harness-base: wrap config attributes after introducing options

mixing options.* with bare config-level attributes (boot.*, environment.*, etc.) at the same level isn't supported once the module declares any options — nix needs them under an explicit 'config = { ... }' block. error from the host: 'unsupported attribute boot. caused by introducing top-level options'. wrap accordingly.

nix/templates/harness-base.nix

@@ -59,45 +59,47 @@
     '';
   };
 
-  environment.etc."hyperhive/extra-mcp.json".text =
-    builtins.toJSON config.hyperhive.extraMcpServers;
+  config = {
+    environment.etc."hyperhive/extra-mcp.json".text =
+      builtins.toJSON config.hyperhive.extraMcpServers;
 
-  boot.isNspawnContainer = true;
+    boot.isNspawnContainer = true;
 
-  # `claude-code` is unfree. Each per-agent container's nixosConfiguration
-  # evaluates its own `nixpkgs` instance, so the operator's host-level
-  # `nixpkgs.config.allowUnfreePredicate` does not propagate into here —
-  # we have to allow it inside the container's config as well.
-  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "claude-code" ];
+    # `claude-code` is unfree. Each per-agent container's nixosConfiguration
+    # evaluates its own `nixpkgs` instance, so the operator's host-level
+    # `nixpkgs.config.allowUnfreePredicate` does not propagate into here —
+    # we have to allow it inside the container's config as well.
+    nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "claude-code" ];
 
-  environment.systemPackages = with pkgs; [
-    hyperhive
-    claude-code
-    bashInteractive
-    coreutils-full
-    # procps for pkill — used by the web UI's /api/cancel to SIGINT the
-    # in-flight claude turn.
-    procps
-  ];
+    environment.systemPackages = with pkgs; [
+      hyperhive
+      claude-code
+      bashInteractive
+      coreutils-full
+      # procps for pkill — used by the web UI's /api/cancel to SIGINT the
+      # in-flight claude turn.
+      procps
+    ];
 
-  # Git is needed by claude's Bash tool (for the agent <-> manager config
-  # request flow) and by hive-c0re's own setup_applied / setup_proposed.
-  # The per-agent `applied/<name>/flake.nix` overrides `user.name` and
-  # `user.email` with the agent's identity — values here are `mkDefault`
-  # so the per-agent override wins without needing `mkForce`.
-  programs.git = {
-    enable = true;
-    config = {
-      user = {
-        name = lib.mkDefault "hyperhive";
-        email = lib.mkDefault "hyperhive@local";
+    # Git is needed by claude's Bash tool (for the agent <-> manager config
+    # request flow) and by hive-c0re's own setup_applied / setup_proposed.
+    # The per-agent `applied/<name>/flake.nix` overrides `user.name` and
+    # `user.email` with the agent's identity — values here are `mkDefault`
+    # so the per-agent override wins without needing `mkForce`.
+    programs.git = {
+      enable = true;
+      config = {
+        user = {
+          name = lib.mkDefault "hyperhive";
+          email = lib.mkDefault "hyperhive@local";
+        };
+        init.defaultBranch = lib.mkDefault "main";
       };
-      init.defaultBranch = lib.mkDefault "main";
     };
+
+    # claude's Bash tool refuses to run without a POSIX shell + $SHELL set.
+    environment.variables.SHELL = "${pkgs.bashInteractive}/bin/bash";
+
+    system.stateVersion = "25.11";
   };
-
-  # claude's Bash tool refuses to run without a POSIX shell + $SHELL set.
-  environment.variables.SHELL = "${pkgs.bashInteractive}/bin/bash";
-
-  system.stateVersion = "25.11";
 }