diff --git a/build.sh b/build.sh
index 584be5e2..e1d4cd31 100755
--- a/build.sh
+++ b/build.sh
@@ -511,12 +511,25 @@ write_build_manifest() {
 _tailscale_auth_key_baked="${TAILSCALE_AUTH_KEY_BAKED:-false}"
 if command -v git >/dev/null 2>&1 && git -C "$SCRIPT_DIR" rev-parse --git-dir >/dev/null 2>&1; then
 _iso_repo_commit=$(git -C "$SCRIPT_DIR" rev-parse HEAD 2>/dev/null || echo unknown)
- if git -C "$SCRIPT_DIR" diff --quiet 2>/dev/null && git -C "$SCRIPT_DIR" diff --cached --quiet 2>/dev/null; then
+ if [ -z "$(git -C "$SCRIPT_DIR" status --porcelain 2>/dev/null)" ]; then
 _iso_repo_modified="false"
 else
 _iso_repo_modified="true"
 fi
 fi
+ # Clawdie-AI provenance: the image stages a git checkout of the AI source,
+ # so record whether the tree is modified at build time.
+ _clawdie_ai_modified="null"
+ if command -v git >/dev/null 2>&1; then
+ resolve_clawdie_ai_repo
+ if git -C "${_resolved_clawdie_ai_repo}" rev-parse --git-dir >/dev/null 2>&1; then
+ if [ -z "$(git -C "${_resolved_clawdie_ai_repo}" status --porcelain 2>/dev/null)" ]; then
+ _clawdie_ai_modified="false"
+ else
+ _clawdie_ai_modified="true"
+ fi
+ fi
+ fi
 if [ -n "${LIVE_SSH_PUBKEY_FP:-}" ]; then
 _live_ssh_pubkey_fp_json="\"$(json_escape "${LIVE_SSH_PUBKEY_FP}")\""
 fi
@@ -528,8 +541,7 @@ write_build_manifest() {
 resolve_colibri_paths
 if git -C "${_resolved_colibri_repo}" rev-parse --git-dir >/dev/null 2>&1; then
 _colibri_commit=$(git -C "${_resolved_colibri_repo}" rev-parse HEAD 2>/dev/null || echo unknown)
- if git -C "${_resolved_colibri_repo}" diff --quiet 2>/dev/null && \
- git -C "${_resolved_colibri_repo}" diff --cached --quiet 2>/dev/null; then
+ if [ -z "$(git -C "${_resolved_colibri_repo}" status --porcelain 2>/dev/null)" ]; then
 _colibri_modified="false"
 else
 _colibri_modified="true"
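Review bot: The new `[ -z "$(git -C "$SCRIPT_DIR" status --porcelain 2>/dev/null)" ]` test reports a clean tree whenever git itself fails, because a non-zero exit leaves the substitution empty and stderr is discarded, whereas the replaced `diff --quiet && diff --cached --quiet` form fell through to "true" on any error; for a provenance field recorded in the build manifest that is the wrong default. Capture the exit status together with the output, e.g. `if _st=$(git -C "$SCRIPT_DIR" status --porcelain 2>/dev/null) && [ -z "$_st" ]; then`, and do the same for the `_clawdie_ai_modified` check added below it. The colibri and zot hunks later in this function have the same shape, as does the `_repo_modified` check in seed_live_ai_source_repo (there with `-n`, so a failed git yields `_repo_modified=false`). Note also that `status --porcelain` lists untracked files, so the flag now flips on untracked files that the old diff-based checks ignored; presumably intended, but worth a word in the comment so the stricter meaning is not "fixed" back later. write_build_manifest continues outside the hunk.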
@@ -541,8 +553,7 @@ write_build_manifest() {
 if [ "${FEATURE_COLIBRI:-NO}" = "YES" ] && [ "${COLIBRI_STAGE_AGENT:-YES}" = "YES" ]; then
 resolve_zot_paths
 if command -v git >/dev/null 2>&1 && git -C "${_resolved_zot_repo}" rev-parse --git-dir >/dev/null 2>&1; then
- if git -C "${_resolved_zot_repo}" diff --quiet 2>/dev/null && \
- git -C "${_resolved_zot_repo}" diff --cached --quiet 2>/dev/null; then
+ if [ -z "$(git -C "${_resolved_zot_repo}" status --porcelain 2>/dev/null)" ]; then
 _zot_modified="false"
 else
 _zot_modified="true"
@@ -564,6 +575,7 @@ write_build_manifest() {
 "freebsd_arch": "$(json_escape "${FREEBSD_ARCH}")",
 "clawdie_ai_ref": "$(json_escape "${CLAWDIE_REF}")",
 "clawdie_ai_commit": "$(json_escape "${CLAWDIE_AI_COMMIT:-unknown}")",
+ "clawdie_ai_modified": ${_clawdie_ai_modified:-null},
 "live_ssh_pubkey_fp": ${_live_ssh_pubkey_fp_json},
 "tailscale_auth_key_baked": ${_tailscale_auth_key_baked},
 "iso_repo_commit": "$(json_escape "${_iso_repo_commit}")",
@@ -871,7 +883,10 @@ install_colibri_service() {
 /var/db/colibri \
 /var/run/colibri \
 /var/log/colibri
- chmod 0755 \
+ # 0750 matches the rc.d prestart (install -d -m 0750); the daemon dirs hold
+ # the SQLite DB and logs and should not be world-readable. The operator
+ # reaches them via the colibri group, not "other".
+ chmod 0750 \
 "${MOUNT_POINT}/var/db/colibri" \
 "${MOUNT_POINT}/var/run/colibri" \
 "${MOUNT_POINT}/var/log/colibri"
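Review bot: `chmod 0750` on the three colibri directories only achieves what the new comment describes if their owner and group are the daemon user and the colibri group; no chown/chgrp is visible in this hunk, and a root-owned 0750 directory would lock out both the daemon and the operator the comment says reaches them via the group. If ownership is set elsewhere (the rc.d prestart the comment cites, or earlier in install_colibri_service), a pointer would help, e.g. `# ownership (<daemon-user>:colibri) is applied by <where>`; otherwise add a `chown <daemon-user>:colibri` over the same three paths next to the chmod. install_colibri_service starts and ends outside the hunk.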
@@ -890,7 +905,7 @@ install_colibri_service() {
 set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_db_path="/var/db/colibri/colibri.sqlite"'
 set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_logfile="/var/log/colibri/daemon.log"'
 set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_provider_env="/usr/local/etc/colibri/provider.env"'
- set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_host="$(hostname)"'
+ set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_host="$(/bin/hostname)"'
 set_config_line "${MOUNT_POINT}/etc/rc.conf" "colibri_daemon_cost_mode=\"${COLIBRI_COST_MODE:-smart}\""
 if [ ! -x "${MOUNT_POINT}/usr/local/bin/colibri-daemon" ] || \
@@ -1148,7 +1163,7 @@ seed_live_ai_source_repo() {
 printf '%s\n' '.clawdie-source.json' >> "${_repo_dest}/.git/info/exclude"
 _repo_modified=false
- if ! git -C "${_repo_src}" diff --quiet 2>/dev/null || ! git -C "${_repo_src}" diff --cached --quiet 2>/dev/null; then
+ if [ -n "$(git -C "${_repo_src}" status --porcelain 2>/dev/null)" ]; then
 _repo_modified=true
 fi
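Review bot: The reason for `$(/bin/hostname)` over `$(hostname)` is not recorded in the hunk; since the value is written into rc.conf inside single quotes, the substitution is evaluated on the target every time rc.conf is sourced, and the absolute path presumably avoids depending on PATH at that point. A one-line comment above the `set_config_line` would keep a later edit from reverting it, e.g. `# absolute path: the substitution runs when rc.conf is sourced at boot, before PATH is guaranteed`. install_colibri_service continues outside the hunk.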