- scripts/install-client.sh: bootstraps a pi client — fetches certs from
the Caddy host via scp, rsyncs the extensions into ~/.pi/agent/, sets
up SSH key-auth to the ai-server for admin commands, probes the mTLS
/health endpoint to verify.
- scripts/issue-client-cert.sh: run on the Caddy host to mint a new
device identity — generates key + CSR, signs with the local root CA,
and emits both a modern p12 (AES-256) and a -legacy p12 (3DES/RC2-40)
for NSS-based browsers.
- scripts/install-browser-certs.sh: imports certs into Brave Flatpak's
isolated NSS DB, ~/.pki/nssdb for packaged Chromium-family browsers,
each Firefox profile, optionally the system trust store, and
optionally drops a Brave AutoSelectCertificateForUrls policy so the
cert prompt stops appearing on every page load.

All three are idempotent, --help-aware, and accept env/flag overrides
for the hardcoded defaults.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
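
Added example, not part of this commit or the project's scripts: a sketch of the key + CSR + sign + dual-p12 flow described for scripts/issue-client-cert.sh, with a check that reports which encryption scheme each bundle actually uses. The CA, subject names, file names, password and function names are constructed placeholders, and OpenSSL 1.1.1 or 3.x is assumed.

```shell
#!/bin/sh
# Added example (not the project's script). Subjects, file names and
# passwords used with these functions are constructed placeholders.
set -eu

# OpenSSL 3.x needs -legacy to load RC2/3DES; 1.1.1 has no such flag.
LEGACY=""
if openssl pkcs12 -help 2>&1 | grep -q -- '-legacy'; then LEGACY="-legacy"; fi

# Mint a throwaway root CA and one device key + CSR, signed by that CA, in $1.
mint_identity() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-root" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-device" \
        -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null
    openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/dev.crt" 2>/dev/null
}

# Export the identity as dev-modern.p12 or dev-legacy.p12. $1=dir $2=kind $3=password
export_p12() {
    case $2 in
        modern) pbe="-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg SHA256" ;;
        legacy) pbe="$LEGACY -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-RC2-40 -macalg SHA1" ;;
    esac
    openssl pkcs12 -export $pbe -inkey "$1/dev.key" -in "$1/dev.crt" \
        -certfile "$1/ca.crt" -name example-device -passout "pass:$3" -out "$1/dev-$2.p12"
}

# Report the bundle's encryption: prints modern, legacy or unknown. $1=file $2=password
p12_class() {
    info=$(openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" $LEGACY 2>&1) \
        || { echo unknown; return 0; }
    if echo "$info" | grep -Eq 'RC2|TripleDES'; then echo legacy
    elif echo "$info" | grep -q 'AES-256-CBC'; then echo modern
    else echo unknown
    fi
}
```

Source the file, run `mint_identity` and `export_p12` against a scratch directory, then call `p12_class` on each bundle; a wrong password or unreadable file reports `unknown`.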