01874821f2
The orchestrator Pi is retired (2026-05-31). All agents now run on the cc-ci-orchestrator VM (NixOS, loops user, /srv/cc-ci). The VM is a direct tailnet peer to cc-ci — no SOCKS proxy, no userspace tailscaled, no ProxyCommand. Updated across all affected files: AGENTS.md - Remove Pi from reboot description; migration complete (not "parked") - cc-ci access: direct ssh, not via proxy kickoff.md - Prerequisites: direct tailnet peer, not proxy - Host deps: NixOS (not apt) - Fallback/Incus: b1 reachable directly, no --proxy curl flag plan.md §1 + §1.5 - §1 bootstrap: direct SSH, check tailscale status (not restart proxy) - §1.5 intro: "VM" not "sandbox host"; no proxy - Credentials table: remove TS_AUTH_KEY row; update cc-ci SSH row - Replace "Tailscale connection (proxy)" subsection with direct-peer description plan-orchestrator-migration.md - Mark COMPLETE (2026-05-31); historical record only plan-phase1c-full-reproducibility.md - Incus access: direct, not via SOCKS proxy prompts/builder.md + prompts/adversary.md - cc-ci access language only: direct ssh, no proxy restart instructions - adversary: *.ci.commoninternet.net via plain curl, no proxy flag REBOOTS.md - Retitle for VM; note Pi retired; Pi entries marked historical systemd/cc-ci-loops.service - User/Group/HOME/PATH: notplants → loops - Remove cc-ci-tailscaled.service dependency (no proxy on VM) - Add note about nix/configuration.nix as the authoritative VM declaration test-e2e-testme-acceptance.md - tailscale status: no --socket flag - ssh to throwaway: no ProxyCommand Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cc-ci-orchestrator
Orchestrator workspace for building the cc-ci Co-op Cloud recipe CI server. The plan, launch
tooling, and loop prompts live in cc-ci-plan/; see AGENTS.md for the
roles and operating model. Secrets (.testenv) are gitignored — never commit them.
Run the orchestrator in tmux (survives disconnects + closing your laptop)
Keep this supervising session alive on the host with tmux, and use --remote-control so you can
watch/steer it from claude.ai/code (or the mobile app).
# 0. Exit any running orchestrator session first — a conversation can't be resumed while it's live:
# /exit (inside Claude) or Ctrl-D
# 1. Start a detachable tmux session on this host
tmux new -s orchestrator
# 2. Inside tmux, resume the orchestrator conversation WITH remote control:
claude --resume autonomous-orchestrator \
--remote-control "autonomous-orchestrator" \
--dangerously-skip-permissions
# - If name-resume opens a picker instead of resuming directly, choose "autonomous-orchestrator".
# - Or resume by the stable session id (more deterministic in a fresh pane):
# claude --resume 34a80a99-b37e-4809-b8da-ccc9fafe785e \
# --remote-control "autonomous-orchestrator" --dangerously-skip-permissions
# 3. Detach — the process keeps running: press Ctrl-b, then d
Reconnect later
- On this host:
tmux attach -t orchestrator - From anywhere: claude.ai/code → the
autonomous-orchestratorsession
Why it survives: tmux keeps the claude process alive across SSH disconnects and your laptop
closing; remote-control runs outbound from this host to Anthropic, so it stays connected
regardless of the viewer. After a host reboot, re-run steps 1–2.
Two different "names":
--resume <name|id>selects the conversation to restore (shown in the/resumepicker); the--remote-control "<name>"value is only the web display label and resumes nothing. Resuming reuses the same session id each time (stays34a8…) — don't pass--fork-sessionunless you intend to branch a new conversation.Already inside a live session and just want the web surface? Run
/remote-control— no exit/resume.
Kick off / supervise the loops
cd /srv/cc-ci/cc-ci-plan
./launch.sh start # Builder + Adversary loops (interactive --remote-control in tmux) + watchdog
./launch.sh status # session + DONE state
./launch.sh logs builder|adversary|watchdog
./launch.sh stop
Full supervision guide, credential map, and the Incus VM fallback are in
cc-ci-plan/kickoff.md and cc-ci-plan/plan.md §1.5.