- shell-system.sh (runs last, step 6): rewrite .profile with agent launcher,
  full .bashrc with sudo() shell function that fire-and-forget snapshots
  zroot@cli-<ts> before mdo -u root. PATH, prompt, history, aliases (ll/la/lt).
  Agent fallback for non-login shells via ~/.ssh-agent-env.
- shell-ssh.sh (step 4): strip to ~/.ssh/config only. Agent/profile/tmux
  seeding moved to shell-system.sh so it is not overwritten.
- AGENTS.md: document sudo→mdo decision with rationale table (ISO size,
  audit surface, single privilege path, ZFS rollback safety).
- Tier 1: seed ~/.profile with eval $(ssh-agent -s) launcher (FreeBSD,
  no systemd). AddKeysToAgent alone does not start an agent; without a
  launcher headless/SSH-in shells still get "Could not open connection".
- Tier 3: drop set-option -g update-environment from tmux.conf seed.
  tmux default already includes SSH_AUTH_SOCK + DISPLAY/XAUTHORITY.
  set -g replaces the entire list, breaking X11 GUI apps on XFCE.
- Remove .graphifyignore per project policy (graph artifacts not
  committed, tool not integrated into ISO repo).
shell-ssh.sh now seeds ~/.ssh/config (AddKeysToAgent yes) and
~/.tmux.conf (SSH_AUTH_SOCK persistence) after SSH key install.
Idempotent — appends to existing configs if already present.
Fixes agent-dead-after-tmux-restart for every fresh Clawdie install.
- Create new shell-ssh.sh module for SSH key installation and password setup
  * Install SSH public keys to authorized_keys (root + clawdie)
  * Configure sshd: disable password auth if key provided, enable if not
  * Set system user passwords (auto-generate or use provided)
  * Save emergency root password to root/.firstboot-emergency-password
- Restore shell-system.sh (was accidentally overwritten during rename)
Enables secure SSH-key-first access with password fallback.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
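
An added example, not part of these commits or of the project's scripts: one way to seed the ~/.profile agent launcher with the ~/.ssh-agent-env fallback named in the shell-system.sh and Tier 1 entries, so that re-running the seeding step does not duplicate the block. The function name `seed_agent_launcher`, the marker comment and the launcher body are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (assumed names): idempotent seeding of an ssh-agent launcher.

# Marker used to detect an earlier seeding run (hypothetical text).
MARK='# >>> ssh-agent launcher (example) >>>'

# seed_agent_launcher FILE: append the launcher block once; no-op on re-run.
seed_agent_launcher() {
    profile=$1
    # Already seeded: leave the user's file untouched.
    if [ -f "$profile" ] && grep -qF "$MARK" "$profile"; then
        return 0
    fi
    # Quoted heredoc: nothing expands at seed time, only when the profile runs.
    cat >>"$profile" <<'EOF'
# >>> ssh-agent launcher (example) >>>
env_file="$HOME/.ssh-agent-env"
# Pick up a previously recorded agent, if any.
[ -r "$env_file" ] && . "$env_file" >/dev/null
# ssh-add -l exits 2 only when no agent can be contacted.
rc=0; ssh-add -l >/dev/null 2>&1 || rc=$?
if [ "$rc" -eq 2 ]; then
    # Start a new agent and record its socket; keep the file private (0600),
    # since it is sourced by every later shell.
    (umask 077; ssh-agent -s | grep -v '^echo' >"$env_file")
    chmod 600 "$env_file"
    . "$env_file" >/dev/null
fi
# <<< ssh-agent launcher (example) <<<
EOF
}
```

Non-login shells can source the same ~/.ssh-agent-env file to find the agent that the login shell started.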