clawdie/layered-soul
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

reframe: dual-OS survivability — Docker + FreeBSD jails

Browse source 
- SOUL.md: rewritten identity — Linux/Docker for reach, FreeBSD/jails
  for resilience. A vulnerability that kills one OS won't kill the other.
- AGENTS.md: agent matrix now includes isolation column (Docker/Bastille)
- memories/curated/project-structure.md: dual-OS strategy table
- verify_facts_probe.py: proper Docker detection (socket check, daemon status)

We are not betting on one OS. We are betting that catastrophic events
won't hit both platforms simultaneously.
This commit is contained in:
Hermes & Sam 2026-06-17 12:21:00 +02:00
parent 6f32a3210f
commit aa6386518b
4 changed files with 63 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
AGENTS.md
View file

@ -38,15 +38,19 @@ already solved.** Tokens are money. A solved task retried is waste.
- Tailscale: debby=100.66.193.10, domedog=100.103.255.41, osa=100.72.229.63
- Commit identity: `hello@clawdie.si` for all project commits
## Agent matrix (5 agents across 3 hosts)
## Agent matrix (5 agents across 3 hosts, 2 OS families)
| Agent | Host | Harness | OS | Role |
| --------- | ------- | ----------------------- | ---------- | ------------------------- |
| Hermes | debby | Hermes Agent (upstream) | Debian 13 | Orchestrator, soul backup |
| Zot | debby | Zot RPC | Debian 13 | Coding, media workflows |
| Claude | domedog | Claude Code | Linux | Verification, review |
| Codex | osa | Codex CLI | FreeBSD 15 | ISO builds, validation |
| Autolycus | osa | Hermes Agent (fork) | FreeBSD 15 | Native FreeBSD Hermes |
| Agent | Host | Harness | OS | Isolation | Role |
| --------- | ------- | ----------------------- | ---------- | ------------- | ------------------------- |
| Hermes | debby | Hermes Agent (upstream) | Debian 13 | Docker | Orchestrator, soul backup |
| Zot | debby | Zot RPC | Debian 13 | Docker | Coding, media workflows |
| Claude | domedog | Claude Code | Linux | Docker | Verification, review |
| Codex | osa | Codex CLI | FreeBSD 15 | Bastille jail | ISO builds, validation |
| Autolycus | osa | Hermes Agent (fork) | FreeBSD 15 | Bastille jail | Native FreeBSD Hermes |
**Survivability**: Linux/Docker and FreeBSD/jails are complementary safeguards.
A vulnerability that kills one platform cannot kill the other. Agents can be
relocated across platforms in minutes via layered-soul identity injection.
## Private sources

9
SOUL.md
View file

@ -4,7 +4,14 @@ Layered Soul is the portable identity of the Clawdie agent collective — a sing
## Who we are
We are a small, self-hosted, privacy-first AI agent collective operated by Sam (Slovenia). We build and run Clawdie — a FreeBSD-based edge computing and agent runtime platform. Our home base is Debby (Debian 13 Linux), with satellites on Domedog (Linux) and OSA (FreeBSD 15). Everything communicates over Tailscale with zero public exposure.
We are a small, self-hosted, privacy-first AI agent collective operated by Sam (Slovenia). We build and run Clawdie — a dual-OS agent runtime designed for survivability.
- **Linux + Docker** (debby, domedog): our daily driver. Docker gives us instant access to the entire open-source ecosystem — any tool, any language, any service, in seconds. This is where we prototype, build, and orchestrate.
- **FreeBSD + jails** (OSA): our safeguard. FreeBSD runs a fundamentally different kernel, a different TCP stack, a different filesystem (ZFS), and a different container model (jails). A Linux-specific vulnerability — a Docker escape, a kernel exploit, a supply-chain attack targeting glibc or systemd — cannot touch FreeBSD. And vice versa: a FreeBSD-specific bug cannot touch Linux.
We are not betting on one OS. We are betting that **a vulnerability that kills one OS will not kill the other.** This dual-OS strategy means the Clawdie agent collective survives catastrophic events that would wipe out a single-platform system. If Docker goes down, OSA keeps running. If a FreeBSD jail escape emerges, debby keeps orchestrating. Our agents span both worlds and can be relocated in minutes.
Everything communicates over Tailscale with zero public exposure.
## How we operate

30
memories/curated/project-structure.md
View file

@ -1,16 +1,26 @@
# Clawdie Project Structure
Clawdie is a FreeBSD-based edge computing and agent runtime platform. The project spans multiple repositories, each with a distinct role.
Clawdie is a dual-OS agent runtime designed for survivability — Linux+Docker for reach, FreeBSD+jails (Bastille) for resilience.
## Core repos
| Repo | Language | Purpose |
| -------------- | ---------------- | ----------------------------------------------------------------------------------- |
| `colibri` | Rust (12 crates) | Cross-platform control plane: daemon, task board, skills catalog, store, MCP bridge |
| `clawdie-ai` | Docs/config | Agent runtime, control plane channels, handoff docs, session archives |
| `clawdie-iso` | Shell/BSD | FreeBSD ISO builder, firstboot wizard, installer, ZFS layout |
| `hermes-soul` | Backup | Hermes-native runtime backup (private) |
| `layered-soul` | Identity | Cross-harness portable identity (this repo) |
| Repo | Language | Purpose |
|------|---------|---------|
| `colibri` | Rust (12+ crates) | Cross-platform control plane: daemon, task board, skills catalog, store, MCP bridge |
| `clawdie-ai` | Docs/config | Agent runtime, control plane channels, handoff docs, session archives |
| `clawdie-iso` | Shell/BSD | FreeBSD ISO builder, firstboot wizard, installer, ZFS layout |
| `hermes-bsd` | Python | MIT-licensed FreeBSD Hermes patches (public) |
| `hermes-soul` | Backup | Hermes-native runtime backup (private) |
| `layered-soul` | Identity | Cross-harness portable identity (public) |
## Dual-OS strategy
| Platform | Container | Strengths | Safeguards against |
|----------|-----------|-----------|--------------------|
| Linux (debby, domedog) | Docker | Instant ecosystem access, any tool/language | FreeBSD/jails catch Linux-specific exploits (glibc, systemd, kernel) |
| FreeBSD (OSA) | Bastille jails | ZFS integrity, different TCP stack, jail isolation | Linux/Docker catches FreeBSD-specific bugs |
If Docker goes down, OSA keeps running. If a FreeBSD jail escape emerges, debby keeps orchestrating.
## Key binaries (colibri workspace)
@ -26,6 +36,10 @@ Clawdie is a FreeBSD-based edge computing and agent runtime platform. The projec
- Rust Tier-2 target: `x86_64-unknown-freebsd`, TLS via rustls (no openssl-sys)
- Zig 0.15.2 at `~/.local/bin/zig` (required for herdr builds)
## Docker infrastructure
Docker 29.5+ on Linux hosts. Containers for Hermes gateway, Zot RPC, Vaultwarden, Forgejo. Docker Desktop socket at `~/.docker/desktop/docker.sock` or system socket at `/var/run/docker.sock`. Probe with `verify_facts_probe.py --jails-containers`.
## Herdr
Terminal workspace manager at `~/ai/herdr` (v0.6.2, local patches). Binary at `~/ai/herdr/target/release/herdr`.

24
scripts/verify_facts_probe.py
View file

@ -232,11 +232,29 @@ def probe_storage() -> dict:
def probe_jails_containers() -> dict:
jails = run(["jls", "-n"]) if shutil.which("jls") else None
docker = run(["docker", "ps", "--format", "table {{.Names}}\t{{.Status}}"]) if shutil.which("docker") else None
jails = run_raw(["jls", "-n"]) if shutil.which("jls") else None
docker = {}
docker_bin = shutil.which("docker")
if docker_bin:
docker["binary"] = docker_bin
docker["version"] = run_raw(["docker", "--version"])
# Try both system socket and Docker Desktop socket
for sock in ["/var/run/docker.sock", os.path.expanduser("~/.docker/desktop/docker.sock")]:
if os.path.exists(sock):
docker["socket"] = sock
break
containers = run_raw(["docker", "ps", "-a", "--format", "table {{.Names}}\t{{.Image}}\t{{.Status}}"])
if containers and "ERROR" not in containers:
docker["containers"] = containers
else:
docker["containers"] = "daemon not running"
else:
docker["installed"] = False
return {
"freebsd_jails": jails,
"docker_containers": docker,
"docker": docker or None,
}