feat(ai): introduce APM for declarative plugin/skill/MCP management

[nobv]

What

Introduces APM (Agent Package Manager) v0.13.0+ as a new module (modules/ai/apm/) to declaratively manage Claude Code plugins, skills, and MCP servers across machines.

Why

• Reproducibility: lockfile-backed installs (apm install --frozen -g) fail loud on drift, matching Nix's declarative philosophy.
• Multi-machine sync: apm.yml + apm.lock.yaml are git-tracked and shared across macbook / macmini / work.
• Unified management: replaces ad-hoc per-tool installation with a single manifest.

Key changes

New module: modules/ai/apm/

• default.nix — installs apm via Homebrew (tap microsoft/apm), symlinks apm.yml (immutable, nix-store) and apm.lock.yaml (mkOutOfStoreSymlink, write-through).
• apm.yml (name: agent-config, version: 0.0.1) — declares:
  • anthropics/skills (Anthropic official skills bundle)
  • anthropics/claude-plugins-official/plugins/ralph-loop
  • currents-dev/playwright-best-practices-skill
  • shadcn-ui/ui/skills/shadcn
  • vercel-labs/agent-skills/skills/react-best-practices
  • vercel-labs/next-skills/skills/next-best-practices
  • MCP: io.github.github/github-mcp-server (HTTP transport)

Integration into just switch

• just switch now runs darwin-rebuild switch followed by apm install --frozen -g.
• Frozen install is read-only; if the lockfile drifts the just task exits non-zero so the user is told to run just apm-update and commit.
• home.activation is intentionally NOT used so APM sync is observable separately from the Nix activation.

Operational tasks (Justfile)

• just apm-sync — read-only sync (apm install --frozen -g)
• just apm-update — refresh deps and regenerate lockfile (commit the diff)
• just apm-outdated — show updates available
• just apm-audit — drift / integrity check

Related cleanup

• modules/ai/claude-code/settings.json: removed redundant enabledPlugins / extraKnownMarketplaces for anthropic-agent-skills (now APM-managed). claude-mem@thedotmack stays declared because its plugin cannot be installed via APM.
• Picks up the Stop hook ralph-loop registers (tracked via mkOutOfStoreSymlink).

Verification

• nix build .#darwinConfigurations.macbook.system --no-link — passes
• darwin-rebuild switch --flake .#macbook + apm install --frozen -g — both succeed; apm reports Installed 6 APM dependencies and 1 MCP server and Lockfile presence verified.

Rollout plan

Enabled only on macbook in this PR. macmini and work will follow once macbook has soaked.

Open follow-ups (out of scope)

• Pin unpinned dependencies (currently APM warns about unpinned skills).
• io.github.github/github-mcp-server is remote-SSE and fails to install for Codex CLI; harmless (configured for Claude/Gemini).

[nobv]

これ必要なんだけ？

[nobv]

もっと適切な名前があるはず

[nobv]

version は まだ 1.0.0 じゃない
0.0.1 でいい

[nobv]

 # 1. switch でまず ~/.apm/apm.yml を新しい内容に
  just switch
  # (activation で apm install --frozen -g が走るが、新 apm.yml ↔ 古 lockfile
  で必ず失敗するはず → 期待動作)

  # ↑が失敗したら次へ進む。activation の失敗は ~/.apm/apm.yml 自体は更新済みなのでOK

  # 2. lockfile 再生成 (mkOutOfStoreSymlink 経由で dotfiles の apm.lock.yaml に書き戻し)
  apm install -g

  # 3. frozen で再確認
  apm install --frozen -g

  # 4. 結果を共有 → git diff modules/ai/apm/apm.lock.yaml は私が確認

  # 5. もう一度 just switch で activation も成功するか確認
  just switch

このフローはかなり面倒なので activation しない方がいいのでは？

[nobv]

ここは just apm-sync を実行すればいいのでは？