2026-06-13 21:36:04 +02:00
13 changed files with 178 additions and 6 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@ -104,9 +104,10 @@ the ISO does **not** build Rust while the image is mounted.
  skill (§Colibri artifact preflight).
 - Staging layout (installed paths, rc.d, directory ownership) is owned by
  Colibri `docs/ISO-INTEGRATION-PLAN.md`.
- Required by ISO preflight: `colibri-daemon`, `colibri`, `colibri-smoke-agent`.
+- Required by ISO preflight: `colibri-daemon`, `colibri`, `colibri-smoke-agent`,
+  and `colibri-mcp`.
  `colibri-tui` is optional in staging code but desired for this USB target and
-  should be verified alongside the other three.
+  should be verified alongside the required binaries.

 **Invariant:** do not `cargo clean` `/home/clawdie/ai/colibri` until the ISO
 preflight/build has consumed `/home/clawdie/ai/colibri/target/release`.
--- a/BUILD.md
+++ b/BUILD.md
@ -83,6 +83,7 @@ Colibri-backed. The image includes:
 /usr/local/bin/colibri-daemon
 /usr/local/bin/colibri
 /usr/local/bin/colibri-smoke-agent
+/usr/local/bin/colibri-mcp              # MCP bridge for Zed/Claude Code/Cursor
 /usr/local/bin/colibri-tui              # if present in the artifact dir
 /usr/local/etc/rc.d/colibri_daemon
 /var/db/colibri
@ -95,6 +96,11 @@ values for `colibri_daemon_enable`, paths, and `colibri_cost_mode`. Operator USB
 validation builds enable `colibri_daemon_enable=YES`; the service starts after
 the login milestone and is the lightweight control plane for the live USB.

+`colibri-mcp` is staged out of the box for MCP-capable editors and assistants.
+It defaults to read-only tools; launch it with `COLIBRI_MCP_WRITE=1` only for a
+trusted write-capable MCP profile. Example MCP client configs are installed at
+`/usr/local/share/clawdie-iso/mcp-examples/`.
+
 ### Colibri vs. Clawdie service names

 ```text
--- a/README.md
+++ b/README.md
@ -52,6 +52,7 @@ Live operator USB
  SDDM/XFCE desktop
    └── colibri_daemon      # lightweight control plane, enabled on USB
          ├── colibri CLI / colibri-tui
+          ├── colibri-mcp       # MCP bridge for editor/assistant clients
          └── agent harness     # Colibri's bundled agent (staged with the
                                # daemon); pi available as a spawnable backend

--- a/build.sh
+++ b/build.sh
@ -325,7 +325,7 @@ preflight_colibri_artifacts() {
        echo "       Set COLIBRI_REPO=/path/to/colibri or FEATURE_COLIBRI=NO."
        exit 1
    fi
-    for _colibri_bin in colibri-daemon colibri colibri-smoke-agent; do
+    for _colibri_bin in colibri-daemon colibri colibri-smoke-agent colibri-mcp; do
        if [ ! -x "${_resolved_colibri_artifact_dir}/${_colibri_bin}" ]; then
            echo "ERROR: Colibri release binary missing: ${_resolved_colibri_artifact_dir}/${_colibri_bin}"
            echo "       Build first: (cd ${_resolved_colibri_repo} && cargo build --workspace --release)"
@ -802,7 +802,9 @@ install_colibri_service() {
    set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_host="$(hostname)"'
    set_config_line "${MOUNT_POINT}/etc/rc.conf" "colibri_cost_mode=\"${COLIBRI_COST_MODE:-smart}\""

-    if [ ! -x "${MOUNT_POINT}/usr/local/bin/colibri-daemon" ] || [ ! -x "${MOUNT_POINT}/usr/local/bin/colibri" ]; then
+    if [ ! -x "${MOUNT_POINT}/usr/local/bin/colibri-daemon" ] || \
+       [ ! -x "${MOUNT_POINT}/usr/local/bin/colibri" ] || \
+       [ ! -x "${MOUNT_POINT}/usr/local/bin/colibri-mcp" ]; then
        echo "ERROR: Colibri binaries missing from live image"
        exit 1
    fi
@ -1463,6 +1465,13 @@ EOF
    mkdir -p "${MOUNT_POINT}/usr/local/share/clawdie-iso/bootstrap"
    install -m 0644 "${LIVE_SESSION_DIR}/bootstrap.html" \
        "${MOUNT_POINT}/usr/local/share/clawdie-iso/bootstrap/index.html"
+    if [ -d "${LIVE_SESSION_DIR}/mcp-examples" ]; then
+        mkdir -p "${MOUNT_POINT}/usr/local/share/clawdie-iso/mcp-examples"
+        cp -R "${LIVE_SESSION_DIR}/mcp-examples/." \
+            "${MOUNT_POINT}/usr/local/share/clawdie-iso/mcp-examples/"
+        find "${MOUNT_POINT}/usr/local/share/clawdie-iso/mcp-examples" \
+            -type f -exec chmod 0644 {} +
+    fi
    chroot "$MOUNT_POINT" chown -R clawdie:clawdie /home/clawdie/Desktop
    chmod 0755 "${MOUNT_POINT}/home/clawdie/Desktop"
    chmod 0644 \
--- a/docs/POUDRIERE-BUILD-SERVER.md
+++ b/docs/POUDRIERE-BUILD-SERVER.md
@ -231,6 +231,7 @@ This gives us:
 - `colibri-daemon`
 - `colibri-tui`
 - `colibri-smoke-agent`
+- `colibri-mcp`

 All with proper pkg metadata, upgradeable, with dependencies tracked.

--- a/live/operator-session/bootstrap.html
+++ b/live/operator-session/bootstrap.html
@ -89,6 +89,7 @@
          <li>XFCE desktop — dual-monitor, panel, wallpaper</li>
          <li><code>colibri-daemon</code> — agent supervisor, skills catalog, Glasspane state machine</li>
          <li><code>colibri-tui</code> — live ratatui dashboard (agent states, spawn/kill, sessions)</li>
+          <li><code>colibri-mcp</code> — MCP bridge for Zed, Claude Code, Cursor, and other MCP clients</li>
          <li>Firefox browser</li>
          <li>Tailscale package (needs auth key)</li>
          <li><code>pi</code> coding agent harness (npm global)</li>
@ -117,8 +118,14 @@ colibri status
 colibri snapshot           # Glasspane agent states
 colibri list-tasks         # Coordination board
 colibri list-skills        # Skills catalog
+colibri-mcp tools          # MCP bridge, read-only by default
+COLIBRI_MCP_WRITE=1 colibri-mcp tools  # trusted write-capable profile
 colibri create-task --title "check network"
 colibri list-tasks --status queued</pre>
+      <p>
+        MCP client examples are installed under
+        <code>/usr/local/share/clawdie-iso/mcp-examples/</code>.
+      </p>

      <h2>pi assistant</h2>
      <pre>
--- a/live/operator-session/mcp-examples/README.md
+++ b/live/operator-session/mcp-examples/README.md
@ -0,0 +1,94 @@
+# Colibri MCP client examples
+
+The live USB includes `/usr/local/bin/colibri-mcp`, an MCP server that exposes
+Colibri status, glasspane snapshots, task lists, and skills to MCP-capable
+editors/assistants.
+
+Default posture is read-only. Colibri write tools are available only when the
+MCP server process is launched with `COLIBRI_MCP_WRITE=1`. External MCP tool
+calls are available only when launched with `COLIBRI_MCP_EXTERNAL_CALL=1`.
+
+## Generic MCP client config
+
+Most MCP clients accept a config shaped like `mcpServers`. Use one of:
+
+- `mcp-readonly.json` — safe default profile
+- `mcp-trusted-write.json` — explicit trusted profile with Colibri write tools enabled
+- `mcp-external-call.json` — explicit trusted profile for external MCP tool calls
+- `external-mcp.sample.json` — example external MCP server registry
+
+## Quick checks
+
+```sh
+colibri-mcp tools
+COLIBRI_MCP_WRITE=1 colibri-mcp tools
+colibri-mcp socket-path
+COLIBRI_MCP_EXTERNAL_CONFIG=/usr/local/share/clawdie-iso/mcp-examples/external-mcp.sample.json \
+  colibri-mcp tools
+```
+
+## Claude Code example
+
+If your Claude Code version supports `claude mcp add`, adapt:
+
+```sh
+claude mcp add colibri /usr/local/bin/colibri-mcp
+claude mcp add colibri-write --env COLIBRI_MCP_WRITE=1 /usr/local/bin/colibri-mcp
+```
+
+If your version uses a JSON config file instead, copy the matching object from
+`mcp-readonly.json` or `mcp-trusted-write.json`.
+
+## Zed / Cursor example
+
+Zed, Cursor, and other MCP-capable editors may use slightly different config
+file paths or wrapper keys by version. The server object is the important part:
+
+```json
+{
+  "command": "/usr/local/bin/colibri-mcp",
+  "args": [],
+  "env": {}
+}
+```
+
+For a write-capable profile, add:
+
+```json
+{
+  "env": { "COLIBRI_MCP_WRITE": "1" }
+}
+```
+
+Only enable the write profile for trusted workspaces/sessions.
+
+## External MCP server prototype
+
+Newer Colibri builds can also use `colibri-mcp` as a small MCP host/client for
+other stdio MCP servers. Copy the sample registry into the live config path and
+edit it for the servers you actually want:
+
+```sh
+mdo -u root mkdir -p /usr/local/etc/colibri
+mdo -u root cp /usr/local/share/clawdie-iso/mcp-examples/external-mcp.sample.json \
+  /usr/local/etc/colibri/external-mcp.json
+```
+
+Read-only discovery works by default through these tools:
+
+- `colibri_external_mcp_servers`
+- `colibri_external_mcp_list_tools`
+
+Calling external MCP tools requires an explicit trusted profile:
+
+```json
+{
+  "command": "/usr/local/bin/colibri-mcp",
+  "args": [],
+  "env": {
+    "COLIBRI_MCP_EXTERNAL_CALL": "1"
+  }
+}
+```
+
+External MCP tool calls are intentionally separate from `COLIBRI_MCP_WRITE=1`.
--- a/live/operator-session/mcp-examples/external-mcp.sample.json
+++ b/live/operator-session/mcp-examples/external-mcp.sample.json
@ -0,0 +1,16 @@
+{
+  "servers": {
+    "demo": {
+      "command": "/usr/local/bin/demo-mcp-server",
+      "args": ["--stdio"],
+      "env": {
+        "DEMO_MODE": "1"
+      }
+    },
+    "filesystem-example": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/clawdie"],
+      "env": {}
+    }
+  }
+}
--- a/live/operator-session/mcp-examples/mcp-external-call.json
+++ b/live/operator-session/mcp-examples/mcp-external-call.json
@ -0,0 +1,11 @@
+{
+  "mcpServers": {
+    "colibri-external-call": {
+      "command": "/usr/local/bin/colibri-mcp",
+      "args": [],
+      "env": {
+        "COLIBRI_MCP_EXTERNAL_CALL": "1"
+      }
+    }
+  }
+}
--- a/live/operator-session/mcp-examples/mcp-readonly.json
+++ b/live/operator-session/mcp-examples/mcp-readonly.json
@ -0,0 +1,9 @@
+{
+  "mcpServers": {
+    "colibri": {
+      "command": "/usr/local/bin/colibri-mcp",
+      "args": [],
+      "env": {}
+    }
+  }
+}
--- a/live/operator-session/mcp-examples/mcp-trusted-write.json
+++ b/live/operator-session/mcp-examples/mcp-trusted-write.json
@ -0,0 +1,11 @@
+{
+  "mcpServers": {
+    "colibri-write": {
+      "command": "/usr/local/bin/colibri-mcp",
+      "args": [],
+      "env": {
+        "COLIBRI_MCP_WRITE": "1"
+      }
+    }
+  }
+}
--- a/scripts/stage-colibri-iso.sh
+++ b/scripts/stage-colibri-iso.sh
@ -61,6 +61,7 @@ mkdir -p "${BIN_DIR}" "${RC_DIR}" "${ETC_DIR}" "${NEWSYSLOG_DIR}" "${DB_DIR}" "$
 copy_bin colibri-daemon
 copy_bin colibri
 copy_bin colibri-smoke-agent
+copy_bin colibri-mcp

 if [ "${COLIBRI_STAGE_INCLUDE_TUI}" != "0" ] && [ -x "${COLIBRI_ARTIFACT_DIR}/colibri-tui" ]; then
    copy_bin colibri-tui
@ -142,6 +143,8 @@ Runtime validation:
  colibri status
  colibri create-task --title "iso smoke"
  colibri list-tasks --status queued
+  colibri-mcp tools
+  COLIBRI_MCP_WRITE=1 colibri-mcp tools   # trusted write-capable MCP profile
  service colibri_daemon stop
 EOF

--- a/skills/iso-build/SKILL.md
+++ b/skills/iso-build/SKILL.md
@ -151,11 +151,13 @@ cargo build --workspace --release
 ls -lh target/release/colibri-daemon \
       target/release/colibri \
       target/release/colibri-smoke-agent \
+       target/release/colibri-mcp \
       target/release/colibri-tui

 file target/release/colibri-daemon \
     target/release/colibri \
     target/release/colibri-smoke-agent \
+     target/release/colibri-mcp \
     target/release/colibri-tui

 target/release/colibri --help | head
@ -183,8 +185,9 @@ cargo clean
 rm -rf /tmp/colibri-*
 ```

-`colibri-tui` is optional in the staging script, but desired for this operator
-USB target and should be verified with the other three binaries.
+`colibri-mcp` is part of the out-of-the-box operator USB. `colibri-tui` is
+optional in the staging script, but desired for this operator USB target and
+should be verified with the required binaries.

 ### Deployed-system Clawdie service boundary