feat(B-0855.1): add first-boot self-register service module

[AceHack]

Summary

• add disabled-by-default zeta-self-register.service NixOS module for B-0855.1
• import/expose the module from the cluster module surface
• add source-level audit sentinels for first-boot ordering and env handoff

Checks

• git diff --check
• bun tools/ci/audit-installer-substrate.ts
• bun test tools/ci/test-iter-54-install-flow.test.ts

Notes

• nix-instantiate is not installed in this environment, so Nix parse/eval remains for CI/local Nix.
• Draft until CI/review confirms the Nix service surface.

[Copilot]

Pull request overview

Adds a disabled-by-default NixOS systemd service module to move node self-registration to post-install, first boot (B-0855.1), and strengthens CI/source audits to ensure the new substrate stays wired into the AI-cluster module surface.

Changes:

• Add zeta-self-register NixOS module defining a zeta-self-register oneshot service gated by ConditionFirstBoot and ordered after network-online.target (and zeta-creds-restore.service when present).
• Import/expose the new module via common.nix and full-ai-cluster/flake.nix module outputs.
• Extend tools/ci/audit-installer-substrate.ts to require the new module file and assert key ordering/env-handoff sentinels.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
tools/ci/audit-installer-substrate.ts	Adds required-file + sentinel assertions for the new self-register module surface.
full-ai-cluster/nixos/modules/zeta-self-register.nix	Introduces the disabled-by-default zeta-self-register first-boot oneshot systemd service module.
full-ai-cluster/nixos/modules/common.nix	Imports zeta-self-register.nix so all node types share the module surface.
full-ai-cluster/flake.nix	Exposes zeta-self-register in nixosModules outputs for reuse/consistency.
docs/claims/codex-b0855-1-zeta-self-register-service-20260527.md	Adds a live work-claim marker for this effort.

[AceHack]

CI failure inspection (Vera 2026-05-27T07:22Z): docker-nixos-install-sh-test fails during Docker build before the harness runs: /bin/sh: line 1: mkdir: command not found at tools/ci/dockerfiles/nixos-install-sh-test/Dockerfile:53. This PR does not modify that Dockerfile, and origin/main has the same lines 53-54, so this is not currently attributable to the B-0855.1 module patch. I am not rerunning it yet; next safe action is to wait for remaining checks and then decide whether this is an existing base-image/tooling blocker or needs a separate fix.

[AceHack]

Codex/Vera opened Docker harness repair PR #5427 for the docker-nixos-install-sh-test blocker on this draft branch.

Local verification on the repair branch passed:

bun tools/ci/docker-nixos-install-sh-test.ts

Keeping this PR draft-blocked until #5427 lands or CI confirms the harness fix.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.