From df73740e599b5815fa80cd296394c6ee787798ed Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Sun, 14 Jun 2026 00:45:02 +0200 Subject: [PATCH] docs: record FreeBSD clawdie installer findings (Sam & Codex) Add real FreeBSD 15 read-only validation output and the hardening findings so Linux-side reviewers can evaluate the installer follow-up without needing host access.\n\nChecks: ./scripts/check-format.sh; git diff --check --- docs/CLAWDIE-INSTALLER-HANDOFF.md | 48 +++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/docs/CLAWDIE-INSTALLER-HANDOFF.md b/docs/CLAWDIE-INSTALLER-HANDOFF.md index e66bc75..5d502e3 100644 --- a/docs/CLAWDIE-INSTALLER-HANDOFF.md +++ b/docs/CLAWDIE-INSTALLER-HANDOFF.md @@ -59,10 +59,52 @@ clawdie apply --pool tank --create-pool /dev/sdX --yes # DESTROYS /dev/sdX Verify `zpool create` + datasets + systemd unit (`systemctl status clawdie`). Confirm the guard: `--create-pool` on a **non-empty** disk is refused without `--force`. -## 5. Acceptance — delete this doc when all are true +## 5. FreeBSD read-only validation notes (2026-06-13, Codex/Pi) -- [ ] `cargo test -p clawdie` passes on FreeBSD 15 (output + versions reported). -- [ ] `discover` + `plan` correct against a real FreeBSD ZFS host. +Host/version evidence: + +```text +FreeBSD osa.smilepowered.org 15.0-RELEASE-p10 GENERIC amd64 +rustc 1.94.0 (4a4ef493e 2026-03-02) +cargo 1.94.0 (85eff7c80 2026-01-15) +``` + +Checks run on a real FreeBSD 15 host: + +```sh +cargo fmt --check +./scripts/check-format.sh +git diff --check +cargo test -p clawdie -- --nocapture +cargo clippy -p clawdie --all-targets -- -D warnings +cargo build -p clawdie --release +target/release/clawdie discover +target/release/clawdie plan +target/release/clawdie apply --pool zroot # dry-run only +target/release/clawdie plan --pool does-not-exist # expected error +``` + +Observed results: + +- `cargo test -p clawdie -- --nocapture`: 15 tests passed. +- `discover`: detected `os: FreeBsd`, `zfs available: true`, and pool `zroot [ONLINE]`. +- `plan`: resolved to `ZFS on existing pool zroot` and rendered rc.d provisioning. +- bare `apply --pool zroot`: printed the same plan and exited as a dry-run (`DRY-RUN — nothing written`). +- `plan --pool does-not-exist`: now errors before rendering/apply: `ZFS pool \`does-not-exist\` not found; available pools: zroot`. + +Findings filed for Linux-side review in branch +`fix/clawdie-installer-freebsd-hardening`: + +- generated FreeBSD rc.d now runs `/usr/local/bin/colibri-daemon` through `/usr/sbin/daemon -u clawdie` instead of root; +- service installation chowns `/var/db/clawdie` and `/var/log/clawdie` after creating the `clawdie` user; +- existing-pool plans validate the named pool before rendering/applying. + +Not done: no destructive `apply --yes`; still requires scratch pool/VM. + +## 6. Acceptance — delete this doc when all are true + +- [x] `cargo test -p clawdie` passes on FreeBSD 15 (output + versions reported). +- [x] `discover` + `plan` correct against a real FreeBSD ZFS host for read-only/dry-run paths. - [ ] `apply --yes` on a scratch pool creates the datasets, user, and rc.d service as specified; teardown verified. - [ ] (if tested) Linux `--create-pool` works on a spare disk and the empty-disk guard refuses non-empty disks. - [ ] Any FreeBSD-specific differences from the Linux-built behavior are filed as a PR and reported back.