# TODO

Pick anything from here when relevant. Cross-cutting design notes live in
[CLAUDE.md](CLAUDE.md); high-level project intro in [README.md](README.md).

## Security

- **Unprivileged containers (userns mapping).** Today the nspawn container
  runs as a fully privileged root. Goal: `PrivateUsersChown=yes` (or the
  nixos-container equivalent) so uid 0 inside maps to an unprivileged uid
  on the host, and a container-root compromise lands the attacker on an
  ordinary user account, not the host's root. Requires per-agent state
  dirs to be chown'd to that uid on the host side.
- **Bash command allow-list.** Replace the blanket `Bash` allow with a
  pattern allow-list (`Bash(git *)`, `Bash(nix build .*)`, etc.) per
  claude-code's `--allowedTools` extended grammar. Likely lives in
  `agent.nix` so each agent can scope its own shell surface.

## Per-agent settings

- **Model override.** Hard-coded to `haiku` in the turn loop right now.
  Surface as a per-agent override: operator via dashboard, manager via
  `request_apply_commit` setting an attr on the agent's flake (most natural
  place since the flake already carries per-agent env/identity).

## UI / UX

- **Per-agent UI substance.** Show last N inbox messages, last turn timing,
  link back to dashboard.
- **xterm.js terminal** embedded per-agent, attached to a PTY exposed by
  the harness. Pairs well with the unprivileged-container work — would let
  the operator drop into the container without `nixos-container root-login`.

## Manager → operator question channel

- **TTL / cancel on `ask_operator`.** Questions today block forever; the
  manager turn stays alive until the operator answers. Add a per-question
  `ttl_seconds` (or a dashboard "cancel" button that resolves the question
  with a sentinel answer) so a long-idle question can time out and let the
  manager fall back. Wire the timeout into `OperatorQuestions::wait_answered`
  and surface remaining-time on the dashboard.

## Loop substance

- **Notes compaction.** `/state/` is bind-mounted persistently and agents
  are told (in the system prompt) to keep `/state/notes.md` for durable
  knowledge — but we don't currently nudge them to compact when notes
  grow. Bitburner-agent's pattern: a short-lived secondary claude session
  that takes the existing notes + a "compact this" prompt and rewrites
  them in place. Add when the notes start bloating.

## Lifecycle / reliability

- **Bounded broker.** Cap rows per recipient or auto-vacuum delivered
  messages older than a threshold. sqlite is growing unbounded.
- **Container crash events.** Watch `container@*.service` via D-Bus, push
  `HelperEvent::ContainerCrash` to the manager's inbox so the manager can
  react (restart, escalate, etc.).
- **`destroy --purge`.** Today `destroy` keeps state by design; add an
  opt-in flag (CLI + dashboard) to also wipe `/var/lib/hyperhive/agents/<name>/`
  and `/var/lib/hyperhive/applied/<name>/`.

## Cleanup / docs

- **Debug-only sub-commands.** `hive-ag3nt send/recv` and the analogous
  `hive-m1nd send/recv/...` exist only for ops debugging. Move them into a
  hidden `debug` sub-command to declutter `--help`, or drop entirely.