clawdie/colibri
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 43

docs(mother): osa first-run verification checklist #166

Merged
clawdie merged 1 commit from mother-firstrun-checklist into main 2026-06-24 10:58:19 +02:00
Conversation 0 Commits 1 Files changed 1 +94
clawdie commented 2026-06-24 10:57:02 +02:00
Owner
Copy link

Adds an ordered first-run verification checklist to MOTHER-SETUP.md for deploying on osa (or any new mother). It captures the operational risks flagged during the mother-infra review — the things that can't be validated until a live PostgreSQL + FreeBSD host is in front of you:

  1. Build 0.12 on FreeBSD from current main + ci-checks.sh (Linux binaries won't run on osa).
  2. Record any pre-existing node-register-mcp before install.
  3. Run setup-mother.sh (key → seed, not scrollback).
  4. Integrity: installed node-register-mcp is the hardened hive_nodes version — grep -c "E'" == 0, grep hive_nodes > 0 (not the injectable copy).
  5. Schema migrated in place (usb_nodes renamed not duplicated; node_type present).
  6. Peer auth works for colibri; pg_hba peer rule present and precedes generic local all all (first-match).
  7. external-mcp.json has all three servers (jq-merge preserved existing).
  8. SSH forced-command wrapper rejects non-allowlisted commands.
  9. Daemon env + service live.
  10. Key hygiene: private key on the node seed only.

Doc-only; markdown gate + wiki-lint green.

🤖 Generated with Claude Code

Adds an ordered **first-run verification checklist** to `MOTHER-SETUP.md` for deploying on osa (or any new mother). It captures the operational risks flagged during the mother-infra review — the things that can't be validated until a live PostgreSQL + FreeBSD host is in front of you: 1. Build 0.12 on **FreeBSD from current `main`** + `ci-checks.sh` (Linux binaries won't run on osa). 2. Record any pre-existing `node-register-mcp` before install. 3. Run `setup-mother.sh` (key → seed, not scrollback). 4. **Integrity:** installed `node-register-mcp` is the hardened `hive_nodes` version — `grep -c "E'"` == 0, `grep hive_nodes` > 0 (not the injectable copy). 5. Schema migrated **in place** (`usb_nodes` renamed not duplicated; `node_type` present). 6. Peer auth works for `colibri`; pg_hba peer rule present **and precedes** generic `local all all` (first-match). 7. `external-mcp.json` has all three servers (jq-merge preserved existing). 8. SSH forced-command wrapper **rejects** non-allowlisted commands. 9. Daemon env + service live. 10. Key hygiene: private key on the node seed only. Doc-only; markdown gate + `wiki-lint` green. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
clawdie added 1 commit 2026-06-24 10:57:06 +02:00
docs(mother): add osa first-run verification checklist
Some checks failed
CI / rust (pull_request) Has been cancelled
Details
CI / markdown (pull_request) Has been cancelled
Details
CI / port (pull_request) Has been cancelled
Details
CI / agent-jail-pkgs (pull_request) Has been cancelled
Details
116277ba7a 
An ordered first-run checklist for deploying on osa (or any new mother),
covering the things that can only be validated against a live PostgreSQL +
FreeBSD host:

- build 0.12 on FreeBSD from current main + ci-checks (Linux binaries won't run)
- record any pre-existing node-register before install
- post-install integrity: installed node-register is the hardened hive_nodes
  version (grep -c "E'" == 0; grep hive_nodes > 0) — not the injectable copy
- schema migrated in place (usb_nodes renamed, not duplicated; node_type present)
- peer auth works; pg_hba peer rule present AND precedes generic local rules
- external-mcp has all three servers (jq-merge preserved existing)
- SSH forced-command wrapper rejects non-allowlisted commands
- daemon env + service live; key hygiene (private key → seed only)

Captures the operational risks flagged during the mother-infra review.
clawdie merged commit 6ab86275e2 into main 2026-06-24 10:58:19 +02:00
clawdie deleted branch mother-firstrun-checklist 2026-06-24 10:58:19 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
first-proof blocker

gates the first proven end-to-end

  
hardening

security/robustness follow-up, not a first-proof gate

No labels
first-proof blocker
hardening
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: clawdie/colibri#166
No description provided.
Delete branch "mother-firstrun-checklist"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?