bd sync: 2026-01-03 18:39:05

.beads/issues.jsonl

@@ -2,9 +2,10 @@
 {"id":"ops-jrz1-03o","title":"Upgrade mautrix-slack to v25.11","description":"Upgrade is just flake update + deploy. Current deployed: v0.2.3+dev.unknown (Oct 13). Flake lock: v25.10 (Oct 22). Latest nixpkgs-unstable: v25.11. Run: nix flake update nixpkgs-unstable \u0026\u0026 deploy. May fix edit panic (ops-jrz1-qxr).","status":"closed","priority":2,"issue_type":"task","created_at":"2025-12-05T18:24:18.332067067-08:00","updated_at":"2025-12-05T19:07:09.156981447-08:00","closed_at":"2025-12-05T19:07:09.156981447-08:00"}
 {"id":"ops-jrz1-0tk","title":"Set up backup strategy for /home dev directories","description":"User home directories contain work that should be backed up. Options: (1) Daily tarball to object storage, (2) Restic/borg to remote, (3) Syncthing to another host, (4) Just document that users should push to git. Consider: frequency, retention, restore process, cost.","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-03T14:17:56.208262155-08:00","created_by":"dan","updated_at":"2026-01-03T14:17:56.208262155-08:00"}
 {"id":"ops-jrz1-1bk","title":"Add CPU watchdog timer","description":"Systemd timer that detects sustained CPU abuse and kills offending user.\n\n## Script: /usr/local/bin/cpu-watchdog\n```bash\n#\\!/usr/bin/env bash\n# Detect sustained CPU abuse, kill after 5 consecutive violations\nTHRESHOLD=180  # 180% CPU (almost 2 cores)\nCOUNTFILE=\"/var/lib/cpu-watchdog\"\nmkdir -p \"$COUNTFILE\"\n\nfor user in $(ls /home); do\n  id \"$user\" \u0026\u003e/dev/null || continue\n  pct=$(ps -u \"$user\" -o %cpu= 2\u003e/dev/null | awk '{s+=$1}END{print int(s)}')\n  pct=${pct:-0}\n  \n  if [ \"$pct\" -gt \"$THRESHOLD\" ]; then\n    count=$(cat \"$COUNTFILE/$user\" 2\u003e/dev/null || echo 0)\n    count=$((count + 1))\n    echo \"$count\" \u003e \"$COUNTFILE/$user\"\n    logger -t cpu-watchdog \"User $user at ${pct}% CPU (strike $count/5)\"\n    \n    if [ \"$count\" -ge 5 ]; then\n      /usr/local/bin/killswitch \"$user\" \"sustained CPU abuse (${pct}%)\"\n      rm -f \"$COUNTFILE/$user\"\n    fi\n  else\n    rm -f \"$COUNTFILE/$user\"\n  fi\ndone\n```\n\n## Systemd timer\n```nix\nsystemd.services.cpu-watchdog = {\n  script = ''/usr/local/bin/cpu-watchdog'';\n  serviceConfig.Type = \"oneshot\";\n};\nsystemd.timers.cpu-watchdog = {\n  wantedBy = [ \"timers.target\" ];\n  timerConfig = {\n    OnBootSec = \"1min\";\n    OnUnitActiveSec = \"1min\";\n  };\n};\n```\n\n## Behavior\n- Runs every minute\n- 5 consecutive minutes at \u003e180% CPU = kill\n- Resets counter if CPU drops below threshold","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T20:20:53.246401154-08:00","created_by":"dan","updated_at":"2026-01-02T21:02:35.469465906-08:00","closed_at":"2026-01-02T21:02:35.469465906-08:00","close_reason":"Closed","dependencies":[{"issue_id":"ops-jrz1-1bk","depends_on_id":"ops-jrz1-396","type":"blocks","created_at":"2026-01-02T20:21:14.270063028-08:00","created_by":"dan"}]}
-{"id":"ops-jrz1-1kv","title":"Set up terminfo for xterm-ghostty and other modern terminals","status":"open","priority":3,"issue_type":"task","created_at":"2026-01-03T11:34:42.133192121-08:00","created_by":"dan","updated_at":"2026-01-03T11:34:42.133192121-08:00"}
+{"id":"ops-jrz1-1kv","title":"Set up terminfo for xterm-ghostty and other modern terminals","status":"closed","priority":3,"issue_type":"task","created_at":"2026-01-03T11:34:42.133192121-08:00","created_by":"dan","updated_at":"2026-01-03T18:02:28.819727599-08:00","closed_at":"2026-01-03T18:02:28.819727599-08:00","close_reason":"Added pkgs-unstable.ghostty.terminfo and kitty.terminfo to configuration.nix, deployed successfully"}
 {"id":"ops-jrz1-2bu","title":"Direct Slack bot path for learners","description":"Alternative path: learners write Python bots using slack-bolt, connect directly to Slack via Socket Mode. No Matrix, no bridge.\n\n## Architecture\n```\nlearner code → slack-bolt → Socket Mode WebSocket → Slack API\n```\n\n## Status\n\n**Done:**\n- [x] /etc/slack-learner.env with shared tokens (xoxb-, xapp-)\n- [x] learners group for access control (dantest is member)\n- [x] learner-add.sh adds users to group, sources env in .bashrc\n- [x] Design doc: docs/learner-slack-direct.md\n\n**Not Done:**\n- [ ] Starter template (~/slack-bot-template/)\n- [ ] Process management (systemd user services or supervisor)\n- [ ] #learner-sandbox channel in Slack\n- [ ] End-to-end test with real learner\n\n## Tradeoffs vs Maubot/Matrix (ops-jrz1-2pm)\n- Faster feedback (direct to Slack)\n- Excellent slack-bolt docs\n- But: shared bot identity, manual process management\n\n## Ready to Use NOW\nWorks today with terminal editors (vim/nano):\n```bash\nssh alice@ops-jrz1\npip install slack-bolt\npython bot.py  # responds in Slack\n```\n\nVS Code Remote-SSH needs nix-ld deployed first.","status":"open","priority":2,"issue_type":"epic","created_at":"2025-12-29T18:56:10.239324326-05:00","created_by":"dan","updated_at":"2026-01-02T10:04:58.786306917-08:00"}
 {"id":"ops-jrz1-2pm","title":"Remote dev environment for learners","description":"Set up dev environments for learners to build maubot plugins (Matrix bots that can bridge to Slack).\n\n## Approach\nVS Code Remote-SSH + shared maubot + per-user Unix accounts\n\n## Architecture\n```\nlearner code → maubot → Matrix → mautrix-slack bridge → Slack\n```\n\n## Status\n\n**Done:**\n- [x] learner-add.sh / learner-remove.sh scripts\n- [x] Hello-world plugin template (templates/plugin-skeleton/)\n- [x] Test user `dantest` created with ~/plugins/hello-dantest/\n- [x] Maubot running and healthy\n\n**Not Done:**\n- [ ] nix-ld for VS Code Remote-SSH (config added, not deployed)\n- [ ] Test full VS Code Remote-SSH flow\n- [ ] Test Claude Code extension over Remote-SSH\n- [ ] #learners-sandbox Matrix room\n- [ ] Onboarding doc polish\n\n## Tradeoffs vs Direct Slack (ops-jrz1-2bu)\n- Slower feedback (bridge hop)\n- Sparse maubot docs\n- But: managed process lifecycle, per-bot identity\n\n## Docs\n- docs/learner-onboarding.md\n- docs/learner-admin.md","status":"open","priority":2,"issue_type":"epic","created_at":"2025-12-28T10:13:21.90764918-05:00","created_by":"dan","updated_at":"2026-01-02T10:04:58.472361796-08:00"}
+{"id":"ops-jrz1-2r9","title":"Remove unused 'config' parameter from configuration.nix","description":"deadnix reports unused lambda pattern 'config' at line 1. Either remove it or prefix with underscore.","status":"open","priority":4,"issue_type":"task","created_at":"2026-01-03T17:35:57.074498327-08:00","created_by":"dan","updated_at":"2026-01-03T17:35:57.074498327-08:00"}
 {"id":"ops-jrz1-30e","title":"Add gastown (gt) to system packages via flake input","description":"Add gastown CLI (gt) as a system-wide package.\n\n## What is gastown?\nGastown (gt) is the orchestration layer to beads' memory layer. Together they form a workflow for AI-supervised coding.\n\n## Status\n**BLOCKED**: No releases available yet. Repo uses GoReleaser but no tags/releases published.\n- Requires Go 1.24 to build from source\n- Once releases exist, add like beads: flake input + systemPackages\n\n## Source\ngithub:steveyegge/gastown\n\n## Workaround\nUsers can build locally: `go install github.com/steveyegge/gastown@latest`","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T16:37:47.093900357-08:00","created_by":"dan","updated_at":"2026-01-02T19:08:28.742017652-08:00","closed_at":"2026-01-02T19:08:28.742017652-08:00","close_reason":"Won't fix - not adding gastown to this server"}
 {"id":"ops-jrz1-396","title":"Add killswitch script","description":"Script to immediately terminate all processes for a user.\n\n## Script: /usr/local/bin/killswitch\n```bash\n#!/usr/bin/env bash\n# Usage: killswitch \u003cusername\u003e [reason]\nset -euo pipefail\nUSER=\"$1\"\nREASON=\"${2:-manual kill}\"\n\nif ! id \"$USER\" \u0026\u003e/dev/null; then\n  echo \"User not found: $USER\" \u003e\u00262\n  exit 1\nfi\n\nlogger -t killswitch \"Killing all processes for $USER: $REASON\"\npkill -u \"$USER\" || true\nloginctl terminate-user \"$USER\" 2\u003e/dev/null || true\necho \"Killed $USER: $REASON\"\n```\n\n## Usage\n```bash\n# Manual kill\nkillswitch dan \"investigating suspicious activity\"\n\n# From watchdog\nkillswitch dan \"sustained CPU abuse (250%)\"\n```\n\n## Notes\n- Logs to syslog with 'killswitch' tag\n- Terminates user session and all processes\n- Safe to run if user has no processes","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T20:19:35.306146948-08:00","created_by":"dan","updated_at":"2026-01-02T20:25:38.950670564-08:00","closed_at":"2026-01-02T20:25:38.950670564-08:00","close_reason":"Closed"}
 {"id":"ops-jrz1-3au","title":"Research: Learner deployment pipeline","description":"How does learner code get to \"prod\" (running services)?\n\n## Current context\n- Maubot: Upload .mbp via web UI\n- Slack bots: Manual `python bot.py` or systemd user service\n\n## Questions\n1. Can learners run persistent services? (`systemctl --user`)\n2. Should they have access to maubot admin UI?\n3. Git-based deploy? Push to trigger reload?\n4. Who can restart what?\n\n## Options\n- **Manual only** - Learner runs in foreground/tmux\n- **User systemd** - `systemctl --user enable mybot`\n- **Supervised** - Central supervisor manages learner procs\n- **GitOps** - Push to deploy (complex)\n\n## Security considerations\n- What if learner bot crashes in loop?\n- Resource limits on user services?\n- Can learner affect other learners' services?","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-02T12:27:34.107447487-08:00","created_by":"dan","updated_at":"2026-01-02T12:27:34.107447487-08:00"}
@@ -13,6 +14,7 @@
 {"id":"ops-jrz1-3fd","title":"Deploy and test single-user instance (Phase 1)","description":"Deploy one container for testing. Validate: WebSocket, extensions, terminal, opencode, memory usage. Access via SSH tunnel initially.","status":"open","priority":2,"issue_type":"task","created_at":"2025-12-05T17:16:54.783260036-08:00","updated_at":"2025-12-05T17:16:54.783260036-08:00","dependencies":[{"issue_id":"ops-jrz1-3fd","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:17:36.400677984-08:00","created_by":"daemon","metadata":"{}"},{"issue_id":"ops-jrz1-3fd","depends_on_id":"ops-jrz1-5oe","type":"blocks","created_at":"2025-12-05T17:17:38.708397909-08:00","created_by":"daemon","metadata":"{}"},{"issue_id":"ops-jrz1-3fd","depends_on_id":"ops-jrz1-av0","type":"blocks","created_at":"2025-12-05T17:17:38.721665448-08:00","created_by":"daemon","metadata":"{}"},{"issue_id":"ops-jrz1-3fd","depends_on_id":"ops-jrz1-9gd","type":"blocks","created_at":"2025-12-05T17:17:38.737824478-08:00","created_by":"daemon","metadata":"{}"}]}
 {"id":"ops-jrz1-3jo","title":"Test: VS Code extension execution location","description":"When using VS Code Remote-SSH, does Claude Code extension run locally or on server?\n\n## Why it matters\n- If local: needs to proxy commands to server, may have latency/sync issues\n- If remote: has direct access, simpler model, but needs install on server\n\n## Test plan\n1. Connect VS Code Remote-SSH to jrz1 as dantest\n2. Install Claude Code extension\n3. Observe where extension runs (check processes on both sides)\n4. Run a simple Claude command, see where execution happens\n5. Check if extension needs API key on server or uses local\n\n## Expected outcome\nDocument actual behavior for onboarding docs.","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-02T12:27:34.517565101-08:00","created_by":"dan","updated_at":"2026-01-02T12:27:34.517565101-08:00"}
 {"id":"ops-jrz1-3so","title":"Browser-based dev environment with opencode","description":"Epic: Provide VS Code in browser via code-server with opencode AI integration.\n\nKey decisions:\n- code-server in Podman containers (rootless)\n- opencode CLI + VS Code extension pre-installed\n- Subdomain routing (dan.code.clarun.xyz)\n- Custom container image\n- Target users: non-programmers, testers, learners\n\nDesign doc: specs/004-browser-dev-environment/design.md\n\nMigrated from ops-jrz1-ndl","status":"closed","priority":1,"issue_type":"epic","created_at":"2025-12-05T17:04:36.709352529-08:00","updated_at":"2025-12-28T00:01:08.825440506-05:00","closed_at":"2025-12-28T00:01:08.825440506-05:00","close_reason":"Won't fix - non-MS browser-based VSCode solutions have reliability/compatibility issues"}
+{"id":"ops-jrz1-3ux","title":"Document activation script behavior for user slice limits","description":"configuration.nix:171-178 uses activation script to write to /run/systemd/system/. This survives reboot but behavior on re-activation should be documented. Consider if systemd-tmpfiles would be more appropriate.","status":"open","priority":3,"issue_type":"task","created_at":"2026-01-03T17:35:59.432265237-08:00","created_by":"dan","updated_at":"2026-01-03T17:35:59.432265237-08:00"}
 {"id":"ops-jrz1-3x4","title":"Add maubot SDK and deploy script to container image","description":"Container image needs:\n- Python 3.11 + maubot SDK\n- deploy.sh script (zip → .mbp → curl to maubot API)\n- maubot API reachable from container (host network or port forward)\n\nPart of learner onboarding for bot development.","status":"closed","priority":2,"issue_type":"task","created_at":"2025-12-06T12:18:06.841708662-08:00","updated_at":"2025-12-28T00:05:44.748474842-05:00","closed_at":"2025-12-28T00:05:44.748474842-05:00","close_reason":"Parent epic cancelled - browser-based dev approach abandoned","dependencies":[{"issue_id":"ops-jrz1-3x4","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-06T12:18:16.085519885-08:00","created_by":"daemon","metadata":"{}"},{"issue_id":"ops-jrz1-3x4","depends_on_id":"ops-jrz1-d58","type":"blocks","created_at":"2025-12-06T12:18:16.110944935-08:00","created_by":"daemon","metadata":"{}"}]}
 {"id":"ops-jrz1-45v","title":"Matrix/Slack identity mismatch: dan vs vlad","description":"Matrix user @dan:clarun.xyz is linked to Slack user 'vlad'. Messages appear as vlad in Slack but dan in Element. Cosmetic confusion. Options: rename Matrix display name, or re-login bridge with different Slack account.","status":"open","priority":3,"issue_type":"task","created_at":"2025-12-05T19:38:19.899555475-08:00","updated_at":"2025-12-05T19:38:19.899555475-08:00"}
 {"id":"ops-jrz1-46y","title":"Write onboarding documentation","description":"Critical for non-programmers. Cover: login, opencode usage, Git setup (PAT workflow), resource limits, security hygiene. Keep concise.","status":"closed","priority":2,"issue_type":"task","created_at":"2025-12-05T15:32:41.586544583-08:00","updated_at":"2025-12-28T00:08:06.743739166-05:00","closed_at":"2025-12-28T00:08:06.743739166-05:00","close_reason":"Browser-based dev environment cancelled","dependencies":[{"issue_id":"ops-jrz1-46y","depends_on_id":"ops-jrz1-7j4","type":"blocks","created_at":"2025-12-05T15:33:25.328712413-08:00","created_by":"daemon","metadata":"{}"},{"issue_id":"ops-jrz1-46y","depends_on_id":"ops-jrz1-wj2","type":"blocks","created_at":"2025-12-05T15:33:25.351559821-08:00","created_by":"daemon","metadata":"{}"},{"issue_id":"ops-jrz1-46y","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.401868669-08:00","created_by":"daemon","metadata":"{}"}]}
@@ -22,6 +24,7 @@
 {"id":"ops-jrz1-5ki","title":"Set up programmatic QA test user for bridge testing","status":"open","priority":3,"issue_type":"task","created_at":"2025-12-05T20:17:04.312571398-08:00","updated_at":"2025-12-05T20:17:04.312571398-08:00"}
 {"id":"ops-jrz1-5oe","title":"Create NixOS module for code-server containers","description":"Module to manage per-user Podman containers, nginx routing, secrets. Use virtualisation.oci-containers. Generate systemd units.","status":"closed","priority":2,"issue_type":"task","created_at":"2025-12-05T17:16:54.656121092-08:00","updated_at":"2025-12-28T00:05:44.743524099-05:00","closed_at":"2025-12-28T00:05:44.743524099-05:00","close_reason":"Parent epic cancelled - browser-based dev approach abandoned","dependencies":[{"issue_id":"ops-jrz1-5oe","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:17:36.386278268-08:00","created_by":"daemon","metadata":"{}"},{"issue_id":"ops-jrz1-5oe","depends_on_id":"ops-jrz1-d58","type":"blocks","created_at":"2025-12-05T17:17:38.694752468-08:00","created_by":"daemon","metadata":"{}"}]}
 {"id":"ops-jrz1-62b","title":"dev-add: check devs group exists before creating user","description":"dev-add failed silently when devs group was missing. User was created but SSH key wasn't set up. Script should validate prerequisites first.","status":"closed","priority":2,"issue_type":"bug","created_at":"2026-01-03T11:50:57.134573631-08:00","created_by":"dan","updated_at":"2026-01-03T11:53:40.714806901-08:00","closed_at":"2026-01-03T11:53:40.714806901-08:00","close_reason":"Added devs group check before user creation in dev-add.sh"}
+{"id":"ops-jrz1-6es","title":"Update egress-watchdog source to use 'killswitch' not /usr/local/bin path","description":"scripts/egress-watchdog:44 has hardcoded /usr/local/bin/killswitch. The Nix build uses replaceStrings to fix this, but source should reflect reality. Change to just 'killswitch'.","status":"open","priority":3,"issue_type":"task","created_at":"2026-01-03T17:35:58.211053165-08:00","created_by":"dan","updated_at":"2026-01-03T17:35:58.211053165-08:00"}
 {"id":"ops-jrz1-6of","title":"AI cost/rate limiting per user","description":"One user could drain API credits with runaway script. Need rate limiting per user, either via proxy middleware or opencode config. Track usage.","status":"closed","priority":2,"issue_type":"task","created_at":"2025-12-05T15:32:30.772304538-08:00","updated_at":"2025-12-05T17:42:42.773613559-08:00","closed_at":"2025-12-05T17:42:42.773613559-08:00","dependencies":[{"issue_id":"ops-jrz1-6of","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.206816868-08:00","created_by":"daemon","metadata":"{}"},{"issue_id":"ops-jrz1-6of","depends_on_id":"ops-jrz1-wj2","type":"blocks","created_at":"2025-12-05T17:17:38.658742196-08:00","created_by":"daemon","metadata":"{}"}]}
 {"id":"ops-jrz1-6t9","title":"Evaluate llm CLI: per-repo vs system-wide install","description":"Simon Willison's llm CLI tool. Options: (1) System-wide via nixpkgs, (2) Per-user via uv/pip, (3) Per-project .envrc. Consider: multiple users, plugin ecosystem, update frequency.","status":"open","priority":3,"issue_type":"task","created_at":"2026-01-03T09:35:13.705897177-08:00","created_by":"dan","updated_at":"2026-01-03T09:35:13.705897177-08:00"}
 {"id":"ops-jrz1-7j4","title":"Git credential strategy for non-programmers","description":"Non-programmers can't manage SSH keys. Pre-configure git-credential-store or provide simple PAT workflow with docs. Store in persistent home with 600 perms.","status":"closed","priority":2,"issue_type":"task","created_at":"2025-12-05T15:32:19.673999683-08:00","updated_at":"2025-12-05T17:38:54.788694408-08:00","closed_at":"2025-12-05T17:38:54.788694408-08:00","dependencies":[{"issue_id":"ops-jrz1-7j4","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.139749437-08:00","created_by":"daemon","metadata":"{}"}]}
@@ -30,6 +33,7 @@
 {"id":"ops-jrz1-8m7","title":"Add cgroups limits for user slices","description":"Add soft resource limits to prevent one user/agent from crashing server.\n\n## Config\n```nix\nsystemd.slices.\"user\".sliceConfig = {\n  MemoryMax = \"80%\";\n  TasksMax = 500;\n  CPUWeight = 100;  # Fair sharing, no hard quota\n};\n```\n\n## Behavior\n- Memory: Users collectively can't exceed 80% RAM\n- Tasks: Max 500 processes per user (prevents fork bombs)\n- CPU: Fair sharing when contended, bursts allowed\n\n## Testing\n- Verify with `systemctl show user-1001.slice`\n- Test fork bomb doesn't crash server","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T20:16:22.600133044-08:00","created_by":"dan","updated_at":"2026-01-02T21:02:35.455928291-08:00","closed_at":"2026-01-02T21:02:35.455928291-08:00","close_reason":"Closed"}
 {"id":"ops-jrz1-8mc","title":"configuration.nix: Document UID range 1000:65534 rationale","description":"UID range 1000:65534 excludes root but includes nobody (65534). Add comment explaining rationale. configuration.nix:70","status":"closed","priority":4,"issue_type":"task","created_at":"2026-01-03T08:17:35.893969961-08:00","created_by":"dan","updated_at":"2026-01-03T09:32:23.604873295-08:00","closed_at":"2026-01-03T09:32:23.604873295-08:00","close_reason":"Added comment explaining UID range 1000:65534"}
 {"id":"ops-jrz1-9gd","title":"Upgrade VPS RAM for dev environments","description":"Current: 2GB. Need 4-8GB for multiple code-server containers. Coordinate with Vultr, plan maintenance window.","status":"closed","priority":2,"issue_type":"task","created_at":"2025-12-05T17:16:54.267689439-08:00","updated_at":"2025-12-28T00:08:06.748175273-05:00","closed_at":"2025-12-28T00:08:06.748175273-05:00","close_reason":"Browser-based dev environment cancelled","dependencies":[{"issue_id":"ops-jrz1-9gd","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:17:36.331146543-08:00","created_by":"daemon","metadata":"{}"}]}
+{"id":"ops-jrz1-9hq","title":"Add earlier root check to dev-add.sh","description":"dev-add.sh has EUID check at line 138, but could fail earlier with clearer message before doing validation work.","status":"open","priority":4,"issue_type":"task","created_at":"2026-01-03T17:35:58.633740163-08:00","created_by":"dan","updated_at":"2026-01-03T17:35:58.633740163-08:00"}
 {"id":"ops-jrz1-9pe","title":"Research: System packages for learner accounts","description":"How do dev users get access to toolchains (Go, Node, Rust, etc.)?\n\n## Findings\n\n**Users CAN self-install packages:**\n```bash\nnix profile install nixpkgs#go\nnix profile install nixpkgs#nodejs\nnix profile install nixpkgs#rustc\n```\n\nPackages go to `~/.nix-profile/bin`, already in PATH. Works today.\n\n**Devshells work too:**\n```bash\n# In project with flake.nix\nnix develop\n```\n\n## Options\n\n| Option | Pros | Cons |\n|--------|------|------|\n| **Self-service only** | Minimal config, user learns nix | Cold start friction |\n| **Global defaults** | Zero friction for common tools | Bloats system, version conflicts |\n| **Starter script** | One command setup, customizable | Another thing to maintain |\n| **direnv + devshells** | Per-project envs, reproducible | Needs direnv installed globally |\n\n## Current State\n- `nix profile install` works for users ✅\n- `nix develop` works ✅\n- direnv NOT installed globally\n- Only python3, uv in system packages\n\n## Recommendation\n1. Add `direnv` to global packages (enables per-project devshells)\n2. Document `nix profile install` for quick one-offs\n3. Provide example flake.nix templates for Go, Node, Rust projects\n4. Keep system packages minimal (python3, uv, direnv, git, vim)\n\n## Test Results\n```\n$ nix profile install nixpkgs#go\n$ go version\ngo version go1.22.8 linux/amd64\n```","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T12:27:32.894163417-08:00","created_by":"dan","updated_at":"2026-01-02T12:32:32.502649201-08:00","closed_at":"2026-01-02T12:32:32.502649201-08:00","close_reason":"Users can self-install via nix profile. Added direnv globally for devshells."}
 {"id":"ops-jrz1-9x8","title":"Claude CLI update mechanism","description":"Claude Code CLI is manually installed to /usr/local/bin/claude.\n\n## Current state\n- Installed via: curl -fsSL https://claude.ai/install.sh | bash\n- Copied to /usr/local/bin/claude\n- No automatic updates\n\n## Options\n1. Periodic manual update (run install script again)\n2. Systemd timer to check for updates\n3. Package via nix (would need custom derivation)\n\n## Acceptance criteria\nDocument the update process at minimum.","status":"open","priority":3,"issue_type":"task","created_at":"2026-01-02T16:46:03.908575951-08:00","created_by":"dan","updated_at":"2026-01-02T16:46:03.908575951-08:00"}
 {"id":"ops-jrz1-a3w","title":"egress-watchdog: Document GNU grep -P dependency","description":"grep -oP requires GNU grep with PCRE. NixOS always has it, but add comment for portability awareness. scripts/egress-watchdog:25","status":"closed","priority":4,"issue_type":"task","created_at":"2026-01-03T08:17:35.642729617-08:00","created_by":"dan","updated_at":"2026-01-03T09:32:23.646375858-08:00","closed_at":"2026-01-03T09:32:23.646375858-08:00","close_reason":"Added comment noting grep -oP requires GNU grep with PCRE"}
@@ -40,6 +44,7 @@
 {"id":"ops-jrz1-bbn","title":"Research: Resource limits and quotas","description":"Should we limit CPU/memory/disk per learner?\n\n## Current state\n- No limits configured\n- Single VPS shared by all users\n- 2GB RAM, 1 vCPU (Vultr $6 tier?)\n\n## Options\n1. **No limits** - Trust learners, monitor manually\n2. **Systemd slices** - cgroups for user sessions\n3. **Disk quotas** - Limit ~/\n4. **ulimits** - Process limits\n\n## Questions\n- What resources does a typical dev session use?\n- What about `go build` or `npm install`?\n- Is this premature optimization?","status":"closed","priority":3,"issue_type":"task","created_at":"2026-01-02T12:27:34.884865507-08:00","created_by":"dan","updated_at":"2026-01-03T10:11:09.79120117-08:00","closed_at":"2026-01-03T10:11:09.79120117-08:00","close_reason":"Implemented: systemd slices (user.slice MemoryMax=80%, TasksMax=500) + per-user limits (MemoryMax=50%, TasksMax=200, CPUQuota=200%). Disk quotas tracked separately in ops-jrz1-oxx."}
 {"id":"ops-jrz1-bhk","title":"Add disk quotas for user workspaces","description":"User could fill host disk via /var/lib/vscode/\u003cuser\u003e/. Add per-directory quotas or monitoring/alerting on disk usage.","status":"closed","priority":3,"issue_type":"task","created_at":"2025-12-05T15:32:41.199417226-08:00","updated_at":"2025-12-28T00:05:44.7635372-05:00","closed_at":"2025-12-28T00:05:44.7635372-05:00","close_reason":"Parent epic cancelled - browser-based dev approach abandoned","dependencies":[{"issue_id":"ops-jrz1-bhk","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.309592029-08:00","created_by":"daemon","metadata":"{}"}]}
 {"id":"ops-jrz1-blh","title":"mautrix-slack edit panic persists in v25.11","description":"mautrix-slack panic on rapid message edits (race condition)\n\n**Root cause**: Edit event arrives before original message is stored in DB. ConvertEdit accesses nil metadata.\n\n**Location**: handleslack.go:575 - has TODO comment: 'this can panic?'\n\n**Reproduction**: Edit a Slack message within ~1 second of sending\n\n**Upstream status**: \n- v25.11 is latest (we're on it)\n- Known to devs (TODO in code)\n- No open issue filed yet\n\n**Stack trace**:\ngo.mau.fi/mautrix-slack/pkg/connector.(*SlackMessage).ConvertEdit\n  handleslack.go:575\nmaunium.net/go/mautrix/bridgev2.(*Portal).handleRemoteEdit\n  portal.go:2838","status":"closed","priority":2,"issue_type":"bug","created_at":"2025-12-05T19:40:33.255395189-08:00","updated_at":"2025-12-28T00:06:14.637057055-05:00","closed_at":"2025-12-28T00:06:14.637057055-05:00","close_reason":"Duplicate of ops-jrz1-f15 which has fix ready","comments":[{"id":2,"issue_id":"ops-jrz1-blh","author":"dan","text":"Confirmed panic exists in nixpkgs-unstable from 2025-12-02. Fix will be addressed via platform upgrade (see ops-jrz1-00e).","created_at":"2025-12-08T23:54:57Z"}]}
+{"id":"ops-jrz1-bom","title":"Consolidate repeated attribute keys in configuration.nix","description":"statix W20: networking and environment keys are repeated across the file. Consolidate into single blocks for readability.","status":"open","priority":4,"issue_type":"task","created_at":"2026-01-03T17:35:57.496164613-08:00","created_by":"dan","updated_at":"2026-01-03T17:35:57.496164613-08:00"}
 {"id":"ops-jrz1-cmv","title":"Add egress rate limiting (iptables)","description":"Hard limit outbound connections per user to prevent mass exfil/scanning.\n\n## Config\n```nix\nnetworking.firewall.extraCommands = ''\n  # Rate limit new outbound connections for regular users (uid 1000+)\n  iptables -A OUTPUT -m state --state NEW -m owner --uid-owner 1000:65534 \\\n    -m limit --limit 30/min --limit-burst 60 -j ACCEPT\n  iptables -A OUTPUT -m state --state NEW -m owner --uid-owner 1000:65534 \\\n    -j LOG --log-prefix \"EGRESS-LIMIT: \"\n  iptables -A OUTPUT -m state --state NEW -m owner --uid-owner 1000:65534 \\\n    -j REJECT\n'';\n```\n\n## Behavior\n- 30 new connections/min sustained, burst of 60\n- Over limit: logged and rejected\n- Doesn't affect established connections\n\n## Testing\n- `for i in {1..100}; do curl -s ifconfig.me \u0026 done`\n- Should see EGRESS-LIMIT in journal after ~60","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T20:16:32.276607792-08:00","created_by":"dan","updated_at":"2026-01-02T21:12:35.5888406-08:00","closed_at":"2026-01-02T21:12:35.5888406-08:00","close_reason":"Closed"}
 {"id":"ops-jrz1-cpm","title":"Add admin alerting when killswitch fires","description":"Killswitch only logs to journald. Consider external notification (email, Matrix message, webhook) when users are terminated.","status":"open","priority":4,"issue_type":"task","created_at":"2026-01-03T08:40:26.416998752-08:00","created_by":"dan","updated_at":"2026-01-03T08:40:26.416998752-08:00"}
 {"id":"ops-jrz1-d38","title":"Add tmux to system packages","description":"Add tmux for session persistence. Users can run bots in tmux, disconnect, reconnect.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T15:13:58.514256583-08:00","created_by":"dan","updated_at":"2026-01-02T17:25:59.102158299-08:00","closed_at":"2026-01-02T17:25:59.102158299-08:00","close_reason":"Closed"}
@@ -57,10 +62,12 @@
 {"id":"ops-jrz1-ghd","title":"Research: User isolation and sandboxing options","description":"Can users see each other's code? What isolation do we need?\n\n## Current state\n- Standard Unix permissions\n- No containers or VMs\n- Users in same `users` group\n\n## Options to evaluate\n1. **Unix perms only** - `chmod 700 ~` (current)\n2. **Separate groups** - Per-user primary group\n3. **Containers** - systemd-nspawn, podman\n4. **VMs** - microVMs per user (heavy)\n5. **Firejail/bubblewrap** - Process sandboxing\n\n## Questions\n- What's the threat model? (curious learners vs malicious actors)\n- How much isolation is worth the complexity?\n- Does NixOS offer anything special here?","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-02T12:27:33.291275677-08:00","created_by":"dan","updated_at":"2026-01-02T12:27:33.291275677-08:00"}
 {"id":"ops-jrz1-glk","title":"VS Code extension policy (security)","description":"Extensions can run arbitrary code. Decide: allow arbitrary installs, or curate/restrict? For non-programmers, pre-install safe set and optionally disable marketplace.","status":"closed","priority":3,"issue_type":"task","created_at":"2025-12-05T15:32:41.463030936-08:00","updated_at":"2025-12-28T00:08:06.752037252-05:00","closed_at":"2025-12-28T00:08:06.752037252-05:00","close_reason":"Browser-based dev environment cancelled","dependencies":[{"issue_id":"ops-jrz1-glk","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.372120465-08:00","created_by":"daemon","metadata":"{}"}]}
 {"id":"ops-jrz1-gwk","title":"Declarative script deployment via NixOS","description":"Scripts in scripts/ are manually deployed via scp to /usr/local/bin/. Convert to NixOS declarative deployment using writeShellApplication.\n\nTwo packages (per orch consensus):\n1. watchdog-scripts - killswitch, cpu-watchdog, egress-watchdog\n   → Referenced directly by systemd, NOT in PATH\n2. admin-scripts - learner-add.sh, learner-remove.sh\n   → Added to systemPackages for interactive use\n\nSubtasks:\n- ops-jrz1-vw4: Create watchdog-scripts package\n- ops-jrz1-o9c: Create admin-scripts package (parallel)\n- ops-jrz1-ujw: Update systemd services to use store paths\n- ops-jrz1-sdz: Remove manual /usr/local/bin scripts\n- ops-jrz1-f6i: Update docs","status":"closed","priority":2,"issue_type":"epic","created_at":"2026-01-03T08:39:41.242421474-08:00","created_by":"dan","updated_at":"2026-01-03T09:21:09.83027789-08:00","closed_at":"2026-01-03T09:21:09.83027789-08:00","close_reason":"Epic complete: All scripts now deployed declaratively via writeShellApplication"}
+{"id":"ops-jrz1-i1z","title":"Add timestamp to killswitch output","description":"scripts/killswitch echo output has no timestamp. Consider adding or document reliance on systemd journal.","status":"open","priority":4,"issue_type":"task","created_at":"2026-01-03T17:35:59.019670457-08:00","created_by":"dan","updated_at":"2026-01-03T17:35:59.019670457-08:00"}
 {"id":"ops-jrz1-i8i","title":"Enable mautrix-slack relay mode for bot bridging","status":"closed","priority":2,"issue_type":"task","created_at":"2025-12-06T19:09:42.087506995-08:00","updated_at":"2025-12-06T19:09:47.612545472-08:00","closed_at":"2025-12-06T19:09:47.612545472-08:00"}
 {"id":"ops-jrz1-iok","title":"Instagram bot missing base-config.yaml","description":"Plugin was missing base-config.yaml required by maubot Config class. Fixed in commit 4b9481d.","status":"closed","priority":2,"issue_type":"bug","created_at":"2025-12-06T13:02:10.103730128-08:00","updated_at":"2025-12-06T13:02:15.055396318-08:00","closed_at":"2025-12-06T13:02:15.055396318-08:00"}
 {"id":"ops-jrz1-jit","title":"Logging and monitoring for dev environments","description":"No observability plan. Need: container CPU/mem metrics, nginx logs, disk usage monitoring, alert on repeated 401s or resource exhaustion.","status":"closed","priority":3,"issue_type":"task","created_at":"2025-12-05T15:32:41.318448038-08:00","updated_at":"2025-12-28T00:08:06.750234292-05:00","closed_at":"2025-12-28T00:08:06.750234292-05:00","close_reason":"Browser-based dev environment cancelled","dependencies":[{"issue_id":"ops-jrz1-jit","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.343610481-08:00","created_by":"daemon","metadata":"{}"}]}
 {"id":"ops-jrz1-jvt","title":"Add beads (bd) to system packages via flake input","description":"Add beads CLI as a system-wide package using the flake input pattern.\n\n## Implementation\n```nix\n# flake.nix inputs\nbeads = {\n  url = \"github:steveyegge/beads\";\n  inputs.nixpkgs.follows = \"nixpkgs-unstable\";\n};\n\n# configuration.nix or module\nenvironment.systemPackages = [\n  inputs.beads.packages.${system}.default\n];\n```\n\n## Why this approach\nPer orch consensus:\n- Flake inputs + systemPackages is NixOS best practice\n- Reproducible, version-pinned via flake.lock\n- All users get same version\n- Config stays per-repo (.beads/)\n\n## Acceptance criteria\n- `bd --version` works for all users\n- No manual install needed\n- Pinned in flake.lock","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T16:36:04.106750429-08:00","created_by":"dan","updated_at":"2026-01-02T17:25:59.114217153-08:00","closed_at":"2026-01-02T17:25:59.114217153-08:00","close_reason":"Closed"}
+{"id":"ops-jrz1-jwl","title":"Update cpu-watchdog source to use 'killswitch' not /usr/local/bin path","description":"scripts/cpu-watchdog:36 has hardcoded /usr/local/bin/killswitch. The Nix build uses replaceStrings to fix this, but source should reflect reality. Change to just 'killswitch'.","status":"open","priority":3,"issue_type":"task","created_at":"2026-01-03T17:35:57.848239876-08:00","created_by":"dan","updated_at":"2026-01-03T17:35:57.848239876-08:00"}
 {"id":"ops-jrz1-k1z","title":"killswitch: Rename USER variable to avoid shadowing","description":"USER=\"$1\" shadows shell builtin $USER. Rename to TARGET_USER for clarity. scripts/killswitch:15","status":"closed","priority":3,"issue_type":"task","created_at":"2026-01-03T08:17:35.258067292-08:00","created_by":"dan","updated_at":"2026-01-03T09:31:54.318499842-08:00","closed_at":"2026-01-03T09:31:54.318499842-08:00","close_reason":"Renamed USER to TARGET_USER to avoid shadowing shell builtin"}
 {"id":"ops-jrz1-k2a","title":"Security posture and threat analysis for dev server","description":"Perform security analysis for the shared dev server environment.\n\n## Scope\n- Multi-user SSH access\n- Agentic coders (Claude, etc.) running with user privileges\n- Shared Slack tokens\n- Network egress\n- Nix store access\n\n## Questions to answer\n- What's the threat model? (curious devs vs malicious actors)\n- What can a compromised user account access?\n- What can an agentic coder do that a human couldn't?\n- Are there secrets at risk?\n- What isolation is needed?\n\n## Deliverables\n- Threat model document\n- Risk assessment\n- Recommendations for mitigations","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T16:34:32.681248615-08:00","created_by":"dan","updated_at":"2026-01-02T19:14:53.774623716-08:00","closed_at":"2026-01-02T19:14:53.774623716-08:00","close_reason":"Closed"}
 {"id":"ops-jrz1-kg0","title":"Switch to subdomain routing (dan.code.clarun.xyz)","description":"Path-based routing (/code/dan/) is fragile. Extensions assume root path, cookies scope incorrectly, PWA breaks. Switch to wildcard subdomains for cleaner isolation.","status":"closed","priority":1,"issue_type":"task","created_at":"2025-12-05T15:32:19.283887085-08:00","updated_at":"2025-12-05T17:23:11.983564455-08:00","closed_at":"2025-12-05T17:23:11.983564455-08:00","dependencies":[{"issue_id":"ops-jrz1-kg0","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.043217984-08:00","created_by":"daemon","metadata":"{}"}]}