From 2af8a65cae2f1a345a1783ab637ac3758f0eca56 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Mon, 22 Jun 2026 06:08:42 +0200 Subject: [PATCH 1/3] chore(zot): pin operator image to zot v0.2.42 (Sam & Pi) Update the ISO default Zot pin and build docs from v0.2.29 to v0.2.42 so the next image stages the current rebuilt FreeBSD zot binary instead of recording a mismatched checkout/binary pair. Also refresh the release runbook's 0.11.0 examples.\n\nValidation: ./scripts/check-format.sh; sh -n build.sh scripts/stage-zot-iso.sh; BUILD_CHANNEL=dev build.cfg default check; git diff --check. --- build.cfg | 4 ++-- docs/LIVE-COLIBRI-REBUILD.md | 4 ++-- docs/RELEASE-0.11.0-HANDOFF.md | 2 +- docs/RELEASE-BUILD-RUNBOOK.md | 30 +++++++++++++++--------------- scripts/stage-zot-iso.sh | 4 ++-- 5 files changed, 22 insertions(+), 22 deletions(-) diff --git a/build.cfg b/build.cfg index 6526e6e6..fe6375ed 100644 --- a/build.cfg +++ b/build.cfg @@ -113,7 +113,7 @@ COLIBRI_COST_MODE="${COLIBRI_COST_MODE:-smart}" # COLIBRI_STAGE_AGENT=NO stages the daemon without the agent (debug builds). # Pin a tag for reproducible images; the agent has no FreeBSD release, so the # build host compiles it: (cd $ZOT_REPO && git checkout $ZOT_VERSION && -# ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}" && VERSION="${ZOT_BUILD_VERSION#v}" make build) +# ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}" && VERSION="${ZOT_BUILD_VERSION#v}" make build) COLIBRI_STAGE_AGENT="${COLIBRI_STAGE_AGENT:-YES}" # Development-only local fake-agent binary. Auto mode includes it for dev # builds and omits it from release/prod images; override with YES/NO for @@ -125,7 +125,7 @@ if [ "${COLIBRI_STAGE_TEST_AGENT}" = "auto" ]; then *) COLIBRI_STAGE_TEST_AGENT="YES" ;; esac fi -ZOT_VERSION="${ZOT_VERSION:-v0.2.29}" +ZOT_VERSION="${ZOT_VERSION:-v0.2.42}" ZOT_REPO="${ZOT_REPO:-/home/clawdie/ai/zot}" ZOT_ARTIFACT_DIR="${ZOT_ARTIFACT_DIR:-}" # Optional: bake the operator's DeepSeek key into the agent's auth.json (0600). 
diff --git a/docs/LIVE-COLIBRI-REBUILD.md b/docs/LIVE-COLIBRI-REBUILD.md index 9d52a503..75487049 100644 --- a/docs/LIVE-COLIBRI-REBUILD.md +++ b/docs/LIVE-COLIBRI-REBUILD.md @@ -195,8 +195,8 @@ if [ ! -d zot-build/.git ]; then fi cd zot-build git fetch --prune origin -git checkout v0.2.29 # the zot tag this image ships (see build-manifest.json) -ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}" +git checkout v0.2.42 # the zot tag this image ships (see build-manifest.json) +ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}" VERSION="${ZOT_BUILD_VERSION#v}" make build ./bin/zot --version ``` diff --git a/docs/RELEASE-0.11.0-HANDOFF.md b/docs/RELEASE-0.11.0-HANDOFF.md index fc65e85e..ff0fd0a9 100644 --- a/docs/RELEASE-0.11.0-HANDOFF.md +++ b/docs/RELEASE-0.11.0-HANDOFF.md @@ -12,7 +12,7 @@ this build happens on FreeBSD. | clawdie-iso | `7f55770` | v0.11.0 | `ISO_VERSION=0.11.0` | | colibri | `b626082` | v0.11.0 | MIT; 230 tests green; fmt + clippy clean | | clawdie-ai | `393b0c7` | — | clean on forge main | -| zot | `1a24a20` | — | agent (front door); pinned by `ZOT_VERSION` | +| zot | `821f51a` | v0.2.42 | agent (front door); pinned by `ZOT_VERSION` | Locally-runnable gates pass on colibri + clawdie-iso (fmt, `CARGO_CRATES` and agent-jail drift checks, markdown). CI Actions are **dormant** (no runner) — gates diff --git a/docs/RELEASE-BUILD-RUNBOOK.md b/docs/RELEASE-BUILD-RUNBOOK.md index 869ea1b3..2572067f 100644 --- a/docs/RELEASE-BUILD-RUNBOOK.md +++ b/docs/RELEASE-BUILD-RUNBOOK.md @@ -1,6 +1,6 @@ # Release Build Runbook -**Current target:** `0.10.0` ("Operator Image") · **Channel:** `release` +**Current target:** `0.11.0` ("Operator Image") · **Channel:** `release` How to cut a reproducible, publishable operator image from merged sources. This is the `BUILD_CHANNEL=release` path — distinct from the everyday 
@@ -20,11 +20,11 @@ use `BUILD_CHANNEL=dev` and skip the pinning discipline below. commits are then written to `build-manifest.json`, so the image can be rebuilt from that record. - **Own product version.** `ISO_VERSION` is an explicit product number - (`0.10.0`), not a component's. Component versions are provenance, not identity. + (`0.11.0`), not a component's. Component versions are provenance, not identity. - **Fits the stick.** The build aborts before shipping if the live filesystem has less than `IMAGE_MIN_FREE_MB` (default 1024) free. -Output: `tmp/output/clawdie-quindecim-0.10.0.img` (`quindecim` = FreeBSD 15). +Output: `tmp/output/clawdie-quindecim-0.11.0.img` (`quindecim` = FreeBSD 15). --- @@ -68,7 +68,7 @@ Any output from `status --porcelain` (modified _or_ untracked) will fail the release gate. Clean it before continuing — do not `.gitignore` your way past it. > `zot` ships at a pinned tag. Check out the tag you intend to release -> (`ZOT_VERSION`, default `v0.2.29`) so the recorded commit is the tag's commit. +> (`ZOT_VERSION`, default `v0.2.42`) so the recorded commit is the tag's commit. --- @@ -83,10 +83,10 @@ cargo clippy --workspace --all-targets -- -D warnings # zot agent binary (native FreeBSD build) cd ../zot -git checkout v0.2.29 # the release tag -ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}" +git checkout v0.2.42 # the release tag +ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}" VERSION="${ZOT_BUILD_VERSION#v}" make build -./bin/zot --version # expect: zot 0.2.29 +./bin/zot --version # expect: zot 0.2.42 cd ../clawdie-iso ``` 
@@ -115,11 +115,11 @@ ls -l ../colibri/target/release/colibri-daemon \ ```sh cd ../clawdie-iso -sudo env BUILD_CHANNEL=release ISO_VERSION=0.10.0 \ +sudo env BUILD_CHANNEL=release ISO_VERSION=0.11.0 \ ./build.sh --clawdie-ref main ``` -- `ISO_VERSION=0.10.0` — also the `build.cfg` default; an empty/`auto` value +- `ISO_VERSION=0.11.0` — also the `build.cfg` default; an empty/`auto` value fails fast. - `--clawdie-ref main` bundles current `clawdie-ai` main (its commit is recorded as provenance). Use `--clawdie-version X.Y.Z` instead to pin a clawdie-ai tag. @@ -129,13 +129,13 @@ sudo env BUILD_CHANNEL=release ISO_VERSION=0.10.0 \ What you should see, in order: -1. **Banner** — `ISO : 0.10.0-release (zot v0.2.29)`. +1. **Banner** — `ISO : 0.11.0-release (zot v0.2.42)`. 2. **Release gate** — silent on success; on failure it lists each modified repo and exits. (Fix the tree; don't switch to `dev` for a real release.) 3. **Preflight** — confirms the colibri binaries and `zot/bin/zot` exist. 4. **Image space report** — `df`/`du` of the live filesystem, then `Free space OK (… MB, floor 1024 MB)` — or an abort if it won't fit. -5. **Output** — `Done : tmp/output/clawdie-quindecim-0.10.0.img`. +5. **Output** — `Done : tmp/output/clawdie-quindecim-0.11.0.img`. --- @@ -147,7 +147,7 @@ cat tmp/output/build-manifest.json # or USB_SHARE copy Confirm: -- `"iso_version": "0.10.0"`, `"version_scheme": "product"`, +- `"iso_version": "0.11.0"`, `"version_scheme": "product"`, `"build_channel": "release"`. - `zot_commit`, `colibri_commit`, `clawdie_ai_commit`, `iso_repo_commit` are all real SHAs (not `unknown`). 
@@ -184,7 +184,7 @@ If anything fails out of the box, this is not the cut — fix, rebuild, and the Follow `skills/iso-publish/SKILL.md`: compress to `.xz`, write the `.sha256`, and the publish manifest, then `scripts/publish.sh` to the CMS downloads jail. `FLASHING.md` is the operator-facing flashing guide (already references the -`0.10.0` artifact name). +`0.11.0` artifact name). --- @@ -192,7 +192,7 @@ the publish manifest, then `scripts/publish.sh` to the CMS downloads jail. - [ ] All four repos clean (`git status --porcelain` empty) and on the release ref. - [ ] `cargo test --workspace` + `cargo clippy -D warnings` green on colibri. -- [ ] `BUILD_CHANNEL=release ISO_VERSION=0.10.0 ./build.sh` completes; gate passed, +- [ ] `BUILD_CHANNEL=release ISO_VERSION=0.11.0 ./build.sh` completes; gate passed, preflight passed, free-space check passed. - [ ] `build-manifest.json`: channel `release`, all commits real, all `*_modified` `false`. @@ -203,7 +203,7 @@ the publish manifest, then `scripts/publish.sh` to the CMS downloads jail. ## Notes / gotchas -- **Future cuts:** bump `ISO_VERSION` in `build.cfg` (e.g. `0.10.1`, `1.0.0`). +- **Future cuts:** bump `ISO_VERSION` in `build.cfg` (e.g. `0.11.1`, `1.0.0`). Everything else here is unchanged. - **`dev` vs `release`:** `dev` skips the clean-tree gate — fine for proving a change, never for a published artifact. diff --git a/scripts/stage-zot-iso.sh b/scripts/stage-zot-iso.sh index 96126f45..1d45e3cc 100755 --- a/scripts/stage-zot-iso.sh +++ b/scripts/stage-zot-iso.sh @@ -4,7 +4,7 @@ # zot is the agent-harness consolidation target (one static Go binary). It has no # FreeBSD release, so build it on the host first and point ZOT_ARTIFACT_DIR here: # (cd ../zot && git checkout "$ZOT_VERSION" \ -# && ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}" \ +# && ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}" \ # && VERSION="${ZOT_BUILD_VERSION#v}" make build) # # Credentials: zot resolves provider keys as --api-key -> provider env var -> 
@@ -36,7 +36,7 @@ ZOT_HOME="${OP_HOME}/${ZOT_HOME_REL}" if [ ! -x "${BIN_SRC}" ]; then echo "missing executable zot artifact: ${BIN_SRC}" >&2 - echo "hint: (cd \$ZOT_REPO && ZOT_BUILD_VERSION=\"\${ZOT_VERSION:-v0.2.29}\" && VERSION=\"\${ZOT_BUILD_VERSION#v}\" make build)" >&2 + echo "hint: (cd \$ZOT_REPO && ZOT_BUILD_VERSION=\"\${ZOT_VERSION:-v0.2.42}\" && VERSION=\"\${ZOT_BUILD_VERSION#v}\" make build)" >&2 exit 66 fi From ec89eb58bd3881f67ef4723513ac6874b7373609 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Mon, 22 Jun 2026 06:27:38 +0200 Subject: [PATCH 2/3] build: pin zot v0.2.29 -> v0.2.42 Bumps the zot agent tag the image ships, consistently across build.cfg, the preflight hint (build.sh), the staging hint (stage-zot-iso.sh), and the live-rebuild doc. Continues work started by Codex (chore/zot-0.2.42-pin). Co-Authored-By: Claude Opus 4.8 --- build.cfg | 4 ++-- build.sh | 4 ++-- docs/LIVE-COLIBRI-REBUILD.md | 4 ++-- scripts/stage-zot-iso.sh | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/build.cfg b/build.cfg index 6526e6e6..fe6375ed 100644 --- a/build.cfg +++ b/build.cfg @@ -113,7 +113,7 @@ COLIBRI_COST_MODE="${COLIBRI_COST_MODE:-smart}" # COLIBRI_STAGE_AGENT=NO stages the daemon without the agent (debug builds). # Pin a tag for reproducible images; the agent has no FreeBSD release, so the # build host compiles it: (cd $ZOT_REPO && git checkout $ZOT_VERSION && -# ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}" && VERSION="${ZOT_BUILD_VERSION#v}" make build) +# ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}" && VERSION="${ZOT_BUILD_VERSION#v}" make build) COLIBRI_STAGE_AGENT="${COLIBRI_STAGE_AGENT:-YES}" # Development-only local fake-agent binary. Auto mode includes it for dev # builds and omits it from release/prod images; override with YES/NO for 
@@ -125,7 +125,7 @@ if [ "${COLIBRI_STAGE_TEST_AGENT}" = "auto" ]; then *) COLIBRI_STAGE_TEST_AGENT="YES" ;; esac fi -ZOT_VERSION="${ZOT_VERSION:-v0.2.29}" +ZOT_VERSION="${ZOT_VERSION:-v0.2.42}" ZOT_REPO="${ZOT_REPO:-/home/clawdie/ai/zot}" ZOT_ARTIFACT_DIR="${ZOT_ARTIFACT_DIR:-}" # Optional: bake the operator's DeepSeek key into the agent's auth.json (0600). diff --git a/build.sh b/build.sh index 4f7eca92..4ca73db2 100755 --- a/build.sh +++ b/build.sh @@ -378,8 +378,8 @@ preflight_zot_artifacts() { command -v go >/dev/null 2>&1 || \ echo " NOTE: go toolchain not found on this host — install it: pkg install go" echo " The agent has no FreeBSD release — build it first:" - echo " (cd ${_resolved_zot_repo} && git checkout ${ZOT_VERSION:-v0.2.29} && \\" - echo " ZOT_BUILD_VERSION=\"\${ZOT_VERSION:-v0.2.29}\" && VERSION=\"\${ZOT_BUILD_VERSION#v}\" make build)" + echo " (cd ${_resolved_zot_repo} && git checkout ${ZOT_VERSION:-v0.2.42} && \\" + echo " ZOT_BUILD_VERSION=\"\${ZOT_VERSION:-v0.2.42}\" && VERSION=\"\${ZOT_BUILD_VERSION#v}\" make build)" echo " Or set COLIBRI_STAGE_AGENT=NO to skip agent staging." exit 1 fi diff --git a/docs/LIVE-COLIBRI-REBUILD.md b/docs/LIVE-COLIBRI-REBUILD.md index 9d52a503..75487049 100644 --- a/docs/LIVE-COLIBRI-REBUILD.md +++ b/docs/LIVE-COLIBRI-REBUILD.md @@ -195,8 +195,8 @@ if [ ! -d zot-build/.git ]; then fi cd zot-build git fetch --prune origin -git checkout v0.2.29 # the zot tag this image ships (see build-manifest.json) -ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}" +git checkout v0.2.42 # the zot tag this image ships (see build-manifest.json) +ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}" VERSION="${ZOT_BUILD_VERSION#v}" make build ./bin/zot --version ``` diff --git a/scripts/stage-zot-iso.sh b/scripts/stage-zot-iso.sh index 96126f45..1d45e3cc 100755 --- a/scripts/stage-zot-iso.sh +++ b/scripts/stage-zot-iso.sh 
@@ -4,7 +4,7 @@ # zot is the agent-harness consolidation target (one static Go binary). It has no # FreeBSD release, so build it on the host first and point ZOT_ARTIFACT_DIR here: # (cd ../zot && git checkout "$ZOT_VERSION" \ -# && ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}" \ +# && ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}" \ # && VERSION="${ZOT_BUILD_VERSION#v}" make build) # # Credentials: zot resolves provider keys as --api-key -> provider env var -> @@ -36,7 +36,7 @@ ZOT_HOME="${OP_HOME}/${ZOT_HOME_REL}" if [ ! -x "${BIN_SRC}" ]; then echo "missing executable zot artifact: ${BIN_SRC}" >&2 - echo "hint: (cd \$ZOT_REPO && ZOT_BUILD_VERSION=\"\${ZOT_VERSION:-v0.2.29}\" && VERSION=\"\${ZOT_BUILD_VERSION#v}\" make build)" >&2 + echo "hint: (cd \$ZOT_REPO && ZOT_BUILD_VERSION=\"\${ZOT_VERSION:-v0.2.42}\" && VERSION=\"\${ZOT_BUILD_VERSION#v}\" make build)" >&2 exit 66 fi From 67c8b9ee6d233ab4b2f8a407d21fcbaae1484184 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Mon, 22 Jun 2026 06:27:38 +0200 Subject: [PATCH 3/3] docs: sync release runbook to 0.11.0 / zot v0.2.42 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit build.cfg already targets ISO_VERSION 0.11.0; the runbook still said 0.10.0. Scoped to the release-cutting doc only — download-URL docs (FLASHING/README/ TESTING) stay at 0.10.0 until 0.11.0 is actually published, and CHANGELOG history is untouched. Co-Authored-By: Claude Opus 4.8 --- docs/RELEASE-BUILD-RUNBOOK.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/RELEASE-BUILD-RUNBOOK.md b/docs/RELEASE-BUILD-RUNBOOK.md index 869ea1b3..bddc51e9 100644 --- a/docs/RELEASE-BUILD-RUNBOOK.md +++ b/docs/RELEASE-BUILD-RUNBOOK.md 
@@ -1,6 +1,6 @@ # Release Build Runbook -**Current target:** `0.10.0` ("Operator Image") · **Channel:** `release` +**Current target:** `0.11.0` ("Operator Image") · **Channel:** `release` How to cut a reproducible, publishable operator image from merged sources. This is the `BUILD_CHANNEL=release` path — distinct from the everyday @@ -20,11 +20,11 @@ use `BUILD_CHANNEL=dev` and skip the pinning discipline below. commits are then written to `build-manifest.json`, so the image can be rebuilt from that record. - **Own product version.** `ISO_VERSION` is an explicit product number - (`0.10.0`), not a component's. Component versions are provenance, not identity. + (`0.11.0`), not a component's. Component versions are provenance, not identity. - **Fits the stick.** The build aborts before shipping if the live filesystem has less than `IMAGE_MIN_FREE_MB` (default 1024) free. -Output: `tmp/output/clawdie-quindecim-0.10.0.img` (`quindecim` = FreeBSD 15). +Output: `tmp/output/clawdie-quindecim-0.11.0.img` (`quindecim` = FreeBSD 15). --- @@ -68,7 +68,7 @@ Any output from `status --porcelain` (modified _or_ untracked) will fail the release gate. Clean it before continuing — do not `.gitignore` your way past it. > `zot` ships at a pinned tag. Check out the tag you intend to release -> (`ZOT_VERSION`, default `v0.2.29`) so the recorded commit is the tag's commit. +> (`ZOT_VERSION`, default `v0.2.42`) so the recorded commit is the tag's commit. --- @@ -83,10 +83,10 @@ cargo clippy --workspace --all-targets -- -D warnings # zot agent binary (native FreeBSD build) cd ../zot -git checkout v0.2.29 # the release tag -ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}" +git checkout v0.2.42 # the release tag +ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}" VERSION="${ZOT_BUILD_VERSION#v}" make build -./bin/zot --version # expect: zot 0.2.29 +./bin/zot --version # expect: zot 0.2.42 cd ../clawdie-iso ``` 
@@ -115,11 +115,11 @@ ls -l ../colibri/target/release/colibri-daemon \ ```sh cd ../clawdie-iso -sudo env BUILD_CHANNEL=release ISO_VERSION=0.10.0 \ +sudo env BUILD_CHANNEL=release ISO_VERSION=0.11.0 \ ./build.sh --clawdie-ref main ``` -- `ISO_VERSION=0.10.0` — also the `build.cfg` default; an empty/`auto` value +- `ISO_VERSION=0.11.0` — also the `build.cfg` default; an empty/`auto` value fails fast. - `--clawdie-ref main` bundles current `clawdie-ai` main (its commit is recorded as provenance). Use `--clawdie-version X.Y.Z` instead to pin a clawdie-ai tag. @@ -129,13 +129,13 @@ sudo env BUILD_CHANNEL=release ISO_VERSION=0.10.0 \ What you should see, in order: -1. **Banner** — `ISO : 0.10.0-release (zot v0.2.29)`. +1. **Banner** — `ISO : 0.11.0-release (zot v0.2.42)`. 2. **Release gate** — silent on success; on failure it lists each modified repo and exits. (Fix the tree; don't switch to `dev` for a real release.) 3. **Preflight** — confirms the colibri binaries and `zot/bin/zot` exist. 4. **Image space report** — `df`/`du` of the live filesystem, then `Free space OK (… MB, floor 1024 MB)` — or an abort if it won't fit. -5. **Output** — `Done : tmp/output/clawdie-quindecim-0.10.0.img`. +5. **Output** — `Done : tmp/output/clawdie-quindecim-0.11.0.img`. --- @@ -147,7 +147,7 @@ cat tmp/output/build-manifest.json # or USB_SHARE copy Confirm: -- `"iso_version": "0.10.0"`, `"version_scheme": "product"`, +- `"iso_version": "0.11.0"`, `"version_scheme": "product"`, `"build_channel": "release"`. - `zot_commit`, `colibri_commit`, `clawdie_ai_commit`, `iso_repo_commit` are all real SHAs (not `unknown`). 
@@ -184,7 +184,7 @@ If anything fails out of the box, this is not the cut — fix, rebuild, and the Follow `skills/iso-publish/SKILL.md`: compress to `.xz`, write the `.sha256`, and the publish manifest, then `scripts/publish.sh` to the CMS downloads jail. `FLASHING.md` is the operator-facing flashing guide (already references the -`0.10.0` artifact name). +`0.11.0` artifact name). --- @@ -192,7 +192,7 @@ the publish manifest, then `scripts/publish.sh` to the CMS downloads jail. - [ ] All four repos clean (`git status --porcelain` empty) and on the release ref. - [ ] `cargo test --workspace` + `cargo clippy -D warnings` green on colibri. -- [ ] `BUILD_CHANNEL=release ISO_VERSION=0.10.0 ./build.sh` completes; gate passed, +- [ ] `BUILD_CHANNEL=release ISO_VERSION=0.11.0 ./build.sh` completes; gate passed, preflight passed, free-space check passed. - [ ] `build-manifest.json`: channel `release`, all commits real, all `*_modified` `false`.
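Review bot: Patches 2/3 and 3/3 are cut from the same parent as 1/3 instead of being stacked on it, so the series will not apply in order. The index lines for build.cfg (6526e6e6..fe6375ed), docs/LIVE-COLIBRI-REBUILD.md (9d52a503..75487049) and scripts/stage-zot-iso.sh (96126f45..1d45e3cc) are identical in 1/3 and 2/3, and docs/RELEASE-BUILD-RUNBOOK.md starts from 869ea1b3 in both 1/3 and 3/3 but ends at different blobs (2572067f vs bddc51e9). Pick one shape: either drop 1/3 and carry its two changes that appear nowhere else (the zot row in docs/RELEASE-0.11.0-HANDOFF.md and the "Future cuts" example in the runbook's Notes hunk) into 2/3 and 3/3, or keep 1/3, reduce 2/3 to its build.sh hunk, and drop 3/3, whose 14 changed lines are all already in 1/3.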
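Review bot: In the docs/LIVE-COLIBRI-REBUILD.md hunk (@@ -195,8) and the runbook hunk at @@ -83,10, the checkout is hard-coded to `git checkout v0.2.42` while the next line still honours an override via `ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}"`. With ZOT_VERSION exported to any other tag, the binary is built from v0.2.42 source but stamped with the other version, which is the mismatched checkout/binary pair the 1/3 commit message sets out to prevent. Use `git checkout "${ZOT_VERSION:-v0.2.42}"` in both docs, as the build.sh preflight hint in 2/3 already does, so source and version label come from the same value.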
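Review bot: The runbook hunk at @@ -184,7 (present in both 1/3 and 3/3) contradicts the 3/3 commit message. The new text says `FLASHING.md` "already references the `0.11.0` artifact name", but the commit message states that FLASHING/README/TESTING stay at 0.10.0 until 0.11.0 is published. Either leave this line at 0.10.0, or reword it to say FLASHING.md is updated at publish time, so the runbook does not assert something the series deliberately leaves undone.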
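Review bot: The docs/RELEASE-0.11.0-HANDOFF.md hunk in 1/3 records zot as `821f51a` at v0.2.42, but nothing in the series shows that this short SHA is what the tag resolves to, and the Validation list in the commit message covers only format and syntax checks. The runbook text in the same patch requires that "the recorded commit is the tag's commit", so please confirm the row against the tag (for example with git rev-parse on v0.2.42 in the zot checkout) and say so in the commit message. Note also that this row only exists in 1/3, so it is lost if 2/3 and 3/3 are taken instead.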
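Review bot: The build.sh hunk in 2/3 (@@ -378,8) adds two more copies of the literal default, one expanded at echo time (`git checkout ${ZOT_VERSION:-v0.2.42}`) and one escaped (`\${ZOT_VERSION:-v0.2.42}`), on top of the copies in build.cfg and scripts/stage-zot-iso.sh. That 1/3 bumped every other copy and missed this file shows how the duplication drifts. If build.cfg is sourced before preflight_zot_artifacts runs, ZOT_VERSION is already defaulted there, so the hints can print `${ZOT_VERSION}` without a fallback and the next bump is a one-line change in build.cfg. The stage-zot-iso.sh error hint (@@ -36,7) also omits the `git checkout` step that its own header comment includes; adding it keeps the two hints consistent.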