Turns the manual Phase 2–3 runbook (docs/POUDRIERE-BUILD-SERVER.md) into
repeatable, idempotent steps for the mother-build host — the package half of
the trusted supply chain (layered-soul HIVE-ONBOARDING §10).
- poudriere-setup.sh: verify-then-act setup. Validates root, FreeBSD version
format, pkg/openssl, and that the ZFS pool exists BEFORE acting; then installs
poudriere, generates the repo signing key (0400), writes poudriere.conf (only
if absent), and creates the build jail + ports tree. Re-running skips anything
already present.
- poudriere-build.sh: validates jail, ports tree, and each origin (category/name
+ Makefile present) before `poudriere bulk`; repo is signed automatically via
PKG_REPO_SIGNING_KEY.
- clawdie-repo.conf.in: client repo template (signature_type pubkey) + the
first-party-only priority note.
- README.md: the three-step flow and conventions.
Style matches live/operator-session/hw-report: POSIX sh, set -u, fixed PATH,
strict arg parsing, minimal checks (only what is acted upon). Host provisioning
(ZFS/base/network) stays in the runbook — these assume a FreeBSD host with a
pool. sh -n clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
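Added illustration (not the project's poudriere-setup.sh or poudriere-build.sh) of the verify-then-act, re-run-safe pattern the commit message describes: an origin is accepted only if it has the category/name shape and a Makefile under the ports tree, a config file is written only if absent, and the signing-key file ends up mode 0400. The function names, the temporary ports tree used for the demonstration, and the placeholder key contents are assumptions of this example; the real scripts generate the key with openssl.

```shell
#!/bin/sh
# Example only: mirrors the conventions named in the commit message
# (POSIX sh, set -u, fixed PATH, check before acting, skip what exists).
set -u
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

# Return 0 only if ORIGIN is exactly category/name and
# PORTSDIR/ORIGIN/Makefile exists (the per-origin check before `poudriere bulk`).
check_origin() {
    portsdir=$1
    origin=$2
    case $origin in
        */*/*|/*|*/|'') return 1 ;;   # more than one slash, or an empty part
        */*) ;;                        # exactly one slash: category/name
        *) return 1 ;;                 # no slash at all
    esac
    [ -f "$portsdir/$origin/Makefile" ]
}

# Write CONF with CONTENT only if CONF is absent. Re-running never overwrites
# an operator-edited file. Returns 0 when present or written, 2 on write failure.
write_conf_if_absent() {
    conf=$1
    content=$2
    if [ -e "$conf" ]; then
        return 0
    fi
    printf '%s\n' "$content" > "$conf" || return 2
}

# Ensure FILE exists and is mode 0400, as the repo signing key must be.
# Assumption: key material is simulated with a placeholder string here so the
# example runs without openssl; the real setup generates a private key.
ensure_private_file() {
    f=$1
    if [ ! -f "$f" ]; then
        ( umask 077 && printf 'PLACEHOLDER-NOT-A-KEY\n' > "$f" ) || return 2
    fi
    chmod 0400 "$f" || return 2
    # Verify the mode actually took effect (GNU stat first, BSD stat fallback).
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "400" ]
}
```

Each function verifies its precondition first and acts only on what is missing, so running the whole sequence twice is a no-op the second time; a failed check returns non-zero so the caller can stop before `poudriere bulk` is ever reached.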