home: add claude-code program with home-manager module

Configures claude-code using the home-manager programs.claude-code module:
- Settings: model, gopls plugin, auto-update disabled, permissions
- Agents: docs-verifier, security-reviewer
- Skills: pr summary generator

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

home/programs/claude-code/default.nix

@@ -0,0 +1,55 @@
+{ pkgs, ... }:
+{
+  programs.claude-code = {
+    enable = true;
+    package = pkgs.claude-code-bin;
+
+    agents = {
+      docs-verifier = ./agents/docs-verifier.md;
+      security-reviewer = ./agents/security-reviewer.md;
+    };
+
+    skills = {
+      pr = ./skills/pr;
+    };
+
+    settings = {
+      model = "opus";
+      enabledPlugins = {
+        "gopls-lsp@claude-plugins-official" = true;
+      };
+      env = {
+        DISABLE_AUTOUPDATER = "1";
+      };
+      permissions = {
+        allow = [
+          "Bash(git diff:*)"
+          "Bash(git log:*)"
+          "Bash(git branch:*)"
+          "Bash(git commit:*)"
+          "Bash(git status:*)"
+          "Bash(git add:*)"
+          "Bash(nix build:*)"
+          "Bash(nix fmt:*)"
+          "Bash(nix flake check:*)"
+          "Bash(nix flake show:*)"
+          "Bash(nix eval:*)"
+          "Bash(nvd diff:*)"
+        ];
+        deny = [
+          "Read(*.tfvars)"
+          "Read(**/*.tfvars)"
+          "Read(.env)"
+          "Read(**/.env)"
+          "Read(./secrets/**)"
+          "Read(.sops.yaml)"
+          "Read(~/.ssh/*)"
+        ];
+      };
+      statusLine = {
+        type = "command";
+        command = ''input=$(cat); echo "$(basename "$(echo "$input" | jq -r '.workspace.current_dir')") | $(echo "$input" | jq -r '.model.display_name')"'';
+      };
+    };
+  };
+}