clawdie/colibri
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 48

docs(mother): add Python deps + RPC_PROMPT to first-run checklist
Some checks failed
CI / port (pull_request) Has been cancelled
Details
CI / agent-jail-pkgs (pull_request) Has been cancelled
Details
CI / rust (pull_request) Has been cancelled
Details
CI / markdown (pull_request) Has been cancelled
Details

Browse source
This commit is contained in:
Sam & Claude 2026-06-24 19:19:08 +02:00
parent 655b15f2f2
commit 8f2f7993ff
1 changed files with 29 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
packaging/mother/MOTHER-SETUP.md
View file

@ -113,14 +113,22 @@ copy. `setup-mother.sh` overwrites it, but record what was there:
ls -l /usr/local/bin/node-register-mcp 2>/dev/null || echo "(none installed yet)"
```
**3. Run the canonical setup.** Copy the printed private key straight to the
node seed (step 8) — do not leave it in shell scrollback or a logged session.
**3. Install Python dependencies for MCP servers.** `geodesic-dome-mcp` needs
numpy and Pillow at runtime. Install them before running setup so the MCP tool
is functional immediately:
```sh
sudo pkg install -y py311-numpy py311-Pillow
```
**4. Run the canonical setup.** Copy the printed private key straight to the
node seed (step 9) — do not leave it in shell scrollback or a logged session.
```sh
sudo ./packaging/mother/setup-mother.sh
```
**4. The installed `node-register-mcp` is the hardened version.**
**5. The installed `node-register-mcp` is the hardened version.**
The safe tool uses parameterized `psql -v :'var'` against `hive_nodes`; the old
one used `E'${...}'` string interpolation (SQL-injectable). Verify:
@ -129,7 +137,7 @@ grep -c "E'" /usr/local/bin/node-register-mcp # expect 0
grep -c hive_nodes /usr/local/bin/node-register-mcp # expect > 0
```
**5. The schema migrated, data preserved.** On an existing DB, `usb_nodes`
**6. The schema migrated, data preserved.** On an existing DB, `usb_nodes`
should be renamed to `hive_nodes` (not duplicated), with the `node_type` column:
```sh
@ -138,7 +146,7 @@ sudo -u postgres psql -d mother_hive -c "SELECT to_regclass('public.hive_nodes')
sudo -u postgres psql -d mother_hive -c "\d hive_nodes" | grep node_type # column present
```
**6. Peer auth works for the `colibri` role.** This is what `node-register-mcp`
**7. Peer auth works for the `colibri` role.** This is what `node-register-mcp`
relies on (no password):
```sh
@ -152,7 +160,7 @@ any generic `local all all` line (pg_hba is first-match):
HBA=$(sudo -u postgres psql -tAc 'SHOW hba_file'); sudo grep -n 'mother_hive .*colibri .*peer' "$HBA"
```
**7. External MCP registry has all three servers** (jq-merge preserved any
**8. External MCP registry has all three servers** (jq-merge preserved any
existing entries):
```sh
@ -160,7 +168,7 @@ jq '.servers | keys' /usr/local/etc/colibri/external-mcp.json
# expect: build-colibri (mother-build) / geodesic-dome / node-register present
```
**8. The SSH forced-command boundary allowlists.** A non-allowlisted command
**9. The SSH forced-command boundary allowlists.** A non-allowlisted command
must be rejected, not run:
```sh
@ -168,18 +176,29 @@ ssh colibri@localhost 'rm -rf /' # expect: rejected (exit 1), nothing runs
ssh colibri@localhost tools # expect: MCP tool list
```
**9. Daemon picked up the env and is live:**
**10. Daemon picked up the env and is live:**
```sh
grep -E 'COLIBRI_AUTOSPAWN|COLIBRI_MCP_EXTERNAL_CALL' /usr/local/etc/colibri/provider.env
service colibri_daemon status
```
**10. End-to-end (optional, with a real DEEPSEEK key present):** register a
**11. COLIBRI_AUTOSPAWN_RPC_PROMPT for spawned zot agents.** When a
USB node spawns a zot agent, the agent needs to call `node_register` on
boot. Set this in `provider.env` so autospawned zot processes pick it up:
```sh
grep -q 'COLIBRI_AUTOSPAWN_RPC_PROMPT' /usr/local/etc/colibri/provider.env || \
echo 'COLIBRI_AUTOSPAWN_RPC_PROMPT="call node_register with current hw-probe output"' \
| tee -a /usr/local/etc/colibri/provider.env
service colibri_daemon restart
```
**12. End-to-end (optional, with a real DEEPSEEK key present):** register a
sample node and confirm the `derive_capabilities()` trigger populated
`capabilities` — see the [Verification](#verification) section below.
**11. Key hygiene:** the mother-mcp private key from step 3 is on the node seed
**13. Key hygiene:** the mother-mcp private key from step 4 is on the node seed
(`CLAWDIESEED/colibri/ssh/mother-mcp`) and nowhere else persistent. See
[Key management](#key-management).