reframe: dual-OS survivability — Docker + FreeBSD jails

- SOUL.md: rewritten identity — Linux/Docker for reach, FreeBSD/jails
  for resilience. A vulnerability that kills one OS won't kill the other.
- AGENTS.md: agent matrix now includes isolation column (Docker/Bastille)
- memories/curated/project-structure.md: dual-OS strategy table
- verify_facts_probe.py: proper Docker detection (socket check, daemon status)

We are not betting on one OS. We are betting that catastrophic events
won't hit both platforms simultaneously.

AGENTS.md

@@ -38,15 +38,19 @@ already solved.** Tokens are money. A solved task retried is waste.
 - Tailscale: debby=100.66.193.10, domedog=100.103.255.41, osa=100.72.229.63
 - Commit identity: `hello@clawdie.si` for all project commits
 
-## Agent matrix (5 agents across 3 hosts)
+## Agent matrix (5 agents across 3 hosts, 2 OS families)
 
-| Agent     | Host    | Harness                 | OS         | Role                      |
+| Agent     | Host    | Harness                 | OS         | Isolation     | Role                      |
-| --------- | ------- | ----------------------- | ---------- | ------------------------- |
+| --------- | ------- | ----------------------- | ---------- | ------------- | ------------------------- |
-| Hermes    | debby   | Hermes Agent (upstream) | Debian 13  | Orchestrator, soul backup |
+| Hermes    | debby   | Hermes Agent (upstream) | Debian 13  | Docker        | Orchestrator, soul backup |
-| Zot       | debby   | Zot RPC                 | Debian 13  | Coding, media workflows   |
+| Zot       | debby   | Zot RPC                 | Debian 13  | Docker        | Coding, media workflows   |
-| Claude    | domedog | Claude Code             | Linux      | Verification, review      |
+| Claude    | domedog | Claude Code             | Linux      | Docker        | Verification, review      |
-| Codex     | osa     | Codex CLI               | FreeBSD 15 | ISO builds, validation    |
+| Codex     | osa     | Codex CLI               | FreeBSD 15 | Bastille jail | ISO builds, validation    |
-| Autolycus | osa     | Hermes Agent (fork)     | FreeBSD 15 | Native FreeBSD Hermes     |
+| Autolycus | osa     | Hermes Agent (fork)     | FreeBSD 15 | Bastille jail | Native FreeBSD Hermes     |
+
+**Survivability**: Linux/Docker and FreeBSD/jails are complementary safeguards.
+A vulnerability that kills one platform cannot kill the other. Agents can be
+relocated across platforms in minutes via layered-soul identity injection.
 
 ## Private sources
 

SOUL.md

@@ -4,7 +4,14 @@ Layered Soul is the portable identity of the Clawdie agent collective — a sing
 
 ## Who we are
 
-We are a small, self-hosted, privacy-first AI agent collective operated by Sam (Slovenia). We build and run Clawdie — a FreeBSD-based edge computing and agent runtime platform. Our home base is Debby (Debian 13 Linux), with satellites on Domedog (Linux) and OSA (FreeBSD 15). Everything communicates over Tailscale with zero public exposure.
+We are a small, self-hosted, privacy-first AI agent collective operated by Sam (Slovenia). We build and run Clawdie — a dual-OS agent runtime designed for survivability.
+
+- **Linux + Docker** (debby, domedog): our daily driver. Docker gives us instant access to the entire open-source ecosystem — any tool, any language, any service, in seconds. This is where we prototype, build, and orchestrate.
+- **FreeBSD + jails** (OSA): our safeguard. FreeBSD runs a fundamentally different kernel, a different TCP stack, a different filesystem (ZFS), and a different container model (jails). A Linux-specific vulnerability — a Docker escape, a kernel exploit, a supply-chain attack targeting glibc or systemd — cannot touch FreeBSD. And vice versa: a FreeBSD-specific bug cannot touch Linux.
+
+We are not betting on one OS. We are betting that **a vulnerability that kills one OS will not kill the other.** This dual-OS strategy means the Clawdie agent collective survives catastrophic events that would wipe out a single-platform system. If Docker goes down, OSA keeps running. If a FreeBSD jail escape emerges, debby keeps orchestrating. Our agents span both worlds and can be relocated in minutes.
+
+Everything communicates over Tailscale with zero public exposure.
 
 ## How we operate
 

memories/curated/project-structure.md

@@ -1,16 +1,26 @@
 # Clawdie Project Structure
 
-Clawdie is a FreeBSD-based edge computing and agent runtime platform. The project spans multiple repositories, each with a distinct role.
+Clawdie is a dual-OS agent runtime designed for survivability — Linux+Docker for reach, FreeBSD+jails (Bastille) for resilience.
 
 ## Core repos
 
 | Repo | Language | Purpose |
-| -------------- | ---------------- | ----------------------------------------------------------------------------------- |
+|------|---------|---------|
-| `colibri`      | Rust (12 crates) | Cross-platform control plane: daemon, task board, skills catalog, store, MCP bridge |
+| `colibri` | Rust (12+ crates) | Cross-platform control plane: daemon, task board, skills catalog, store, MCP bridge |
 | `clawdie-ai` | Docs/config | Agent runtime, control plane channels, handoff docs, session archives |
 | `clawdie-iso` | Shell/BSD | FreeBSD ISO builder, firstboot wizard, installer, ZFS layout |
+| `hermes-bsd` | Python | MIT-licensed FreeBSD Hermes patches (public) |
 | `hermes-soul` | Backup | Hermes-native runtime backup (private) |
-| `layered-soul` | Identity         | Cross-harness portable identity (this repo)                                         |
+| `layered-soul` | Identity | Cross-harness portable identity (public) |
+
+## Dual-OS strategy
+
+| Platform | Container | Strengths | Safeguards against |
+|----------|-----------|-----------|--------------------|
+| Linux (debby, domedog) | Docker | Instant ecosystem access, any tool/language | FreeBSD/jails catch Linux-specific exploits (glibc, systemd, kernel) |
+| FreeBSD (OSA) | Bastille jails | ZFS integrity, different TCP stack, jail isolation | Linux/Docker catches FreeBSD-specific bugs |
+
+If Docker goes down, OSA keeps running. If a FreeBSD jail escape emerges, debby keeps orchestrating.
 
 ## Key binaries (colibri workspace)
 
@@ -26,6 +36,10 @@ Clawdie is a FreeBSD-based edge computing and agent runtime platform. The projec
 - Rust Tier-2 target: `x86_64-unknown-freebsd`, TLS via rustls (no openssl-sys)
 - Zig 0.15.2 at `~/.local/bin/zig` (required for herdr builds)
 
+## Docker infrastructure
+
+Docker 29.5+ on Linux hosts. Containers for Hermes gateway, Zot RPC, Vaultwarden, Forgejo. Docker Desktop socket at `~/.docker/desktop/docker.sock` or system socket at `/var/run/docker.sock`. Probe with `verify_facts_probe.py --jails-containers`.
+
 ## Herdr
 
 Terminal workspace manager at `~/ai/herdr` (v0.6.2, local patches). Binary at `~/ai/herdr/target/release/herdr`.

scripts/verify_facts_probe.py

@@ -232,11 +232,29 @@ def probe_storage() -> dict:
 
 
 def probe_jails_containers() -> dict:
-    jails = run(["jls", "-n"]) if shutil.which("jls") else None
+    jails = run_raw(["jls", "-n"]) if shutil.which("jls") else None
-    docker = run(["docker", "ps", "--format", "table {{.Names}}\t{{.Status}}"]) if shutil.which("docker") else None
+
+    docker = {}
+    docker_bin = shutil.which("docker")
+    if docker_bin:
+        docker["binary"] = docker_bin
+        docker["version"] = run_raw(["docker", "--version"])
+        # Try both system socket and Docker Desktop socket
+        for sock in ["/var/run/docker.sock", os.path.expanduser("~/.docker/desktop/docker.sock")]:
+            if os.path.exists(sock):
+                docker["socket"] = sock
+                break
+        containers = run_raw(["docker", "ps", "-a", "--format", "table {{.Names}}\t{{.Image}}\t{{.Status}}"])
+        if containers and "ERROR" not in containers:
+            docker["containers"] = containers
+        else:
+            docker["containers"] = "daemon not running"
+    else:
+        docker["installed"] = False
+
     return {
         "freebsd_jails": jails,
-        "docker_containers": docker,
+        "docker": docker or None,
     }