docs: strip consensus to pure decisions, move research to red-team, add Ubuntu install prompt

[B67687]

Cleans up consensus doc to only contain decisions. Moves GGUF comparison, model benchmarks, and quant research to agent-seed-red-team.md. Adds ubuntu-install-prompt.md for the MiniPC setup.

Summary by Sourcery

Refine the agent-seed architecture doc to focus on decisions and runtime loop behavior, move detailed model and quantization research into the red-team document, and add a guided Ubuntu installation prompt for the Minisforum AI Pro-370 MiniPC.

Documentation:

• Clarify hardware, OS, model choice, agent loop, safety layers, and observer setup in the architecture/decisions document while trimming research detail.
• Extend the red-team document with structured GGUF provider and quantization research, alternative model comparisons, and Qwen chat template guidance for agentic workloads.
• Add an Ubuntu 26.04 LTS installation prompt document for step-by-step MiniPC setup via an assisting agent.

Summary by CodeRabbit

• Documentation
  • Refined system architecture documentation with updated hardware specifications, expanded LLM runtime configuration details, improved model selection guidance, and enhanced agent execution platform workflow
  • Added comprehensive red-team and adversarial analysis documentation for security threat assessment and mitigation analysis
  • Created detailed step-by-step Ubuntu 26.04 LTS installation guide including BIOS configuration, kernel parameters, and server setup procedures

[sourcery-ai]

Reviewer's Guide

Refactors the main architecture/consensus doc to focus on high-level decisions, pushes model/quant/benchmark research into the red-team document, expands implementation details for the daemon and safety layers, and adds a new Ubuntu 26.04 LTS install prompt for the Minisforum AI Pro-370 MiniPC.

File-Level Changes

Change	Details	Files
Refocus the architecture/consensus document on decisions and tighten descriptions of hardware, runtime, model choice, agent loop, and safety layers.	Rename the document to emphasize architecture & decisions and point research references to the red-team doc instead of the old research doc. Simplify and clarify hardware/OS rationale, explicitly listing accepted and rejected distros plus firmware caveats. Split and expand the runtime/model sections to describe llama.cpp CPU backend performance, preferred Q6_K quant, GGUF sourcing, and the fixed Qwen chat template. Clarify agent platform choice (mini-SWE-agent), daemon loop behavior, SCAN markers, summarization, and schema validation/rollback steps. Restructure sections on substrate, loop, observer, architecture diagram, model swapping, safety architecture, and key design decisions to be more concise and decision-focused while keeping implementation hooks (scripts, paths, configs) explicit.	agent-seed-architecture.md
Enrich the red-team document with structured safety-gap tracking and detailed model/quantization research that was removed from the consensus doc.	Reformat the safety gap table for readability while keeping the same gaps, severities, and fixes. Add a new section describing GGUF provider comparison, quant selection for 32GB, alternative models, licensing, chat template bug/fix, and expected performance for different quants. Keep existing red-team analysis context but move detailed model/quant research out of the main architecture doc into this dedicated section.	agent-seed-red-team.md
Introduce a reusable Ubuntu 26.04 LTS install prompt tailored for the Minisforum AI Pro-370 headless setup.	Create a new install guide that is written as a prompt for an agent, covering ISO download and verification, bootable USB creation, BIOS configuration, server-only Ubuntu install, kernel parameter setup, base package and Tailscale installation, and SSH verification. Emphasize step-by-step, confirm-before-acting interaction style and assumptions about the hardware (HX 370, 32GB RAM, 1TB NVMe, Radeon 890M).	ubuntu-install-prompt.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Warning

Review limit reached

@B67687, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 33 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 312a5d51-f4a4-4560-a294-4264f14e9be9

📥 Commits

Reviewing files that changed from the base of the PR and between 295e8d3 and 4016e8f.

📒 Files selected for processing (2)

• agent-seed-architecture.md
• agent-seed-red-team.md

📝 Walkthrough

Walkthrough

The PR refreshes the agent-seed system documentation across three files. The main agent-seed-architecture.md is substantially revised to specify Ubuntu 26.04 LTS headless, update hardware kernel requirements, refocus the LLM runtime on Qwen 3.6-27B with explicit GGUF quantization and chat template fixes, restructure the daemon loop execution steps, clarify observer responsibilities, and rewrite the safety architecture. The agent-seed-red-team.md expands the critical gaps analysis with detailed model & quantization research and provider comparisons. A new ubuntu-install-prompt.md provides step-by-step installation automation for the Minisforum hardware.

Changes

Agent Seed System Documentation

Layer / File(s)	Summary
Architecture document framing and research references agent-seed-architecture.md (1–5)	Document heading and research pointers are updated to direct readers to the updated agent-seed-red-team.md for adversarial analysis and retitle the section as "architecture & decisions."
Hardware setup and Ubuntu installation automation agent-seed-architecture.md (17–23), ubuntu-install-prompt.md	Hardware section specifies Ubuntu 26.04 LTS headless, Kernel 6.18+ HWE, kernel parameters, and firmware guidance. New ubuntu-install-prompt.md provides step-by-step agent automation for ISO verification, USB creation, BIOS configuration, GRUB edits, Tailscale setup, and SSH verification.
LLM runtime and model configuration agent-seed-architecture.md (24–60)	LLM runtime is described as CPU-first (AVX-512) with iGPU Vulkan as non-production contingency. Model selection updated to Qwen 3.6-27B with primary/fallback GGUF quantization choices. Chat template approach addresses empty tool-call bugs in unclosed <think> tags. Token drift mitigations (KV cache precision, SCAN markers, sliding-window summarization, git session boundaries) and known limitations are reorganized.
Agent execution loop and operational safety agent-seed-architecture.md (61–105)	Daemon loop documentation includes new operational steps: SCAN marker, run agent, git commit, schema validation, health check/rollback, sleep. Safety layers enforced outside the AI are documented with clearer protocol and evidence framing.
Observer implementation and monitoring architecture agent-seed-architecture.md (107–128)	Observer responsibilities are clarified: read git log + CHANGELOG, detect stuck patterns, never write to agent-seed. Architecture diagram labels and scripts/observer-daemon.sh implementation details are updated to reflect observational-only role.
Safety architecture and key design decisions agent-seed-architecture.md (130–160)	Five-layer safety architecture rewritten with explicit daemon.py/config references and clearer rollback mechanics. Model swapping instructions revised, prompt principles retained, and key design decisions updated for platform stability, inference choice, restarts, and autonomy/observation.
Red-team adversarial analysis and model research expansion agent-seed-red-team.md (92, 132–202)	Critical gaps mitigation table reformatted. "Safety: Critical gaps remain" section expands with detailed "Gap / Severity / Fix" table. New "Model & Quantization Research" section includes GGUF provider comparisons, quant selection for 32GB, alternative model fit analysis, license statement, chat template fix notes, and expected performance (llama.cpp CPU) comparison tables.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A system refined from seed to scene,
Hardware specs and quants so keen,
Safety layers, observers astute,
Ubuntu scripts with a steady route,
Agent-seed hops forth with grace!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is substantially incomplete. It lacks verification steps, dependencies, migration guidance, and residual risk assessment required by the repository template.	Add verification checklist results (CI/lint status, secret checks), document any dependencies, clarify migration needs, and identify known risks or limitations from the documentation changes.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main changes: consolidating documentation into decisions, reorganizing research content, and adding a new installation guide.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/consensus-cleanup

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• In ubuntu-install-prompt.md, avoid hard-coding the username namikaz and instead have the agent explicitly ask the user for their preferred username to keep the prompt reusable across setups.
• The safety architecture described in agent-seed-architecture.md (5 layers implemented, 19 blocked patterns, 4 protected paths) appears to conflict with some items still listed as gaps in agent-seed-red-team.md (narrow blocklist, missing disk monitoring, etc.); consider reconciling these so the current state vs. remaining gaps is unambiguous.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `ubuntu-install-prompt.md`, avoid hard-coding the username `namikaz` and instead have the agent explicitly ask the user for their preferred username to keep the prompt reusable across setups.
- The safety architecture described in `agent-seed-architecture.md` (5 layers implemented, 19 blocked patterns, 4 protected paths) appears to conflict with some items still listed as gaps in `agent-seed-red-team.md` (narrow blocklist, missing disk monitoring, etc.); consider reconciling these so the current state vs. remaining gaps is unambiguous.

## Individual Comments

### Comment 1
<location path="ubuntu-install-prompt.md" line_range="13" />
<code_context>
+
+1. **Download Ubuntu 26.04 LTS ISO** --- from ubuntu.com/download/server. Tell me where to get it and how to verify the checksum.
+
+2. **Create bootable USB** --- on my current machine (tell me the command, I'll tell you what OS I'm on if needed). Use `dd` or `balena-etcher`.
+
+3. **BIOS setup** --- boot the MiniPC, enter BIOS (tell me the key), and set:
</code_context>
<issue_to_address>
**nitpick (typo):** Consider using the official "balenaEtcher" capitalization/name instead of "balena-etcher".

This matches the product’s branding and avoids suggesting there is a `balena-etcher` command-line tool.

```suggestion
2. **Create bootable USB** --- on my current machine (tell me the command, I'll tell you what OS I'm on if needed). Use `dd` or `balenaEtcher`.
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

nitpick (typo): Consider using the official "balenaEtcher" capitalization/name instead of "balena-etcher".

This matches the product’s branding and avoids suggesting there is a balena-etcher command-line tool.

Suggested change

	2. **Create bootable USB** --- on my current machine (tell me the command, I'll tell you what OS I'm on if needed). Use `dd` or `balena-etcher`.
	2. **Create bootable USB** --- on my current machine (tell me the command, I'll tell you what OS I'm on if needed). Use `dd` or `balenaEtcher`.

[gemini-code-assist]

Code Review

This pull request updates the agent-seed architecture documentation, adds model and quantization research to the red-team document, and introduces an Ubuntu 26.04 LTS installation guide. Feedback on these changes highlights several inconsistencies: the LLM API endpoint port is incorrectly listed as 11434 instead of 8080 in multiple places; the GGUF provider table contains a logical contradiction regarding KLD rankings; the RAM usage estimates for the 32K context contradict other sections; and the installation guide contains missing sudo commands and a redundant Tailscale installation step.

[gemini-code-assist]

The LLM API endpoint is listed as using port 11434. However, port 11434 is the default port for Ollama, whereas the architecture has explicitly switched to llama.cpp server (which defaults to port 8080). This should be updated to localhost:8080/v1 to match the runtime choice.

Suggested change

	| LLM API endpoint | localhost:11434/v1 |
	| LLM API endpoint | localhost:8080/v1 |

[gemini-code-assist]

The ASCII diagram still references localhost:11434 for llama.cpp. This should be updated to localhost:8080 to align with the default port of llama.cpp server instead of Ollama.

Suggested change

	├── llama.cpp <- localhost:11434
	├── llama.cpp <- localhost:8080

[gemini-code-assist]

There is a logical contradiction in the GGUF Provider Comparison table. The table header states that for KLD 99.9%, 'lower=better'. However, Unsloth (~0.548) is ranked 1st and bartowski (~0.577) is ranked 2nd, while lmstudio-community (~0.329) and mradermacher (~0.260) are ranked 4th and 3rd respectively. If lower KLD is indeed better, the rankings or the KLD values themselves appear to be swapped.

[gemini-code-assist]

The 'RAM Used (32K ctx)' column in the Quant Selection table lists values that only add ~2.5 GB of overhead to the model size (e.g., ~25 GB for Q6_K at 22.5 GB). This contradicts the 'Critical failures' section of the same document (lines 31-34), which states that the KV cache at 32K context alone takes ~6 GB and OS/services take ~3-4 GB (totaling ~9-10 GB of overhead). Please reconcile these values to ensure accurate hardware planning.

[gemini-code-assist]

The apt commands in step 6 are missing sudo. Since the system is configured with a non-root user namikaz in step 4, running these commands without sudo will fail with permission errors.

Suggested change

	- `apt update && apt upgrade -y`
	- sudo apt update && sudo apt upgrade -y

[gemini-code-assist]

In step 6, tailscale is listed for installation via apt. However, the Tailscale repository is not yet configured at this stage, so this command will fail. Furthermore, step 7 explicitly installs Tailscale using its official bootstrap script, making this entry redundant. It should be removed from step 6.

Suggested change

	- Install: `build-essential`, `git`, `curl`, `wget`, `tailscale`
	- Install: build-essential, git, curl, wget

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[coderabbitai]

Actionable comments posted: 7

🧹 Nitpick comments (1)

agent-seed-red-team.md (1)

208-208: ⚡ Quick win

Sandbox guidance conflicts with earlier recommendation.

Line 208 says systemd hardening gives “zero-config sandboxing without Docker or bubblewrap,” but earlier guidance (Line 128 in this same doc section context) positions bubblewrap as the preferred sandbox. Clarify whether systemd hardening is baseline defense or a full replacement.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agent-seed-red-team.md` at line 208, The sentence about "systemd
ProtectSystem/ReadWritePaths" claiming “zero-config sandboxing without Docker or
bubblewrap” conflicts with earlier guidance that recommends bubblewrap as the
preferred sandbox; update the text to clarify that systemd hardening
(ProtectSystem/ReadWritePaths, ProtectHome, etc.) is a lightweight baseline
defense and not a full replacement for an untrusted-code sandbox like
bubblewrap, and explicitly state that bubblewrap remains the recommended
isolation tool for executing untrusted agents while systemd hardening should be
applied as complementary, default protection.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@agent-seed-architecture.md`:
- Around line 93-103: In agent-seed-architecture.md the two unlabeled fenced
code blocks (the numbered steps block beginning "1. Read GOAL.md..." and the
ASCII diagram block beginning "Your laptop                    MiniPC") must be
annotated with a language to satisfy markdownlint MD040; change the opening
fences from ``` to ```text for both blocks (and similarly for the other
occurrence around lines 113-128) so the fences are labeled while preserving the
block contents and closing fences.
- Line 26: The doc references a "llama.cpp server" but uses the
Ollama-associated port localhost:11434; either explicitly document that 11434 is
a remapped/proxied port (add a note describing the proxy/remap and how to
configure it) or change all occurrences of localhost:11434 to the actual
llama.cpp API endpoint/port your setup uses; update every instance of
"llama.cpp" and "localhost:11434" in the document so the port and description
are consistent (e.g., adjust the entries around the current mentions of
localhost:11434 and the "llama.cpp server" text).

In `@agent-seed-red-team.md`:
- Around line 149-157: The KLD direction/ranking mismatch must be fixed: decide
whether KLD is "lower=better" or "higher=better" and update the table values and
the verdict accordingly; specifically, either invert the note "lower=better" or
correct the KLD numbers for the rows Unsloth (~0.548), lmstudio-community
(~0.329), and mradermacher (~0.260) so that the quality ranks (1st for Unsloth,
3rd for mradermacher, 4th for lmstudio-community) match the metric direction,
and make the concluding sentence about Unsloth Dynamic 2.0 consistent with the
corrected metric and ranks.
- Line 93: The doc references inconsistent chat templates: change the Line 93
usage of "qwen3.6-enhanced.jinja" to the canonical template used elsewhere (the
froggeric fixed template referenced via the --chat-template-file invocation) so
all docs use the same template string; update any mention of
qwen3.6-enhanced.jinja to the canonical template name and ensure
agent-seed-architecture.md and lines around 193 use that same template reference
so deployment uses a single canonical chat template.

In `@ubuntu-install-prompt.md`:
- Around line 29-31: Split the kernel-parameter step into two explicit phases:
(1) Temporary one-boot change — instruct the user to interrupt the boot/GRUB
menu and edit the boot entry (e.g., press "e") to append `amd_iommu=off
amdgpu.gttsize=40960 ttm.pages_limit=14680064` for this single boot; and (2)
Persistent change — after confirming the kernel parameters work, edit
`/etc/default/grub` and add the same flags to GRUB_CMDLINE_LINUX_DEFAULT, then
run `update-grub` to make them permanent. Mention both steps clearly and label
them "Temporary (single boot)" and "Persistent (post-install)" so users don’t
perform the wrong action at the wrong time.
- Around line 35-39: There are two conflicting Tailscale install methods: the
inline install list item "Install: `build-essential`, `git`, `curl`, `wget`,
`tailscale`" and the separate curl installer block "`curl -fsSL
https://tailscale.com/install.sh | sh`" / `sudo tailscale up`; pick and keep one
authoritative method (either remove `tailscale` from the install list and retain
the curl installer block, or remove the curl installer block and keep the apt
package in the install list), and update the remaining text so it references
only the chosen method and the `sudo tailscale up` step consistently.
- Line 39: Replace the unsafe "curl -fsSL https://tailscale.com/install.sh | sh"
instruction with explicit apt/keyring steps: instruct adding Tailscale's GPG key
and apt repository (instead of the pipe-to-sh), running apt-get update and then
apt-get install tailscale, and keep the post-install command "sudo tailscale
up"; update the line that currently contains "curl -fsSL
https://tailscale.com/install.sh | sh" so it describes the keyring + apt repo +
apt-get install workflow and then "sudo tailscale up".

---

Nitpick comments:
In `@agent-seed-red-team.md`:
- Line 208: The sentence about "systemd ProtectSystem/ReadWritePaths" claiming
“zero-config sandboxing without Docker or bubblewrap” conflicts with earlier
guidance that recommends bubblewrap as the preferred sandbox; update the text to
clarify that systemd hardening (ProtectSystem/ReadWritePaths, ProtectHome, etc.)
is a lightweight baseline defense and not a full replacement for an
untrusted-code sandbox like bubblewrap, and explicitly state that bubblewrap
remains the recommended isolation tool for executing untrusted agents while
systemd hardening should be applied as complementary, default protection.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: ee4b9adb-e5f3-40f2-800c-a4a79ad59ea2

📥 Commits

Reviewing files that changed from the base of the PR and between 6a65fbf and 295e8d3.

📒 Files selected for processing (3)

• agent-seed-architecture.md
• agent-seed-red-team.md
• ubuntu-install-prompt.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Clarify the llama.cpp API port to avoid setup breakage.

This doc says llama.cpp (Line 26) but uses localhost:11434 (Lines 80, 118), which is commonly associated with Ollama. If 11434 is intentional, document the explicit remap/proxy; otherwise align to the actual llama.cpp endpoint throughout.

Also applies to: 80-80, 118-119

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agent-seed-architecture.md` at line 26, The doc references a "llama.cpp
server" but uses the Ollama-associated port localhost:11434; either explicitly
document that 11434 is a remapped/proxied port (add a note describing the
proxy/remap and how to configure it) or change all occurrences of
localhost:11434 to the actual llama.cpp API endpoint/port your setup uses;
update every instance of "llama.cpp" and "localhost:11434" in the document so
the port and description are consistent (e.g., adjust the entries around the
current mentions of localhost:11434 and the "llama.cpp server" text).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add languages to fenced code blocks to satisfy markdownlint (MD040).

Both fences are unlabeled; please mark them (for example, text) so lint passes and rendering is clearer.

Proposed patch

-```
+```text
 1. Read GOAL.md + run scripts/improve + scripts/eval --json
 2. Inject SCAN marker (~300t self-check)
 3. Sliding-window summarization (>4KB -> collapse)
 4. Run DefaultAgent (max 25 steps, $0.50, 300s wall)
 5. git commit agent changes
 6. Update CHANGELOG.md, git commit again
 7. Schema-validate modified JSON files (auto-revert)
 8. Health check (3 checks) + auto-rollback on failure
 9. Adaptive sleep (30s-15min)
-```
+```

-```
+```text
 Your laptop                    MiniPC
 ──────────                    ────────
 SSH via Tailscale ──►         Ubuntu 26.04 LTS
                                 ├── Tailscale
                                 ├── llama.cpp <- localhost:11434
                                 │   └── Qwen 3.6-27B Q6_K (CPU AVX-512)
                                 └── agent-seed/
                                     ├── AGENTS.md, GOAL.md, daemon.py
                                     ├── scripts/ (eval, route, improve)
                                     ├── tests/smoke.sh
                                     └── CHANGELOG.md

 Observer: git pull -> read log  Daemon: survey -> think -> do -> verify -> commit -> sleep
 + CHANGELOG -> detect stuck     Restart=always + daily cron
-```
+```

Also applies to: 113-128

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 93-93: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agent-seed-architecture.md` around lines 93 - 103, In
agent-seed-architecture.md the two unlabeled fenced code blocks (the numbered
steps block beginning "1. Read GOAL.md..." and the ASCII diagram block beginning
"Your laptop                    MiniPC") must be annotated with a language to
satisfy markdownlint MD040; change the opening fences from ``` to ```text for
both blocks (and similarly for the other occurrence around lines 113-128) so the
fences are labeled while preserving the block contents and closing fences.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

KLD metric and quality ranking are internally inconsistent.

Line 149 says “lower=better,” but Line 153 (~0.329) and Line 154 (~0.260) are lower than Line 151 (~0.548) while still ranked worse, and Line 157 concludes Unsloth leads at every bit level. Please reconcile either the metric definition, the values, or the ranking/verdict.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agent-seed-red-team.md` around lines 149 - 157, The KLD direction/ranking
mismatch must be fixed: decide whether KLD is "lower=better" or "higher=better"
and update the table values and the verdict accordingly; specifically, either
invert the note "lower=better" or correct the KLD numbers for the rows Unsloth
(~0.548), lmstudio-community (~0.329), and mradermacher (~0.260) so that the
quality ranks (1st for Unsloth, 3rd for mradermacher, 4th for
lmstudio-community) match the metric direction, and make the concluding sentence
about Unsloth Dynamic 2.0 consistent with the corrected metric and ranks.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Clarify temporary vs persistent kernel-parameter flow.

Line 29 says to edit GRUB “before boot finishes,” but Lines 30–31 describe persistent post-install changes in /etc/default/grub. Please split this into explicit phases (temporary one-boot edit vs persistent config) to avoid incorrect execution order.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ubuntu-install-prompt.md` around lines 29 - 31, Split the kernel-parameter
step into two explicit phases: (1) Temporary one-boot change — instruct the user
to interrupt the boot/GRUB menu and edit the boot entry (e.g., press "e") to
append `amd_iommu=off amdgpu.gttsize=40960 ttm.pages_limit=14680064` for this
single boot; and (2) Persistent change — after confirming the kernel parameters
work, edit `/etc/default/grub` and add the same flags to
GRUB_CMDLINE_LINUX_DEFAULT, then run `update-grub` to make them permanent.
Mention both steps clearly and label them "Temporary (single boot)" and
"Persistent (post-install)" so users don’t perform the wrong action at the wrong
time.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove conflicting Tailscale installation methods.

Line 35 installs tailscale via apt, while Line 39 installs again via curl ... | sh. Keep one authoritative method to prevent drift and troubleshooting ambiguity.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ubuntu-install-prompt.md` around lines 35 - 39, There are two conflicting
Tailscale install methods: the inline install list item "Install:
`build-essential`, `git`, `curl`, `wget`, `tailscale`" and the separate curl
installer block "`curl -fsSL https://tailscale.com/install.sh | sh`" / `sudo
tailscale up`; pick and keep one authoritative method (either remove `tailscale`
from the install list and retain the curl installer block, or remove the curl
installer block and keep the apt package in the install list), and update the
remaining text so it references only the chosen method and the `sudo tailscale
up` step consistently.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is Tailscale’s current recommended Ubuntu installation method for Ubuntu 26.04 LTS, and do they still recommend curl -fsSL https://tailscale.com/install.sh | sh for production/server provisioning?

💡 Result:

For Ubuntu 26.04 LTS (“Resolute Raccoon”), Tailscale’s current recommended installation method is to install the client from their APT repository (i.e., add Tailscale’s GPG key + apt repo, then apt-get install the package). The Tailscale “Install Tailscale on Linux” docs explicitly show that for distributions with apt (including Ubuntu-based distros), you can install using the automated install script, but they also state you can do manual installation via the “Tailscale Packages - stable track page” instead of using curl | sh for those who prefer not to. [1] Regarding whether they still recommend curl -fsSL https://tailscale.com/install.sh | sh for production/server provisioning: the docs still list that exact one-command install as the “apt-based” (mainstream) method on Linux, and they describe the script as the same script available on their Download page. [1] The same URL (tailscale.com/install.sh) is still in use and includes logic to add the APT repository and install the tailscale package. [2] So: yes, Tailscale still provides and documents curl -fsSL https://tailscale.com/install.sh | sh as an install method for Ubuntu servers (production included), but they do not force that approach; for production/server provisioning they acknowledge a manual APT-repo route via the Tailscale Packages stable track for users who prefer not to use curl | sh. [1] Concrete Ubuntu 26.04 APT-repo example from the stable packages page: - Add key: curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/resolute.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null - Add repo: curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/resolute.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list - Install: sudo apt-get update && sudo apt-get install tailscale [3]

Citations:

• 1: https://tailscale.com/docs/install/linux
• 2: https://tailscale.com/install.sh
• 3: https://dl.tailscale.com/stable/

---

Avoid curl | sh in baseline server provisioning; use Tailscale’s apt repo/keyring steps instead.

Tailscale still documents curl -fsSL https://tailscale.com/install.sh | sh as the Ubuntu (apt-based) install method, but they also provide a manual install path (add Tailscale GPG key + apt repo, then apt-get install tailscale). Update ubuntu-install-prompt.md line 39 to use the keyring/apt repo method instead of piping to sh.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ubuntu-install-prompt.md` at line 39, Replace the unsafe "curl -fsSL
https://tailscale.com/install.sh | sh" instruction with explicit apt/keyring
steps: instruct adding Tailscale's GPG key and apt repository (instead of the
pipe-to-sh), running apt-get update and then apt-get install tailscale, and keep
the post-install command "sudo tailscale up"; update the line that currently
contains "curl -fsSL https://tailscale.com/install.sh | sh" so it describes the
keyring + apt repo + apt-get install workflow and then "sudo tailscale up".