nix: hyperhive.westonRdp.enable — opt-in weston + RDP backend per agent

CLAUDE.md

@@ -130,6 +130,8 @@ nix/
   templates/harness-base.nix    shared scaffolding for sub-agents + manager
   templates/agent-base.nix      sub-agent nixosConfiguration
   templates/manager.nix         manager nixosConfiguration
+  templates/weston-rdp.nix      optional `hyperhive.westonRdp.enable`
+                                 — weston + RDP backend systemd unit
 
 docs/
   conventions.md       naming, identity=socket, async forms, commit style
@@ -183,6 +185,22 @@ read them à la carte.
 In-flight or recent context that hasn't earned a section yet.
 Prune freely.
 
+- **Just landed:** `hyperhive.westonRdp.enable` option. New
+  `nix/templates/weston-rdp.nix` declares a per-agent bool;
+  enabling it runs weston with the RDP backend as a systemd
+  service (software/pixman render, self-signed TLS cert
+  generated first-boot under `/var/lib/weston`). Imported by
+  `harness-base.nix` so every agent has the option; an agent
+  opts in from its own `agent.nix`. Design note: it's a FLAT
+  per-agent option, not `hyperhive.agents.<name>.*` — each
+  agent is its own nixosConfiguration with no cross-agent
+  view, so the `<name>` indirection is meaningless. The unit
+  is `Type = "simple"` with an always-exit-0 `ExecStartPre` so
+  it can never abort `nixos-container update` (a `Type=notify`
+  weston that never signals READY would fail activation every
+  reload — the trap `tea-login` documents). A misconfigured
+  weston degrades to a restart loop in `journalctl`, not a
+  blocked rebuild.
 - **Just landed:** `get_logs` now resolves the machine name.
   `journalctl -M` wants the *machine* name (`h-gui`), not the
   logical agent name (`gui`) — `get_logs` was the one manager