chore(git): ignore .agents directory globally

Add Python-based slack-cli package that reads Slack messages from local
Chromium IndexedDB cache. Includes pinned dependencies for dfindexeddb,
python-snappy, and zstd. Enable on mac-va-mbp-work home config.

.agents/skills/update-package-hashes/SKILL.md

@@ -0,0 +1,70 @@
+---
+name: update-package-hashes
+description: Update a package in packages/ to a new version and refresh its hashes (src, vendorHash, npmDepsHash, cargoHash, etc.) WITHOUT compiling the package. Use when the user asks to bump, update, or upgrade a specific package under packages/. Requires package name and target version/rev.
+---
+
+# Update Package Hashes (Without Building)
+
+Require the user to supply the **package name** and **target version/rev/tag**. Ask if missing.
+
+## Hard Rules — Read First
+
+1. **Never run `nix build .#<pkg>`** or `.#packages.<system>.<pkg>`. That compiles the package. Only realise **FOD sub-attributes** (`.src`, `.goModules`, `.npmDeps`, `.cargoDeps`) — those are pure downloads, not builds.
+2. **Never** use `nix-prefetch-git`, `nix-prefetch-url`, `nix hash path`, `git clone` + manual hashing, `builtins.fetchGit`, or any other ad-hoc method to compute hashes. They produce hashes in formats that don't match what `fetchgit`/`fetchFromGitHub`/etc. expect, and you will waste time chasing mismatches.
+3. There are exactly **two** correct ways to get a hash, both listed below. If neither fits, stop and ask the user — don't improvise.
+
+## The Only Two Methods
+
+### Method A — `nurl` (preferred for `src` on any git forge)
+
+`nurl` works for **any git URL**, not just GitHub: `gitea.va.reichard.io`, `gitlab`, `codeberg`, `sourcehut`, plain `https://...git`, all fine. It downloads the source and prints a complete fetcher expression with the correct hash.
+
+```bash
+nix run nixpkgs#nurl -- <git-url> <rev-or-tag>
+```
+
+Examples:
+```bash
+nix run nixpkgs#nurl -- https://github.com/owner/repo v1.2.3
+nix run nixpkgs#nurl -- https://gitea.va.reichard.io/evan/slack-cli.git 0a9484257a2adc414aa4cdab4fb9539a37e04d1f
+```
+
+Copy the `hash = "sha256-..."` line into the package's `src` block.
+
+### Method B — FOD mismatch trick (for everything else)
+
+For `vendorHash`, `npmDepsHash`, `cargoHash`, `cargoLock.outputHashes.<crate>`, or any `src` using a custom fetcher (`leaveDotGit`, `postFetch`, `fetchSubmodules`, etc. — applies to `llama-cpp` and `llama-swap`), realise the **specific FOD sub-attribute** and read the `got:` line from the error.
+
+```bash
+nix build .#<name>.src --no-link 2>&1 | tee /tmp/hash.log         # for src
+nix build .#<name>.goModules --no-link 2>&1 | tee /tmp/hash.log   # for vendorHash
+nix build .#<name>.npmDeps --no-link 2>&1 | tee /tmp/hash.log     # for npmDepsHash
+nix build .#<name>.cargoDeps --no-link 2>&1 | tee /tmp/hash.log   # for cargoHash
+grep -E '^[[:space:]]*got:' /tmp/hash.log | tail -1 | awk '{print $2}'
+```
+
+Setting the hash to `sha256-AAAA...` (44 A's) or leaving the old one in place both work — the build will fail at the FOD with `got: sha256-...` which is the correct value.
+
+**Note:** `.src`, `.goModules`, etc. are sub-attributes of the derivation. They download but do not compile. `nix build .#<name>` (without the `.src` suffix) compiles — never do that.
+
+## Flow
+
+1. Edit `packages/<name>/default.nix` — bump `version` / `rev` / `tag`. Check for sibling `.nix` files (e.g. `ui.nix`) that may also need bumping.
+2. Get the new `src` hash with **Method A** (`nurl`). If the package uses a custom fetcher, use **Method B** on `.src` instead.
+3. For each dependency hash (`vendorHash` / `npmDepsHash` / `cargoHash` / etc.), use **Method B** on the matching sub-attribute.
+4. **Opaque `outputHash` FODs** (e.g. opencode's `node_modules` which runs `bun install`) — do NOT attempt locally. Leave as-is and flag for CI in the summary.
+5. Show `git diff -- packages/<name>/` and list any hashes left for CI.
+
+## Resolving Tags Without Cloning
+
+```bash
+git ls-remote <url> refs/tags/<tag>
+```
+
+## Don't Touch What Didn't Change
+
+Skip pinned sub-dependencies whose inputs didn't change — e.g. `slack-cli`'s `python-snappy` / `zstd-python` PyPI tarballs are pinned by the upstream `dfindexeddb`, not by the slack-cli rev.
+
+## Optional Shortcut
+
+`nix-update --flake <name> --version <v>` sometimes handles everything for simple packages. Try it first; fall back to the methods above if it fails.

AGENTS.md

@@ -116,3 +116,4 @@ Shared library helpers. `lib/module/default.nix` exports `mkOpt`, `mkBoolOpt`, `
 - **Editing Neovim config (Lua):** Modify files under `modules/home/programs/terminal/nvim/config/lua/`.
 - **Managing secrets:** Edit `.sops.yaml` for key groups, use `sops` CLI to encrypt/decrypt files in `secrets/`.
 - **Building/testing:** `nix build .#packages.<arch>.<name>` for packages, `nix build .#nixosConfigurations.<host>.config.system.build.toplevel` for full system builds.
+- **Bumping a package version / refreshing hashes:** Use the `update-package-hashes` skill at `.pi/skills/update-package-hashes/`.

homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix

@@ -57,6 +57,7 @@ in
     # colima
     docker
     keycastr
+    reichard.slack-cli
     _1password-cli
   ];
 }

modules/home/programs/terminal/git/config/.gitignore

@@ -1,3 +1,4 @@
 _scratch
 .direnv
 .envrc
+.agents

modules/home/programs/terminal/nvim/config/lua/lsp-config.lua

@@ -208,6 +208,7 @@ setup_lsp("gopls", {
 		})
 	end,
 	filetypes = { "go" },
+	cmd = { "gopls", "-remote=auto" },
 	settings = {
 		gopls = {
 			buildFlags = { "-tags=e2e" },

modules/home/programs/terminal/pi/config/AGENTS.md

@@ -42,7 +42,7 @@ write(path="file.txt", content="content")
 
 ### Comment Style
 
-A logical "block" of code (doesn't have to be a scope, but a cohesive group of statements responsible for something) should have a comment above it with a short "title". For example:
+A logical "block" of code (doesn't have to be a scope, but a cohesive group of statements responsible for something) should have a comment above it with a short "title". The title must be in **Title Case**. For example:
 
 ```go
 // Map Component Results

modules/home/programs/terminal/pi/config/extensions/replace-pi-with-claude-code.ts

@@ -2,8 +2,9 @@ import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
 
 export default function replacePiWithClaudeCodeExtension(pi: ExtensionAPI) {
   pi.on("before_agent_start", async (event) => {
+    // Replace "pi" With "claude code" - Exclude Literal ".pi" (e.g. Paths)
     const transformedSystemPrompt = event.systemPrompt.replace(
-      /pi/gi,
+      /(?<!\.)pi/gi,
       "claude code",
     );
 

modules/home/programs/terminal/pi/config/skills/address-gh-review/SKILL.md

@@ -0,0 +1,64 @@
+---
+name: address-gh-review
+description: 'Fetch and address unresolved GitHub PR review comments. Use when user asks to handle PR reviews, address review feedback, mentions "/address-gh-review", or wants to see what reviewers requested. Fetches unresolved threads, presents an actionable summary, and lets the user select which items to address.'
+---
+
+# GitHub PR Review
+
+## Overview
+
+Fetch unresolved review threads from the current PR, consolidate them into actionable items, and address selected items — each as a separate commit.
+
+## Prerequisites
+
+- `gh` CLI authenticated and in a repo with an open PR on the current branch
+- The `git-commit` skill available for committing changes
+
+## Workflow
+
+### 1. Fetch Review Comments
+
+Run the bundled script to get unresolved threads:
+
+```bash
+bash gh_review.sh
+```
+
+If the script fails (no PR, not authenticated, etc.), report the error and stop.
+
+### 2. Consolidate into Actionable Items
+
+Parse the output and group into actionable items. Combine threads that ask for the same change (e.g. multiple reviewers commenting on the same function about the same concern). Keep items separate when they require distinct code changes.
+
+Present a numbered list to the user:
+
+```
+## Unresolved Review Items
+
+1. **src/auth/login.ts:42** — Add rate limiting to prevent brute force attacks (alice-dev)
+2. **src/utils/validators.ts:89** — Use stricter type checking for email validation (bob-coder)
+3. **src/api/users.ts:156** — Add error handling for null responses (alice-dev, charlie-reviewer)
+```
+
+### 3. Ask User for Selection
+
+**Always ask before proceeding.** Prompt the user to select which items to address:
+
+```
+Which items would you like me to address? (e.g. "1,3", "all", or "none")
+```
+
+**Do not proceed until the user responds.** Respect "none" — just stop.
+
+### 4. Address Each Item
+
+For each selected item, in order:
+
+1. Read the relevant file and understand the context around the referenced line
+2. Implement the requested change
+3. Run relevant linting/tests if applicable (e.g. `quicklint`)
+4. Commit using the `git-commit` skill — **one commit per item**
+
+### 5. Summary
+
+After all selected items are addressed, print a brief summary of what was done.

modules/home/programs/terminal/pi/config/skills/address-gh-review/gh_review.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# Fetch unresolved PR review threads, formatted for LLM consumption.
+# Omits diff hunks (the LLM can read files from the repo directly).
+# Groups comments into threads so conversation context is preserved.
+
+set -euo pipefail
+
+err() { echo "error: $1" >&2; exit 1; }
+
+# Verify gh CLI is installed
+command -v gh >/dev/null 2>&1 || err "'gh' CLI not found. Install it from https://cli.github.com"
+
+# Verify we're inside a git repository
+git rev-parse --is-inside-work-tree >/dev/null 2>&1 || err "not inside a git repository"
+
+# Verify the remote is a GitHub repo
+gh repo view --json name -q .name >/dev/null 2>&1 || err "this repo does not appear to be hosted on GitHub"
+
+# Verify we're on a PR branch
+PR_NUM=$(gh pr view --json number -q .number 2>/dev/null) || err "no pull request found for the current branch"
+
+# Fetch current user, repo owner, and repo name
+ME=$(gh api user -q .login 2>/dev/null) || err "failed to fetch GitHub user - are you authenticated? Run 'gh auth login'"
+OWNER=$(gh repo view --json owner -q .owner.login 2>/dev/null) || err "failed to determine repository owner"
+REPO=$(gh repo view --json name -q .name 2>/dev/null) || err "failed to determine repository name"
+
+# Fetch unresolved review threads via GraphQL
+OUTPUT=$(gh api graphql -f query='
+query {
+  repository(owner: "'"$OWNER"'", name: "'"$REPO"'") {
+    pullRequest(number: '"$PR_NUM"') {
+      reviewThreads(first: 100) {
+        nodes {
+          isResolved
+          comments(first: 100) {
+            nodes {
+              author { login }
+              body
+              path
+              line
+            }
+          }
+        }
+      }
+    }
+  }
+}' --jq '
+[
+  .data.repository.pullRequest.reviewThreads.nodes[]
+  | select(.isResolved == false)
+  | {
+      file: .comments.nodes[0].path,
+      line: .comments.nodes[0].line,
+      comments: [
+        .comments.nodes[]
+        | select(.author.login != "'"$ME"'")
+        | {author: .author.login, body: .body}
+      ]
+    }
+  | select(.comments | length > 0)
+]
+| .[]
+| "## \(.file):\(.line)\n\(.comments | map("- **\(.author)**: \(.body)") | join("\n"))\n"
+' 2>/dev/null) || err "GraphQL query failed - check your permissions and token scopes"
+
+# Format output
+if [[ -z "$OUTPUT" ]]; then
+  echo "No unresolved review comments found."
+else
+  echo "$OUTPUT" | sed 's/\\n/\n/g'
+fi

modules/home/programs/terminal/pi/config/skills/git-commit/SKILL.md

@@ -9,12 +9,19 @@ description: 'Execute git commit with conventional commit message analysis, inte
 
 Create standardized, semantic git commits using the Conventional Commits specification. Analyze the actual diff to determine appropriate type, scope, and message.
 
-## Automatic Execution
+## Automatic Execution — CRITICAL
 
-**When invoked, execute the commit immediately without asking for confirmation.** Simply analyze the diff and create the commit. Do not ask "what would you like to do" or wait for further input. Only ask clarifying questions if:
+**When this skill is invoked, EXECUTE THE COMMIT IMMEDIATELY. Do NOT ask for confirmation. Do NOT say "I'm ready" or "let me know when you want to proceed." Do NOT wait for further input. Do NOT acknowledge and then wait.**
-- Nothing is staged or modified
+
-- Changes span multiple unrelated logical groups that should be committed separately
+The skill is invoked when the user says "commit", "do it", "/commit", "make a commit", "create a commit", or any similar phrase. The moment you recognize this intent, analyze the diff and run `git commit`. That's it.
-- Secrets appear to be about to be committed
+
+**Zero prompts. Zero confirmation requests. Zero hand-holding.**
+
+Only skip the commit if:
+- Nothing is staged or modified (say "Nothing to commit" and stop)
+- Secrets appear to be about to be committed (refuse and stop)
+
+For everything else — just commit.
 
 ## Conventional Commit Format
 

modules/home/services/sketchybar/default.nix

@@ -10,7 +10,7 @@ let
   colors = {
     white = "0xddffffff";
     white_dim = "0x99ffffff";
-    bg = "0x20000000";
+    bg = "0x1a808080";
     transparent = "0x00000000";
     green = "0xff8ceb34";
     yellow = "0xffe8d44d";
@@ -48,16 +48,18 @@ let
     sketchybar --default \
       icon.font="$NERD_FONT" \
       icon.color=$COLOR_WHITE \
-      icon.padding_left=$PADDING \
+      icon.padding_left=$(($PADDING + 2)) \
       icon.padding_right=2 \
       label.font="$FONT_FACE:Medium:13.0" \
       label.color=$COLOR_WHITE \
       label.padding_left=2 \
-      label.padding_right=$PADDING \
+      label.padding_right=$(($PADDING + 2)) \
       background.color=$COLOR_BG \
       background.corner_radius=6 \
+      background.clip=0.5 \
       background.height=32 \
       background.padding_left=4 \
+      blur_radius=30 \
       background.padding_right=4
 
     # Right side items (rightmost → leftmost)
@@ -119,7 +121,7 @@ let
           elif [ "$VOL" -ge 30 ]; then
             ICON="󰖀"
           elif [ "$VOL" -gt 0 ]; then
-            ICON=""
+            ICON="󰕿"
           else
             ICON="󰖁"
           fi

modules/nixos/services/llama-swap/config.nix

@@ -124,6 +124,32 @@ in
       };
     };
 
+    # https://huggingface.co/unsloth/Qwen3.6-35B-A3B-GGUF/tree/main
+    "qwen3.6-35b-thinking" = {
+      name = "Qwen3.6 (35B) - Thinking";
+      macros.ctx = "262144";
+      cmd = ''
+        ${llama-cpp}/bin/llama-server \
+          --port ''${PORT} \
+          -m /mnt/ssd/Models/Qwen3.6/Qwen3.6-35B-A3B-UD-IQ4_XS.gguf \
+          -c ''${ctx} \
+          --temp 0.6 \
+          --top-p 0.95 \
+          --top-k 20 \
+          --min-p 0.0 \
+          --presence-penalty 0.0 \
+          --repeat-penalty 1.0 \
+          -dev CUDA0 \
+          -fit off
+      '';
+      metadata = {
+        type = [
+          "text-generation"
+          "coding"
+        ];
+      };
+    };
+
     # https://huggingface.co/bartowski/Qwen_Qwen3.5-27B-GGUF/tree/main
     "qwen3.5-27b-thinking" = {
       name = "Qwen3.5 (27B) - Thinking";

packages/llama-cpp/default.nix

@@ -7,12 +7,12 @@
   vulkanSupport = true;
 }).overrideAttrs
   (oldAttrs: rec {
-    version = "8680";
+    version = "8815";
     src = pkgs.fetchFromGitHub {
       owner = "ggml-org";
       repo = "llama.cpp";
       tag = "b${version}";
-      hash = "sha256-tJCA19BQs0vZc0VjPnbIrh3CJFxyPL6Ne4oIG4gfozw=";
+      hash = "sha256-QJsGBHLdvFfMXZJSk9D76b7v6DP06NaTYztHv41o/CA=";
       leaveDotGit = true;
       postFetch = ''
         git -C "$out" rev-parse --short HEAD > $out/COMMIT
@@ -20,6 +20,11 @@
       '';
     };
 
+    # Add SPIR-V Headers for Vulkan Backend
+    # Newer llama.cpp requires spirv/unified1/spirv.hpp which isn't
+    # pulled in by vulkan-headers alone.
+    buildInputs = (oldAttrs.buildInputs or [ ]) ++ [ pkgs.spirv-headers ];
+
     # Auto CPU Optimizations
     cmakeFlags = (oldAttrs.cmakeFlags or [ ]) ++ [
       "-DGGML_CUDA_ENABLE_UNIFIED_MEMORY=1"

packages/pi-coding-agent/default.nix

@@ -14,16 +14,16 @@
 
 buildNpmPackage rec {
   pname = "pi-coding-agent";
-  version = "0.67.2";
+  version = "0.67.5";
 
   src = fetchFromGitHub {
     owner = "badlogic";
     repo = "pi-mono";
     rev = "v${version}";
-    hash = "sha256-trZOz+8nkuFq/JoW9BTDyqD5kN8WuL2SaxSgb45JdEY=";
+    hash = "sha256-Pw2f/6rKGWzmSdswungerrGrR6i9tUVFNiA4xaNygsQ=";
   };
 
-  npmDepsHash = "sha256-zGCJlF360Neb8OwgjV3VhIlprsoq31p/1fN7VrxGeC8=";
+  npmDepsHash = "sha256-L53UEVQNsLoSkmP9L9AZQ74iThdMFBgtnLaXqZHqBRw=";
 
   nativeBuildInputs = [ pkg-config ];
 

packages/slack-cli/default.nix

@@ -0,0 +1,90 @@
+{ lib
+, fetchgit
+, fetchurl
+, python312
+, snappy
+,
+}:
+
+let
+  pythonPackages = python312.pkgs;
+
+  # ── Python Dependency Overrides ──────────────────────────────
+  #
+  # dfindexeddb pins python-snappy==0.6.1 and zstd==1.5.5.1.
+  # nixpkgs ships newer versions, so we build the exact pins
+  # from PyPI source tarballs.
+
+  python-snappy = pythonPackages.buildPythonPackage rec {
+    pname = "python-snappy";
+    version = "0.6.1";
+    format = "setuptools";
+
+    src = fetchurl {
+      url = "https://files.pythonhosted.org/packages/98/7a/44a24bad98335b2c72e4cadcdecf79f50197d1bab9f22f863a274f104b96/python-snappy-0.6.1.tar.gz";
+      hash = "sha256-tqEHqwYgasxTWdTFYyvZsi1EhwKnmzFpsMYuD7gIuyo=";
+    };
+
+    buildInputs = [ snappy ];
+
+    doCheck = false;
+  };
+
+  zstd-python = pythonPackages.buildPythonPackage rec {
+    pname = "zstd";
+    version = "1.5.5.1";
+    format = "setuptools";
+
+    src = fetchurl {
+      url = "https://files.pythonhosted.org/packages/source/z/zstd/zstd-1.5.5.1.tar.gz";
+      hash = "sha256-HvmAq/Dh4HKwKNLXbvlbR2YyZRyWIlzzC2Gcbu9iVnI=";
+    };
+
+    doCheck = false;
+  };
+
+  dfindexeddb = pythonPackages.buildPythonPackage rec {
+    pname = "dfindexeddb";
+    version = "20260210";
+    format = "setuptools";
+
+    src = fetchurl {
+      url = "https://files.pythonhosted.org/packages/source/d/dfindexeddb/dfindexeddb-20260210.tar.gz";
+      hash = "sha256-4ahEe4Lpoh0oqGR6kI7J1HEGfvKVEzu3qQ+3ykgFd/Y=";
+    };
+
+    propagatedBuildInputs = [
+      python-snappy
+      zstd-python
+    ];
+
+    doCheck = false;
+  };
+
+in
+pythonPackages.buildPythonApplication {
+  pname = "slack-cli";
+  version = "0.1.0";
+  format = "pyproject";
+
+  src = fetchgit {
+    url = "https://gitea.va.reichard.io/evan/slack-cli.git";
+    rev = "0a9484257a2adc414aa4cdab4fb9539a37e04d1f";
+    hash = "sha256-FbzE1yRdVIhmhqrxtT3C/Pomqv8iAjI9ydQGBZr+UgY=";
+  };
+
+  build-system = [ pythonPackages.setuptools ];
+
+  dependencies = [ dfindexeddb ];
+
+  doCheck = false;
+
+  meta = {
+    description = "Read Slack messages from local Chromium IndexedDB cache";
+    homepage = "https://gitea.va.reichard.io/evan/slack-cli";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ evanreichard ];
+    mainProgram = "slack-cli";
+    platforms = lib.platforms.darwin;
+  };
+}

systems/aarch64-darwin/mac-va-mbp-work/default.nix

@@ -32,6 +32,7 @@
     };
     WindowManager = {
       HideDesktop = true;
+      StandardHideDesktopIcons = true;
     };
     finder = {
       CreateDesktop = false;