feat(home-manager): Add platform compatibility guards to cross-platform roles

Add lib.optionals pkgs.stdenv.isLinux guards to roles that contain
Linux-only packages or services to prevent build failures on Darwin:

- communication: Guard Electron apps (element-desktop, fluffychat,
  nextcloud-talk-desktop) that don't build on Darwin due to electron
  build-from-source limitations
- kdeconnect: Guard entire config block since services.kdeconnect
  requires D-Bus and systemd (Linux-only)
- sync: Guard syncthingtray package (requires Linux system tray)
- email: Guard systemd.user.services/timers (Darwin uses launchd)
- desktop: Guard Linux-only packages, services, and KDE-specific
  configurations including gnome-keyring, systemd services, and
  XDG mime associations

Implements bead: nixos-configs-tcu

.gitignore

@@ -1,2 +1,3 @@
 result
 thoughts
+.beads

flake.lock

@@ -21,6 +21,45 @@
         "type": "github"
       }
     },
+    "doomemacs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767773143,
+        "narHash": "sha256-QL/t9v2kFNxBDyNJb/s411o3mxujan+QX5IZglTdpTk=",
+        "owner": "doomemacs",
+        "repo": "doomemacs",
+        "rev": "3e15fb36d7f94f0a218bda977be4d3f5da983a71",
+        "type": "github"
+      },
+      "original": {
+        "owner": "doomemacs",
+        "repo": "doomemacs",
+        "type": "github"
+      }
+    },
+    "emacs-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-doom-emacs-unstraightened"
+        ],
+        "nixpkgs-stable": [
+          "nix-doom-emacs-unstraightened"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768011937,
+        "narHash": "sha256-SnU2XTo34vwVaijs+4VwcXTNwMWO4nwzzs08N39UagA=",
+        "owner": "nix-community",
+        "repo": "emacs-overlay",
+        "rev": "79abf71d9897cf3b5189f7175cda1b1102abc65c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "emacs-overlay",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -159,6 +198,27 @@
         "type": "github"
       }
     },
+    "nix-doom-emacs-unstraightened": {
+      "inputs": {
+        "doomemacs": "doomemacs",
+        "emacs-overlay": "emacs-overlay",
+        "nixpkgs": [],
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1768034604,
+        "narHash": "sha256-62pIZMvGHhYJmMiiBsxHqZt/dFyENPcFHlJq5NJF3Sw=",
+        "owner": "marienz",
+        "repo": "nix-doom-emacs-unstraightened",
+        "rev": "9b3b8044fe4ccdcbb2d6f733d7dbe4d5feea18bc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "marienz",
+        "repo": "nix-doom-emacs-unstraightened",
+        "type": "github"
+      }
+    },
     "nix-github-actions": {
       "inputs": {
         "nixpkgs": [
@@ -303,6 +363,7 @@
         "home-manager-unstable": "home-manager-unstable",
         "jovian": "jovian",
         "nix-darwin": "nix-darwin",
+        "nix-doom-emacs-unstraightened": "nix-doom-emacs-unstraightened",
         "nixos-wsl": "nixos-wsl",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
@@ -324,6 +385,21 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -47,6 +47,12 @@
       url = "github:steveyegge/beads";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
+
+    nix-doom-emacs-unstraightened = {
+      url = "github:marienz/nix-doom-emacs-unstraightened";
+      # Don't follow nixpkgs to avoid rebuild issues with emacs-overlay
+      inputs.nixpkgs.follows = "";
+    };
   };
 
   outputs = { self, nixpkgs, nixpkgs-unstable, nixos-wsl, ... } @ inputs: let
@@ -70,6 +76,7 @@
         home-manager.useUserPackages = true;
         home-manager.sharedModules = [
           inputs.plasma-manager.homeModules.plasma-manager
+          inputs.nix-doom-emacs-unstraightened.homeModule
         ];
         home-manager.extraSpecialArgs = {
           globalInputs = inputs;
@@ -98,6 +105,7 @@
         home-manager.useUserPackages = true;
         home-manager.sharedModules = [
           inputs.plasma-manager-unstable.homeModules.plasma-manager
+          inputs.nix-doom-emacs-unstraightened.homeModule
         ];
         home-manager.extraSpecialArgs = {
           globalInputs = inputs;
@@ -129,6 +137,9 @@
         ];
         home-manager.useGlobalPkgs = true;
         home-manager.useUserPackages = true;
+        home-manager.sharedModules = [
+          inputs.nix-doom-emacs-unstraightened.homeModule
+        ];
         home-manager.extraSpecialArgs = {
           globalInputs = inputs;
         };

home/home-live-usb.nix

@@ -14,7 +14,12 @@
     desktop.enable = true;
     tmux.enable = true;
     plasma-manager.enable = true;
-    emacs.enable = true;
+    emacs = {
+      enable = true;
+      # Use pre-built Doom Emacs - all packages built at nix build time
+      # This means no doom sync is needed after booting the live USB
+      prebuiltDoom = true;
+    };
     i3_sway.enable = true;
     starship.enable = true;
     # development.enable = false;  # Not needed for live USB

home/roles/communication/default.nix

@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.home.roles.communication;
+  isLinux = pkgs.stdenv.isLinux;
 in
 {
   options.home.roles.communication = {
@@ -12,14 +13,14 @@ in
 
   config = mkIf cfg.enable {
     home.packages = [
-      # Communication apps
+      # For logging back into google chat (cross-platform)
+      globalInputs.google-cookie-retrieval.packages.${system}.default
+    ] ++ optionals isLinux [
+      # Linux-only communication apps (Electron apps don't build on Darwin)
       pkgs.element-desktop
       # Re-enabled in 25.11 after security issues were resolved
       pkgs.fluffychat
       pkgs.nextcloud-talk-desktop
-      
-      # For logging back into google chat
-      globalInputs.google-cookie-retrieval.packages.${system}.default
     ];
   };
 }

home/roles/desktop/default.nix

@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.home.roles.desktop;
+  isLinux = pkgs.stdenv.isLinux;
 in
 {
   options.home.roles.desktop = {
@@ -12,27 +13,29 @@ in
 
   config = mkIf cfg.enable {
     home.packages = with pkgs; [
-      # Desktop applications
+      # Cross-platform desktop applications
       bitwarden-desktop
-      dunst
       keepassxc
+      xdg-utils # XDG utilities for opening files/URLs with default applications
+    ] ++ optionals isLinux [
+      # Linux-only desktop applications
+      dunst
       unstable.ghostty
 
-      # Desktop utilities
+      # Linux-only desktop utilities
       feh # Image viewer and wallpaper setter for X11
       rofi # Application launcher for X11
       solaar # Logitech management software
       waybar
       wofi # Application launcher for Wayland
-      xdg-utils # XDG utilities for opening files/URLs with default applications
 
-      # System utilities with GUI components
+      # Linux-only system utilities with GUI components
       (snapcast.override { pulseaudioSupport = true; })
 
-      # KDE tiling window management
+      # KDE tiling window management (Linux-only)
       kdePackages.krohnkite  # Dynamic tiling extension for KWin 6
 
-      # KDE PIM applications for email, calendar, and contacts
+      # KDE PIM applications for email, calendar, and contacts (Linux-only)
       kdePackages.kmail
       kdePackages.kmail-account-wizard
       kdePackages.kmailtransport
@@ -40,33 +43,33 @@ in
       kdePackages.kaddressbook
       kdePackages.kontact
 
-      # KDE System components needed for proper integration
+      # KDE System components needed for proper integration (Linux-only)
       kdePackages.kded
       kdePackages.systemsettings
       kdePackages.kmenuedit
 
-      # Desktop menu support
+      # Desktop menu support (Linux-only)
       kdePackages.plasma-desktop # Contains applications.menu
 
-      # KDE Online Accounts support
+      # KDE Online Accounts support (Linux-only)
       kdePackages.kaccounts-integration
       kdePackages.kaccounts-providers
       kdePackages.signond
 
-      # KDE Mapping
+      # KDE Mapping (Linux-only)
       kdePackages.marble  # Virtual globe and world atlas
 
-      # KDE Productivity
+      # KDE Productivity (Linux-only)
       kdePackages.kate        # Advanced text editor with syntax highlighting
       kdePackages.okular      # Universal document viewer (PDF, ePub, etc.)
       kdePackages.spectacle   # Screenshot capture utility
       kdePackages.filelight   # Visual disk usage analyzer
 
-      # KDE Multimedia
+      # KDE Multimedia (Linux-only)
       kdePackages.gwenview    # Image viewer and basic editor
       kdePackages.elisa       # Music player
 
-      # KDE System Utilities  
+      # KDE System Utilities (Linux-only)
       kdePackages.ark         # Archive manager (zip, tar, 7z, etc.)
       kdePackages.yakuake     # Drop-down terminal emulator
     ];
@@ -77,12 +80,15 @@ in
 
     programs.spotify-player.enable = true;
 
-    services.gnome-keyring = {
+    # Linux-only: GNOME keyring service
+    services.gnome-keyring = mkIf isLinux {
       enable = true;
     };
 
-    # rbw vault unlock on login and resume from suspend
-    systemd.user.services.rbw-unlock-on-login = {
+    # Linux-only: systemd user services for rbw vault unlock
+    systemd.user.services = mkIf isLinux {
+      # rbw vault unlock on login
+      rbw-unlock-on-login = {
         Unit = {
           Description = "Unlock rbw vault at login";
           After = [ "graphical-session.target" ];
@@ -101,7 +107,8 @@ in
         };
       };
 
-    systemd.user.services.rbw-unlock-on-resume = {
+      # rbw vault unlock on resume from suspend
+      rbw-unlock-on-resume = {
         Unit = {
           Description = "Unlock rbw vault after resume from suspend";
           After = [ "suspend.target" ];
@@ -119,9 +126,10 @@ in
           WantedBy = [ "suspend.target" ];
         };
       };
+    };
 
-    # KDE environment variables for proper integration
-    home.sessionVariables = {
+    # Linux-only: KDE environment variables for proper integration
+    home.sessionVariables = mkIf isLinux {
       QT_QPA_PLATFORMTHEME = "kde";
       KDE_SESSION_VERSION = "6";
     };
@@ -141,13 +149,14 @@ in
           "x-scheme-handler/https" = "firefox.desktop";
         };
         defaultApplications = {
-          # Web browsers
+          # Web browsers (cross-platform)
           "text/html" = "firefox.desktop";
           "x-scheme-handler/http" = "firefox.desktop";
           "x-scheme-handler/https" = "firefox.desktop";
           "x-scheme-handler/about" = "firefox.desktop";
           "x-scheme-handler/unknown" = "firefox.desktop";
-          
+        } // optionalAttrs isLinux {
+          # Linux-only: KDE application associations
           # Documents
           "application/pdf" = "okular.desktop";
           "text/plain" = "kate.desktop";
@@ -190,9 +199,11 @@ in
       };
     };
 
-    # Fix for KDE applications.menu file issue on Plasma 6
+    # Linux-only: Fix for KDE applications.menu file issue on Plasma 6
     # KDE still looks for applications.menu but Plasma 6 renamed it to plasma-applications.menu
-    xdg.configFile."menus/applications.menu".source = "${pkgs.kdePackages.plasma-workspace}/etc/xdg/menus/plasma-applications.menu";
+    xdg.configFile."menus/applications.menu" = mkIf isLinux {
+      source = "${pkgs.kdePackages.plasma-workspace}/etc/xdg/menus/plasma-applications.menu";
+    };
 
     # Note: modules must be imported at top-level home config
   };

home/roles/development/skills/reconcile_beads.md

@@ -23,9 +23,11 @@ bd list --status=in_review
 
 1. **Get the PR URL from bead notes**:
    ```bash
-   bd show [BEAD_ID] --json | jq -r '.notes'
+   bd show [BEAD_ID] --json | jq -r '.[0].notes'
    ```
-   Extract the PR URL (look for lines starting with "PR:" or containing pull request URLs)
+   Note: `bd show --json` returns an array, so use `.[0]` to access the first element.
+   Extract the PR URL (look for lines starting with "PR:" or containing pull request URLs).
+   Extract the PR number: `echo "$NOTES" | grep -oP '/pulls/\K\d+'`
 
 2. **Detect hosting provider**:
    - Run `git remote get-url origin`
@@ -38,9 +40,10 @@ bd list --status=in_review
      ```
    - For Gitea:
      ```bash
-     tea pr view [PR_NUMBER]
+     tea pr list --state=closed
      ```
-     Look for "State: merged" or "State: closed"
+     Look for the PR number in the INDEX column with STATE "merged".
+     Note: `tea pr view [PR_NUMBER]` lists all PRs, not a specific one. Use `tea pr list --state=closed` and look for your PR number in the results.
 
 ### Step 3: Close merged beads
 

home/roles/emacs/default.nix

@@ -23,13 +23,30 @@ let
     if pkgs.stdenv.isDarwin
     then pkgs.emacs-macport.pkgs.withPackages emacsPackages
     else pkgs.emacs.pkgs.withPackages emacsPackages;
+
+  # Path to doom config directory (relative to this file)
+  doomConfigDir = ./doom;
 in
 {
   options.home.roles.emacs = {
     enable = mkEnableOption "Doom Emacs with vterm and tree-sitter support";
+
+    prebuiltDoom = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Use nix-doom-emacs-unstraightened to pre-build all Doom packages at
+        nix build time. This eliminates the need to run `doom sync` after
+        first boot, making it ideal for live USB images or immutable systems.
+
+        When enabled, the doom configuration is read-only (stored in nix store).
+      '';
+    };
   };
 
-  config = mkIf cfg.enable {
+  config = mkIf cfg.enable (mkMerge [
+    # Common configuration for both modes
+    {
       home.packages = [
         pkgs.emacs-all-the-icons-fonts
         pkgs.fira-code
@@ -46,13 +63,16 @@ in
         pkgs.python3
       ];
 
+      fonts.fontconfig.enable = true;
+    }
+
+    # Standard Doom Emacs mode (requires doom sync at runtime)
+    (mkIf (!cfg.prebuiltDoom) {
       programs.emacs = {
         enable = true;
         package = defaultEmacsPackage;
       };
 
-    fonts.fontconfig.enable = true;
-
       # Mount emacs and tree-sitter grammars from nix store
       home.file = {
         "${config.xdg.configHome}/emacs".source = doomEmacs;
@@ -73,5 +93,20 @@ in
         rm -rf "${config.xdg.configHome}/doom"
         ln -sf "${config.home.homeDirectory}/nixos-configs/home/roles/emacs/doom" "${config.xdg.configHome}/doom"
       '';
+    })
+
+    # Pre-built Doom Emacs mode (no doom sync needed - ideal for live USB)
+    (mkIf cfg.prebuiltDoom {
+      programs.doom-emacs = {
+        enable = true;
+        doomDir = doomConfigDir;
+        doomLocalDir = "${config.xdg.dataHome}/doom";
+        # Add extra packages that aren't part of Doom but needed for our config
+        extraPackages = epkgs: [
+          epkgs.vterm
+          epkgs.treesit-grammars.with-all-grammars
+        ];
       };
+    })
+  ]);
 }

home/roles/emacs/doom/packages.el

@@ -51,11 +51,21 @@
 
 ;; (package! org-caldav)
 
+;; Note: Packages with custom recipes must be pinned for nix-doom-emacs-unstraightened
+;; to build deterministically. Update pins when upgrading packages.
+
 (package! gptel :recipe (:nonrecursive t))
 
 (package! claude-code-ide
-  :recipe (:host github :repo "manzaltu/claude-code-ide.el"))
+  :recipe (:host github :repo "manzaltu/claude-code-ide.el")
+  :pin "760240d7f03ff16f90ede9d4f4243cd94f3fed73")
 
 (package! gptel-tool-library
   :recipe (:host github :repo "aard-fi/gptel-tool-library"
-           :files ("*.el")))
+           :files ("*.el"))
+  :pin "baffc3b0d74a2b7cbda0d5cd6dd7726d6ccaca83")
+
+(package! beads
+  :recipe (:type git :repo "https://codeberg.org/ctietze/beads.el.git"
+           :files ("lisp/*.el"))
+  :pin "f40a6461d3c0fa0969311bbb6a1e30d1bba86c88")

home/roles/email/default.nix

@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.home.roles.email;
+  isLinux = pkgs.stdenv.isLinux;
 in
 {
   options.home.roles.email = {
@@ -89,8 +90,9 @@ in
       account default : proton
     '';
 
-    # Systemd service for mail sync
-    systemd.user.services.mbsync = {
+    # Linux-only: Systemd service for mail sync (Darwin uses launchd instead)
+    systemd.user.services = mkIf isLinux {
+      mbsync = {
         Unit = {
           Description = "Mailbox synchronization service";
           After = [ "network-online.target" ];
@@ -104,9 +106,11 @@ in
           StandardError = "journal";
         };
       };
+    };
 
-    # Systemd timer for automatic sync
-    systemd.user.timers.mbsync = {
+    # Linux-only: Systemd timer for automatic sync
+    systemd.user.timers = mkIf isLinux {
+      mbsync = {
         Unit = {
           Description = "Mailbox synchronization timer";
         };
@@ -120,4 +124,5 @@ in
         };
       };
     };
+  };
 }

home/roles/kdeconnect/default.nix

@@ -4,13 +4,15 @@ with lib;
 
 let
   cfg = config.home.roles.kdeconnect;
+  isLinux = pkgs.stdenv.isLinux;
 in
 {
   options.home.roles.kdeconnect = {
     enable = mkEnableOption "Enable KDE Connect for device integration";
   };
 
-  config = mkIf cfg.enable {
+  # KDE Connect services are Linux-only (requires D-Bus and systemd)
+  config = mkIf (cfg.enable && isLinux) {
     services.kdeconnect = {
       enable = true;
       indicator = true;

home/roles/sync/default.nix

@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.home.roles.sync;
+  isLinux = pkgs.stdenv.isLinux;
 in
 {
   options.home.roles.sync = {
@@ -11,9 +12,10 @@ in
   };
 
   config = mkIf cfg.enable {
-    home.packages = with pkgs; [
+    # Linux-only: syncthingtray requires system tray support
+    home.packages = optionals isLinux (with pkgs; [
       syncthingtray
-    ];
+    ]);
 
     services.syncthing = {
       enable = true;