docs/skills: switch published image + flashing from .gz to .xz

Smaller downloads that Rufus/balenaEtcher/RPi-Imager still read directly (zstd would break Windows flashers). Switches the image artifact, flashing commands (xz -dc | dd, xz -t, unxz), publish flow (xz -T0 -c), the artifact-manifest script, and all skills + docs to .img.xz. Adds a Windows (Rufus/Etcher) flashing section + README pointer. Source tarballs (clawdie-ai *.tar.gz) unchanged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-14 12:04:56 +02:00 · 2026-06-14 12:04:56 +02:00 · f3f47c8cdd
commit f3f47c8cdd
parent bc2fcd437d
13 changed files with 120 additions and 96 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@ -159,7 +159,7 @@ ISO builds use repo-local `tmp/` for large caches and output artifacts:

 - `tmp/cache` — build cache
 - `tmp/cache/mnt` — temporary md(4) work-image mountpoint
- `tmp/output` — generated `.img.gz` artifacts and checksums
+- `tmp/output` — generated `.img.xz` artifacts and checksums
 - `tmp/packages` — fetched package archives

 `tmp/cache/mnt` is an ISO-builder-specific mountpoint exception. Do not mount
--- a/BUILD.md
+++ b/BUILD.md
@ -140,11 +140,11 @@ Output:
 tmp/output/clawdie-quindecim-0.2.29.img
 ```

-Published/downloaded artifacts are compressed as `.img.gz`. Stream the
+Published/downloaded artifacts are compressed as `.img.xz`. Stream the
 compressed image directly into `dd`:

 ```sh
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
 sync
 ```

@ -153,9 +153,9 @@ For Linux or FreeBSD downloads from the published HTTPS path, prefer resumable

 ```sh
 curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz
 curl -fL --retry 5 --retry-delay 5 -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz.sha256
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz.sha256
 ```

 For a build-local uncompressed image, plain `dd` is also fine:
--- a/FLASHING.md
+++ b/FLASHING.md
@ -3,13 +3,13 @@
 Published Clawdie operator USB artifacts are compressed:

 ```text
-clawdie-quindecim-0.2.29.img.gz
+clawdie-quindecim-0.2.29.img.xz
 ```

 Default policy:

 ```text
-Downloaded .img.gz  -> stream gzip directly into dd
+Downloaded .img.xz  -> stream xz directly into dd
 Build-local .img    -> plain dd is OK
 Always write to the whole USB disk, never to a partition
 ```
@ -35,7 +35,7 @@ A wrong device name can destroy the host OS or another data disk.

 ---

-## Linux: Flash a Downloaded `.img.gz`
+## Linux: Flash a Downloaded `.img.xz`

 Find the USB disk:

@ -47,15 +47,15 @@ Download with resume and retries:

 ```sh
 curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz
 curl -fL --retry 5 --retry-delay 5 -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz.sha256
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz.sha256
 ```

 Verify the downloaded artifact:

 ```sh
-sha256sum -c clawdie-quindecim-0.2.29.img.gz.sha256
+sha256sum -c clawdie-quindecim-0.2.29.img.xz.sha256
 ```

 Unmount mounted USB partitions if needed:
@ -64,11 +64,11 @@ Unmount mounted USB partitions if needed:
 sudo umount /dev/sdX* 2>/dev/null
 ```

-Flash by streaming gzip into `dd`:
+Flash by streaming xz into `dd`:

 ```sh
 set -o pipefail 2>/dev/null || true
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
 sync
 ```

@ -76,7 +76,7 @@ Replace `/dev/sdX` with the actual whole USB disk.

 ---

-## FreeBSD: Flash a Downloaded `.img.gz`
+## FreeBSD: Flash a Downloaded `.img.xz`

 Find the USB disk:

@ -89,22 +89,22 @@ Download with resume and retries:

 ```sh
 curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz
 curl -fL --retry 5 --retry-delay 5 -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz.sha256
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz.sha256
 ```

 Verify the downloaded artifact:

 ```sh
-HASH=$(awk '{print $1}' clawdie-quindecim-0.2.29.img.gz.sha256)
-sha256 -c "$HASH" clawdie-quindecim-0.2.29.img.gz
+HASH=$(awk '{print $1}' clawdie-quindecim-0.2.29.img.xz.sha256)
+sha256 -c "$HASH" clawdie-quindecim-0.2.29.img.xz
 ```

 If `sha256sum` is installed, this GNU-style form is also OK:

 ```sh
-sha256sum -c clawdie-quindecim-0.2.29.img.gz.sha256
+sha256sum -c clawdie-quindecim-0.2.29.img.xz.sha256
 ```

 Unmount mounted USB partitions if needed:
@ -113,10 +113,10 @@ Unmount mounted USB partitions if needed:
 sudo umount /dev/daXs* 2>/dev/null
 ```

-Flash by streaming gzip into `dd`:
+Flash by streaming xz into `dd`:

 ```sh
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
 sync
 ```

@ -124,6 +124,27 @@ Replace `/dev/daX` with the actual whole USB disk.

 ---

+## Windows: Flash with Rufus or balenaEtcher
+
+No decompression step needed — both tools read `.img.xz` directly.
+
+1. Download both files (same folder):
+   - `clawdie-quindecim-0.2.29.img.xz`
+   - `clawdie-quindecim-0.2.29.img.xz.sha256`
+2. (Recommended) verify the checksum in PowerShell:
+   ```powershell
+   (Get-FileHash .\clawdie-quindecim-0.2.29.img.xz -Algorithm SHA256).Hash.ToLower()
+   # compare against the value in the .sha256 file
+   ```
+3. **Rufus:** open Rufus → **SELECT** the `.img.xz` → choose the USB drive under "Device" → **START**. Rufus decompresses and writes in one step. (Use "DD Image" mode if prompted.)
+   **balenaEtcher:** Flash from file → pick the `.img.xz` → Select target → Flash.
+4. Write to the **whole USB device**, not a partition. This erases the drive.
+
+> If your flasher is old and rejects `.xz`, extract first with 7-Zip (≥21.07) to
+> get the raw `.img`, then flash that.
+
+---
+
 ## If You Already Have an Uncompressed `.img`

 For a local build artifact that already exists as a raw image:
@ -142,10 +163,10 @@ sudo dd if=clawdie-quindecim-0.2.29.img of=/dev/daX bs=1M status=progress conv=f
 sync
 ```

-Only gunzip first if you specifically need the raw file for inspection or reuse:
+Only unxz first if you specifically need the raw file for inspection or reuse:

 ```sh
-gunzip -k clawdie-quindecim-0.2.29.img.gz
+unxz -k clawdie-quindecim-0.2.29.img.xz
 ```

 ---
--- a/PLAN-OPERATOR-USB-NEXT.md
+++ b/PLAN-OPERATOR-USB-NEXT.md
@ -229,7 +229,7 @@ contract between agents.
 | ------------------ | ------------------------------ | ---------------------------------- | ----------------------------------------------------- |
 | Build result       | `iso-build`                    | `clawdie.iso.build.v1`             | Commit, flags, log path, output files, static checks  |
 | Publish result     | `iso-publish`                  | `clawdie.iso.publish.v1`           | Public URLs, checksums, manifest path, symlink state  |
-| Flash verification | `iso-flash-verify`             | `clawdie.iso.flash.v1`             | Download, checksum, gzip test, target disk fit, flash |
+| Flash verification | `iso-flash-verify`             | `clawdie.iso.flash.v1`             | Download, checksum, xz test, target disk fit, flash |
 | Mounted validation | `iso-validate-image`           | `clawdie.iso.validation.v1`        | SDDM, CLIs, `mdo`, seed slice, no-blank, panel assets |
 | Hardware report    | `iso-hardware-report-ingest`   | `clawdie.iso.hardware.v1`          | GPU/KMS, GL renderer, input, audio, Wi-Fi, SDDM/XFCE  |
 | Package audit      | `iso-package-audit`            | `clawdie.iso.package-audit.v1`     | Category, size, flat size, reason kept, deferral risk |
--- a/README.md
+++ b/README.md
@ -226,38 +226,41 @@ Notes:

 ## Write to USB

-Published artifacts are compressed as `.img.gz`. Stream them directly into
-`dd`; do not gunzip first unless you specifically need the raw image file.
+Published artifacts are compressed as `.img.xz`. Stream them directly into
+`dd`; do not unxz first unless you specifically need the raw image file.

 Download on Linux or FreeBSD with resume and retries:

 ```sh
 curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz
 curl -fL --retry 5 --retry-delay 5 -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz.sha256
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz.sha256
 ```

 Linux:

 ```sh
-sha256sum -c clawdie-quindecim-0.2.29.img.gz.sha256
+sha256sum -c clawdie-quindecim-0.2.29.img.xz.sha256
 set -o pipefail 2>/dev/null || true
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
 sync
 ```

 FreeBSD:

 ```sh
-HASH=$(awk '{print $1}' clawdie-quindecim-0.2.29.img.gz.sha256)
-sha256 -c "$HASH" clawdie-quindecim-0.2.29.img.gz
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
+HASH=$(awk '{print $1}' clawdie-quindecim-0.2.29.img.xz.sha256)
+sha256 -c "$HASH" clawdie-quindecim-0.2.29.img.xz
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
 sync
 ```

 Replace `/dev/sdX` or `/dev/daX` with the whole USB device, not a partition.
-For the full safety checklist and raw `.img` variant, see [FLASHING.md](FLASHING.md).
+
+On **Windows**, use Rufus or balenaEtcher — both read `.img.xz` directly (no
+manual decompression). See [FLASHING.md](FLASHING.md) for the step-by-step, the
+full safety checklist, and the raw `.img` variant.

 If you built with `--live-default-password`, both the tty and the SDDM greeter
 accept `clawdie` / `quindecim`. The live USB expects an interactive login at
@ -304,7 +307,7 @@ on this branch.
 ## Documentation

 - **[BUILD.md](BUILD.md)** — build flags, cache behavior, and test flow
- **[FLASHING.md](FLASHING.md)** — Linux and FreeBSD USB flashing commands
+- **[FLASHING.md](FLASHING.md)** — Linux, FreeBSD, and Windows (Rufus/Etcher) USB flashing
 - **[REQUIREMENTS.md](REQUIREMENTS.md)** — build host and deployment requirements
 - **[NETWORKING.md](NETWORKING.md)** — PF, Tailscale, `warden0`, and setup access
 - **[TESTING.md](TESTING.md)** — bhyve and hardware validation procedures
--- a/TESTING.md
+++ b/TESTING.md
@ -426,12 +426,12 @@ FreeBSD. For a published compressed image on Linux, the default path is:

 ```sh
 curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz
 curl -fL --retry 5 --retry-delay 5 -O \
-  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.gz.sha256
-sha256sum -c clawdie-quindecim-0.2.29.img.gz.sha256
+  https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.2.29.img.xz.sha256
+sha256sum -c clawdie-quindecim-0.2.29.img.xz.sha256
 set -o pipefail 2>/dev/null || true
-gzip -dc clawdie-quindecim-0.2.29.img.gz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.2.29.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
 sync
 ```

--- a/docs/ISO-MANIFESTS.md
+++ b/docs/ISO-MANIFESTS.md
@ -79,7 +79,7 @@ Use for Hermes USB/IMG Deployer verification and flashing. Include:

 - consumed publish manifest URL/path
 - downloaded image/checksum paths
- checksum and `gzip -t` results
+- checksum and `xz -t` results
 - selected whole-disk device, model, serial when available, and size
 - explicit confirmation that the target is a whole disk, not a partition
 - flash command summary and post-flash sync/eject result
--- a/scripts/write-artifact-manifest.sh
+++ b/scripts/write-artifact-manifest.sh
@ -8,7 +8,7 @@ export PATH

 usage() {
    cat <<'EOF'
-Usage: scripts/write-artifact-manifest.sh <image.img|image.img.gz> [--base-url URL]
+Usage: scripts/write-artifact-manifest.sh <image.img|image.img.xz> [--base-url URL]

 Writes <image>.manifest.json next to the image artifacts. The manifest is the
 handoff contract for Hermes USB/IMG Deployer and other non-git artifact users.
@ -52,27 +52,27 @@ while [ "$#" -gt 0 ]; do
 done

 case "${_artifact}" in
-    *.img.gz)
-        _gz="${_artifact}"
-        _raw="${_artifact%.gz}"
-        _stem="${_artifact%.img.gz}"
+    *.img.xz)
+        _xz="${_artifact}"
+        _raw="${_artifact%.xz}"
+        _stem="${_artifact%.img.xz}"
        ;;
    *.img)
        _raw="${_artifact}"
-        _gz="${_artifact}.gz"
+        _xz="${_artifact}.xz"
        _stem="${_artifact%.img}"
        ;;
    *)
-        echo "ERROR: artifact must end in .img or .img.gz: ${_artifact}" >&2
+        echo "ERROR: artifact must end in .img or .img.xz: ${_artifact}" >&2
        exit 2
        ;;
 esac

-_sha="${_gz}.sha256"
+_sha="${_xz}.sha256"
 _manifest="${_stem}.manifest.json"

-if [ ! -f "${_gz}" ]; then
-    echo "ERROR: compressed image missing: ${_gz}" >&2
+if [ ! -f "${_xz}" ]; then
+    echo "ERROR: compressed image missing: ${_xz}" >&2
    exit 1
 fi

@ -117,17 +117,17 @@ sha_from_file() {
    fi
 }

-_gz_hash="$(file_sha256 "${_gz}")"
+_xz_hash="$(file_sha256 "${_xz}")"
 _sha_hash="$(sha_from_file "${_sha}")"
-if [ "${_gz_hash}" != "${_sha_hash}" ]; then
+if [ "${_xz_hash}" != "${_sha_hash}" ]; then
    echo "ERROR: checksum file does not match compressed image" >&2
-    echo "       computed: ${_gz_hash}" >&2
+    echo "       computed: ${_xz_hash}" >&2
    echo "       file:     ${_sha_hash}" >&2
    exit 1
 fi

 _raw_base="$(basename "${_raw}")"
-_gz_base="$(basename "${_gz}")"
+_xz_base="$(basename "${_xz}")"
 _sha_base="$(basename "${_sha}")"
 _manifest_base="$(basename "${_manifest}")"

@ -136,7 +136,7 @@ if [ -f "${_raw}" ]; then
 else
    _raw_size="null"
 fi
-_gz_size="$(file_size "${_gz}")"
+_xz_size="$(file_size "${_xz}")"

 _branch="$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo unknown)"
 _commit="$(git rev-parse --short HEAD 2>/dev/null || echo unknown)"
@ -155,7 +155,7 @@ _builder="${BUILT_BY:-Codex ISO Builder}"
 _build_command="${BUILD_COMMAND:-unknown}"

 if [ -n "${_base_url}" ]; then
-    _image_url="${_base_url}/${_gz_base}"
+    _image_url="${_base_url}/${_xz_base}"
    _sha_url="${_base_url}/${_sha_base}"
    _manifest_url="${_base_url}/${_manifest_base}"
 else
@ -184,12 +184,12 @@ cat > "${_tmp}" <<EOF
  "build_host": "$(json_escape "${_host}")",
  "built_by": "$(json_escape "${_builder}")",
  "image": "$(json_escape "${_raw_base}")",
-  "compressed_image": "$(json_escape "${_gz_base}")",
+  "compressed_image": "$(json_escape "${_xz_base}")",
  "sha256_file": "$(json_escape "${_sha_base}")",
  "manifest": "$(json_escape "${_manifest_base}")",
-  "sha256": "$(json_escape "${_gz_hash}")",
+  "sha256": "$(json_escape "${_xz_hash}")",
  "raw_size_bytes": ${_raw_size},
-  "compressed_size_bytes": ${_gz_size},
+  "compressed_size_bytes": ${_xz_size},
  "manifest_written_at": "$(json_escape "${_written_at}")",
  "freebsd_version": "$(json_escape "${_freebsd}")",
  "build_command": "$(json_escape "${_build_command}")",
@ -197,14 +197,14 @@ cat > "${_tmp}" <<EOF
  "sha256_url": $(json_string_or_null "${_sha_url}"),
  "manifest_url": $(json_string_or_null "${_manifest_url}"),
  "inputs": {
-    "compressed_image_path": "$(json_escape "${_gz}")",
+    "compressed_image_path": "$(json_escape "${_xz}")",
    "sha256_path": "$(json_escape "${_sha}")"
  },
  "checks": [
    {
      "name": "checksum_file_matches_compressed_image",
      "status": "pass",
-      "sha256": "$(json_escape "${_gz_hash}")"
+      "sha256": "$(json_escape "${_xz_hash}")"
    }
  ],
  "outputs": {
@ -214,8 +214,8 @@ cat > "${_tmp}" <<EOF
    "manifest_url": $(json_string_or_null "${_manifest_url}")
  },
  "logs": [],
-  "summary": "Published artifact manifest is ready for Hermes checksum/gzip verification and flashing.",
-  "notes": "Built on FreeBSD; ready for Hermes USB/IMG Deployer after checksum and gzip verification."
+  "summary": "Published artifact manifest is ready for Hermes checksum/xz verification and flashing.",
+  "notes": "Built on FreeBSD; ready for Hermes USB/IMG Deployer after checksum and xz verification."
 }
 EOF

--- a/skills/build-iso/scripts/build-iso.sh
+++ b/skills/build-iso/scripts/build-iso.sh
@ -5,7 +5,7 @@
 # - repo-local build from /home/clawdie/ai/clawdie-iso
 # - tmp/ caches and output artifacts in this repo
 # - default tmux window clawdie:3 named "iso"
-# - commit-suffixed raw .img, .img.gz, and .img.gz.sha256 artifacts
+# - commit-suffixed raw .img, .img.xz, and .img.xz.sha256 artifacts
 #
 # Use skills/iso-build/SKILL.md instead.

--- a/skills/iso-build-cleanup/SKILL.md
+++ b/skills/iso-build-cleanup/SKILL.md
@ -91,12 +91,12 @@ sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/cache/work.img
 ## 5. Safe delete list

 These are safe to delete when you need space, but confirm with the operator
-before removing the newest commit-suffixed `.img.gz` artifact if it may be the
+before removing the newest commit-suffixed `.img.xz` artifact if it may be the
 current test image:

 ```sh
 sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/output/*.img
-sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/output/*.img.gz
+sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/output/*.img.xz
 sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/output/*.sha256
 sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/cache/memstick-s2.img
 sudo rm -f /home/clawdie/ai/clawdie-iso/tmp/cache/memstick-s2a.img
--- a/skills/iso-build/SKILL.md
+++ b/skills/iso-build/SKILL.md
@ -267,8 +267,8 @@ find tmp/output -maxdepth 1 -type f -ls
 Typical artifacts are:

 - raw `.img`
- compressed `.img.gz`
- matching `.img.gz.sha256`
+- compressed `.img.xz`
+- matching `.img.xz.sha256`

 Public/test artifact names should include the source commit suffix.

--- a/skills/iso-flash-verify/SKILL.md
+++ b/skills/iso-flash-verify/SKILL.md
@ -13,7 +13,7 @@ explicitly reassigns flashing.
 ## Safety rules

 - Never flash from terminal scrollback alone; start from a manifest URL or path.
- Verify the SHA256 and run `gzip -t` before writing bytes.
+- Verify the SHA256 and run `xz -t` before writing bytes.
 - Flash only a whole disk such as `/dev/sdX` or `/dev/daX`, never a partition
  such as `/dev/sdX1`.
 - Record the selected device model, serial, and size before flashing.
@ -63,20 +63,20 @@ curl -fL -O --output-dir tmp/flash-downloads "$IMAGE_URL"
 curl -fL -O --output-dir tmp/flash-downloads "$SHA_URL"
 ```

-## 3. Verify checksum and gzip integrity
+## 3. Verify checksum and xz integrity

 ```sh
 cd tmp/flash-downloads
 sha256sum -c "$(basename "$SHA_URL")"
-gzip -t "$(basename "$IMAGE_URL")"
+xz -t "$(basename "$IMAGE_URL")"
 cd -
 ```

 If the checksum file is in FreeBSD `sha256(1)` format, compare manually:

 ```sh
-sha256sum tmp/flash-downloads/*.img.gz
-cat tmp/flash-downloads/*.img.gz.sha256
+sha256sum tmp/flash-downloads/*.img.xz
+cat tmp/flash-downloads/*.img.xz.sha256
 ```

 ## 4. Identify the whole-disk target
@ -95,7 +95,7 @@ whole-disk path with the operator before writing.
 Example for Linux, replacing `/dev/sdX` with the confirmed whole disk:

 ```sh
-gzip -dc tmp/flash-downloads/<image>.img.gz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc tmp/flash-downloads/<image>.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
 sync
 ```

--- a/skills/iso-publish/SKILL.md
+++ b/skills/iso-publish/SKILL.md
@ -69,37 +69,37 @@ test -f "$IMG"
 ```

 ```sh
-GZ="${IMG}.gz"
+XZ="${IMG}.xz"
 ```

 ```sh
-SHA="${GZ}.sha256"
+SHA="${XZ}.sha256"
 ```

 ## 2. Compress if needed

-If `${GZ}` already exists for the same raw image, inspect it before reusing it:
+If `${XZ}` already exists for the same raw image, inspect it before reusing it:

 ```sh
-ls -lh "$IMG" "$GZ"
+ls -lh "$IMG" "$XZ"
 ```

-If `${GZ}` is missing or stale, create it:
+If `${XZ}` is missing or stale, create it:

 ```sh
-gzip -c "$IMG" > "$GZ"
+xz -T0 -c "$IMG" > "$XZ"
 ```

 Record the published file size:

 ```sh
-stat -f '%z %N' "$GZ"
+stat -f '%z %N' "$XZ"
 ```

 ## 3. Generate checksum and manifest

 ```sh
-sha256 "$GZ" > "$SHA"
+sha256 "$XZ" > "$SHA"
 ```

 ```sh
@ -107,7 +107,7 @@ cat "$SHA"
 ```

 ```sh
-MANIFEST="$(scripts/write-artifact-manifest.sh "$GZ" --base-url https://osa.smilepowered.org/downloads/iso)"
+MANIFEST="$(scripts/write-artifact-manifest.sh "$XZ" --base-url https://osa.smilepowered.org/downloads/iso)"
 ```

 ```sh
@ -118,7 +118,7 @@ If `tmp/output` artifacts are root-owned, run the manifest step with `sudo` and
 preserve the base URL:

 ```sh
-MANIFEST="$(sudo env BUILT_BY="Codex ISO Builder" scripts/write-artifact-manifest.sh "$GZ" --base-url https://osa.smilepowered.org/downloads/iso)"
+MANIFEST="$(sudo env BUILT_BY="Codex ISO Builder" scripts/write-artifact-manifest.sh "$XZ" --base-url https://osa.smilepowered.org/downloads/iso)"
 ```

 ## 4. Inspect current public links
@ -131,11 +131,11 @@ Remove only the old public Clawdie image/checksum symlinks, not the new output
 files under `tmp/output`:

 ```sh
-sudo find /usr/local/www/osa/downloads/iso -maxdepth 1 -type l -name 'clawdie-*.img.gz' -delete
+sudo find /usr/local/www/osa/downloads/iso -maxdepth 1 -type l -name 'clawdie-*.img.xz' -delete
 ```

 ```sh
-sudo find /usr/local/www/osa/downloads/iso -maxdepth 1 -type l -name 'clawdie-*.img.gz.sha256' -delete
+sudo find /usr/local/www/osa/downloads/iso -maxdepth 1 -type l -name 'clawdie-*.img.xz.sha256' -delete
 ```

 ```sh
@ -145,7 +145,7 @@ sudo find /usr/local/www/osa/downloads/iso -maxdepth 1 -type l -name 'clawdie-*.
 ## 5. Link the new artifacts

 ```sh
-sudo ln -s "$(pwd)/$GZ" "/usr/local/www/osa/downloads/iso/$(basename "$GZ")"
+sudo ln -s "$(pwd)/$XZ" "/usr/local/www/osa/downloads/iso/$(basename "$XZ")"
 ```

 ```sh
@ -157,7 +157,7 @@ sudo ln -s "$(pwd)/$MANIFEST" "/usr/local/www/osa/downloads/iso/$(basename "$MAN
 ```

 ```sh
-sudo chgrp -h webmaster "/usr/local/www/osa/downloads/iso/$(basename "$GZ")"
+sudo chgrp -h webmaster "/usr/local/www/osa/downloads/iso/$(basename "$XZ")"
 ```

 ```sh
@ -173,7 +173,7 @@ sudo chgrp -h webmaster "/usr/local/www/osa/downloads/iso/$(basename "$MANIFEST"
 Set helper variables:

 ```sh
-GZ_BASE="$(basename "$GZ")"
+XZ_BASE="$(basename "$XZ")"
 ```

 ```sh
@ -197,7 +197,7 @@ sudo sh -c "cat > /usr/local/www/osa/downloads/iso/index.html" <<EOF
 <body>
  <h1>Clawdie ISO Downloads</h1>
  <ul>
-    <li><a href="${GZ_BASE}">${GZ_BASE}</a></li>
+    <li><a href="${XZ_BASE}">${XZ_BASE}</a></li>
    <li><a href="${SHA_BASE}">${SHA_BASE}</a></li>
    <li><a href="${MANIFEST_BASE}">${MANIFEST_BASE}</a></li>
  </ul>
@ -221,7 +221,7 @@ ls -l /usr/local/www/osa/downloads/iso
 ```

 ```sh
-readlink "/usr/local/www/osa/downloads/iso/$(basename "$GZ")"
+readlink "/usr/local/www/osa/downloads/iso/$(basename "$XZ")"
 ```

 ```sh
@ -254,7 +254,7 @@ This downloads the full compressed image to `/dev/null`; run it so the direct
 image URL is proven, but expect it to take time:

 ```sh
-fetch -o /dev/null "https://osa.smilepowered.org/downloads/iso/$(basename "$GZ")"
+fetch -o /dev/null "https://osa.smilepowered.org/downloads/iso/$(basename "$XZ")"
 ```

 ## 9. Report back
@ -274,8 +274,8 @@ Example:

 ```text
 Published:
- https://osa.smilepowered.org/downloads/iso/<image>.img.gz
- https://osa.smilepowered.org/downloads/iso/<image>.img.gz.sha256
+- https://osa.smilepowered.org/downloads/iso/<image>.img.xz
+- https://osa.smilepowered.org/downloads/iso/<image>.img.xz.sha256
 - https://osa.smilepowered.org/downloads/iso/<image>.manifest.json
 - https://osa.smilepowered.org/downloads/iso/

@ -283,8 +283,8 @@ Checksum: <sha256>
 Size: <bytes> bytes

 HERMES_USB_DEPLOY_READY=1
-IMAGE_URL=https://osa.smilepowered.org/downloads/iso/<image>.img.gz
-SHA256_URL=https://osa.smilepowered.org/downloads/iso/<image>.img.gz.sha256
+IMAGE_URL=https://osa.smilepowered.org/downloads/iso/<image>.img.xz
+SHA256_URL=https://osa.smilepowered.org/downloads/iso/<image>.img.xz.sha256
 MANIFEST_URL=https://osa.smilepowered.org/downloads/iso/<image>.manifest.json
 COMMIT=<short-commit>
 SIZE_BYTES=<compressed-size-bytes>