- New module: hardware.uconsole-cm5-aio-v2
- GPIO rail control for GPS (27), LORA (16), SDR (7), USB (23)
- Systemd oneshot service (aiov2-rails-boot) to apply states at boot
- aiov2_ctl CLI tool packaged from GitHub source
- GPS UART support (ttyAMA0, 9600 baud) with dialout group
- Optional systemd user service for system tray GUI
- Wired into uconsole-cm5 NixOS config + SD image
All rails default OFF — activate on demand with:
aiov2_ctl <GPS|LORA|SDR|USB> on
- Add dotfiles repo as submodule in assets/dotfiles/
- Rewrite home.nix with direct file references instead of stow service
- Remove old custom dotfiles.nix service (replaced by home-manager)
- Clean up services/default.nix import
Remove infra repo bind mount and sudo access from ai-worker user.
Now ai-worker can only:
- SSH into host from Hermes container
- Run docker commands via docker group membership
- Execute ollama benchmarks via docker exec
Results saved to /opt/data/ai-optimizer/ in Hermes container.
- New module: modules/nixos/security/ai-worker-restricted.nix
- Bind mount for infra repo access (RW)
- Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix
- Audit logging for infra changes
- Documentation in README-ai-worker.md
- Updated users/ai-worker.nix:
- Enable services.aiWorkerAccess
- Lock password (SSH key only)
- Security documentation comments
- Updated flake.nix:
- Include new security module
SECURITY: AI must ask for user confirmation before running nh os switch
- Add headless openclaw node systemd service for host execution
- Migrate from nix to lix package manager
- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service
- Started OpenCode service and verified it's running
- Tested Context7 web search functionality
- Tested DuckDuckGo web search functionality
- Documented web search integration in open_code_server.nix
- Updated ROADMAP and STATE with completion status
- Phase 4 complete, ready for Phase 5: TAK Server Integration
