# Host-level module: turns on the m3ta pi-agent service/wrapper and declares the
# agent account's git identity through Home Manager.
{config, ...}: let
  cfg = config.m3ta.pi-agent;
in {
  m3ta.pi-agent = {
    enable = true;
    binaryName = "pi";

    # Per-user policy map: which host users are authorized and which project
    # roots each of them may use. A user not listed here has no entry at all.
    hostUsers.m3tam3re = {
      # NOTE(review): "~" is a literal string at this level; confirm the module
      # resolves it against the invoking user's home and canonicalizes paths
      # before comparing them with this root.
      projectRoots = ["~/p"];
      # Optional; when omitted the default comes from wrapper.hostConfigPath.
      # It currently repeats that same value.
      configPath = ".pi/agents";
    };

    wrapper = {
      enable = true;
      commandName = "pi";
      # presumably leaves the wrapper as the only entry point on PATH, so the
      # hostUsers policy cannot be skipped by calling the binary directly
      # (verify against the module's implementation).
      hideDirectBinary = true;
      # Sync the Home Manager rendered Pi config from the invoking user's home.
      hostConfigPath = ".pi/agents";
    };
  };

  # The agent gets its own Home Manager profile rooted in its state directory,
  # so its git identity is declared here and kept apart from any human user's.
  home-manager.users.${cfg.user} = {
    home = {
      username = cfg.user;
      homeDirectory = cfg.stateDir;
      stateVersion = "26.05";
      # Empty global ignore file, so core.excludesfile below points at a path
      # that exists.
      file.".gitignore_global".text = "";
    };

    programs.git = {
      enable = true;
      # NOTE(review): no signing key or format is configured in this file, so
      # commits made under this identity are presumably unsigned and are
      # attributable only by the name/email below; confirm that is intended.
      signing.format = null;
      settings = {
        user.name = "m3ta-chiron";
        user.email = "m3ta-chiron@agentmail.to";
        core.excludesfile = "~/.gitignore_global";
        init.defaultBranch = "master";
        alias.st = "status";
        alias.logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
      };
    };
  };
}