Addresses HOST-MATRIX §4 backup-independence: the Vultr box (Forgejo+Vaultwarden)
is a single point of failure for backups AND secrets. This pulls its dumps to
domedog (already paid, on-tailnet, 51G free) — zero new cost.
- PULL direction: a compromised Vultr can't reach into / destroy the backup history
- verifies integrity (forgejo dump zip + vault sqlite PRAGMA integrity_check)
- encrypts at rest with age (vault dump = secret material; private key stays off-host)
- dated snapshots + retention (versioned, not a single overwritten mirror)
- opt-in Colibri board status (transition a task done/failed = backup health signal)
- config (host + age recipient) lives in ~/.config (gitignored); no hosts/keys in repo
Vultr side stays responsible only for producing consistent dumps (forgejo dump +
sqlite .backup) and exposing them read-only. bash -n clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Six bugs found in deep-dive analysis of FreeBSD rc.d/rc.conf after the
live-copy-safe fix (7d23905):
1. colibri_cost_mode → colibri_daemon_cost_mode: naming broke rc.subr
${name}_ convention — operator setting colibri_daemon_cost_mode=fast
in rc.conf was silently ignored. Fixed in rc.d, staging script,
rc.conf.sample, and all docs.
2. Removed redundant chmod 660 on socket in poststart: Rust code already
sets 0770 with documented rationale. The poststart override to 0660
was conflicting, fragile, and had no comment.
3. Removed unnecessary chmod 644 on pidfile in poststart: pidfile lives
in a 0750 directory — world-readable permission is pointless and
security-negative.
4. Fixed ISO-SERVICE-LAYOUT.md: socket perms were wrong (said 750, actual
770), colibri-daemon.pid was labeled supervisor pidfile (it's the
child), supervisor pidfile was missing entirely, shutdown behavior
didn't mention custom stop_cmd targeting the supervisor.
5. health_cmd now checks for non-empty daemon response instead of just
connectvity — a hung daemon accepting connections but returning
garbage was reported healthy.
6. rc.conf.sample hostname path: $ (hostname) → $(/bin/hostname) for
consistency with rc.d script and early-boot PATH safety.
Checks: sh -n OK, cargo fmt --check OK, cargo clippy clean,
cargo test --workspace 207 passed.
Rename the local deterministic launch helper from colibri-smoke-agent to colibri-test-agent, update CLI/TUI/tests/docs, and teach the FreeBSD rc.d service to source /usr/local/etc/colibri/provider.env plus set a service PATH for local spawns.\n\nChecks: cargo fmt --check; ./scripts/check-format.sh; git diff --check; cargo check -p colibri-daemon -p colibri-client -p colibri-glasspane-tui; cargo check -p colibri-client --bins; cargo test -p colibri-client --test live_socket_check -- --nocapture.
The layered-soul skills importer globbed skills/**/*.md, pulling references/ and
templates/ in as separate skills. Import each skills/**/SKILL.md instead
(frontmatter name/description, category 'soul'); supporting files are not skills.
Verified against the populated layered-soul: 9 skills imported, idempotent,
curated memory deferred. Doc updated to match.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- scripts/headroom-sidecar.py: Unix socket server (from headroom import compress)
- cost.rs: HeadroomSidecar struct with connect/compress methods
- session.rs: build_prompt_messages() now accepts optional sidecar
- daemon.rs: spawns sidecar on startup if COLIBRI_HEADROOM_ENABLED=true
- config.rs: headroom_enabled + headroom_socket_path config fields
- socket.rs: cmd_status reports headroom status, cmd_get_session uses sidecar
- All test fixtures updated with new DaemonConfig fields
40-50% token savings on tool outputs with zero accuracy loss.
Disabled by default (COLIBRI_HEADROOM_ENABLED=false).
Works identically on Linux and FreeBSD.
Wires clawdie/layered-soul (the portable identity/context source) into Colibri.
scripts/import-layered-soul.sh reads its reviewed skills/**/*.md into the existing
`skills` catalog (mirrors import-clawdie-skills.sh; idempotent, frontmatter
name/description, category from the skill's parent dir).
Honest scope: only skills are wired. The adapter's "Layered Memory Fabric"
(system_brain / system_ops + a richer system_skills) is design-only
(COLIBRI-SKILLS-PLAN.md), so curated memory is reported-but-not-imported and the
gap is documented in docs/INTEGRATION-LAYERED-SOUL.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
colibri had no CI, so a non-compiling main slipped through (the build-break PR
#23 had to fix) and the markdown gate from #22 was honor-system only.
- .forgejo/workflows/ci.yml: runs on push-to-main + PRs. Two jobs — rust
(cargo fmt --check, clippy -D warnings, cargo test --workspace) and markdown
(./scripts/check-format.sh).
- scripts/ci-checks.sh: same gates in one script, runnable locally before
pushing (the workflow and humans share it).
Validated: scripts/ci-checks.sh passes end-to-end on this branch (exit 0).
NOTE: requires a registered Forgejo Actions runner with an `ubuntu-latest`
label that can pull the rust/node images. Adjust runs-on to match the runner.
Stacked on `all-checks-green` (the fmt fix) so the first CI run is green; merge
that PR first.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
colibri had no Prettier config or gate, so its markdown drifted freely (22/31
files failed Prettier). Mirror the clawdie-iso gate so docs stay consistent:
- .prettierrc: same as clawdie-iso — proseWrap=preserve, printWidth=80, and
embeddedLanguageFormatting=off for *.md so fenced code (JSON/mermaid/shell in
the graph + design docs) is left exactly as written.
- .prettierignore: target/, scratch dirs, CHANGELOG.
- scripts/check-format.sh: `prettier@3 --check '**/*.md'` (run before pushing).
- AGENTS.md: "Markdown Formatting Gate" section documenting the workflow.
- One-shot `prettier --write` across all markdown. Pure formatting — only
emphasis-marker (*x* -> _x_), list-bullet, table-padding, and blank-line
normalization; no prose/command/code-fence content changed.
Gate now green (`./scripts/check-format.sh` → all matched files pass).
Docs-only + tooling — no Rust touched, no rebuild.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Hardens the FreeBSD service for production readiness:
- rc.d: post-start socket health check (waits up to 10s), post-stop
socket cleanup, 'health' extra command that probes socket with
a status command via nc.
- newsyslog: log rotation at 1MB, 7 compressed archives,
colibri:colibri ownership.
- staging: copies newsyslog config into image root, updated
staging report to list all installed files.
- docs/ISO-SERVICE-LAYOUT.md: filesystem layout, boot/shutdown
behavior, startup validation commands, config knobs, secrets
policy, log rotation details.
Shell syntax: sh -n clean on both scripts.
Workspace tests: all green.
Validates: Colibri spawns agent process (fake-pi-agent.py) → reads
JSONL stdout → glasspane ingests → snapshot shows Done state with
correct session ID.
Uses scripts/fake-pi-agent.py which emits the colibri-pi-events
JSONL taxonomy (session, agent_start, turn_start, turn_end,
agent_end). Proves the spawn→ingest→glasspane pipeline without
requiring the real pi binary.
The real Pi binary path (when installed) follows the same pattern:
pi --mode json is spawned with identical spawner code.
Build: pass | Tests: 1/1 green | Workspace: all green
