Match the colibri relicense (AGPL-3.0 -> MIT, same as layered-soul) in the
build-server doc's port key-facts.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- build.cfg: ISO_VERSION 0.10.0 -> 0.11.0; reword the version note — clawdie-iso
and colibri now share one unified Clawdie release version (zot/clawdie-ai stay
provenance in build-manifest.json).
- CHANGELOG: [0.11.0] entry (date in EU format DD.mon.YYYY per AGENTS rule)
covering the versioning unify, operator-session hardening, poudriere
build-server scripts, and the duplicate-port retirement.
colibri Cargo.toml + port DISTVERSION bump to 0.11.0 lands in the colibri repo
(separate branch). Tags held until both bumps merge.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The canonical Colibri FreeBSD port lives in the colibri repo
(packaging/freebsd/port/sysutils/colibri), kept with the code it builds and
guarded by a CARGO_CRATES drift check in colibri CI. The copy here was a
divergent duplicate (wrong LICENSE=MIT vs AGPLv3, CARGO_BUILD=no skeleton that
could not build, different binary set) that the drift check could not protect.
- delete ports/sysutils/colibri/ (no longer maintained here)
- build.sh release gate: fail if ports/sysutils/colibri/ reappears, pointing at
the canonical location — keeps the cleanup structural, not just one-time
- docs/POUDRIERE-BUILD-SERVER.md + scripts/poudriere/README.md: state colibri
owns the port, copy it into the ports tree, this repo keeps no duplicate
Validation: build.sh sh -n clean; release-gate self-test passes; guard fires on
a reintroduced dir; markdown gate clean. Nothing references the deleted path.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Replace GH_ACCOUNT+GH_PROJECT with MASTER_SITES pointing at
code.smilepowered.org/clawdie/colibri/archive/
- Fix distinfo to match Forgejo archive naming (v0.0.1.tar.gz)
clawdie_live_power is a one-shot boot script that applies the power_profile
C-state policy once (FreeBSD's power_profile is nostart and otherwise only
runs on a devd AC-line transition). Comment-only clarification — no behavior
change:
- Move the PROVIDE/REQUIRE/BEFORE/KEYWORD rcorder block to the top (convention;
rcorder scans the whole file, so behavior is identical).
- Document scope explicitly: this selects a CPU C-state/freq profile ONLY —
never suspend/sleep/blank/DPMS (screen-blank is the separate no-blank stack).
- Record the wake-safety invariant: both AC (0x01) and battery (0x00) branches
are safe because rc.conf pins performance_cx_lowest AND economy_cx_lowest to
C3, so neither can select a deeper C-state that breaks USB resume. Guard-rail
for future editors: do not deepen on the live USB.
sh -n clean; rcorder tags intact.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The inline Makefile example claimed LICENSE=MIT (wrong — colibri is
AGPL-3.0-only) and duplicated what now lives canonically in
colibri/packaging/freebsd/port/. Replace the snippet with a pointer + the
corrected key facts (license, binaries shipped, generated files).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Turns the manual Phase 2–3 runbook (docs/POUDRIERE-BUILD-SERVER.md) into
repeatable, idempotent steps for the mother-build host — the package half of
the trusted supply chain (layered-soul HIVE-ONBOARDING §10).
- poudriere-setup.sh: verify-then-act setup. Validates root, FreeBSD version
format, pkg/openssl, and that the ZFS pool exists BEFORE acting; then installs
poudriere, generates the repo signing key (0400), writes poudriere.conf (only
if absent), and creates the build jail + ports tree. Re-running skips anything
already present.
- poudriere-build.sh: validates jail, ports tree, and each origin (category/name
+ Makefile present) before `poudriere bulk`; repo is signed automatically via
PKG_REPO_SIGNING_KEY.
- clawdie-repo.conf.in: client repo template (signature_type pubkey) + the
first-party-only priority note.
- README.md: the three-step flow and conventions.
Style matches live/operator-session/hw-report: POSIX sh, set -u, fixed PATH,
strict arg parsing, minimal checks (only what is acted upon). Host provisioning
(ZFS/base/network) stays in the runbook — these assume a FreeBSD host with a
pool. sh -n clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Build installs /usr/local/bin/clawdie-join-hive (no .sh).
Desktop Exec had the .sh suffix — launcher would fail silently.
One-character fix: drop .sh from Exec line.
Stage a non-secret /usr/local/etc/colibri/provider.env with the Clawdie Vaultwarden endpoint so operators only add BW bootstrap credentials. Also teach clawdie-vault-fetch to honor BW_SERVER and fail closed if an existing bw login points at a different server.\n\nChecks: sh -n live/operator-session/clawdie-vault-fetch scripts/stage-colibri-iso.sh; ./scripts/check-format.sh; git diff --check; COLIBRI_REPO=/home/clawdie/ai/colibri scripts/stage-colibri-iso.sh <tmp>
bw config server refuses with 'Logout required before server config update'
when the CLI is already authenticated. The helper treated that as fatal
(exit 1), which broke every repeat run on an already-logged-in host — exactly
the 'refresh .env from vault' case the helper exists for.
The bw login block already tolerates 'already logged in'; mirror that for
bw config: capture stderr/stdout and tolerate 'logout required' /
'already configured' / 'already set', failing only on a real error.
Verified on domedog: fixed helper runs cleanly from the logged-in state
(previously exited 1 at the config step).
Checks: sh -n; git diff --check; ./scripts/check-format.sh (prettier clean).
Co-Authored-By: Hermes & Sam <hello@clawdie.si>
Address the 5 review concerns on the secrets-out-of-the-box feature:
1. Seed↔fetch path alignment: _seed_split_env routes BW_* creds out of .env
into ~/.config/vault-bootstrap.env (SEED_VAULT_BOOTSTRAP_REL), the path
clawdie-vault-fetch actually reads — so 'seed bootstrap → fetch out of
the box' now lines up without an explicit --bootstrap arg.
2. Drop unused COLLECTION_ID from clawdie-vault-fetch. Items are fetched by
name via 'bw get password', which is fail-closed on ambiguity; document
that item names must be unique in the visible vault.
3. Agent dir validation: _seed_agent_name_ok rejects leading-dot dirs
(.Spotlight-V100, .fseventsd) and traversal; _seed_agent_has_payload
requires a recognized payload so an empty/stray dir can't become active.
4. No phantom homes: extra agent dirs stage under /var/db/clawdie/seed/<agent>
only — _seed_stage_agent never writes a home or SSH keys.
5. Bootstrap file mode enforcement: clawdie-vault-fetch now stat-checks the
bootstrap file and refuses group/world-readable unless
VAULT_ALLOW_INSECURE_BOOTSTRAP is set.
Also renames _seed_import_env → _seed_merge_env + _seed_split_env and adds
_seed_key_ok to guard env var names.
Checks: sh -n on vault-fetch/live-seed/build.sh; git diff --check;
./scripts/check-format.sh (prettier clean); 5 concerns verified present.
Co-Authored-By: Hermes & Sam <hello@clawdie.si>
Two parallel, additive paths so a host gets its secrets out of the box;
the manual setup wizard stays the floor (no config = no-op).
clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600
~/.config/vault-bootstrap.env, pulls keys from the agent-secrets
collection (item name = env var name, value in password field, so no jq),
prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish
skip (3, no bootstrap) / broken (1) / no bw (4). Pinned
@bitwarden/cli@2026.5.0 for offline bundling; staged in
configure_live_operator_session.
clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the
authorized_keys allowlist to a per-agent directory convention —
/<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/
(staged), ssh/authorized_keys. Live USB single-agent (first dir = active);
extra dirs staged + flagged for deployed multi-agent. Optional
consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST.
README rewritten to document the per-agent contract and the operator
decision to allow plaintext secrets on the seed (seeded sticks are
secret-bearing media; 0600 landing + shred mitigations).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Standardize the ISO on the agreed Python 3.12 floor (operator + Hermes +
Claude consensus; see layered-soul/docs/TOOLCHAIN.md).
- pkg lists: python311->python312, py311-{pip,aider_chat,pillow}->py312-*
- build.sh: derive the installed python3.N for the python3/python symlink so a
future bump needs only a pkg-list change, never an edit here
- shell-deploy.sh: create the Aider venv with 'python3 -m venv' (resolves via
the symlink) instead of a hardcoded python3.11
- import-clawdie-skills.sh: python3 fallback instead of python3.11
- BUILD.md: doc references
Aider kept (bumped, not dropped): redundant coding tooling is intentional per
the agent matrix.
Pre-merge gate: confirm FreeBSD pkg coverage on osa —
pkg search '^py312-aider_chat' '^py312-pygobject'
(common modules pillow/pip are safe).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replace stale colibri-smoke-agent references with colibri-test-agent, mark colibri-tui optional/desirable, update image-name comments, and avoid smoke wording in current build handoff docs.\n\nChecks: sh -n build.sh; sh -n scripts/test-release-gate.sh; ./scripts/check-format.sh; git diff --check.
Use zot's Makefile VERSION hook in release/live rebuild instructions and preflight hints so the staged binary reports 0.2.29 instead of the local-build 0.0.0 default.\n\nChecks: sh -n build.sh; sh -n scripts/stage-zot-iso.sh; sh -n scripts/stage-colibri-iso.sh; ./scripts/check-format.sh; git diff --check; stage-zot-iso dummy-artifact smoke; VERSION=0.2.29 make build in zot produced 'zot 0.2.29'.
Drop the "dirty" terminology in favor of "modified" (same boolean sense:
true = working tree has uncommitted or untracked changes). Pure rename — no
logic change. Safe now: nothing consumes these keys yet (checked colibri too).
- build-manifest.json keys: zot_dirty/colibri_dirty/iso_repo_dirty
→ zot_modified/colibri_modified/iso_repo_modified
- .clawdie-source.json: dirty_at_build → modified_at_build
- iso-publish manifest (write-artifact-manifest.sh): repo_dirty → repo_modified
- gate messages, comments, shell vars, and docs (BUILD/CHANGELOG/ISO-MANIFESTS/
PLAN) reworded.
Checks: sh -n on all three scripts; release-gate smoke test PASS; prettier clean
on changed docs.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Codex's release gate (96fc1d3) had the right idea but two issues that the
verified gates (sh -n / prettier / git diff) structurally could not catch,
because none exercise the BUILD_CHANNEL=release path:
1. Blocker: check_release_gate was *called* at line ~105 but *defined* (and its
resolve_* dependencies defined) far below. In POSIX sh that's a call before
definition — with `set -e`, a release build aborted at exit 127
("check_release_gate: not found") before the gate ran. Moved the invocation
into the preflight section, after all helpers are defined.
2. Unsatisfiable + asymmetric: the gate required clawdie-ai to be on a vX.Y.Z
tag, but clawdie-ai has no v-tag and is being pruned — so release was
impossible. Replaced with reproducibility-by-record: every staged source
(clawdie-iso, clawdie-ai, colibri, zot) must be a clean, committed tree; the
manifest's recorded commits then fully describe the artifact. A recorded SHA
is as pinned as a tag. Dropped the tag requirement.
Also:
- "clean" now uses `git status --porcelain`, so untracked files (which a
diff-only check misses but which still change the build) fail the gate.
- Factored the repeated resolve+dirty boilerplate into assert_clean_repo.
- New scripts/test-release-gate.sh smoke test: asserts the porcelain semantics
and that the gate is invoked after its definition (guards the exit-127
regression). A 5-line test that the three "verified gates" could not provide.
Checks: sh -n build.sh; sh -n + run scripts/test-release-gate.sh (PASS);
git diff --check.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Decouple the ISO identity from zot and cut the first numbered milestone.
Versioning schema (decided 2026-06-15):
- ISO_VERSION is now an explicit product version (build.cfg: 0.10.0); the
"auto"/zot-tracking path is removed and a build with no version fails fast.
The image no longer borrows zot's number — component versions are provenance.
- build-manifest.json: "iso_version_tracks":"zot" -> "version_scheme":"product",
and add colibri_commit/colibri_dirty (the image stages adjacent colibri
binaries; record which commit produced them — the main reproducibility gap).
Docs/version consistency (from docs to flashing/testing/skill):
- CHANGELOG: new [0.10.0] "Operator Image" milestone (stable XFCE + colibri
service fixes + self-rebuild lane); reword the version model and repo table.
- README/BUILD/FLASHING/TESTING/iso-publish: artifact examples 0.2.29 -> 0.10.0;
version-scheme prose updated to product-version, not zot-tracking.
Stacked on the live-rebuild branch (PR #56); merge after it.
Checks: sh -n build.sh OK; prettier clean on all changed docs.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Accept the PR #75 colibri_daemon rc.d contract, write colibri_daemon_cost_mode, and update the live rebuild doc now that /home/clawdie/ai sources are shallow git checkouts.\n\nChecks: sh -n build.sh; sh -n scripts/stage-colibri-iso.sh; ./scripts/check-format.sh; git diff --check; scripts/stage-colibri-iso.sh dummy-artifact smoke against Colibri PR #75 rc.d.
