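# Home-manager module: Claude Code with a Forgejo MCP server whose access
# token comes from a sops-managed secret. Only the secret's *path* is
# interpolated at evaluation time; the token itself is read when the wrapper
# process starts, so it never lands in the world-readable Nix store.
{ pkgs, config, ... }:
let
  # Wrapper that injects the Forgejo token into the MCP server's environment
  # and then replaces itself with the server (stdio transport).
  forgejo-mcp-wrapper = pkgs.writeShellScript "forgejo-mcp-wrapper" ''
    set -eu
    # Assign and export on separate lines: `export X="$(cmd)"` reports the
    # exit status of `export`, not of `cmd`, so an unreadable or not-yet-
    # decrypted secret would silently start the server with an empty token.
    # Split like this, `set -e` aborts the launch instead.
    FORGEJO_ACCESS_TOKEN="$(cat ${config.sops.secrets.forgejo_access_token.path})"
    export FORGEJO_ACCESS_TOKEN
    # forgejo-mcp is resolved from PATH at run time — TODO confirm it is
    # present in the user's profile (or reference its store path here).
    exec forgejo-mcp --transport stdio --url https://code.t-juice.club
  '';
in
{
  # Declared with sops-nix defaults; the wrapper above consumes the decrypted
  # file's path via `config.sops.secrets.forgejo_access_token.path`.
  sops.secrets."forgejo_access_token" = { };

  programs.claude-code = {
    enable = true;
    package = pkgs.claude-code-bin;

    # Sub-agents and skills shipped next to this module.
    agents = {
      docs-verifier = ./agents/docs-verifier.md;
      security-reviewer = ./agents/security-reviewer.md;
    };
    skills = {
      pr = ./skills/pr;
    };

    # The MCP server is launched through the wrapper so the token is only ever
    # material in that process's environment, never in this configuration.
    mcpServers = {
      forgejo = {
        type = "stdio";
        command = "${forgejo-mcp-wrapper}";
      };
    };

    settings = {
      model = "opus";
      enabledPlugins = {
        "gopls-lsp@claude-plugins-official" = true;
      };
      env = {
        DISABLE_AUTOUPDATER = "1";
      };

      permissions = {
        # Repo-local git and nix subcommands run without a prompt; everything
        # not listed here (e.g. git push, arbitrary shell) still asks the user.
        allow = [
          "Bash(git diff:*)"
          "Bash(git log:*)"
          "Bash(git branch:*)"
          "Bash(git commit:*)"
          "Bash(git status:*)"
          "Bash(git add:*)"
          "Bash(nix build:*)"
          "Bash(nix fmt:*)"
          "Bash(nix flake check:*)"
          "Bash(nix flake show:*)"
          "Bash(nix eval:*)"
          "Bash(nvd diff:*)"
        ];
        # Keep the agent's Read tool away from local secret material.
        # NOTE(review): the `.env` rules match only files named exactly
        # `.env`; variants such as `.env.local` are not covered — confirm
        # that is intended.
        deny = [
          "Read(*.tfvars)"
          "Read(**/*.tfvars)"
          "Read(.env)"
          "Read(**/.env)"
          "Read(~/.ssh/*)"
        ];
      };

      hooks = {
        # After the agent enters plan mode, nudge it to propose a session name.
        PostToolUse = [
          {
            matcher = "EnterPlanMode";
            hooks = [
              {
                type = "command";
                command = "echo 'A plan is being created. If this session has not been renamed yet, suggest a concise, descriptive session name based on the conversation so far and ask the user to run /rename .'";
              }
            ];
          }
        ];
      };

      statusLine = {
        type = "command";
        # Reads the status JSON from stdin (requires jq on PATH) and prints
        # "<basename of current dir> | <model display name>".
        command = ''input=$(cat); echo "$(basename "$(echo "$input" | jq -r '.workspace.current_dir')") | $(echo "$input" | jq -r '.model.display_name')"'';
      };
    };
  };
}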