# Code Review: Config & Packaging

## Scope

- `pkg/config/`
- `config.example.toml`
- `go.mod`, `go.sum`
- `flake.nix`
- `vendor/`

## Findings

### ✅ Strengths

- Config validation enforces required Matrix fields and defaults the state store path.
- Example config mirrors the runtime schema and is easy to follow.
- Nix flake uses `buildGoModule` and includes systemd hardening defaults.

### ⚠️ Issues / Opportunities

1. **`vendorHash = null` hides dependency drift**
   - `flake.nix` is set to `vendorHash = null`, so Nix will accept the vendor tree without integrity verification.
   - Consider pinning a hash once the vendor tree is stable.

2. **Go toolchain version mismatch in dev shell**
   - `go.mod` specifies Go 1.24.0, but the dev shell uses `pkgs.go` (likely 1.23).
   - Consider pinning `go_1_24` in the devShell to match the module requirement.

3. **Config file parsing assumes local disk**
   - Config load is file-only; there are no env overrides for access tokens.
   - Consider documenting secret handling if deploying in production.

## Notes

- `config.toml` is ignored by git; ensure deployments generate a proper Matrix config.
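The following is an added illustration of finding 3, not code from the reviewed project: a loader that reads the config file, lets an environment variable (`MATRIX_ACCESS_TOKEN`, an assumed name) override the access token so the secret need not live on disk, and then applies the required-field validation and state-path default the review mentions. The config keys (`matrix.homeserver`, `matrix.user_id`, `matrix.access_token`, `state.path`), the default path, and the minimal TOML-subset parser are all assumptions made for this example; a real loader would use a proper TOML library.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// Config is an assumed subset of the bot's schema, not the project's real type.
type Config struct {
	Homeserver  string // [matrix] homeserver
	UserID      string // [matrix] user_id
	AccessToken string // [matrix] access_token (secret)
	StatePath   string // [state] path
}

// parseTOMLSubset understands only `[table]` headers and `key = "string"` lines.
// It exists so the example runs offline; it is not a TOML implementation.
func parseTOMLSubset(text string) (map[string]string, error) {
	out := map[string]string{}
	table := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			table = strings.TrimSuffix(strings.TrimPrefix(line, "["), "]")
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		v = strings.TrimSpace(v)
		if len(v) < 2 || v[0] != '"' || v[len(v)-1] != '"' {
			return nil, fmt.Errorf("only quoted string values are supported: %q", line)
		}
		key := strings.TrimSpace(k)
		if table != "" {
			key = table + "." + key
		}
		out[key] = v[1 : len(v)-1]
	}
	return out, sc.Err()
}

// Load parses the file text, applies the env override for the token, fills the
// state-path default, and validates. lookupEnv is injected (os.LookupEnv in
// production) so the loader can be tested without touching the real environment.
func Load(text string, lookupEnv func(string) (string, bool)) (Config, error) {
	kv, err := parseTOMLSubset(text)
	if err != nil {
		return Config{}, err
	}
	cfg := Config{
		Homeserver:  kv["matrix.homeserver"],
		UserID:      kv["matrix.user_id"],
		AccessToken: kv["matrix.access_token"],
		StatePath:   kv["state.path"],
	}
	// The environment wins over the file, so the token can be supplied by the
	// service manager instead of being committed to disk alongside the config.
	if tok, ok := lookupEnv("MATRIX_ACCESS_TOKEN"); ok && tok != "" {
		cfg.AccessToken = tok
	}
	if cfg.StatePath == "" {
		cfg.StatePath = "/var/lib/matrixbot/state.db" // assumed default
	}
	return cfg, validate(cfg)
}

// validate reports every missing required Matrix field at once.
func validate(cfg Config) error {
	var missing []string
	if cfg.Homeserver == "" {
		missing = append(missing, "matrix.homeserver")
	}
	if cfg.UserID == "" {
		missing = append(missing, "matrix.user_id")
	}
	if cfg.AccessToken == "" {
		missing = append(missing, "matrix.access_token (or MATRIX_ACCESS_TOKEN)")
	}
	if len(missing) > 0 {
		return fmt.Errorf("missing required config: %s", strings.Join(missing, ", "))
	}
	return nil
}

func main() {
	// Constructed sample: the file deliberately omits the token.
	sample := "[matrix]\nhomeserver = \"https://matrix.example.org\"\nuser_id = \"@bot:example.org\"\n"
	cfg, err := Load(sample, os.LookupEnv)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	fmt.Printf("loaded config for %s (state at %s)\n", cfg.UserID, cfg.StatePath)
}
```

Run with `MATRIX_ACCESS_TOKEN=... go run .` to see the override take effect; without the variable, the loader refuses to start rather than silently running with an empty token.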