init

docs/machine-audit.md

@@ -0,0 +1,255 @@
+# Machine Audit
+
+This is the baseline inventory used to seed the first pass of this Nix config.
+
+## Host Summary
+
+- Machine: `hari-macbook-pro`
+- Hostname: `hari-macbook-pro.local`
+- Platform: `arm64-darwin`
+- OS: macOS `26.3` (`25D5112c`)
+- Nix: `2.34.1`
+- `darwin-rebuild`: not installed yet
+
+## Filesystem Roots Checked
+
+Top-level roots on `/`:
+
+- `Applications`
+- `Library`
+- `System`
+- `Users`
+- `nix`
+- `opt`
+- `private`
+- `usr`
+
+Large user-owned roots spotted during audit:
+
+- `/Users/rathi`
+- `/Users/rathi/Documents`
+- `/Users/rathi/Library`
+- `/Users/rathi/.config`
+- `/Users/rathi/.local`
+- `/opt/homebrew`
+
+## Live Dotfiles Source Of Truth
+
+The live machine is wired to `~/dots`, not `~/Documents/GitHub/dots`.
+
+Confirmed symlinks:
+
+- `~/.gitconfig -> ~/dots/git/.gitconfig`
+- `~/.zshrc -> ~/dots/zsh/.zshrc`
+
+There is also a duplicate clone at `~/Documents/GitHub/dots`. Content matched during the audit, but the active machine points at `~/dots`.
+
+## Homebrew Inventory
+
+This repo currently mirrors the top-level Homebrew inventory rather than every transitive dependency.
+
+### Taps
+
+- `daytonaio/tap`
+- `getcompanion-ai/tap`
+- `hashicorp/tap`
+- `homebrew/services`
+- `humanlayer/humanlayer`
+- `jnsahaj/lumen`
+- `nicosuave/tap`
+- `nikitabobko/tap`
+- `opencode-ai/tap`
+- `pantsbuild/tap`
+- `pipedreamhq/pd-cli`
+- `steipete/tap`
+- `stripe/stripe-cli`
+- `supabase/tap`
+- `tallesborges/zdx`
+- `withgraphite/tap`
+
+### Brew Leaves
+
+The current leaves were captured into [`modules/homebrew.nix`](../modules/homebrew.nix). A few noteworthy details:
+
+- `python@3.13` was installed but `link: false` in the generated Brewfile
+- `withgraphite/tap/graphite` was also `link: false`
+- Go tools and one cargo tool were present in the Brewfile but are not yet expressed in the Nix module
+- VS Code extension `anthropic.claude-code` was also present in the Brewfile and is not yet managed here
+
+### Casks
+
+Current casks were also captured into [`modules/homebrew.nix`](../modules/homebrew.nix), including:
+
+- `aerospace`
+- `codex`
+- `companion`
+- `gcloud-cli`
+- `ghostty@tip`
+- `warp`
+- `virtualbox`
+
+### Brew Services
+
+Installed but not currently running:
+
+- `cloudflared`
+- `postgresql@14`
+- `postgresql@16`
+- `postgresql@17`
+- `redis`
+- `tailscale`
+- `unbound`
+
+## Apps Outside Current Brew Casks
+
+The following apps were present in `/Applications` but did not match the current cask inventory during a rough audit, so they should be reviewed separately:
+
+- `Amphetamine.app`
+- `Cap.app`
+- `ChatGPT.app`
+- `Claude.app`
+- `Cluely.app`
+- `Conductor.app`
+- `Dia.app`
+- `Docker.app`
+- `Granola.app`
+- `Helium.app`
+- `Karabiner-Elements.app`
+- `Karabiner-EventViewer.app`
+- `Klack.app`
+- `Numbers.app`
+- `PastePal.app`
+- `Raycast.app`
+- `Readout.app`
+- `Rectangle.app`
+- `Safari.app`
+- `Screen Studio.app`
+- `Signal.app`
+- `Tailscale.app`
+- `Telegram.app`
+- `Typora.app`
+- `Wispr Flow.app`
+- `Zen.app`
+- `kitty.app`
+- `logioptionsplus.app`
+
+Some of these may belong in:
+
+- Mac App Store
+- direct DMG installers
+- manual vendor installers
+- future Homebrew casks that were not part of the current audit
+
+## Launch Agents Found
+
+These are current launch agents worth deciding on explicitly:
+
+- `com.nanoclaw.plist`
+- `com.thread-view.collector.plist`
+- `com.thread-view.ngrok.plist`
+- `pi.plist`
+- `homebrew.mxcl.postgresql@16.plist`
+- `org.virtualbox.vboxwebsrv.plist`
+- Google updater agents
+- iMazing mini agent
+
+These are not yet represented in Nix.
+
+## Config Directories Found
+
+Notable user config roots under `~/.config`:
+
+- `agents`
+- `amp`
+- `gcloud`
+- `gh`
+- `gh-dash`
+- `ghostty`
+- `git`
+- `graphite`
+- `k9s`
+- `karabiner`
+- `kitty`
+- `nanoclaw`
+- `opencode`
+- `raycast`
+- `rpi`
+- `stripe`
+- `tmux`
+- `worktrunk`
+- `zed`
+
+Notable app state under `~/Library/Application Support`:
+
+- `Claude`
+- `Codex`
+- `Code`
+- `Cursor`
+- `Docker Desktop`
+- `Ghostty`
+- `Google`
+- `LogiOptionsPlus`
+- `OpenAI`
+- `Raycast`
+- `Screen Studio`
+- `Signal`
+- `Slack`
+- `Telegram Desktop`
+- `Warp`
+- `Zed`
+
+These paths are exactly why the first config keeps Homebrew and dotfile migration conservative.
+
+## Codebase Summary
+
+Code roots found:
+
+- `~/Documents/GitHub` with `108` repos
+- `~/code/symphony-workspaces`
+- `~/dev/diffs.nvim`
+
+Repo manifest counts under `~/Documents/GitHub`:
+
+- `package.json`: `56`
+- `pnpm-workspace.yaml`: `7`
+- `turbo.json`: `5`
+- `pyproject.toml`: `6`
+- `requirements.txt`: `7`
+- `go.mod`: `3`
+- `Cargo.toml`: `4`
+- `flake.nix`: `4`
+- `Dockerfile`: `10`
+- `docker-compose.yml`: `7`
+
+Practical implication:
+
+- JavaScript/TypeScript is the dominant toolchain
+- Python is the second major toolchain
+- Go and Rust are both active enough to be first-class system runtimes
+- Docker and local infra tooling belong in the baseline machine config
+
+## Migration Boundaries
+
+Safe to move into Nix now:
+
+- core CLI packages
+- current Homebrew taps, brews, and casks
+- dotfiles already living in `~/dots`
+- basic macOS defaults
+
+Should stay manual or secret-managed for now:
+
+- `~/.secrets`
+- `~/.npmrc`
+- `~/.yarnrc`
+- cloud credentials and tokens under `~/.config`
+- app-internal state in `~/Library/Application Support`
+- custom launch agents until they are rewritten declaratively
+
+Recommended next steps:
+
+1. Switch this host once with cleanup disabled.
+2. Translate `git`, `zsh`, and `ghostty` from raw symlinks into pure Home Manager modules.
+3. Decide whether `~/dots` should remain the source of truth or be folded into this repo.
+4. Capture secrets explicitly instead of relying on ad hoc local files.
+5. Review the unmanaged `/Applications` set and choose Homebrew cask, App Store, or manual buckets for each.