phase 8 step 1: per-agent claude creds bind + destroy keeps state

hive-c0re/src/lifecycle.rs

@@ -16,6 +16,10 @@ pub const MANAGER_NAME: &str = "hm1nd";
 /// Mount point of the per-agent runtime directory inside the container.
 pub const CONTAINER_RUNTIME_MOUNT: &str = "/run/hive";
 
+/// Mount point of the per-agent Claude credentials dir inside the container.
+/// Persistent across destroy/recreate so OAuth login survives.
+pub const CONTAINER_CLAUDE_MOUNT: &str = "/root/.claude";
+
 const GIT_NAME: &str = "hive-c0re";
 const GIT_EMAIL: &str = "hive-c0re@hyperhive";
 
@@ -66,14 +70,16 @@ pub async fn spawn(
     agent_dir: &Path,
     proposed_dir: &Path,
     applied_dir: &Path,
+    claude_dir: &Path,
 ) -> Result<()> {
     validate(name)?;
     setup_proposed(proposed_dir, name).await?;
     setup_applied(applied_dir, name, hyperhive_flake).await?;
+    ensure_claude_dir(claude_dir)?;
     let container = container_name(name);
     let flake_ref = format!("{}#default", applied_dir.display());
     run(&["create", &container, "--flake", &flake_ref]).await?;
-    set_nspawn_flags(&container, agent_dir)?;
+    set_nspawn_flags(&container, agent_dir, claude_dir)?;
     set_resource_limits(&container)?;
     systemd_daemon_reload().await?;
     run(&["start", &container]).await
@@ -108,12 +114,14 @@ pub async fn rebuild(
     hyperhive_flake: &str,
     agent_dir: &Path,
     applied_dir: &Path,
+    claude_dir: &Path,
 ) -> Result<()> {
     validate(name)?;
     setup_applied(applied_dir, name, hyperhive_flake).await?;
+    ensure_claude_dir(claude_dir)?;
     let container = container_name(name);
     let flake_ref = format!("{}#default", applied_dir.display());
-    set_nspawn_flags(&container, agent_dir)?;
+    set_nspawn_flags(&container, agent_dir, claude_dir)?;
     set_resource_limits(&container)?;
     systemd_daemon_reload().await?;
     run(&["update", &container, "--flake", &flake_ref]).await?;
@@ -248,6 +256,23 @@ pub async fn apply_commit(applied_dir: &Path, proposed_dir: &Path, commit_ref: &
     Ok(())
 }
 
+/// Create the per-agent Claude credentials dir if missing. Mode 0700 — only
+/// root inside the container reads/writes it. Idempotent: existing dirs are
+/// left untouched (an agent's OAuth tokens survive `destroy`/recreate).
+fn ensure_claude_dir(claude_dir: &Path) -> Result<()> {
+    if !claude_dir.exists() {
+        std::fs::create_dir_all(claude_dir)
+            .with_context(|| format!("create {}", claude_dir.display()))?;
+        #[cfg(unix)]
+        {
+            use std::os::unix::fs::PermissionsExt;
+            std::fs::set_permissions(claude_dir, std::fs::Permissions::from_mode(0o700))
+                .with_context(|| format!("chmod {}", claude_dir.display()))?;
+        }
+    }
+    Ok(())
+}
+
 fn initial_agent_nix(name: &str) -> String {
     format!(
         "{{ ... }}:\n{{\n  # Per-agent overrides for {name}. The manager edits this\n  # file (and commits) to customise the agent's NixOS config.\n}}\n",
@@ -347,12 +372,13 @@ async fn systemd_daemon_reload() -> Result<()> {
 /// is reachable on the host) and `EXTRA_NSPAWN_FLAGS` (the runtime-dir bind).
 /// The start script expands `$EXTRA_NSPAWN_FLAGS` unquoted into the
 /// `systemd-nspawn` command.
-fn set_nspawn_flags(container: &str, agent_dir: &Path) -> Result<()> {
+fn set_nspawn_flags(container: &str, agent_dir: &Path, claude_dir: &Path) -> Result<()> {
     let path = format!("/etc/nixos-containers/{container}.conf");
     let original = std::fs::read_to_string(&path).with_context(|| format!("read {path}"))?;
     let bind_flag = format!(
-        "EXTRA_NSPAWN_FLAGS=\"--bind={}:{CONTAINER_RUNTIME_MOUNT}\"",
-        agent_dir.display()
+        "EXTRA_NSPAWN_FLAGS=\"--bind={runtime}:{CONTAINER_RUNTIME_MOUNT} --bind={claude}:{CONTAINER_CLAUDE_MOUNT}\"",
+        runtime = agent_dir.display(),
+        claude = claude_dir.display(),
     );
     let mut lines: Vec<String> = original
         .lines()