url="${_base_url}/${_sha_base}"
     _manifest_url="${_base_url}/${_manifest_base}"
 else
@@ -184,12 +184,12 @@ cat > "${_tmp}" <<EOF
   "build_host": "$(json_escape "${_host}")",
   "built_by": "$(json_escape "${_builder}")",
   "image": "$(json_escape "${_raw_base}")",
-  "compressed_image": "$(json_escape "${_gz_base}")",
+  "compressed_image": "$(json_escape "${_xz_base}")",
   "sha256_file": "$(json_escape "${_sha_base}")",
   "manifest": "$(json_escape "${_manifest_base}")",
-  "sha256": "$(json_escape "${_gz_hash}")",
+  "sha256": "$(json_escape "${_xz_hash}")",
   "raw_size_bytes": ${_raw_size},
-  "compressed_size_bytes": ${_gz_size},
+  "compressed_size_bytes": ${_xz_size},
   "manifest_written_at": "$(json_escape "${_written_at}")",
   "freebsd_version": "$(json_escape "${_freebsd}")",
   "build_command": "$(json_escape "${_build_command}")",
@@ -197,14 +197,14 @@ cat > "${_tmp}" <<EOF
   "sha256_url": $(json_string_or_null "${_sha_url}"),
   "manifest_url": $(json_string_or_null "${_manifest_url}"),
   "inputs": {
-    "compressed_image_path": "$(json_escape "${_gz}")",
+    "compressed_image_path": "$(json_escape "${_xz}")",
     "sha256_path": "$(json_escape "${_sha}")"
   },
   "checks": [
     {
       "name": "checksum_file_matches_compressed_image",
       "status": "pass",
-      "sha256": "$(json_escape "${_gz_hash}")"
+      "sha256": "$(json_escape "${_xz_hash}")"
     }
   ],
   "outputs": {
@@ -214,8 +214,8 @@ cat > "${_tmp}" <<EOF
     "manifest_url": $(json_string_or_null "${_manifest_url}")
   },
   "logs": [],
-  "summary": "Published artifact manifest is ready for Hermes checksum/gzip verification and flashing.",
+  "summary": "Published artifact manifest is ready for Hermes checksum/xz verification and flashing.",
-  "notes": "Built on FreeBSD; ready for Hermes USB/IMG Deployer after checksum and gzip verification."
+  "notes": "Built on FreeBSD; ready for Hermes USB/IMG Deployer after checksum and xz verification."
 }
 EOF
 

skills/build-iso/scripts/build-iso.sh

@@ -5,7 +5,7 @@
 # - repo-local build from /home/clawdie/ai/clawdie-iso
 # - tmp/ caches and output artifacts in this repo
 # - default tmux window clawdie:3 named "iso"
-# - commit-suffixed raw .img, .img.gz, and .img.gz.sha256 artifacts
+# - commit-suffixed raw .img, .img.xz, and .img.xz.sha256 artifacts
 #
 # Use skills/iso-build/SKILL.md instead.
 

skills/iso-build-cleanup/SKILL.md

@@ -91,12 +91,12 @@ sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/cache/work.img
 ## 5. Safe delete list
 
 These are safe to delete when you need space, but confirm with the operator
-before removing the newest commit-suffixed `.img.gz` artifact if it may be the
+before removing the newest commit-suffixed `.img.xz` artifact if it may be the
 current test image:
 
 ```sh
 sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/output/*.img
-sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/output/*.img.gz
+sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/output/*.img.xz
 sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/output/*.sha256
 sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/cache/memstick-s2.img
 sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/cache/memstick-s2a.img

skills/iso-build/SKILL.md

@@ -267,8 +267,8 @@ find tmp/output -maxdepth 1 -type f -ls
 Typical artifacts are:
 
 - raw `.img`
-- compressed `.img.gz`
+- compressed `.img.xz`
-- matching `.img.gz.sha256`
+- matching `.img.xz.sha256`
 
 Public/test artifact names should include the source commit suffix.
 

skills/iso-flash-verify/SKILL.md

@@ -13,7 +13,7 @@ explicitly reassigns flashing.
 ## Safety rules
 
 - Never flash from terminal scrollback alone; start from a manifest URL or path.
-- Verify the SHA256 and run `gzip -t` before writing bytes.
+- Verify the SHA256 and run `xz -t` before writing bytes.
 - Flash only a whole disk such as `/dev/sdX` or `/dev/daX`, never a partition
   such as `/dev/sdX1`.
 - Record the selected device model, serial, and size before flashing.
@@ -63,20 +63,20 @@ curl -fL -O --output-dir tmp/flash-downloads "$IMAGE_URL"
 curl -fL -O --output-dir tmp/flash-downloads "$SHA_URL"
 ```
 
-## 3. Verify checksum and gzip integrity
+## 3. Verify checksum and xz integrity
 
 ```sh
 cd tmp/flash-downloads
 sha256sum -c "$(basename "$SHA_URL")"
-gzip -t "$(basename "$IMAGE_URL")"
+xz -t "$(basename "$IMAGE_URL")"
 cd -
 ```
 
 If the checksum file is in FreeBSD `sha256(1)` format, compare manually:
 
 ```sh
-sha256sum tmp/flash-downloads/*.img.gz
+sha256sum tmp/flash-downloads/*.img.xz
-cat tmp/flash-downloads/*.img.gz.sha256
+cat tmp/flash-downloads/*.img.xz.sha256
 ```
 
 ## 4. Identify the whole-disk target
@@ -95,7 +95,7 @@ whole-disk path with the operator before writing.
 Example for Linux, replacing `/dev/sdX` with the confirmed whole disk:
 
 ```sh
-gzip -dc tmp/flash-downloads/<image>.img.gz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc tmp/flash-downloads/<image>.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
 sync
 ```
 

skills/iso-publish/SKILL.md

@@ -69,37 +69,37 @@ test -f "$IMG"
 ```
 
 ```sh
-GZ="${IMG}.gz"
+XZ="${IMG}.xz"
 ```
 
 ```sh
-SHA="${GZ}.sha256"
+SHA="${XZ}.sha256"
 ```
 
 ## 2. Compress if needed
 
-If `${GZ}` already exists for the same raw image, inspect it before reusing it:
+If `${XZ}` already exists for the same raw image, inspect it before reusing it:
 
 ```sh
-ls -lh "$IMG" "$GZ"
+ls -lh "$IMG" "$XZ"
 ```
 
-If `${GZ}` is missing or stale, create it:
+If `${XZ}` is missing or stale, create it:
 
 ```sh
-gzip -c "$IMG" > "$GZ"
+xz -T0 -c "$IMG" > "$XZ"
 ```
 
 Record the published file size:
 
 ```sh
-stat -f '%z %N' "$GZ"
+stat -f '%z %N' "$XZ"
 ```
 
 ## 3. Generate checksum and manifest
 
 ```sh
-sha256 "$GZ" > "$SHA"
+sha256 "$XZ" > "$SHA"
 ```
 
 ```sh
@@ -107,7 +107,7 @@ cat "$SHA"
 ```
 
 ```sh
-MANIFEST="$(scripts/write-artifact-manifest.sh "$GZ" --base-url https://osa.smilepowered.org/downloads/iso)"
+MANIFEST="$(scripts/write-artifact-manifest.sh "$XZ" --base-url https://osa.smilepowered.org/downloads/iso)"
 ```
 
 ```sh
@@ -118,7 +118,7 @@ If `tmp/output` artifacts are root-owned, run the manifest step with `sudo` and
 preserve the base URL:
 
 ```sh
-MANIFEST="$(sudo env BUILT_BY="Codex ISO Builder" scripts/write-artifact-manifest.sh "$GZ" --base-url https://osa.smilepowered.org/downloads/iso)"
+MANIFEST="$(sudo env BUILT_BY="Codex ISO Builder" scripts/write-artifact-manifest.sh "$XZ" --base-url https://osa.smilepowered.org/downloads/iso)"
 ```
 
 ## 4. Inspect current public links
@@ -131,11 +131,11 @@ Remove only the old public Clawdie image/checksum symlinks, not the new output
 files under `tmp/output`:
 
 ```sh
-sudo find /usr/local/www/osa/downloads/iso -maxdepth 1 -type l -name 'clawdie-*.img.gz' -delete
+sudo find /usr/local/www/osa/downloads/iso -maxdepth 1 -type l -name 'clawdie-*.img.xz' -delete
 ```
 
 ```sh
-sudo find /usr/local/www/osa/downloads/iso -maxdepth 1 -type l -name 'clawdie-*.img.gz.sha256' -delete
+sudo find /usr/local/www/osa/downloads/iso -maxdepth 1 -type l -name 'clawdie-*.img.xz.sha256' -delete
 ```
 
 ```sh
@@ -145,7 +145,7 @@ sudo find /usr/local/www/osa/downloads/iso -maxdepth 1 -type l -name 'clawdie-*.
 ## 5. Link the new artifacts
 
 ```sh
-sudo ln -s "$(pwd)/$GZ" "/usr/local/www/osa/downloads/iso/$(basename "$GZ")"
+sudo ln -s "$(pwd)/$XZ" "/usr/local/www/osa/downloads/iso/$(basename "$XZ")"
 ```
 
 ```sh
@@ -157,7 +157,7 @@ sudo ln -s "$(pwd)/$MANIFEST" "/usr/local/www/osa/downloads/iso/$(basename "$MAN
 ```
 
 ```sh
-sudo chgrp -h webmaster "/usr/local/www/osa/downloads/iso/$(basename "$GZ")"
+sudo chgrp -h webmaster "/usr/local/www/osa/downloads/iso/$(basename "$XZ")"
 ```
 
 ```sh
@@ -173,7 +173,7 @@ sudo chgrp -h webmaster "/usr/local/www/osa/downloads/iso/$(basename "$MANIFEST"
 Set helper variables:
 
 ```sh
-GZ_BASE="$(basename "$GZ")"
+XZ_BASE="$(basename "$XZ")"
 ```
 
 ```sh
@@ -197,7 +197,7 @@ sudo sh -c "cat > /usr/local/www/osa/downloads/iso/index.html" <<EOF
 <body>
   <h1>Clawdie ISO Downloads</h1>
   <ul>
-    <li><a href="${GZ_BASE}">${GZ_BASE}</a></li>
+    <li><a href="${XZ_BASE}">${XZ_BASE}</a></li>
     <li><a href="${SHA_BASE}">${SHA_BASE}</a></li>
     <li><a href="${MANIFEST_BASE}">${MANIFEST_BASE}</a></li>
   </ul>
@@ -221,7 +221,7 @@ ls -l /usr/local/www/osa/downloads/iso
 ```
 
 ```sh
-readlink "/usr/local/www/osa/downloads/iso/$(basename "$GZ")"
+readlink "/usr/local/www/osa/downloads/iso/$(basename "$XZ")"
 ```
 
 ```sh
@@ -254,7 +254,7 @@ This downloads the full compressed image to `/dev/null`; run it so the direct
 image URL is proven, but expect it to take time:
 
 ```sh
-fetch -o /dev/null "https://osa.smilepowered.org/downloads/iso/$(basename "$GZ")"
+fetch -o /dev/null "https://osa.smilepowered.org/downloads/iso/$(basename "$XZ")"
 ```
 
 ## 9. Report back
@@ -274,8 +274,8 @@ Example:
 
 ```text
 Published:
-- https://osa.smilepowered.org/downloads/iso/<image>.img.gz
+- https://osa.smilepowered.org/downloads/iso/<image>.img.xz
-- https://osa.smilepowered.org/downloads/iso/<image>.img.gz.sha256
+- https://osa.smilepowered.org/downloads/iso/<image>.img.xz.sha256
 - https://osa.smilepowered.org/downloads/iso/<image>.manifest.json
 - https://osa.smilepowered.org/downloads/iso/
 
@@ -283,8 +283,8 @@ Checksum: <sha256>
 Size: <bytes> bytes
 
 HERMES_USB_DEPLOY_READY=1
-IMAGE_URL=https://osa.smilepowered.org/downloads/iso/<image>.img.gz
+IMAGE_URL=https://osa.smilepowered.org/downloads/iso/<image>.img.xz
-SHA256_URL=https://osa.smilepowered.org/downloads/iso/<image>.img.gz.sha256
+SHA256_URL=https://osa.smilepowered.org/downloads/iso/<image>.img.xz.sha256
 MANIFEST_URL=https://osa.smilepowered.org/downloads/iso/<image>.manifest.json
 COMMIT=<short-commit>
 SIZE_BYTES=<compressed-size-bytes>