From a12595999111abdb62e1123f8312af956bf5f264 Mon Sep 17 00:00:00 2001
From: Sam & Claude
Date: Sun, 21 Jun 2026 20:38:39 +0200
Subject: [PATCH] fix(packaging): make agent-jail pkg drift check local-friendly (Sam & Pi)

Honor an optional pkg-list-jails path/URL argument, allow comments inside the agent-jail section, and apply Prettier to docs/README.md. This preserves the cross-repo gate for the jq addition.\n\nValidation: ./scripts/check-format.sh; cargo fmt --check; ./packaging/freebsd/port/check-cargo-crates.sh; ./packaging/freebsd/check-agent-jail-pkgs.sh /home/clawdie/ai/clawdie-iso/packages/pkg-list-jails.txt; sh -n packaging/freebsd/agent-jail-bootstrap.sh packaging/freebsd/mother-sync-hive-keys.sh; cargo check -p colibri-daemon -p colibri-client -p colibri-mcp.
---
 docs/README.md | 4 +--
 packaging/freebsd/check-agent-jail-pkgs.sh | 30 ++++++++++++++++------
 2 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/docs/README.md b/docs/README.md
index dfba82d..8c33a11 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -16,5 +16,5 @@ A quick-reference guide to every document in this folder.
 | [`ISO-SERVICE-LAYOUT.md`](ISO-SERVICE-LAYOUT.md) | `rc.conf` service layout for the ISO image | All |
 | [`MULTI-AGENT-HOST-PLAN.md`](MULTI-AGENT-HOST-PLAN.md) | **Current sprint**: multi-agent task-board tests + CLI surface gaps | All agents |
 | [`PRIORITY-HANDOFF-ISO-SPAWN-COST.md`](PRIORITY-HANDOFF-ISO-SPAWN-COST.md) | ISO boot validation, Pi spawn path, cost mode enforcement (P2/P3 done) | All agents |
-| [`TRUSS-SPAWN-ANALYSIS.md`](TRUSS-SPAWN-ANALYSIS.md) | truss trace of jail-spawn Permission Denied — root cause + fix | Debugging |
-| [`VAULT-PROVISION-FIRST-PROOF.md`](VAULT-PROVISION-FIRST-PROOF.md) | First-proof runbook: vault → jail → `.env` chain (clean CLI) | Agents, Sam |
+| [`TRUSS-SPAWN-ANALYSIS.md`](TRUSS-SPAWN-ANALYSIS.md) | truss trace of jail-spawn Permission Denied — root cause + fix | Debugging |
+| [`VAULT-PROVISION-FIRST-PROOF.md`](VAULT-PROVISION-FIRST-PROOF.md) | First-proof runbook: vault → jail → `.env` chain (clean CLI) | Agents, Sam |
diff --git a/packaging/freebsd/check-agent-jail-pkgs.sh b/packaging/freebsd/check-agent-jail-pkgs.sh
index 53bc777..86591f8 100755
--- a/packaging/freebsd/check-agent-jail-pkgs.sh
+++ b/packaging/freebsd/check-agent-jail-pkgs.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
-# Run as: sh check-agent-jail-pkgs.sh (or ./check-agent-jail-pkgs.sh)
+# Run as: sh check-agent-jail-pkgs.sh [path-or-url-to-pkg-list-jails.txt]
 #
 # Cross-repo drift guard for the agent-jail package set. It must match between:
 # - this repo's agent-jail-bootstrap.sh (the PKGS= line, the runtime truth)
 # - clawdie-iso's pkg-list-jails.txt (the "# agent-jail" section)
-# Run after changing either set (and in CI). Override the fetched list with
-# ISO_PKG_LIST_URL to compare against a different ref.
+# Run after changing either set (and in CI). Pass a local file path for
+# cross-repo preflight, or override ISO_PKG_LIST_URL to compare another ref.
 #
 # Exit: 0 = in sync, 1 = drift (prints the delta), 2 = fetch / IO error.
@@ -13,6 +13,7 @@ set -u
 HERE=$(cd "$(dirname "$0")" && pwd)
 BOOTSTRAP="${HERE}/agent-jail-bootstrap.sh"
+ISO_PKG_LIST="${1:-}"
 ISO_PKG_LIST_URL="${ISO_PKG_LIST_URL:-https://code.smilepowered.org/clawdie/clawdie-iso/raw/branch/main/packages/pkg-list-jails.txt}"
 [ -f "$BOOTSTRAP" ] || { echo "ERROR: bootstrap not found: $BOOTSTRAP" >&2; exit 2; }
@@ -27,11 +28,24 @@ grep -E '^PKGS=' "$BOOTSTRAP" | head -1 | sed -E 's/^PKGS=//; s/"//g' \
 [ -s "$_tmp/bootstrap" ] || { echo "ERROR: no PKGS= line in $BOOTSTRAP" >&2; exit 2; }
 # clawdie-iso set: the "# agent-jail" section of pkg-list-jails.txt, up to the
-# next blank line or next "#" header, sorted/unique.
-if ! curl -fsS "$ISO_PKG_LIST_URL" > "$_tmp/jl" 2>"$_tmp/err"; then
- echo "ERROR: failed to fetch ${ISO_PKG_LIST_URL}" >&2; cat "$_tmp/err" >&2; exit 2
-fi
-awk '/^# agent-jail/{f=1;next} f&&/^#/{exit} f&&/^[[:space:]]*$/{exit} f{print}' "$_tmp/jl" \
+# next blank line. Comments inside the section are allowed and ignored.
+case "$ISO_PKG_LIST" in
+ "")
+ if ! curl -fsS "$ISO_PKG_LIST_URL" > "$_tmp/jl" 2>"$_tmp/err"; then
+ echo "ERROR: failed to fetch ${ISO_PKG_LIST_URL}" >&2; cat "$_tmp/err" >&2; exit 2
+ fi
+ ;;
+ http://*|https://*|file://*)
+ if ! curl -fsS "$ISO_PKG_LIST" > "$_tmp/jl" 2>"$_tmp/err"; then
+ echo "ERROR: failed to fetch ${ISO_PKG_LIST}" >&2; cat "$_tmp/err" >&2; exit 2
+ fi
+ ;;
+ *)
+ [ -f "$ISO_PKG_LIST" ] || { echo "ERROR: pkg-list-jails.txt not found: $ISO_PKG_LIST" >&2; exit 2; }
+ cp "$ISO_PKG_LIST" "$_tmp/jl"
+ ;;
+esac
+awk '/^# agent-jail/{f=1;next} f&&/^[[:space:]]*$/{exit} f&&!/^[[:space:]]*#/{print}' "$_tmp/jl" \
 | sed 's/[[:space:]]//g' | sed '/^$/d' | sort -u > "$_tmp/iso"
 [ -s "$_tmp/iso" ] || { echo "ERROR: no '# agent-jail' section in fetched pkg-list-jails.txt" >&2; exit 2; }
-- 
2.45.3
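Review bot: The `http://*` pattern in the second `case` arm lets the reference list for this drift gate be fetched in plaintext, where it can be altered in transit before the comparison runs; I would narrow that arm to `https://*|file://*)`. In the `*)` arm, `cp "$ISO_PKG_LIST" "$_tmp/jl"` has no `--` and no failure check, so a path beginning with `-` is read as cp options, and (with only `set -u` visible here) an unreadable file surfaces later as the misleading "no '# agent-jail' section in fetched pkg-list-jails.txt" error. `cp -- "$ISO_PKG_LIST" "$_tmp/jl" || { echo "ERROR: cannot read $ISO_PKG_LIST" >&2; exit 2; }` would match the script's other exit-2 guards. Because the awk program no longer stops at the next `#` line, a following section header with no blank line before it is skipped as a comment and its packages are counted as agent-jail packages. The comment above the `case` could state that requirement, for example `# Sections in pkg-list-jails.txt must be separated by a blank line.`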