Follow-up to #17. Two issues with the daemon(8) `-r` + child-pidfile pattern:
1. Stop semantics (both services): with `-r`, rc.subr's default stop sends
SIGTERM to the *child* pid — and the still-running daemon(8) supervisor
respawns it ~1s later, so `service … stop` never actually stops it. Fix:
add a `-P` supervisor pidfile and a custom stop_cmd that SIGTERMs the
supervisor (which forwards to the child and exits without restarting),
waits up to 30s, SIGKILL fallback, then cleans pidfiles. Child pidfile +
unique procname are kept for accurate start/status.
2. clawdie.in parity: it still carried the pre-#17 pattern (`-P ${pidfile}`
as the only pidfile + procname="/usr/sbin/daemon"), so `service clawdie
status` could match tailscaled/colibri_daemon on a stale pidfile. Brought
it to the same shape as colibri_daemon.in: child pidfile, procname="clawdie",
supervisor pidfile, stop_cmd, socket-ready poststart, socket cleanup
poststop, and a `health` command.
Packaging-only — no Rust touched, no rebuild needed. `sh -n` clean on both;
stop algorithm exercised standalone (kills supervisor, idempotent). FreeBSD
start/stop/status/restart validation still owed on OSA.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Fix three bugs identified in live USB diagnostics (COLIBRI-XFCE-HANDOFF-04.JUN.2026):
1. procname collision: 'colibri-daemon' instead of '/usr/sbin/daemon'
so service status finds OUR process, not tailscaled or any other
daemon(8)-managed service.
2. pidfile flag: -p (child pidfile) instead of -P (supervisor pidfile)
so the pidfile holds the colibri-daemon PID, which rc.subr can
match against the unique procname.
3. Cascading bypass: fixing procname prevents rc.subr from skipping
daemon(8) entirely. Process tree should now be:
rc.d → daemon(8) → colibri-daemon (with crash restart)
clawdie.in exported COLIBRI_DAEMON_DATA_DIR/SOCKET/HOST but not COLIBRI_DB_PATH.
On FreeBSD, default_db_path() then falls back to /var/db/colibri/colibri.sqlite
— the full Colibri daemon's DB, owned colibri:colibri (0750). clawdie runs as
the clawdie user, so Store::open() hits EACCES; DaemonState::new() panics
(daemon.rs:35) and daemon(8) -r restart-loops forever. The service would never
serve, despite a correct-looking rc.d.
Fix: add a clawdie_db_path var (default ${clawdie_data_dir}/clawdie.sqlite) and
export COLIBRI_DB_PATH from prestart, keeping clawdie's DB in its own
clawdie-owned dir. No collision with the colibri daemon's DB.
Reproduced + verified on Linux:
- COLIBRI_DB_PATH unwritable → panic "failed to open coordination store … Permission denied", exit 101
- COLIBRI_DB_PATH in data dir → sqlite created, runs clean
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
New `clawdie` crate: the operator-friendly face of Colibri. One small Rust
binary that reuses the proven control-plane core (glasspane supervision +
Herdr Unix-socket API + coordination loop — the "split brain") and puts a
DeepSeek-backed Telegram bot in front of it. That is the entire out-of-the-box
surface.
Deliberately lifted vs. the full control plane: cost modes, quota accounting,
context budgets, multi-provider fallback (OpenRouter/Anthropic), per-user
limits. One DeepSeek key serves both the chat lane and the daemon routing.
- crates/clawdie: main (core + bridge wiring), telegram (long-poll bridge),
deepseek (minimal one-key chat), build.rs (bakes CLAWDIE_TG_TOKEN +
CLAWDIE_DEEPSEEK_KEY build flags; runtime env overrides).
- packaging/freebsd/clawdie.in: rc.d service, daemon(8)-supervised, restart on
crash, dedicated clawdie user — starts as a service like Clawdie-AI.
- release profile strips symbols (binary ~7.6 MB stripped).
- docs/CLAWDIE-AGENT-WIKI.md (mindmap), docs/CLAWDIE-BUILD.md (build + ISO +
next-build XFCE USB fixes), README workspace table.
Build/clippy/fmt green; headless start smoke-tested (socket + sessions bind).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Hardens the FreeBSD service for production readiness:
- rc.d: post-start socket health check (waits up to 10s), post-stop
socket cleanup, 'health' extra command that probes socket with
a status command via nc.
- newsyslog: log rotation at 1MB, 7 compressed archives,
colibri:colibri ownership.
- staging: copies newsyslog config into image root, updated
staging report to list all installed files.
- docs/ISO-SERVICE-LAYOUT.md: filesystem layout, boot/shutdown
behavior, startup validation commands, config knobs, secrets
policy, log rotation details.
Shell syntax: sh -n clean on both scripts.
Workspace tests: all green.
colibri-daemon runs in the foreground and writes no pidfile, so the previous
`command=/usr/local/bin/colibri-daemon` would hang `service start` and leave
status/stop unable to track it. Run it under daemon(8): -P supervisor pidfile,
-r restart on crash, -u colibri privilege drop, -o logfile for the tracing
stdout. start_precmd recreates the colibri-owned /var/run/colibri (tmpfs),
/var/db/colibri, and the log dir each start. Still review-only / not installed;
needs an on-FreeBSD `service` test (osa-smoke rec #4).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
packaging/freebsd/colibri_daemon.in: FreeBSD rc.d service file
for review only, not installed. Uses /var/db/colibri,
/var/run/colibri, COLIBRI_DB_PATH. /tmp smoke test comes first.
