model persisted to /state; stop auto-allowing claude-code unfree

model persistence: /model <name> now writes to /state/hyperhive-model
(in-container), Bus::new reads it on init. operator override survives
harness restart and container rebuild; gone on --purge like every
other piece of agent state. path overridable via HYPERHIVE_MODEL_FILE
for tests. failure to persist is a warn, not fatal — runtime override
still applies, just won't survive a restart.

unfree opt-in: drop the auto-allowUnfreePredicate from
harness-base.nix and the claude-unstable overlay. operator now has to
set nixpkgs.config.allowUnfree (or a predicate listing claude-code)
in their own host config. silent unfree bypass was sketchy; this is
honest. readme + gotchas updated to spell out the snippet.

todo: drops model-persistence + container-crash + journald (all
shipped); adds per-agent send allow-list (constrain who an agent can
message).

docs/gotchas.md

@@ -53,11 +53,15 @@ socket without needing a clean reinstall.
 
 ## `claude-code` is unfree
 
-`harness-base.nix` allow-list's it specifically. The flake pins it to
-**nixpkgs-unstable** via `overlays.claude-unstable` (stable lags too
-far). The overlay imports unstable with its own
-`allowUnfreePredicate` so the access inside the overlay doesn't
-itself trip.
+The flake pins it to **nixpkgs-unstable** via
+`overlays.claude-unstable` (stable lags too far). The overlay
+imports unstable inheriting the user's `nixpkgs.config`, so the
+operator must opt in by setting `allowUnfree = true` (or an
+`allowUnfreePredicate` that whitelists `claude-code`) on their host
+config. hyperhive deliberately does NOT auto-allow — silent unfree
+bypass would be sketchy, and the error message is clear enough that
+the operator can fix it once and forget about it. Same on the
+per-agent containers (they inherit through the same nixpkgs).
 
 ## Claude credentials are per-agent