{ pkgs, ... }:
{
  # Shared scaffolding for any hyperhive harness container — both
  # sub-agents (`agent-base.nix`) and the manager (`manager.nix`) extend
  # this. The systemd service that actually runs the harness binary
  # differs per role and lives in the child module.

  boot.isNspawnContainer = true;

  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "claude-code" ];

  environment.systemPackages = with pkgs; [
    hyperhive
    claude-code
    bashInteractive
    git
    coreutils-full
  ];
  # claude's Bash tool refuses to run without a POSIX shell + $SHELL set.
  environment.variables.SHELL = "${pkgs.bashInteractive}/bin/bash";

  # Default gitconfig for any commits the harness makes. The per-agent
  # `applied/<name>/flake.nix` overrides this with the agent's own name +
  # email; this fallback only kicks in if the container is built straight
  # from `agent-base` / `manager` without the per-agent extension.
  environment.etc."gitconfig".text = ''
    [user]
      name = hyperhive
      email = hyperhive@local
    [init]
      defaultBranch = main
  '';

  system.stateVersion = "25.11";
}