Commit graph

3 commits

Author SHA1 Message Date
3a2228a6b7 feat(enable-mother): publish colibri pubkey to Vaultwarden for hive auth
Vault-mediated key exchange (direction B — we call mother). After ensuring the
colibri SSH identity, enable-mother now upserts the pubkey into Vaultwarden as
`hive-pubkey-<hostname>` (via bw, run as root so it can read the BW_* bootstrap
creds from provider.env). Mother's mother-sync-hive-keys rebuilds its
authorized_keys from these items, so no operator copy-paste between machines.

The printed pubkey + restricted command= line remain as a manual fallback when
the vault publish is unavailable. Uses the bitwarden-cli-vault skill's
session+upsert pattern. sh -n clean; embedded JSON/id-extraction tested.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 20:18:27 +02:00
c49fe82ea8 feat(enable-mother): jq-merge the mother entry instead of overwriting
Track C's enable-mother overwrote external-mcp.json with a single mother
server. Use jq to merge the mother entry into the existing registry so other
configured servers are preserved, written atomically (mktemp in same dir + mv).
This is the concrete consumer that makes jq a real dependency of the MCP path;
fails loudly if jq is absent.

(Re-applied: the original commit was lost to a branch-recreation race when #97
merged at the packages-only commit.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 19:30:40 +02:00
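An added example (not the project's enable-mother script) of the merge step this commit describes: a POSIX sh function that jq-merges the mother entry into an existing external-mcp.json, writes it atomically via mktemp in the same directory plus mv, and fails loudly when jq is absent. The registry path, the key path, the entry values and the 0644 file mode are assumptions.

```shell
#!/bin/sh
# Example only, not the project's own code. Entry shape follows the
# ExternalMcpRegistry form {"servers":{name:{command,args,env}}}.
merge_mother_entry() {
  registry="$1"   # path to external-mcp.json (assumed)
  key="$2"        # SSH identity used to dial out to mother (assumed path)
  host="$3"       # mother's hostname

  # Fail loudly instead of silently skipping the merge when jq is missing.
  if ! command -v jq >/dev/null 2>&1; then
    echo "enable-mother: jq is required but not installed" >&2
    return 1
  fi

  # Start from the empty default if the registry has not been staged yet.
  [ -f "$registry" ] || printf '{"servers":{}}\n' > "$registry"

  # Temp file in the same directory so the final mv is an atomic rename.
  tmp=$(mktemp "$(dirname "$registry")/.external-mcp.XXXXXX") || return 1

  # Merge: only .servers.mother is replaced; other configured servers survive.
  # Validate the output before it replaces the live file.
  jq --arg key "$key" --arg host "$host" \
     '.servers.mother = {command:"ssh", args:["-i",$key,$host], env:{}}' \
     "$registry" > "$tmp" && jq -e '.servers' "$tmp" >/dev/null \
     || { rm -f "$tmp"; echo "enable-mother: merge failed" >&2; return 1; }

  # mktemp creates the file 0600; restore a readable mode (assumed 0644) so
  # the colibri service account can still read the registry after the rename.
  chmod 0644 "$tmp" && mv "$tmp" "$registry"
}
```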
a788d99967 feat(iso): wire Colibri OOTB defaults + opt-in Mother MCP link
Workstream C of the next ISO rebuild.

C1 — Auto-spawn lit up out of the box:
  provider.env now ships COLIBRI_AUTOSPAWN_PI="YES", so colibri#137 fires on
  the booted image once a DeepSeek key is present (pulled by Join Hive, A).

C2 — External MCP registry staged:
  /usr/local/etc/colibri/external-mcp.json shipped as {"servers":{}} at the
  path colibri-mcp reads by default. Empty = mother off by default.

C3 — Opt-in "Enable Mother Link" (clawdie-enable-mother + desktop entry):
  Direction is "our Pi calls mother's tools" — colibri-mcp dials OUT to mother
  over SSH-stdio and proxies mother's tools to the Pi via its external-call
  path. The toggle:
   - provisions an SSH identity for the colibri service account
     (/var/db/colibri/.ssh — the daemon and its Pi run as `colibri`),
   - writes the mother entry into external-mcp.json (ssh -i <key> ... mother),
   - upserts COLIBRI_MCP_EXTERNAL_CALL=1 into provider.env,
   - restarts the daemon and prints colibri's pubkey to authorize on mother.

provider.env.sample documents the new toggles. sh -n clean on all scripts;
the empty default and the emitted mother entry validate as JSON and match the
ExternalMcpRegistry {servers:{command,args,env}} shape.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 18:53:41 +02:00