| author | 2026-05-14 10:58:14 +0100 | |
|---|---|---|
| committer | 2026-05-14 10:58:14 +0100 | |
| commit | db4c6bdcd2af6aa2b95f587974f34c0246f62cb8 (patch) | |
| tree | 5c3c3e981c3a9f3207e849b13f8ae5f86a889560 /remote-dev/home.nix | |
| parent | 26ceab690dff09d5162443b14adccfbe0e9bcd5d (diff) | |
feat(remote-dev): add zoxide/clang-tools/node/uv/AI agents; bring git+ssh; SSH-format signing
home.nix:
- Add zoxide (fixes 'command not found' on shell start), clang-tools
(no compiler driver), nodejs (Mason npm LSPs), uv (Mason python LSPs;
does not install python3 in PATH, so Ubuntu's /usr/bin/python3 stays
the system default), claude-code, github-copilot-cli.
- Refine the leaf-tools policy comment: explicit denylist of build-
toolchain binaries that would shadow Ubuntu's via PATH, plus a
carve-out for editor/AI runtimes (node, uv, clang-tools).
- Symlink ~/.config/git/{config,attributes,ignore} and ~/.ssh/config
from the dotfiles tree.
dot_config/zsh/dot_zshrc: guard direnv/zoxide/fzf inits with
'command -v X >/dev/null &&' so a fresh machine without one of them
no longer prints a stderr error on every shell start.
dot_config/git/config: append unconditional '[include] path =
~/.config/git/config.local' for machine-local overrides (used on the
remote-dev VM to switch to SSH-format signing via the forwarded
agent). Git silently skips missing include files.
remote-dev/README.md: document the update flow (config-only vs HM
rebuild), the single-shell leaf-tools policy, and the one-time VM
setup for SSH-format commit signing (allowed_signers + config.local,
ForwardAgent yes on the host).
Diffstat (limited to 'remote-dev/home.nix')
| -rw-r--r-- | remote-dev/home.nix | 35 |
1 files changed, 32 insertions, 3 deletions
diff --git a/remote-dev/home.nix b/remote-dev/home.nix index a2b9392..184de6b 100644 --- a/remote-dev/home.nix +++ b/remote-dev/home.nix @@ -15,9 +15,19 @@ in home.stateVersion = "25.05"; # ── Packages ──────────────────────────────────────────────────────────────── - # Mirrors the dev-tool subset of `meta/base.txt` on the Arch host. Tools that - # only make sense on a workstation (procs/gdu/duf for sysadmin, lazygit - # unused, node/yarn only needed for markdown-preview on GUI) are excluded. + # Policy: this profile carries leaf CLI tools plus editor/AI-agent + # runtimes (node, uv). It must NEVER carry anything the project build + # might invoke. Forbidden on PATH (would shadow Ubuntu's and break + # builds against the system sysroot/libc): cc, c++, gcc, g++, clang, + # clang++, ld, ld.lld, ar, nm, objcopy, make, cmake, ninja, meson, + # pkg-config, autoconf, automake, libtool, python, python3, pip, + # cargo, rustc, go. If a project needs a newer toolchain, put it in + # a project-local flake.nix + direnv `.envrc`, NOT here. + # + # Allowed runtimes (used only by Mason/editor/AI agents): node, npm, + # npx (via `nodejs`), uv, uvx (via `uv` — does NOT install a python3, + # manages its own interpreters under XDG). clang-tools is allowed + # because it ships only formatters/linters/clangd, no compiler driver. home.packages = with pkgs; [ # Editor + multiplexer neovim @@ -30,6 +40,7 @@ in fzf sd choose + zoxide # Viewers bat @@ -66,6 +77,17 @@ in gnupg pass + # C/C++ source tooling (no compiler driver in PATH) + clang-tools + + # Editor/AI agent runtimes — NOT for project builds (see policy above) + nodejs # Mason npm LSPs; system python3 stays at /usr/bin/python3 + uv # Mason python LSPs in isolated venvs; brings `uv`/`uvx` only + + # AI coding agents + claude-code + github-copilot-cli # NB: pkgs.copilot-cli is AWS Copilot, NOT this + # Zsh and plugins (sourced from $HOME/.nix-profile/share/... by the shared zshrc) zsh zsh-syntax-highlighting 
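Review bot: In the third hunk (`@@ -66,6 +77,17 @@`), `claude-code` and `github-copilot-cli` join a profile that, per the commit description, signs commits through a forwarded SSH agent, and nothing in the added comments records that exposure. Any process running as this user on the VM can ask the forwarded agent for signatures or authentications while the session is connected, and that includes commands these agents run. The `# AI coding agents` comment could say so, e.g. `# AI coding agents: run as this user and can reach $SSH_AUTH_SOCK; add the key on the host with ssh-add -c or use a VM-only signing key`. Separately, `nodejs` and `uv` are there so Mason can fetch LSP servers from npm and PyPI at run time, outside the pinned nixpkgs closure, so a short note on where those versions are pinned would help. The `home.packages` list starts in the first hunk and continues past this one.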
@@ -90,8 +112,15 @@ in "zsh/.zprofile".source = link "dot_config/zsh/dot_zprofile"; "ghostty".source = link "dot_config/ghostty"; # for terminfo refs only "direnv/direnvrc".source = link "dot_config/direnv/direnvrc"; + "git/config".source = link "dot_config/git/config"; + "git/attributes".source = link "dot_config/git/attributes"; + "git/ignore".source = link "dot_config/git/ignore"; }; + # ~/.ssh/config from the dotfiles tree (read-only); keys + known_hosts + # stay machine-local on the VM. + home.file.".ssh/config".source = link "private_dot_ssh/config"; + # ZDOTDIR redirect so login shells find ~/.config/zsh/.zprofile etc. home.file.".zshenv".text = '' export ZDOTDIR="$HOME/.config/zsh" |
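Review bot: The `home.file.".ssh/config"` line puts the workstation's whole SSH client config on the remote-dev VM. `private_dot_ssh/config` is not shown, so check that it sets no `ForwardAgent yes` or similar for hosts reached from the VM, which would pass the forwarded agent on another hop. ssh also refuses a user config that is writable by group or others or owned by another user, and through a symlink that check lands on the target; `link` is defined outside this hunk, so whether the target is a store path or a file in the dotfiles checkout (where the mode follows the checkout's umask) cannot be told from here. I would extend the comment to `# ~/.ssh/config from the dotfiles tree (read-only; target must be owner-only writable and must not enable agent forwarding from the VM); keys + known_hosts stay machine-local on the VM.`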
