docs: CLAUDE.md + PLAN.md updated for current state (all phases shipped)

2026-05-15 02:15:25 +02:00 · 2026-05-15 02:15:25 +02:00 · c7b50aa5b7
commit c7b50aa5b7
parent fcd6563887
2 changed files with 210 additions and 121 deletions
--- a/PLAN.md
+++ b/PLAN.md
@ -1,6 +1,9 @@
 # hyperhive — Plan

-> **Status.** Planning doc for a new project. Lives at `~/Repos/nixos-configuration-claude/agent-system/PLAN.md` during planning; **moves to `~/Repos/hyperhive/PLAN.md`** once the repo is created.
+> **Status.** All phases 0–7 have shipped. This file is the original design
+> doc; **CLAUDE.md** is the current source of truth for what's actually built,
+> the file map, gotchas, and operator runbook. Keep this file for the *why*
+> and the original phase rationale; CLAUDE.md for *how things are today*.
 >
 > **Names.**
 > - Repo: `hyperhive`
@ -10,7 +13,7 @@
 >   - `hive-m1nd` — runs in the manager container (same crate, second `main.rs`, wires the manager tool surface).
 > - Shared crate between `hive-c0re` and `hive-ag3nt` (wire protocol, MCP verb types, message shapes): **`hive-sh4re`**.
 >
-> **Relationship to damocles.** Damocles is a separate, currently-running setup. `hyperhive` is a new, independent system in its own repo. Damocles' existing `claude-container.nix` informs the agent-base template but is not a dependency. Eventually damocles migrates onto `hyperhive` — out of v1 scope.
+> **Relationship to damocles.** Damocles is a separate, currently-running setup. `hyperhive` is a new, independent system in its own repo. Damocles' existing `claude-container.nix` informs the agent-base template but is not a dependency. Migration options laid out in `docs/damocles-migration.md`; recommendation is to keep them separate for now.

 ## What we're building

@ -109,39 +112,43 @@ A multi-Claude-Code-agent setup on a single host:

 ## Phased path

-### Phase 0 — repo bootstrap
+All phases ✅ shipped. Each section below is the *original* design with notes
+on what actually landed and what deviated. See CLAUDE.md → "Phase status" for
+the canonical summary.
+
+### ✅ Phase 0 — repo bootstrap
 - Create `~/Repos/hyperhive/`, init flake.
 - Cargo workspace: `hive-c0re/`, `hive-sh4re/`, `hive-ag3nt/` (the last with two `[[bin]]` targets — `hive-ag3nt` and `hive-m1nd`). All compile, all do nothing useful.
 - NixOS module skeleton (`nix/modules/hive-c0re.nix`) that runs the daemon as a systemd service on the host.
 - Agent base template (`nix/templates/agent-base.nix`) that builds a nixos-container including the `hive-ag3nt` binary.
 - **Exit:** `nixos-container create test-agent --flake .#agent-base && nixos-container start test-agent` brings up a container whose `hive-ag3nt` prints "hello" and exits.

-### Phase 1 — container lifecycle + Risk 1
+### ✅ Phase 1 — container lifecycle + Risk 1
 - `hive-c0re`: open host admin socket (`/run/hyperhive/host.sock`); verbs `spawn(name)`, `kill(name)`, `rebuild(name)`, `list()`. Uses `nixos-container` underneath; container name on the host is `h-<name>` (sub-agents) or `hm1nd` (manager).
 - CLI tool talking to the admin socket (same `hive-c0re` binary, subcommand-driven).
 - Manually mutate an agent's config flake, call `rebuild`, observe whether `hive-ag3nt` survives.
 - **Decision:** if hot-reload doesn't preserve the harness, that becomes a hard requirement of `hive-ag3nt`'s design (resume from disk state). Document the outcome.
 - **Exit:** spawn / rebuild / kill via CLI is reliable; known behaviour for in-flight rebuilds.

-### Phase 2 — sockets + minimal MCP
+### ✅ Phase 2 — sockets + minimal MCP
 - `hive-c0re` opens `manager.sock` and `agents/<name>.sock` (one per spawned agent). Per-socket MCP server with the right tool surface baked in. Types from `hive-sh4re`.
 - `hive-ag3nt`: MCP client (types from `hive-sh4re`), connects to its socket on startup, exchanges hello.
 - Tools: agent gets `send(to, body)`, `recv()`. No persistence yet (in-memory).
 - **Exit:** two test agents exchange messages through `hive-c0re` manually-driven.

-### Phase 3 — broker + turn loop
+### ✅ Phase 3 — broker + turn loop
 - `hive-c0re`: sqlite-backed message store (`messages` table; `id, sender, recipient, body, sent_at, delivered_at`). Survives `hive-c0re` restart.
 - `hive-ag3nt` (lib): real turn loop. Reads from `recv`; feeds new messages as user turns to `claude`; captures output; calls `send` for outbound. Long-running.
 - **Exit:** two `hive-ag3nt`-driven agents have a back-and-forth conversation through `hive-c0re`.

-### Phase 4 — `hive-m1nd` + privileged surface
+### ✅ Phase 4 — `hive-m1nd` + privileged surface
 - `hive-m1nd` binary (second `[[bin]]` in `hive-ag3nt`) wires the manager tool surface.
 - Manager container (`hm1nd`) declared in host NixOS module (auto-restart). Bind-mount `agents/**` RW.
 - Manager socket gets the privileged tool surface: `request_spawn`/`request_kill`, `request_apply_commit`, `inject_peer_info`, `send(..., wait_for_reply=true)`.
 - Smoke: attach a terminal to the manager container (`nixos-container root-login`); ask `hive-m1nd` to spawn an agent and route a message to it.
 - **Exit:** manager spawns, routes, kills a child agent end-to-end; lifecycle still gated by manual CLI approval (no GUI yet).

-### Phase 5 — git-commit approval flow
+### ✅ Phase 5 — git-commit approval flow
 - `state-repo` on host tracks world (agents directory listing, allow-lists, etc.).
 - Per-agent `config/` flake repos created at spawn time.
 - Manager's container: bind-mounted clones; uses plain `git` CLI to edit/commit.
@ -149,13 +156,13 @@ A multi-Claude-Code-agent setup on a single host:
 - Per-agent allow-list for `request_install`: in-list installs become auto-applied commits; novel pkgs become pending commits.
 - **Exit:** manager adds a package to an agent → user approves on CLI → agent picks it up.

-### Phase 6 — per-agent web UI + dashboard MVP
+### ✅ Phase 6 — per-agent web UI + dashboard MVP
 - `hive-ag3nt` web UI module (in the crate's lib): HTTP on a per-container host port (host network): status, last messages, embedded terminal (xterm.js over WebSocket). Both `hive-ag3nt` and `hive-m1nd` binaries expose it.
 - Dashboard served by `hive-c0re`: agent list, per-agent status, links to each agent's UI, link to manager's UI.
 - No approval UI yet; users still approve via CLI.
 - **Exit:** browser is a usable navigation layer over the whole system.

-### Phase 7 — dashboard commit view + polish
+### ✅ Phase 7 — dashboard commit view + polish
 - Pending-commits view in the dashboard with diff rendering and Approve/Deny buttons (replaces the CLI approve step).
 - Live message-flow view (`hive-c0re` sees all MCP relay traffic).
 - `hive-c0re` event push into `hive-m1nd`'s `next_event` (crashes, OOM, approval resolved).
@ -204,19 +211,36 @@ A multi-Claude-Code-agent setup on a single host:
 └── PLAN.md                           # this file
 ```

+## Resolved implementation decisions
+
+The original open-decisions list, with what we picked:
+
+- **Wire format.** Custom JSON-line over unix sockets (host admin / manager /
+  per-agent), not real MCP stdio. Simpler and good enough for now; can swap
+  to MCP later. SSE for the dashboard message-flow.
+- **Per-agent web UI.** `axum` HTTP server inside each container at a port
+  hashed from the agent name (8100–8999); manager at fixed 8000; dashboard
+  at 7000. Plain HTML, no HTMX, no xterm.js yet.
+- **`state-repo` schema.** Per-agent dir with files; not a single TOML.
+  Realised as two parallel git repos per agent: `proposed` (manager-editable)
+  and `applied` (hive-c0re-only). Container builds from `applied`.
+- **Manager access to applied state.** *Not* RW-mounted. Manager only has
+  `proposed/` bind-mounted; `applied/` is hive-c0re-only.
+- **One binary or two.** One: `hive-c0re` is daemon + CLI dispatched by
+  subcommand (`serve` / `spawn` / `kill` / `rebuild` / `list` / `pending` /
+  `approve` / `deny`).
+
+## Polish backlog (not phased)
+
+See CLAUDE.md → "Polish backlog" for the live list. Highlights: operator
+inbox drain, per-agent UI substance, xterm.js terminal embed, `destroy` verb,
+bounded broker, container-crash events via D-Bus.
+
 ## Explicitly deferred / out of v1 scope

 - Per-agent API keys, cost attribution.
 - Pooled / pre-warmed containers.
- Destroy verb on the `hive-c0re` API (use `rm` on host; `state-repo` records intent).
+- Destroy verb on the `hive-c0re` API (use `rm` on host).
 - Backup / replication of `agents/` state.
- Migration of existing damocles containers (later, separate effort).
+- Migration of existing damocles containers (`docs/damocles-migration.md`).
 - Anything about multiple hosts.
-
-## Open implementation decisions (resolve during build)
-
- MCP relay wire format: stdio MCP shuttled through the socket vs custom JSON-RPC matching MCP semantics. Default: stick with MCP stdio, `hive-c0re` multiplexes.
- Per-agent web UI tech: own small `axum` server in `hive-ag3nt`'s lib with embedded HTMX, plus xterm.js over WebSocket for the terminal. Reuse same stack as the dashboard.
- `state-repo` schema: filesystem-shaped (`agents/<name>/role.txt`, `agents/<name>/allow-list.txt`) vs single declarative file (`world.toml`). Lean filesystem-shaped — git diffs read naturally per agent.
- Whether `hive-m1nd` also auto-mounts `state-repo` RW or only via the `request_apply_commit` path. Lean: only via the verb (keeps the audit trail clean).
- Whether `hive-c0re` daemon and `hive-c0re` CLI are one binary (subcommands) or two binaries sharing a crate. Default: one binary, `hive-c0re serve` vs `hive-c0re approve <sha>` etc.