feat: migrate host Hyprland configs to Lua (Hyprland 0.55+)

- m3-kratos/home.nix: use hl.monitor({}), hl.workspace_rule({}),
  hl.window_rule({}) table-based Lua API
- m3-ares/home.nix: same Lua API + tuxedo-backlight via hl.on()
- Update flake.lock: home-manager -> 74f170c6 (2026-05-18)

.beads/hooks/post-checkout

@@ -1,5 +1,5 @@
 #!/usr/bin/env sh
-# --- BEGIN BEADS INTEGRATION v1.0.2 ---
+# --- BEGIN BEADS INTEGRATION v1.0.3 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
   export BD_GIT_HOOK=1
@@ -21,4 +21,4 @@ if command -v bd >/dev/null 2>&1; then
   fi
   if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
-# --- END BEADS INTEGRATION v1.0.2 ---
+# --- END BEADS INTEGRATION v1.0.3 ---

.beads/hooks/post-merge

@@ -1,5 +1,5 @@
 #!/usr/bin/env sh
-# --- BEGIN BEADS INTEGRATION v1.0.2 ---
+# --- BEGIN BEADS INTEGRATION v1.0.3 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
   export BD_GIT_HOOK=1
@@ -21,4 +21,4 @@ if command -v bd >/dev/null 2>&1; then
   fi
   if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
-# --- END BEADS INTEGRATION v1.0.2 ---
+# --- END BEADS INTEGRATION v1.0.3 ---

.beads/hooks/pre-commit

@@ -1,5 +1,5 @@
 #!/usr/bin/env sh
-# --- BEGIN BEADS INTEGRATION v1.0.2 ---
+# --- BEGIN BEADS INTEGRATION v1.0.3 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
   export BD_GIT_HOOK=1
@@ -21,4 +21,4 @@ if command -v bd >/dev/null 2>&1; then
   fi
   if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
-# --- END BEADS INTEGRATION v1.0.2 ---
+# --- END BEADS INTEGRATION v1.0.3 ---

.beads/hooks/pre-push

@@ -1,5 +1,5 @@
 #!/usr/bin/env sh
-# --- BEGIN BEADS INTEGRATION v1.0.2 ---
+# --- BEGIN BEADS INTEGRATION v1.0.3 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
   export BD_GIT_HOOK=1
@@ -21,4 +21,4 @@ if command -v bd >/dev/null 2>&1; then
   fi
   if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
-# --- END BEADS INTEGRATION v1.0.2 ---
+# --- END BEADS INTEGRATION v1.0.3 ---

.beads/hooks/prepare-commit-msg

@@ -1,5 +1,5 @@
 #!/usr/bin/env sh
-# --- BEGIN BEADS INTEGRATION v1.0.2 ---
+# --- BEGIN BEADS INTEGRATION v1.0.3 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
   export BD_GIT_HOOK=1
@@ -21,4 +21,4 @@ if command -v bd >/dev/null 2>&1; then
   fi
   if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
-# --- END BEADS INTEGRATION v1.0.2 ---
+# --- END BEADS INTEGRATION v1.0.3 ---

.beads/issues.jsonl

@@ -1,3 +1,3 @@
-{"id":"home-profile-restructuring-edz","title":"Create copy-hermes-skills systemd service","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:44:42Z","started_at":"2026-04-26T12:36:30Z","closed_at":"2026-04-26T12:44:42Z","close_reason":"Created systemd service in hosts/m3-hermes/services/hermes-agent.nix - copies skills to /var/lib/hermes/.agents/skills before hermes-agent starts","labels":["hermes-agent","nixos"],"dependencies":[{"issue_id":"home-profile-restructuring-edz","depends_on_id":"home-profile-restructuring-ycz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":1,"comment_count":0}
+{"_type":"issue","id":"home-profile-restructuring-edz","title":"Create copy-hermes-skills systemd service","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:44:42Z","started_at":"2026-04-26T12:36:30Z","closed_at":"2026-04-26T12:44:42Z","close_reason":"Created systemd service in hosts/m3-hermes/services/hermes-agent.nix - copies skills to /var/lib/hermes/.agents/skills before hermes-agent starts","labels":["hermes-agent","nixos"],"dependencies":[{"issue_id":"home-profile-restructuring-edz","depends_on_id":"home-profile-restructuring-ycz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":1,"comment_count":0}
-{"id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkOpencodeSkills","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkOpencodeSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0}
+{"_type":"issue","id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkOpencodeSkills","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkOpencodeSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0}
-{"id":"home-profile-restructuring-cxa","title":"Verify skills available at /var/lib/hermes/.agents/skills","status":"closed","priority":2,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:50:58Z","started_at":"2026-04-26T12:38:15Z","closed_at":"2026-04-26T12:50:58Z","close_reason":"Manually verified - skills are present at /var/lib/hermes/.agents/skills on m3-hermes","labels":["hermes-agent","testing"],"dependencies":[{"issue_id":"home-profile-restructuring-cxa","depends_on_id":"home-profile-restructuring-edz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":0,"comment_count":0}
+{"_type":"issue","id":"home-profile-restructuring-cxa","title":"Verify skills available at /var/lib/hermes/.agents/skills","status":"closed","priority":2,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:50:58Z","started_at":"2026-04-26T12:38:15Z","closed_at":"2026-04-26T12:50:58Z","close_reason":"Manually verified - skills are present at /var/lib/hermes/.agents/skills on m3-hermes","labels":["hermes-agent","testing"],"dependencies":[{"issue_id":"home-profile-restructuring-cxa","depends_on_id":"home-profile-restructuring-edz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":0,"comment_count":0}

.gitignore

@@ -26,6 +26,7 @@ Thumbs.db
 opencode.json
 
 # AI agent state
+.claude/
 .sidecar/
 .sidecar-*
 .sisyphus/
@@ -39,6 +40,7 @@ opencode.json
 .pi*
 .worktrees/
 docs/plans/
+CLAUDE.md
 
 # Beads / Dolt files (added by bd init)
 .dolt/

flake.lock

@@ -47,11 +47,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1777399938,
+        "lastModified": 1778518220,
-        "narHash": "sha256-xXPqUQezDdDtF8MbpZnwD1HkybOYwF92evx8rJ6OXCU=",
+        "narHash": "sha256-6AQs9VZ0/DuD4njPbYHRE4v+SgJc6SBrGwemTWxikVc=",
         "ref": "refs/heads/master",
-        "rev": "9a91f1ee0cf011a7eaf1f16a9e17610b0457e055",
+        "rev": "b6e1aaa6261c5056d024d8d4785659eaa4e675e6",
-        "revCount": 85,
+        "revCount": 87,
         "type": "git",
         "url": "ssh://gitea@code.m3ta.dev/m3tam3re/AGENTS"
       },
@@ -280,11 +280,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776613567,
+        "lastModified": 1777713215,
-        "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=",
+        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d",
+        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
         "type": "github"
       },
       "original": {
@@ -322,11 +322,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775087534,
+        "lastModified": 1777988971,
-        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
+        "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
+        "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
         "type": "github"
       },
       "original": {
@@ -406,16 +406,16 @@
         "uv2nix": "uv2nix_2"
       },
       "locked": {
-        "lastModified": 1777573861,
+        "lastModified": 1778170968,
-        "narHash": "sha256-whY/1WL2fQUhPqDp7CGm3MSwOOo7FB1eADhNVnHeCRU=",
+        "narHash": "sha256-YQQUEDUim2CiYpL3uG7Wi1fWPsT2wtIqoBeJuAj9hUk=",
         "owner": "NousResearch",
         "repo": "hermes-agent",
-        "rev": "73bf3ab1b22314ed9dfecbb59242c03742fe72af",
+        "rev": "498bfc7bc12a937621b4215312049b1000726df3",
         "type": "github"
       },
       "original": {
         "owner": "NousResearch",
-        "ref": "v2026.4.30",
+        "ref": "v2026.5.7",
         "repo": "hermes-agent",
         "type": "github"
       }
@@ -448,11 +448,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777476904,
+        "lastModified": 1779113444,
-        "narHash": "sha256-EeLoE8n4+QCbteyAsYXxhfr97RFfWL1ga0xwfL6lpKw=",
+        "narHash": "sha256-/L61sT1PIKmGWIQpIh0uJGH/ANvcsf6y4alxtb9kelg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "8c8e5389e75a36bee53920de8ee24f017b3ae03e",
+        "rev": "74f170c62d57f90e656841f1f699e6bdf40f0a24",
         "type": "github"
       },
       "original": {
@@ -512,11 +512,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777679572,
+        "lastModified": 1778503501,
-        "narHash": "sha256-egYNbRrkn+6SwTHinhdb6WUfzzdC3nXfCRqS321VylY=",
+        "narHash": "sha256-08L/X4/do7nET4rzidJ76eV/1r+mB7DchVpdPypsghc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "9cb587ade2aa1b4a7257f0238d41072690b0ca4f",
+        "rev": "85ba629c79449badf4338117c27f0ee92b4b9f1a",
         "type": "github"
       },
       "original": {
@@ -577,11 +577,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1777439951,
+        "lastModified": 1778304612,
-        "narHash": "sha256-1Bs4ZbBayXWicrOrQQn3/BnnqhEy+tQjdFn40wHu1dw=",
+        "narHash": "sha256-7FkBnR56KZ8RwY5kPd3ans8f68IYjF1J66gOUlLsiLA=",
         "owner": "numtide",
         "repo": "llm-agents.nix",
-        "rev": "2641c18f5bb9d0b95e81beca1b0415e174d7e650",
+        "rev": "c741913095c4815f6651aa0a2c24b3ce15e414e4",
         "type": "github"
       },
       "original": {
@@ -602,11 +602,11 @@
         "nur": "nur"
       },
       "locked": {
-        "lastModified": 1777712073,
+        "lastModified": 1778520138,
-        "narHash": "sha256-pzzvQP3bs56k6pphtdbWtmE23jhJJ1LoGVDmUZOxGhM=",
+        "narHash": "sha256-X58c8BUIshyUnp6XEKumFUYXqMFnrDTj+aGuGIbKwxg=",
         "ref": "refs/heads/master",
-        "rev": "55661c12d4c74e06bb7a86ebede212d26099b00c",
+        "rev": "a87d9510bd84f51bf93970730b8688ab7221bbdd",
-        "revCount": 14,
+        "revCount": 30,
         "type": "git",
         "url": "ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home"
       },
@@ -627,11 +627,11 @@
         "openspec": "openspec"
       },
       "locked": {
-        "lastModified": 1777687275,
+        "lastModified": 1778508052,
-        "narHash": "sha256-75fbn1g+46RjjsqapKOGAU1hdKyju4qK/p8IVmyBZdM=",
+        "narHash": "sha256-kxzZvJv757TGfHReR21aX6N/jkGMWzGSy9GQEclYD4Y=",
         "ref": "refs/heads/master",
-        "rev": "fa28774656daf391ae8a79e30dc3a69261dfa82f",
+        "rev": "8113723a48c4afa016881ccd5bc4be3fad2c7d5f",
-        "revCount": 272,
+        "revCount": 294,
         "type": "git",
         "url": "ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs"
       },
@@ -649,11 +649,11 @@
         "openspec": "openspec_2"
       },
       "locked": {
-        "lastModified": 1777687275,
+        "lastModified": 1778518789,
-        "narHash": "sha256-75fbn1g+46RjjsqapKOGAU1hdKyju4qK/p8IVmyBZdM=",
+        "narHash": "sha256-9WZvO2BBofC2Wp4dvP4/aQ6Jhmcxh9lEGTYj09hLXrI=",
         "ref": "refs/heads/master",
-        "rev": "fa28774656daf391ae8a79e30dc3a69261dfa82f",
+        "rev": "d64c581516c02702ec28e5d2304330d7b035235d",
-        "revCount": 272,
+        "revCount": 295,
         "type": "git",
         "url": "ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs"
       },
@@ -830,11 +830,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1777684196,
+        "lastModified": 1778507606,
-        "narHash": "sha256-irZjT++CZFBGHsuHNqPTa6AE1wVVuxdoR7pcdp6hq0A=",
+        "narHash": "sha256-6Yc2dIhijc8G+dbMNocyclxF19dUrjaT+EeXGrXmXlg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1cad9ada6da0658a588196ddcb2836004caa2293",
+        "rev": "39a7b8d815fcc8b689d56fc4a3fa8de4ef93d169",
         "type": "github"
       },
       "original": {
@@ -846,11 +846,11 @@
     },
     "nixpkgs-master_2": {
       "locked": {
-        "lastModified": 1777684196,
+        "lastModified": 1778507606,
-        "narHash": "sha256-irZjT++CZFBGHsuHNqPTa6AE1wVVuxdoR7pcdp6hq0A=",
+        "narHash": "sha256-6Yc2dIhijc8G+dbMNocyclxF19dUrjaT+EeXGrXmXlg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1cad9ada6da0658a588196ddcb2836004caa2293",
+        "rev": "39a7b8d815fcc8b689d56fc4a3fa8de4ef93d169",
         "type": "github"
       },
       "original": {
@@ -862,11 +862,11 @@
     },
     "nixpkgs-master_3": {
       "locked": {
-        "lastModified": 1777483759,
+        "lastModified": 1778307931,
-        "narHash": "sha256-luE+pNcTx3gz109lEC/xUxPHrx1aEZsp5X4OEBcnGaw=",
+        "narHash": "sha256-GkUOqeH6tb2/K1tv3t0F/xROIAh5/zEGutzEUIrQ+u8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b540331d6f1e343b6812b5aa1d97c707a0de0da2",
+        "rev": "8f689324e32c31a3d2c24490a19e266c3fb6508b",
         "type": "github"
       },
       "original": {
@@ -878,11 +878,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1777077449,
+        "lastModified": 1778003029,
-        "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=",
+        "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160",
+        "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
         "type": "github"
       },
       "original": {
@@ -894,11 +894,11 @@
     },
     "nixpkgs_10": {
       "locked": {
-        "lastModified": 1777268161,
+        "lastModified": 1777954456,
-        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
         "type": "github"
       },
       "original": {
@@ -974,11 +974,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1776949667,
+        "lastModified": 1778124196,
-        "narHash": "sha256-GMSVw35Q+294GlrTUKlx087E31z7KurReQ1YHSKp5iw=",
+        "narHash": "sha256-pYEytCNic/czazbV9r3tbQ6BZzqRBg/41x2dIC5ymOo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "01fbdeef22b76df85ea168fbfe1bfd9e63681b30",
+        "rev": "68a8af93ff4297686cb68880845e61e5e2e41d92",
         "type": "github"
       },
       "original": {
@@ -1006,11 +1006,11 @@
     },
     "nixpkgs_7": {
       "locked": {
-        "lastModified": 1777578337,
+        "lastModified": 1777954456,
-        "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
         "type": "github"
       },
       "original": {
@@ -1022,11 +1022,11 @@
     },
     "nixpkgs_8": {
       "locked": {
-        "lastModified": 1777268161,
+        "lastModified": 1777954456,
-        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
         "type": "github"
       },
       "original": {
@@ -1079,11 +1079,11 @@
         "nixpkgs": "nixpkgs_7"
       },
       "locked": {
-        "lastModified": 1777712567,
+        "lastModified": 1778506944,
-        "narHash": "sha256-HnS+JN7FhBq0dPdigYGE9py3TAMInzRPkVW8mE4qSQE=",
+        "narHash": "sha256-lU0Bleh0reE+WU7j8Uiqsu6ekPav50L8sXsgOvEQS+0=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "5035bb030208b191f464446970df5786f25b7ae9",
+        "rev": "0166493cfe4e0e9927435c1cfbf5505cfb0d10d1",
         "type": "github"
       },
       "original": {
@@ -1100,11 +1100,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777486007,
+        "lastModified": 1778308643,
-        "narHash": "sha256-5R0q8ESHux3Le76n4IuNUThkAo4o2M+Kj1Loj2J7ahI=",
+        "narHash": "sha256-MpJyLyJWAwOy7rVs7pWqRwH2b8/rj+B524VzdonvXBs=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "6f5d55cfd726ff4cd68d006bddbdf459d0dc471b",
+        "rev": "98d908741ed91101cd0649961f12d2427bdba7d3",
         "type": "github"
       },
       "original": {
@@ -1122,11 +1122,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777679960,
+        "lastModified": 1778120451,
-        "narHash": "sha256-yLc5BzIecR3L9lPILImNqRgOqqXCZH902CSBLn/5UJI=",
+        "narHash": "sha256-MUSPD16+hoFBfQWYahtNLN2BIFEAlFFo2KNofrc947g=",
         "owner": "Fission-AI",
         "repo": "OpenSpec",
-        "rev": "0ca74762dc03ee25f8651eaa7c33866170112031",
+        "rev": "053d8a59d587f3c027a06ad80503a6b43d4f2a92",
         "type": "github"
       },
       "original": {
@@ -1143,11 +1143,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777679960,
+        "lastModified": 1778120451,
-        "narHash": "sha256-yLc5BzIecR3L9lPILImNqRgOqqXCZH902CSBLn/5UJI=",
+        "narHash": "sha256-MUSPD16+hoFBfQWYahtNLN2BIFEAlFFo2KNofrc947g=",
         "owner": "Fission-AI",
         "repo": "OpenSpec",
-        "rev": "0ca74762dc03ee25f8651eaa7c33866170112031",
+        "rev": "053d8a59d587f3c027a06ad80503a6b43d4f2a92",
         "type": "github"
       },
       "original": {
@@ -1316,11 +1316,11 @@
     "skills-anthropic": {
       "flake": false,
       "locked": {
-        "lastModified": 1776964038,
+        "lastModified": 1778286877,
-        "narHash": "sha256-xFsg66TCtKzSgRIW6Ab771FWEIhei3jPgfE4byMiB44=",
+        "narHash": "sha256-jKNYFom6R+Qw7LQ8vFPBe51JpqIP0tTSY8LM4aPlnT4=",
         "owner": "anthropics",
         "repo": "skills",
-        "rev": "5128e1865d670f5d6c9cef000e6dfc4e951fb5b9",
+        "rev": "f458cee31a7577a47ba0c9a101976fa599385174",
         "type": "github"
       },
       "original": {
@@ -1332,11 +1332,11 @@
     "skills-basecamp": {
       "flake": false,
       "locked": {
-        "lastModified": 1777481361,
+        "lastModified": 1777902228,
-        "narHash": "sha256-GJ94Y1n+zR6zpOWjAGFYFWFIFpT1royFJOy2TaQXpzU=",
+        "narHash": "sha256-XDsWpUhFb/gxatRFla07nwoc2y3WwaBLsiDdtCnqx38=",
         "owner": "basecamp",
         "repo": "basecamp-cli",
-        "rev": "59d59b66974d442190b0762129b4f1749adcedf0",
+        "rev": "b56ada1b3d42b42a9422ba39b30a223f9f960231",
         "type": "github"
       },
       "original": {
@@ -1364,11 +1364,11 @@
     "skills-superpowers": {
       "flake": false,
       "locked": {
-        "lastModified": 1776996157,
+        "lastModified": 1777932301,
-        "narHash": "sha256-0WupTacT1jIwVBloj1i0RF7wIllVtP8eMPRl7VrXdbE=",
+        "narHash": "sha256-3E3rO6hR87JUfS3XV1Eaoz6SDWOftleWvN9UPNFEMjw=",
         "owner": "obra",
         "repo": "superpowers",
-        "rev": "6efe32c9e2dd002d0c394e861e0529675d1ab32e",
+        "rev": "f2cbfbefebbfef77321e4c9abc9e949826bea9d7",
         "type": "github"
       },
       "original": {
@@ -1380,11 +1380,11 @@
     "skills-vercel": {
       "flake": false,
       "locked": {
-        "lastModified": 1777394685,
+        "lastModified": 1778275952,
-        "narHash": "sha256-YxCMuTl+pVJ7dXhaL7l9vDw9k2orlG31j7/0pgllMJk=",
+        "narHash": "sha256-RYwgUf173N4lGalTta4HkBR7sdZwuzRoAY6M8JsT+RY=",
         "owner": "vercel-labs",
         "repo": "skills",
-        "rev": "7c0a9af3f8738965b71341712710ac7371089b34",
+        "rev": "c99a72b371b5b4da865f5afa87c5a686f3a46766",
         "type": "github"
       },
       "original": {

flake.nix

@@ -73,7 +73,7 @@
       url = "github:vercel-labs/skills";
       flake = false;
     };
-    hermes-agent.url = "github:NousResearch/hermes-agent/v2026.4.30";
+    hermes-agent.url = "github:NousResearch/hermes-agent/v2026.5.7";
 
     rustfs = {
       url = "github:rustfs/rustfs-flake";
@@ -104,7 +104,7 @@
   in {
     packages =
       forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
-    overlays = builtins.removeAttrs allOverlays ["mkLlmAgentsOverlay"];
+    overlays = removeAttrs allOverlays ["mkLlmAgentsOverlay"];
     lib.mkLlmAgentsOverlay = allOverlays.mkLlmAgentsOverlay;
     homeManagerModules = import ./modules/home-manager;
 

hosts/common/users/m3tam3re.nix

@@ -37,7 +37,7 @@
     # ── Server hosts ──
     m3-atlas = {
       context = "server";
-      sets = ["coding"];
+      sets = [];
     };
     m3-helios = {
       context = "server";
@@ -53,10 +53,13 @@
     };
   };
 
-  profile = hostProfiles.${hostname} or {
+  profile =
-    context = "server";
+    hostProfiles.${
-    sets = [];
+      hostname
-  };
+    } or {
+      context = "server";
+      sets = [];
+    };
   m3ta-lib = inputs.m3ta-home.lib;
 
   # Check if a per-host home.nix exists

hosts/m3-ares/home.nix

@@ -36,35 +36,39 @@ with lib; {
       };
     }
 
-    # ── Hyprland monitor layout ──
+    # ── Hyprland monitor layout & host-specific rules ──
     (mkIf config.desktop.wm.hyprland.enable {
       wayland.windowManager.hyprland = {
         enable = true;
         settings = {
-          exec-once = ["tuxedo-backlight"];
+          # Laptop internal + external HDMI
           monitor = [
-            "eDP-1,preferred,0x0,1.25"
+            { output = "eDP-1";     mode = "preferred";       position = "0x0";     scale = 1.25; }
-            "HDMI-A-1,1920x1080@120,2560x0,1"
+            { output = "HDMI-A-1";  mode = "1920x1080@120";   position = "2560x0";  scale = 1; }
           ];
-          workspace = [
+          workspace_rule = [
-            "1, monitor:eDP-1, default:true"
+            { workspace = 1; monitor = "eDP-1";    default = true; }
-            "2, monitor:eDP-1"
+            { workspace = 2; monitor = "eDP-1"; }
-            "3, monitor:eDP-1"
+            { workspace = 3; monitor = "eDP-1"; }
-            "4, monitor:HDMI-A-1"
+            { workspace = 4; monitor = "HDMI-A-1"; }
-            "5, monitor:HDMI-A-1,border:false,rounding:false"
+            { workspace = 5; monitor = "HDMI-A-1"; border = false; rounding = false; }
-            "6, monitor:HDMI-A-1"
+            { workspace = 6; monitor = "HDMI-A-1"; }
           ];
-          windowrule = [
+          window_rule = [
-            "match:class dev.zed.Zed, workspace 1"
+            { match = { class = "dev.zed.Zed" };            workspace = "1"; }
-            "match:class Msty, workspace 1"
+            { match = { class = "Msty" };                    workspace = "1"; }
-            "match:class ^(com.obsproject.Studio)$, workspace 2"
+            { match = { class = "^com.obsproject.Studio$" }; workspace = "2"; }
-            "match:class ^(brave-browser)$, workspace 4, opacity 1.0"
+            { match = { class = "^(brave-browser)$" };      workspace = "4"; opacity = 1.0; }
-            "match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
+            { match = { class = "^(vivaldi-stable)$" };     workspace = "4"; opacity = 1.0; }
-            "match:class ^steam_app_\\d+$, fullscreen on"
+            { match = { class = "^steam_app_\\d+$" };       fullscreen = true; workspace = "5"; idle_inhibit = "focus"; }
-            "match:class ^steam_app_\\d+$, workspace 5"
-            "match:class ^steam_app_\\d+$, idle_inhibit focus"
           ];
         };
+        extraConfig = mkAfter ''
+          -- Host startup: TUXEDO backlight
+          hl.on("hyprland.start", function()
+            hl.exec_cmd("tuxedo-backlight")
+          end)
+        '';
       };
     })
   ];

hosts/m3-atlas/services/hermes-agent.nix

@@ -1,191 +0,0 @@
-{config, ...}: let
-  # Default ElevenLabs voice: Bella (German-capable female)
-  elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
-in {
-  services.hermes-agent = {
-    enable = true;
-    addToSystemPackages = true;
-
-    # Secrets via agenix
-    environmentFiles = [config.age.secrets."hermes-env".path];
-
-    # Non-secret environment variables
-    environment = {
-      #
-    };
-
-    # ── Container mode (podman) ──────────────────────────────────────────
-    container = {
-      enable = true;
-      backend = "podman";
-    };
-
-    settings = {
-      # ── Model ──────────────────────────────────────────────────────────
-      model = {
-        default = "glm-5.1";
-        provider = "zai";
-        base_url = "https://api.z.ai/api/coding/paas/v4/";
-      };
-
-      credential_pool_strategies = {
-        zai = "fill_first";
-      };
-
-      toolsets = ["all"];
-
-      # ── Agent ──────────────────────────────────────────────────────────
-      agent = {
-        max_turns = 90;
-        gateway_timeout = 1800;
-        tool_use_enforcement = "auto";
-      };
-
-      # ── Terminal ───────────────────────────────────────────────────────
-      terminal = {
-        backend = "local";
-        modal_mode = "auto";
-        cwd = ".";
-        timeout = 180;
-        persistent_shell = true;
-      };
-
-      # ── Browser ────────────────────────────────────────────────────────
-      browser = {
-        inactivity_timeout = 120;
-        command_timeout = 30;
-        cloud_provider = "local";
-      };
-
-      # ── Checkpoints / Compression ──────────────────────────────────────
-      checkpoints = {
-        enabled = true;
-        max_snapshots = 50;
-      };
-
-      file_read_max_chars = 100000;
-
-      compression = {
-        enabled = true;
-        threshold = 0.5;
-        target_ratio = 0.2;
-        protect_last_n = 20;
-      };
-
-      # ── Display ────────────────────────────────────────────────────────
-      display = {
-        compact = false;
-        personality = "kawaii";
-        resume_display = "full";
-        busy_input_mode = "interrupt";
-        inline_diffs = true;
-        skin = "default";
-        tool_progress = "all";
-      };
-
-      # ── TTS / STT / Voice ──────────────────────────────────────────────
-      tts = {
-        provider = "elevenlabs";
-        elevenlabs = {
-          voice_id = elevenlabsVoiceId;
-          model_id = "eleven_multilingual_v2";
-        };
-      };
-
-      stt = {
-        enabled = true;
-        provider = "local";
-        local = {model = "base";};
-      };
-
-      voice = {
-        record_key = "ctrl+b";
-        max_recording_seconds = 120;
-        silence_threshold = 200;
-        silence_duration = 3.0;
-      };
-
-      # ── Memory ─────────────────────────────────────────────────────────
-      memory = {
-        memory_enabled = true;
-        user_profile_enabled = true;
-        memory_char_limit = 2200;
-        user_char_limit = 1375;
-      };
-
-      # ── Delegation ─────────────────────────────────────────────────────
-      delegation = {
-        max_iterations = 50;
-      };
-
-      # ── Discord ────────────────────────────────────────────────────────
-      discord = {
-        require_mention = true;
-        auto_thread = true;
-        reactions = true;
-      };
-
-      # ── Approvals / Security ───────────────────────────────────────────
-      approvals = {
-        mode = "manual";
-        timeout = 60;
-      };
-
-      security = {
-        redact_secrets = true;
-        tirith_enabled = true;
-        tirith_fail_open = true;
-      };
-
-      # ── Cron / Session ─────────────────────────────────────────────────
-      cron = {wrap_response = true;};
-
-      session_reset = {
-        mode = "both";
-        idle_minutes = 1440;
-        at_hour = 4;
-      };
-
-      # ── Web ────────────────────────────────────────────────────────────
-      web = {backend = "exa";};
-
-      # ── Platform Toolsets ──────────────────────────────────────────────
-      platform_toolsets = {
-        cli = [
-          "browser"
-          "clarify"
-          "code_execution"
-          "cronjob"
-          "delegation"
-          "file"
-          "image_gen"
-          "memory"
-          "session_search"
-          "skills"
-          "terminal"
-          "todo"
-          "tts"
-          "vision"
-          "web"
-        ];
-        telegram = [
-          "browser"
-          "clarify"
-          "code_execution"
-          "cronjob"
-          "delegation"
-          "file"
-          "image_gen"
-          "memory"
-          "session_search"
-          "skills"
-          "terminal"
-          "todo"
-          "tts"
-          "vision"
-          "web"
-        ];
-      };
-    };
-  };
-}

hosts/m3-atlas/services/traefik.nix

@@ -43,6 +43,12 @@
     dynamicConfigOptions = {
       http = {
         services = {
+          # ── Hermes Dashboard (m3-hermes over Netbird) ────────────────
+          hermes-dashboard = {
+            loadBalancer.servers = [
+              {url = "http://100.81.231.152:9119";}
+            ];
+          };
           dummy = {
             loadBalancer.servers = [
               {url = "http://192.168.0.1";} # Diese URL wird nie verwendet
@@ -79,6 +85,15 @@
         };
 
         routers = {
+          # ── Hermes Dashboard — Netbird mesh only ─────────────────────
+          hermes-dashboard = {
+            rule = "Host(`dash.m3ta.dev`)";
+            service = "hermes-dashboard";
+            entrypoints = ["websecure"];
+            tls = {
+              certResolver = "godaddy";
+            };
+          };
           api = {
             rule = "Host(`r.m3tam3re.com`)";
             service = "api@internal";

hosts/m3-hermes/secrets.nix

@@ -7,6 +7,9 @@
       hermes-cloud-env = {
         file = ../../secrets/hermes-cloud-env.age;
       };
+      hermes-api-server-key = {
+        file = ../../secrets/hermes-api-server-key.age;
+      };
     };
   };
 }

hosts/m3-hermes/services/default.nix

@@ -1,5 +1,7 @@
 {
   imports = [
     ./hermes-agent.nix
+    ./hermes-dashboard.nix
+    ./netbird.nix
   ];
 }

hosts/m3-hermes/services/hermes-agent.nix

@@ -11,11 +11,12 @@
   # matrix-nio is installed via pip in /home/hermes/.venv but the hermes
   # process uses the read-only Nix store Python, so we inject the venv's
   # site-packages via PYTHONPATH and provide libstdc++ for libolm (e2e).
-  venvSitePackages = "/home/hermes/.venv/lib/python3.11/site-packages";
+  # NOTE: v0.13.0 upgraded to Python 3.12 — path updated accordingly.
+  venvSitePackages = "/home/hermes/.venv/lib/python3.12/site-packages";
   gccLibPath = "${pkgs.stdenv.cc.cc.lib}/lib";
 
   # Build skills using agents flake lib for hermes user
-  hermesSkills = inputs.agents.lib.mkOpencodeSkills {
+  hermesSkills = inputs.agents.lib.mkSkills {
     inherit pkgs;
     customSkills = "${inputs.agents}/skills";
     externalSkills = [
@@ -48,13 +49,6 @@ in {
           user: m3ta-chiron
           default: true
     ''}"
-    "f /home/hermes/.gitconfig 0644 hermes hermes - ${pkgs.writeText "gitconfig" ''
-      [user]
-        name = m3ta-chiron
-        email = m3ta-chiron@agentmail.to
-      [init]
-        defaultBranch = main
-    ''}"
   ];
 
   systemd.services.copy-hermes-skills = {
@@ -78,21 +72,40 @@ in {
     enable = true;
     addToSystemPackages = true;
 
-    extraPackages = with pkgs; [docker git tea];
+    extraPackages = with pkgs; [
+      docker
+      git
+      tea
+      nix
+      zellij
+    ];
 
     # Secrets via agenix
     environmentFiles = [
       config.age.secrets."hermes-env".path
       config.age.secrets."hermes-cloud-env".path
+      config.age.secrets."hermes-api-server-key".path
     ];
 
     # Non-secret environment variables
+    # Git identity is set entirely via env vars (GIT_AUTHOR_*, GIT_COMMITTER_*,
+    # GIT_INIT_DEFAULT_BRANCH) — no .gitconfig file needed. Env vars take
+    # precedence over any gitconfig, and the hermes gateway injects them into
+    # all terminal sessions via .env.
     environment = {
       GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/";
       GIT_AUTHOR_NAME = "m3ta-chiron";
       GIT_AUTHOR_EMAIL = "m3ta-chiron@agentmail.to";
       GIT_COMMITTER_NAME = "m3ta-chiron";
       GIT_COMMITTER_EMAIL = "m3ta-chiron@agentmail.to";
+      GIT_INIT_DEFAULT_BRANCH = "master";
+
+      # ── API Server (OpenAI-compatible, for Hermes Desktop App) ─────────
+      # Accessible via Netbird mesh VPN — not exposed to the public internet.
+      # Bind to 0.0.0.0 so the Netbird interface can reach it.
+      API_SERVER_ENABLED = "true";
+      API_SERVER_HOST = "0.0.0.0";
+      API_SERVER_PORT = "8642";
     };
 
     # ── Container mode (podman) ──────────────────────────────────────────
@@ -152,7 +165,8 @@ in {
         cloud_provider = "local";
       };
 
-      # ── Checkpoints / Compression ──────────────────────────────────────
+      # ── Checkpoints v2 ─────────────────────────────────────────────────
+      # v0.13.0: Single-store rewrite with real pruning + disk guardrails.
       checkpoints = {
         enabled = true;
         max_snapshots = 50;
@@ -215,12 +229,24 @@ in {
         max_spawn_depth = 2;
       };
 
+      # ── Kanban (v0.13.0 — Multi-Agent Board) ──────────────────────────
+      # Durable task board with embedded dispatcher in gateway process.
+      # Workers are full OS processes with identity, heartbeat, reclaim,
+      # zombie detection, and hallucination gate.
+      kanban = {
+        dispatch_in_gateway = true;
+        dispatch_interval_seconds = 60;
+      };
+
       # ── Matrix ────────────────────────────────────────────────────────
       matrix = {
         homeserver = "https://matrix.m3ta.dev";
         user_id = "@chiron:m3ta.dev";
         allowed_users = ["@m3tam3re:m3ta.dev"];
         encryption = true;
+        group_sessions_per_user = true;
+        auto_thread = true;
+        dm_mention_threads = true;
       };
 
       # ── Approvals / Security ───────────────────────────────────────────

hosts/m3-hermes/services/hermes-dashboard.nix

@@ -0,0 +1,65 @@
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}: let
+  # Netbird mesh VPN range — dashboard only accessible from mesh peers.
+  # m3-atlas Traefik proxies to this port over Netbird.
+  netbirdRange = "100.64.0.0/16";
+
+  # Reference the hermes-agent package from the running service config
+  hermesPkg = config.services.hermes-agent.package or (inputs.hermes-agent.packages.${pkgs.stdenv.hostPlatform.system}.default or pkgs.hermes-agent);
+in {
+  # ── Hermes Dashboard systemd service ───────────────────────────────────
+  # Web UI for managing Hermes Agent — sessions, config, kanban, cron, etc.
+  #
+  # Flow: Browser → dash.m3ta.dev (TLS via m3-atlas Traefik) → Netbird → :9119
+  #
+  # --insecure is required to bind 0.0.0.0 (hermes refuses non-localhost otherwise).
+  # Safe because firewall restricts port 9119 to Netbird mesh only.
+  systemd.services.hermes-dashboard = {
+    description = "Hermes Agent Web Dashboard";
+    after = ["network.target" "hermes-agent.service"];
+    wants = ["hermes-agent.service"];
+    wantedBy = ["multi-user.target"];
+
+    serviceConfig = {
+      Type = "simple";
+      User = "hermes";
+      Group = "hermes";
+
+      ExecStart = "${hermesPkg}/bin/hermes dashboard --host 0.0.0.0 --port 9119 --no-open --insecure";
+
+      # Environment matching the hermes-agent service
+      Environment = [
+        "HERMES_HOME=/var/lib/hermes/.hermes"
+        "HERMES_MANAGED=true"
+        "HOME=/var/lib/hermes"
+      ];
+
+      # Security hardening (matching hermes-agent service pattern)
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      ReadWritePaths = ["/var/lib/hermes" "/tmp"];
+      PrivateTmp = true;
+
+      # Restart policy
+      Restart = "on-failure";
+      RestartSec = 5;
+    };
+  };
+
+  # ── Firewall: Dashboard only from Netbird mesh ─────────────────────────
+  networking.firewall = {
+    extraCommands = ''
+      # Allow Hermes Dashboard (9119/tcp) only from Netbird mesh VPN
+      ip46tables -A nixos-fw -p tcp --dport 9119 -s ${netbirdRange} -j nixos-fw-accept
+    '';
+
+    extraStopCommands = ''
+      ip46tables -D nixos-fw -p tcp --dport 9119 -s ${netbirdRange} -j nixos-fw-accept 2>/dev/null || true
+    '';
+  };
+}

hosts/m3-hermes/services/netbird.nix

@@ -0,0 +1,29 @@
+{pkgs, ...}: {
+  services.netbird.enable = true;
+
+  systemd.services.netbird = {
+    environment = {
+      NB_DISABLE_SSH_CONFIG = "true";
+      NB_USE_LEGACY_ROUTING = "true";
+    };
+    path = [
+      pkgs.shadow
+      pkgs.util-linux
+    ];
+  };
+
+  programs.ssh.extraConfig = ''
+    Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
+        PreferredAuthentications password,publickey,keyboard-interactive
+        PasswordAuthentication yes
+        PubkeyAuthentication yes
+        BatchMode no
+        ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
+        StrictHostKeyChecking no
+        UserKnownHostsFile /dev/null
+        CheckHostIP no
+        LogLevel ERROR
+  '';
+
+  networking.firewall.checkReversePath = "loose";
+}

hosts/m3-kratos/configuration.nix

@@ -10,7 +10,7 @@
   # Use the systemd-boot EFI boot loader.
   boot.supportedFilesystems = ["zfs"];
   boot.zfs.package = pkgs.zfs_unstable;
-  boot.zfs.forceImportAll = true;
+  boot.zfs.forceImportAll = false;
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.initrd.kernelModules = ["amdgpu"];

hosts/m3-kratos/home.nix

@@ -36,31 +36,32 @@ with lib; {
       };
     }
 
-    # ── Hyprland monitor layout ──
+    # ── Hyprland monitor layout & host-specific rules ──
     (mkIf config.desktop.wm.hyprland.enable {
       wayland.windowManager.hyprland = {
         enable = true;
         settings = {
+          # Dual monitor: DP-1 left, DP-2 right
           monitor = [
-            "DP-1,2560x1440@144,0x0,1"
+            { output = "DP-1"; mode = "2560x1440@144"; position = "0x0";     scale = 1; }
-            "DP-2,2560x1440@144,2560x0,1"
+            { output = "DP-2"; mode = "2560x1440@144"; position = "2560x0";  scale = 1; }
           ];
-          workspace = [
+          workspace_rule = [
-            "1, monitor:DP-1, default:true"
+            { workspace = 1; monitor = "DP-1"; default = true; }
-            "2, monitor:DP-1"
+            { workspace = 2; monitor = "DP-1"; }
-            "3, monitor:DP-1"
+            { workspace = 3; monitor = "DP-1"; }
-            "4, monitor:DP-2"
+            { workspace = 4; monitor = "DP-2"; }
-            "5, monitor:DP-2"
+            { workspace = 5; monitor = "DP-2"; }
-            "6, monitor:DP-2"
+            { workspace = 6; monitor = "DP-2"; }
-            "7, monitor:DP-2"
+            { workspace = 7; monitor = "DP-2"; }
           ];
-          windowrule = [
+          window_rule = [
-            "match:class dev.zed.Zed, workspace 1"
+            { match = { class = "dev.zed.Zed" };            workspace = "1"; }
-            "match:class Msty, workspace 1"
+            { match = { class = "Msty" };                    workspace = "1"; }
-            "match:class ^(com.obsproject.Studio)$, workspace 2"
+            { match = { class = "^com.obsproject.Studio$" }; workspace = "2"; }
-            "match:class ^(brave-browser)$, workspace 4, opacity 1.0"
+            { match = { class = "^(brave-browser)$" };      workspace = "4"; opacity = 1.0; }
-            "match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
+            { match = { class = "^(vivaldi-stable)$" };     workspace = "4"; opacity = 1.0; }
-            "match:class ^steam_app_\\d+$, idle_inhibit focus"
+            { match = { class = "^steam_app_\\d+$" };       idle_inhibit = "focus"; }
           ];
         };
       };

hosts/m3-kratos/services/default.nix

@@ -1,7 +1,6 @@
 {pkgs, ...}: {
   imports = [
     ./containers
-    ./hermes-agent.nix
     ./mem0.nix
     # ./n8n.nix
     ./netbird.nix

hosts/m3-kratos/services/hermes-agent.nix

@@ -1,184 +0,0 @@
-{config, ...}: let
-  # Default ElevenLabs voice: Bella (German-capable female)
-  elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
-in {
-  services.hermes-agent = {
-    enable = true;
-    addToSystemPackages = true;
-
-    # Secrets via agenix
-    environmentFiles = [config.age.secrets."hermes-env".path];
-
-    # Non-secret environment variables
-    environment = {
-      GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/";
-    };
-
-    settings = {
-      # ── Model ──────────────────────────────────────────────────────────
-      model = {
-        default = "glm-5.1";
-        provider = "zai";
-      };
-
-      credential_pool_strategies = {
-        zai = "fill_first";
-      };
-
-      toolsets = ["all"];
-
-      # ── Agent ──────────────────────────────────────────────────────────
-      agent = {
-        max_turns = 90;
-        gateway_timeout = 1800;
-        tool_use_enforcement = "auto";
-      };
-
-      # ── Terminal ───────────────────────────────────────────────────────
-      terminal = {
-        backend = "ssh";
-        modal_mode = "auto";
-        cwd = ".";
-        timeout = 180;
-        persistent_shell = true;
-      };
-
-      # ── Browser ────────────────────────────────────────────────────────
-      browser = {
-        inactivity_timeout = 120;
-        command_timeout = 30;
-        cloud_provider = "local";
-      };
-
-      # ── Checkpoints / Compression ──────────────────────────────────────
-      checkpoints = {
-        enabled = true;
-        max_snapshots = 50;
-      };
-
-      file_read_max_chars = 100000;
-
-      compression = {
-        enabled = true;
-        threshold = 0.5;
-        target_ratio = 0.2;
-        protect_last_n = 20;
-      };
-
-      # ── Display ────────────────────────────────────────────────────────
-      display = {
-        compact = false;
-        personality = "kawaii";
-        resume_display = "full";
-        busy_input_mode = "interrupt";
-        inline_diffs = true;
-        skin = "default";
-        tool_progress = "all";
-      };
-
-      # ── TTS / STT / Voice ──────────────────────────────────────────────
-      tts = {
-        provider = "elevenlabs";
-        elevenlabs = {
-          voice_id = elevenlabsVoiceId;
-          model_id = "eleven_multilingual_v2";
-        };
-      };
-
-      stt = {
-        enabled = true;
-        provider = "local";
-        local = {model = "base";};
-      };
-
-      voice = {
-        record_key = "ctrl+b";
-        max_recording_seconds = 120;
-        silence_threshold = 200;
-        silence_duration = 3.0;
-      };
-
-      # ── Memory ─────────────────────────────────────────────────────────
-      memory = {
-        memory_enabled = true;
-        user_profile_enabled = true;
-        memory_char_limit = 2200;
-        user_char_limit = 1375;
-      };
-
-      # ── Delegation ─────────────────────────────────────────────────────
-      delegation = {
-        max_iterations = 50;
-      };
-
-      # ── Discord ────────────────────────────────────────────────────────
-      discord = {
-        require_mention = true;
-        auto_thread = true;
-        reactions = true;
-      };
-
-      # ── Approvals / Security ───────────────────────────────────────────
-      approvals = {
-        mode = "manual";
-        timeout = 60;
-      };
-
-      security = {
-        redact_secrets = true;
-        tirith_enabled = true;
-        tirith_fail_open = true;
-      };
-
-      # ── Cron / Session ─────────────────────────────────────────────────
-      cron = {wrap_response = true;};
-
-      session_reset = {
-        mode = "both";
-        idle_minutes = 1440;
-        at_hour = 4;
-      };
-
-      # ── Web ────────────────────────────────────────────────────────────
-      web = {backend = "exa";};
-
-      # ── Platform Toolsets ──────────────────────────────────────────────
-      platform_toolsets = {
-        cli = [
-          "browser"
-          "clarify"
-          "code_execution"
-          "cronjob"
-          "delegation"
-          "file"
-          "image_gen"
-          "memory"
-          "session_search"
-          "skills"
-          "terminal"
-          "todo"
-          "tts"
-          "vision"
-          "web"
-        ];
-        telegram = [
-          "browser"
-          "clarify"
-          "code_execution"
-          "cronjob"
-          "delegation"
-          "file"
-          "image_gen"
-          "memory"
-          "session_search"
-          "skills"
-          "terminal"
-          "todo"
-          "tts"
-          "vision"
-          "web"
-        ];
-      };
-    };
-  };
-}

issues.jsonl

@@ -1,3 +1,3 @@
 {"id":"home-profile-restructuring-edz","title":"Create copy-hermes-skills systemd service","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:44:42Z","started_at":"2026-04-26T12:36:30Z","closed_at":"2026-04-26T12:44:42Z","close_reason":"Created systemd service in hosts/m3-hermes/services/hermes-agent.nix - copies skills to /var/lib/hermes/.agents/skills before hermes-agent starts","labels":["hermes-agent","nixos"],"dependencies":[{"issue_id":"home-profile-restructuring-edz","depends_on_id":"home-profile-restructuring-ycz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":1,"comment_count":0}
-{"id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkOpencodeSkills","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkOpencodeSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0}
+{"id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkSkills","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0}
 {"id":"home-profile-restructuring-cxa","title":"Verify skills available at /var/lib/hermes/.agents/skills","status":"closed","priority":2,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:50:58Z","started_at":"2026-04-26T12:38:15Z","closed_at":"2026-04-26T12:50:58Z","close_reason":"Manually verified - skills are present at /var/lib/hermes/.agents/skills on m3-hermes","labels":["hermes-agent","testing"],"dependencies":[{"issue_id":"home-profile-restructuring-cxa","depends_on_id":"home-profile-restructuring-edz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":0,"comment_count":0}

secrets.nix

@@ -52,6 +52,7 @@ in {
   "secrets/honcho-key.age".publicKeys = systems ++ users;
   "secrets/hermes-env.age".publicKeys = systems ++ users;
   "secrets/hermes-cloud-env.age".publicKeys = systems ++ users;
+  "secrets/hermes-api-server-key.age".publicKeys = systems ++ users;
   "secrets/hermes-gitea-token.age".publicKeys = systems ++ users;
   "secrets/tuwunel-registration-token.age".publicKeys = systems ++ users;
 }

secrets/hermes-api-server-key.age

@@ -0,0 +1,26 @@
+age-encryption.org/v1
+-> ssh-ed25519 4NLKrw 2TwbZwX9SwWg4SVC0A2ICmyRjSfO+xtfBcBOK1lh3T4
+DSf4DrOAvW7L49lh6cq5IqrMM7gqXv2+67rR3ttn+CE
+-> ssh-ed25519 5kwcsA K1hqFOAxq2T+oLp3bQjLYpXtlQVkA7RHCM/8ETMGbwU
+xIE4xz50LB5vbDTTLKVcx9vC2iXIsRLThHYYxGjcJyY
+-> ssh-ed25519 9d4YIQ bXYb62OM/N+EXpMOZZ6zEbpfaH10Vz62PuUdGODXolw
+j64kKzOn8CmSnykEuWnXHZ0nfqwOfOxX4FPR4GSouR0
+-> ssh-ed25519 3Bcr1w C4alN6ud7q0K4I7NHuBgC77D6zeTfZVGjNS3EKpvL00
+NpjOsg3eJ5LvX0lV7NYuVHLeqeYylHdmw60H+KeG1GY
+-> ssh-ed25519 c4NQlA In5wsg4+LTIEbP75B83GMXPCItSPGwKWUW8QO+QjXyY
+oK1kikhr4RMq6QMv9kjNjiKrf5srlGh7hGbU2qns2rM
+-> ssh-rsa DQlE7w
+tcP4yPgGWqHYeE1gw/KD6cswik+9WU2s2f7hg5mK78085sQ7npXRsBVAz2OCRn07
+foeAAmnY4YmKriBh421JOVNBDOXHR5dfaIKY9b663L+rYj99ic0rfW26C+dqKitF
+SnvveL3Zf16nqg6duSVA7LIcIFgkIlA+RXnHPVho+P4GwEH7W8nCf/4kUquuhB7B
+F4Hx1qOknmGyNBJBFi27D04ZDDk/ZVxioYsO6P6TUu7MuaGmQCoVKREDl5RRh4zO
+XD8/TFDRsJLqqcbCKIlU+6CN1+L0r4FN4K0UaTjwPNzGvn5EEjBKw9RpOhdvI28I
+WlAQ+w6gdQiz9Ju4e5p7Doz2MbNb6894DimawHjzl968Xy5ifX2XA+FBdcW5hU9A
+u+7VXKZmbfMyvRA7lmKRoi4SurJAyQd6iXBrVKfTwFc53V/tJi48bsKcE3yXxHH+
+lKGuZFNGDDkqCruycjvz94WaIHy3fv5hhmBdgwoCZK1VGSLAnwdm1rG4B9m3t/K8
+
+-> ssh-ed25519 CSMyhg FNYYdEIJYcxkjMuM5lnIs9gIilvgD44uazZE8CjNeho
+QHeghlsOOlYNMwhMHT4o7DeuyxGP/3wyqm94HUHjn44
+--- zRG6aCTS+X18VpeN+tz38kaUoilk1kN5KrWTWYZ6pV4
+ræX_qÔÁ’Ð껿H#p¯f™”}(žA(ã|»?ë0ªyJk¥SD‡\Jm&uõÃ&Ô9€ýÄ5Ù+çÊ…!v%Y˜ù~ãÁ$û“šZÇÓ°j„z–Â\ßá1,Vf˜
+£’æ1zª»#Ó

secrets/rustfs-access-key.age

@@ -1 +1,31 @@
-PLACEHOLDER
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDROTEtydyBnRjhF
+SHhTS2YrOHF1OWM1Zm04elkzVWpST0hhN0RhOWZBZGpBYmNTVnk4Cm9SMm5NcWdV
+Rnh0TVpqTlFSaGtaMnBrSGorUEhDd1RibWs1VUt5RGtqaVEKLT4gc3NoLWVkMjU1
+MTkgNWt3Y3NBIFV5OWhMU204L25nR3ZLOWl1a1ppZkUvcTNJTDhlNmE3eXpJMjRL
+NWdsWDQKNGhVYUhwRWRndjFYVEVIT3N2WE1WVncyV1Q1Q1BoNkhraVU5Q2s4UmtB
+OAotPiBzc2gtZWQyNTUxOSA5ZDRZSVEgVkRwdGtHVTlTMUVMOFZrdUNHZHc5UWo3
+WWtRaXJPY0p2QWZOUEtjWDVCYwpYQmh3ejdLOWdmM3dZbWJuRU1EYlRYZ2tJL3VY
+OURUKzhRY2dtcVRQZnBnCi0+IHNzaC1lZDI1NTE5IDNCY3IxdyAyOFI4YllyWlox
+V09BbERmRm4yd1Y5dlh0UGphK05DMGpsWXJQTmwrVlRVCjdqNE4yVHFKWFV3NXlr
+bm40M1BpNGNNNDdJOXMyak5EUWdMa0hrb3lJY3cKLT4gc3NoLWVkMjU1MTkgYzRO
+UWxBICsxb3poQit6VGRtWmZXUWUxMmRGWUN6RGVOeUxEZjdvZldTTE5XSFpDRVkK
+bFNWLzFpazJLM0Q2R0NKU2FaS25ldEQ1RUZQM2RpektaT1NhRnJtS0JFcwotPiBz
+c2gtcnNhIERRbEU3dwpFMVdKYnhiTWF4MCtJMFNHVGtOZGNBdlVDYWRRR252dVd6
+NW1vNFRtbENLbHB2cHo1aE43M3RiZGh1QkVQVzBECjlvRnhYbjlpWWFFTEFFc1cw
+NjFVSENsVWJHdWdGV3ZEY2tOcXkvUm9SSFE4VWw5eHVUSnV6SmxCRU9TNUdpRjMK
+aGNhdHcvay85N0ZQNksydEhkcXNkc0h6dkRMRXlzUCtNNGM1V2tXb28wQ05valBH
+TUdJa3V1bEdYRUZveFNwbwpIbWRnZmtQMDREd08rRkx3OERwRVZZNVlnSXlNNlFH
+SkFoQWVEN1NzL0lqeVkvZllPdUkvbWZkU2NxNjQyYTIvCnJ4QmZ1SlpGNkp3UXFD
+SUdFMFY5RWVadTd5QmM1U2tIZ3dLQ2ZZKzF0WTE3K09aN3FYWUVBYkErVlNpblNU
+QzgKNENEZStFeitaYmE5Q1MyQ0lWSFlZb2hJdlBVNkhUUjBFWkxsWmZqdHNYb3Fk
+VVJMMzg2V2xWdnNCNndGSWdpbAoyUHZ1WXR5UG04ZmZOdVluU2J6VUhKZ0xMZ0lS
+R3YrY3RIRHJCby8yVWxIMWpGNWlJK1h4eXdRUXExT3pleWc3CnRmQVl1Yk1IUUFJ
+blNoUGxVUUlVOG9FSE5CMDVidmZhSWJmWTFsY0lFcWpZU213cmcxNzFvb29XaklC
+MnhpSkwKCi0+IHNzaC1lZDI1NTE5IENTTXloZyBOMDNYdGlvL3Y5QUp2YlNlUDZu
+RXFyTkFWbFFsN1oweEErSS9Ccmh0WmwwClpzTWw1aXNqVXdaTVFrTTJ6Y0FWbVpR
+TXk4cTNUUElkeGF1VUZ0U3RWcEEKLT4gTyUkcSZASGstZ3JlYXNlCnYwSGdsbE5h
+d2JLOAotLS0gcjB3WU1rNDhBY1VxalpBNVJRSTJFZ0NhWEZlSW15UHphMnRHTjBj
+aGptRQpiZ/2f41GnSHdg+EXeRwxHOHc/RNfEwlKhEB/Weq8tQ2Xf/jJ21WiWsTIm
+g7Sq9EO6JyYMTJ/qlccpytfkU/qkouyR+z3prQcP7NWTcg==
+-----END AGE ENCRYPTED FILE-----

secrets/rustfs-secret-key.age

@@ -1 +1,32 @@
-PLACEHOLDER
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDROTEtydyBQd3FZ
+dUFYOFhoUGdBejZKYjRnVmNvYU85LzdJS1lVZFNRS3pTeS9hT0c4Cndwc3pHdStQ
+N1QvU0NSbGJhNEJCOE83eThhSFBrbDJPU0tDbmhIM3lwcjQKLT4gc3NoLWVkMjU1
+MTkgNWt3Y3NBIHdaS3UvRUdFb3pITmZGdTNEaUtXdnlUMWFuNk5ZcFV0VVIwNllN
+S2c5Rm8KV0x3Z2NjcUdLWmFEUExDT2EwbjFhQ2Y2TXNoaUc1d052RnJmM3VOSDVr
+VQotPiBzc2gtZWQyNTUxOSA5ZDRZSVEgOG1URGlNekltV0YyQ2Y2NFdPL2tSWDlG
+UnNLc2wrSllNWFd6aU9LWGN3YwpXUEthT3NNVHZJMUJndiswUVNFNWZjZnBDS3ZH
+dXBJV1FSNEpPRGxQd0JrCi0+IHNzaC1lZDI1NTE5IDNCY3IxdyAvSTlFMitYZFVQ
+ZER6ZDI5OEorTE5TRTdlcllPSmpkUjU5SkV2N0xQY1JBCmJPNFN5NEovdHBVVDRl
+T0czS0g2dEgyTXhIMmtJVFRONDQ3enpLbFhJT3MKLT4gc3NoLWVkMjU1MTkgYzRO
+UWxBIDBUV2RYajBTMkZ4WnV4ZUVCeHFZay9vRGR2dkcxaXBPOWxsZ05IZm1KVDAK
+am56blp1ajlzc0NSYjY5NFdGNlNzQ0NNQzZPeVRtWTc1Z0lEYzc2TGNFMAotPiBz
+c2gtcnNhIERRbEU3dwpOMGowMWFoRzhsTGp0U0RqeHUyckZvQU9EVkQxUXE1b0U0
+N2hPU2NZY2huNm5kREg5SExCZGYzaTUwdWs4MjlsCjhONjVOWnZDZjFRU2k2K2Uz
+dnVmWVd5MCt6bFk4UVU3UEdsWXZMOHlZMktzWWR4SFJ6Vzh4dDFpYWNYRVQ2UmsK
+aW5iODV0WDYyQWN4K1ROZUVjdE40MGlxZDlXdnZVRVZBc04zdVRaOE9RTUJPUWxa
+YnJjZEg3OGcxNHVEVkR0MgpGUWh6NHV4WTcxUEZwUU52QkdsOE5hZy9XWFpjQUFP
+bDZzUjd3ZXFTTmpDN3ViZ0dpL3BOTFpBL3k2aUs3Qm9HCkVDeXZ2M0dQcWJwaXdm
+N2E1R2pjcWY2V1dYaEFNMVc3MG9ndDRLd0tVdkxHSUxwL2REazE2Unc1Z3JjUHJh
+NDgKamVqZjdkU0hCTVhqcjRsL1NtYkxxd3BId0lsRTRRUTNrZ05mcE1ZRkFSUlBW
+VVdkd2VSNzJMQVJEM2QyVkMzSQoxRGVOOUtzdGVOMTBLVk8zN2xjT3lvYm0vSXpQ
+VElTaS84SUxIekVybGYxV0ttZldVWHhyVVEvdzRFK3RibVFGCjV3bzltRjFTb0pu
+bGJQaTJ1Mlgxd0hNN2VvS0p3eDd4WHNkaTkwV3MwWTdLWUxnNzJjLzBBZzZsck5h
+Zk1UUDcKCi0+IHNzaC1lZDI1NTE5IENTTXloZyByQ1cwWm50UTY1bkp2NWZFeFVU
+T0htZDFWUUFsdlBSOVVNY3RTZnNwdjE0CjBySlExb1dnTGJKZy9MT25Oa2hZdDJZ
+Um9PZWlpOVA5bTBRM2wvVHJJaG8KLT4gWS1ncmVhc2UgWydtCnF4dzJjR2luMHBS
+S2p3bUE2bVl2R2FaQ2hRK3greGMKLS0tIDhSdFFGaGlGRVV2VFZKcTNWYnNtbUQr
+blprSjUyMjJwQkhBbVBCTmVhQ0kKUITtRYOYPDGGQlKrEp/JVUP8jTcptZxVaVcd
+AmxviaG76EuXQeK/VgrGKoi+bZwHbpCbXBT2H8DBuSPgXdG3aQDQn2QgZylMnhmM
+wzU=
+-----END AGE ENCRYPTED FILE-----