From 4192574f74bc15ec93fe03a8cb6be8ab90a0b218 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Sat, 20 Jun 2026 09:00:09 +0200 Subject: [PATCH] =?UTF-8?q?docs(hive):=20add=202026-06-20=20status=20block?= =?UTF-8?q?=20=E2=80=94=20MVP=20code-complete,=20first-proof=20path?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Persist the reconstructed plan: all four MVP steps code-complete on colibri main; first proof is not code-blocked (interim manual runbook path); open work categorized (hardening #100/#92, CLI-driveability #101/#102, naming #98/iso#70). PR #90 (tenants table) closed as superseded — already on main. Co-Authored-By: Claude Opus 4.8 --- docs/HIVE-ONBOARDING.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/docs/HIVE-ONBOARDING.md b/docs/HIVE-ONBOARDING.md index 49ad2b9..5701df6 100644 --- a/docs/HIVE-ONBOARDING.md +++ b/docs/HIVE-ONBOARDING.md 
@@ -9,6 +9,40 @@ invention. Sections are tagged `[LIVE]` / `[PLANNED]`. --- +## Status — 2026-06-20 + +The four MVP steps (§8) are **code-complete on colibri `main`**: + +| MVP step | Status | Landed via | +| -------- | ------ | ---------- | +| 1. `colibri-vault` crate | done; hardening in flight | #85 → #94 → PR #100 (server-match + serialize) | +| 2. `tenants` table | on `main` | (PR #90 closed as superseded) | +| 3. spawner → provision hook | done | #91 (root-verify) → #94 (wired) | +| 4. `mother` skill | done (draft) | layered-soul | + +Supporting pieces merged: `agent-jail-bootstrap.sh` (#96 → #97 version-pin → #104 +cold-cache guard), `provider.env` staging (#69/#99), vault-fetch shell helper +server-match (#67/#68/#69). + +**First proof is *not* code-blocked** — the chain works today via the interim manual +path in [`../docs/VAULT-PROVISION-FIRST-PROOF.md`](https://code.smilepowered.org/clawdie/colibri) +(colibri). Critical path: merge PR #100 + #103 → run the runbook (scratch jail + test +collection, manual SQLite tenant insert, raw-socket jailed spawn) → verify `.env` at +`0600` + tenant `active`. + +Open work, categorized: + +- **Hardening:** colibri PR #100 (closes #95), #92 (path canonicalization/containment). +- **CLI-driveability (post-proof ergonomics, not proof blockers):** #101 (`register-tenant` + command), #102 (`--jail` on `spawn-agent`) — these replace the runbook's manual steps. +- **Source-of-truth/naming:** #98 (`npm-node24` vs `npm`), clawdie-iso #70 (agent-jail + section in `pkg-list-jails.txt`). + +**One-line plan:** merge #100 + #103 → run the runbook for the first proof → then land +#101/#102 for CLI driveability, and #92 before promoting past scratch. + +--- + ## 1. The core idea The Vaultwarden→`.env` fetch we proved is not a utility — it is the **onboarding
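Review bot: The critical path and the one-line plan both gate the first proof on "merge PR #100 + #103", but #103 is not described anywhere in this block: it is absent from the MVP table, the supporting pieces and the categorized open work, so a reader cannot tell what it changes or why the proof depends on it. Add it to the open-work list with a short description, as is done for #100. Bare issue numbers are also ambiguous about repository: only "colibri PR #100" and "clawdie-iso #70" are qualified, and #69 appears under both `provider.env` staging and the vault-fetch helper, so qualify each number with its repo. The runbook link labelled `../docs/VAULT-PROVISION-FIRST-PROOF.md` targets the repository root URL rather than the file; point it at the runbook itself. On the verify step, "`.env` at `0600`" names the mode but not the expected owner, and the proof runs before #92 (path canonicalization/containment) lands; state the expected file owner alongside the mode and say in the critical path that the run is limited to the scratch jail until #92 is merged.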