From 815a4aa330a6062af002b91c4e93afa4d9c55782 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Wed, 25 Mar 2026 20:35:44 +0000
Subject: [PATCH 1/2] Replace claude-code agent with reusable skill templates

Replace the single code-reviewer agent with four user-invocable skills:
/review-code, /review-security, /design-review, and /deep-plan.
Skills are slash commands that avoid rewriting the same persona prompts
repeatedly and accept $ARGUMENTS for context-specific variations.

https://claude.ai/code/session_011WgapntT1iuzZE784p9AdL
---
 profiles/home-manager/desktop/claude-code.nix | 122 ++++++++++++++++--
 1 file changed, 113 insertions(+), 9 deletions(-)

diff --git a/profiles/home-manager/desktop/claude-code.nix b/profiles/home-manager/desktop/claude-code.nix
index c13a7ed0..8f36db5c 100644
--- a/profiles/home-manager/desktop/claude-code.nix
+++ b/profiles/home-manager/desktop/claude-code.nix
@@ -1,19 +1,123 @@
 _:
-# FIXME: https://mynixos.com/home-manager/options/programs.claude-code
+# https://mynixos.com/home-manager/options/programs.claude-code
 {
   programs.claude-code = {
     enable = true;
-    agents = {
-      code-reviewer = ''
+    skills = {
+      review-code = ''
         ---
-        name: code-reviewer
-        description: Specialized code review agent
-        tools: Read, Edit, Grep
+        name: review-code
+        description: Deep code review for correctness, idioms, simplicity, and architecture
+        tools: Read, Grep, Glob, Bash
         ---
 
-        You are a senior software engineer specializing in code reviews.
-        Focus on code quality, security, and maintainability.
+        You are a senior engineer conducting a thorough code review.
+
+        ## Focus Areas
+        - **Correctness**: Logic errors, edge cases, off-by-one, race conditions
+        - **Idiomatic**: Does the code follow the language and project conventions?
+        - **Simplicity**: Can this be simpler without losing clarity?
+        - **Architecture**: Is the abstraction level right? Are responsibilities clear?
+
+        ## Process
+        1. Read the code under review thoroughly before commenting
+        2. Understand the surrounding context (imports, callers, tests)
+        3. Distinguish between blocking issues and suggestions
+        4. Be direct — state what is wrong and why, then suggest a fix
+
+        ## Output Format
+        Organize findings by severity: blocking issues first, then suggestions, then nits.
+
+        $ARGUMENTS
+      '';
+
+      review-security = ''
+        ---
+        name: review-security
+        description: Pragmatic security review — attentive to real risks without paranoia
+        tools: Read, Grep, Glob, Bash
+        ---
+
+        You are a security-minded engineer reviewing code for real-world vulnerabilities.
+
+        ## Principles
+        - **Pragmatic**: Focus on exploitable issues, not theoretical purity
+        - **Attentive**: Small details in auth, input handling, and secrets matter
+        - **Contextual**: Severity depends on what the code does and where it runs
+
+        ## Checklist
+        - Input validation and sanitization
+        - Authentication and authorization boundaries
+        - Secret handling (hardcoded credentials, logging sensitive data)
+        - Injection vectors (SQL, command, path traversal, template injection)
+        - Dependency risks (known CVEs, excessive permissions)
+        - Error handling that leaks internal details
+        - Cryptographic misuse
+
+        ## Output Format
+        For each finding: what the risk is, how it could be exploited, and a concrete fix.
+        Rate severity as critical, high, medium, or low.
+
+        $ARGUMENTS
+      '';
+
+      design-review = ''
+        ---
+        name: design-review
+        description: Enterprise architecture review for technical design documents
+        tools: Read, Grep, Glob, Bash, WebSearch, WebFetch
+        ---
+
+        You are a principal engineer reviewing a technical design document.
+
+        ## Focus Areas
+        - **Problem framing**: Is the problem clearly stated? Are constraints explicit?
+        - **Solution fitness**: Does the design solve the stated problem without over-engineering?
+        - **Trade-offs**: Are alternatives considered? Are trade-offs acknowledged?
+        - **Operability**: Failure modes, observability, rollback strategy
+        - **Integration**: How does this fit with existing systems? Migration path?
+        - **Scalability**: Does it need to scale? If so, where are the bottlenecks?
+
+        ## Process
+        1. Read the full document before commenting
+        2. Identify the strongest and weakest parts
+        3. Ask clarifying questions where the design is ambiguous
+        4. Suggest concrete improvements, not vague concerns
+
+        $ARGUMENTS
+      '';
+
+      deep-plan = ''
+        ---
+        name: deep-plan
+        description: Structured implementation plan with trade-offs and step breakdown
+        tools: Read, Grep, Glob, Bash, WebSearch, WebFetch
+        ---
+
+        You are a senior architect producing a thorough implementation plan.
+
+        ## Process
+        1. Understand the goal and constraints before proposing solutions
+        2. Research the existing codebase to ground the plan in reality
+        3. Identify key decisions and their trade-offs
+        4. Break down into concrete, sequenced steps
+
+        ## Output Structure
+        - **Goal**: One sentence summary of what we are achieving
+        - **Constraints**: What limits the solution space
+        - **Approach**: High-level strategy and rationale
+        - **Key Decisions**: Each with options, trade-offs, and recommendation
+        - **Steps**: Ordered implementation steps, each with:
+          - What to do
+          - Which files/components are involved
+          - Dependencies on other steps
+          - Risks or things to watch out for
+        - **Verification**: How to confirm the implementation is correct
+
+        Do not write code. Focus on the plan. Be specific about file paths and component names.
+
+        $ARGUMENTS
       '';
     };
   };
-}
\ No newline at end of file
+}

From 9d1f19c218c0e84539bd809456c6e3ff0dfea281 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Wed, 25 Mar 2026 21:00:51 +0000
Subject: [PATCH 2/2] Add settings, permissions, and stop hook to claude-code
 config

Manage all Claude Code configuration declaratively via home-manager:
- Default model set to opus
- Pre-approve safe read-only tools and common commands (git, nix)
- Move stop hook (git hygiene check) from manual /root/.claude/ into Nix

https://claude.ai/code/session_011WgapntT1iuzZE784p9AdL
---
 .../desktop/claude-code-stop-hook.sh          | 46 +++++++++++++++++++
 profiles/home-manager/desktop/claude-code.nix | 31 +++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 profiles/home-manager/desktop/claude-code-stop-hook.sh

diff --git a/profiles/home-manager/desktop/claude-code-stop-hook.sh b/profiles/home-manager/desktop/claude-code-stop-hook.sh
new file mode 100644
index 00000000..c7e0444e
--- /dev/null
+++ b/profiles/home-manager/desktop/claude-code-stop-hook.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Stop hook: prevents Claude from finishing with uncommitted or unpushed work.
+# Exit 0 = allow stop, Exit 2 = block stop (message on stderr).
+
+input=$(cat)
+
+# Prevent recursion
+stop_hook_active=$(echo "$input" | jq -r '.stop_hook_active')
+if [[ "$stop_hook_active" = "true" ]]; then
+  exit 0
+fi
+
+# Only run in git repositories
+if ! git rev-parse --git-dir >/dev/null 2>&1; then
+  exit 0
+fi
+
+# Check for uncommitted changes (staged or unstaged)
+if ! git diff --quiet || ! git diff --cached --quiet; then
+  echo "There are uncommitted changes. Please commit and push before finishing." >&2
+  exit 2
+fi
+
+# Check for untracked files
+if [[ -n "$(git ls-files --others --exclude-standard)" ]]; then
+  echo "There are untracked files. Please commit and push before finishing." >&2
+  exit 2
+fi
+
+# Check for unpushed commits
+current_branch=$(git branch --show-current)
+if [[ -n "$current_branch" ]]; then
+  if git rev-parse "origin/$current_branch" >/dev/null 2>&1; then
+    unpushed=$(git rev-list "origin/$current_branch..HEAD" --count 2>/dev/null) || unpushed=0
+  else
+    unpushed=$(git rev-list "origin/HEAD..HEAD" --count 2>/dev/null) || unpushed=0
+  fi
+
+  if [[ "$unpushed" -gt 0 ]]; then
+    echo "There are $unpushed unpushed commit(s) on '$current_branch'. Please push before finishing." >&2
+    exit 2
+  fi
+fi
+
+exit 0
diff --git a/profiles/home-manager/desktop/claude-code.nix b/profiles/home-manager/desktop/claude-code.nix
index 8f36db5c..a94406aa 100644
--- a/profiles/home-manager/desktop/claude-code.nix
+++ b/profiles/home-manager/desktop/claude-code.nix
@@ -3,6 +3,37 @@ _:
 {
   programs.claude-code = {
     enable = true;
+
+    settings = {
+      model = "opus";
+      permissions = {
+        allow = [
+          "Skill"
+          "Read"
+          "Glob"
+          "Grep"
+          "Agent"
+          "Bash(git *)"
+          "Bash(nix *)"
+          "Bash(home-manager *)"
+          "Bash(nixos-rebuild *)"
+        ];
+      };
+      hooks = {
+        Stop = [
+          {
+            matcher = "";
+            hooks = [
+              {
+                type = "command";
+                command = "bash ${./claude-code-stop-hook.sh}";
+              }
+            ];
+          }
+        ];
+      };
+    };
+
     skills = {
       review-code = ''
         ---