feat: migrate Henry off local machine to dedicated infrastructure

[jack-nsheaps]

Summary

Henry (ai-agent-henry) currently runs on Nate's local machine. He needs to be moved to dedicated infrastructure ASAP. This issue tracks the migration plan including manual steps, secrets, and CI access.

Current State

• Henry runs locally on the same machine as Jack and Nate
• Uses shared resources (gh keyring, 1Password, filesystem)
• Agent harness is bash-based (bin/agent)

Target State

Henry runs on his own infrastructure (VM, container, or remote session), isolated from Nate's local machine.

Migration Plan

Manual Steps (to be done now, codified in IaC later)

1. Provision compute — VM, container, or remote session for Henry

   • Choose platform (Proxmox VM, Docker, cloud instance)
   • Provision the resource
   • Install base dependencies (git, bun, mise, claude-code)

2. Authentication & Secrets

   • GitHub App installation token for Henry (separate from Jack's)
   • 1Password service account for Henry (or shared with appropriate vault access)
   • GH_CONFIG_DIR isolation so Henry doesn't use Nate's keyring
   • SSH keys for git operations
   • Discord bot token (if Henry needs Discord)
   • Telegram bot token (if Henry needs Telegram)

3. Repository Setup

   • Clone nsheaps/.ai-agent-henry
   • Configure git identity (user.name, user.email)
   • Set up Claude Code plugins (marketplace sync)
   • Configure session-env files

4. Agent Harness

   • Copy/adapt launcher script from Jack's bin/agent
   • Configure tmux session for Henry
   • Set up scheduled tasks (if any)
   • Configure continuation prompts

5. CI Access

   • GitHub Actions workflow dispatch for Henry (PR nsheaps/.ai-agent-henry#9)
   • Ensure Henry can trigger CI in ai-mktpl for reviews
   • Set up any webhook integrations

6. Networking

   • Ensure Henry can reach GitHub API
   • Ensure Henry can reach Discord/Telegram APIs
   • Ensure Henry can reach 1Password Connect (if applicable)

IaC Codification (follow-up)

Each manual step above should eventually be codified in nsheaps/iac:

• Terraform/OpenTofu for compute provisioning
• Ansible/cloud-init for base setup
• Secrets management via 1Password + env injection

Related

• Discord thread: https://discord.com/channels/1490863845252665415/1491497390207799546
• Tilt.dev harness rewrite: https://github.com/nsheaps/agents/issues/118
• Agents monorepo: https://github.com/nsheaps/agents/issues/116
• VM/container orchestration: https://discord.com/channels/1490863845252665415/1491156112173437078
• Agent isolation: https://discord.com/channels/1490863845252665415/1491155869600190676
• Henry repository dispatch PR: https://github.com/nsheaps/.ai-agent-henry/pull/9