Home PI Integration Bastille + Warden

Reduced AI Dependency During Bootstrap

Turn fragile host bootstrap knowledge into explicit Warden skills, deterministic scripts, and narrow operator playbooks.

Goal

The objective is not to remove AI from operations. The objective is to stop depending on improvisation during bootstrap. Clawdie should operate from fixed infrastructure playbooks.

Progress Snapshot

✓ Completed warden-pf skill added

✓ Completed warden-zfs skill added

✓ Completed bastille-network skill added

✓ Completed warden-bootstrap skill added

✓ Completed sanoid skill added

✓ Completed nginx-glasspane skill added

✓ Completed telegram-admin skill added

✓ Completed warden-health skill added

✓ Completed browser-vm skill added

✓ Completed freebsd-admin skill added

Completed Skills

Status	Skill	Purpose
✓	`warden-pf`	Canonical Warden bridge/subnet model, minimal NAT, pf validation, connectivity troubleshooting.
✓	`warden-zfs`	ZFS dataset layout for `clawdie-runtime`, snapshots, rollback-safe control-plane storage.
✓	`sanoid`	Policy-driven automated ZFS snapshots for `clawdie-runtime`, starting with the persistent `clawdie-cp` control-plane dataset.
✓	`warden-health`	Canonical doctor workflow, host and pipeline health interpretation, Warden failure triage, and operator SQL/log command bundles.
✓	`browser-vm`	Future Linux VM executor profiles, Debian Trixie `base-tmux` source image, default `4G` RAM and `30G` disk sizing, and canonical clone and snapshot naming.
✓	`freebsd-admin`	Host-level FreeBSD changes, including `sysrc`, `service`, `sysctl`, `gateway_enable`, forwarding, and other machine-wide state that should stay outside jail and VM skills.

Planned Skills

Status	Skill	Why it matters
✓	`bastille-network`	Persist `warden0`, encode reboot-safe host networking, and validate bridge state before control-plane creation.
✓	`warden-bootstrap`	Release check, control-plane jail creation, canonical hostname application, package bootstrap, and first jailed runtime validation.
✓	`nginx-glasspane`	Serve the tmux glasspane on `ai.clawdie.si` from static screenshot artifacts, `latest.json`, and UUID archive views.
✓	`telegram-admin`	Bot token validation, chat discovery, admin/main registration, and operator routing through Telegram.
✓	`warden-health`	Bridge runtime health, Bastille state, jail state, app doctor checks, and failure triage in one operator workflow.
✓	`browser-vm`	Future Linux desktop/browser executor with `base-tmux`, `browser`, `xfce`, `i3`, and `kde` profiles, separate from jail provisioning.
✓	`freebsd-admin`	Machine-wide FreeBSD admin tasks such as routing, forwarding, persistent `sysrc` changes, and host validation checks.

Current Canonical Model

clawdie-cp = thick, persistent, VNET control-plane jail
warden0 = host bridge for Warden jails
10.0.0.1 = host gateway
10.0.0.100 = control-plane jail
10.0.0.101+ = worker range
Workers later split into thin/shared and thin/vnet
Browser automation later moves to a separate bhyve Linux VM class

How This Reduces Bootstrap AI Dependency

Host setup stops depending on live reconstruction of Bastille, pf, and ZFS decisions.
Repeated infrastructure fixes become scripts and reference files, not chat memory.
The AI still helps, but it executes explicit playbooks instead of improvising host bootstrap.
Future deployments become reproducible on new FreeBSD machines.