fix(iso-visuals): sync hardened helpers and guidance (Sam & Pi)

Mirror the Clawdie ISO Join Hive and wallpaper helper hardening in the iso-visuals skill, fix the desktop Exec path, and clarify staged-helper versus wired-default behavior.\n\nValidation: sh -n skills/iso-visuals/scripts/clawdie-join-hive.sh skills/iso-visuals/scripts/clawdie-wallpaper-gen.sh; npx --yes prettier@3 --check skills/iso-visuals/SKILL.md; python3 scripts/layered_soul.py validate .
2026-06-20 12:05:08 +02:00 · 2026-06-20 12:05:08 +02:00 · eddea0b4e9
commit eddea0b4e9
parent fe328efb84
4 changed files with 228 additions and 92 deletions
--- a/skills/iso-visuals/SKILL.md
+++ b/skills/iso-visuals/SKILL.md
@ -14,65 +14,87 @@ triggers:
 # ISO Visuals — Out-of-Box Desktop Experience
 Three improvements that replace the "boot to a terminal" feeling with a calm,
-informative desktop: a panel health indicator, a machine-identity wallpaper,
+informative desktop: a panel health indicator helper, a machine-identity wallpaper
-and a one-click Join Hive launcher.
+helper, and a one-click Join Hive launcher.
-## 1. Panel Health Indicator
+Keep this skill honest: scripts can be staged before every script is wired into
 the default panel/session. Do not claim default-panel or first-login behavior until
 it is proven in the live ISO or by mounted-image plus runtime checks.
-Shows Colibri daemon status in the Xfce panel. Green/red dot with agent count.
+## 1. Panel Health Indicator Helper
-Click to open a terminal with full `colibri status` output.
+
 Shows Colibri daemon status as Xfce genmon markup. When wired into a Generic Monitor
 panel item, it displays a green/red dot with agent count and started-task count;
 clicking opens a terminal with full `colibri status` output.
 **Script:** `scripts/colibri-panel-indicator.sh`
-**ISO integration:**
+**ISO staging:**
 ```bash
-# Copy the script into the live filesystem
+install -m 755 scripts/colibri-panel-indicator.sh \
-cp scripts/colibri-panel-indicator.sh /usr/local/bin/colibri-panel-indicator
+  "${LIVE_ROOT}/usr/local/bin/colibri-panel-indicator"
-chmod 755 /usr/local/bin/colibri-panel-indicator
+```
-# Add to Xfce panel via xfconf (or manually: Panel → Add New Items → Generic Monitor)
+**Optional runtime/manual panel wiring:**
 ```bash
 # Requires xfce4-genmon-plugin. Add manually from Panel → Add New Items → Generic Monitor,
 # or wire into seeded panel XML only after that plugin is in the ISO package list.
 xfconf-query -c xfce4-panel -p /plugins/plugin-20 -n -t string -s genmon
 xfconf-query -c xfce4-panel -p /plugins/plugin-20/command -n -t string -s /usr/local/bin/colibri-panel-indicator
 ```
-The indicator polls every 30s, uses `<txt>`/`<tool>`/`<txtclick>` genmon markup.
+The indicator uses `<txt>`/`<tool>`/`<txtclick>` genmon markup. It depends on
-Zero dependencies beyond `nc` and `python3` (both in the base jail bootstrap).
+`nc` and `python3`; the Clawdie ISO stages Python 3.12 and creates `python3` /
 `python` symlinks.
-## 2. Identity Wallpaper
+## 2. Identity Wallpaper Helper
-Generates a desktop background with machine identity overlaid:
+Generates a desktop background with machine identity overlaid: hostname,
-hostname, Tailscale IP, Colibri port, and FreeBSD release.
+Tailscale IP when available, Colibri socket/port status, and FreeBSD release.
 **Script:** `scripts/clawdie-wallpaper-gen.sh`
-**ISO integration:**
+**ISO staging:**
 ```bash
-# Run on first boot, set as wallpaper
+install -m 755 scripts/clawdie-wallpaper-gen.sh \
-cp scripts/clawdie-wallpaper-gen.sh /usr/local/bin/clawdie-wallpaper-gen
+  "${LIVE_ROOT}/usr/local/bin/clawdie-wallpaper-gen"
 chmod 755 /usr/local/bin/clawdie-wallpaper-gen
 # In clawdie-bootstrap-launch.sh or xfce-session:
 /usr/local/bin/clawdie-wallpaper-gen /usr/local/share/backgrounds/clawdie-default.png
 # Set as wallpaper (Xfce):
 xfconf-query -c xfce4-desktop -p /backdrop/screen0/monitor0/workspace0/last-image \
    -s /usr/local/share/backgrounds/clawdie-default.png
 ```
-Requires ImageMagick (`pkg install ImageMagick` — add to ISO package list).
+**Preferred base wallpaper:**
-Falls back to a solid dark background if no default wallpaper exists.
+
 ```text
 /usr/local/share/clawdie-iso/wallpapers/clawdie-operator-bg.png
 ```
 The helper falls back to the stock XFCE background, then to a generated dark solid
 background under `/tmp`. It should not try to create files under `/usr/local/share`
 at runtime unless explicitly requested by the operator.
 **Optional runtime/session wiring:**
 ```bash
 /usr/local/bin/clawdie-wallpaper-gen /tmp/clawdie-wallpaper.png
 xfconf-query -c xfce4-desktop -p /backdrop/screen0/monitor0/workspace0/last-image \
  -s /tmp/clawdie-wallpaper.png
 ```
 Requires ImageMagick (`ImageMagick7` in the ISO package list; `magick` or
 `convert` command accepted). Tailscale is optional; absence should produce
 `tailscale offline`, not an error.
 **Format:**
-```
+
 ```text
 ┌────────────────────────────────────┐
 │                                    │
 │          Clawdie OS                │
 │                                    │
 │   hostname    osa                  │
 │   tailscale   100.72.229.63        │
-│   colibri     9190                 │
+│   colibri     socket 9190          │
 │   jail        15.0-RELEASE-p4      │
 │                                    │
 └────────────────────────────────────┘
@ -80,48 +102,71 @@ Falls back to a solid dark background if no default wallpaper exists.
 ## 3. Join Hive Launcher
-Desktop icon that runs the full agent registration flow in a visible terminal:
+Desktop icon that runs agent registration in a visible terminal: check daemon →
-check daemon → verify vault creds → detect capabilities → register → done.
+check Vaultwarden bootstrap fields without printing secrets → detect capabilities →
 register → pause for operator review.
 **Script:** `scripts/clawdie-join-hive.sh`
 **Desktop entry:** `scripts/clawdie-join-hive.desktop`
-**ISO integration:**
+**ISO staging:**
 ```bash
-cp scripts/clawdie-join-hive.sh /usr/local/bin/clawdie-join-hive.sh
+install -m 755 scripts/clawdie-join-hive.sh \
-cp scripts/clawdie-join-hive.desktop /usr/local/share/applications/
+  "${LIVE_ROOT}/usr/local/bin/clawdie-join-hive"
-cp scripts/clawdie-join-hive.desktop /home/clawdie/Desktop/
+install -m 644 scripts/clawdie-join-hive.desktop \
-chmod 755 /usr/local/bin/clawdie-join-hive.sh
+  "${LIVE_ROOT}/usr/local/share/applications/Clawdie Join Hive.desktop"
 install -m 644 scripts/clawdie-join-hive.desktop \
  "${LIVE_ROOT}/home/clawdie/Desktop/Join Hive.desktop"
 ```
-The launcher runs in `xfce4-terminal` with geometry 80x24, pauses on "Press Enter"
+The desktop entry must call the installed binary path, without a `.sh` suffix:
 so the operator reads the result before the window closes.
-**Idempotent** — safe to double-click multiple times. Already-registered agents
+```ini
-are detected and skipped.
+Exec=xfce4-terminal --title "Join Hive" --geometry=80x24 --command "/usr/local/bin/clawdie-join-hive"
 ```
-## Build integration (clawdie-iso build.sh)
+The launcher runs in `xfce4-terminal` with geometry 80x24 and pauses on
 "Press Enter" so the operator reads the result before the window closes.
-Add these lines to the ISO build script:
+**Idempotency expectations:**
 - safe to double-click multiple times;
 - treats already-registered / `UNIQUE constraint` agent-name responses as an
  idempotent success;
 - does not fail just because `/usr/local/etc/colibri/provider.env` is mode `0600`;
 - uses `mdo -u root` for privileged checks/start where available;
 - never prints Vaultwarden credentials or provider keys.
 ## Build integration (`clawdie-iso` `build.sh`)
 Current staging pattern:
 ```bash
 # --- ISO Visuals ---
 install -m 755 scripts/colibri-panel-indicator.sh  "${LIVE_ROOT}/usr/local/bin/colibri-panel-indicator"
 install -m 755 scripts/clawdie-wallpaper-gen.sh     "${LIVE_ROOT}/usr/local/bin/clawdie-wallpaper-gen"
 install -m 755 scripts/clawdie-join-hive.sh         "${LIVE_ROOT}/usr/local/bin/clawdie-join-hive"
-install -m 644 scripts/clawdie-join-hive.desktop    "${LIVE_ROOT}/usr/local/share/applications/"
+install -m 644 scripts/clawdie-join-hive.desktop    "${LIVE_ROOT}/usr/local/share/applications/Clawdie Join Hive.desktop"
-install -m 644 scripts/clawdie-join-hive.desktop    "${LIVE_ROOT}/home/clawdie/Desktop/"
+install -m 644 scripts/clawdie-join-hive.desktop    "${LIVE_ROOT}/home/clawdie/Desktop/Join Hive.desktop"
 ```
-And add `ImageMagick` to the ISO package list for the wallpaper generator.
+Add/keep `ImageMagick7` in the ISO package list for the wallpaper generator.
 ## Verification
 After booting the ISO:
-1. **Panel:** green dot with agent count visible in the Xfce panel.
+1. **Mounted-image:** `/usr/local/bin/clawdie-join-hive`,
-   Clicking opens `colibri status` in a terminal.
+   `/usr/local/bin/clawdie-wallpaper-gen`, and `/usr/local/bin/colibri-panel-indicator`
-2. **Wallpaper:** identity text in the bottom-left corner.
+   exist and are executable.
-3. **Desktop:** "Join Hive" icon present. Double-click → terminal opens,
+2. **Desktop launcher:** `Join Hive.desktop` exists; its `Exec=` points to
-   walks through registration, pauses for operator to read.
+   `/usr/local/bin/clawdie-join-hive` with no `.sh` suffix.
 3. **Join Hive:** double-click opens a terminal, starts/checks `colibri_daemon`,
   reports provider.env status without exposing secrets, registers or reports
   already registered, then waits for Enter.
 4. **Wallpaper helper:** running `/usr/local/bin/clawdie-wallpaper-gen` writes an
   image to `/tmp/clawdie-wallpaper.png` using the Clawdie wallpaper as base.
 5. **Panel indicator helper:** running `/usr/local/bin/colibri-panel-indicator`
   prints genmon XML. Only claim panel visibility after genmon is packaged and
   wired into the seeded panel or configured manually.
--- a/skills/iso-visuals/scripts/clawdie-join-hive.desktop
+++ b/skills/iso-visuals/scripts/clawdie-join-hive.desktop
@ -3,7 +3,7 @@ Type=Application
 Version=1.0
 Name=Join Hive
 Comment=Register this machine as a Colibri agent
-Exec=xfce4-terminal --title "Join Hive" --geometry=80x24 --command "/usr/local/bin/clawdie-join-hive.sh"
+Exec=xfce4-terminal --title "Join Hive" --geometry=80x24 --command "/usr/local/bin/clawdie-join-hive"
 Icon=network-server
 Terminal=false
 Categories=System;Utility;
--- a/skills/iso-visuals/scripts/clawdie-join-hive.sh
+++ b/skills/iso-visuals/scripts/clawdie-join-hive.sh
@ -2,11 +2,33 @@
 # One-click "Join Hive" — registers this machine as a Colibri agent.
 # Runs in a visible terminal so the operator sees the result.
 # Idempotent: safe to re-run on an already-registered agent.
 set -e
 SOCKET="${COLIBRI_SOCKET:-/var/run/colibri/colibri.sock}"
 PROVIDER_ENV="/usr/local/etc/colibri/provider.env"
 finish() {
    _code="${1:-0}"
    echo ""
    echo "Press Enter to close."
    read -r _
    exit "${_code}"
 }
 have() {
    command -v "$1" >/dev/null 2>&1
 }
 provider_env_has_bw_creds() {
    _check='test -f "$1" && grep -Eq "^BW_CLIENTID=.+" "$1" && grep -Eq "^BW_CLIENTSECRET=.+" "$1" && grep -Eq "^BW_PASSWORD=.+" "$1"'
    if have mdo; then
        mdo -u root sh -c "${_check}" sh "${PROVIDER_ENV}" >/dev/null 2>&1
        return $?
    fi
    sh -c "${_check}" sh "${PROVIDER_ENV}" >/dev/null 2>&1
 }
 echo "========================================"
 echo "  Clawdie — Join Hive"
 echo "========================================"
@ -15,48 +37,90 @@ echo ""
 # 1. Check daemon
 if [ ! -S "$SOCKET" ]; then
    echo "[1/4] Starting colibri daemon..."
-    mdo -u root service colibri_daemon start
+    if have mdo; then
-    sleep 2
+        if ! mdo -u root service colibri_daemon start; then
            echo "       WARNING: could not start colibri_daemon via mdo."
        fi
    elif [ "$(id -u)" -eq 0 ]; then
        if ! service colibri_daemon start; then
            echo "       WARNING: could not start colibri_daemon."
        fi
    else
        echo "       WARNING: mdo is unavailable and this user is not root."
    fi
    _tries=0
    while [ "$_tries" -lt 5 ] && [ ! -S "$SOCKET" ]; do
        sleep 1
        _tries=$(( _tries + 1 ))
    done
 else
    echo "[1/4] Daemon already running."
 fi
-# 2. Vault creds
+if [ ! -S "$SOCKET" ]; then
    echo "       ERROR: Colibri socket is still missing: ${SOCKET}"
    echo "       Check: mdo -u root service colibri_daemon status"
    finish 1
 fi
 # 2. Vault creds. provider.env is intentionally 0600, so check via mdo when possible.
 echo "[2/4] Checking vault credentials..."
-if [ -f "$PROVIDER_ENV" ] && grep -q 'BW_CLIENTID=.' "$PROVIDER_ENV" 2>/dev/null; then
+if provider_env_has_bw_creds; then
-    echo "       provider.env present with credentials."
+    echo "       provider.env contains Vaultwarden bootstrap credential fields."
 else
-    echo "       WARNING: provider.env missing or empty."
+    echo "       WARNING: provider.env is missing, unreadable, or lacks BW_CLIENTID/BW_CLIENTSECRET/BW_PASSWORD."
-    echo "       Vault provisioning will be skipped."
+    echo "       Vault provisioning will be skipped until the operator adds them."
-    echo "       Edit ${PROVIDER_ENV} and re-run."
+    echo "       Edit ${PROVIDER_ENV} and keep it mode 0600, then re-run."
 fi
 # 3. Detect capabilities
-HOST=$(hostname)
+HOST=$(hostname 2>/dev/null || echo "clawdie-live")
-OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+OS=$(uname -s 2>/dev/null | tr '[:upper:]' '[:lower:]')
 [ -n "$OS" ] || OS="unknown"
 CAPS="$OS,shell"
 # Add optional capabilities
-which colibri >/dev/null 2>&1 && CAPS="$CAPS,colibri"
+have colibri && CAPS="$CAPS,colibri"
-which hermes >/dev/null 2>&1 && CAPS="$CAPS,hermes"
+have hermes && CAPS="$CAPS,hermes"
-which pi >/dev/null 2>&1 && CAPS="$CAPS,pi"
+have pi && CAPS="$CAPS,pi"
-tailscale status >/dev/null 2>&1 && CAPS="$CAPS,tailscale"
+if have tailscale && tailscale status >/dev/null 2>&1; then
    CAPS="$CAPS,tailscale"
 fi
 [ "$OS" = "freebsd" ] && CAPS="$CAPS,rc.d,jail,zfs"
 if have python3; then
    CAPS_JSON=$(printf '%s' "$CAPS" | python3 -c 'import json,sys; print(json.dumps(sys.stdin.read().strip().split(",")))' 2>/dev/null)
 else
    CAPS_JSON='["shell"]'
 fi
 [ -n "$CAPS_JSON" ] || CAPS_JSON='["shell"]'
 AGENT_NAME="${HOST}"
 echo "[3/4] Registering agent: ${AGENT_NAME}"
 echo "       capabilities: ${CAPS}"
 if ! have nc; then
    echo "       ERROR: nc is not installed; cannot talk to ${SOCKET}."
    finish 1
 fi
 RESP=$(printf '{"cmd":"register-agent","name":"%s","capabilities":%s}\n' \
-    "$AGENT_NAME" "$(echo "$CAPS" | python3 -c "import sys; print(__import__('json').dumps(sys.stdin.read().strip().split(',')))")" \
+    "$AGENT_NAME" "$CAPS_JSON" \
    | nc -U "$SOCKET" -w 3 2>/dev/null)
 if echo "$RESP" | grep -q '"ok":true'; then
    echo "       registered."
-elif echo "$RESP" | grep -q 'already exists'; then
+elif echo "$RESP" | grep -Eiq 'already exists|unique constraint|constraint failed|agents\.name'; then
    echo "       already registered (idempotent)."
 else
-    echo "       registration note: ${RESP}"
+    echo "       registration did not complete cleanly."
    if [ -n "$RESP" ]; then
        echo "       response: ${RESP}"
    else
        echo "       no response from ${SOCKET}"
    fi
    finish 1
 fi
 # 4. Start poll loop
@ -66,5 +130,5 @@ echo "  Check:  colibri status"
 echo "  Tasks:  colibri list-tasks --status started"
 echo "  Board:  colibri list-agents"
 echo ""
-echo "Hive joined. Press Enter to close."
+echo "Hive joined."
-read -r _
+finish 0
--- a/skills/iso-visuals/scripts/clawdie-wallpaper-gen.sh
+++ b/skills/iso-visuals/scripts/clawdie-wallpaper-gen.sh
@ -1,33 +1,60 @@
 #!/bin/sh
 # Generate a wallpaper with machine identity overlaid.
-# Run once on first boot, caches result in /tmp/clawdie-wallpaper.png.
+# Safe to run on first boot; caches result in /tmp/clawdie-wallpaper.png.
-# Requires: ImageMagick (convert), tailscale, colibri socket.
+# Requires ImageMagick (magick or convert). Tailscale is optional.
 set -e
 OUT="${1:-/tmp/clawdie-wallpaper.png}"
-BG="/usr/local/share/backgrounds/xfce/default.png"
+CLAWDIE_BG="/usr/local/share/clawdie-iso/wallpapers/clawdie-operator-bg.png"
 XFCE_BG="/usr/local/share/backgrounds/xfce/default.png"
 FALLBACK_BG="/tmp/clawdie-wallpaper-base.png"
-HOST=$(hostname)
+have() {
-TS_IP=$(tailscale ip -4 2>/dev/null || echo "offline")
+    command -v "$1" >/dev/null 2>&1
-COLIBRI_SOCK="/var/run/colibri/colibri.sock"
+}
 COLIBRI_PORT="9190"
 JAIL_RELEASE=$(freebsd-version 2>/dev/null || uname -r)
-# Fall back to a solid colour if no background image exists
+if have magick; then
-if [ ! -f "$BG" ]; then
+    im() { magick "$@"; }
-    convert -size 1920x1080 xc:'#1a1a2e' "$BG" 2>/dev/null || true
+elif have convert; then
    im() { convert "$@"; }
 else
    echo "ERROR: ImageMagick is not installed; expected magick or convert." >&2
    exit 1
 fi
-# One-liner draw: place identity text in the bottom-left corner
+HOST=$(hostname 2>/dev/null || echo "clawdie-live")
-convert "$BG" \
+if have tailscale; then
-    -font Helvetica -pointsize 18 -fill '#e0e0e0' \
+    TS_IP=$(tailscale ip -4 2>/dev/null | head -n 1)
 fi
 [ -n "${TS_IP:-}" ] || TS_IP="offline"
 COLIBRI_SOCK="/var/run/colibri/colibri.sock"
 COLIBRI_PORT="9190"
 JAIL_RELEASE=$(freebsd-version 2>/dev/null || uname -r 2>/dev/null || echo "unknown")
 if [ -f "$CLAWDIE_BG" ]; then
    BG="$CLAWDIE_BG"
 elif [ -f "$XFCE_BG" ]; then
    BG="$XFCE_BG"
 else
    BG="$FALLBACK_BG"
    im -size 1920x1080 xc:'#1a1a2e' "$BG"
 fi
 SOCK_STATUS="down"
 [ -S "$COLIBRI_SOCK" ] && SOCK_STATUS="socket ${COLIBRI_PORT}"
 # Overlay identity text in the bottom-left corner. Do not require a specific
 # font: ImageMagick's default font is more portable across FreeBSD package sets.
 if ! im "$BG" \
    -pointsize 18 -fill '#e0e0e0' \
    -annotate +40+900 "hostname    ${HOST}" \
    -annotate +40+930 "tailscale   ${TS_IP}" \
-    -annotate +40+960 "colibri     ${COLIBRI_PORT}" \
+    -annotate +40+960 "colibri     ${SOCK_STATUS}" \
    -annotate +40+990 "jail        ${JAIL_RELEASE}" \
-    -font Helvetica-Bold -pointsize 28 -fill '#8b5cf6' \
+    -pointsize 28 -fill '#8b5cf6' \
    -annotate +40+850 "Clawdie OS" \
-    "$OUT"
+    "$OUT"; then
    echo "WARNING: identity overlay failed; copying base wallpaper instead." >&2
    cp "$BG" "$OUT"
 fi
 echo "Wallpaper: ${OUT}"