Initial implementation of vault-os

Complete implementation across all 13 phases: - vault-core: types, YAML frontmatter parsing, entity classification, filesystem ops, config, prompt composition, validation, search - vault-watch: filesystem watcher with daemon write filtering, event classification - vault-scheduler: cron engine, process executor, task runner with retry logic and concurrency limiting - vault-api: Axum REST API (15 route modules), WebSocket with broadcast, AI assistant proxy, validation, templates - Dashboard: React + TypeScript + Tailwind v4 with kanban, CodeMirror editor, dynamic view system, AI chat sidebar - Nix flake with dev shell and NixOS module - Graceful shutdown, inotify overflow recovery, tracing instrumentation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 01:21:17 +01:00 · 2026-03-03 01:21:17 +01:00 · f820a72b04
commit f820a72b04
123 changed files with 18288 additions and 0 deletions
--- a/nix/module.nix
+++ b/nix/module.nix
@ -0,0 +1,111 @@
+flake:
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.vault-os;
+in
+{
+  options.services.vault-os = {
+    enable = lib.mkEnableOption "vault-os daemon";
+
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = flake.packages.${pkgs.stdenv.hostPlatform.system}.default;
+      description = "The vault-os package to use.";
+    };
+
+    vaultPath = lib.mkOption {
+      type = lib.types.path;
+      description = "Path to the vault directory.";
+    };
+
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 8080;
+      description = "HTTP port to listen on.";
+    };
+
+    bind = lib.mkOption {
+      type = lib.types.str;
+      default = "127.0.0.1";
+      description = "Address to bind to.";
+    };
+
+    maxParallel = lib.mkOption {
+      type = lib.types.int;
+      default = 4;
+      description = "Maximum parallel agent task executions.";
+    };
+
+    logLevel = lib.mkOption {
+      type = lib.types.str;
+      default = "info";
+      description = "Log level (trace, debug, info, warn, error).";
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "vault-os";
+      description = "User to run vault-os as.";
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = "vault-os";
+      description = "Group to run vault-os as.";
+    };
+
+    environmentFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      description = "Environment file for secrets (API keys, etc).";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.group;
+      home = cfg.vaultPath;
+    };
+
+    users.groups.${cfg.group} = {};
+
+    systemd.services.vault-os = {
+      description = "vault-os daemon";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.group;
+        ExecStart = lib.concatStringsSep " " [
+          "${cfg.package}/bin/vault-os"
+          "--vault ${cfg.vaultPath}"
+          "--port ${toString cfg.port}"
+          "--bind ${cfg.bind}"
+          "--max-parallel ${toString cfg.maxParallel}"
+          "--log-level ${cfg.logLevel}"
+        ];
+        Restart = "on-failure";
+        RestartSec = 5;
+
+        # Hardening
+        NoNewPrivileges = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ReadWritePaths = [ cfg.vaultPath ];
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+      } // lib.optionalAttrs (cfg.environmentFile != null) {
+        EnvironmentFile = cfg.environmentFile;
+      };
+    };
+  };
+}