clawdie-iso/live
Sam & Claude 0cd59efa6d feat(firstboot): force root + operator password on first boot (console gate)
Adds clawdie_firstboot_rootpw, an rc.d gate ordered BEFORE sddm and
colibri_daemon. On the text console (operator present at first boot) it runs a
15s countdown to engage; if engaged it forces a root AND operator (clawdie)
password, echo-off, applied via 'pw usermod -h 0' over stdin (secret never in
argv/ps, never near the agent). Idempotent via a persistent success marker
/var/db/colibri/.secured (/var persists: varmfs=NO). Skipping leaves the node
open and re-prompts next boot — never bricks an unattended/headless boot.

Running before the daemon means the security decision is always made before any
agent can autospawn/node_register, so no cross-component interlock is needed
(rc ordering replaces it). The .secured marker is also the signal a future
colibri change can read to label an unsecured node to mother.

Tests: tests/firstboot-rootpw-test.sh proves marker skip, password validation,
and that the secret is delivered on stdin and NEVER appears in argv (10/10).

Console interactivity (read -t countdown, stty echo-off on /dev/console) must be
verified by booting on osa/bhyve before merge.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 05:54:13 +02:00
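The console gate the commit message describes, written out as an added POSIX sh illustration that is not the project's own clawdie_firstboot_rootpw rc.d script: the persistent marker check, a validation step, and delivery of the secret to `pw usermod -h 0` on stdin so it never enters argv. PW_CMD, SECURED_MARKER and OPERATOR_USER are assumed overrides, the non-empty/matching validation rule is an assumption (the commit names no rule), and the script assumes it is run with stdin/stdout already on the console (the rc.d wrapper and /dev/console redirection are left out).

```shell
#!/bin/sh
# Added illustration of the gate the commit describes; it is not the project's
# clawdie_firstboot_rootpw rc.d script. PW_CMD, SECURED_MARKER and OPERATOR_USER
# are assumed overrides so the logic can be exercised against a stub for pw(8).
: "${PW_CMD:=pw}"
: "${SECURED_MARKER:=/var/db/colibri/.secured}"
: "${OPERATOR_USER:=clawdie}"

# Hand the secret to pw(8) on stdin: 'pw usermod USER -h 0' reads the new
# password from fd 0, so it never appears in argv (and therefore never in ps).
# $1 = account; the secret arrives on this function's own stdin.
set_password() {
    "$PW_CMD" usermod "$1" -h 0
}

# Assumed validation policy (the commit states none): non-empty and the two
# entries match.
validate_password() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Read the password twice from the console with echo off; prompts go to stderr
# so only the validated secret reaches the caller's command substitution.
read_password_twice() {
    stty -echo
    printf 'New root/%s password: ' "$OPERATOR_USER" >&2; read -r p1; echo >&2
    printf 'Repeat: ' >&2; read -r p2; echo >&2
    stty echo
    validate_password "$p1" "$p2" || return 1
    printf '%s\n' "$p1"   # printf is a shell builtin: no separate process, no argv
}

# Idempotent gate. Returns 0 when the node is secured (now or earlier), 1 when
# the operator skipped: the node stays open and is re-prompted on the next boot.
first_boot_gate() {
    [ -e "$SECURED_MARKER" ] && return 0
    printf 'Press Enter within 15s to set root and %s passwords: ' "$OPERATOR_USER"
    if ! read -r -t 15 _answer; then
        echo; echo 'No operator present, leaving node open until next boot.'
        return 1
    fi
    secret=$(read_password_twice) || { echo 'Empty or mismatched, skipping.'; return 1; }
    for u in root "$OPERATOR_USER"; do
        printf '%s\n' "$secret" | set_password "$u" || return 1
    done
    mkdir -p "$(dirname "$SECURED_MARKER")" && : > "$SECURED_MARKER"
}
```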