Phase 6a: per-container web UI (axum); per-agent port hashed from name

nix/modules/hive-c0re.nix

@@ -31,6 +31,17 @@ in
   config = lib.mkIf cfg.enable {
     environment.systemPackages = [ cfg.package ];
 
+    # Per-container web UIs share the host's network namespace and need their
+    # ports reachable. Manager: 8000. Sub-agents: 8100..8999 (deterministic
+    # hash; see `lifecycle::agent_web_port`).
+    networking.firewall.allowedTCPPorts = [ 8000 ];
+    networking.firewall.allowedTCPPortRanges = [
+      {
+        from = 8100;
+        to = 8999;
+      }
+    ];
+
     systemd.services.hive-c0re = {
       description = "hyperhive coordinator daemon";
       wantedBy = [ "multi-user.target" ];