flk

AGENTS.md

@@ -33,10 +33,12 @@ alejandra .                   # Format all Nix files
 
 ### File Structure
 - **Modules**: `modules/` - All configuration (flake-parts modules, auto-imported by import-tree)
+  - `hosts/` - Per-host composition modules
+  - `profiles/` - Shared host and user profile bundles
   - `_lib/` - Utility functions (underscore = ignored by import-tree)
   - `_darwin/` - Darwin-specific sub-modules
   - `_neovim/` - Neovim plugin configs
-  - `_hosts/` - Host-specific sub-files (disk-config, hardware, etc.)
+  - `hosts/_parts/` - Host-specific leaf files (disk-config, hardware, service fragments, etc.)
 - **Apps**: `apps/` - Per-system app scripts (Nushell)
 - **Secrets**: `secrets/` - SOPS-encrypted secrets (`.sops.yaml` for config)
 
@@ -52,7 +54,9 @@ alejandra .                   # Format all Nix files
 - `homeManager` - Home Manager configuration
 - `os` - Applies to both NixOS and darwin
 
-**Hosts**: `den.hosts.<system>.<name>` defined in `modules/hosts.nix`
+**Hosts**: `den.hosts.<system>.<name>` declared in `modules/inventory.nix`
+
+**Profiles**: shared bundles live under `modules/profiles/{host,user}` and are exposed as `den.aspects.host-*` and `den.aspects.user-*`
 
 **Defaults**: `den.default.*` defined in `modules/defaults.nix`
 
@@ -131,7 +135,7 @@ in {
 ### Secrets Management
 - Use SOPS for secrets (see `.sops.yaml`)
 - Never commit unencrypted secrets
-- Secret definitions live in per-host modules (`modules/michael.nix`, `modules/tahani.nix`, etc.)
+- Secret definitions live in per-host modules (`modules/hosts/michael.nix`, `modules/hosts/tahani.nix`, etc.)
 - Shared SOPS defaults (module imports, key paths) in `modules/secrets.nix`
 
 ### Aspect Composition

README.md

@@ -10,7 +10,9 @@ Personal Nix flake for four machines:
 ## Repository Map
 
 - `modules/` - flake-parts modules, auto-imported via `import-tree`
-- `modules/_hosts/` - host-specific submodules like hardware, disks, and services
+- `modules/hosts/` - per-host composition modules
+- `modules/hosts/_parts/` - host-private leaf modules like hardware, disks, and services
+- `modules/profiles/` - shared host and user profile bundles
 - `modules/_lib/` - local helper functions
 - `apps/` - Nushell apps exposed through the flake
 - `secrets/` - SOPS-encrypted secrets
@@ -21,9 +23,11 @@ Personal Nix flake for four machines:
 
 This repo uses `den` and organizes configuration around aspects instead of putting everything directly in host files.
 
-- shared behavior lives in `den.aspects.<name>.<class>` modules
-- hosts are declared in `modules/hosts.nix`
-- host composition happens in `modules/<host>.nix`
+- shared behavior lives in `den.aspects.<name>.<class>` modules under `modules/*.nix`
+- the machine inventory lives in `modules/inventory.nix`
+- shared bundles live in `modules/profiles/{host,user}/`
+- host composition happens in `modules/hosts/<host>.nix`
+- host-private imports live in `modules/hosts/_parts/<host>/`
 - user-level config mostly lives in Home Manager aspects
 
 Common examples:
@@ -31,8 +35,9 @@ Common examples:
 - `modules/core.nix` - shared Nix and shell foundation
 - `modules/dev-tools.nix` - VCS, language, and developer tooling
 - `modules/network.nix` - SSH, fail2ban, and tailscale aspects
-- `modules/michael.nix` - server composition for `michael`
-- `modules/tahani.nix` - server/workstation composition for `tahani`
+- `modules/profiles/user/workstation.nix` - shared developer workstation user bundle
+- `modules/hosts/michael.nix` - server composition for `michael`
+- `modules/hosts/tahani.nix` - server/workstation composition for `tahani`
 
 ## Common Commands
 

flake.lock

@@ -130,11 +130,11 @@
     },
     "den": {
       "locked": {
-        "lastModified": 1774153178,
-        "narHash": "sha256-cSLx4AFv+CehXgg4F32OQs1trvvbW0pjJp92ZzGbWLw=",
+        "lastModified": 1774223159,
+        "narHash": "sha256-aPfuEzOcd1Jaj+XkELOgDSX8DpM8YQCX1z8KKpKGJtY=",
         "owner": "vic",
         "repo": "den",
-        "rev": "907fdc486a5429b20cddbab2fe3c2ded51386b88",
+        "rev": "5728cf32f2f2a3c4b0e34ecfb211ce8c0131a3a7",
         "type": "github"
       },
       "original": {
@@ -441,11 +441,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774135471,
-        "narHash": "sha256-TVeIGOxnfSPM6JvkRkXHpJECnj1OG2dXkWMSA4elzzQ=",
+        "lastModified": 1774210133,
+        "narHash": "sha256-yeiWCY9aAUUJ3ebMVjs0UZXRnT5x90MCtpbpOWiXrvM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "856b01ebd1de3f53c3929ce8082d9d67d799d816",
+        "rev": "c6fe2944ad9f2444b2d767c4a5edee7c166e8a95",
         "type": "github"
       },
       "original": {
@@ -457,11 +457,11 @@
     "homebrew-cask": {
       "flake": false,
       "locked": {
-        "lastModified": 1774191097,
-        "narHash": "sha256-A/67Xh7tZJqdNhAexlgwP9xxXXhYtDbDYZpJdIlgchk=",
+        "lastModified": 1774249610,
+        "narHash": "sha256-MdzRhOIH5t7pBRFXNsR/aKQzUkFkK8Oon4Fqc+j3jPo=",
         "owner": "homebrew",
         "repo": "homebrew-cask",
-        "rev": "71320dbb986eace593acd56d0717a512003e87e5",
+        "rev": "742a8f2af8676cca52cfc5753dbce6c0cfee519f",
         "type": "github"
       },
       "original": {
@@ -473,11 +473,11 @@
     "homebrew-core": {
       "flake": false,
       "locked": {
-        "lastModified": 1774193224,
-        "narHash": "sha256-r2ESttFIUrcAjRKfrj4aOb3fND1R7gSauBgyIffUdn8=",
+        "lastModified": 1774249283,
+        "narHash": "sha256-B3L1YpysszVUEg9wqj+B8SNpGUHcfYWlrLD1GQC40E8=",
         "owner": "homebrew",
         "repo": "homebrew-core",
-        "rev": "32d9e41f935cc6a67770ab8dc8f709e18ff90486",
+        "rev": "e9db20c2b64def74b5fbbed530ee8436878c9721",
         "type": "github"
       },
       "original": {
@@ -519,11 +519,11 @@
     "jj-diffconflicts": {
       "flake": false,
       "locked": {
-        "lastModified": 1773600164,
-        "narHash": "sha256-jSbBhy4n/8cynQx6LAJ0KCIvpHbQLtPIYkOG0cpW47M=",
+        "lastModified": 1774204449,
+        "narHash": "sha256-CDLOo07tGOg/7Sowb1d39k9Nq/RW50axGj8L1D3Be70=",
         "owner": "rafikdraoui",
         "repo": "jj-diffconflicts",
-        "rev": "e7d485171ad4df85765d1db05fe86b74f534b5ee",
+        "rev": "58163ae8fe7646179dfd7741206dd9a2b4cdadc0",
         "type": "github"
       },
       "original": {
@@ -593,11 +593,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1774190239,
-        "narHash": "sha256-j1CRpjQSAChzvkh+4P2WQpO7aJJn514ZpbQ03T1fk38=",
+        "lastModified": 1774237443,
+        "narHash": "sha256-4h/vWMOCvd0s5WK7DONqlljImbbKG55gmnVfBcxcFoY=",
         "owner": "numtide",
         "repo": "llm-agents.nix",
-        "rev": "20277623694c39636c6d6cc709461931d0fe64d3",
+        "rev": "d17f058f96e7993b50879e871a742b3ed9a5f429",
         "type": "github"
       },
       "original": {
@@ -637,11 +637,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774137890,
-        "narHash": "sha256-o1bwfbAeJ4jouE0dG176+n0Oy30AIKoczX/Wjbx2Iwo=",
+        "lastModified": 1774224385,
+        "narHash": "sha256-VQPMdAUOhDqb6AUAn6oQYPvU2DVGHIc3iRdAHlDhSHQ=",
         "owner": "nix-community",
         "repo": "neovim-nightly-overlay",
-        "rev": "004286778676bb67da256a0c1b93add3e1275be7",
+        "rev": "701c0a6174fde5de4b9424c0d1e5a4306b73baac",
         "type": "github"
       },
       "original": {
@@ -653,11 +653,11 @@
     "neovim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1774136084,
-        "narHash": "sha256-84L6rm4ilbd+mg3mhTufTVTpY6lrlfNtFOlcIh5ekgo=",
+        "lastModified": 1774221289,
+        "narHash": "sha256-nxFkSVa268w237r0i0xxCpzyIVtfXocm1xI+vsjJlgo=",
         "owner": "neovim",
         "repo": "neovim",
-        "rev": "0db8efcbe4fc9642597ac93556793948c01f8f6f",
+        "rev": "6cd1fe9a66947511f59226d51dd70197d80513e5",
         "type": "github"
       },
       "original": {
@@ -750,11 +750,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1774197149,
-        "narHash": "sha256-M+ErdpqiHoPRI7sqYpxwp0BQlQXLn1yNY95n9q7o6/M=",
+        "lastModified": 1774249382,
+        "narHash": "sha256-OsvVvcOQFbkOJV9y8Fy8xLmXl+UDw1SEm/hZjTGSI2Q=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "87d5802892194cc6e4aa5fdc63b5de3ffce873f2",
+        "rev": "9a50eb242f5449d99c3b44dfb5b0eac6fc38807f",
         "type": "github"
       },
       "original": {
@@ -864,6 +864,23 @@
         "type": "github"
       }
     },
+    "pi-mcp-adapter": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1773642170,
+        "narHash": "sha256-E6Kf+OyTN/pF8pKADJO0B1+buAPqNcXnZl9ssZwSP8U=",
+        "owner": "nicobailon",
+        "repo": "pi-mcp-adapter",
+        "rev": "01ba9a4e86bd16d895db319b913d73754a473acb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nicobailon",
+        "ref": "v2.2.0",
+        "repo": "pi-mcp-adapter",
+        "type": "github"
+      }
+    },
     "pi-rose-pine": {
       "flake": false,
       "locked": {
@@ -928,6 +945,7 @@
         "pi-agent-stuff": "pi-agent-stuff",
         "pi-elixir": "pi-elixir",
         "pi-harness": "pi-harness",
+        "pi-mcp-adapter": "pi-mcp-adapter",
         "pi-rose-pine": "pi-rose-pine",
         "sops-nix": "sops-nix",
         "zjstatus": "zjstatus"

flake.nix

@@ -80,6 +80,10 @@
 			url = "github:aliou/pi-harness";
 			flake = false;
 		};
+		pi-mcp-adapter = {
+			url = "github:nicobailon/pi-mcp-adapter/v2.2.0";
+			flake = false;
+		};
 		pi-rose-pine = {
 			url = "github:zenobi-us/pi-rose-pine";
 			flake = false;

modules/_ai-tools/extensions/no-scripting.ts

@@ -1,7 +1,7 @@
 /**
  * No Scripting Extension
  *
- * Blocks python, perl, ruby, php, lua, and inline bash/sh scripts.
+ * Blocks python, perl, ruby, php, lua, node -e, and inline bash/sh scripts.
  * Tells the LLM to use `nu -c` instead.
  */
 
@@ -9,7 +9,7 @@ import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
 import { isToolCallEventType } from "@mariozechner/pi-coding-agent";
 
 const SCRIPTING_PATTERN =
-	/(?:^|[;&|]\s*|&&\s*|\|\|\s*|\$\(\s*|`\s*)(?:python[23]?|perl|ruby|php|lua|bash\s+-c|sh\s+-c)\s/;
+	/(?:^|[;&|]\s*|&&\s*|\|\|\s*|\$\(\s*|`\s*)(?:python[23]?|perl|ruby|php|lua|node\s+-e|bash\s+-c|sh\s+-c)\s/;
 
 export default function (pi: ExtensionAPI) {
 	pi.on("tool_call", async (event, _ctx) => {
@@ -21,7 +21,7 @@ export default function (pi: ExtensionAPI) {
 			return {
 				block: true,
 				reason:
-					"Do not use python, perl, ruby, php, lua, or inline bash/sh for scripting. Use `nu -c` instead.",
+					"Do not use python, perl, ruby, php, lua, node -e, or inline bash/sh for scripting. Use `nu -c` instead.",
 			};
 		}
 	});

modules/_ai-tools/mcp.json

@@ -0,0 +1,21 @@
+{
+  "mcpServers": {
+    "opensrc": {
+      "command": "npx",
+      "args": ["-y", "opensrc-mcp"],
+      "directTools": true
+    },
+    "context7": {
+      "url": "https://mcp.context7.com/mcp",
+      "directTools": true
+    },
+    "grep_app": {
+      "url": "https://mcp.grep.app",
+      "directTools": true
+    },
+    "sentry": {
+      "url": "https://mcp.sentry.dev/mcp",
+      "auth": "oauth"
+    }
+  }
+}

modules/_ai-tools/skills/jujutsu/SKILL.md

@@ -0,0 +1,143 @@
+---
+name: jujutsu
+description: Manages version control with Jujutsu (jj), including rebasing, conflict resolution, and Git interop. Use when tracking changes, navigating history, squashing/splitting commits, or pushing to Git remotes.
+---
+
+# Jujutsu
+
+Git-compatible VCS focused on concurrent development and ease of use.
+
+> ⚠️ **Not Git!** Jujutsu syntax differs from Git:
+>
+> - Parent: `@-` not `@~1` or `@^`
+> - Grandparent: `@--` not `@~2`
+> - Child: `@+` not `@~-1`
+> - Use `jj log` not `jj changes`
+
+## Key Commands
+
+| Command                    | Description                                  |
+| -------------------------- | -------------------------------------------- |
+| `jj st`                    | Show working copy status                     |
+| `jj log`                   | Show change log                              |
+| `jj diff`                  | Show changes in working copy                 |
+| `jj new`                   | Create new change                            |
+| `jj desc`                  | Edit change description                      |
+| `jj squash`                | Move changes to parent                       |
+| `jj split`                 | Split current change                         |
+| `jj rebase -s src -d dest` | Rebase changes                               |
+| `jj absorb`                | Move changes into stack of mutable revisions |
+| `jj bisect`                | Find bad revision by bisection               |
+| `jj fix`                   | Update files with formatting fixes           |
+| `jj sign`                  | Cryptographically sign a revision            |
+| `jj metaedit`              | Modify metadata without changing content     |
+
+## Basic Workflow
+
+```bash
+jj new                   # Create new change
+jj desc -m "feat: add feature"  # Set description
+jj log                   # View history
+jj edit change-id        # Switch to change
+jj new --before @        # Time travel (create before current)
+jj edit @-               # Go to parent
+```
+
+## Time Travel
+
+```bash
+jj edit change-id        # Switch to specific change
+jj next --edit           # Next child change
+jj edit @-               # Parent change
+jj new --before @ -m msg # Insert before current
+```
+
+## Merging & Rebasing
+
+```bash
+jj new x yz -m msg       # Merge changes
+jj rebase -s src -d dest # Rebase source onto dest
+jj abandon              # Delete current change
+```
+
+## Conflicts
+
+```bash
+jj resolve              # Interactive conflict resolution
+# Edit files, then continue
+```
+
+## Revset Syntax
+
+**Parent/child operators:**
+
+| Syntax | Meaning          | Example              |
+| ------ | ---------------- | -------------------- |
+| `@-`   | Parent of @      | `jj diff -r @-`      |
+| `@--`  | Grandparent      | `jj log -r @--`      |
+| `x-`   | Parent of x      | `jj diff -r abc123-` |
+| `@+`   | Child of @       | `jj log -r @+`       |
+| `x::y` | x to y inclusive | `jj log -r main::@`  |
+| `x..y` | x to y exclusive | `jj log -r main..@`  |
+| `x\|y` | Union (or)       | `jj log -r 'a \| b'` |
+
+**⚠️ Common mistakes:**
+
+- ❌ `@~1` → ✅ `@-` (parent)
+- ❌ `@^` → ✅ `@-` (parent)
+- ❌ `@~-1` → ✅ `@+` (child)
+- ❌ `jj changes` → ✅ `jj log` or `jj diff`
+- ❌ `a,b,c` → ✅ `a | b | c` (union uses pipe, not comma)
+
+**Functions:**
+
+```bash
+jj log -r 'heads(all())'        # All heads
+jj log -r 'remote_bookmarks()..'  # Not on remote
+jj log -r 'author(name)'        # By author
+jj log -r 'description(regex)'  # By description
+jj log -r 'mine()'              # My commits
+jj log -r 'committer_date(after:"7 days ago")'  # Recent commits
+jj log -r 'mine() & committer_date(after:"yesterday")'  # My recent
+```
+
+## Templates
+
+```bash
+jj log -T 'commit_id ++ "\n" ++ description'
+```
+
+## Git Interop
+
+```bash
+jj bookmark create main -r @  # Create bookmark
+jj git push --bookmark main   # Push bookmark
+jj git fetch                 # Fetch from remote
+jj bookmark track main@origin # Track remote
+```
+
+## Advanced Commands
+
+```bash
+jj absorb               # Auto-move changes to relevant commits in stack
+jj bisect start         # Start bisection
+jj bisect good          # Mark current as good
+jj bisect bad           # Mark current as bad
+jj fix                  # Run configured formatters on files
+jj sign -r @            # Sign current revision
+jj metaedit -r @ -m "new message"  # Edit metadata only
+```
+
+## Tips
+
+- No staging: changes are immediate
+- Use conventional commits: `type(scope): desc`
+- `jj undo` to revert operations
+- `jj op log` to see operation history
+- Bookmarks are like branches
+- `jj absorb` is powerful for fixing up commits in a stack
+
+## Related Skills
+
+- **gh**: GitHub CLI for PRs and issues
+- **review**: Code review before committing

modules/_overlays/pi-mcp-adapter.nix

@@ -3,13 +3,7 @@
 		prev.buildNpmPackage {
 			pname = "pi-mcp-adapter";
 			version = "2.2.0";
-			src =
-				prev.fetchFromGitHub {
-					owner = "nicobailon";
-					repo = "pi-mcp-adapter";
-					rev = "v2.2.0";
-					hash = "sha256-E6Kf+OyTN/pF8pKADJO0B1+buAPqNcXnZl9ssZwSP8U=";
-				};
+			src = inputs.pi-mcp-adapter;
 			npmDepsHash = "sha256-myJ9h/zC/KDddt8NOVvJjjqbnkdEN4ZR+okCR5nu7hM=";
 			dontNpmBuild = true;
 		};

modules/ai-tools.nix

@@ -2,7 +2,6 @@
 	den.aspects.ai-tools.homeManager = {
 		pkgs,
 		inputs',
-		lib,
 		...
 	}: {
 		home.packages = [
@@ -21,160 +20,15 @@
 				source = "${pkgs.pi-mcp-adapter}/lib/node_modules/pi-mcp-adapter";
 				recursive = true;
 			};
-			".pi/agent/extensions/no-git.ts".source = ./_ai-tools/no-git.ts;
-			".pi/agent/extensions/no-scripting.ts".source = ./_ai-tools/no-scripting.ts;
-			".pi/agent/extensions/review.ts".source = ./_ai-tools/review.ts;
-			".pi/agent/extensions/session-name.ts".source = ./_ai-tools/session-name.ts;
+			".pi/agent/extensions/no-git.ts".source = ./_ai-tools/extensions/no-git.ts;
+			".pi/agent/extensions/no-scripting.ts".source = ./_ai-tools/extensions/no-scripting.ts;
+			".pi/agent/extensions/review.ts".source = ./_ai-tools/extensions/review.ts;
+			".pi/agent/extensions/session-name.ts".source = ./_ai-tools/extensions/session-name.ts;
 			".pi/agent/skills/elixir-dev" = {
 				source = "${inputs.pi-elixir}/skills/elixir-dev";
 				recursive = true;
 			};
-			".pi/agent/skills/jujutsu/SKILL.md".text =
-				lib.removePrefix "\n" (builtins.replaceStrings ["\t"] [""] ''
-						---
-						name: jujutsu
-						description: Manages version control with Jujutsu (jj), including rebasing, conflict resolution, and Git interop. Use when tracking changes, navigating history, squashing/splitting commits, or pushing to Git remotes.
-						---
-
-						# Jujutsu
-
-						Git-compatible VCS focused on concurrent development and ease of use.
-
-						> ⚠️ **Not Git!** Jujutsu syntax differs from Git:
-						>
-						> - Parent: `@-` not `@~1` or `@^`
-						> - Grandparent: `@--` not `@~2`
-						> - Child: `@+` not `@~-1`
-						> - Use `jj log` not `jj changes`
-
-						## Key Commands
-
-						| Command                    | Description                                  |
-						| -------------------------- | -------------------------------------------- |
-						| `jj st`                    | Show working copy status                     |
-						| `jj log`                   | Show change log                              |
-						| `jj diff`                  | Show changes in working copy                 |
-						| `jj new`                   | Create new change                            |
-						| `jj desc`                  | Edit change description                      |
-						| `jj squash`                | Move changes to parent                       |
-						| `jj split`                 | Split current change                         |
-						| `jj rebase -s src -d dest` | Rebase changes                               |
-						| `jj absorb`                | Move changes into stack of mutable revisions |
-						| `jj bisect`                | Find bad revision by bisection               |
-						| `jj fix`                   | Update files with formatting fixes           |
-						| `jj sign`                  | Cryptographically sign a revision            |
-						| `jj metaedit`              | Modify metadata without changing content     |
-
-						## Basic Workflow
-
-						```bash
-						jj new                   # Create new change
-						jj desc -m "feat: add feature"  # Set description
-						jj log                   # View history
-						jj edit change-id        # Switch to change
-						jj new --before @        # Time travel (create before current)
-						jj edit @-               # Go to parent
-						```
-
-						## Time Travel
-
-						```bash
-						jj edit change-id        # Switch to specific change
-						jj next --edit           # Next child change
-						jj edit @-               # Parent change
-						jj new --before @ -m msg # Insert before current
-						```
-
-						## Merging & Rebasing
-
-						```bash
-						jj new x yz -m msg       # Merge changes
-						jj rebase -s src -d dest # Rebase source onto dest
-						jj abandon              # Delete current change
-						```
-
-						## Conflicts
-
-						```bash
-						jj resolve              # Interactive conflict resolution
-						# Edit files, then continue
-						```
-
-						## Revset Syntax
-
-						**Parent/child operators:**
-
-						| Syntax | Meaning          | Example              |
-						| ------ | ---------------- | -------------------- |
-						| `@-`   | Parent of @      | `jj diff -r @-`      |
-						| `@--`  | Grandparent      | `jj log -r @--`      |
-						| `x-`   | Parent of x      | `jj diff -r abc123-` |
-						| `@+`   | Child of @       | `jj log -r @+`       |
-						| `x::y` | x to y inclusive | `jj log -r main::@`  |
-						| `x..y` | x to y exclusive | `jj log -r main..@`  |
-						| `x\|y` | Union (or)       | `jj log -r 'a \| b'` |
-
-						**⚠️ Common mistakes:**
-
-						- ❌ `@~1` → ✅ `@-` (parent)
-						- ❌ `@^` → ✅ `@-` (parent)
-						- ❌ `@~-1` → ✅ `@+` (child)
-						- ❌ `jj changes` → ✅ `jj log` or `jj diff`
-						- ❌ `a,b,c` → ✅ `a | b | c` (union uses pipe, not comma)
-
-						**Functions:**
-
-						```bash
-						jj log -r 'heads(all())'        # All heads
-						jj log -r 'remote_bookmarks()..'  # Not on remote
-						jj log -r 'author(name)'        # By author
-						jj log -r 'description(regex)'  # By description
-						jj log -r 'mine()'              # My commits
-						jj log -r 'committer_date(after:"7 days ago")'  # Recent commits
-						jj log -r 'mine() & committer_date(after:"yesterday")'  # My recent
-						```
-
-						## Templates
-
-						```bash
-						jj log -T 'commit_id ++ "\n" ++ description'
-						```
-
-						## Git Interop
-
-						```bash
-						jj bookmark create main -r @  # Create bookmark
-						jj git push --bookmark main   # Push bookmark
-						jj git fetch                 # Fetch from remote
-						jj bookmark track main@origin # Track remote
-						```
-
-						## Advanced Commands
-
-						```bash
-						jj absorb               # Auto-move changes to relevant commits in stack
-						jj bisect start         # Start bisection
-						jj bisect good          # Mark current as good
-						jj bisect bad           # Mark current as bad
-						jj fix                  # Run configured formatters on files
-						jj sign -r @            # Sign current revision
-						jj metaedit -r @ -m "new message"  # Edit metadata only
-						```
-
-						## Tips
-
-						- No staging: changes are immediate
-						- Use conventional commits: `type(scope): desc`
-						- `jj undo` to revert operations
-						- `jj op log` to see operation history
-						- Bookmarks are like branches
-						- `jj absorb` is powerful for fixing up commits in a stack
-
-						## Related Skills
-
-						- **gh**: GitHub CLI for PRs and issues
-						- **review**: Code review before committing
-					'');
+			".pi/agent/skills/jujutsu/SKILL.md".source = ./_ai-tools/skills/jujutsu/SKILL.md;
 			".pi/agent/themes" = {
 				source = "${inputs.pi-rose-pine}/themes";
 				recursive = true;
@@ -209,25 +63,7 @@
 						}
 					];
 				};
-			".pi/agent/mcp.json".text =
-				builtins.toJSON {
-					mcpServers = {
-						opensrc = {
-							command = "npx";
-							args = ["-y" "opensrc-mcp"];
-						};
-						context7 = {
-							url = "https://mcp.context7.com/mcp";
-						};
-						grep_app = {
-							url = "https://mcp.grep.app";
-						};
-						sentry = {
-							url = "https://mcp.sentry.dev/mcp";
-							auth = "oauth";
-						};
-					};
-				};
+			".pi/agent/mcp.json".source = ./_ai-tools/mcp.json;
 		};
 	};
 }

modules/dendritic.nix

@@ -70,6 +70,10 @@
 			url = "github:aliou/pi-harness";
 			flake = false;
 		};
+		pi-mcp-adapter = {
+			url = "github:nicobailon/pi-mcp-adapter/v2.2.0";
+			flake = false;
+		};
 		# Overlay inputs
 		himalaya.url = "github:pimalaya/himalaya";
 		jj-ryu = {

modules/hosts/_parts/michael/gitea.nix

@@ -5,21 +5,21 @@
 }: {
 	sops.secrets = {
 		michael-gitea-litestream = {
-			sopsFile = ../../../secrets/michael-gitea-litestream;
+			sopsFile = ../../../../secrets/michael-gitea-litestream;
 			format = "binary";
 			owner = "gitea";
 			group = "gitea";
 			path = "/run/secrets/michael-gitea-litestream";
 		};
 		michael-gitea-restic-password = {
-			sopsFile = ../../../secrets/michael-gitea-restic-password;
+			sopsFile = ../../../../secrets/michael-gitea-restic-password;
 			format = "binary";
 			owner = "gitea";
 			group = "gitea";
 			path = "/run/secrets/michael-gitea-restic-password";
 		};
 		michael-gitea-restic-env = {
-			sopsFile = ../../../secrets/michael-gitea-restic-env;
+			sopsFile = ../../../../secrets/michael-gitea-restic-env;
 			format = "binary";
 			owner = "gitea";
 			group = "gitea";

modules/hosts/chidi.nix

@@ -2,34 +2,16 @@
 	den.hosts.aarch64-darwin.chidi.users.cschmatzler.aspect = "chidi-cschmatzler";
 
 	den.aspects.chidi-cschmatzler = {
-		includes = [
-			den.aspects.shell
-			den.aspects.ssh-client
-			den.aspects.terminal
-			den.aspects.atuin
-			den.aspects.dev-tools
-			den.aspects.neovim
-			den.aspects.ai-tools
-			den.aspects.secrets
-			den.aspects.zellij
-			den.aspects.zk
-			den.aspects.desktop
-		];
+		includes = [den.aspects.user-darwin-laptop];
 
 		homeManager = {...}: {
-			programs.home-manager.enable = true;
-			fonts.fontconfig.enable = true;
 			programs.git.settings.user.email = "christoph@tuist.dev";
 		};
 	};
 
 	den.aspects.chidi.includes = [
 		(den.lib.perHost {
-				includes = [
-					den.aspects.darwin-system
-					den.aspects.core
-					den.aspects.tailscale
-				];
+				includes = [den.aspects.host-darwin-base];
 
 				darwin = {pkgs, ...}: {
 					networking.hostName = "chidi";

modules/hosts/jason.nix

@@ -0,0 +1,21 @@
+{den, ...}: {
+	den.hosts.aarch64-darwin.jason.users.cschmatzler.aspect = "jason-cschmatzler";
+
+	den.aspects.jason-cschmatzler = {
+		includes = [
+			den.aspects.user-darwin-laptop
+			den.aspects.user-personal
+		];
+	};
+
+	den.aspects.jason.includes = [
+		(den.lib.perHost {
+				includes = [den.aspects.host-darwin-base];
+
+				darwin = {...}: {
+					networking.hostName = "jason";
+					networking.computerName = "jason";
+				};
+			})
+	];
+}

modules/hosts/michael.nix

@@ -6,30 +6,20 @@
 	den.hosts.x86_64-linux.michael.users.cschmatzler.aspect = "michael-cschmatzler";
 
 	den.aspects.michael-cschmatzler = {
-		includes = [den.aspects.shell];
-
-		homeManager = {...}: {
-			programs.home-manager.enable = true;
-		};
+		includes = [den.aspects.user-minimal];
 	};
 
 	den.aspects.michael.includes = [
 		(den.lib.perHost {
-				includes = [
-					den.aspects.nixos-system
-					den.aspects.core
-					den.aspects.openssh
-					den.aspects.fail2ban
-					den.aspects.tailscale
-				];
+				includes = [den.aspects.host-public-server];
 
 				nixos = {modulesPath, ...}: {
 					imports = [
 						(modulesPath + "/installer/scan/not-detected.nix")
-						./_hosts/michael/backups.nix
-						./_hosts/michael/disk-config.nix
-						./_hosts/michael/gitea.nix
-						./_hosts/michael/hardware-configuration.nix
+						./_parts/michael/backups.nix
+						./_parts/michael/disk-config.nix
+						./_parts/michael/gitea.nix
+						./_parts/michael/hardware-configuration.nix
 						inputs.disko.nixosModules.default
 					];
 

modules/hosts/tahani.nix

@@ -3,23 +3,12 @@
 
 	den.aspects.tahani-cschmatzler = {
 		includes = [
-			den.aspects.shell
-			den.aspects.ssh-client
-			den.aspects.terminal
-			den.aspects.atuin
-			den.aspects.dev-tools
-			den.aspects.neovim
-			den.aspects.ai-tools
-			den.aspects.secrets
-			den.aspects.zellij
-			den.aspects.zk
+			den.aspects.user-workstation
+			den.aspects.user-personal
 			den.aspects.email
 		];
 
 		homeManager = {
-			programs.home-manager.enable = true;
-			programs.git.settings.user.email = "christoph@schmatzler.com";
-
 			programs.nushell.extraConfig = ''
 				if $nu.is-interactive and ('SSH_CONNECTION' in ($env | columns)) and ('ZELLIJ' not-in ($env | columns)) {
 					try {
@@ -35,36 +24,31 @@
 
 	den.aspects.tahani.includes = [
 		(den.lib.perHost {
-				includes = [
-					den.aspects.nixos-system
-					den.aspects.core
-					den.aspects.openssh
-					den.aspects.tailscale
-				];
+				includes = [den.aspects.host-nixos-base];
 
 				nixos = {...}: {
 					imports = [
-						./_hosts/tahani/adguardhome.nix
-						./_hosts/tahani/cache.nix
-						./_hosts/tahani/networking.nix
-						./_hosts/tahani/paperless.nix
+						./_parts/tahani/adguardhome.nix
+						./_parts/tahani/cache.nix
+						./_parts/tahani/networking.nix
+						./_parts/tahani/paperless.nix
 					];
 
 					networking.hostName = "tahani";
 
 					sops.secrets = {
 						tahani-paperless-password = {
-							sopsFile = ../secrets/tahani-paperless-password;
+							sopsFile = ../../secrets/tahani-paperless-password;
 							format = "binary";
 							path = "/run/secrets/tahani-paperless-password";
 						};
 						tahani-paperless-gpt-env = {
-							sopsFile = ../secrets/tahani-paperless-gpt-env;
+							sopsFile = ../../secrets/tahani-paperless-gpt-env;
 							format = "binary";
 							path = "/run/secrets/tahani-paperless-gpt-env";
 						};
 						tahani-email-password = {
-							sopsFile = ../secrets/tahani-email-password;
+							sopsFile = ../../secrets/tahani-email-password;
 							format = "binary";
 							owner = "cschmatzler";
 							path = "/run/secrets/tahani-email-password";

modules/jason.nix

@@ -1,40 +0,0 @@
-{den, ...}: {
-	den.hosts.aarch64-darwin.jason.users.cschmatzler.aspect = "jason-cschmatzler";
-
-	den.aspects.jason-cschmatzler = {
-		includes = [
-			den.aspects.shell
-			den.aspects.ssh-client
-			den.aspects.terminal
-			den.aspects.atuin
-			den.aspects.dev-tools
-			den.aspects.neovim
-			den.aspects.ai-tools
-			den.aspects.secrets
-			den.aspects.zellij
-			den.aspects.zk
-			den.aspects.desktop
-		];
-
-		homeManager = {...}: {
-			programs.home-manager.enable = true;
-			fonts.fontconfig.enable = true;
-			programs.git.settings.user.email = "christoph@schmatzler.com";
-		};
-	};
-
-	den.aspects.jason.includes = [
-		(den.lib.perHost {
-				includes = [
-					den.aspects.darwin-system
-					den.aspects.core
-					den.aspects.tailscale
-				];
-
-				darwin = {...}: {
-					networking.hostName = "jason";
-					networking.computerName = "jason";
-				};
-			})
-	];
-}

modules/profiles/host/darwin-base.nix

@@ -0,0 +1,7 @@
+{den, ...}: {
+	den.aspects.host-darwin-base.includes = [
+		den.aspects.darwin-system
+		den.aspects.core
+		den.aspects.tailscale
+	];
+}

modules/profiles/host/nixos-base.nix

@@ -0,0 +1,8 @@
+{den, ...}: {
+	den.aspects.host-nixos-base.includes = [
+		den.aspects.nixos-system
+		den.aspects.core
+		den.aspects.openssh
+		den.aspects.tailscale
+	];
+}

modules/profiles/host/public-server.nix

@@ -0,0 +1,6 @@
+{den, ...}: {
+	den.aspects.host-public-server.includes = [
+		den.aspects.host-nixos-base
+		den.aspects.fail2ban
+	];
+}

modules/profiles/user/base.nix

@@ -0,0 +1,17 @@
+{den, ...}: {
+	den.aspects.user-base = {
+		includes = [
+			den.aspects.shell
+			den.aspects.ssh-client
+			den.aspects.terminal
+			den.aspects.atuin
+			den.aspects.secrets
+			den.aspects.zellij
+			den.aspects.zk
+		];
+
+		homeManager = {
+			programs.home-manager.enable = true;
+		};
+	};
+}

modules/profiles/user/darwin-laptop.nix

@@ -0,0 +1,12 @@
+{den, ...}: {
+	den.aspects.user-darwin-laptop = {
+		includes = [
+			den.aspects.user-workstation
+			den.aspects.desktop
+		];
+
+		homeManager = {
+			fonts.fontconfig.enable = true;
+		};
+	};
+}

modules/profiles/user/minimal.nix

@@ -0,0 +1,11 @@
+{den, ...}: {
+	den.aspects.user-minimal = {
+		includes = [
+			den.aspects.shell
+		];
+
+		homeManager = {
+			programs.home-manager.enable = true;
+		};
+	};
+}

modules/profiles/user/personal.nix

@@ -0,0 +1,5 @@
+{...}: {
+	den.aspects.user-personal.homeManager = {
+		programs.git.settings.user.email = "christoph@schmatzler.com";
+	};
+}

modules/profiles/user/workstation.nix

@@ -0,0 +1,8 @@
+{den, ...}: {
+	den.aspects.user-workstation.includes = [
+		den.aspects.user-base
+		den.aspects.dev-tools
+		den.aspects.neovim
+		den.aspects.ai-tools
+	];
+}