docs: tag-driven config-apply plan + migration story

scratchpad in claude.md marks this as in-flight; docs/approvals.md
gets the new tag state machine (proposal/approved/building/deployed/
failed/denied) and the manager applied.git read-only mount. todo
picks up the unprivileged-containers git-identity caveat and a web
ui for config repos as a downstream follow-up.
müde 2026-05-15 22:43:47 +02:00
parent 75e7faff0c
commit 497cd15137
3 changed files with 118 additions and 28 deletions

14
TODO.md

@ -21,7 +21,12 @@ Pick anything from here when relevant. Cross-cutting design notes live in
nixos-container equivalent) so uid 0 inside maps to an unprivileged uid
on the host, and a container-root compromise lands the attacker on an
ordinary user account, not the host's root. Requires per-agent state
dirs to be chown'd to that uid on the host side.
dirs to be chown'd to that uid on the host side. The per-agent git
identity (currently injected via `programs.git.config.user` against
the root user in `setup_applied`'s generated flake) also needs to be
provisioned for whatever non-root user claude runs as, or commits
the manager makes against `/agents/<n>/config` will fall back to a
generic `nixos@…` identity.
- **Bash command allow-list.** Replace the blanket `Bash` allow with a
pattern allow-list (`Bash(git *)`, `Bash(nix build .*)`, etc.) per
claude-code's `--allowedTools` extended grammar. Likely lives in
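Review bot: the new git-identity sentence names the failure mode (commits against `/agents/<n>/config` falling back to a generic `nixos@…` identity) but leaves the target open as "whatever non-root user claude runs as". This item already requires the per-agent state dirs to be chown'd to the mapped uid, so it would help to say that the identity is provisioned for that same user in the same step. Consider also adding an acceptance check to the item, for example confirming that `git config user.name` and `git config user.email` resolve for that user inside the container, so the fallback is caught before it reaches the config repo history.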
@ -64,6 +69,13 @@ Pick anything from here when relevant. Cross-cutting design notes live in
## UI / UX
- **Web UI for config repos.** Browse history, diffs, tags
(proposed + approval/* + applied/*) per agent, all from the
dashboard. Something lighter than a full forge — read-only
log + diff + raw-file view is enough. Pairs naturally with
the upcoming config-repo overhaul (tags become the audit
trail; UI surfaces them).
- **xterm.js terminal** embedded per-agent, attached to a PTY exposed by
the harness. Pairs well with the unprivileged-container work — would let
the operator drop into the container without `nixos-container root-login`.
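Review bot: the tag list in the new "Web UI for config repos" item, `(proposed + approval/* + applied/*)`, does not line up with the state names the commit message gives for docs/approvals.md (proposal/approved/building/deployed/failed/denied). If these are namespaces rather than states, say so, or point the item at docs/approvals.md so the two cannot drift. Since the item says tags become the audit trail, it is also worth stating which repo view the dashboard reads from and that it is mounted read-only, so the "read-only log + diff + raw-file view" is enforced by the mount and not only by the UI.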