Merge pull request 'fix: remove dead .gitconfig, use GIT_INIT_DEFAULT_BRANCH env var' (#17) from fix/gitconfig-cleanup into master

Reviewed-on: #17

.beads/issues.jsonl

@@ -1,3 +1,3 @@
 {"_type":"issue","id":"home-profile-restructuring-edz","title":"Create copy-hermes-skills systemd service","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:44:42Z","started_at":"2026-04-26T12:36:30Z","closed_at":"2026-04-26T12:44:42Z","close_reason":"Created systemd service in hosts/m3-hermes/services/hermes-agent.nix - copies skills to /var/lib/hermes/.agents/skills before hermes-agent starts","labels":["hermes-agent","nixos"],"dependencies":[{"issue_id":"home-profile-restructuring-edz","depends_on_id":"home-profile-restructuring-ycz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":1,"comment_count":0}
-{"_type":"issue","id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkOpencodeSkills","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkOpencodeSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0}
+{"_type":"issue","id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkSkills:w","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0}
 {"_type":"issue","id":"home-profile-restructuring-cxa","title":"Verify skills available at /var/lib/hermes/.agents/skills","status":"closed","priority":2,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:50:58Z","started_at":"2026-04-26T12:38:15Z","closed_at":"2026-04-26T12:50:58Z","close_reason":"Manually verified - skills are present at /var/lib/hermes/.agents/skills on m3-hermes","labels":["hermes-agent","testing"],"dependencies":[{"issue_id":"home-profile-restructuring-cxa","depends_on_id":"home-profile-restructuring-edz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":0,"comment_count":0}

flake.lock

@@ -448,11 +448,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1779113444,
+        "lastModified": 1778248595,
-        "narHash": "sha256-/L61sT1PIKmGWIQpIh0uJGH/ANvcsf6y4alxtb9kelg=",
+        "narHash": "sha256-dhFgEjoeJMYN/7OY6xfxS799YB4IjbbYXTjyGIJyLpc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "74f170c62d57f90e656841f1f699e6bdf40f0a24",
+        "rev": "fdb2ccba9d5e1238d32e0c4a3ec1a277efa80c1d",
         "type": "github"
       },
       "original": {
@@ -602,11 +602,11 @@
         "nur": "nur"
       },
       "locked": {
-        "lastModified": 1778520138,
+        "lastModified": 1778516940,
-        "narHash": "sha256-X58c8BUIshyUnp6XEKumFUYXqMFnrDTj+aGuGIbKwxg=",
+        "narHash": "sha256-BhC9zIEmXoWY0TK0achwUueKhzUA5sja6bjonzrEPxo=",
         "ref": "refs/heads/master",
-        "rev": "a87d9510bd84f51bf93970730b8688ab7221bbdd",
+        "rev": "7894a89843559cb1597bf0f32e0579f37052f497",
-        "revCount": 30,
+        "revCount": 28,
         "type": "git",
         "url": "ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home"
       },

hosts/m3-ares/home.nix

@@ -36,39 +36,35 @@ with lib; {
       };
     }
 
-    # ── Hyprland monitor layout & host-specific rules ──
+    # ── Hyprland monitor layout ──
     (mkIf config.desktop.wm.hyprland.enable {
       wayland.windowManager.hyprland = {
         enable = true;
         settings = {
-          # Laptop internal + external HDMI
+          exec-once = ["tuxedo-backlight"];
           monitor = [
-            { output = "eDP-1";     mode = "preferred";       position = "0x0";     scale = 1.25; }
+            "eDP-1,preferred,0x0,1.25"
-            { output = "HDMI-A-1";  mode = "1920x1080@120";   position = "2560x0";  scale = 1; }
+            "HDMI-A-1,1920x1080@120,2560x0,1"
           ];
-          workspace_rule = [
+          workspace = [
-            { workspace = 1; monitor = "eDP-1";    default = true; }
+            "1, monitor:eDP-1, default:true"
-            { workspace = 2; monitor = "eDP-1"; }
+            "2, monitor:eDP-1"
-            { workspace = 3; monitor = "eDP-1"; }
+            "3, monitor:eDP-1"
-            { workspace = 4; monitor = "HDMI-A-1"; }
+            "4, monitor:HDMI-A-1"
-            { workspace = 5; monitor = "HDMI-A-1"; border = false; rounding = false; }
+            "5, monitor:HDMI-A-1,border:false,rounding:false"
-            { workspace = 6; monitor = "HDMI-A-1"; }
+            "6, monitor:HDMI-A-1"
           ];
-          window_rule = [
+          windowrule = [
-            { match = { class = "dev.zed.Zed" };            workspace = "1"; }
+            "match:class dev.zed.Zed, workspace 1"
-            { match = { class = "Msty" };                    workspace = "1"; }
+            "match:class Msty, workspace 1"
-            { match = { class = "^com.obsproject.Studio$" }; workspace = "2"; }
+            "match:class ^(com.obsproject.Studio)$, workspace 2"
-            { match = { class = "^(brave-browser)$" };      workspace = "4"; opacity = 1.0; }
+            "match:class ^(brave-browser)$, workspace 4, opacity 1.0"
-            { match = { class = "^(vivaldi-stable)$" };     workspace = "4"; opacity = 1.0; }
+            "match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
-            { match = { class = "^steam_app_\\d+$" };       fullscreen = true; workspace = "5"; idle_inhibit = "focus"; }
+            "match:class ^steam_app_\\d+$, fullscreen on"
+            "match:class ^steam_app_\\d+$, workspace 5"
+            "match:class ^steam_app_\\d+$, idle_inhibit focus"
           ];
         };
-        extraConfig = mkAfter ''
-          -- Host startup: TUXEDO backlight
-          hl.on("hyprland.start", function()
-            hl.exec_cmd("tuxedo-backlight")
-          end)
-        '';
       };
     })
   ];

hosts/m3-atlas/services/honcho.nix

@@ -0,0 +1,422 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.services.honcho;
+in {
+  options.services.honcho = {
+    enable = mkEnableOption "Honcho memory server for AI agents";
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.callPackage ../../../pkgs/honcho {};
+      description = "The Honcho package to use.";
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "honcho";
+      description = "User under which Honcho runs.";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "honcho";
+      description = "Group under which Honcho runs.";
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/honcho";
+      description = "Data directory for Honcho.";
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 8000;
+      description = "Port for the Honcho API server.";
+    };
+
+    # ── Core Settings ──
+    settings = mkOption {
+      type = types.submodule {
+        freeformType = types.attrsOf types.anything;
+        options = {
+          LOG_LEVEL = mkOption {
+            type = types.str;
+            default = "INFO";
+            description = "Log level.";
+          };
+
+          NAMESPACE = mkOption {
+            type = types.str;
+            default = "honcho";
+            description = "Namespace prefix for vector stores and cache.";
+          };
+
+          AUTH_USE_AUTH = mkOption {
+            type = types.bool;
+            default = false;
+            description = "Enable JWT auth (not needed behind Traefik BasicAuth).";
+          };
+
+          CACHE_ENABLED = mkOption {
+            type = types.bool;
+            default = true;
+            description = "Enable Redis caching.";
+          };
+
+          VECTOR_STORE_TYPE = mkOption {
+            type = types.str;
+            default = "pgvector";
+            description = "Vector store backend.";
+          };
+
+          SENTRY_ENABLED = mkOption {
+            type = types.bool;
+            default = false;
+            description = "Enable Sentry.";
+          };
+
+          METRICS_ENABLED = mkOption {
+            type = types.bool;
+            default = false;
+            description = "Enable Prometheus metrics.";
+          };
+
+          TELEMETRY_ENABLED = mkOption {
+            type = types.bool;
+            default = false;
+            description = "Enable CloudEvents telemetry.";
+          };
+        };
+      };
+      default = {};
+      description = "Honcho environment variables (env vars).";
+    };
+
+    # ── Database ──
+    database = mkOption {
+      type = types.submodule {
+        options = {
+          createLocally = mkOption {
+            type = types.bool;
+            default = true;
+            description = "Create local PostgreSQL DB and user.";
+          };
+
+          host = mkOption {
+            type = types.str;
+            default = "localhost";
+          };
+
+          port = mkOption {
+            type = types.port;
+            default = 5432;
+          };
+
+          name = mkOption {
+            type = types.str;
+            default = "honcho";
+          };
+
+          user = mkOption {
+            type = types.str;
+            default = "honcho";
+          };
+
+          passwordFile = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            description = "File containing DB password (exported as DB_CONNECTION_URI).";
+          };
+        };
+      };
+      default = {};
+    };
+
+    # ── Redis ──
+    redis = mkOption {
+      type = types.submodule {
+        options = {
+          url = mkOption {
+            type = types.str;
+            default = "redis://localhost:6380/0";
+            description = "Redis URL for Honcho caching.";
+          };
+        };
+      };
+      default = {};
+    };
+
+    # ── LLM Provider ──
+    llm = mkOption {
+      type = types.submodule {
+        options = {
+          openaiApiKeyFile = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            description = "File exporting LLM_OPENAI_API_KEY.";
+          };
+
+          anthropicApiKeyFile = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            description = "File exporting LLM_ANTHROPIC_API_KEY.";
+          };
+
+          geminiApiKeyFile = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            description = "File exporting LLM_GEMINI_API_KEY.";
+          };
+        };
+      };
+      default = {};
+    };
+
+    # ── Deriver (Background Reasoning) ──
+    deriver = mkOption {
+      type = types.submodule {
+        options = {
+          enable = mkOption {
+            type = types.bool;
+            default = true;
+          };
+
+          workers = mkOption {
+            type = types.ints.positive;
+            default = 1;
+          };
+
+          model = mkOption {
+            type = types.str;
+            default = "gpt-4.1-mini";
+            description = "Model for deriver reasoning.";
+          };
+
+          transport = mkOption {
+            type = types.str;
+            default = "openai";
+            description = "LLM transport (openai, anthropic, gemini).";
+          };
+
+          baseUrl = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+            description = "OpenAI-compatible base URL for self-hosted.";
+          };
+
+          apiKeyFile = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            description = "File exporting DERIVER_MODEL_CONFIG__OVERRIDES__API_KEY.";
+          };
+        };
+      };
+      default = {};
+    };
+
+    # ── Dialectic ──
+    dialectic = mkOption {
+      type = types.submodule {
+        options = {
+          model = mkOption {
+            type = types.str;
+            default = "gpt-4.1-mini";
+          };
+
+          transport = mkOption {
+            type = types.str;
+            default = "openai";
+          };
+
+          baseUrl = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+          };
+        };
+      };
+      default = {};
+    };
+
+    # ── Embedding ──
+    embedding = mkOption {
+      type = types.submodule {
+        options = {
+          model = mkOption {
+            type = types.str;
+            default = "text-embedding-3-small";
+          };
+
+          transport = mkOption {
+            type = types.str;
+            default = "openai";
+          };
+
+          baseUrl = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+          };
+        };
+      };
+      default = {};
+    };
+  };
+
+  config = let
+    # Build the DB connection URI
+    dbUri =
+      if cfg.database.passwordFile != null
+      then "postgresql+psycopg://${cfg.database.user}@${cfg.database.host}:${toString cfg.database.port}/${cfg.database.name}"
+      else "postgresql+psycopg://${cfg.database.user}@${cfg.database.host}:${toString cfg.database.port}/${cfg.database.name}";
+
+    # Common env vars for both API and Deriver
+    commonEnv =
+      cfg.settings
+      // {
+        DB_CONNECTION_URI = dbUri;
+        CACHE_URL = cfg.redis.url;
+        PYTHON_DOTENV_DISABLED = "true";
+        HONCHO_CONFIG_TOML_DISABLED = "true";
+      };
+
+    # Shared EnvironmentFile list
+    envFiles =
+      (optional (cfg.llm.openaiApiKeyFile != null) cfg.llm.openaiApiKeyFile)
+      ++ (optional (cfg.llm.anthropicApiKeyFile != null) cfg.llm.anthropicApiKeyFile)
+      ++ (optional (cfg.llm.geminiApiKeyFile != null) cfg.llm.geminiApiKeyFile)
+      ++ (optional (cfg.deriver.apiKeyFile != null) cfg.deriver.apiKeyFile);
+  in
+    mkIf cfg.enable {
+      # ── User & Group ──
+      users.users.${cfg.user} = mkIf (cfg.user == "honcho") {
+        isSystemUser = true;
+        group = cfg.group;
+        home = cfg.dataDir;
+        createHome = true;
+      };
+      users.groups.${cfg.group} = mkIf (cfg.group == "honcho") {};
+
+      # ── API Server ──
+      systemd.services.honcho-api = {
+        description = "Honcho Memory API Server";
+        after = ["network.target" "postgresql.service"];
+        requires = ["postgresql.service"];
+        wantedBy = ["multi-user.target"];
+
+        environment = commonEnv;
+
+        serviceConfig = {
+          Type = "simple";
+          User = cfg.user;
+          Group = cfg.group;
+          WorkingDirectory = cfg.package;
+
+          ExecStartPre = "${cfg.package}/bin/honcho-migrate";
+          ExecStart = "${cfg.package}/bin/honcho-api --port ${toString cfg.port}";
+
+          Restart = "on-failure";
+          RestartSec = "5";
+
+          EnvironmentFile = envFiles;
+
+          # Security
+          NoNewPrivileges = true;
+          ProtectSystem = "strict";
+          ProtectHome = true;
+          ReadWritePaths = [cfg.dataDir];
+          PrivateTmp = true;
+        };
+      };
+
+      # ── Deriver Worker ──
+      systemd.services.honcho-deriver = mkIf cfg.deriver.enable {
+        description = "Honcho Deriver (Background Reasoning)";
+        after = ["network.target" "postgresql.service" "honcho-api.service"];
+        requires = ["postgresql.service"];
+        wants = ["honcho-api.service"];
+        wantedBy = ["multi-user.target"];
+
+        environment =
+          commonEnv
+          // {
+            DERIVER_ENABLED = "true";
+            DERIVER_WORKERS = toString cfg.deriver.workers;
+            DERIVER_MODEL_CONFIG__TRANSPORT = cfg.deriver.transport;
+            DERIVER_MODEL_CONFIG__MODEL = cfg.deriver.model;
+          }
+          // optionalAttrs (cfg.deriver.baseUrl != null) {
+            DERIVER_MODEL_CONFIG__OVERRIDES__BASE_URL = cfg.deriver.baseUrl;
+          }
+          // (
+            builtins.listToAttrs (
+              map (level: {
+                name = "DIALECTIC_LEVELS__${level}__MODEL_CONFIG__MODEL";
+                value = cfg.dialectic.model;
+              })
+              ["minimal" "low" "medium" "high" "max"]
+            )
+          )
+          // (
+            builtins.listToAttrs (
+              map (level: {
+                name = "DIALECTIC_LEVELS__${level}__MODEL_CONFIG__TRANSPORT";
+                value = cfg.dialectic.transport;
+              })
+              ["minimal" "low" "medium" "high" "max"]
+            )
+          )
+          // optionalAttrs (cfg.dialectic.baseUrl != null) (
+            builtins.listToAttrs (
+              map (level: {
+                name = "DIALECTIC_LEVELS__${level}__MODEL_CONFIG__OVERRIDES__BASE_URL";
+                value = cfg.dialectic.baseUrl;
+              })
+              ["minimal" "low" "medium" "high" "max"]
+            )
+          )
+          // {
+            EMBEDDING_MODEL_CONFIG__MODEL = cfg.embedding.model;
+            EMBEDDING_MODEL_CONFIG__TRANSPORT = cfg.embedding.transport;
+          }
+          // optionalAttrs (cfg.embedding.baseUrl != null) {
+            EMBEDDING_MODEL_CONFIG__OVERRIDES__BASE_URL = cfg.embedding.baseUrl;
+          };
+
+        serviceConfig = {
+          Type = "simple";
+          User = cfg.user;
+          Group = cfg.group;
+          WorkingDirectory = cfg.package;
+
+          ExecStart = "${cfg.package}/bin/honcho-deriver";
+
+          Restart = "on-failure";
+          RestartSec = "10";
+
+          EnvironmentFile = envFiles;
+
+          NoNewPrivileges = true;
+          ProtectSystem = "strict";
+          ProtectHome = true;
+          ReadWritePaths = [cfg.dataDir];
+          PrivateTmp = true;
+        };
+      };
+
+      # ── Local PostgreSQL ──
+      services.postgresql = mkIf cfg.database.createLocally {
+        ensureDatabases = [cfg.database.name];
+        ensureUsers = [
+          {
+            name = cfg.database.user;
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+    };
+}

hosts/m3-atlas/services/redis.nix

@@ -0,0 +1,16 @@
+{config, ...}: {
+  services.redis.servers.honcho = {
+    enable = true;
+    port = 6380; # Separate from default Redis (6379) to avoid conflicts
+    bind = "127.0.0.1";
+    save = [
+      [900 1]
+      [300 10]
+      [60 10000]
+    ];
+  };
+
+  networking.firewall.extraCommands = ''
+    iptables -A INPUT -p tcp -s 127.0.0.1 --dport 6380 -j ACCEPT
+  '';
+}

hosts/m3-kratos/home.nix

@@ -36,32 +36,31 @@ with lib; {
       };
     }
 
-    # ── Hyprland monitor layout & host-specific rules ──
+    # ── Hyprland monitor layout ──
     (mkIf config.desktop.wm.hyprland.enable {
       wayland.windowManager.hyprland = {
         enable = true;
         settings = {
-          # Dual monitor: DP-1 left, DP-2 right
           monitor = [
-            { output = "DP-1"; mode = "2560x1440@144"; position = "0x0";     scale = 1; }
+            "DP-1,2560x1440@144,0x0,1"
-            { output = "DP-2"; mode = "2560x1440@144"; position = "2560x0";  scale = 1; }
+            "DP-2,2560x1440@144,2560x0,1"
           ];
-          workspace_rule = [
+          workspace = [
-            { workspace = 1; monitor = "DP-1"; default = true; }
+            "1, monitor:DP-1, default:true"
-            { workspace = 2; monitor = "DP-1"; }
+            "2, monitor:DP-1"
-            { workspace = 3; monitor = "DP-1"; }
+            "3, monitor:DP-1"
-            { workspace = 4; monitor = "DP-2"; }
+            "4, monitor:DP-2"
-            { workspace = 5; monitor = "DP-2"; }
+            "5, monitor:DP-2"
-            { workspace = 6; monitor = "DP-2"; }
+            "6, monitor:DP-2"
-            { workspace = 7; monitor = "DP-2"; }
+            "7, monitor:DP-2"
           ];
-          window_rule = [
+          windowrule = [
-            { match = { class = "dev.zed.Zed" };            workspace = "1"; }
+            "match:class dev.zed.Zed, workspace 1"
-            { match = { class = "Msty" };                    workspace = "1"; }
+            "match:class Msty, workspace 1"
-            { match = { class = "^com.obsproject.Studio$" }; workspace = "2"; }
+            "match:class ^(com.obsproject.Studio)$, workspace 2"
-            { match = { class = "^(brave-browser)$" };      workspace = "4"; opacity = 1.0; }
+            "match:class ^(brave-browser)$, workspace 4, opacity 1.0"
-            { match = { class = "^(vivaldi-stable)$" };     workspace = "4"; opacity = 1.0; }
+            "match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
-            { match = { class = "^steam_app_\\d+$" };       idle_inhibit = "focus"; }
+            "match:class ^steam_app_\\d+$, idle_inhibit focus"
           ];
         };
       };

pkgs/honcho/default.nix

@@ -0,0 +1,153 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  python3,
+}:
+# NOTE: First build will fail with a hash mismatch error.
+# Copy the "got: sha256-XXX..." from the error and replace fakeHash below.
+let
+  version = "3.0.6";
+
+  src = fetchFromGitHub {
+    owner = "plastic-labs";
+    repo = "honcho";
+    tag = "v${version}";
+    hash = lib.fakeHash;
+  };
+
+  pythonEnv = python3.withPackages (ps:
+    with ps; [
+      # Core web framework
+      fastapi
+      uvicorn
+      httptools
+      python-dotenv
+      sqlalchemy
+      fastapi-pagination
+
+      # Database & vector
+      pgvector
+      psycopg
+      greenlet
+
+      # LLM providers
+      openai
+      google-genai
+
+      # Utilities
+      httpx
+      rich
+      nanoid
+      alembic
+      pyjwt
+      tenacity
+      tiktoken
+      langfuse
+      pydantic
+      pydantic-settings
+      pdfplumber
+      typing-extensions
+      json-repair
+      scikit-learn
+      prometheus-client
+      cloudevents
+
+      # Vector store backends
+      turbopuffer
+      lancedb
+      pyarrow
+
+      # Cache
+      redis
+      cashews
+
+      # Observability
+      sentry-sdk
+    ]);
+in
+  stdenv.mkDerivation {
+    pname = "honcho";
+    inherit version src;
+
+    buildInputs = [pythonEnv];
+
+    buildPhase = ''
+      rm -rf sdks honcho-cli
+    '';
+
+    installPhase = ''
+      mkdir -p $out/{src,migrations,scripts,bin}
+
+      cp -r src/* $out/src/
+      cp -r migrations/* $out/migrations/
+      cp scripts/provision_db.py $out/scripts/
+      cp alembic.ini $out/
+
+      # API wrapper
+      cat > $out/bin/honcho-api << 'WRAPPER'
+      #!/bin/sh
+      exec ${pythonEnv}/bin/python -c "
+      import sys, os
+      app_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+      os.chdir(app_dir)
+      sys.path.insert(0, app_dir)
+      os.environ.setdefault('PYTHON_DOTENV_DISABLED', 'true')
+      os.environ.setdefault('HONCHO_CONFIG_TOML_DISABLED', 'true')
+      import uvicorn
+      port = int(os.environ.get('PORT', '8000'))
+      for i, arg in enumerate(sys.argv[1:]):
+          if arg.startswith('--port='):
+              port = int(arg.split('=',1)[1])
+          elif arg == '--port':
+              nxt = sys.argv[i+2:i+3]
+              if nxt: port = int(nxt[0])
+      uvicorn.run('src.main:app', host='0.0.0.0', port=port)
+      " "$@"
+      WRAPPER
+      chmod +x $out/bin/honcho-api
+
+      # Deriver wrapper
+      cat > $out/bin/honcho-deriver << 'WRAPPER'
+      #!/bin/sh
+      exec ${pythonEnv}/bin/python -c "
+      import sys, os
+      app_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+      os.chdir(app_dir)
+      sys.path.insert(0, app_dir)
+      os.environ.setdefault('PYTHON_DOTENV_DISABLED', 'true')
+      os.environ.setdefault('HONCHO_CONFIG_TOML_DISABLED', 'true')
+      from src.deriver.__main__ import *
+      " "$@"
+      WRAPPER
+      chmod +x $out/bin/honcho-deriver
+
+      # Migration wrapper
+      cat > $out/bin/honcho-migrate << 'WRAPPER'
+      #!/bin/sh
+      exec ${pythonEnv}/bin/python -c "
+      import sys, os, asyncio
+      app_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+      os.chdir(app_dir)
+      sys.path.insert(0, app_dir)
+      os.environ.setdefault('PYTHON_DOTENV_DISABLED', 'true')
+      os.environ.setdefault('HONCHO_CONFIG_TOML_DISABLED', 'true')
+      from src.db import init_db
+      asyncio.run(init_db())
+      " "$@"
+      WRAPPER
+      chmod +x $out/bin/honcho-migrate
+    '';
+
+    passthru = {
+      inherit pythonEnv;
+      python = pythonEnv;
+    };
+
+    meta = {
+      description = "Honcho — Memory system for stateful AI agents";
+      homepage = "https://honcho.dev";
+      license = lib.licenses.agpl3Only;
+      platforms = lib.platforms.linux;
+    };
+  }