---
name: iso-flash-verify
description: Verify a published Clawdie operator USB artifact manifest, download and checksum the image, confirm the whole-disk USB target, flash it, and emit a Colibri flash manifest.
---

# iso-flash-verify

Use this skill for the Hermes USB/IMG Deployer lane. It consumes a published
`clawdie.iso.publish.v1` manifest and produces a `clawdie.iso.flash.v1`
manifest. Do not run it from this ISO developer host unless the operator
explicitly reassigns flashing.

## Safety rules

- Never flash from terminal scrollback alone; start from a manifest URL or path.
- Verify the SHA256 and run `xz -t` before writing bytes.
- Flash only a whole disk such as `/dev/sdX` or `/dev/daX`, never a partition
  such as `/dev/sdX1`.
- Record the selected device model, serial, and size before flashing.
- Abort if the target is smaller than the raw image size in the manifest.

## Manifest output

Write the result to:

```sh
tmp/colibri/iso-flash/<run_id>.json
tmp/colibri/iso-flash/latest.json
```

Schema: `clawdie.iso.flash.v1`. See `docs/ISO-MANIFESTS.md`.

## 1. Select the publish manifest

Set one of these:

```sh
MANIFEST_URL="https://osa.smilepowered.org/downloads/iso/<image>.manifest.json"
```

or:

```sh
MANIFEST_PATH="tmp/output/<image>.manifest.json"
```

## 2. Download artifacts

For a URL-based handoff:

```sh
mkdir -p tmp/flash-downloads
curl -fL -o tmp/flash-downloads/publish.manifest.json "$MANIFEST_URL"
```

Read the manifest and download the `image_url` and `sha256_url` it names. If
`jq` is available:

```sh
IMAGE_URL="$(jq -r .image_url tmp/flash-downloads/publish.manifest.json)"
SHA_URL="$(jq -r .sha256_url tmp/flash-downloads/publish.manifest.json)"
curl -fL -O --output-dir tmp/flash-downloads "$IMAGE_URL"
curl -fL -O --output-dir tmp/flash-downloads "$SHA_URL"
```

## 3. Verify checksum and xz integrity

```sh
cd tmp/flash-downloads
sha256sum -c "$(basename "$SHA_URL")"
xz -t "$(basename "$IMAGE_URL")"
cd -
```

If the checksum file is in FreeBSD `sha256(1)` format, compare manually:

```sh
sha256sum tmp/flash-downloads/*.img.xz
cat tmp/flash-downloads/*.img.xz.sha256
```

## 4. Identify the whole-disk target

On Linux:

```sh
lsblk -o NAME,TYPE,SIZE,MODEL,SERIAL,TRAN,RM,MOUNTPOINTS
```

Unmount any mounted partitions from the selected removable disk. Confirm the
whole-disk path with the operator before writing.

## 5. Flash

Example for Linux, replacing `/dev/sdX` with the confirmed whole disk:

```sh
xz -dc tmp/flash-downloads/<image>.img.xz | dd of=/dev/sdX bs=4M status=progress conv=fsync && sync
sync
```

## 6. Emit flash manifest

Record pass/fail checks, the artifact URLs, selected target disk facts, flash
command summary, and completion time in `clawdie.iso.flash.v1`. Print the
manifest path and a one-line summary for Colibri ingestion.