Phase 5c: separate proposed (manager) and applied (hive-c0re) repos; per-agent gitconfig

hive-c0re/src/coordinator.rs

@@ -14,7 +14,14 @@ use crate::broker::Broker;
 
 const AGENT_RUNTIME_ROOT: &str = "/run/hyperhive/agents";
 const MANAGER_RUNTIME_ROOT: &str = "/run/hyperhive/manager";
+/// Manager-editable per-agent config repos. Bind-mounted RW into the manager
+/// container as `/agents/<name>/`. Hive-c0re only writes to these on first
+/// spawn (initial commit); after that it's manager-only.
 const AGENT_STATE_ROOT: &str = "/var/lib/hyperhive/agents";
+/// Hive-c0re-only authoritative per-agent config repos. Containers build from
+/// these. Manager has no filesystem access; the only way to update is via
+/// `request_apply_commit` + user approval.
+const APPLIED_STATE_ROOT: &str = "/var/lib/hyperhive/applied";
 
 pub struct Coordinator {
     pub broker: Arc<Broker>,
@@ -73,7 +80,14 @@ impl Coordinator {
         Self::manager_dir().join("mcp.sock")
     }
 
-    pub fn agent_config_dir(name: &str) -> PathBuf {
+    /// Manager-editable proposed config repo. Bind-mounted into the manager
+    /// container as `/agents/<name>/config/`.
+    pub fn agent_proposed_dir(name: &str) -> PathBuf {
         PathBuf::from(format!("{AGENT_STATE_ROOT}/{name}/config"))
     }
+
+    /// Authoritative applied config repo. Hive-c0re-only.
+    pub fn agent_applied_dir(name: &str) -> PathBuf {
+        PathBuf::from(format!("{APPLIED_STATE_ROOT}/{name}"))
+    }
 }