fix /state paths: sub-agents use /agents/<name>/state, not /state

sub-agent containers post-refactor bind their state at
/agents/<name>/state (manager keeps the legacy /state — see
lifecycle.rs:751). agent.md still said /state/forge-token; corrected
to /agents/{label}/state/forge-token (template-substituted at
boot). tea-login systemd unit now walks both candidates so the same
harness module works for the manager and sub-agents.

hive-ag3nt/prompts/agent.md

@@ -15,7 +15,7 @@ Claude session (OAuth credentials) lives at `/root/.claude/` and persists across
 
 **Shared space**: `/shared` is accessible to all agents (read/write). Only put things here you're willing to lose — other agents may delete them. Use for explicit cross-agent communication or shared artifacts when appropriate.
 
-**Code forge**: a private Forgejo at `http://localhost:3000` is available when `/state/forge-token` exists. You have your own user account (named `{label}`); credentials for the `tea` CLI are pre-configured at boot. Use `tea repos create`, `tea pulls create --base main --head <branch>`, `tea pulls list`, `tea issues create`, etc. for any persistent code work — git repos that should outlive a single turn, code you want a peer or the operator to review, anything you'd otherwise jam into `/shared`. Falls back to plain `git`/`curl` if `tea` doesn't fit; the REST API is at `http://localhost:3000/api/v1/` with the same token (`Authorization: token $(cat /state/forge-token)`).
+**Code forge**: a private Forgejo at `http://localhost:3000` is available when `/agents/{label}/state/forge-token` exists. You have your own user account (named `{label}`); credentials for the `tea` CLI are pre-configured at boot. Use `tea repos create`, `tea pulls create --base main --head <branch>`, `tea pulls list`, `tea issues create`, etc. for any persistent code work — git repos that should outlive a single turn, code you want a peer or the operator to review, anything you'd otherwise jam into `/shared`. Falls back to plain `git`/`curl` if `tea` doesn't fit; the REST API is at `http://localhost:3000/api/v1/` with the same token (`Authorization: token $(cat /agents/{label}/state/forge-token)`).
 
 Keep messages short — a few sentences each. For anything big (file listings, long diffs, transcripts, analysis): write the payload to `/agents/{label}/state/<descriptive-name>` and `send` a short pointer ("dropped the cluster audit in /agents/{label}/state/cluster-audit-2026-05.md, headline: 3 nodes over 80% mem"). The manager + operator can read your state from the host as `/agents/{label}/state/`. Sub-agent peers can't read each other's state directly — go through the manager if a payload needs to reach another sub-agent.
 

nix/templates/harness-base.nix

@@ -160,10 +160,18 @@
       path = [ pkgs.tea pkgs.coreutils ];
       script = ''
         set -eu
-        TOKEN_FILE=/state/forge-token
         CONFIG=/root/.config/tea/config.yml
-        if [ ! -f "$TOKEN_FILE" ]; then
+        # Manager keeps the legacy /state bind; sub-agents have
-          echo "tea-login: no $TOKEN_FILE (hive-forge not seeded); skipping"
+        # /agents/<name>/state. Glob covers both — there's exactly one
+        # hit either way (manager: /state, sub-agent: its own
+        # /agents/* mount), since each container only sees its own
+        # state dir.
+        TOKEN_FILE=""
+        for f in /state/forge-token /agents/*/state/forge-token; do
+          [ -f "$f" ] && TOKEN_FILE="$f" && break
+        done
+        if [ -z "$TOKEN_FILE" ]; then
+          echo "tea-login: no forge-token (hive-forge not seeded); skipping"
           exit 0
         fi
         if [ -f "$CONFIG" ]; then
@@ -175,7 +183,7 @@
           --name forge \
           --url ${lib.escapeShellArg config.hyperhive.forge.url} \
           --token "$(cat "$TOKEN_FILE")"
-        echo "tea-login: configured for ${config.hyperhive.forge.url}"
+        echo "tea-login: configured for ${config.hyperhive.forge.url} from $TOKEN_FILE"
       '';
     };