{ pkgs, ... }:
{
  boot.isNspawnContainer = true;

  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "claude-code" ];

  environment.systemPackages = with pkgs; [
    hyperhive
    claude-code
    bashInteractive
    git
    coreutils-full
  ];
  # claude's Bash tool refuses to run without a POSIX shell + $SHELL set.
  environment.variables.SHELL = "${pkgs.bashInteractive}/bin/bash";

  systemd.services.hive-ag3nt = {
    description = "hive-ag3nt harness";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    # The harness shells out to `claude` (turn loop + login flow). systemd
    # units get a minimal PATH by default, so we have to put claude-code on
    # it explicitly even though it's in environment.systemPackages above.
    # bash is on PATH so claude's Bash tool can spawn `$SHELL`.
    path = [
      pkgs.claude-code
      pkgs.bashInteractive
    ];
    environment.SHELL = "${pkgs.bashInteractive}/bin/bash";
    serviceConfig = {
      ExecStart = "${pkgs.hyperhive}/bin/hive-ag3nt serve";
      Restart = "on-failure";
      RestartSec = 2;
    };
  };

  system.stateVersion = "25.11";
}