programs.git.enable + harness PATH tracks systemPackages

- harness-base.nix: switch to programs.git for declarative gitconfig.
- agent + manager service path = /run/current-system/sw → agents pick up
  new packages from their own agent.nix without harness edits.
- generated applied/<name>/flake.nix overrides programs.git.config.user
  (no more raw etc.gitconfig collision).

hive-c0re/src/lifecycle.rs

@@ -243,13 +243,10 @@ pub async fn setup_applied(
         modules = [
           ./agent.nix
           {{
-            environment.etc."gitconfig".text = ''
+            programs.git.config.user = {{
-              [user]
+              name = "{name}";
-                name = {name}
+              email = "{name}@hyperhive";
-                email = {name}@hyperhive
+            }};
-              [init]
-                defaultBranch = main
-            '';
             systemd.services.{service}.environment = {{
               HIVE_PORT = "{port}";
               HIVE_LABEL = "{name}";

nix/templates/agent-base.nix

@@ -6,13 +6,13 @@
     description = "hive-ag3nt harness";
     wantedBy = [ "multi-user.target" ];
     after = [ "network.target" ];
-    # `claude` for the turn loop + `bash` for claude's Bash tool. systemd
+    # systemd units get a minimal PATH by default and don't inherit
-    # units get a minimal PATH by default; entries in
+    # `environment.systemPackages`. Pointing at `/run/current-system/sw`
-    # `environment.systemPackages` aren't on it.
+    # gives the harness (and any tools claude shells out to via Bash)
-    path = [
+    # access to everything declared in `systemPackages` — including
-      pkgs.claude-code
+    # anything an agent adds to its own `agent.nix` — without having to
-      pkgs.bashInteractive
+    # touch the service definition.
-    ];
+    path = [ "/run/current-system/sw" ];
     environment.SHELL = "${pkgs.bashInteractive}/bin/bash";
     serviceConfig = {
       ExecStart = "${pkgs.hyperhive}/bin/hive-ag3nt serve";

nix/templates/harness-base.nix

@@ -13,23 +13,28 @@
     hyperhive
     claude-code
     bashInteractive
-    git
     coreutils-full
   ];
+
+  # Git is needed by claude's Bash tool (for the agent <-> manager config
+  # request flow) and by hive-c0re's own setup_applied / setup_proposed.
+  # `programs.git.enable` installs the binary + manages `/etc/gitconfig`
+  # declaratively so the inline module in `applied/<name>/flake.nix` can
+  # override `user.name` / `user.email` per agent without fighting a raw
+  # `environment.etc."gitconfig"` block.
+  programs.git = {
+    enable = true;
+    config = {
+      user = {
+        name = "hyperhive";
+        email = "hyperhive@local";
+      };
+      init.defaultBranch = "main";
+    };
+  };
+
   # claude's Bash tool refuses to run without a POSIX shell + $SHELL set.
   environment.variables.SHELL = "${pkgs.bashInteractive}/bin/bash";
 
-  # Default gitconfig for any commits the harness makes. The per-agent
-  # `applied/<name>/flake.nix` overrides this with the agent's own name +
-  # email; this fallback only kicks in if the container is built straight
-  # from `agent-base` / `manager` without the per-agent extension.
-  environment.etc."gitconfig".text = ''
-    [user]
-      name = hyperhive
-      email = hyperhive@local
-    [init]
-      defaultBranch = main
-  '';
-
   system.stateVersion = "25.11";
 }

nix/templates/manager.nix

@@ -15,10 +15,11 @@
       HIVE_LABEL = "hm1nd";
       SHELL = "${pkgs.bashInteractive}/bin/bash";
     };
-    path = [
+    # See note in agent-base.nix — `/run/current-system/sw` makes the
-      pkgs.claude-code
+    # harness service PATH track `environment.systemPackages` so anything
-      pkgs.bashInteractive
+    # an agent adds to its own `agent.nix` is visible without editing the
-    ];
+    # service definition.
+    path = [ "/run/current-system/sw" ];
     serviceConfig = {
       ExecStart = "${pkgs.hyperhive}/bin/hive-m1nd serve";
       Restart = "on-failure";