nix templates: factor harness-base.nix (shared scaffolding incl. gitconfig)

2026-05-15 16:10:55 +02:00 · 2026-05-15 16:10:55 +02:00 · e1289a3e4c
commit e1289a3e4c
parent cb62e15d4f
11 changed files with 137 additions and 113 deletions
--- a/hive-ag3nt/src/bin/hive-ag3nt.rs
+++ b/hive-ag3nt/src/bin/hive-ag3nt.rs
@ -80,7 +80,13 @@ async fn main() -> Result<()> {
            });
            match initial {
                LoginState::Online => {
-                    serve(&cli.socket, Duration::from_millis(poll_ms), login_state, bus).await
+                    serve(
                        &cli.socket,
                        Duration::from_millis(poll_ms),
                        login_state,
                        bus,
                    )
                    .await
                }
                LoginState::NeedsLogin => {
                    // Partial-run mode: keep the harness alive (so the web UI
@ -152,8 +158,7 @@ async fn serve(
                    body: body.clone(),
                });
                let prompt = format_wake_prompt(&label, &from, &body);
-                let outcome =
+                let outcome = drive_turn(&prompt, &mcp_config, &bus, mcp::Flavor::Agent).await;
                    drive_turn(&prompt, &mcp_config, &bus, mcp::Flavor::Agent).await;
                emit_turn_end(&bus, &outcome);
            }
            Ok(AgentResponse::Empty) => {}
--- a/hive-ag3nt/src/bin/hive-m1nd.rs
+++ b/hive-ag3nt/src/bin/hive-m1nd.rs
@ -90,9 +90,7 @@ async fn main() -> Result<()> {
                }
            });
            match initial {
-                LoginState::Online => {
+                LoginState::Online => serve(&cli.socket, Duration::from_millis(poll_ms), bus).await,
                    serve(&cli.socket, Duration::from_millis(poll_ms), bus).await
                }
                LoginState::NeedsLogin => {
                    tracing::warn!(
                        claude_dir = %claude_dir.display(),
@ -174,8 +172,7 @@ async fn serve(socket: &Path, interval: Duration, bus: Bus) -> Result<()> {
                    body: body.clone(),
                });
                let prompt = format_wake_prompt(&label, &from, &body);
-                let outcome =
+                let outcome = drive_turn(&prompt, &mcp_config, &bus, mcp::Flavor::Manager).await;
                    drive_turn(&prompt, &mcp_config, &bus, mcp::Flavor::Manager).await;
                emit_turn_end(&bus, &outcome);
            }
            Ok(ManagerResponse::Empty) => {}
--- a/hive-ag3nt/src/mcp.rs
+++ b/hive-ag3nt/src/mcp.rs
@ -21,10 +21,8 @@ use std::path::PathBuf;
 use anyhow::Result;
 use rmcp::{
-    ServerHandler, ServiceExt,
+    ServerHandler, ServiceExt, handler::server::wrapper::Parameters, schemars, tool, tool_handler,
-    handler::server::wrapper::Parameters,
+    tool_router, transport::stdio,
    schemars, tool, tool_handler, tool_router,
    transport::stdio,
 };
 use crate::client;
@ -33,12 +31,7 @@ use crate::client;
 /// a status line → post-log. Free function so both `AgentServer` and
 /// `ManagerServer` use the same shape; the per-server `status_line`
 /// closure is what differs (different `Status` wire types).
-pub async fn run_tool_envelope<F, S>(
+pub async fn run_tool_envelope<F, S>(tool: &'static str, args: String, status: S, body: F) -> String
    tool: &'static str,
    args: String,
    status: S,
    body: F,
 ) -> String
 where
    F: Future<Output = String>,
    S: Future<Output = String>,
@ -223,8 +216,10 @@ impl ManagerServer {
 #[tool_router]
 impl ManagerServer {
-    #[tool(description = "Send a message to a sub-agent (by logical name), to another agent, \
+    #[tool(
-        or to the operator (recipient `operator`, surfaces in the dashboard).")]
+        description = "Send a message to a sub-agent (by logical name), to another agent, \
        or to the operator (recipient `operator`, surfaces in the dashboard)."
    )]
    async fn send(&self, Parameters(args): Parameters<SendArgs>) -> String {
        let log = format!("{args:?}");
        let to = args.to.clone();
@ -245,8 +240,10 @@ impl ManagerServer {
        .await
    }
-    #[tool(description = "Pop one message from the manager inbox. Returns sender + body, or \
+    #[tool(
-        empty.")]
+        description = "Pop one message from the manager inbox. Returns sender + body, or \
        empty."
    )]
    async fn recv(&self, Parameters(args): Parameters<RecvArgs>) -> String {
        let log = format!("{args:?}");
        run_tool_envelope("recv", log, self.status_line(), async move {
@ -256,7 +253,9 @@ impl ManagerServer {
                    format!("from: {from}\n\n{body}")
                }
                Ok(hive_sh4re::ManagerResponse::Empty) => "(empty)".into(),
-                Ok(hive_sh4re::ManagerResponse::Err { message }) => format!("recv failed: {message}"),
+                Ok(hive_sh4re::ManagerResponse::Err { message }) => {
                    format!("recv failed: {message}")
                }
                Ok(other) => format!("recv unexpected response: {other:?}"),
                Err(e) => format!("recv transport error: {e:#}"),
            }
@ -264,8 +263,10 @@ impl ManagerServer {
        .await
    }
-    #[tool(description = "Queue a Spawn approval for a brand-new sub-agent. The operator \
+    #[tool(
-        approves on the dashboard before the container is actually created.")]
+        description = "Queue a Spawn approval for a brand-new sub-agent. The operator \
        approves on the dashboard before the container is actually created."
    )]
    async fn request_spawn(&self, Parameters(args): Parameters<RequestSpawnArgs>) -> String {
        let log = format!("{args:?}");
        let name = args.name.clone();
@ -283,8 +284,10 @@ impl ManagerServer {
        .await
    }
-    #[tool(description = "Stop a sub-agent container (graceful). The state dir is kept; \
+    #[tool(
-        recreating reuses prior config + Claude credentials.")]
+        description = "Stop a sub-agent container (graceful). The state dir is kept; \
        recreating reuses prior config + Claude credentials."
    )]
    async fn kill(&self, Parameters(args): Parameters<KillArgs>) -> String {
        let log = format!("{args:?}");
        let name = args.name.clone();
@ -292,7 +295,9 @@ impl ManagerServer {
            let req = hive_sh4re::ManagerRequest::Kill { name: args.name };
            match client::request::<_, hive_sh4re::ManagerResponse>(&self.socket, &req).await {
                Ok(hive_sh4re::ManagerResponse::Ok) => format!("killed {name}"),
-                Ok(hive_sh4re::ManagerResponse::Err { message }) => format!("kill failed: {message}"),
+                Ok(hive_sh4re::ManagerResponse::Err { message }) => {
                    format!("kill failed: {message}")
                }
                Ok(other) => format!("kill unexpected response: {other:?}"),
                Err(e) => format!("kill transport error: {e:#}"),
            }
@ -300,9 +305,11 @@ impl ManagerServer {
        .await
    }
-    #[tool(description = "Submit a config change for operator approval. Pass the agent name \
+    #[tool(
        description = "Submit a config change for operator approval. Pass the agent name \
        (e.g. `alice` or `hm1nd` for the manager's own config) and a commit sha in that \
-        agent's proposed config repo. On approval hive-c0re rebuilds the container.")]
+        agent's proposed config repo. On approval hive-c0re rebuilds the container."
    )]
    async fn request_apply_commit(
        &self,
        Parameters(args): Parameters<RequestApplyCommitArgs>,
@ -310,7 +317,11 @@ impl ManagerServer {
        let log = format!("{args:?}");
        let agent = args.agent.clone();
        let commit_ref = args.commit_ref.clone();
-        run_tool_envelope("request_apply_commit", log, self.status_line(), async move {
+        run_tool_envelope(
            "request_apply_commit",
            log,
            self.status_line(),
            async move {
                let req = hive_sh4re::ManagerRequest::RequestApplyCommit {
                    agent: args.agent,
                    commit_ref: args.commit_ref,
@ -325,7 +336,8 @@ impl ManagerServer {
                    Ok(other) => format!("request_apply_commit unexpected response: {other:?}"),
                    Err(e) => format!("request_apply_commit transport error: {e:#}"),
                }
-        })
+            },
        )
        .await
    }
 }
@ -350,15 +362,8 @@ pub const SERVER_NAME: &str = "hyperhive";
 /// (`Task`) are intentionally omitted for now; `Bash` is allowed pending a
 /// finer-grained allow-list system for shell command patterns. Edit later
 /// as our trust model evolves.
-pub const ALLOWED_BUILTIN_TOOLS: &[&str] = &[
+pub const ALLOWED_BUILTIN_TOOLS: &[&str] =
-    "Bash",
+    &["Bash", "Edit", "Glob", "Grep", "Read", "TodoWrite", "Write"];
    "Edit",
    "Glob",
    "Grep",
    "Read",
    "TodoWrite",
    "Write",
 ];
 /// Which MCP tool surface to advertise via `--allowedTools`. The agent
 /// list is the strict subset of the manager list, so we just thread the
@ -376,7 +381,13 @@ pub enum Flavor {
 pub fn allowed_mcp_tools(flavor: Flavor) -> Vec<String> {
    let names: &[&str] = match flavor {
        Flavor::Agent => &["send", "recv"],
-        Flavor::Manager => &["send", "recv", "request_spawn", "kill", "request_apply_commit"],
+        Flavor::Manager => &[
            "send",
            "recv",
            "request_spawn",
            "kill",
            "request_apply_commit",
        ],
    };
    names
        .iter()
@ -388,7 +399,10 @@ pub fn allowed_mcp_tools(flavor: Flavor) -> Vec<String> {
 /// both the built-ins and the MCP surface.
 #[must_use]
 pub fn allowed_tools_arg(flavor: Flavor) -> String {
-    let mut all: Vec<String> = ALLOWED_BUILTIN_TOOLS.iter().map(|s| (*s).to_owned()).collect();
+    let mut all: Vec<String> = ALLOWED_BUILTIN_TOOLS
        .iter()
        .map(|s| (*s).to_owned())
        .collect();
    all.extend(allowed_mcp_tools(flavor));
    all.join(",")
 }
--- a/hive-ag3nt/src/web_ui.rs
+++ b/hive-ag3nt/src/web_ui.rs
@ -323,9 +323,9 @@ async fn events_stream(
    let rx = state.bus.subscribe();
    // Drop a "hello" note into the bus so every new subscriber sees at
    // least one event immediately and can clear the connecting placeholder.
-    state
+    state.bus.emit(crate::events::LiveEvent::Note(
-        .bus
+        "live stream attached".into(),
-        .emit(crate::events::LiveEvent::Note("live stream attached".into()));
+    ));
    let stream = BroadcastStream::new(rx).filter_map(|res| {
        let ev = res.ok()?;
        let json = serde_json::to_string(&ev).ok()?;
@ -356,10 +356,7 @@ struct CodeForm {
    code: String,
 }
-async fn post_login_code(
+async fn post_login_code(State(state): State<AppState>, Form(form): Form<CodeForm>) -> Response {
    State(state): State<AppState>,
    Form(form): Form<CodeForm>,
 ) -> Response {
    let session = state.session.lock().unwrap().clone();
    let Some(session) = session else {
        return error_response("no login session running");
--- a/hive-c0re/src/actions.rs
+++ b/hive-c0re/src/actions.rs
@ -6,7 +6,9 @@
 use std::sync::Arc;
 use anyhow::{Result, bail};
-use hive_sh4re::{ApprovalKind, ApprovalStatus, HelperEvent, MANAGER_AGENT, Message, SYSTEM_SENDER};
+use hive_sh4re::{
    ApprovalKind, ApprovalStatus, HelperEvent, MANAGER_AGENT, Message, SYSTEM_SENDER,
 };
 use crate::coordinator::{Coordinator, TransientKind};
 use crate::lifecycle::{self, MANAGER_NAME};
@ -83,7 +85,11 @@ pub async fn approve(coord: Arc<Coordinator>, id: i64) -> Result<()> {
    }
 }
-fn finish_approval(coord: &Coordinator, approval: &hive_sh4re::Approval, result: Result<()>) -> Result<()> {
+fn finish_approval(
    coord: &Coordinator,
    approval: &hive_sh4re::Approval,
    result: Result<()>,
 ) -> Result<()> {
    match result {
        Ok(()) => {
            notify_manager(
--- a/hive-c0re/src/auto_update.rs
+++ b/hive-c0re/src/auto_update.rs
@ -72,7 +72,6 @@ pub async fn rebuild_agent(coord: &Arc<Coordinator>, name: &str, current_rev: &s
    Ok(())
 }
 /// Auto-create the manager container on startup if it isn't already there.
 /// hive-c0re manages hm1nd end-to-end (Phase 8 follow-up): operators no
 /// longer declare `containers.hm1nd` in their host NixOS config. Bypasses
--- a/hive-c0re/src/lifecycle.rs
+++ b/hive-c0re/src/lifecycle.rs
@ -75,7 +75,11 @@ pub fn is_manager(name: &str) -> bool {
 /// extends. Manager → `manager`; everyone else → `agent-base`.
 #[must_use]
 pub fn flake_base(name: &str) -> &'static str {
-    if is_manager(name) { "manager" } else { "agent-base" }
+    if is_manager(name) {
        "manager"
    } else {
        "agent-base"
    }
 }
 fn validate(name: &str) -> Result<()> {
--- a/hive-sh4re/src/lib.rs
+++ b/hive-sh4re/src/lib.rs
@ -218,7 +218,9 @@ pub enum ManagerRequest {
    Status,
    /// Operator-injected message TO the manager (from the manager's own web
    /// UI). Same shape as `AgentRequest::OperatorMsg`.
-    OperatorMsg { body: String },
+    OperatorMsg {
        body: String,
    },
    /// Submit a spawn request for the user to approve. On approval the host
    /// creates and starts the container. Brand-new agent names only — if an
    /// agent of the same name already exists, the approval will fail.
--- a/nix/templates/agent-base.nix
+++ b/nix/templates/agent-base.nix
@ -1,27 +1,14 @@
 { pkgs, ... }:
 {
-  boot.isNspawnContainer = true;
+  imports = [ ./harness-base.nix ];
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "claude-code" ];
  environment.systemPackages = with pkgs; [
    hyperhive
    claude-code
    bashInteractive
    git
    coreutils-full
  ];
  # claude's Bash tool refuses to run without a POSIX shell + $SHELL set.
  environment.variables.SHELL = "${pkgs.bashInteractive}/bin/bash";
  systemd.services.hive-ag3nt = {
    description = "hive-ag3nt harness";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
-    # The harness shells out to `claude` (turn loop + login flow). systemd
+    # `claude` for the turn loop + `bash` for claude's Bash tool. systemd
-    # units get a minimal PATH by default, so we have to put claude-code on
+    # units get a minimal PATH by default; entries in
-    # it explicitly even though it's in environment.systemPackages above.
+    # `environment.systemPackages` aren't on it.
    # bash is on PATH so claude's Bash tool can spawn `$SHELL`.
    path = [
      pkgs.claude-code
      pkgs.bashInteractive
@ -33,6 +20,4 @@
      RestartSec = 2;
    };
  };
  system.stateVersion = "25.11";
 }
--- a/nix/templates/harness-base.nix
+++ b/nix/templates/harness-base.nix
@ -0,0 +1,35 @@
 { pkgs, ... }:
 {
  # Shared scaffolding for any hyperhive harness container — both
  # sub-agents (`agent-base.nix`) and the manager (`manager.nix`) extend
  # this. The systemd service that actually runs the harness binary
  # differs per role and lives in the child module.
  boot.isNspawnContainer = true;
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "claude-code" ];
  environment.systemPackages = with pkgs; [
    hyperhive
    claude-code
    bashInteractive
    git
    coreutils-full
  ];
  # claude's Bash tool refuses to run without a POSIX shell + $SHELL set.
  environment.variables.SHELL = "${pkgs.bashInteractive}/bin/bash";
  # Default gitconfig for any commits the harness makes. The per-agent
  # `applied/<name>/flake.nix` overrides this with the agent's own name +
  # email; this fallback only kicks in if the container is built straight
  # from `agent-base` / `manager` without the per-agent extension.
  environment.etc."gitconfig".text = ''
    [user]
      name = hyperhive
      email = hyperhive@local
    [init]
      defaultBranch = main
  '';
  system.stateVersion = "25.11";
 }
--- a/nix/templates/manager.nix
+++ b/nix/templates/manager.nix
@ -1,27 +1,11 @@
 { pkgs, ... }:
 {
-  boot.isNspawnContainer = true;
+  imports = [ ./harness-base.nix ];
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "claude-code" ];
  environment.systemPackages = with pkgs; [
    hyperhive
    claude-code
    bashInteractive
    git
    coreutils-full
  ];
  # claude's Bash tool refuses to run without a POSIX shell + $SHELL set.
  environment.variables.SHELL = "${pkgs.bashInteractive}/bin/bash";
  environment.etc."gitconfig".text = ''
    [user]
      name = hm1nd
      email = hm1nd@hyperhive
    [init]
      defaultBranch = main
  '';
  # HIVE_PORT/HIVE_LABEL/gitconfig are also injected by the generated
  # `applied/hm1nd/flake.nix` (see `lifecycle::setup_applied`); the values
  # here are the base config so the container stays sensible if anyone
  # ever evaluates `nixosConfigurations.manager` standalone.
  systemd.services.hive-m1nd = {
    description = "hive-m1nd manager harness";
    wantedBy = [ "multi-user.target" ];
@ -29,20 +13,16 @@
    environment = {
      HIVE_PORT = "8000";
      HIVE_LABEL = "hm1nd";
      SHELL = "${pkgs.bashInteractive}/bin/bash";
    };
    # See note in agent-base.nix — `claude` and a POSIX shell have to be on
    # the service PATH explicitly for the harness + claude's Bash tool.
    path = [
      pkgs.claude-code
      pkgs.bashInteractive
    ];
    environment.SHELL = "${pkgs.bashInteractive}/bin/bash";
    serviceConfig = {
      ExecStart = "${pkgs.hyperhive}/bin/hive-m1nd serve";
      Restart = "on-failure";
      RestartSec = 2;
    };
  };
  system.stateVersion = "25.11";
 }