chore: update flake inputs

2026-05-01 16:01:13 +02:00 · 2026-05-01 04:01:14 +02:00 · 2026-04-30 16:01:17 +02:00 · 2026-04-30 04:00:54 +02:00 · 2026-04-29 20:07:12 +02:00 · 2026-04-29 19:51:35 +02:00
5 changed files with 100 additions and 28 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -3,11 +3,11 @@
    "agents": {
      "flake": false,
      "locked": {
-        "lastModified": 1777305531,
-        "narHash": "sha256-8GM2Aydq9i8KbvyObqyMYhWkY+e7oh3+eyMfUVnt6Oo=",
+        "lastModified": 1777399938,
+        "narHash": "sha256-xXPqUQezDdDtF8MbpZnwD1HkybOYwF92evx8rJ6OXCU=",
        "ref": "refs/heads/master",
-        "rev": "3829556188ee7a5bcdb23afa5ca5d50d6b621085",
-        "revCount": 81,
+        "rev": "9a91f1ee0cf011a7eaf1f16a9e17610b0457e055",
+        "revCount": 85,
        "type": "git",
        "url": "https://code.m3ta.dev/m3tam3re/AGENTS"
      },
@@ -39,11 +39,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1776877367,
-        "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
+        "lastModified": 1777268161,
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
        "type": "github"
      },
      "original": {
@@ -55,11 +55,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1777339203,
-        "narHash": "sha256-c5ztVZKSI8oQWB3TH1gRRKUsDOAa5hCL9hayN62cFfk=",
+        "lastModified": 1777643636,
+        "narHash": "sha256-7vvm5Ia8o3g7YNErFcDsbCx+Pk8HbnA+ZYuA5Zga7hY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1e6f8d0bbbc27582692e90069c474ae833ca6989",
+        "rev": "da2366fac507ce7bd31852e7351e55b951656999",
        "type": "github"
      },
      "original": {
@@ -76,11 +76,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776788052,
-        "narHash": "sha256-L4LBHVVtgMhSJm+IzZSYOR0UXPbvIRg4xiEV5urYxdI=",
+        "lastModified": 1777556999,
+        "narHash": "sha256-HfFlRwR8IMjudRttN4T8L3DJKnNlpWfeNzQPly/HaRY=",
        "owner": "Fission-AI",
        "repo": "OpenSpec",
-        "rev": "3c7a05c5dc88b2397c478805890b55ed392b19e8",
+        "rev": "347f0277e3be3549cd85cdea364fbd7710f1922b",
        "type": "github"
      },
      "original": {
--- a/modules/home-manager/coding/agents/pi.nix
+++ b/modules/home-manager/coding/agents/pi.nix
@@ -202,6 +202,38 @@
          See pi docs/settings.md for all options.
        '';
      };
+
+      # ── Pi Guardrails ─────────────────────────────────────────────
+      guardrails = mkOption {
+        type = types.nullOr (types.submodule {
+          options = {
+            enable =
+              mkEnableOption
+              ("Generate ~/.pi/agent/extensions/guardrails.json for pi-guardrails. "
+                + "Adds @aliou/pi-guardrails to packages automatically.");
+
+            config = mkOption {
+              type = types.attrsOf types.anything;
+              default = {};
+              description = ''
+                Guardrails configuration written to ~/.pi/agent/extensions/guardrails.json.
+                See https://github.com/aliou/pi-guardrails for config schema.
+
+                IMPORTANT: Path access checks are lexical (not symlink-safe).
+                Local project .pi/extensions/guardrails.json can override same rule IDs
+                (memory > local > global > defaults). For immutable global policies,
+                consider a wrapper or upstream patch.
+              '';
+            };
+          };
+        });
+        default = null;
+        description = ''
+          Pi Guardrails security configuration.
+          Generates ~/.pi/agent/extensions/guardrails.json when enabled.
+          The @aliou/pi-guardrails package is added to settings.packages automatically.
+        '';
+      };
    };

  config = with lib; let
@@ -224,8 +256,37 @@
          attrs
        );

+      # Base settings (already filtered)
      piSettings = filterNulls cfg.settings;

+      # Guardrails package to inject when guardrails is enabled
+      guardrailsPackage = "npm:@aliou/pi-guardrails@0.11.1";
+
+      # Guardrails config (only when guardrails is enabled)
+      guardrailsJson =
+        if (cfg.guardrails != null && cfg.guardrails.enable)
+        then builtins.toJSON cfg.guardrails.config
+        else null;
+
+      # Merge guardrails package into settings.packages when guardrails is enabled
+      piSettingsWithGuardrails = let
+        baseSettings = cfg.settings;
+        basePackages = baseSettings.packages or [];
+        hasGuardrailsPackage =
+          lib.any
+          (p:
+            lib.hasPrefix "npm:@aliou/pi-guardrails" p
+            || (lib.hasPrefix "git:" p && lib.hasSuffix "/pi-guardrails" p))
+          basePackages;
+        packagesWithGuardrails =
+          if (cfg.guardrails != null && cfg.guardrails.enable && !hasGuardrailsPackage)
+          then basePackages ++ [guardrailsPackage]
+          else basePackages;
+      in
+        if packagesWithGuardrails != basePackages
+        then filterNulls (baseSettings // {packages = packagesWithGuardrails;})
+        else piSettings;
+
      # Coding rules config for renderForPi (only when both agentsInput and codingRules are set)
      piCodingRules =
        if cfg.agentsInput != null && cfg.codingRules != null
@@ -269,10 +330,16 @@

        # ── ~/.pi/agent/settings.json ──────────────────────────────────
        {
-          ".pi/agent/settings.json".text = builtins.toJSON piSettings;
+          ".pi/agent/settings.json".text = builtins.toJSON piSettingsWithGuardrails;
          ".pi/agent/settings.json".force = true;
        }

+        # ── pi-guardrails config ─────────────────────────────────────
+        (mkIf (guardrailsJson != null) {
+          ".pi/agent/extensions/guardrails.json".text = guardrailsJson;
+          ".pi/agent/extensions/guardrails.json".force = true;
+        })
+
        # ── AGENTS.md — agent descriptions and specialist listing ──────
        (mkIf (cfg.agentsInput != null) {
          ".pi/agent/AGENTS.md".source = "${rendered}/AGENTS.md";
--- a/pkgs/kestractl/sources.json
+++ b/pkgs/kestractl/sources.json
@@ -1,13 +1,13 @@
 {
-  "version": "1.2.2",
+  "version": "1.3.0",
  "sources": {
    "aarch64-linux": {
-      "url": "https://github.com/kestra-io/kestractl/releases/download/1.2.2/kestractl_1.2.2_linux_arm64.tar.gz",
-      "hash": "sha256-sidFsCZPnJ07PM5QayPBqaqlBBJTLEdecfd0AWnL7Yo="
+      "url": "https://github.com/kestra-io/kestractl/releases/download/1.3.0/kestractl_1.3.0_linux_arm64.tar.gz",
+      "hash": "sha256-/18F6CZnnLbet4BmI1oQ5pZWkJwIshCq30qd+cm0GGA="
    },
    "x86_64-linux": {
-      "url": "https://github.com/kestra-io/kestractl/releases/download/1.2.2/kestractl_1.2.2_linux_amd64.tar.gz",
-      "hash": "sha256-0C2naN2ougBJSY2z2m6eORnLkLen87HD+a+gvtrUvdw="
+      "url": "https://github.com/kestra-io/kestractl/releases/download/1.3.0/kestractl_1.3.0_linux_amd64.tar.gz",
+      "hash": "sha256-xmsBiqNKvob8xHDyU253o6c25YIubHanNdLqzWaOvSA="
    }
  }
 }
--- a/pkgs/n8n/default.nix
+++ b/pkgs/n8n/default.nix
@@ -26,20 +26,20 @@
 in
  stdenv.mkDerivation (finalAttrs: {
    pname = "n8n";
-    version = "2.17.8";
+    version = "2.18.5";

    src = fetchFromGitHub {
      owner = "n8n-io";
      repo = "n8n";
      tag = "n8n@${finalAttrs.version}";
-      hash = "sha256-+Fr7zYca4+3R9J77TkHTGki8oz4FrE9MNsxOaDCF2GM=";
+      hash = "sha256-ws0DXGQFR+z3nVyd4Yn9pIM7yh+H6GnuCRSLxgvtPxo=";
    };

    pnpmDeps = fetchPnpmDeps {
      inherit (finalAttrs) pname version src;
      pnpm = pnpm_10;
      fetcherVersion = 3;
-      hash = "sha256-MBSxAsZXCaxwQpstJVxOOCIAE+0RqwlIrgXtE/hiTJM=";
+      hash = "sha256-Ajgne0neNm6HgMK6z3jnEkUJJxVOTgzjpSaMaJgIndQ=";
    };

    nativeBuildInputs =
--- a/pkgs/n8n/update.sh
+++ b/pkgs/n8n/update.sh
@@ -2,9 +2,14 @@
 #!nix-shell -i bash -p bash curl jq nix-update cacert git nix
 set -euo pipefail

-# n8n now publishes two releases per version: a "stable" tag and a "n8n@X.Y.Z" versioned tag.
-# Skip the "stable" tag and get the actual version from the next release.
-# Note: We removed --pure from the shebang because nix-update needs network access to prefetch hashes.
+# n8n releases are published with two tags per version:
+#   - "n8n@X.Y.Z" - the versioned tag
+#   - "stable"   - always points to the latest stable version
+#
+# We query the "stable" tag and extract the version from its target commitish (e.g., "release/2.18.5").
+# This ensures we always get the actual latest stable version, not the most recently created tag.
+
+set -euo pipefail

 # Get the directory where this script lives (should be pkgs/n8n/)
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
@@ -14,10 +19,10 @@ nixpkgs_root="$(cd "$script_dir/../.." && pwd)"

 cd "$nixpkgs_root"

-release_info=$(curl -s "https://api.github.com/repos/n8n-io/n8n/releases")
-new_version=$(echo "$release_info" | jq --raw-output 'map(select(.tag_name != "stable")) | .[0].tag_name | ltrimstr("n8n@")')
+# Query the "stable" tag and extract version from target_commitish (e.g., "release/2.18.5")
+new_version=$(curl -s "https://api.github.com/repos/n8n-io/n8n/releases/tags/stable" | jq --raw-output '.target_commitish | ltrimstr("release/")')

-echo "Latest version: n8n@${new_version}"
+echo "Latest stable version: n8n@${new_version}"
 echo "Running from: $(pwd)"

 # Use --flake --system to properly evaluate the flake-based package
Author	SHA1	Message	Date
nix-update bot	c6c3ffb548	chore: update flake inputs	2026-05-01 16:01:13 +02:00
nix-update bot	9b423315b3	chore: update flake inputs All checks were successful Update Nix Packages with nix-update / nix-update (push) Successful in 2m42s Details	2026-05-01 04:01:14 +02:00
nix-update bot	14d906ef93	chore: update flake inputs All checks were successful Update Nix Packages with nix-update / nix-update (push) Successful in 2m36s Details	2026-04-30 16:01:17 +02:00
nix-update bot	e7393d6fa4	chore: update flake inputs All checks were successful Update Nix Packages with nix-update / nix-update (push) Successful in 4m6s Details	2026-04-30 04:00:54 +02:00
m3ta-chiron	1da8c96447	fix(pi): correct guardrails enable option string Some checks failed Update Nix Packages with nix-update / nix-update (push) Failing after 34m23s Details	2026-04-29 20:07:12 +02:00
m3ta-chiron	6a8cb62903	style(pi): format guardrails module with alejandra	2026-04-29 19:51:35 +02:00
m3ta-chiron	a3e247e5af	feat(pi): add guardrails config option for pi-guardrails integration Adds a guardrails submodule option to coding.agents.pi that: - Generates ~/.pi/agent/extensions/guardrails.json when enabled - Automatically injects @aliou/pi-guardrails package into settings.packages - Provides structured options for policies, pathAccess, and permissionGate The module generates the JSON config that pi-guardrails reads for its security hooks (policies, permission-gate, path-access). Limitations documented in option descriptions: - Path access checks are lexical (not symlink-safe) - Local project guardrails.json can override global rule IDs	2026-04-29 19:48:10 +02:00
m3ta-chiron	f7f0c4072e	fix(n8n): use stable tag target to get actual version The previous jq filter grabbed the first non-stable release by creation date, which incorrectly returned 1.123.38 instead of the latest stable 2.18.5. Now query the 'stable' tag directly and extract version from its target_commitish (e.g., 'release/2.18.5' -> '2.18.5'), ensuring we always get the actual latest stable version. Also bump version from 2.17.8 to 2.18.5 with updated hashes.	2026-04-29 18:40:49 +02:00
m3tm3re	e601fde026	kestractl: 1.2.2 -> 1.3.0	2026-04-29 18:39:03 +02:00
nix-update bot	642e764b81	chore: update flake inputs	2026-04-29 16:01:26 +02:00
nix-update bot	0a224db2fc	chore: update flake inputs All checks were successful Update Nix Packages with nix-update / nix-update (push) Successful in 2m39s Details	2026-04-29 04:01:44 +02:00
nix-update bot	69e8fb93be	chore: update flake inputs All checks were successful Update Nix Packages with nix-update / nix-update (push) Successful in 23m34s Details	2026-04-28 16:01:26 +02:00