chore: update flake inputs

2026-05-01 16:01:13 +02:00 · 2026-05-01 04:01:14 +02:00 · 2026-04-30 16:01:17 +02:00 · 2026-04-30 04:00:54 +02:00 · 2026-04-29 20:07:12 +02:00 · 2026-04-29 19:51:35 +02:00
20 changed files with 252 additions and 275 deletions
--- a/.beads/issues.jsonl
+++ b/.beads/issues.jsonl
@@ -0,0 +1 @@
+{"id":"nixpkgs-ng1","title":"Configure agent git identity in nixpkgs repo","description":"Git commits are using p@m3ta.dev instead of m3ta-chiron@agentmail.to. The GIT_AUTHOR_NAME and GIT_AUTHOR_EMAIL environment variables are not set in this environment. Need to configure the agent git identity for this repository following the pattern in AGENTS.md","status":"open","priority":2,"issue_type":"task","owner":"p@m3ta.dev","created_at":"2026-04-27T18:16:17Z","created_by":"m3tm3re","updated_at":"2026-04-27T18:16:17Z","dependency_count":0,"dependent_count":0,"comment_count":0}
--- a/flake.lock
+++ b/flake.lock
@@ -3,11 +3,11 @@
    "agents": {
      "flake": false,
      "locked": {
-        "lastModified": 1776092721,
-        "narHash": "sha256-avV4Snqp0K57I9s8D61+GHlg9DYZFSIvjaS4d4RYpG8=",
+        "lastModified": 1777399938,
+        "narHash": "sha256-xXPqUQezDdDtF8MbpZnwD1HkybOYwF92evx8rJ6OXCU=",
        "ref": "refs/heads/master",
-        "rev": "0ad41acb03eee0e22cba611b2171a3d3ee30cb10",
-        "revCount": 72,
+        "rev": "9a91f1ee0cf011a7eaf1f16a9e17610b0457e055",
+        "revCount": 85,
        "type": "git",
        "url": "https://code.m3ta.dev/m3tam3re/AGENTS"
      },
@@ -39,11 +39,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1775423009,
-        "narHash": "sha256-vPKLpjhIVWdDrfiUM8atW6YkIggCEKdSAlJPzzhkQlw=",
+        "lastModified": 1777268161,
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "68d8aa3d661f0e6bd5862291b5bb263b2a6595c9",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
        "type": "github"
      },
      "original": {
@@ -55,11 +55,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1775657231,
-        "narHash": "sha256-DP8FfybiZPp5WLB9eIk0TC2mdvuYzxLGgrBODDrwPEI=",
+        "lastModified": 1777643636,
+        "narHash": "sha256-7vvm5Ia8o3g7YNErFcDsbCx+Pk8HbnA+ZYuA5Zga7hY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4e03baaa39b7746eac5704d623461422131cd03d",
+        "rev": "da2366fac507ce7bd31852e7351e55b951656999",
        "type": "github"
      },
      "original": {
@@ -69,27 +69,6 @@
        "type": "github"
      }
    },
-    "opencode": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-master"
-        ]
-      },
-      "locked": {
-        "lastModified": 1775782812,
-        "narHash": "sha256-m+Ue7FWiTjKMAn1QefAwOMfOb2Vybk0mJPV9zcbkOmE=",
-        "owner": "anomalyco",
-        "repo": "opencode",
-        "rev": "877be7e8e04142cd8fbebcb5e6c4b9617bf28cce",
-        "type": "github"
-      },
-      "original": {
-        "owner": "anomalyco",
-        "ref": "v1.4.3",
-        "repo": "opencode",
-        "type": "github"
-      }
-    },
    "openspec": {
      "inputs": {
        "nixpkgs": [
@@ -97,11 +76,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775372219,
-        "narHash": "sha256-MJakKC026Sarz7nMmiFrfONWc4xgaw8ApV0Hhp4ebhM=",
+        "lastModified": 1777556999,
+        "narHash": "sha256-HfFlRwR8IMjudRttN4T8L3DJKnNlpWfeNzQPly/HaRY=",
        "owner": "Fission-AI",
        "repo": "OpenSpec",
-        "rev": "64d476f8b924bb9b74b896ea0aa784970e37da69",
+        "rev": "347f0277e3be3549cd85cdea364fbd7710f1922b",
        "type": "github"
      },
      "original": {
@@ -116,7 +95,6 @@
        "basecamp": "basecamp",
        "nixpkgs": "nixpkgs",
        "nixpkgs-master": "nixpkgs-master",
-        "opencode": "opencode",
        "openspec": "openspec"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@@ -10,12 +10,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    # opencode needs newer bun from master
-    opencode = {
-      url = "github:anomalyco/opencode/v1.4.3";
-      inputs.nixpkgs.follows = "nixpkgs-master";
-    };
-
    # openspec - spec-driven development for AI coding assistants
    openspec = {
      url = "github:Fission-AI/OpenSpec";
--- a/modules/home-manager/coding/agents/claude-code.nix
+++ b/modules/home-manager/coding/agents/claude-code.nix
@@ -3,14 +3,16 @@
  lib,
  pkgs,
  ...
-}: let
-  shared = import ./shared-options.nix {inherit lib;};
-in
-  with lib; let
-    cfg = config.coding.agents.claude-code;
+}: {
+  imports = [
+    ./shared/default.nix
+  ];
+
+  options.coding.agents.claude-code = let
+    shared = import ./shared/shared-options.nix {inherit lib;};
    mcpCfg = config.programs.mcp or null;
-  in {
-    options.coding.agents.claude-code = {
+  in
+    with lib; {
      enable = mkEnableOption "Claude Code agent management via canonical agent.toml definitions";

      agentsInput = shared.mkAgentsInputOption ''
@@ -38,9 +40,12 @@ in
      };
    };

-    config = mkIf cfg.enable (let
+  config = with lib; let
+    shared = import ./shared/shared-options.nix {inherit lib;};
+    cfg = config.coding.agents.claude-code;
    agentsLib = (import ../../../../lib {inherit lib;}).agents;
-
+  in
+    mkIf cfg.enable (let
      # Rendered agents + permissions (only if agentsInput is set)
      rendered = mkIf (cfg.agentsInput != null) (
        agentsLib.renderForClaudeCode {
--- a/modules/home-manager/coding/agents/default.nix
+++ b/modules/home-manager/coding/agents/default.nix
@@ -10,7 +10,7 @@
  pkgs,
  ...
 }: let
-  shared = import ./shared-options.nix {inherit lib;};
+  shared = import ./shared/shared-options.nix {inherit lib;};
  cfg = config.coding.agents.skills;
  mkIf = lib.mkIf;
 in {
--- a/modules/home-manager/coding/agents/opencode.nix
+++ b/modules/home-manager/coding/agents/opencode.nix
@@ -3,11 +3,15 @@
  lib,
  pkgs,
  ...
-}: let
-  shared = import ./shared-options.nix {inherit lib;};
+}: {
+  imports = [
+    ./shared/default.nix
+  ];
+
+  options.coding.agents.opencode = let
+    shared = import ./shared/shared-options.nix {inherit lib;};
  in
    with lib; {
-    options.coding.agents.opencode = {
      enable = mkEnableOption "OpenCode agent management via canonical agent.toml definitions";

      agentsInput = shared.mkAgentsInputOption ''
@@ -19,13 +23,17 @@ in
      modelOverrides = shared.mkModelOverridesOption;
    };

-    config = mkIf config.coding.agents.opencode.enable {
-      # Rendered agent files symlinked to ~/.config/opencode/agents/
-      xdg.configFile."opencode/agents" = let
+  config = with lib; let
+    shared = import ./shared/shared-options.nix {inherit lib;};
    cfg = config.coding.agents.opencode;
+  in
+    mkIf cfg.enable {
+      # Rendered agent files symlinked to ~/.config/opencode/agents/
+      xdg.configFile."opencode/agents" = let
+        agentsLib = (import ../../../../lib {inherit lib;}).agents;
      in
        mkIf (cfg.agentsInput != null) {
-          source = (import ../../../../lib {inherit lib;}).agents.renderForOpencode {
+          source = agentsLib.renderForOpencode {
            inherit pkgs;
            canonical = cfg.agentsInput.lib.loadAgents;
            modelOverrides = cfg.modelOverrides;
@@ -33,22 +41,13 @@ in
        };

      # Static config dirs from AGENTS repo
-      xdg.configFile."opencode/context" = let
-        cfg = config.coding.agents.opencode;
-      in
-        mkIf (cfg.agentsInput != null) {
+      xdg.configFile."opencode/context" = mkIf (cfg.agentsInput != null) {
        source = "${cfg.agentsInput}/context";
      };
-      xdg.configFile."opencode/commands" = let
-        cfg = config.coding.agents.opencode;
-      in
-        mkIf (cfg.agentsInput != null) {
+      xdg.configFile."opencode/commands" = mkIf (cfg.agentsInput != null) {
        source = "${cfg.agentsInput}/commands";
      };
-      xdg.configFile."opencode/prompts" = let
-        cfg = config.coding.agents.opencode;
-      in
-        mkIf (cfg.agentsInput != null) {
+      xdg.configFile."opencode/prompts" = mkIf (cfg.agentsInput != null) {
        source = "${cfg.agentsInput}/prompts";
      };
    };
--- a/modules/home-manager/coding/agents/pi.nix
+++ b/modules/home-manager/coding/agents/pi.nix
@@ -3,14 +3,16 @@
  lib,
  pkgs,
  ...
-}: let
-  shared = import ./shared-options.nix {inherit lib;};
-in
-  with lib; let
-    cfg = config.coding.agents.pi;
+}: {
+  imports = [
+    ./shared/default.nix
+  ];
+
+  options.coding.agents.pi = let
+    shared = import ./shared/shared-options.nix {inherit lib;};
    mcpCfg = config.programs.mcp or null;
-  in {
-    options.coding.agents.pi = {
+  in
+    with lib; {
      enable = mkEnableOption "Pi agent management via canonical agent.toml definitions";

      mcpServers = mkOption {
@@ -200,9 +202,45 @@ in
          See pi docs/settings.md for all options.
        '';
      };
+
+      # ── Pi Guardrails ─────────────────────────────────────────────
+      guardrails = mkOption {
+        type = types.nullOr (types.submodule {
+          options = {
+            enable =
+              mkEnableOption
+              ("Generate ~/.pi/agent/extensions/guardrails.json for pi-guardrails. "
+                + "Adds @aliou/pi-guardrails to packages automatically.");
+
+            config = mkOption {
+              type = types.attrsOf types.anything;
+              default = {};
+              description = ''
+                Guardrails configuration written to ~/.pi/agent/extensions/guardrails.json.
+                See https://github.com/aliou/pi-guardrails for config schema.
+
+                IMPORTANT: Path access checks are lexical (not symlink-safe).
+                Local project .pi/extensions/guardrails.json can override same rule IDs
+                (memory > local > global > defaults). For immutable global policies,
+                consider a wrapper or upstream patch.
+              '';
+            };
+          };
+        });
+        default = null;
+        description = ''
+          Pi Guardrails security configuration.
+          Generates ~/.pi/agent/extensions/guardrails.json when enabled.
+          The @aliou/pi-guardrails package is added to settings.packages automatically.
+        '';
+      };
    };

-    config = mkIf cfg.enable (let
+  config = with lib; let
+    shared = import ./shared/shared-options.nix {inherit lib;};
+    cfg = config.coding.agents.pi;
+  in
+    mkIf cfg.enable (let
      # Build settings.json by filtering out null values recursively
      filterNulls = attrs:
        lib.filterAttrs (_: v: v != null) (
@@ -218,8 +256,37 @@ in
          attrs
        );

+      # Base settings (already filtered)
      piSettings = filterNulls cfg.settings;

+      # Guardrails package to inject when guardrails is enabled
+      guardrailsPackage = "npm:@aliou/pi-guardrails@0.11.1";
+
+      # Guardrails config (only when guardrails is enabled)
+      guardrailsJson =
+        if (cfg.guardrails != null && cfg.guardrails.enable)
+        then builtins.toJSON cfg.guardrails.config
+        else null;
+
+      # Merge guardrails package into settings.packages when guardrails is enabled
+      piSettingsWithGuardrails = let
+        baseSettings = cfg.settings;
+        basePackages = baseSettings.packages or [];
+        hasGuardrailsPackage =
+          lib.any
+          (p:
+            lib.hasPrefix "npm:@aliou/pi-guardrails" p
+            || (lib.hasPrefix "git:" p && lib.hasSuffix "/pi-guardrails" p))
+          basePackages;
+        packagesWithGuardrails =
+          if (cfg.guardrails != null && cfg.guardrails.enable && !hasGuardrailsPackage)
+          then basePackages ++ [guardrailsPackage]
+          else basePackages;
+      in
+        if packagesWithGuardrails != basePackages
+        then filterNulls (baseSettings // {packages = packagesWithGuardrails;})
+        else piSettings;
+
      # Coding rules config for renderForPi (only when both agentsInput and codingRules are set)
      piCodingRules =
        if cfg.agentsInput != null && cfg.codingRules != null
@@ -263,10 +330,16 @@ in

        # ── ~/.pi/agent/settings.json ──────────────────────────────────
        {
-          ".pi/agent/settings.json".text = builtins.toJSON piSettings;
+          ".pi/agent/settings.json".text = builtins.toJSON piSettingsWithGuardrails;
          ".pi/agent/settings.json".force = true;
        }

+        # ── pi-guardrails config ─────────────────────────────────────
+        (mkIf (guardrailsJson != null) {
+          ".pi/agent/extensions/guardrails.json".text = guardrailsJson;
+          ".pi/agent/extensions/guardrails.json".force = true;
+        })
+
        # ── AGENTS.md — agent descriptions and specialist listing ──────
        (mkIf (cfg.agentsInput != null) {
          ".pi/agent/AGENTS.md".source = "${rendered}/AGENTS.md";
--- a/modules/home-manager/coding/agents/shared/default.nix
+++ b/modules/home-manager/coding/agents/shared/default.nix
@@ -0,0 +1,7 @@
+# Shared agent module exports
+# Imports all shared modules for the coding.agents namespace.
+{
+  imports = [
+    ./git-identity.nix
+  ];
+}
--- a/modules/home-manager/coding/agents/shared/git-identity.nix
+++ b/modules/home-manager/coding/agents/shared/git-identity.nix
@@ -0,0 +1,64 @@
+# Git identity module for agent commits.
+# Sets GIT_AUTHOR_*, GIT_COMMITTER_*, and GIT_SSH_COMMAND environment variables.
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.coding.agents.gitIdentity;
+in {
+  options.coding.agents.gitIdentity = {
+    enable = lib.mkEnableOption ''
+      Agent Git identity for commits. When enabled, sets GIT_AUTHOR_* and
+      GIT_COMMITTER_* environment variables for consistent bot identity.
+    '';
+
+    name = lib.mkOption {
+      type = lib.types.str;
+      default = "m3ta-chiron";
+      description = "Git user name for agent commits.";
+      example = "m3ta-chiron";
+    };
+
+    email = lib.mkOption {
+      type = lib.types.str;
+      default = "m3ta-chiron@agentmail.to";
+      description = "Git email for agent commits.";
+      example = "m3ta-chiron@agentmail.to";
+    };
+
+    signingKey = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      description = ''
+        Optional GPG signing key for verified commits.
+        Set to null to disable signing.
+      '';
+      example = "/home/user/.gnupg/sign_key.gpg";
+    };
+
+    sshKey = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        Path to SSH private key for git push authentication.
+        Use agenix-managed paths like /run/agenix/m3ta-chiron-ssh-key
+        for secure secret management.
+      '';
+      example = "/run/agenix/m3ta-chiron-ssh-key";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.sessionVariables = {
+      # Git author/committer identity
+      GIT_AUTHOR_NAME = cfg.name;
+      GIT_AUTHOR_EMAIL = cfg.email;
+      GIT_COMMITTER_NAME = cfg.name;
+      GIT_COMMITTER_EMAIL = cfg.email;
+
+      # SSH command for git push
+      GIT_SSH_COMMAND = "ssh -i ${cfg.sshKey} -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new";
+    };
+  };
+}
--- a/modules/home-manager/coding/agents/shared/shared-options.nix
+++ b/modules/home-manager/coding/agents/shared/shared-options.nix
--- a/pkgs/code2prompt/default.nix
+++ b/pkgs/code2prompt/default.nix
@@ -1,40 +0,0 @@
-{
-  lib,
-  fetchFromGitHub,
-  nix-update-script,
-  rustPlatform,
-  pkg-config,
-  perl,
-  openssl,
-}:
-rustPlatform.buildRustPackage rec {
-  pname = "code2prompt";
-  version = "4.2.0";
-
-  src = fetchFromGitHub {
-    owner = "mufeedvh";
-    repo = "code2prompt";
-    rev = "v${version}";
-    hash = "sha256-Gh8SsSTZW7QlyyC3SWJ5pOK2x85/GT7+LPJn2Jeczpc=";
-  };
-
-  cargoLock = {
-    lockFile = src + "/Cargo.lock";
-  };
-
-  buildAndTestSubdir = "crates/code2prompt";
-
-  nativeBuildInputs = [pkg-config perl];
-
-  buildInputs = [openssl];
-
-  passthru.updateScript = nix-update-script {};
-
-  meta = with lib; {
-    description = "A CLI tool that converts your codebase into a single LLM prompt with a source tree, prompt templating, and token counting";
-    homepage = "https://github.com/mufeedvh/code2prompt";
-    license = licenses.mit;
-    platforms = platforms.linux;
-    mainProgram = "code2prompt";
-  };
-}
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -18,7 +18,6 @@ in {

  sidecar = pkgs.callPackage ./sidecar {};
  td = pkgs.callPackage ./td {};
-  code2prompt = pkgs.callPackage ./code2prompt {};
  eigent = pkgs.callPackage ./eigent {};
  hyprpaper-random = pkgs.callPackage ./hyprpaper-random {};
  launch-webapp = pkgs.callPackage ./launch-webapp {};
@@ -39,13 +38,4 @@ in {

  basecamp = inputs.basecamp.packages.${system}.default;
  openspec = inputs.openspec.packages.${system}.default;
-
-  # ── Modified packages ────────────────────────────────────────────
-  # Imported from flake inputs but built with local overrides.
-
-  # inputs.opencode is used for:
-  #   - opencode binary (copied into the Tauri sidecars directory)
-  #   - node_modules (with FOD hash fix for upstream issue #11755)
-  #   - src + patches (via inputs.opencode)
-  opencode-desktop = pkgs.callPackage ./opencode-desktop {inherit inputs;};
 }
--- a/pkgs/kestractl/sources.json
+++ b/pkgs/kestractl/sources.json
@@ -1,13 +1,13 @@
 {
-  "version": "1.2.2",
+  "version": "1.3.0",
  "sources": {
    "aarch64-linux": {
-      "url": "https://github.com/kestra-io/kestractl/releases/download/1.2.2/kestractl_1.2.2_linux_arm64.tar.gz",
-      "hash": "sha256-sidFsCZPnJ07PM5QayPBqaqlBBJTLEdecfd0AWnL7Yo="
+      "url": "https://github.com/kestra-io/kestractl/releases/download/1.3.0/kestractl_1.3.0_linux_arm64.tar.gz",
+      "hash": "sha256-/18F6CZnnLbet4BmI1oQ5pZWkJwIshCq30qd+cm0GGA="
    },
    "x86_64-linux": {
-      "url": "https://github.com/kestra-io/kestractl/releases/download/1.2.2/kestractl_1.2.2_linux_amd64.tar.gz",
-      "hash": "sha256-0C2naN2ougBJSY2z2m6eORnLkLen87HD+a+gvtrUvdw="
+      "url": "https://github.com/kestra-io/kestractl/releases/download/1.3.0/kestractl_1.3.0_linux_amd64.tar.gz",
+      "hash": "sha256-xmsBiqNKvob8xHDyU253o6c25YIubHanNdLqzWaOvSA="
    }
  }
 }
--- a/pkgs/mem0/default.nix
+++ b/pkgs/mem0/default.nix
@@ -6,14 +6,14 @@
 }:
 python3.pkgs.buildPythonPackage rec {
  pname = "mem0ai";
-  version = "1.0.9";
+  version = "2.0.1";
  pyproject = true;

  src = fetchFromGitHub {
    owner = "mem0ai";
    repo = "mem0";
    rev = "v${version}";
-    hash = "sha256-tcWH5VbjIBSHinfjirxbUhxqgU0xOUlcHTQHraMuALg=";
+    hash = "sha256-lNSE0Yit+FmM8opC4XYtfVef7JfGd3wMKbLj67Kp4Qw=";
  };

  # Relax Python dependency version constraints
--- a/pkgs/n8n/default.nix
+++ b/pkgs/n8n/default.nix
@@ -26,20 +26,20 @@
 in
  stdenv.mkDerivation (finalAttrs: {
    pname = "n8n";
-    version = "2.17.5";
+    version = "2.18.5";

    src = fetchFromGitHub {
      owner = "n8n-io";
      repo = "n8n";
      tag = "n8n@${finalAttrs.version}";
-      hash = "sha256-JwPrQOohXXeuUEcr5S+41ZElBJ3TxR3cgT45CjbzyR4=";
+      hash = "sha256-ws0DXGQFR+z3nVyd4Yn9pIM7yh+H6GnuCRSLxgvtPxo=";
    };

    pnpmDeps = fetchPnpmDeps {
      inherit (finalAttrs) pname version src;
      pnpm = pnpm_10;
      fetcherVersion = 3;
-      hash = "sha256-MBSxAsZXCaxwQpstJVxOOCIAE+0RqwlIrgXtE/hiTJM=";
+      hash = "sha256-Ajgne0neNm6HgMK6z3jnEkUJJxVOTgzjpSaMaJgIndQ=";
    };

    nativeBuildInputs =
--- a/pkgs/n8n/update.sh
+++ b/pkgs/n8n/update.sh
@@ -1,8 +1,29 @@
 #!/usr/bin/env nix-shell
-#!nix-shell --pure -i bash -p bash curl jq nix-update cacert git
+#!nix-shell -i bash -p bash curl jq nix-update cacert git nix
 set -euo pipefail

-# n8n now publishes two releases per version: a "stable" tag and a "n8n@X.Y.Z" versioned tag.
-# Skip the "stable" tag and get the actual version from the next release.
-new_version="$(curl -s "https://api.github.com/repos/n8n-io/n8n/releases" | jq --raw-output 'map(select(.tag_name != "stable")) | .[0].tag_name | ltrimstr("n8n@")')"
-nix-update n8n --flake --version "$new_version"
+# n8n releases are published with two tags per version:
+#   - "n8n@X.Y.Z" - the versioned tag
+#   - "stable"   - always points to the latest stable version
+#
+# We query the "stable" tag and extract the version from its target commitish (e.g., "release/2.18.5").
+# This ensures we always get the actual latest stable version, not the most recently created tag.
+
+set -euo pipefail
+
+# Get the directory where this script lives (should be pkgs/n8n/)
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Get the nixpkgs root (parent of pkgs/)
+nixpkgs_root="$(cd "$script_dir/../.." && pwd)"
+
+cd "$nixpkgs_root"
+
+# Query the "stable" tag and extract version from target_commitish (e.g., "release/2.18.5")
+new_version=$(curl -s "https://api.github.com/repos/n8n-io/n8n/releases/tags/stable" | jq --raw-output '.target_commitish | ltrimstr("release/")')
+
+echo "Latest stable version: n8n@${new_version}"
+echo "Running from: $(pwd)"
+
+# Use --flake --system to properly evaluate the flake-based package
+nix-update --flake --system x86_64-linux n8n --version "$new_version"
--- a/pkgs/opencode-desktop/default.nix
+++ b/pkgs/opencode-desktop/default.nix
@@ -1,114 +0,0 @@
-{
-  lib,
-  stdenv,
-  symlinkJoin,
-  makeWrapper,
-  rustPlatform,
-  pkg-config,
-  cargo-tauri,
-  bun,
-  nodejs,
-  cargo,
-  rustc,
-  jq,
-  wrapGAppsHook4,
-  dbus,
-  glib,
-  gtk4,
-  libsoup_3,
-  librsvg,
-  libappindicator,
-  glib-networking,
-  openssl,
-  webkitgtk_4_1,
-  gst_all_1,
-  inputs ? null,
-}: let
-  # Get upstream opencode package for shared attributes
-  opencode = inputs.opencode.packages.${stdenv.hostPlatform.system}.default;
-
-  # Workaround for https://github.com/anomalyco/opencode/issues/11755
-  # Upstream is missing outputHashes for git dependencies
-  # Also fix stale npm deps hash in upstream node_modules FOD
-  fixedNodeModules = opencode.node_modules.overrideAttrs {
-    outputHash = "sha256-285KZ7rZLRoc6XqCZRHc25NE+mmpGh/BVeMpv8aPQtQ=";
-  };
-
-  opencode-desktop = rustPlatform.buildRustPackage (finalAttrs: {
-    pname = "opencode-desktop";
-    version = opencode.version;
-    src = opencode.src;
-    node_modules = fixedNodeModules;
-    patches = opencode.patches;
-
-    cargoRoot = "packages/desktop/src-tauri";
-    cargoLock = {
-      lockFile = finalAttrs.src + "/packages/desktop/src-tauri/Cargo.lock";
-      outputHashes = {
-        "specta-2.0.0-rc.22" = "sha256-YsyOAnXELLKzhNlJ35dHA6KGbs0wTAX/nlQoW8wWyJQ=";
-        "tauri-2.9.5" = "sha256-dv5E/+A49ZBvnUQUkCGGJ21iHrVvrhHKNcpUctivJ8M=";
-        "tauri-specta-2.0.0-rc.21" = "sha256-n2VJ+B1nVrh6zQoZyfMoctqP+Csh7eVHRXwUQuiQjaQ=";
-      };
-    };
-    buildAndTestSubdir = finalAttrs.cargoRoot;
-
-    nativeBuildInputs =
-      [pkg-config cargo-tauri.hook bun nodejs cargo rustc jq makeWrapper]
-      ++ lib.optionals stdenv.hostPlatform.isLinux [wrapGAppsHook4];
-
-    buildInputs = lib.optionals stdenv.isLinux [
-      dbus
-      glib
-      gtk4
-      libsoup_3
-      librsvg
-      libappindicator
-      glib-networking
-      openssl
-      webkitgtk_4_1
-      gst_all_1.gstreamer
-      gst_all_1.gst-plugins-base
-      gst_all_1.gst-plugins-good
-      gst_all_1.gst-plugins-bad
-    ];
-
-    strictDeps = true;
-
-    preBuild = ''
-      cp -a ${finalAttrs.node_modules}/{node_modules,packages} .
-      chmod -R u+w node_modules packages
-      patchShebangs node_modules
-      patchShebangs packages/desktop/node_modules
-
-      mkdir -p packages/desktop/src-tauri/sidecars
-      cp ${opencode}/bin/opencode packages/desktop/src-tauri/sidecars/opencode-cli-${stdenv.hostPlatform.rust.rustcTarget}
-    '';
-
-    tauriBuildFlags = ["--config" "tauri.prod.conf.json" "--no-sign"];
-
-    postFixup = lib.optionalString stdenv.hostPlatform.isLinux ''
-      mv $out/bin/OpenCode $out/bin/opencode-desktop
-      sed -i 's|^Exec=OpenCode$|Exec=opencode-desktop|' $out/share/applications/OpenCode.desktop
-    '';
-  });
-  # Wrapper for Wayland support
-in
-  symlinkJoin {
-    name = "opencode-desktop";
-    paths = [opencode-desktop];
-
-    nativeBuildInputs = [makeWrapper];
-
-    postBuild = ''
-      wrapProgram $out/bin/opencode-desktop \
-        --run 'if [[ "$NIXOS_OZONE_WL" == "1" ]]; then export OC_ALLOW_WAYLAND=1; fi'
-    '';
-
-    meta = {
-      description = "OpenCode Desktop App with Wayland support";
-      homepage = "https://opencode.ai";
-      license = lib.licenses.mit;
-      platforms = lib.platforms.linux;
-      mainProgram = "opencode-desktop";
-    };
-  }
--- a/pkgs/sidecar/default.nix
+++ b/pkgs/sidecar/default.nix
@@ -13,16 +13,16 @@
 }:
 buildGoModule (finalAttrs: {
  pname = "sidecar";
-  version = "0.83.0";
+  version = "0.84.0";

  src = fetchFromGitHub {
    owner = "marcus";
    repo = "sidecar";
    tag = "v${finalAttrs.version}";
-    hash = "sha256-L6q2eZO1rNngWwHVhBJ2ftVbvYTConpqYHEb3nwiXxs=";
+    hash = "sha256-80ldZlaZ99ti8dvw+Awev7ucz03iOVD2yzz/+IFHDvA=";
  };

-  vendorHash = "sha256-fIaHzc0L4jwVSh/YjrXBB7nENqCgOfHF5bnljFsGbVo=";
+  vendorHash = "sha256-IDD+hQZODNPj+Gy9CX5GFdMcsvt75aFLpabXZehAjaw=";

  subPackages = ["cmd/sidecar"];

--- a/pkgs/td/default.nix
+++ b/pkgs/td/default.nix
@@ -9,13 +9,13 @@
 }:
 buildGoModule (finalAttrs: {
  pname = "td";
-  version = "0.43.0";
+  version = "0.44.0";

  src = fetchFromGitHub {
    owner = "marcus";
    repo = "td";
    tag = "v${finalAttrs.version}";
-    hash = "sha256-DwzuXumEEQWfZW+GbbY9kyqkEFZQ9sC+sSbVxfrY6bM=";
+    hash = "sha256-k1OCK6LE99fHLuxv8HZUW8cSn2Wmk74J7kb6Mi5ZpVw=";
  };

  vendorHash = "sha256-hFFG+vLXcL2NNdLQvQZ1hzu++pp5AkbFOPQS10wtsec=";
--- a/shells/coding.nix
+++ b/shells/coding.nix
@@ -57,7 +57,6 @@ in
      customPackages.sidecar

      # Code analysis tools
-      customPackages.code2prompt

      # Nix development tools (for this repo)
      nil
Author	SHA1	Message	Date
nix-update bot	c6c3ffb548	chore: update flake inputs	2026-05-01 16:01:13 +02:00
nix-update bot	9b423315b3	chore: update flake inputs All checks were successful Update Nix Packages with nix-update / nix-update (push) Successful in 2m42s Details	2026-05-01 04:01:14 +02:00
nix-update bot	14d906ef93	chore: update flake inputs All checks were successful Update Nix Packages with nix-update / nix-update (push) Successful in 2m36s Details	2026-04-30 16:01:17 +02:00
nix-update bot	e7393d6fa4	chore: update flake inputs All checks were successful Update Nix Packages with nix-update / nix-update (push) Successful in 4m6s Details	2026-04-30 04:00:54 +02:00
m3ta-chiron	1da8c96447	fix(pi): correct guardrails enable option string Some checks failed Update Nix Packages with nix-update / nix-update (push) Failing after 34m23s Details	2026-04-29 20:07:12 +02:00
m3ta-chiron	6a8cb62903	style(pi): format guardrails module with alejandra	2026-04-29 19:51:35 +02:00
m3ta-chiron	a3e247e5af	feat(pi): add guardrails config option for pi-guardrails integration Adds a guardrails submodule option to coding.agents.pi that: - Generates ~/.pi/agent/extensions/guardrails.json when enabled - Automatically injects @aliou/pi-guardrails package into settings.packages - Provides structured options for policies, pathAccess, and permissionGate The module generates the JSON config that pi-guardrails reads for its security hooks (policies, permission-gate, path-access). Limitations documented in option descriptions: - Path access checks are lexical (not symlink-safe) - Local project guardrails.json can override global rule IDs	2026-04-29 19:48:10 +02:00
m3ta-chiron	f7f0c4072e	fix(n8n): use stable tag target to get actual version The previous jq filter grabbed the first non-stable release by creation date, which incorrectly returned 1.123.38 instead of the latest stable 2.18.5. Now query the 'stable' tag directly and extract version from its target_commitish (e.g., 'release/2.18.5' -> '2.18.5'), ensuring we always get the actual latest stable version. Also bump version from 2.17.8 to 2.18.5 with updated hashes.	2026-04-29 18:40:49 +02:00
m3tm3re	e601fde026	kestractl: 1.2.2 -> 1.3.0	2026-04-29 18:39:03 +02:00
nix-update bot	642e764b81	chore: update flake inputs	2026-04-29 16:01:26 +02:00
nix-update bot	0a224db2fc	chore: update flake inputs All checks were successful Update Nix Packages with nix-update / nix-update (push) Successful in 2m39s Details	2026-04-29 04:01:44 +02:00
nix-update bot	69e8fb93be	chore: update flake inputs All checks were successful Update Nix Packages with nix-update / nix-update (push) Successful in 23m34s Details	2026-04-28 16:01:26 +02:00
nix-update bot	c63ecc899c	td: 0.43.0 -> 0.44.0 All checks were successful Update Nix Packages with nix-update / nix-update (push) Successful in 2m35s Details Diff: https://github.com/marcus/td/compare/v0.43.0...v0.44.0	2026-04-28 04:03:27 +02:00
nix-update bot	5d2bfbd27c	sidecar: 0.83.0 -> 0.84.0 Diff: https://github.com/marcus/sidecar/compare/v0.83.0...v0.84.0 Changelog: https://github.com/marcus/sidecar/releases/tag/v0.84.0	2026-04-28 04:02:57 +02:00
nix-update bot	66c398d196	mem0: 1.0.9 -> 2.0.1 Diff: https://github.com/mem0ai/mem0/compare/v1.0.9...v2.0.1 Changelog: https://github.com/mem0ai/mem0/releases/tag/v2.0.1	2026-04-28 04:02:08 +02:00
nix-update bot	729ea971c5	chore: update flake inputs	2026-04-28 04:01:09 +02:00
m3tm3re	ce16dfff2e	chore(beads): initialize issue tracker Some checks failed Update Nix Packages with nix-update / nix-update (push) Failing after 37m14s Details Add nixpkgs-ng1 task: Configure agent git identity	2026-04-27 20:16:27 +02:00
m3tm3re	31464e245e	chore(nix): remove deprecated packages - Remove opencode flake input (old v1.4.3 URL, superseded) - Remove code2prompt package - Remove opencode-desktop package	2026-04-27 20:14:18 +02:00
m3ta-chiron	251a6892a3	fix(n8n): resolve nix-update hash prefetch failure - Remove --pure from nix-shell shebang to allow network access - Add --flake --system x86_64-linux for proper flake evaluation - Navigate to nixpkgs root before running nix-update - Also bump version 2.17.5 -> 2.17.8	2026-04-27 19:46:14 +02:00
m3tam3re	95aeff28ad	Merge pull request 'feature/agent-git-identity' (#16 ) from feature/agent-git-identity into master Reviewed-on: #16	2026-04-27 17:56:26 +02:00
m3tm3re	fa339ae8cc	fix(agents): correct shared-options.nix import paths from ../ to ./	2026-04-27 13:17:11 +02:00
m3tm3re	cec0c31d91	fix(agents): correct shared-options.nix import path	2026-04-27 13:11:11 +02:00
m3tm3re	6a8360305d	fix(agents): remove shared-options.nix from imports to avoid module system conflict	2026-04-27 13:08:40 +02:00
m3tm3re	5edd0929d0	fix(agents): correct import paths for shared module	2026-04-27 13:00:52 +02:00
m3tm3re	60aeec7cfe	feat(agents): add gitIdentity module - Renamed shared-options.nix to shared/shared-options.nix - Created shared/default.nix importing git-identity.nix and shared-options.nix - Created shared/git-identity.nix with gitIdentity option set: - enable: Toggle for agent git identity - name: Git author name (default: m3ta-chiron) - email: Git author email (default: m3ta-chiron@agentmail.to) - signingKey: Optional GPG signing key path - sshKey: SSH private key path for git push auth - Updated opencode.nix, pi.nix, claude-code.nix to import shared/default.nix - Restructured modules to follow proper Nix module syntax with imports at top level	2026-04-27 12:43:56 +02:00
				`@@ -0,0 +1 @@`
				{"id":"nixpkgs-ng1","title":"Configure agent git identity in nixpkgs repo","description":"Git commits are using p@m3ta.dev instead of m3ta-chiron@agentmail.to. The GIT_AUTHOR_NAME and GIT_AUTHOR_EMAIL environment variables are not set in this environment. Need to configure the agent git identity for this repository following the pattern in AGENTS.md","status":"open","priority":2,"issue_type":"task","owner":"p@m3ta.dev","created_at":"2026-04-27T18:16:17Z","created_by":"m3tm3re","updated_at":"2026-04-27T18:16:17Z","dependency_count":0,"dependent_count":0,"comment_count":0}