diff --git a/BUILD.md b/BUILD.md index 23d1f549..40a1afc8 100644 --- a/BUILD.md +++ b/BUILD.md @@ -22,7 +22,7 @@ The ISO carries its own product version, independent of any component (zot, Colibri, Clawdie-AI). Component versions are recorded in `build-manifest.json`. ```sh -ISO_VERSION="0.10.0" # explicit product version (required; no zot-tracking) +ISO_VERSION="0.11.0" # explicit product version (required; no zot-tracking) BUILD_CHANNEL="dev" # dev | release CLAWDIE_REF="main" # validation default ``` @@ -139,14 +139,14 @@ sudo ./build.sh Output: ```text -tmp/output/clawdie-quindecim-0.10.0.img +tmp/output/clawdie-quindecim-0.11.0.img ``` Published/downloaded artifacts are compressed as `.img.xz`. Stream the compressed image directly into `dd`: ```sh -xz -dc clawdie-quindecim-0.10.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync +xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync sync ``` @@ -155,15 +155,15 @@ For Linux or FreeBSD downloads from the published HTTPS path, prefer resumable ```sh curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \ - https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.10.0.img.xz + https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz curl -fL --retry 5 --retry-delay 5 -O \ - https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.10.0.img.xz.sha256 + https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz.sha256 ``` For a build-local uncompressed image, plain `dd` is also fine: ```sh -sudo dd if=tmp/output/clawdie-quindecim-0.10.0.img of=/dev/daX bs=1M status=progress conv=fsync +sudo dd if=tmp/output/clawdie-quindecim-0.11.0.img of=/dev/daX bs=1M status=progress conv=fsync sync ``` 
@@ -431,7 +431,7 @@ The final size output distinguishes: Edit `build.cfg` for persistent defaults: ```sh -ISO_VERSION="${ISO_VERSION:-0.10.0}" +ISO_VERSION="${ISO_VERSION:-0.11.0}" BUILD_CHANNEL="${BUILD_CHANNEL:-dev}" IMAGE_SIZE="28G" CLAWDIE_REF="${CLAWDIE_REF:-main}" diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e3ea93c..ca034977 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,8 +19,24 @@ _Nothing yet._ ship together. zot and clawdie-ai keep their own versions, recorded as provenance in `build-manifest.json`. +### Added + +- **Out-of-the-box Join Hive provisioning.** Entering Bitwarden credentials + pulls the DeepSeek key from Vaultwarden, restarts the daemon, and confirms the + auto-spawned agent — the live image now provisions itself from the vault on + first boot (`COLIBRI_AUTOSPAWN_PI` staged in `provider.env`). +- **Tailscale auto-join from Vaultwarden.** Join Hive fetches a + `tailscale-auth-key` item and brings the tailnet up once on first boot; the + key is consumed after use (not cached locally), with Vaultwarden as the source + of truth. +- **Opt-in Mother MCP link** (`clawdie-enable-mother`): publishes the node's + Colibri pubkey to Vaultwarden for hive authorization and registers `mother` in + the external MCP registry (jq-merged so existing servers survive). +- `jq` added to the live-operator and jail package lists for the MCP config path. + ### Changed +- zot agent pinned to **v0.2.42** (was v0.2.29). - Live operator-session scripts hardened: identity wallpaper off host-global `/tmp` with multi-monitor apply; Join Hive captures the generator's output path; vault fetch work dir moved to a `0700` runtime dir; scratch/tmp policy diff --git a/FLASHING.md b/FLASHING.md index 4ea4ede8..d986fe5c 100644 --- a/FLASHING.md +++ b/FLASHING.md @@ -3,7 +3,7 @@ Published Clawdie operator USB artifacts are compressed: ```text -clawdie-quindecim-0.10.0.img.xz +clawdie-quindecim-0.11.0.img.xz ``` Default policy: 
@@ -47,15 +47,15 @@ Download with resume and retries: ```sh curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \ - https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.10.0.img.xz + https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz curl -fL --retry 5 --retry-delay 5 -O \ - https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.10.0.img.xz.sha256 + https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz.sha256 ``` Verify the downloaded artifact: ```sh -sha256sum -c clawdie-quindecim-0.10.0.img.xz.sha256 +sha256sum -c clawdie-quindecim-0.11.0.img.xz.sha256 ``` Unmount mounted USB partitions if needed: @@ -68,7 +68,7 @@ Flash by streaming xz into `dd`: ```sh set -o pipefail 2>/dev/null || true -xz -dc clawdie-quindecim-0.10.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync +xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync sync ``` @@ -89,22 +89,22 @@ Download with resume and retries: ```sh curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \ - https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.10.0.img.xz + https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz curl -fL --retry 5 --retry-delay 5 -O \ - https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.10.0.img.xz.sha256 + https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz.sha256 ``` Verify the downloaded artifact: ```sh -HASH=$(awk '{print $1}' clawdie-quindecim-0.10.0.img.xz.sha256) -sha256 -c "$HASH" clawdie-quindecim-0.10.0.img.xz +HASH=$(awk '{print $1}' clawdie-quindecim-0.11.0.img.xz.sha256) +sha256 -c "$HASH" clawdie-quindecim-0.11.0.img.xz ``` If `sha256sum` is installed, this GNU-style form is also OK: ```sh -sha256sum -c clawdie-quindecim-0.10.0.img.xz.sha256 +sha256sum -c clawdie-quindecim-0.11.0.img.xz.sha256 ``` Unmount mounted USB partitions if needed: 
@@ -116,7 +116,7 @@ sudo umount /dev/daXs* 2>/dev/null Flash by streaming xz into `dd`: ```sh -xz -dc clawdie-quindecim-0.10.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync +xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync sync ``` @@ -129,11 +129,11 @@ Replace `/dev/daX` with the actual whole USB disk. No decompression step needed — both tools read `.img.xz` directly. 1. Download both files (same folder): - - `clawdie-quindecim-0.10.0.img.xz` - - `clawdie-quindecim-0.10.0.img.xz.sha256` + - `clawdie-quindecim-0.11.0.img.xz` + - `clawdie-quindecim-0.11.0.img.xz.sha256` 2. (Recommended) verify the checksum in PowerShell: ```powershell - (Get-FileHash .\clawdie-quindecim-0.10.0.img.xz -Algorithm SHA256).Hash.ToLower() + (Get-FileHash .\clawdie-quindecim-0.11.0.img.xz -Algorithm SHA256).Hash.ToLower() # compare against the value in the .sha256 file ``` 3. **Rufus:** open Rufus → **SELECT** the `.img.xz` → choose the USB drive under "Device" → **START**. Rufus decompresses and writes in one step. (Use "DD Image" mode if prompted.) @@ -152,21 +152,21 @@ For a local build artifact that already exists as a raw image: ### Linux ```sh -sudo dd if=clawdie-quindecim-0.10.0.img of=/dev/sdX bs=4M status=progress conv=fsync +sudo dd if=clawdie-quindecim-0.11.0.img of=/dev/sdX bs=4M status=progress conv=fsync sync ``` ### FreeBSD ```sh -sudo dd if=clawdie-quindecim-0.10.0.img of=/dev/daX bs=1M status=progress conv=fsync +sudo dd if=clawdie-quindecim-0.11.0.img of=/dev/daX bs=1M status=progress conv=fsync sync ``` Only unxz first if you specifically need the raw file for inspection or reuse: ```sh -unxz -k clawdie-quindecim-0.10.0.img.xz +unxz -k clawdie-quindecim-0.11.0.img.xz ``` --- diff --git a/README.md b/README.md index 007b8d13..4317f935 100644 --- a/README.md +++ b/README.md 
@@ -170,14 +170,14 @@ Artifact names use a short Latin codename for the FreeBSD major line they were built on. For FreeBSD `15`, that codename is `quindecim`, so: ```text -clawdie-quindecim-0.10.0.img +clawdie-quindecim-0.11.0.img ``` means: - `clawdie` — project name - `quindecim` — Latin for `15`, matching the FreeBSD 15 build line -- `0.10.0` — the ISO product version (set in `build.cfg`) +- `0.11.0` — the ISO product version (set in `build.cfg`) Per-build provenance (build date and the `clawdie-iso`, `colibri`, `zot`, and `clawdie-ai` commits) lives in `build-manifest.json`, not the filename. @@ -233,26 +233,26 @@ Download on Linux or FreeBSD with resume and retries: ```sh curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \ - https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.10.0.img.xz + https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz curl -fL --retry 5 --retry-delay 5 -O \ - https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.10.0.img.xz.sha256 + https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz.sha256 ``` Linux: ```sh -sha256sum -c clawdie-quindecim-0.10.0.img.xz.sha256 +sha256sum -c clawdie-quindecim-0.11.0.img.xz.sha256 set -o pipefail 2>/dev/null || true -xz -dc clawdie-quindecim-0.10.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync +xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync sync ``` FreeBSD: ```sh -HASH=$(awk '{print $1}' clawdie-quindecim-0.10.0.img.xz.sha256) -sha256 -c "$HASH" clawdie-quindecim-0.10.0.img.xz -xz -dc clawdie-quindecim-0.10.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync +HASH=$(awk '{print $1}' clawdie-quindecim-0.11.0.img.xz.sha256) +sha256 -c "$HASH" clawdie-quindecim-0.11.0.img.xz +xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync sync ``` diff --git a/TESTING.md b/TESTING.md index b5a11992..1a7ddbe4 100644 
--- a/TESTING.md +++ b/TESTING.md @@ -1,7 +1,7 @@ # Clawdie Operator USB Testing Guide **Branch:** `xfce-operator-usb` -**Target artifact:** `clawdie-quindecim-0.10.0.img` +**Target artifact:** `clawdie-quindecim-0.11.0.img` **Current desktop path:** XFCE via SDDM, interactive login as `clawdie` --- @@ -105,7 +105,7 @@ Run this on the FreeBSD build host after `build.sh` finishes. ### Useful verification commands ```sh -sudo mdconfig -a -t vnode -f tmp/output/clawdie-quindecim-0.10.0.img +sudo mdconfig -a -t vnode -f tmp/output/clawdie-quindecim-0.11.0.img sudo mount -o ro /dev/md0s2a /mnt egrep 'hostname|root_rw_mount|tmpmfs|varmfs|sshd|avahi|powerd|powerdxx|pf_enable|sddm|display_manager|clawdie_live_gpu|clawdie_tailscale_up|linux_enable|zfs_enable|kld_list' /mnt/etc/rc.conf @@ -428,12 +428,12 @@ FreeBSD. For a published compressed image on Linux, the default path is: ```sh curl -fL --continue-at - --retry 5 --retry-delay 5 --progress-bar -O \ - https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.10.0.img.xz + https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz curl -fL --retry 5 --retry-delay 5 -O \ - https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.10.0.img.xz.sha256 -sha256sum -c clawdie-quindecim-0.10.0.img.xz.sha256 + https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz.sha256 +sha256sum -c clawdie-quindecim-0.11.0.img.xz.sha256 set -o pipefail 2>/dev/null || true -xz -dc clawdie-quindecim-0.10.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync +xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync sync ``` diff --git a/skills/iso-publish/SKILL.md b/skills/iso-publish/SKILL.md index 00fcf826..ca6f87fd 100644 --- a/skills/iso-publish/SKILL.md +++ b/skills/iso-publish/SKILL.md 
@@ -61,7 +61,7 @@ steps that write beside the artifact, or use the `sudo` variants shown below. Set `IMG` to the raw image produced by the current build. Example: ```sh -IMG="tmp/output/clawdie-quindecim-0.10.0.img" +IMG="tmp/output/clawdie-quindecim-0.11.0.img" ``` ```sh
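Review bot: In README.md (hunk `@@ -233,26`), the Linux and FreeBSD blocks keep the checksum command and the `xz -dc ... | sudo dd` line in one fence with nothing chaining them, so pasting the block still writes to the disk when `sha256sum -c` or `sha256 -c` reports a mismatch. Join the flash step to the verify step with `&&`, or split verify and flash into separate fences the way FLASHING.md does. The TESTING.md block at `@@ -428,12` has the same shape.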
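Review bot: The FreeBSD flash block in FLASHING.md (hunk `@@ -116,7`) pipes `xz -dc` into `dd` without the `set -o pipefail 2>/dev/null || true` line that the Linux block at `@@ -68,7` carries, so a decompression failure on a truncated or corrupt `.img.xz` is hidden behind the exit status of `dd` and a partial image is written without an error. Add the same guard here, or run `xz -t` on the file before flashing. The FreeBSD pipelines in BUILD.md (`@@ -139,14`) and README.md (`@@ -233,26`) are also missing it.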
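Review bot: In the Windows steps of FLASHING.md (hunk `@@ -129,11`), checksum verification is marked "(Recommended)" and ends at `# compare against the value in the .sha256 file`, which leaves the comparison to the reader's eye, while the Linux and FreeBSD sections state verification as a plain step with a command that fails on mismatch. Make the step unconditional and have the PowerShell snippet read the first field of the `.sha256` file and compare it to the `Get-FileHash` result, so a mismatch is reported rather than overlooked.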
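Review bot: BUILD.md (hunk `@@ -155,15`) downloads `clawdie-quindecim-0.11.0.img.xz.sha256` but the visible lines go straight on to the build-local `dd` text and never use the file. Add the `sha256sum -c` / `sha256 -c` step here or point to the verify section of FLASHING.md. Since the checksum comes from the same `https://osa.smilepowered.org/downloads/iso/` path as the image, it covers transfer corruption only; a detached signature checked against a key distributed elsewhere would be needed to cover tampering on the download host.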
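Review bot: In the CHANGELOG.md hunk (`@@ -19,8 +19,24`), the Tailscale entry says the key is "consumed after use (not cached locally)" without saying what consumed means for the operator: whether the `tailscale-auth-key` item is removed or rotated in Vaultwarden, or whether the key is simply expected to be single-use. State which, because a reusable key left in the vault is readable by every node that joins later. The Join Hive entry should likewise say where the fetched DeepSeek key is written and with what file mode, and the "zot agent pinned to **v0.2.42**" line should say whether the pin is a tag or a commit.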
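Review bot: In TESTING.md (hunk `@@ -105,7`), the `mount -o ro /dev/md0s2a /mnt` line hardcodes unit `md0`, while `mdconfig -a -t vnode -f ...` allocates the next free unit and prints its name. On a build host that already has a memory disk attached, the `egrep` over `/mnt/etc/rc.conf` then inspects a different image or the mount fails. Capture the name that `mdconfig` prints and use it in the mount path.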
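Review bot: The literal `0.11.0` is edited by hand in every example across BUILD.md, FLASHING.md, README.md, TESTING.md and skills/iso-publish/SKILL.md (the `IMG=` line in hunk `@@ -61,7` is one instance), so each release repeats this patch and a missed occurrence leaves a download or checksum command pointing at the previous image. Define the version once per document, for example a `VER=` assignment at the top of each shell block or a placeholder filled in at publish time, and derive the filenames from it.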