docs/README.md

@@ -16,5 +16,5 @@ A quick-reference guide to every document in this folder.
 | [`ISO-SERVICE-LAYOUT.md`](ISO-SERVICE-LAYOUT.md)                               | `rc.conf` service layout for the ISO image                                 | All             |
 | [`MULTI-AGENT-HOST-PLAN.md`](MULTI-AGENT-HOST-PLAN.md)                         | **Current sprint**: multi-agent task-board tests + CLI surface gaps        | All agents      |
 | [`PRIORITY-HANDOFF-ISO-SPAWN-COST.md`](PRIORITY-HANDOFF-ISO-SPAWN-COST.md)     | ISO boot validation, Pi spawn path, cost mode enforcement (P2/P3 done)     | All agents      |
-| [`TRUSS-SPAWN-ANALYSIS.md`](TRUSS-SPAWN-ANALYSIS.md)                             | truss trace of jail-spawn Permission Denied — root cause + fix             | Debugging       |
-| [`VAULT-PROVISION-FIRST-PROOF.md`](VAULT-PROVISION-FIRST-PROOF.md)               | First-proof runbook: vault → jail → `.env` chain (clean CLI)              | Agents, Sam     |
+| [`TRUSS-SPAWN-ANALYSIS.md`](TRUSS-SPAWN-ANALYSIS.md)                           | truss trace of jail-spawn Permission Denied — root cause + fix             | Debugging       |
+| [`VAULT-PROVISION-FIRST-PROOF.md`](VAULT-PROVISION-FIRST-PROOF.md)             | First-proof runbook: vault → jail → `.env` chain (clean CLI)               | Agents, Sam     |

packaging/freebsd/check-agent-jail-pkgs.sh

@@ -1,11 +1,11 @@
 #!/bin/sh
-# Run as:  sh check-agent-jail-pkgs.sh   (or ./check-agent-jail-pkgs.sh)
+# Run as:  sh check-agent-jail-pkgs.sh [path-or-url-to-pkg-list-jails.txt]
 #
 # Cross-repo drift guard for the agent-jail package set. It must match between:
 #   - this repo's agent-jail-bootstrap.sh   (the PKGS= line, the runtime truth)
 #   - clawdie-iso's pkg-list-jails.txt       (the "# agent-jail" section)
-# Run after changing either set (and in CI). Override the fetched list with
-# ISO_PKG_LIST_URL to compare against a different ref.
+# Run after changing either set (and in CI). Pass a local file path for
+# cross-repo preflight, or override ISO_PKG_LIST_URL to compare another ref.
 #
 # Exit: 0 = in sync, 1 = drift (prints the delta), 2 = fetch / IO error.
 
@@ -13,6 +13,7 @@ set -u
 
 HERE=$(cd "$(dirname "$0")" && pwd)
 BOOTSTRAP="${HERE}/agent-jail-bootstrap.sh"
+ISO_PKG_LIST="${1:-}"
 ISO_PKG_LIST_URL="${ISO_PKG_LIST_URL:-https://code.smilepowered.org/clawdie/clawdie-iso/raw/branch/main/packages/pkg-list-jails.txt}"
 
 [ -f "$BOOTSTRAP" ] || { echo "ERROR: bootstrap not found: $BOOTSTRAP" >&2; exit 2; }
@@ -27,11 +28,24 @@ grep -E '^PKGS=' "$BOOTSTRAP" | head -1 | sed -E 's/^PKGS=//; s/"//g' \
 [ -s "$_tmp/bootstrap" ] || { echo "ERROR: no PKGS= line in $BOOTSTRAP" >&2; exit 2; }
 
 # clawdie-iso set: the "# agent-jail" section of pkg-list-jails.txt, up to the
-# next blank line or next "#" header, sorted/unique.
-if ! curl -fsS "$ISO_PKG_LIST_URL" > "$_tmp/jl" 2>"$_tmp/err"; then
-    echo "ERROR: failed to fetch ${ISO_PKG_LIST_URL}" >&2; cat "$_tmp/err" >&2; exit 2
-fi
-awk '/^# agent-jail/{f=1;next} f&&/^#/{exit} f&&/^[[:space:]]*$/{exit} f{print}' "$_tmp/jl" \
+# next blank line. Comments inside the section are allowed and ignored.
+case "$ISO_PKG_LIST" in
+    "")
+        if ! curl -fsS "$ISO_PKG_LIST_URL" > "$_tmp/jl" 2>"$_tmp/err"; then
+            echo "ERROR: failed to fetch ${ISO_PKG_LIST_URL}" >&2; cat "$_tmp/err" >&2; exit 2
+        fi
+        ;;
+    http://*|https://*|file://*)
+        if ! curl -fsS "$ISO_PKG_LIST" > "$_tmp/jl" 2>"$_tmp/err"; then
+            echo "ERROR: failed to fetch ${ISO_PKG_LIST}" >&2; cat "$_tmp/err" >&2; exit 2
+        fi
+        ;;
+    *)
+        [ -f "$ISO_PKG_LIST" ] || { echo "ERROR: pkg-list-jails.txt not found: $ISO_PKG_LIST" >&2; exit 2; }
+        cp "$ISO_PKG_LIST" "$_tmp/jl"
+        ;;
+esac
+awk '/^# agent-jail/{f=1;next} f&&/^[[:space:]]*$/{exit} f&&!/^[[:space:]]*#/{print}' "$_tmp/jl" \
     | sed 's/[[:space:]]//g' | sed '/^$/d' | sort -u > "$_tmp/iso"
 [ -s "$_tmp/iso" ] || { echo "ERROR: no '# agent-jail' section in fetched pkg-list-jails.txt" >&2; exit 2; }