From 796070605b89f6305944bc655519c318ada75ff7 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Thu, 25 Jun 2026 07:04:59 +0200 Subject: [PATCH] fix(daemon): gate autospawn on .secured marker when require_secured=YES MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds colibri_daemon_require_secured knob (default NO). When enabled, the daemon refuses to autospawn an agent until /var/db/colibri/.secured exists. This interlock pairs with the clawdie-iso firstboot password gate (#139): the gate writes .secured after the operator sets passwords, the daemon reads it to gate autospawn + node_register. Must run AFTER the provider.env block — otherwise COLIBRI_AUTOSPAWN=YES from provider.env would override the NO set here. Defaults to NO so deployed/disk hosts (which never run the firstboot gate) are unaffected. Paired with: clawdie-iso PR #139 (force-root-password-on-first-boot).
---
 packaging/freebsd/colibri_daemon.in | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/packaging/freebsd/colibri_daemon.in b/packaging/freebsd/colibri_daemon.in
index ac9a571..bc6c05a 100644
--- a/packaging/freebsd/colibri_daemon.in
+++ b/packaging/freebsd/colibri_daemon.in
@@ -50,6 +50,7 @@ load_rc_config $name
 : ${colibri_daemon_provider_env:="/usr/local/etc/colibri/provider.env"}
 : ${colibri_daemon_host:="$(/bin/hostname)"}
 : ${colibri_daemon_cost_mode:="smart"}
+: ${colibri_daemon_require_secured:="NO"}
 
 pidfile="${colibri_daemon_run_dir}/colibri-daemon.pid"
 # Supervisor pidfile (the daemon(8) parent). Kept distinct from the child
@@ -102,6 +103,22 @@ colibri_daemon_prestart()
 set +a
 fi
 
+ # Require-secured gate. When enabled (default NO), the daemon refuses to
+ # autospawn an agent until the first-boot password gate has written the
+ # .secured marker (/var/db/colibri/.secured). This ensures an unsecured
+ # USB node does not register with mother or run tasks until the operator
+ # has set root+clawdie passwords. Deployed/disk hosts that never run the
+ # firstboot gate should leave this at NO (the default).
+ #
+ # Must run AFTER the provider.env block above — otherwise a
+ # COLIBRI_AUTOSPAWN=YES in provider.env would override this.
+ if checkyesno colibri_daemon_require_secured; then
+ if [ ! -e "${colibri_daemon_data_dir}/.secured" ]; then
+ echo "colibri_daemon: node unsecured — autospawn disabled"
+ export COLIBRI_AUTOSPAWN=NO
+ fi
+ fi
+
 # Config is passed to the child via the environment.
 export COLIBRI_DAEMON_DATA_DIR="${colibri_daemon_data_dir}"
 export COLIBRI_DAEMON_SOCKET="${colibri_daemon_socket}"
-- 
2.45.3
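Review bot: The gate rests on a bare existence test of `${colibri_daemon_data_dir}/.secured`, a path inside the daemon's own data directory; if that directory is writable by the daemon's runtime user (not visible in this hunk), the marker can appear without the operator ever having set passwords, so the marker should live in a root-owned, non-writable location or the check should also verify ownership, e.g. `if [ ! -e "${colibri_daemon_data_dir}/.secured" ] || [ ! -O "${colibri_daemon_data_dir}/.secured" ]; then`, which still fails closed. The new comment and the commit message name the fixed path /var/db/colibri/.secured while the code derives the path from `colibri_daemon_data_dir`, so an rc.conf override of that knob makes the firstboot gate and this check look at different files; either document that the marker follows the data dir or give it a dedicated knob defaulting to the data-dir path. The diagnostic is emitted with a plain `echo` to stdout and contains a non-ASCII dash; rc.subr's `warn` sends it where the rest of rc output goes, and an ASCII message avoids locale surprises during early boot. colibri_daemon_prestart() begins before this hunk and continues past it.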