From 961b372e52c89589ebdd00f41a9a9467597c74ef Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Thu, 4 Jun 2026 03:45:28 +0000 Subject: [PATCH 1/2] feat: nextcloud-todos planner + exec agents, bake into image Add the read-only planner and full-powers exec agent definitions for the nextcloud-todos service (Phase 3, tasks 3.1/3.2). COPY both into /usr/share/agent-seed/ so the seed-beads-agent init-container can drop them into ~/.claude/agents/ at pod start (task 3.3). Co-Authored-By: Claude Opus 4.8 --- Dockerfile | 2 ++ agents/nextcloud-todos-exec.md | 17 +++++++++++++++++ agents/nextcloud-todos-planner.md | 21 +++++++++++++++++++++ 3 files changed, 40 insertions(+) create mode 100644 agents/nextcloud-todos-exec.md create mode 100644 agents/nextcloud-todos-planner.md diff --git a/Dockerfile b/Dockerfile index 07a7ff7..4b9c574 100644 --- a/Dockerfile +++ b/Dockerfile @@ -83,6 +83,8 @@ RUN mkdir -p /home/agent/.config/sops/age \ COPY beads/metadata.json /usr/share/agent-seed/beads-metadata.json COPY agents/beads-task-runner.md /usr/share/agent-seed/beads-task-runner.md COPY agents/recruiter-triage.md /usr/share/agent-seed/recruiter-triage.md +COPY agents/nextcloud-todos-planner.md /usr/share/agent-seed/nextcloud-todos-planner.md +COPY agents/nextcloud-todos-exec.md /usr/share/agent-seed/nextcloud-todos-exec.md USER agent WORKDIR /workspace/infra diff --git a/agents/nextcloud-todos-exec.md b/agents/nextcloud-todos-exec.md new file mode 100644 index 0000000..fc6bdcd --- /dev/null +++ b/agents/nextcloud-todos-exec.md 
@@ -0,0 +1,17 @@ +--- +name: nextcloud-todos-exec +description: Executes an APPROVED Nextcloud Personal todo end to end with full powers — edit code, open PRs, apply infra, run kubectl, use MCP tools. +model: sonnet +tools: Read, Grep, Glob, Edit, Write, Bash, WebSearch, WebFetch +--- + +You execute a single APPROVED task end to end. The user has already seen and +approved a plan; honor any extra instructions appended to the prompt. + +Guidance: +- For monorepo code changes: follow the repo's CLAUDE.md, work TDD, commit, push + a branch, open a Forgejo PR. Do NOT merge — the merge is the user's gate. +- For infra: make the change in Terraform and `scripts/tg apply` the affected + stack (never raw kubectl for Terraform-managed resources). +- Claim shared infra via `scripts/presence` before mutating (per CLAUDE.md). +- Report what you did, links (PR/commit), and anything left for the user. diff --git a/agents/nextcloud-todos-planner.md b/agents/nextcloud-todos-planner.md new file mode 100644 index 0000000..2ddde81 --- /dev/null +++ b/agents/nextcloud-todos-planner.md 
@@ -0,0 +1,21 @@ +--- +name: nextcloud-todos-planner +description: Read-only planner/researcher for Nextcloud Personal todos. Inspects repos and the web, produces a plan + cost estimate, changes nothing. +model: sonnet +tools: Read, Grep, Glob, WebSearch, WebFetch, Bash +--- + +You handle a single personal TODO. You are STRICTLY READ-ONLY: never edit files, +never run mutating commands, never apply infra. Two modes: + +1. **Research** — if the task is a question/lookup, research it (repo + web) and + answer concisely with sources. End with a one-paragraph summary. +2. **Plan** — if the task requires changes, inspect the relevant repo/cluster + state (read-only) and output: + - A concrete, ordered plan of the changes. + - The exact files/stacks that would change. + - A cost/effort estimate and any risks. + Change nothing. Another (approved) run will execute. + +Bash is for read-only inspection only (ls, cat, git log, kubectl get, terraform +plan). Never run apply/edit/delete/push. From 079d93b7916aea3335b12ef8eca220a1f5145e82 Mon Sep 17 00:00:00 2001 
From: Viktor Barzin Date: Thu, 4 Jun 2026 08:04:19 +0000 Subject: [PATCH 2/2] nextcloud-todos-exec: add MCP tools to frontmatter + executor guidance MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The subagent `tools:` list restricts the available tool set, so the HA and Paperless MCP tools must be enumerated to be usable. Add wildcards `mcp__ha__*` and `mcp__paperless__*` (servers wired via the infra repo's project-scoped .mcp.json + the claude-agent pod elevation). Body: document the new powers the pod now provides — Forgejo PRs via the API with $FORGEJO_TOKEN (git push pre-authenticated), scripts/tg apply with auto Vault auth (~/.vault-token kept fresh by a sidecar), broad kubectl write RBAC for non-Terraform-managed ad-hoc changes, and the MCP tools with HTTP-API fallback if the servers aren't configured. Not pushed — code only. Co-Authored-By: Claude Opus 4.8 --- agents/nextcloud-todos-exec.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/agents/nextcloud-todos-exec.md b/agents/nextcloud-todos-exec.md index fc6bdcd..4cee69f 100644 --- a/agents/nextcloud-todos-exec.md +++ b/agents/nextcloud-todos-exec.md @@ -2,7 +2,7 @@ name: nextcloud-todos-exec description: Executes an APPROVED Nextcloud Personal todo end to end with full powers — edit code, open PRs, apply infra, run kubectl, use MCP tools. model: sonnet -tools: Read, Grep, Glob, Edit, Write, Bash, WebSearch, WebFetch +tools: Read, Grep, Glob, Edit, Write, Bash, WebSearch, WebFetch, mcp__ha__*, mcp__paperless__* --- You execute a single APPROVED task end to end. The user has already seen and 
@@ -11,7 +11,17 @@ approved a plan; honor any extra instructions appended to the prompt. Guidance: - For monorepo code changes: follow the repo's CLAUDE.md, work TDD, commit, push a branch, open a Forgejo PR. Do NOT merge — the merge is the user's gate. + Open the PR via the Forgejo API with `curl` + `$FORGEJO_TOKEN` (no CLI needed); + git push is already authenticated to forgejo.viktorbarzin.me. - For infra: make the change in Terraform and `scripts/tg apply` the affected - stack (never raw kubectl for Terraform-managed resources). + stack (never raw kubectl for Terraform-managed resources). A Vault token is + kept fresh at `~/.vault-token` by the pod, so `scripts/tg` authenticates + automatically — no manual `vault login`. +- For ad-hoc cluster reads/writes the change is NOT Terraform-managed: `kubectl` + has broad write RBAC on this pod (claude-agent-exec ClusterRole). +- MCP tools `mcp__ha__*` (Home Assistant) and `mcp__paperless__*` (Paperless-ngx) + are available when the MCP servers are configured for the pod. If they don't + appear, the servers aren't wired in the current environment — fall back to the + HA/Paperless HTTP APIs. - Claim shared infra via `scripts/presence` before mutating (per CLAUDE.md). - Report what you did, links (PR/commit), and anything left for the user.
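Review bot: the two `COPY agents/nextcloud-todos-*.md /usr/share/agent-seed/...` lines in the Dockerfile hunk rely on COPY defaults (root-owned, mode taken from the source tree), and since the `tools:` allowlist inside these files is the agent's permission boundary it is worth pinning that down explicitly with `COPY --chmod=0444` and checking that the seed-beads-agent init-container copies into ~/.claude/agents/ rather than symlinking back to the seed. The exec agent has Edit and Write, so a writable copy in its home lets it rewrite its own definition, or the planner's, at runtime; after the init-container runs, the files under ~/.claude/agents/ should not be writable by the `agent` user.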
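Review bot: in the new nextcloud-todos-exec.md, `honor any extra instructions appended to the prompt` together with `full powers` (Edit, Write, Bash) means anything that lands in the prompt after the approved plan executes with the same authority as the plan, and the task text originates from a Nextcloud todo the agent fetches. Suggest stating that the approved plan is the only authority, and that instructions encountered inside fetched content (todo bodies, web pages, repo files) are to be surfaced in the report, not acted on. Also, `description:` promises `use MCP tools` while the `tools:` line in this version lists no `mcp__*` entries, so the committed definition overstates the agent; patch 2/2 adds them, and squashing the two commits would avoid shipping an image whose agent description does not match its tool set.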
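Review bot: the `STRICTLY READ-ONLY` guarantee in the new nextcloud-todos-planner.md is enforced only by the prompt: `tools:` still grants Bash, and `terraform plan`, listed as read-only inspection, refreshes state and runs provider and data-source code with whatever credentials the pod holds. Because this image seeds the planner into the same pod that patch 2/2 gives a Vault token, a Forgejo token and broad kubectl write RBAC, a single misread instruction is all that separates "planner" from "exec". Suggest backing the instruction with an enforced boundary: drop Bash from the planner, or run it behind a deny list for mutating commands (apply, push, delete, edit) and under a view-only Kubernetes role, so that `never run apply/edit/delete/push` holds even if the prompt does not.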
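Review bot: `mcp__ha__*` and `mcp__paperless__*` in the frontmatter hunk grant every tool those servers expose, now and after any server upgrade, and the Home Assistant MCP server typically exposes tools that actuate devices rather than only reading state. The wildcard follows from the commit message's point that unlisted tools are unusable, but `description:` then under-describes the blast radius of an "approved todo". Suggest either enumerating the tools the todo workflow actually needs, or at least adding to `description:` that the agent can control Home Assistant devices and modify Paperless documents, and re-reviewing the allowlist whenever either MCP server changes.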
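Review bot: in the guidance hunk, the user's gates (`Do NOT merge`, `never raw kubectl for Terraform-managed resources`) are now instructions layered over credentials that do not enforce them: `$FORGEJO_TOKEN` is used straight from Bash via `curl`, and `kubectl` has broad write RBAC through the claude-agent-exec ClusterRole. Suggest documenting the token's scope here (a token limited to creating PRs plus branch protection on the default branch makes the merge gate real rather than advisory), narrowing the ClusterRole to the namespaces ad-hoc work actually touches, and including the pod's service account in the API-server audit policy so every write is attributable to the todo that triggered it. Smaller points: `For ad-hoc cluster reads/writes the change is NOT Terraform-managed:` is missing a "where" and reads as a claim that ad-hoc changes are never Terraform-managed; the `~/.vault-token` and `$FORGEJO_TOKEN` mentions should be paired with a line telling the agent never to print token files or secret environment values, since `Report what you did` is the part of the transcript the user reads back; and the HTTP-API fallback for HA/Paperless implies credentials the guidance does not name, so either name the variables the pod provides or drop the fallback rather than leave the agent to search the filesystem for them.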