3 commits

Author	SHA1	Message	Date
Sam & Claude	116277ba7a	docs(mother): add osa first-run verification checklist ... An ordered first-run checklist for deploying on osa (or any new mother), covering the things that can only be validated against a live PostgreSQL + FreeBSD host: - build 0.12 on FreeBSD from current main + ci-checks (Linux binaries won't run) - record any pre-existing node-register before install - post-install integrity: installed node-register is the hardened hive_nodes version (grep -c "E'" == 0; grep hive_nodes > 0) — not the injectable copy - schema migrated in place (usb_nodes renamed, not duplicated; node_type present) - peer auth works; pg_hba peer rule present AND precedes generic local rules - external-mcp has all three servers (jq-merge preserved existing) - SSH forced-command wrapper rejects non-allowlisted commands - daemon env + service live; key hygiene (private key → seed only) Captures the operational risks flagged during the mother-infra review.	2026-06-24 10:56:56 +02:00
Sam & Claude	e941fdd494	mother: rename usb_nodes→hive_nodes (+node_type), harden setup/register ... Review pass on the mother MCP infra: - Rename usb_nodes → hive_nodes: a node is any host that joined the hive (live-usb/disk/vps/mother), not just a USB boot. Add a first-class node_type column (live-usb|disk|vps|mother|unknown). The schema migrates an existing osa DB in place (ALTER TABLE + ALTER SEQUENCE, guarded by to_regclass) and ADD COLUMN IF NOT EXISTS for already-renamed tables — data preserved, idempotent. FKs/trigger/indexes follow. - node-register-mcp: accepts + validates node_type, UPSERTs into hive_nodes. Add ON_ERROR_STOP=1 (psql otherwise exits 0 on SQL error → false success) and fold stderr into the captured result so failures are reported. - setup-mother.sh: apply schema BEFORE granting on its tables (fresh installs had no tables when grants ran); pipe the schema via stdin so the postgres user need not read the repo checkout; locate pg_hba via SHOW hba_file (was hardcoded) and PREPEND the peer rule (pg_hba is first-match); grants target hive_nodes/hive_nodes_id_seq. - build-colibri.sh: fast-forward a checked-out branch to origin so it builds current upstream code, not a stale local copy. Validated: prettier + sh -n green. Schema migration/UPSERT to be exercised on osa (no local postgres server here). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-24 09:45:39 +02:00
Sam & Claude	7b3e757817	feat(mother): idempotent MCP setup, injection-proof node-register, hardened wrapper + builder ... Consolidates mother MCP infrastructure into packaging/mother/: - setup-mother.sh: idempotent deploy script (binaries, MCP tools, SSH keys, PostgreSQL peer auth, jq-merge external-mcp.json, daemon env update) - node-register-mcp: UPSERT hw-probe JSON into mother_hive.usb_nodes using psql -v :variable heredoc (bound parameter, no SQL interpolation) - colibri-mcp-ssh: SSH forced-command wrapper with allowlist (only "" → stdio MCP mode, "tools" → discovery; everything else rejected) - build-colibri.sh: branch-allowlisted builder (main + semver tags + COLIBRI_BUILD_ALLOW_BRANCHES), features validated, array-quoted cargo args - MOTHER-SETUP.md: architecture document with security properties Security fixes vs. the clawdie-iso versions: - node-register-mcp: was E${ESCAPED} (vulnerable to E backslash interpretation); now psql -v :variable in a heredoc - colibri-mcp-ssh: was unquoted ${SSH_ORIGINAL_COMMAND} passthrough; now case-match allowlist - build-colibri.sh: was arbitrary git checkout + unquoted cargo flags; now branch allowlist + features validation + array args - USB spawn args: no trailing "colibri-mcp" remote command; forced-command wrapper handles empty command - Key management: one key per trust domain (mother-mcp != Forgejo); key lives on seed partition, not baked into image	2026-06-24 09:31:04 +02:00