Make Personal Agents available on extremely limited hardware.

[peers8862]

List options.

[peers8862]

PicoClaw 10mb

[peers8862]

Let me pull up the earlier conversation details to make sure I'm building on everything we've established.

Now let me look at the existing host integration script and the pin layout to understand what's available for microSD SPI.

Now let me look at the PicoClaw GitHub repo for its actual structure and configuration format.

Now let me look at PicoClaw's internal architecture more closely — the tool system and provider interface.

Good. Now I have a complete picture of PicoClaw's architecture, the BABB dongle's existing firmware, and the integration surfaces. Let me build the comprehensive response.

Now I have everything I need. Let me create a comprehensive, focused response document.

Now let me build the complete focused document.

This will be better as inline conversation rather than a Word document. Let me write the comprehensive response directly.

Alright. Here's the focused picture. The dongle's microSD holds PicoClaw. The host machine — whatever it is — provides the CPU, RAM, and network. The dongle provides the secrets, the scanning, and the portable workspace. Every component has a specific role and a specific boundary.

The Core Concept

The operator plugs in one USB device and gets a complete AI-secured working environment. PicoClaw doesn't "install" on the host. It runs transiently from the dongle's storage using the host's processor, then vanishes when unplugged. The dongle is the source of truth — for identity, for keys, for configuration, for data. The host is disposable compute.

This matters for tradesmen because they move between machines. Their laptop today, a site PC tomorrow, a client's workstation next week. The dongle carries everything. The host carries nothing after disconnect.

USB Composite Device: The Foundation

The current RP2040 firmware exposes a single USB CDC serial interface. To support PicoClaw-from-dongle, the TinyUSB configuration needs to become a composite device exposing two interfaces simultaneously:

USB Composite Device: "BABB Security Dongle"
│
├── Interface 0: CDC ACM (serial)
│   Already built. This is the command/control channel.
│   babb_cmd(), AUTH, ENCRYPT, STATUS, etc.
│   PicoClaw talks to the dongle through this.
│
└── Interface 1: MSC (Mass Storage Class)
    NEW. Exposes the microSD card as a removable drive.
    The host sees it as a USB thumb drive.
    PicoClaw binaries, config, workspace all live here.

The TinyUSB config change:

/* tusb_config.h — updated for composite CDC + MSC */

#define CFG_TUD_CDC            1     /* Command serial interface */
#define CFG_TUD_MSC            1     /* Mass storage for microSD */
#define CFG_TUD_HID            0
#define CFG_TUD_MIDI           0
#define CFG_TUD_VENDOR         0

/* MSC Configuration */
#define CFG_TUD_MSC_EP_BUFSIZE 512   /* One SD sector per transfer */

/* Power — bump to 200mA for microSD active reads */
#define BOARD_TUD_MAX_POWER    200

The RP2040 acts as a USB-to-SPI bridge for the microSD. When the host reads a file from the "drive," the RP2040 translates the USB MSC SCSI commands into SPI reads to the microSD card. TinyUSB handles the protocol translation; you provide callbacks for tud_msc_read10_cb() and tud_msc_write10_cb() that talk to the SD card via SPI.

There's a critical subtlety here: the RP2040 needs to share the microSD between USB mass storage reads from the host and its own firmware reads (log writes, model loading, classification data). You can't have the host and the RP2040 writing simultaneously — FAT32 has no locking. The solution is a mode switch:

DONGLE STATES:

MSC_EXPOSED (host can see the drive):
  - Host reads PicoClaw binary, config files
  - Host reads/writes workspace files
  - RP2040 does NOT write to microSD
  - Scanner logging paused (buffered in RAM)
  - Classification model already loaded in SRAM

MSC_EJECTED (host has "safely removed" the drive):
  - Host cannot see the drive
  - RP2040 has exclusive microSD access
  - Scanner logging active, writes to SD
  - Background tasks can update logs, quarantine

Transition: Host "ejects" the drive via OS.
RP2040 receives SCSI START_STOP_UNIT command.
Flushes FAT32 cache. Switches to exclusive mode.

In practice, the launch script ejects the drive immediately after copying the PicoClaw binary to /tmp. From that point on, the RP2040 owns the SD and can write freely. When PicoClaw wants to read/write workspace files, it does so through the CDC serial interface — the RP2040 proxies file operations as BABB protocol commands.

MicroSD Hardware Integration

The T-PicoC3 uses SPI1 for the TFT display (GP8-GP13). The microSD needs its own SPI bus or shares SPI1 with chip-select arbitration. Since the TFT display and microSD are both SPI slaves, they can share the bus with separate CS pins:

RP2040 SPI1 Bus (shared):
  GP10  SPI1_SCK  ──→  TFT_SCLK  ──→  SD_CLK
  GP11  SPI1_MOSI ──→  TFT_MOSI  ──→  SD_DI (MOSI)
  GP12  SPI1_MISO ←──  (TFT none) ←──  SD_DO (MISO)
  GP9   TFT_CS    ──→  TFT chip select (active low)
  GP4   SD_CS     ──→  SD chip select (active low)
  GP5   SD_DET    ←──  SD card detect (optional)

Rule: Only one CS low at a time. 
TFT and SD never talk simultaneously.
Mutex in firmware enforces this.

On a custom PCB you'd give the SD its own SPI0 instance for full-speed parallel access. On the T-PicoC3 prototype, bus sharing works because TFT updates (status display) are infrequent and short, while SD operations are bursty (read a sector, done).

SPI clock: 25MHz for microSD in SPI mode (the SD card negotiates this during initialization). At 25MHz with single-bit SPI, theoretical throughput is ~3.1 MB/s. Real-world with protocol overhead and FAT32 cluster lookups: ~1.5-2 MB/s sustained reads. PicoClaw's 10MB binary loads in about 5-7 seconds from the SD to the host via USB MSC.

PicoClaw on the MicroSD: File Layout

microSD (32GB, FAT32)
│
├── /picoclaw/
│   │
│   ├── bin/
│   │   ├── picoclaw-linux-arm64         ~10 MB
│   │   ├── picoclaw-linux-amd64         ~11 MB
│   │   ├── picoclaw-linux-riscv64        ~9 MB
│   │   ├── picoclaw-windows-amd64.exe   ~12 MB
│   │   └── picoclaw-darwin-arm64        ~10 MB
│   │
│   ├── config/
│   │   ├── config.json                    ~1 KB
│   │   │
│   │   │   The config.json on the SD does NOT contain
│   │   │   real API keys. It contains the provider
│   │   │   structure, model selection, tool definitions,
│   │   │   and a sentinel value for the API key field:
│   │   │
│   │   │   {
│   │   │     "agents": {
│   │   │       "defaults": {
│   │   │         "workspace": "/tmp/babb-workspace",
│   │   │         "model": "anthropic/claude-sonnet-4-5",
│   │   │         "max_tokens": 8192,
│   │   │         "temperature": 0.7,
│   │   │         "max_tool_iterations": 20
│   │   │       }
│   │   │     },
│   │   │     "providers": {
│   │   │       "openrouter": {
│   │   │         "api_key": "BABB_HARDWARE_INJECT",
│   │   │         "api_base": "https://openrouter.ai/api/v1"
│   │   │       }
│   │   │     },
│   │   │     "tools": {
│   │   │       "babb": {
│   │   │         "serial_port": "BABB_AUTO_DETECT",
│   │   │         "scan_enabled": true,
│   │   │         "encrypt_enabled": true,
│   │   │         "alert_enabled": true
│   │   │       },
│   │   │       "web": {
│   │   │         "search": {
│   │   │           "api_key": "BABB_HARDWARE_INJECT",
│   │   │           "max_results": 5
│   │   │         }
│   │   │       }
│   │   │     }
│   │   │   }
│   │   │
│   │   │   "BABB_HARDWARE_INJECT" is the sentinel.
│   │   │   The launch script replaces it at runtime with
│   │   │   the real key fetched from the dongle's C3.
│   │   │
│   │   ├── tools/
│   │   │   ├── babb_scan.json             ~2 KB
│   │   │   │   Tool definition for PicoClaw's agent:
│   │   │   │   {
│   │   │   │     "name": "babb_scan_report",
│   │   │   │     "description": "Query the BABB dongle for
│   │   │   │       classification scan results from today's
│   │   │   │       LLM output monitoring",
│   │   │   │     "parameters": {
│   │   │   │       "date": "string (YYYY-MM-DD, default today)",
│   │   │   │       "category": "string (optional filter)",
│   │   │   │       "format": "summary | detailed | csv"
│   │   │   │     }
│   │   │   │   }
│   │   │   │
│   │   │   ├── babb_encrypt.json          ~1 KB
│   │   │   ├── babb_alert.json            ~1 KB
│   │   │   ├── babb_status.json           ~1 KB
│   │   │   └── babb_log.json              ~1 KB
│   │   │
│   │   └── prompts/
│   │       ├── system.md                  ~3 KB
│   │       │   System prompt for the BABB-integrated agent:
│   │       │   "You are a field assistant for industrial
│   │       │    operators. You have access to the BABB
│   │       │    security dongle via tool functions. When
│   │       │    the operator asks about scan results, use
│   │       │    babb_scan_report. When they need data
│   │       │    encrypted, use babb_encrypt..."
│   │       │
│   │       ├── compliance_report.md       ~2 KB
│   │       ├── daily_summary.md           ~2 KB
│   │       └── code_lookup.md             ~2 KB
│   │
│   └── launch/
│       ├── launch.sh                      ~4 KB
│       ├── launch.bat                     ~3 KB
│       └── launch_termux.sh              ~3 KB
│
├── /models/
│   ├── classifier_v1.tflite              2.7 KB
│   ├── tokenizer.bin                      12 KB
│   └── embeddings_mini.bin              256 KB
│
├── /config/
│   ├── policies.json                      4 KB
│   ├── keywords_sensitive.enc             8 KB
│   └── thresholds.json                    1 KB
│
├── /logs/
│   ├── stream/         (raw USB text, circular)
│   ├── classified/     (scan results CSV)
│   ├── alerts/         (encrypted flagged content)
│   └── picoclaw/       (agent conversation logs)
│
├── /quarantine/        (encrypted PII/sensitive content)
│
├── /workspace/         (operator's working files)
│   ├── notes/
│   ├── reports/
│   └── exports/
│
└── /firmware/
    ├── rp2040_current.uf2
    └── c3_current.bin

Total PicoClaw footprint: ~55 MB for all platform binaries + config + prompts. On a 32GB card, that's 0.17% of storage. The rest is available for logs, workspace, and quarantined content.

The Launch Script: What Ties It Together

This is the critical piece. The launch script is the bridge between the dumb USB drive the host sees and the secure agent environment the operator gets. It has to handle platform detection, key injection, serial port discovery, and clean teardown.

#!/bin/bash
# ─────────────────────────────────────────────────────
# BABB Dongle — PicoClaw Launch Script
# Run from the mounted microSD drive:
#   /mnt/babb/picoclaw/launch/launch.sh
#
# This script:
#   1. Detects host platform and architecture
#   2. Copies correct PicoClaw binary to /tmp
#   3. Discovers BABB dongle serial port
#   4. Authenticates with the dongle
#   5. Requests API keys from dongle hardware
#   6. Injects keys into runtime config
#   7. Launches PicoClaw
#   8. On exit: wipes all key material from host
# ─────────────────────────────────────────────────────

set -euo pipefail

BABB_TMP="/tmp/babb-$$"
BABB_CONFIG="$BABB_TMP/config.json"
BABB_BIN=""
BABB_PORT=""
BABB_SESSION_KEY=""
SCRIPT_DIR="$(cd "$(dirname "$0")/.." && pwd)"

cleanup() {
    echo "[BABB] Cleaning up..."
    
    # Wipe the runtime config (contains decrypted API key)
    if [ -f "$BABB_CONFIG" ]; then
        # Overwrite with zeros before deleting
        dd if=/dev/zero of="$BABB_CONFIG" bs=1 \
           count=$(stat -f%z "$BABB_CONFIG" 2>/dev/null || \
                   stat -c%s "$BABB_CONFIG" 2>/dev/null) \
           2>/dev/null
        rm -f "$BABB_CONFIG"
    fi
    
    # Wipe the temp directory
    if [ -d "$BABB_TMP" ]; then
        rm -rf "$BABB_TMP"
    fi
    
    # Tell the dongle to end the session
    if [ -n "$BABB_PORT" ] && [ -c "$BABB_PORT" ]; then
        echo "SESSION_END" > "$BABB_PORT" 2>/dev/null || true
    fi
    
    echo "[BABB] Session ended. No credentials remain on this machine."
}
trap cleanup EXIT INT TERM

# ── Step 1: Detect platform ─────────────────────────
detect_platform() {
    local os arch
    os="$(uname -s | tr '[:upper:]' '[:lower:]')"
    arch="$(uname -m)"
    
    case "$arch" in
        x86_64|amd64)   arch="amd64" ;;
        aarch64|arm64)   arch="arm64" ;;
        riscv64)         arch="riscv64" ;;
        *)
            echo "[BABB] Unsupported architecture: $arch" >&2
            exit 1
            ;;
    esac
    
    case "$os" in
        linux)  BABB_BIN="$SCRIPT_DIR/bin/picoclaw-linux-$arch" ;;
        darwin) BABB_BIN="$SCRIPT_DIR/bin/picoclaw-darwin-$arch" ;;
        *)
            echo "[BABB] Unsupported OS: $os" >&2
            exit 1
            ;;
    esac
    
    if [ ! -f "$BABB_BIN" ]; then
        echo "[BABB] Binary not found: $BABB_BIN" >&2
        echo "[BABB] Available binaries:" >&2
        ls -la "$SCRIPT_DIR/bin/" >&2
        exit 1
    fi
    
    echo "[BABB] Platform: $os/$arch"
    echo "[BABB] Binary: $(basename "$BABB_BIN")"
}

# ── Step 2: Find dongle serial port ─────────────────
detect_dongle() {
    local port=""
    
    # Linux: by-id symlink (most reliable)
    if [ -d /dev/serial/by-id ]; then
        port=$(ls /dev/serial/by-id/*BABB* 2>/dev/null | head -1)
    fi
    
    # macOS: usbmodem
    if [ -z "$port" ]; then
        port=$(ls /dev/cu.usbmodem*BABB* 2>/dev/null | head -1)
    fi
    
    # Fallback: common CDC ACM paths
    if [ -z "$port" ]; then
        for p in /dev/ttyACM0 /dev/ttyACM1 /dev/ttyUSB0; do
            if [ -c "$p" ]; then
                port="$p"
                break
            fi
        done
    fi
    
    if [ -z "$port" ]; then
        echo "[BABB] ERROR: Dongle serial port not found" >&2
        echo "[BABB] Is the dongle plugged in?" >&2
        exit 1
    fi
    
    BABB_PORT="$port"
    
    # Configure serial: raw mode, no echo
    stty -F "$BABB_PORT" raw -echo 2>/dev/null || \
    stty -f "$BABB_PORT" raw -echo 2>/dev/null
    
    echo "[BABB] Dongle found: $BABB_PORT"
}

# ── Step 3: Authenticate ────────────────────────────
authenticate() {
    local token response
    
    # Check if BLE proximity auto-auth is available
    echo "AUTH_CHECK" > "$BABB_PORT"
    response=$(timeout 2 head -1 "$BABB_PORT" 2>/dev/null || echo "")
    
    if echo "$response" | grep -q "AUTH: Already active"; then
        echo "[BABB] Authenticated via BLE proximity"
        return 0
    fi
    
    # Manual token entry
    echo -n "[BABB] Enter auth token: "
    read -rs token
    echo
    
    if [ -z "$token" ]; then
        echo "[BABB] No token provided" >&2
        exit 1
    fi
    
    echo "AUTH $token" > "$BABB_PORT"
    response=$(timeout 5 head -1 "$BABB_PORT" 2>/dev/null || echo "TIMEOUT")
    
    if echo "$response" | grep -q "Verified"; then
        echo "[BABB] Authentication successful"
    else
        echo "[BABB] Authentication failed: $response" >&2
        exit 1
    fi
    
    # Wipe token from shell variable memory
    token="0000000000000000000000000000000000"
}

# ── Step 4: Request API keys from hardware ──────────
inject_keys() {
    mkdir -p "$BABB_TMP"
    
    # Copy template config from SD
    cp "$SCRIPT_DIR/config/config.json" "$BABB_CONFIG"
    
    # Request LLM provider API key from dongle
    # The dongle's ESP32-C3 decrypts it from flash-encrypted
    # NVS using the eFuse master key, then sends it over
    # UART to RP2040, which forwards via CDC.
    echo "API_KEY_REQUEST openrouter" > "$BABB_PORT"
    local api_key
    api_key=$(timeout 5 head -1 "$BABB_PORT" 2>/dev/null || echo "")
    
    if [ -z "$api_key" ] || echo "$api_key" | grep -q "ERROR"; then
        echo "[BABB] Failed to retrieve API key from dongle" >&2
        exit 1
    fi
    
    # Strip the "API_KEY: " prefix from response
    api_key="${api_key#API_KEY: }"
    
    # Inject into runtime config, replacing sentinel
    # Using sed with a temp file to avoid leaving key in
    # shell history or process listings
    sed -i "s/BABB_HARDWARE_INJECT/$api_key/" "$BABB_CONFIG" 2>/dev/null || \
    sed "s/BABB_HARDWARE_INJECT/$api_key/" "$BABB_CONFIG" > "$BABB_CONFIG.tmp" && \
    mv "$BABB_CONFIG.tmp" "$BABB_CONFIG"
    
    # Request Brave search API key if configured
    echo "API_KEY_REQUEST brave_search" > "$BABB_PORT"
    local search_key
    search_key=$(timeout 3 head -1 "$BABB_PORT" 2>/dev/null || echo "")
    
    if [ -n "$search_key" ] && ! echo "$search_key" | grep -q "ERROR"; then
        search_key="${search_key#API_KEY: }"
        sed -i "s/BABB_HARDWARE_INJECT/$search_key/" "$BABB_CONFIG" 2>/dev/null || true
    fi
    
    # Wipe key variables from shell memory
    api_key="0000000000000000000000000000000000000000"
    search_key="0000000000000000000000000000000000000000"
    
    # Set restrictive permissions on runtime config
    chmod 600 "$BABB_CONFIG"
    
    # Inject dongle serial port path for BABB tools
    sed -i "s|BABB_AUTO_DETECT|$BABB_PORT|" "$BABB_CONFIG" 2>/dev/null || true
    
    echo "[BABB] API keys injected from hardware"
}

# ── Step 5: Eject mass storage ──────────────────────
eject_drive() {
    # Tell the host to stop using the drive.
    # The RP2040 needs exclusive microSD access for scanning.
    
    local mount_point
    mount_point=$(mount | grep -i babb | awk '{print $3}' | head -1)
    
    if [ -n "$mount_point" ]; then
        echo "[BABB] Ejecting drive: $mount_point"
        
        # Linux
        if command -v udisksctl &>/dev/null; then
            udisksctl unmount -b "$(mount | grep -i babb | awk '{print $1}' | head -1)" 2>/dev/null || true
        elif command -v umount &>/dev/null; then
            sudo umount "$mount_point" 2>/dev/null || true
        fi
        
        # macOS
        if command -v diskutil &>/dev/null; then
            diskutil unmount "$mount_point" 2>/dev/null || true
        fi
        
        # Tell dongle that MSC is ejected, safe to write SD
        echo "MSC_EJECTED" > "$BABB_PORT"
        sleep 0.5
        
        echo "[BABB] Drive ejected. Dongle has exclusive SD access."
    else
        echo "[BABB] Drive not mounted (already ejected or running from copy)"
    fi
}

# ── Step 6: Launch PicoClaw ─────────────────────────
launch_picoclaw() {
    # Copy binary to temp (so we're not running from the drive
    # that's about to be ejected)
    cp "$BABB_BIN" "$BABB_TMP/picoclaw"
    chmod +x "$BABB_TMP/picoclaw"
    
    echo "[BABB] ─────────────────────────────────────"
    echo "[BABB] PicoClaw ready. Dongle: $(basename "$BABB_PORT")"
    echo "[BABB] Model: $(grep '"model"' "$BABB_CONFIG" | head -1 | \
                          sed 's/.*: *"//;s/".*//')"
    echo "[BABB] Workspace: $BABB_TMP/workspace"
    echo "[BABB] Type 'exit' or Ctrl+C to end session"
    echo "[BABB] ─────────────────────────────────────"
    echo
    
    # Set HOME-like env for PicoClaw to find config
    # PicoClaw looks in ~/.picoclaw/config.json
    # We redirect it to our temp directory
    mkdir -p "$BABB_TMP/.picoclaw"
    cp "$BABB_CONFIG" "$BABB_TMP/.picoclaw/config.json"
    mkdir -p "$BABB_TMP/workspace"
    
    # Launch with redirected home
    HOME="$BABB_TMP" "$BABB_TMP/picoclaw" agent "$@"
    
    # PicoClaw exited. Cleanup trap handles the rest.
}

# ── Main ────────────────────────────────────────────
echo "[BABB] BABB Secure Agent Launcher v1.0"
echo

detect_platform
detect_dongle
authenticate
inject_keys
eject_drive
launch_picoclaw "$@"

The Key Injection Protocol

When the launch script sends API_KEY_REQUEST openrouter over CDC serial, here's the exact path through the dongle hardware:

HOST (launch.sh)
│
│  "API_KEY_REQUEST openrouter\n"
│  via USB CDC to /dev/ttyACM0
│
▼
RP2040 Core 0 — USB CDC receive buffer
│
│  1. Parse command: API_KEY_REQUEST
│  2. Check auth_state == AUTH_ACTIVE
│     (if not: respond "ERROR: Not authenticated")
│  3. Extract service name: "openrouter"
│  4. Build UART frame:
│     CMD = 0x60 (CMD_API_KEY_REQUEST)
│     Payload = "openrouter" (10 bytes)
│  5. Encode frame with CRC-8
│  6. mutex_enter(g_uart_mutex)
│  7. Write frame to UART0 (GP0 → C3 GPIO20)
│  8. mutex_exit(g_uart_mutex)
│
▼  UART at 115200 baud, ~15 bytes, ~1.3ms
│
ESP32-C3 — uart_rx_task (FreeRTOS, priority 10)
│
│  9.  Parser receives frame, validates CRC
│  10. Command: CMD_API_KEY_REQUEST
│  11. Extract service name: "openrouter"
│  12. Call babb_get_api_key("openrouter", key_buf, 64)
│      a. Open NVS namespace "babb_api" (flash-encrypted)
│      b. Read blob "cloud_api": [16B IV][ciphertext][16B tag]
│      c. Load api_enc key from "babb_keys" namespace
│      d. AES-256-GCM decrypt using hardware accelerator
│      e. Verify GCM auth tag (tampered? → reject)
│      f. Plaintext API key now in key_buf
│  13. Build response frame:
│      CMD = 0x61 (CMD_API_KEY_RESPONSE)
│      Payload = "sk-or-v1-abc123..." (plaintext key)
│  14. Send frame over UART (GPIO21 → RP2040 GP1)
│  15. mbedtls_platform_zeroize(key_buf, 64)
│      API key wiped from C3 RAM
│
▼  UART response, ~1.3ms
│
RP2040 Core 1 — UART receive loop
│
│  16. Parser receives response frame, validates CRC
│  17. Command: CMD_API_KEY_RESPONSE
│  18. Copy payload to CDC TX buffer:
│      "API_KEY: sk-or-v1-abc123...\n"
│  19. Write to USB CDC (Core 0 TinyUSB picks up on next poll)
│  20. Wipe the UART payload buffer
│
▼  USB CDC
│
HOST (launch.sh)
│
│  21. Reads "API_KEY: sk-or-v1-abc123..."
│  22. Strips prefix, injects into config.json
│  23. Wipes shell variable
│
│  Total time: ~5-10ms
│  Key exposure: ~3ms on C3, ~2ms on RP2040, ~50ms in shell variable
│  Key in flash-encrypted NVS: permanent (until rotation)
│  Key in any RAM: milliseconds

The new protocol commands for this:

/* Added to babb_protocol.h */

#define CMD_API_KEY_REQUEST    0x60  /* RP→C3: request decrypted API key */
#define CMD_API_KEY_RESPONSE   0x61  /* C3→RP: decrypted key (one-shot) */
#define CMD_SESSION_START      0x62  /* RP→C3: PicoClaw session opened */
#define CMD_SESSION_END        0x63  /* RP→C3: PicoClaw session closed */
#define CMD_SCAN_QUERY         0x64  /* RP→C3: classification log query */
#define CMD_SCAN_RESULT        0x65  /* C3→RP: classification results */
#define CMD_FILE_READ          0x66  /* CDC→RP: read file from SD */
#define CMD_FILE_WRITE         0x67  /* CDC→RP: write file to SD */
#define CMD_FILE_DATA          0x68  /* RP→CDC: file content chunk */
#define CMD_MSC_STATE          0x69  /* RP internal: MSC mode toggle */

PicoClaw Custom Tools: The BABB Integration Layer

PicoClaw's tool system works through its config.json. When the agent decides to use a tool, PicoClaw executes it and returns the result to the LLM. For BABB integration, PicoClaw needs custom tool executors that communicate with the dongle over CDC serial.

Since PicoClaw is Go, and its tool system supports external executors, the simplest integration is a small Go package or shell-script tools that PicoClaw calls. The tool definitions on the microSD tell PicoClaw what tools exist. The tool executors talk to the dongle:

PicoClaw agent loop:

User: "Were there any sensitive data flags in today's scans?"
  │
  ▼
LLM (Claude via OpenRouter API):
  "I'll check the scan results using the babb_scan_report tool."
  Tool call: babb_scan_report(date="2026-02-10", format="summary")
  │
  ▼
PicoClaw tool executor:
  Runs: echo "SCAN_REPORT 2026-02-10 summary" > /dev/ttyACM0
  Reads: response from serial port
  │
  ▼
RP2040:
  Receives SCAN_REPORT command over CDC
  Reads classification log from microSD:
    /logs/classified/2026-02-10.csv
  Aggregates results
  Returns over CDC:
    "SCAN: total=1247 normal=1189 code=41 sensitive=12 
     harmful=0 financial=5 medical=0 uncertain=0
     SSN_patterns=3 email_patterns=8 CC_patterns=1
     quarantined=12 synced=1235 pending=12"
  │
  ▼
PicoClaw returns tool result to LLM
  │
  ▼
LLM formats response:
  "Today's monitoring found 12 flagged items across 1,247 scanned
   text windows. Three SSN-pattern numbers and eight email addresses
   were detected. All 12 items are encrypted in quarantine on the
   dongle. One potential credit card number pattern was also caught.
   No harmful content was detected. Would you like me to generate
   a compliance report for these findings?"

The tool executors are simple shell scripts that live on the microSD:

#!/bin/bash
# /picoclaw/config/tools/babb_scan_executor.sh
# Called by PicoClaw when agent invokes babb_scan_report tool

PORT="${BABB_PORT:-/dev/ttyACM0}"
DATE="${1:-$(date +%Y-%m-%d)}"
FORMAT="${2:-summary}"

echo "SCAN_REPORT $DATE $FORMAT" > "$PORT"
timeout 5 head -1 "$PORT" 2>/dev/null

The File Proxy: When PicoClaw Needs SD Access After Ejection

After the drive is ejected and the RP2040 owns the microSD, PicoClaw can still read and write workspace files through the CDC serial interface. The RP2040 acts as a file server:

PicoClaw (on host):
  "Save this compliance report to the workspace"
  │
  ▼
Tool executor sends over CDC:
  FILE_WRITE /workspace/reports/2026-02-10_compliance.md
  <file content follows>
  EOF
  │
  ▼
RP2040:
  Receives FILE_WRITE command
  Opens /workspace/reports/2026-02-10_compliance.md on microSD
  Writes content via SPI/FatFS
  Responds: "FILE_OK 2847 bytes written"

─────────

PicoClaw (on host):
  "Read back today's classification log"
  │
  ▼
Tool executor sends:
  FILE_READ /logs/classified/2026-02-10.csv
  │
  ▼
RP2040:
  Opens file on microSD
  Reads via SPI
  Sends content over CDC in chunks:
  FILE_DATA 0 512 <512 bytes>
  FILE_DATA 512 512 <512 bytes>
  FILE_DATA 1024 247 <247 bytes>
  FILE_END 1271

PicoClaw receives, reassembles, passes to agent.

This is slower than direct file access (~50 KB/s through CDC serial versus ~2 MB/s from mounted drive), but it means PicoClaw can work with dongle storage even after the host has ejected the USB drive. For the typical files involved — text reports, CSV logs, small config files — the latency is unnoticeable.

Power Implications

The microSD adds to the power budget:

Component               Active      Idle/Sleep
──────────────────────────────────────────────
RP2040 (133MHz)         ~40 mA      ~12 mA
ESP32-C3 (WiFi on)      ~80 mA      ~15 mA
ESP32-C3 (WiFi sleep)   ~15 mA      ~5 mA
microSD (SPI active)    ~50 mA       —
microSD (SPI idle)      ~0.2 mA     ~0.2 mA
microSD (sleep/CMD)     ~0.05 mA    ~0.05 mA
TFT display (on)        ~20 mA       —
TFT display (off)        ~0 mA      ~0 mA
──────────────────────────────────────────────
Total active:           ~190 mA (display off, WiFi modem sleep)
Total peak:             ~270 mA (SD write + WiFi TX + display)
Total idle:             ~32 mA  (everything sleeping)

USB 2.0 provides 500mA. USB 3.0 provides 900mA. You're well within budget even at peak. The critical optimization is putting the microSD to sleep when not actively reading or writing. The RP2040 sends CMD0 (GO_IDLE_STATE) to the SD card after completing a batch write, which drops it from 50mA to 0.05mA. On the next access, the SD card re-initializes (~100ms latency, but only happens when transitioning from sleep).

The launch script's eject step is also a power optimization. While the host has the drive mounted, the RP2040 is handling USB MSC SCSI commands continuously, even if no files are being read — the OS polls the device. After ejection, the MSC interface quiesces and the RP2040 can drop to a lighter processing loop.

Session Lifecycle: Plug to Unplug

Here's the complete timeline of what happens:

T+0.0s   Operator plugs dongle into laptop USB-C port

T+0.1s   RP2040 boots (from SPI flash, ~100ms)
         Initializes USB composite device (CDC + MSC)
         Initializes SPI1 for microSD
         Mounts FAT32 filesystem on microSD
         Loads TF-Lite classifier model into SRAM (2.7KB, <1ms)
         Sends heartbeat to C3 over UART

T+0.3s   ESP32-C3 boots (from flash, ~200ms)
         Initializes WiFi (attempts stored SSIDs)
         Loads key ring from flash-encrypted NVS
         Responds to heartbeat

T+0.5s   Host OS detects USB composite device:
         - COM3 / /dev/ttyACM0 (CDC serial)
         - Drive D: / /mnt/babb (MSC removable media)
         Host mounts FAT32 drive

T+1.0s   Operator opens terminal
         $ /mnt/babb/picoclaw/launch/launch.sh
         
T+1.2s   Script detects: Linux amd64
         Script finds dongle: /dev/ttyACM0

T+1.5s   Script prompts for auth token
         Operator types token (or BLE auto-auths)
         Dongle verifies via C3 (HMAC-SHA256, ~2ms)
         
T+2.0s   Script requests API keys from dongle
         C3 decrypts from NVS (~3ms per key)
         Keys flow: C3→UART→RP2040→CDC→script
         Script injects into /tmp/babb-xxxx/config.json

T+2.5s   Script copies picoclaw binary to /tmp (10MB, ~6s from SD)

T+8.5s   Script ejects USB drive
         Host unmounts /mnt/babb
         RP2040 switches to exclusive SD mode
         Scanner can now write logs to SD

T+9.0s   PicoClaw starts (boots in <1 second)
         HOME=/tmp/babb-xxxx
         Config loaded from temp directory
         Connected to Claude via OpenRouter API
         BABB tools available via CDC serial

T+9.5s   OPERATOR IS WORKING
         "Check my scan results"
         "Encrypt this field data"
         "Send an alert to the office"
         "Write a compliance report"
         
         Meanwhile:
         - RP2040 Core 0 handles CDC commands from PicoClaw
         - RP2040 Core 1 runs TF-Lite scanner on USB text stream
         - ESP32-C3 handles WiFi alerts and crypto requests
         - microSD accumulates scan logs and workspace files

T+??     Operator types "exit" or presses Ctrl+C

         PicoClaw exits
         Cleanup trap fires:
           - Overwrites config.json with zeros
           - Deletes /tmp/babb-xxxx/ entirely
           - Sends SESSION_END to dongle
         
         RP2040 receives SESSION_END:
           - Flushes pending SD log writes
           - Switches MSC back to exposed mode
           - Resets auth_state to LOCKED

         No API keys remain anywhere on the host.
         All workspace files are on the microSD.
         The dongle is ready for the next session
         (or the next machine).

What Makes This Different From a Regular USB Drive With Scripts

Three things separate this from just putting PicoClaw on a normal thumb drive:

The keys never exist as files. On a normal USB drive, you'd have config.json with "api_key": "sk-or-v1-real-key-here" sitting in plaintext on a FAT32 filesystem. Anyone who picks up the drive can read it. On the BABB dongle, the config on disk says "api_key": "BABB_HARDWARE_INJECT". The real key exists only in the ESP32-C3's flash-encrypted NVS, protected by the eFuse master key. It surfaces in RAM for milliseconds during the injection step and is wiped on session end. If someone steals the dongle, they need the auth token to unlock it, and three failed attempts trigger a lockout.

The dongle monitors its own output. While PicoClaw runs and the operator queries Claude through it, the LLM responses flow through the USB CDC interface. The RP2040's scanner sees that traffic. If Claude accidentally includes a client's SSN in a response, the dongle catches it, encrypts it into quarantine, and alerts the operator — all without PicoClaw or the host being involved. The scanning is below the application layer. PicoClaw doesn't need to implement content filtering because the hardware does it.

The workspace is tamper-protected. Files on the microSD are written by the RP2040, which mediates all access. The file proxy validates paths (no ../../etc/passwd traversal attacks). The RP2040 can enforce write permissions — PicoClaw can write to /workspace/ but not to /firmware/ or /config/policies.json. The quarantine directory is write-only from the scanner and read-only via an authenticated CDC command. An attacker who compromises PicoClaw on the host can't reach into the dongle and tamper with security-critical files because the RP2040 enforces the boundary.

The end result: an operator carries a single USB device that turns any computer into their secure AI-assisted workstation, with hardware-protected credentials, real-time content scanning, and a portable workspace that follows them between machines.