Generate personalized CLAWDIESEED payload (zero-touch operator stick) — Hermes #111

Closed
opened 2026-06-22 09:02:20 +02:00 by clawdie · 1 comment
Owner

Assigned: Hermes (OSA agent). Tracking issue / paste-ready brief.

Task

Generate a personalized CLAWDIESEED payload for a zero-touch Clawdie operator stick.

Context

clawdie-iso #110 (merged → main, commit ba2f09f) makes the live seed importer route an active agent's provider keys into colibri_daemon's provider.env, so a seeded stick boots straight into a live auto-spawned agent — no operator input. The image stays generic; the seed (FAT32, plaintext) is the personalization layer and stays offline. This stick will not be hosted online.

Boot ordering guarantees zero-touch: clawdie_live_seed runs as root BEFORE: LOGIN; colibri_daemon runs REQUIRE: LOGIN, so the daemon starts after the keys land and auto-spawns the agent (COLIBRI_AUTOSPAWN_PI=YES, already baked).

Dependency: the stick must be built from main after #110 (it is merged now), or the importer won't route keys to provider.env.

Steps

  1. Mount the stick's FAT32 CLAWDIESEED partition (3rd partition). On FreeBSD: mdo -u root mount -t msdosfs /dev/daXs3 /mnt/clawdie-seed.
  2. Create one agent directory named for the identity this stick should boot as (the live USB activates the first alphabetical dir): <agent-name>/.
  3. Populate it:
    • <agent-name>/env — plaintext KEY=VALUE, one per line:
      • real provider key from Vaultwarden: DEEPSEEK_API_KEY=… (plus any others, e.g. OPENROUTER_API_KEY=…)
      • optional TAILSCALE_AUTH_KEY=tskey-auth-… for first-boot tailnet join
      • do not add BW_* here — those are only for the vault-fetch path we're skipping
    • <agent-name>/harness.toml:
      harness = "pi"
      model = "deepseek-chat"
      cost_mode = "smart"
      
    • <agent-name>/soul/ — the full layered-soul tree (SOUL.md, USER.md, IDENTITY.md, memories/, skills/, …)
    • <agent-name>/ssh/authorized_keys — Sam's operator public key (ask Sam; public keys are not secret)
    • optional: empty file shred at the seed root (/mnt/clawdie-seed/shred) so the importer wipes env files off the stick after first import
  4. sync and unmount: mdo -u root umount /mnt/clawdie-seed.

Security

Plaintext FAT32 — treat the stick as secret-bearing media. Never print resolved key values to logs/transcripts; redact them. Confirm structure only.

Report back

  • the agent dir name
  • the list of env keys present (names only, no values)
  • whether soul/, ssh/authorized_keys, and shred were written

Fixes during seed generation can be pushed to the retained branch seed-zero-touch-provisioning; we'll cut a follow-up PR from it.

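As an added example (not code from the original issue or from the clawdie-iso project), the following POSIX shell script stages the seed layout from Steps 1–4 in a scratch directory that can then be copied onto the mounted `CLAWDIESEED` partition, and verifies the result the way the Security and Report back sections ask: structure and env key names only, never values. It assumes the operator supplies the env file, the SSH public key file and the soul/ tree; `build_seed`, `check_seed`, the agent name `hermes` and every key value used in testing are constructed placeholders, and `BW_*` entries are dropped because the vault-fetch path is not used here.

```shell
#!/bin/sh
# Added example, not part of the clawdie-iso project. Stages a CLAWDIESEED
# payload tree and checks it, reporting env key NAMES only.
# Assumed layout (from the issue): ROOT/<agent>/{env,harness.toml,soul/,ssh/authorized_keys}
# plus an optional empty ROOT/shred marker. Key values are never printed.

# build_seed ROOT AGENT ENVFILE PUBKEY SOULDIR [yes]
# Creates ROOT/AGENT/ from operator-supplied inputs; a 6th argument "yes"
# also creates the empty ROOT/shred marker so env files are wiped after import.
build_seed() {
    root=$1 agent=$2 envfile=$3 pubkey=$4 souldir=$5 want_shred=${6:-no}
    mkdir -p "$root/$agent/soul" "$root/$agent/ssh"
    # Keep only well-formed KEY=VALUE lines; drop BW_* (vault-fetch path only).
    grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$envfile" | grep -v '^BW_' \
        > "$root/$agent/env" || :
    # harness.toml with the values quoted in the issue.
    cat > "$root/$agent/harness.toml" <<'EOF'
harness = "pi"
model = "deepseek-chat"
cost_mode = "smart"
EOF
    cp -R "$souldir/." "$root/$agent/soul/"
    cp "$pubkey" "$root/$agent/ssh/authorized_keys"
    if [ "$want_shred" = yes ]; then : > "$root/shred"; fi
}

# env_key_names ROOT AGENT -> space-separated key names from env, no values.
env_key_names() {
    cut -d= -f1 "$1/$2/env" | tr '\n' ' ' | sed 's/ $//'
}

# check_seed ROOT -> prints a values-free report; returns 1 on a structural problem.
# Warns when more than one agent dir exists, since the live USB activates the
# first one in alphabetical order (the shell glob below is sorted the same way).
check_seed() {
    root=$1 count=0 first=
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        count=$((count + 1))
        [ -z "$first" ] && first=$(basename "$d")
    done
    [ "$count" -ge 1 ] || { echo "no agent directory under $root" >&2; return 1; }
    [ "$count" -eq 1 ] || echo "warning: $count agent dirs; live USB activates '$first'" >&2
    a="$root/$first"
    [ -s "$a/env" ] || { echo "missing or empty $first/env" >&2; return 1; }
    if grep -q '^BW_' "$a/env"; then echo "BW_* key present in $first/env" >&2; return 1; fi
    grep -q '^harness = "pi"' "$a/harness.toml" 2>/dev/null \
        || { echo "$first/harness.toml missing or not harness = \"pi\"" >&2; return 1; }
    [ -s "$a/ssh/authorized_keys" ] || { echo "missing $first/ssh/authorized_keys" >&2; return 1; }
    [ -f "$a/soul/SOUL.md" ] || { echo "missing $first/soul/SOUL.md" >&2; return 1; }
    shred=no
    [ -f "$root/shred" ] && shred=yes
    echo "agent: $first"
    echo "env keys: $(env_key_names "$root" "$first")"
    echo "soul/: yes  ssh/authorized_keys: yes  shred: $shred"
}

# Usage (stage locally, then copy the tree onto the mounted partition):
#   sh seed.sh build ./seed <agent-name> ./env.in ./operator.pub ./soul yes
#   sh seed.sh check ./seed
case "${1:-}" in
    build) shift; build_seed "$@" ;;
    check) shift; check_seed "$@" ;;
esac
```

`check_seed` is the part worth keeping around: run it against the mounted partition before `umount` and paste its output into the report, since it emits exactly the three items the brief asks for and cannot leak a key value.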
Author
Owner

Closing as superseded. This brief (22.jun.2026) predates the seed/OOTB work that has since shipped — #115 (seed-delivered SSH client material), the dual-purpose mother-mcp key, and #133 (OOTB mother-MCP). The canonical, up-to-date procedure for building a personalized seed now lives in:

  • live/operator-session/clawdie-live-seed.README.txt — the seed layout (env, ssh/, soul, harness.toml, mother-mcp key)
  • colibri packaging/mother/MOTHER-SETUP.md first-run checklist — mother side + key→seed

Actually provisioning a stick is an on-demand operational step against those docs, not a standing tracking issue. Reopen if a tracked provisioning run is wanted.

Reference: clawdie/clawdie-iso#111