# TODO

Pick anything from here when relevant. Cross-cutting design notes live in
[CLAUDE.md](CLAUDE.md); high-level project intro in [README.md](README.md).

## Security

- **Unprivileged containers (userns mapping).** Today the nspawn container
  runs as a fully privileged root. Goal: `PrivateUsersChown=yes` (or the
  nixos-container equivalent) so uid 0 inside maps to an unprivileged uid
  on the host, and a container-root compromise lands the attacker on an
  ordinary user account, not the host's root. Requires per-agent state
  dirs to be chown'd to that uid on the host side.
- **Bash command allow-list.** Replace the blanket `Bash` allow with a
  pattern allow-list (`Bash(git *)`, `Bash(nix build .*)`, etc.) per
  claude-code's `--allowedTools` extended grammar. Likely lives in
  `agent.nix` so each agent can scope its own shell surface.

## Per-agent settings

- **Model override.** Hard-coded to `haiku` in the turn loop right now.
  Surface as a per-agent override: operator via dashboard, manager via
  `request_apply_commit` setting an attr on the agent's flake (most natural
  place since the flake already carries per-agent env/identity).

## UI / UX

- **Operator inbox view.** Drain replies addressed to `operator` and show
  them on the dashboard. Today they accumulate in sqlite unread; you can
  only see them by watching the live panel of the agent that sent them.
- **Per-agent UI substance.** Show last N inbox messages, last turn timing,
  link back to dashboard.
- **Static-asset SPA-style web UI.** Move toward: `index.html` is static,
  CSS/JS is static, all dynamic state is fetched over SSE / JSON endpoints.
  Currently the index HTML is server-rendered with state-dependent
  fragments inlined; the live event stream + async forms are already SSE /
  fetch. Goal is a cleaner split so the UI is one HTML file + JS app +
  small JSON API.
- **Background JS refresh on the live panel.** Already there for sends;
  any remaining places that reload the whole page should switch to fetch +
  partial updates.
- **xterm.js terminal** embedded per-agent, attached to a PTY exposed by
  the harness. Pairs well with the unprivileged-container work — would let
  the operator drop into the container without `nixos-container root-login`.

## Loop substance

- **Notes / state persistence.** Per-agent `notes.md` for durable scratch
  memory across turns. Compaction-on-overflow runs a separate short-lived
  claude session (à la bitburner-agent). The `--continue` session already
  gives short-term memory, but notes give cross-session durable knowledge
  that isn't lost on a `/compact` boundary.

## Lifecycle / reliability

- **Bounded broker.** Cap rows per recipient or auto-vacuum delivered
  messages older than a threshold. sqlite is growing unbounded.
- **Container crash events.** Watch `container@*.service` via D-Bus, push
  `HelperEvent::ContainerCrash` to the manager's inbox so the manager can
  react (restart, escalate, etc.).
- **`destroy --purge`.** Today `destroy` keeps state by design; add an
  opt-in flag (CLI + dashboard) to also wipe `/var/lib/hyperhive/agents/<name>/`
  and `/var/lib/hyperhive/applied/<name>/`.

## Cleanup / docs

- **Debug-only sub-commands.** `hive-ag3nt send/recv` and the analogous
  `hive-m1nd send/recv/...` exist only for ops debugging. Move them into a
  hidden `debug` sub-command to declutter `--help`, or drop entirely.