From 8f2f7993ff3fd5a8c8df8e3ede74911c7b3dba91 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Wed, 24 Jun 2026 19:19:08 +0200 Subject: [PATCH] docs(mother): add Python deps + RPC_PROMPT to first-run checklist --- packaging/mother/MOTHER-SETUP.md | 39 ++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 10 deletions(-) diff --git a/packaging/mother/MOTHER-SETUP.md b/packaging/mother/MOTHER-SETUP.md index 7a7721c..b43612d 100644 --- a/packaging/mother/MOTHER-SETUP.md +++ b/packaging/mother/MOTHER-SETUP.md @@ -113,14 +113,22 @@ copy. `setup-mother.sh` overwrites it, but record what was there: ls -l /usr/local/bin/node-register-mcp 2>/dev/null || echo "(none installed yet)" ``` -**3. Run the canonical setup.** Copy the printed private key straight to the -node seed (step 8) — do not leave it in shell scrollback or a logged session. +**3. Install Python dependencies for MCP servers.** `geodesic-dome-mcp` needs +numpy and Pillow at runtime. Install them before running setup so the MCP tool +is functional immediately: + +```sh +sudo pkg install -y py311-numpy py311-Pillow +``` + +**4. Run the canonical setup.** Copy the printed private key straight to the +node seed (step 9) — do not leave it in shell scrollback or a logged session. ```sh sudo ./packaging/mother/setup-mother.sh ``` -**4. The installed `node-register-mcp` is the hardened version.** +**5. The installed `node-register-mcp` is the hardened version.** The safe tool uses parameterized `psql -v :'var'` against `hive_nodes`; the old one used `E'${...}'` string interpolation (SQL-injectable). Verify: @@ -129,7 +137,7 @@ grep -c "E'" /usr/local/bin/node-register-mcp # expect 0 grep -c hive_nodes /usr/local/bin/node-register-mcp # expect > 0 ``` -**5. The schema migrated, data preserved.** On an existing DB, `usb_nodes` +**6. The schema migrated, data preserved.** On an existing DB, `usb_nodes` should be renamed to `hive_nodes` (not duplicated), with the `node_type` column: ```sh 
@@ -138,7 +146,7 @@ sudo -u postgres psql -d mother_hive -c "SELECT to_regclass('public.hive_nodes') sudo -u postgres psql -d mother_hive -c "\d hive_nodes" | grep node_type # column present ``` -**6. Peer auth works for the `colibri` role.** This is what `node-register-mcp` +**7. Peer auth works for the `colibri` role.** This is what `node-register-mcp` relies on (no password): ```sh @@ -152,7 +160,7 @@ any generic `local all all` line (pg_hba is first-match): HBA=$(sudo -u postgres psql -tAc 'SHOW hba_file'); sudo grep -n 'mother_hive .*colibri .*peer' "$HBA" ``` -**7. External MCP registry has all three servers** (jq-merge preserved any +**8. External MCP registry has all three servers** (jq-merge preserved any existing entries): ```sh @@ -160,7 +168,7 @@ jq '.servers | keys' /usr/local/etc/colibri/external-mcp.json # expect: build-colibri (mother-build) / geodesic-dome / node-register present ``` -**8. The SSH forced-command boundary allowlists.** A non-allowlisted command +**9. The SSH forced-command boundary allowlists.** A non-allowlisted command must be rejected, not run: ```sh 
@@ -168,18 +176,29 @@ ssh colibri@localhost 'rm -rf /' # expect: rejected (exit 1), nothing runs ssh colibri@localhost tools # expect: MCP tool list ``` -**9. Daemon picked up the env and is live:** +**10. Daemon picked up the env and is live:** ```sh grep -E 'COLIBRI_AUTOSPAWN|COLIBRI_MCP_EXTERNAL_CALL' /usr/local/etc/colibri/provider.env service colibri_daemon status ``` -**10. End-to-end (optional, with a real DEEPSEEK key present):** register a +**11. COLIBRI_AUTOSPAWN_RPC_PROMPT for spawned zot agents.** When a +USB node spawns a zot agent, the agent needs to call `node_register` on +boot. Set this in `provider.env` so autospawned zot processes pick it up: + +```sh +grep -q 'COLIBRI_AUTOSPAWN_RPC_PROMPT' /usr/local/etc/colibri/provider.env || \ + echo 'COLIBRI_AUTOSPAWN_RPC_PROMPT="call node_register with current hw-probe output"' \ + | tee -a /usr/local/etc/colibri/provider.env +service colibri_daemon restart +``` + +**12. End-to-end (optional, with a real DEEPSEEK key present):** register a sample node and confirm the `derive_capabilities()` trigger populated `capabilities` — see the [Verification](#verification) section below. -**11. Key hygiene:** the mother-mcp private key from step 3 is on the node seed +**13. Key hygiene:** the mother-mcp private key from step 4 is on the node seed (`CLAWDIESEED/colibri/ssh/mother-mcp`) and nowhere else persistent. See [Key management](#key-management).
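Review bot: In the first hunk (@@ -113,14 +113,22), the new step 3 is the only checklist step that installs something without a follow-up check, and it hard-codes the `py311-` flavor without saying which interpreter `geodesic-dome-mcp` runs under. If the server is started by a different Python, the packages install cleanly and the tool still fails at import. Suggest naming the interpreter in the step text and adding a one-line verification in the style of the other steps, for example an import check of `numpy` and `PIL` run with that same interpreter and an "expect: no error" comment.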
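Review bot: In the last hunk (@@ -168,18 +176,29), the new step 11 writes to `/usr/local/etc/colibri/provider.env` with `| tee -a` and then runs `service colibri_daemon restart`, both without `sudo`, while the other state-changing steps (`sudo pkg install`, `sudo ./packaging/mother/setup-mother.sh`) use it. For a non-root operator the append and the restart will likely fail. Suggest `| sudo tee -a ... >/dev/null` and `sudo service colibri_daemon restart`. Two smaller points in the same step: the restart sits on its own line, so it runs even when the `grep -q` guard finds the variable already set, and the guard matches the name anywhere in the file, including a commented-out line. Finally, this step changes the env and restarts the daemon after step 10 has already confirmed "Daemon picked up the env and is live", so either move it ahead of step 10 or extend step 10's `grep -E` pattern to include `COLIBRI_AUTOSPAWN_RPC_PROMPT` and re-run the status check.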