build.sh

@@ -583,6 +583,15 @@ write_build_manifest() {
             fi
         fi
     fi
+    # Pi version provenance. Pi is fetched as @latest (see packages/npm-globals.txt),
+    # so the concrete version floats — derive it from the bundled tarball name
+    # (earendil-works-pi-coding-agent-<version>.tgz) and record it. This runs after
+    # fetch-npm-globals.sh + install_live_npm_globals, so the tarball is present.
+    _pi_version="unknown"
+    _pi_tgz=$(ls "${NPM_GLOBALS_DIR}"/earendil-works-pi-coding-agent-*.tgz 2>/dev/null | head -1)
+    if [ -n "${_pi_tgz}" ]; then
+        _pi_version=$(basename "${_pi_tgz}" .tgz | sed 's/^earendil-works-pi-coding-agent-//')
+    fi
     mkdir -p "$(dirname "$_manifest_path")"
     cat > "$_manifest_path" <<EOF
 {
@@ -599,6 +608,7 @@ write_build_manifest() {
   "clawdie_ai_ref": "$(json_escape "${CLAWDIE_REF}")",
   "clawdie_ai_commit": "$(json_escape "${CLAWDIE_AI_COMMIT:-unknown}")",
   "clawdie_ai_modified": ${_clawdie_ai_modified:-null},
+  "pi_version": "$(json_escape "${_pi_version:-unknown}")",
   "live_ssh_pubkey_fp": ${_live_ssh_pubkey_fp_json},
   "tailscale_auth_key_baked": ${_tailscale_auth_key_baked},
   "iso_repo_commit": "$(json_escape "${_iso_repo_commit}")",

packages/npm-globals.txt

@@ -1,10 +1,14 @@
 # Bundled npm global CLIs for offline firstboot/live operator use.
-# Pin exact versions to prevent build-to-build drift.
+# Pin exact versions to prevent build-to-build drift — EXCEPT where a line uses
+# a dist-tag (e.g. @latest) on purpose.
 #
-# Keep Pi current through coordinated version-sync work; do not rely on
-# npm's moving latest dist-tag during ISO builds.
+# Pi tracks `@latest` deliberately: each image ships the newest Pi. The version
+# that actually got resolved at fetch time is recorded in build-manifest.json
+# (`pi_version`), so the artifact stays traceable even though the spec floats.
+# Pin a concrete version here instead if a build must be reproducible
+# byte-for-byte.
 
-@earendil-works/pi-coding-agent@0.78.0
+@earendil-works/pi-coding-agent@latest
 
 # Bitwarden CLI (`bw`) — headless access to the Clawdie Vaultwarden instance,
 # used by clawdie-vault-fetch. Bundled offline so a booted image can pull agent

scripts/fetch-npm-globals.sh

@@ -2,8 +2,10 @@
 # Fetch npm-global CLIs as .tgz tarballs for offline install on the ISO target.
 #
 # These packages are installed by firstboot with `npm install -g` from local
-# tarballs (no network needed on the target). Exact versions are pinned in
-# packages/npm-globals.txt to prevent build-to-build drift.
+# tarballs (no network needed on the target). Versions are pinned in
+# packages/npm-globals.txt to prevent build-to-build drift, except lines that
+# use a dist-tag on purpose (Pi tracks @latest; the resolved version is recorded
+# in build-manifest.json as `pi_version`).
 #
 # Notes:
 #   - Codex is shipped via the FreeBSD `codex` pkg (see pkg-list-host.txt),
@@ -49,10 +51,13 @@ while IFS= read -r pkg || [ -n "$pkg" ]; do
         ''|'#'*) continue ;;
     esac
     echo "    npm pack ${pkg}"
-    # `npm pack <name>@<version>` downloads the pinned published tarball without
-    # installing it. Output is `<name>-<version>.tgz` (scoped names get
-    # their slash flattened to a dash).
-    npm pack "$pkg" >/dev/null
+    # `npm pack <name>@<version|dist-tag>` downloads the published tarball without
+    # installing it. Output is `<name>-<resolved-version>.tgz` (scoped names get
+    # their slash flattened to a dash). npm prints that filename on stdout — echo
+    # it so the build log shows exactly which version a dist-tag (e.g. @latest)
+    # resolved to.
+    _packed=$(npm pack "$pkg" 2>/dev/null | tail -1)
+    [ -n "${_packed}" ] && echo "      → ${_packed}"
 done < "$NPM_GLOBALS_LIST"
 
 echo ""