From e5aceb47568b41217d3d830fd40fd18c0f1d9f8a Mon Sep 17 00:00:00 2001
From: Sam & Claude <hello@clawdie.si>
Date: Sun, 14 Jun 2026 23:24:41 +0200
Subject: [PATCH 1/2] docs: keep live rebuild lane action-focused (Sam & Codex)

Remove historical fix-it wording from the live rebuild runbook and make ISO staging validate the corrected Colibri rc.d contract directly instead of rewriting older variants.\n\nChecks: npx --yes prettier@3 --check docs/LIVE-COLIBRI-REBUILD.md; sh -n scripts/stage-colibri-iso.sh; fake Colibri staging + sh -n staged rc.d script; git diff --check.
---
 docs/LIVE-COLIBRI-REBUILD.md | 16 +++++------
 scripts/stage-colibri-iso.sh | 53 ++++++++----------------------------
 2 files changed, 19 insertions(+), 50 deletions(-)

diff --git a/docs/LIVE-COLIBRI-REBUILD.md b/docs/LIVE-COLIBRI-REBUILD.md
index d91f2a7d..b6da912c 100644
--- a/docs/LIVE-COLIBRI-REBUILD.md
+++ b/docs/LIVE-COLIBRI-REBUILD.md
@@ -132,9 +132,8 @@ mdo -u root service colibri_daemon start
 ```
 
 `service colibri_daemon start` should return to the shell after a few seconds. If
-it stays in the foreground, check that the rc.d script uses
-`colibri_daemon_binary`, not `colibri_daemon_program`, and that `command=` is
-`/usr/sbin/daemon`.
+it does not, stop the command, collect the service file and daemon log, and hand
+those back through git before continuing.
 
 ## Validate runtime
 
@@ -197,15 +196,16 @@ mdo -u root service colibri_daemon restart
 Sanity checks:
 
 ```sh
-grep -n 'colibri_daemon_program\|colibri_daemon_binary\|^command=\|^command_args=' /usr/local/etc/rc.d/colibri_daemon
+sh -n /usr/local/etc/rc.d/colibri_daemon
+service colibri_daemon status
+colibri status
 ```
 
 Expected:
 
-- `colibri_daemon_binary` exists.
-- `command="/usr/sbin/daemon"` exists.
-- no `colibri_daemon_program` remains.
-- no `-u ${colibri_daemon_user}` remains in `command_args`.
+- the rc.d script has valid shell syntax.
+- `service colibri_daemon start` returns to the shell.
+- `colibri status` can connect to `/var/run/colibri/colibri.sock`.
 
 ## Future ISO improvement
 
diff --git a/scripts/stage-colibri-iso.sh b/scripts/stage-colibri-iso.sh
index 11abd799..fdc78c36 100755
--- a/scripts/stage-colibri-iso.sh
+++ b/scripts/stage-colibri-iso.sh
@@ -71,51 +71,20 @@ install -m 0555 "${RC_SOURCE}" "${RC_DIR}/colibri_daemon"
 install -m 0644 "${NEWSYSLOG_SOURCE}" "${NEWSYSLOG_DIR}/colibri.conf"
 
 if ! grep -q '^command="/usr/sbin/daemon"' "${RC_DIR}/colibri_daemon" || \
-   ! grep -Eq -- '-o .*colibri_daemon_(program|binary)' "${RC_DIR}/colibri_daemon"; then
-    echo "ERROR: staged colibri_daemon rc.d script does not supervise colibri-daemon with daemon(8)" >&2
-    echo "       Update COLIBRI_REPO (${COLIBRI_REPO}) before building; the live USB must not block boot in rc.d." >&2
+   ! grep -q -- '-o .*colibri_daemon_binary' "${RC_DIR}/colibri_daemon" || \
+   ! grep -q 'rm -f "${colibri_daemon_socket}" "${pidfile}" "${supervisor_pidfile}"' "${RC_DIR}/colibri_daemon" || \
+   ! grep -q 'chmod 644 "${pidfile}"' "${RC_DIR}/colibri_daemon" || \
+   ! grep -q 'chmod 660 "${colibri_daemon_socket}"' "${RC_DIR}/colibri_daemon"; then
+    echo "ERROR: staged colibri_daemon rc.d script is missing required live USB supervision hooks" >&2
+    echo "       Update COLIBRI_REPO (${COLIBRI_REPO}) before building." >&2
     exit 66
 fi
 
-# Fix procname: the upstream procname="/usr/sbin/daemon" doesn't match
-# daemon(8)'s process title ("daemon: name[pid] (daemon)"). Match the
-# first word instead. Since check_pidfile uses the pidfile (PID-scoped),
-# there's no collision with other daemon(8) instances.
-sed -i '' 's/^procname="\/usr\/sbin\/daemon"$/procname="daemon:"/' \
-    "${RC_DIR}/colibri_daemon"
-
-# Fix ${name}_program override: rc.subr line 1120 silently replaces
-# command= with ${name}_program if set, so colibri_daemon_program=
-# overrode command="/usr/sbin/daemon" — daemon(8) was never invoked.
-# Rename the variable so rc.subr leaves command= alone. Newer Colibri sources
-# may already use colibri_daemon_binary; this replacement is intentionally
-# harmless when there is no old variable left.
-sed -i '' 's/colibri_daemon_program/colibri_daemon_binary/g' \
-    "${RC_DIR}/colibri_daemon"
-
-# Remove -u from daemon(8) args: rc.subr already runs as colibri via su,
-# so daemon(8)'s own privilege drop double-drops and fails with
-# "failed to set user environment".
-sed -i '' 's/ -u \${colibri_daemon_user} //' \
-    "${RC_DIR}/colibri_daemon"
-
-# Fix pidfile permissions: daemon(8) -P creates the pidfile as 0600
-# owned by the target user, which blocks non-root users (clawdie) from
-# running 'service colibri_daemon status'. Chmod in poststart.
-# Use awk instead of sed append syntax: BSD sed's multi-line append form is
-# easy to get wrong and can corrupt the rc.d script by appending to every line.
-# Newer Colibri sources may already carry these chmods; do not duplicate them.
-if ! grep -q 'chmod 644 "${pidfile}"' "${RC_DIR}/colibri_daemon"; then
-    _rc_tmp="${RC_DIR}/colibri_daemon.tmp"
-    awk '
-        { print }
-        /socket ready/ {
-            print "    chmod 644 \"${pidfile}\" 2>/dev/null || true"
-            print "    chmod 660 \"${colibri_daemon_socket}\" 2>/dev/null || true"
-        }
-    ' "${RC_DIR}/colibri_daemon" > "${_rc_tmp}"
-    mv "${_rc_tmp}" "${RC_DIR}/colibri_daemon"
-    chmod 0555 "${RC_DIR}/colibri_daemon"
+if grep -q 'colibri_daemon_program' "${RC_DIR}/colibri_daemon" || \
+   grep -q -- '-u \${colibri_daemon_user}' "${RC_DIR}/colibri_daemon"; then
+    echo "ERROR: staged colibri_daemon rc.d script has unsupported live USB command wiring" >&2
+    echo "       Update COLIBRI_REPO (${COLIBRI_REPO}) before building." >&2
+    exit 66
 fi
 
 # Add DeepSeek API key and cache warming to daemon environment.
-- 
2.45.3


From 1f8e1f0614082f9491ececc31108c51750907eb5 Mon Sep 17 00:00:00 2001
From: Sam & Claude <hello@clawdie.si>
Date: Sun, 14 Jun 2026 23:25:22 +0200
Subject: [PATCH 2/2] docs: remove legacy rc wording from staging checks (Sam &
 Codex)

Keep staging validation focused on the current rc.d contract and avoid legacy variable references in the live rebuild lane branch.\n\nChecks: sh -n scripts/stage-colibri-iso.sh; fake Colibri staging + sh -n staged rc.d script; git diff --check.
---
 scripts/stage-colibri-iso.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/scripts/stage-colibri-iso.sh b/scripts/stage-colibri-iso.sh
index fdc78c36..7d258122 100755
--- a/scripts/stage-colibri-iso.sh
+++ b/scripts/stage-colibri-iso.sh
@@ -80,8 +80,7 @@ if ! grep -q '^command="/usr/sbin/daemon"' "${RC_DIR}/colibri_daemon" || \
     exit 66
 fi
 
-if grep -q 'colibri_daemon_program' "${RC_DIR}/colibri_daemon" || \
-   grep -q -- '-u \${colibri_daemon_user}' "${RC_DIR}/colibri_daemon"; then
+if grep -q -- '-u \${colibri_daemon_user}' "${RC_DIR}/colibri_daemon"; then
     echo "ERROR: staged colibri_daemon rc.d script has unsupported live USB command wiring" >&2
     echo "       Update COLIBRI_REPO (${COLIBRI_REPO}) before building." >&2
     exit 66
-- 
2.45.3