From 4283a3d3f7ce4ad6ce02f61e88516c9c2ba7ccf1 Mon Sep 17 00:00:00 2001
From: brian <brian@hanson.xyz>
Date: Tue, 14 Apr 2026 20:18:36 -0500
Subject: [PATCH] provision: add ccrypt, nodejs, claude, ssh identity keys, fix
 scons obj dirs

- Install ccrypt, nodejs 18, npm, claude code in provision
- Decrypt id_rsa/id_rsa.pub via dongle ID and install to /data/ssh/.ssh/
- Run provision directly instead of through qt_shell wrapper
- Fix panda and body SConscripts to mkdir obj/ before writing gitversion.h
- Add sudo to su - comma build call
- Remount / rw at top of provision

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 body/board/SConscript          |  1 +
 panda/SConscript               |  1 +
 system/clearpilot/on_start.sh  |  2 +-
 system/clearpilot/provision.sh | 29 +++++++++++++++++++++++++++--
 4 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/body/board/SConscript b/body/board/SConscript
index 39927c8..4f8c679 100755
--- a/body/board/SConscript
+++ b/body/board/SConscript
@@ -121,6 +121,7 @@ def objcopy(source, target, env, for_signature):
     return '$OBJCOPY -O binary %s %s' % (source[0], target[0])
 
 # Common autogenerated includes
+os.makedirs("obj", exist_ok=True)
 git_ver = get_version(BUILDER, BUILD_TYPE)
 with open("obj/gitversion.h", "w") as f:
   f.write(f'const uint8_t gitversion[8] = "{git_ver}";\n')
diff --git a/panda/SConscript b/panda/SConscript
index f44105f..cbeac11 100755
--- a/panda/SConscript
+++ b/panda/SConscript
@@ -166,6 +166,7 @@ Export('base_project_f4', 'base_project_h7', 'build_project')
 
 
 # Common autogenerated includes
+os.makedirs("board/obj", exist_ok=True)
 with open("board/obj/gitversion.h", "w") as f:
   f.write(f'const uint8_t gitversion[] = "{get_version(BUILDER, BUILD_TYPE)}";\n')
 
diff --git a/system/clearpilot/on_start.sh b/system/clearpilot/on_start.sh
index f93f0f3..3fe4566 100755
--- a/system/clearpilot/on_start.sh
+++ b/system/clearpilot/on_start.sh
@@ -14,5 +14,5 @@ nmcli radio wifi on 2>/dev/null
 
 # Provision (packages, git pull, build) if no quick_boot flag
 if [ ! -f /data/quick_boot ]; then
-    /data/openpilot/system/clearpilot/tools/qt_shell "/data/openpilot/system/clearpilot/provision_wrapper.sh" --title="ClearPilot Provision"
+    bash /data/openpilot/system/clearpilot/provision.sh
 fi
diff --git a/system/clearpilot/provision.sh b/system/clearpilot/provision.sh
index ba588a3..24322b3 100644
--- a/system/clearpilot/provision.sh
+++ b/system/clearpilot/provision.sh
@@ -6,6 +6,8 @@
 # SSH is handled by on_start.sh before this runs.
 # Output is displayed on screen via qt_shell.
 
+mount -o rw,remount /
+
 # 1. Wait for internet connectivity
 echo "Waiting for internet connectivity (up to 30s)..."
 ONLINE=0
@@ -29,9 +31,32 @@ echo "Remounting / read-write..."
 sudo mount -o remount,rw /
 echo "Installing packages..."
 sudo apt-get update -qq
-sudo apt-get install -y openvpn
+sudo apt-get install -y openvpn curl ccrypt
+echo "Installing Node.js 18..."
+curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
+sudo apt-get install -y nodejs
+node -v
+sudo apt-get install -y npm
+mount -o rw,remount /
+echo "Installing Claude Code..."
+curl -fsSL https://claude.ai/install.sh | bash
+echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc && source ~/.bashrc
 echo "Packages installed"
 
+# Decrypt and install SSH identity keys (for git auth)
+dongle_id=$(cat /data/params/d/DongleId 2>/dev/null)
+ssh_dir="/data/ssh/.ssh"
+if [[ $dongle_id == 90bb71* ]] && [[ ! -f "$ssh_dir/id_rsa" || ! -f "$ssh_dir/id_rsa.pub" ]]; then
+    echo "Decrypting SSH identity keys..."
+    bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_rsa.cpt /data/openpilot/system/clearpilot/dev/id_rsa
+    bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_rsa.pub.cpt /data/openpilot/system/clearpilot/dev/id_rsa.pub
+    mkdir -p "$ssh_dir"
+    cp /data/openpilot/system/clearpilot/dev/id_rsa /data/openpilot/system/clearpilot/dev/id_rsa.pub "$ssh_dir"
+    chmod 700 "$ssh_dir"
+    chmod 600 "$ssh_dir/id_rsa" "$ssh_dir/id_rsa.pub"
+    echo "SSH identity keys installed to $ssh_dir"
+fi
+
 # 4. Pull latest from remote (remote always wins)
 echo "Checking for updates..."
 cd /data/openpilot
@@ -50,7 +75,7 @@ fi
 # 5. Build
 echo ""
 echo "Starting build..."
-su - comma -c "bash /data/openpilot/build_only.sh"
+sudo su - comma -c "bash /data/openpilot/build_only.sh"
 if [ $? -eq 0 ]; then
     echo "Build succeeded"
     touch /data/quick_boot