Commit graph

62 commits

Author SHA1 Message Date
a29afa4b14 Merge pull request 'feat(firstboot): force root + operator password on first boot (console gate)' (#139) from force-root-password-on-first-boot into main
Reviewed-on: #139
2026-06-25 07:21:31 +02:00
2fa7825f12 fix(iso): bind colibri_daemon_require_secured=YES to complete the interlock
The rc.conf.sample on the live USB now sets require_secured=YES.
Together with the paired colibri change, this ensures the daemon
disables autospawn until the console gate writes .secured.
2026-06-25 07:05:16 +02:00
85ac1ceec5 fix(seed): close three OOTB gaps before merge
A. ZOT_VERSION drift: build.cfg defaulted to v0.2.42 while build.sh
   preflight hint said v0.2.47. Now both default to v0.2.47.

B. AGENTS.md hw-probe phrasing: told zot to run clawdie-hw-probe,
   but the daemon already collects it into CLAWDIE_HW_PROFILE at
   autospawn time. zot should read the env var, not shell out.

C. RPC_PROMPT missing: COLIBRI_AUTOSPAWN=YES starts zot in RPC mode,
   but without RPC_PROMPT, zot blocks on stdin and idles. Added
   a prompt telling zot to read CLAWDIE_HW_PROFILE, call node_register
   on mother, and report its assigned capabilities.
2026-06-25 04:38:06 +02:00
14dd2baa98 fix(iso): remove remaining real IPs, add -F robustness, prettier format, known_hosts note 2026-06-24 11:25:18 +02:00
dee76991de fix(iso): remove real IPs from image, install mother key for daemon user, de-obfuscate docs
Three blockers fixed from review of fix/ootb-mother-mcp:

1. Real Tailscale IP removed from image/repo.
   - external-mcp.json uses "mother" host alias (resolved by SSH config).
   - Key path: /var/db/colibri/.ssh/mother-mcp (daemon user home).
   - The real IP lives only on the offline seed (ssh/config), never in
     the repo or the shipped image.

2. Cross-user key access fixed.
   - The daemon runs as colibri (home /var/db/colibri), not clawdie.
   - Seed importer now installs SSH material to both clawdie AND
     colibri homes (same seed material, same key, separate ~/.ssh).
   - build.sh dev convenience also copies to both homes.
   - clawdie-live-seed.README.txt already documents the seed layout.

3. Doc fully de-obfuscated.
   - All m0th3r/c0l1br1/n0d3_r3g1st3r → mother/colibri/node_register.
   - All real IPs → <mother-tailscale-ip> placeholder.
   - Removed Step 2 (manual external MCP) + Step 3 (register) — both
     are now baked into the ISO.
   - Removed trailing "colibri-mcp" remote command from examples
     (hardened wrapper rejects non-allowlisted commands).
2026-06-24 11:19:21 +02:00
3fd3bc7560 fix(iso): pre-configure mother MCP OOTB + fix docs
Two changes so the USB connects to mother on first boot with no manual steps:

1. stage-colibri-iso.sh: external-mcp.json is now pre-configured with the
   mother server entry (colibri@100.72.229.63, no remote command — the
   hardened wrapper starts colibri-mcp in stdio MCP mode). Previously
   staged as empty {}; the operator had to create it manually or run
   clawdie-enable-mother.

2. provider.env now includes COLIBRI_MCP_EXTERNAL_CALL=1 by default
   (already set on osa; missing from the ISO defaults).

3. SETUP-USB-TO-MOTHER.md: removed Step 3 (manual external-mcp.json),
   fixed the diagram to match the hardened wrapper (no remote command),
   corrected the server name from "m0th3r"/"c0l1br1" to the real names.

The SSH key, config, and known_hosts still come from the CLAWDIESEED
seed partition — the image carries no secrets. Without the seed the
connection fails gracefully.
2026-06-24 11:04:36 +02:00
fdbd6b152f build: track Pi @latest, record resolved version in build-manifest
The image shipped a hard pin (@earendil-works/pi-coding-agent@0.78.0) while
'pi upgrade' on hosts had moved to 0.80.2, so builds lagged. Switch Pi to the
@latest dist-tag so every image bundles the newest Pi.

To keep the floating spec traceable, record the version that actually got
fetched in build-manifest.json as pi_version, derived from the bundled tarball
name (earendil-works-pi-coding-agent-<version>.tgz) after fetch+install.
fetch-npm-globals.sh now also echoes the resolved tarball so the build log
shows the version a dist-tag resolved to.

Other globals (bw) stay pinned. Image is node24, compatible with current Pi
(the legacy-node20 dist-tag is for node20 only).

Verified: fetch resolves @latest → 0.80.2; version extraction matches npm.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 01:59:29 +02:00
6275fee97e docs: harness-neutral cleanup + restore green markdown gate
Pi-era residue in current-tense docs/strings (CHANGELOG history left intact):
- ONBOARDING-SIMPLIFICATION: COLIBRI_AUTOSPAWN_PI -> COLIBRI_AUTOSPAWN; 'Pi
  agent' -> 'agent'.
- clawdie-join-hive.sh: user-facing 'Pi agent is live' / 'no Pi agent' ->
  harness-neutral (default agent is now zot).
- clawdie-live-seed.README.txt: COLIBRI_AUTOSPAWN_PI -> COLIBRI_AUTOSPAWN.
- stage-colibri-iso.sh provider.env.sample: the AUTOSPAWN_ARGS example showed
  '--mode json' (invalid for the zot default); note the default is
  harness-derived (zot -> rpc, pi -> --mode json).

Also restore the markdown format gate: 5 docs from the 0.12.0 work were
prettier-dirty, so ./scripts/check-format.sh was already failing on main (the
gate was red and unenforced — same pattern as the colibri build break).
prettier --write brings them to style; gate is green again. No prose changes
in those 5 — formatting only.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 18:08:58 +02:00
cc5ced46d4 refactor: rename COLIBRI_AUTOSPAWN_PI → COLIBRI_AUTOSPAWN
Harness-neutral naming (the "PI" was historical — zot is now default):
- COLIBRI_AUTOSPAWN_PI    → COLIBRI_AUTOSPAWN
- COLIBRI_PI_BINARY       → COLIBRI_AUTOSPAWN_BINARY
- COLIBRI_AUTOSPAWN_PI_ARGS → COLIBRI_AUTOSPAWN_ARGS

Default binary: zot (deepseek-v4-pro, ~25 providers, Telegram bot).
2026-06-23 11:13:47 +02:00
76f82565e3 feat: hermes-bsd source snapshot + zot harness + telegram token
- Stage hermes-bsd as shallow clone in /home/clawdie/ai/ (next to colibri/zot)
- Switch default harness from pi to zot (COLIBRI_PI_BINARY=zot)
- Add TELEGRAM_BOT_TOKEN placeholder to provider.env and sample
- Removes stale zot-rpc-driver blocker comment (colibri#143 resolved)
2026-06-23 11:07:54 +02:00
7300fec1e2 0.12.0: hw-probe + model fixes + mother MCP infra
Combined from three feature branches:
- feature/hw-probe-agent-bootstrap: JSON hardware probe (clawdie-hw-probe),
  remove desktop icon, update START-HERE.txt
- chore/0.12.0-model-fix-bump: deepseek-v4-pro model names, version 0.12.0
- feature/mother-mcp-infra: build-colibri.sh MCP tool, colibri-mcp-ssh wrapper
2026-06-23 10:49:38 +02:00
2af8a65cae chore(zot): pin operator image to zot v0.2.42 (Sam & Pi)
Update the ISO default Zot pin and build docs from v0.2.29 to v0.2.42 so the next image stages the current rebuilt FreeBSD zot binary instead of recording a mismatched checkout/binary pair. Also refresh the release runbook's 0.11.0 examples.

Validation: ./scripts/check-format.sh; sh -n build.sh scripts/stage-zot-iso.sh; BUILD_CHANNEL=dev build.cfg default check; git diff --check.
2026-06-22 06:08:42 +02:00
871b04ed7a docs(stage): cite colibri#143 in the zot autospawn guardrail
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 22:31:19 +02:00
eb919a435f docs(stage): guardrail comment — zot needs rpc driver before autospawn
The spawner uses stdin(Stdio::null()); zot's --json and rpc modes
both require input. Pi's --mode json is autonomous. Document the
blocker inline so nobody tries the pi→zot config flip without the
driver. Ref: colibri issue zot-rpc-driver + ADR-agent-harness-consolidation.md.
2026-06-21 22:28:41 +02:00
a788d99967 feat(iso): wire Colibri OOTB defaults + opt-in Mother MCP link
Workstream C of the next ISO rebuild.

C1 — Auto-spawn lit up out of the box:
  provider.env now ships COLIBRI_AUTOSPAWN_PI="YES", so colibri#137 fires on
  the booted image once a DeepSeek key is present (pulled by Join Hive, A).

C2 — External MCP registry staged:
  /usr/local/etc/colibri/external-mcp.json shipped as {"servers":{}} at the
  path colibri-mcp reads by default. Empty = mother off by default.

C3 — Opt-in "Enable Mother Link" (clawdie-enable-mother + desktop entry):
  Direction is "our Pi calls mother's tools" — colibri-mcp dials OUT to mother
  over SSH-stdio and proxies mother's tools to the Pi via its external-call
  path. The toggle:
   - provisions an SSH identity for the colibri service account
     (/var/db/colibri/.ssh — the daemon and its Pi run as `colibri`),
   - writes the mother entry into external-mcp.json (ssh -i <key> ... mother),
   - upserts COLIBRI_MCP_EXTERNAL_CALL=1 into provider.env,
   - restarts the daemon and prints colibri's pubkey to authorize on mother.

provider.env.sample documents the new toggles. sh -n clean on all scripts;
the empty default and the emitted mother entry validate as JSON and match the
ExternalMcpRegistry {servers:{command,args,env}} shape.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 18:53:41 +02:00
14248b6a20 feat(colibri): gate test-agent staging by build mode (Sam & Pi)
Add COLIBRI_STAGE_TEST_AGENT with dev/release defaults so validation builds can include colibri-test-agent while production/release operator USB images omit it by default. Keep poudriere guidance test-friendly and document binary roles in BUILD.md.

Validation: sh -n build.sh scripts/stage-colibri-iso.sh live/operator-session/colibri-live-rebuild; ./scripts/check-format.sh; ./scripts/test-release-gate.sh; build.cfg default/override checks.
2026-06-21 07:55:24 +02:00
Sam & Claude
d9a469a418 cleanup: retire duplicate Colibri port; colibri repo owns it
The canonical Colibri FreeBSD port lives in the colibri repo
(packaging/freebsd/port/sysutils/colibri), kept with the code it builds and
guarded by a CARGO_CRATES drift check in colibri CI. The copy here was a
divergent duplicate (wrong LICENSE=MIT vs AGPLv3, CARGO_BUILD=no skeleton that
could not build, different binary set) that the drift check could not protect.

- delete ports/sysutils/colibri/ (no longer maintained here)
- build.sh release gate: fail if ports/sysutils/colibri/ reappears, pointing at
  the canonical location — keeps the cleanup structural, not just one-time
- docs/POUDRIERE-BUILD-SERVER.md + scripts/poudriere/README.md: state colibri
  owns the port, copy it into the ports tree, this repo keeps no duplicate

Validation: build.sh sh -n clean; release-gate self-test passes; guard fires on
a reintroduced dir; markdown gate clean. Nothing references the deleted path.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 21:37:47 +02:00
65015b0c70 cleanup(tmp): remove Clawdie-owned host tmp paths (Sam & Pi)
Broaden prebuild cleanup by documenting project-local tmp policy, syncing the hardened wallpaper/join-hive helpers, moving vault/no-blank scratch under runtime/cache dirs, and keeping release-gate scratch under repo tmp.

Validation: ./scripts/check-format.sh; sh -n build.sh live/operator-session/clawdie-join-hive.sh live/operator-session/clawdie-wallpaper-gen.sh live/operator-session/clawdie-vault-fetch live/operator-session/clawdie-noblank-guard.sh scripts/test-release-gate.sh; ./scripts/test-release-gate.sh; clawdie-wallpaper-gen output test under repo tmp.
2026-06-20 21:07:05 +02:00
Sam & Claude
2dac2d108d feat(poudriere): lean scripts for first-party pkg.clawdie.si build server
Turns the manual Phase 2–3 runbook (docs/POUDRIERE-BUILD-SERVER.md) into
repeatable, idempotent steps for the mother-build host — the package half of
the trusted supply chain (layered-soul HIVE-ONBOARDING §10).

- poudriere-setup.sh: verify-then-act setup. Validates root, FreeBSD version
  format, pkg/openssl, and that the ZFS pool exists BEFORE acting; then installs
  poudriere, generates the repo signing key (0400), writes poudriere.conf (only
  if absent), and creates the build jail + ports tree. Re-running skips anything
  already present.
- poudriere-build.sh: validates jail, ports tree, and each origin (category/name
  + Makefile present) before `poudriere bulk`; repo is signed automatically via
  PKG_REPO_SIGNING_KEY.
- clawdie-repo.conf.in: client repo template (signature_type pubkey) + the
  first-party-only priority note.
- README.md: the three-step flow and conventions.

Style matches live/operator-session/hw-report: POSIX sh, set -u, fixed PATH,
strict arg parsing, minimal checks (only what is acted upon). Host provisioning
(ZFS/base/network) stays in the runbook — these assume a FreeBSD host with a
pool. sh -n clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 17:22:28 +02:00
e70ea171b3 fix(vault): bake Vaultwarden endpoint defaults into ISO (Sam & Pi)
Stage a non-secret /usr/local/etc/colibri/provider.env with the Clawdie Vaultwarden endpoint so operators only add BW bootstrap credentials. Also teach clawdie-vault-fetch to honor BW_SERVER and fail closed if an existing bw login points at a different server.

Checks: sh -n live/operator-session/clawdie-vault-fetch scripts/stage-colibri-iso.sh; ./scripts/check-format.sh; git diff --check; COLIBRI_REPO=/home/clawdie/ai/colibri scripts/stage-colibri-iso.sh <tmp>
2026-06-20 07:27:51 +02:00
e2e74e8418 build(iso): upgrade FreeBSD Python 3.11 -> 3.12
Standardize the ISO on the agreed Python 3.12 floor (operator + Hermes +
Claude consensus; see layered-soul/docs/TOOLCHAIN.md).

- pkg lists: python311->python312, py311-{pip,aider_chat,pillow}->py312-*
- build.sh: derive the installed python3.N for the python3/python symlink so a
  future bump needs only a pkg-list change, never an edit here
- shell-deploy.sh: create the Aider venv with 'python3 -m venv' (resolves via
  the symlink) instead of a hardcoded python3.11
- import-clawdie-skills.sh: python3 fallback instead of python3.11
- BUILD.md: doc references

Aider kept (bumped, not dropped): redundant coding tooling is intentional per
the agent matrix.

Pre-merge gate: confirm FreeBSD pkg coverage on osa —
  pkg search '^py312-aider_chat' '^py312-pygobject'
(common modules pillow/pip are safe).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 14:38:20 +02:00
54f9fb4a0b docs(iso): clean builder handoff terminology (Sam & Codex)
Replace stale colibri-smoke-agent references with colibri-test-agent, mark colibri-tui optional/desirable, update image-name comments, and avoid smoke wording in current build handoff docs.

Checks: sh -n build.sh; sh -n scripts/test-release-gate.sh; ./scripts/check-format.sh; git diff --check.
2026-06-15 18:50:16 +02:00
f87dc1d38f docs(iso): build zot with release version (Sam & Codex)
Use zot's Makefile VERSION hook in release/live rebuild instructions and preflight hints so the staged binary reports 0.2.29 instead of the local-build 0.0.0 default.

Checks: sh -n build.sh; sh -n scripts/stage-zot-iso.sh; sh -n scripts/stage-colibri-iso.sh; ./scripts/check-format.sh; git diff --check; stage-zot-iso dummy-artifact smoke; VERSION=0.2.29 make build in zot produced 'zot 0.2.29'.
2026-06-15 18:31:10 +02:00
Sam & Claude
b959b64d21 chore(iso): rename provenance "dirty" → "modified" (Sam & Claude)
Drop the "dirty" terminology in favor of "modified" (same boolean sense:
true = working tree has uncommitted or untracked changes). Pure rename — no
logic change. Safe now: nothing consumes these keys yet (checked colibri too).

- build-manifest.json keys: zot_dirty/colibri_dirty/iso_repo_dirty
  → zot_modified/colibri_modified/iso_repo_modified
- .clawdie-source.json: dirty_at_build → modified_at_build
- iso-publish manifest (write-artifact-manifest.sh): repo_dirty → repo_modified
- gate messages, comments, shell vars, and docs (BUILD/CHANGELOG/ISO-MANIFESTS/
  PLAN) reworded.

Checks: sh -n on all three scripts; release-gate smoke test PASS; prettier clean
on changed docs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 17:06:17 +02:00
Sam & Claude
42ec7b5ab1 fix(build): repair + harden the release gate (Sam & Claude)
Codex's release gate (96fc1d3) had the right idea but two issues that the
verified gates (sh -n / prettier / git diff) structurally could not catch,
because none exercise the BUILD_CHANNEL=release path:

1. Blocker: check_release_gate was *called* at line ~105 but *defined* (and its
   resolve_* dependencies defined) far below. In POSIX sh that's a call before
   definition — with `set -e`, a release build aborted at exit 127
   ("check_release_gate: not found") before the gate ran. Moved the invocation
   into the preflight section, after all helpers are defined.

2. Unsatisfiable + asymmetric: the gate required clawdie-ai to be on a vX.Y.Z
   tag, but clawdie-ai has no v-tag and is being pruned — so release was
   impossible. Replaced with reproducibility-by-record: every staged source
   (clawdie-iso, clawdie-ai, colibri, zot) must be a clean, committed tree; the
   manifest's recorded commits then fully describe the artifact. A recorded SHA
   is as pinned as a tag. Dropped the tag requirement.

Also:
- "clean" now uses `git status --porcelain`, so untracked files (which a
  diff-only check misses but which still change the build) fail the gate.
- Factored the repeated resolve+dirty boilerplate into assert_clean_repo.
- New scripts/test-release-gate.sh smoke test: asserts the porcelain semantics
  and that the gate is invoked after its definition (guards the exit-127
  regression). A 5-line test that the three "verified gates" could not provide.

Checks: sh -n build.sh; sh -n + run scripts/test-release-gate.sh (PASS);
git diff --check.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 16:56:55 +02:00
d9ade004f6 fix(iso): align live rebuild staging with rc.d audit (Sam & Codex)
Accept the PR #75 colibri_daemon rc.d contract, write colibri_daemon_cost_mode, and update the live rebuild doc now that /home/clawdie/ai sources are shallow git checkouts.

Checks: sh -n build.sh; sh -n scripts/stage-colibri-iso.sh; ./scripts/check-format.sh; git diff --check; scripts/stage-colibri-iso.sh dummy-artifact smoke against Colibri PR #75 rc.d.
2026-06-15 09:10:52 +02:00
c45360864a feat(iso): stage colibri test agent and provider key help (Sam & Codex)
Switch ISO staging/docs from colibri-smoke-agent to colibri-test-agent, include rust/pkgconf for live Colibri rebuilds, stage provider.env.sample, wire the provider env rc.conf path, and document LLM key setup on the Firefox bootstrap page.

Checks: npx --yes prettier@3 --check docs/LIVE-COLIBRI-REBUILD.md live/operator-session/bootstrap.html BUILD.md TESTING.md README.md; sh -n scripts/stage-colibri-iso.sh; sh -n build.sh; fake Colibri staging + sh -n staged rc.d script; git diff --check.
2026-06-15 07:49:43 +02:00
1f8e1f0614 docs: remove legacy rc wording from staging checks (Sam & Codex)
Keep staging validation focused on the current rc.d contract and avoid legacy variable references in the live rebuild lane branch.

Checks: sh -n scripts/stage-colibri-iso.sh; fake Colibri staging + sh -n staged rc.d script; git diff --check.
2026-06-14 23:25:22 +02:00
e5aceb4756 docs: keep live rebuild lane action-focused (Sam & Codex)
Remove historical fix-it wording from the live rebuild runbook and make ISO staging validate the corrected Colibri rc.d contract directly instead of rewriting older variants.

Checks: npx --yes prettier@3 --check docs/LIVE-COLIBRI-REBUILD.md; sh -n scripts/stage-colibri-iso.sh; fake Colibri staging + sh -n staged rc.d script; git diff --check.
2026-06-14 23:24:41 +02:00
db7d8fe3f9 fix(iso): accept corrected colibri rc source (Sam & Codex)
Keep ISO staging compatible with Colibri rc.d sources that already use colibri_daemon_binary and include pid/socket chmods. This lets the source rc.d file be copied directly for live USB repair while preserving compatibility with older Colibri sources.

Checks: sh -n scripts/stage-colibri-iso.sh; fake staging against old and corrected Colibri rc sources; sh -n staged rc.d scripts; git diff --check.
2026-06-14 22:09:54 +02:00
9a5bfced83 Merge pull request 'fix(iso): avoid corrupting staged colibri rc script (Sam & Codex)' (#49) from fix/colibri-rc-sed-corruption into main
Reviewed-on: #49
2026-06-14 21:48:40 +02:00
04fe519814 fix(iso): avoid corrupting staged colibri rc script (Sam & Codex)
Replace fragile BSD sed append usage with awk when adding poststart chmods to the staged colibri_daemon rc.d script. The previous sed form appended the socket chmod after every line, corrupting the live USB service script.

Checks: sh -n scripts/stage-colibri-iso.sh; fake COLIBRI_ARTIFACT_DIR staging; sh -n staged usr/local/etc/rc.d/colibri_daemon; git diff --check.
2026-06-14 21:45:08 +02:00
Sam & Claude
f3f47c8cdd docs/skills: switch published image + flashing from .gz to .xz
Smaller downloads that Rufus/balenaEtcher/RPi-Imager still read directly (zstd
would break Windows flashers). Switches the image artifact, flashing commands
(xz -dc | dd, xz -t, unxz), publish flow (xz -T0 -c), the artifact-manifest
script, and all skills + docs to .img.xz. Adds a Windows (Rufus/Etcher) flashing
section + README pointer. Source tarballs (clawdie-ai *.tar.gz) unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-14 12:04:56 +02:00
368e663965 Stage colibri-mcp in operator USB by default (Sam & Codex)
Makes colibri-mcp a required Colibri artifact for the live operator USB, copies it into the image, documents the read-only default and explicit trusted COLIBRI_MCP_WRITE profile, and updates ISO build handoff docs.

Checks: ./scripts/check-format.sh; sh -n build.sh scripts/stage-colibri-iso.sh; git diff --check
2026-06-13 19:29:31 +02:00
0e6d8cbe53 Drop unresolved Clawdie service staging from USB (Sam & Codex)
Keeps service clawdie as a deployed-system contract only, removes the old mini-binary FEATURE_CLAWDIE staging lane from the ISO build, and adds explicit Linux-vs-FreeBSD proof boundaries for provider/runtime claims.

Checks: ./scripts/check-format.sh; git diff --check; sh -n over scripts/ firstboot/ live/operator-session/ executables
2026-06-13 12:12:34 +02:00
6d0290d07e Clarify Colibri live and Clawdie deploy service split (Sam & Codex)
Removes stale Herdr references, reserves service clawdie for deployed disk/server targets, and keeps the live USB on colibri_daemon. Drops the baseline live rc.d/clawdie wrapper so the mounted-image contract matches the docs.

Checks: ./scripts/check-format.sh; git diff --check; sh -n over scripts/ firstboot/ live/operator-session/ executables
2026-06-13 12:00:57 +02:00
Sam & Claude
7704fae717 feat(iso): stage zot agent (pinned) + populate ZOT_HOME/auth.json (Sam & Claude)
First concrete step of the zot consolidation (colibri ADR). Opt-in FEATURE_ZOT
(default NO; Pi stays default during migration).

- build.cfg: FEATURE_ZOT, ZOT_VERSION (pinned v0.2.29), ZOT_REPO,
  ZOT_ARTIFACT_DIR, ZOT_DEEPSEEK_KEY (optional bake).
- scripts/stage-zot-iso.sh: install the prebuilt zot binary -> /usr/local/bin/zot;
  populate the operator's $ZOT_HOME (~/.local/state/zot) with auth.json
  ({"deepseek":{"api_key":...}}, 0600) when a key is given, else an
  auth.json.sample template + README (telegram via `zot telegram-bot setup`).
- build.sh: status line, resolve_zot_paths, preflight_zot_artifacts (errors with
  the GOOS=freebsd go-build hint — zot has no FreeBSD release), install_zot_agent
  (+ chown operator state), wired into preflight + install sequences.

zot is built on the FreeBSD host from the pinned tag:
  (cd $ZOT_REPO && git checkout v0.2.29 && GOOS=freebsd GOARCH=amd64 \
     go build -trimpath -o bin/zot ./cmd/zot)

sh -n clean; staging smoke-tested (binary staged, auth.json 0600 valid).
Credentials use zot's own resolution (--api-key -> env -> auth.json), replacing
baked-into-binary keys. Default build unchanged (FEATURE_ZOT=NO).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-13 10:33:37 +02:00
Sam & Claude
667ebdc210 fix(bhyve): EU display dates (DD.mmm.YYYY) per AGENTS date rule (Sam & Claude)
User-facing timestamps in run-bhyve-test.sh used the ambiguous numeric form
%Y-%m-%d. Switch to European display (date +%d.%b.%Y %H:%M:%S). Log filename
keeps sortable ISO 8601 basic (machine artifact, per the rule's internal-storage
exemption).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-05 12:05:32 +02:00
Sam & Claude
58443b0f8c feat(bhyve): QA gate in run-bhyve-test.sh — assert clean boot, fail on regressions (Sam & Claude)
bhyve-test.sh captures the guest serial console; this adds a QA gate over that
log so the harness can be used as a build gate (appliance runbook §3):

- CRITICAL (gate the exit): no kernel panic, no reboot loop, boot reached
  login/sddm, and no "permission denied" (regression guard for the colibri
  socket EACCES we just fixed).
- INFO (best-effort console markers): colibri socket ready, no store-open panic,
  clawdie-live-gpu ran.
- Prints the deeper in-guest checklist (socket mode, glasspane query, GPU
  branch) that lives in guest logs, not the console.

Exit is non-zero if the boot harness failed OR any critical assert failed.
Also pass-through args to bhyve-test.sh (ISO path / --name).

sh -n clean; gate logic unit-tested (clean boot → pass/exit0; panic+EACCES+no-login
→ fail). INFO/CRITICAL patterns should be confirmed against a real boot console
on first run.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-05 11:45:58 +02:00
7ba92ed116 Standardize ISO build checkouts under /home/clawdie/ai (Sam & Codex) 2026-06-05 00:39:37 +02:00
e3b2a5fdcd Merge pull request 'Fix colibri CLI for clawdie user' (#26) from fix/colibri-cli-clawdie-access into main 2026-06-04 20:04:23 +02:00
24b86ea106 Merge pull request 'Import clawdie-ai skills into colibri catalog at build time' (#20) from fix/import-clawdie-skills into main 2026-06-04 20:04:23 +02:00
ee79110250 Merge pull request 'Enable DeepSeek cache warming + HTTP/2 compression' (#17) from fix/deepseek-cache-warming-http2 into main 2026-06-04 20:04:23 +02:00
3bc802bc66 Merge pull request 'Fix colibri daemon rc.d — 4 bugs resolved (v0.9.1)' (#16) from fix/colibri-rc-d-bugs into main 2026-06-04 20:04:23 +02:00
5faeae821c Merge pull request 'fix(clawdie): pin clawdie_db_path in staged rc.conf for visibility' (#8) from fix/clawdie-db-path-rcconf into main 2026-06-04 20:04:23 +02:00
a0884351ee Merge pull request 'feat: stage the simplified clawdie agent into the ISO (Sam & Claude)' (#5) from feat/clawdie-staging-onto-live-boot into main
Reviewed-on: #5
2026-06-04 20:04:23 +02:00
8febb8e506 Merge pull request 'pi/main-live-boot-xfce-colibri-fixes' (#4) from pi/main-live-boot-xfce-colibri-fixes into main
Simplifying Clawdie service
2026-06-04 20:04:23 +02:00
949ddbdeca Merge xfce-operator-usb: Colibri ISO staging (Sam & Claude)
# Conflicts:
#	AGENTS.md
2026-06-04 20:04:23 +02:00
b163cf1014 Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness 2026-06-04 20:04:23 +02:00
b03e740fb7 Pin ISO npm global CLI versions
Use packages/npm-globals.txt as the source of truth for offline npm CLI tarballs, update Pi to 0.75.5, and keep Claude Code out of the XFCE USB path.

---

Build: not run — ISO build not requested

Tests: pass — sh -n fetch-npm-globals and shell-npm-globals; pinned npm pack smoke passed
2026-06-04 20:04:23 +02:00