fix: Two parallel activation paths for llama agents (ENABLE_LLAMA_AGENT vs [agents.X] TOML) (#846)

- Remove ENABLE_LLAMA_AGENT conditional block from docker-compose generation
- Remove legacy agents-llama and agents-llama-all services from docker-compose.yml
- Remove llama bot user creation code (dev-qwen, dev-qwen-nightly) from lib/forge-setup.sh
- Remove FORGE_TOKEN_LLAMA/FORGE_PASS_LLAMA environment variables from .env.example
- Add migration error check that fails when ENABLE_LLAMA_AGENT=1 is found in .env
- Update documentation: remove agents-llama entries from AGENTS.md and lib/AGENTS.md
- Delete docs/agents-llama.md (legacy documentation)
- TOML [agents.X] sections in projects/*.toml is now the canonical activation path

lib/generators.sh

@@ -68,6 +68,10 @@ _get_primary_woodpecker_repo_id() {
 
 # Parse project TOML for local-model agents and emit compose services.
 # Writes service definitions to stdout; caller handles insertion into compose file.
+#
+# This is the canonical activation path for llama-backed agents.
+# The legacy ENABLE_LLAMA_AGENT env flag is removed — its presence in .env
+# triggers a migration error at disinto up time.
 _generate_local_model_services() {
   local compose_file="$1"
   local projects_dir="${FACTORY_ROOT}/projects"
@@ -248,6 +252,10 @@ for name, config in agents.items():
 # **CANONICAL SOURCE**: This generator is the single source of truth for docker-compose.yml.
 # The tracked docker-compose.yml file has been removed. Operators must run 'bin/disinto init'
 # to materialize a working stack on a fresh checkout.
+#
+# Local-model agents are configured via [agents.X] TOML sections in projects/*.toml.
+# The legacy ENABLE_LLAMA_AGENT flag is removed — its presence in .env triggers
+# a migration error at compose generation time.
 _generate_compose_impl() {
   local forge_port="${1:-3000}"
   local use_build="${2:-false}"
@@ -415,130 +423,6 @@ services:
 
 COMPOSEEOF
 
-  # ── Conditional agents-llama block (ENABLE_LLAMA_AGENT=1) ──────────────
-  # Local-Qwen dev agent — gated on ENABLE_LLAMA_AGENT so factories without
-  # a local llama endpoint don't try to start it.  See docs/agents-llama.md.
-  if [ "${ENABLE_LLAMA_AGENT:-0}" = "1" ]; then
-    cat >> "$compose_file" <<'LLAMAEOF'
-
-  agents-llama:
-    build:
-      context: .
-      dockerfile: docker/agents/Dockerfile
-    container_name: disinto-agents-llama
-    restart: unless-stopped
-    security_opt:
-      - apparmor=unconfined
-    volumes:
-      - agent-data:/home/agent/data
-      - project-repos:/home/agent/repos
-      - ${CLAUDE_SHARED_DIR:-/var/lib/disinto/claude-shared}:${CLAUDE_SHARED_DIR:-/var/lib/disinto/claude-shared}
-      - ${CLAUDE_CONFIG_FILE:-${HOME}/.claude.json}:/home/agent/.claude.json:ro
-      - ${CLAUDE_BIN_DIR}:/usr/local/bin/claude:ro
-      - ${AGENT_SSH_DIR:-${HOME}/.ssh}:/home/agent/.ssh:ro
-      - ${SOPS_AGE_DIR:-${HOME}/.config/sops/age}:/home/agent/.config/sops/age:ro
-      - woodpecker-data:/woodpecker-data:ro
-    environment:
-      FORGE_URL: http://forgejo:3000
-      FORGE_REPO: ${FORGE_REPO:-disinto-admin/disinto}
-      FORGE_TOKEN: ${FORGE_TOKEN_LLAMA:-}
-      FORGE_PASS: ${FORGE_PASS_LLAMA:-}
-      FORGE_BOT_USERNAMES: ${FORGE_BOT_USERNAMES:-}
-      WOODPECKER_TOKEN: ${WOODPECKER_TOKEN:-}
-      CLAUDE_TIMEOUT: ${CLAUDE_TIMEOUT:-7200}
-      CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: ${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-1}
-      CLAUDE_AUTOCOMPACT_PCT_OVERRIDE: "60"
-      ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
-      ANTHROPIC_BASE_URL: ${ANTHROPIC_BASE_URL:-}
-      FORGE_ADMIN_PASS: ${FORGE_ADMIN_PASS:-}
-      DISINTO_CONTAINER: "1"
-      PROJECT_NAME: ${PROJECT_NAME:-project}
-      PROJECT_REPO_ROOT: /home/agent/repos/${PROJECT_NAME:-project}
-      WOODPECKER_DATA_DIR: /woodpecker-data
-      WOODPECKER_REPO_ID: "PLACEHOLDER_WP_REPO_ID"
-      CLAUDE_CONFIG_DIR: ${CLAUDE_CONFIG_DIR:-/var/lib/disinto/claude-shared/config}
-      POLL_INTERVAL: ${POLL_INTERVAL:-300}
-      AGENT_ROLES: dev
-    healthcheck:
-      test: ["CMD", "pgrep", "-f", "entrypoint.sh"]
-      interval: 60s
-      timeout: 5s
-      retries: 3
-      start_period: 30s
-    depends_on:
-      forgejo:
-        condition: service_healthy
-    networks:
-      - disinto-net
-
-  agents-llama-all:
-    build:
-      context: .
-      dockerfile: docker/agents/Dockerfile
-    container_name: disinto-agents-llama-all
-    restart: unless-stopped
-    profiles: ["agents-llama-all"]
-    security_opt:
-      - apparmor=unconfined
-    volumes:
-      - agent-data:/home/agent/data
-      - project-repos:/home/agent/repos
-      - ${CLAUDE_SHARED_DIR:-/var/lib/disinto/claude-shared}:${CLAUDE_SHARED_DIR:-/var/lib/disinto/claude-shared}
-      - ${CLAUDE_CONFIG_FILE:-${HOME}/.claude.json}:/home/agent/.claude.json:ro
-      - ${CLAUDE_BIN_DIR}:/usr/local/bin/claude:ro
-      - ${AGENT_SSH_DIR:-${HOME}/.ssh}:/home/agent/.ssh:ro
-      - ${SOPS_AGE_DIR:-${HOME}/.config/sops/age}:/home/agent/.config/sops/age:ro
-      - woodpecker-data:/woodpecker-data:ro
-    environment:
-      FORGE_URL: http://forgejo:3000
-      FORGE_REPO: ${FORGE_REPO:-disinto-admin/disinto}
-      FORGE_TOKEN: ${FORGE_TOKEN_LLAMA:-}
-      FORGE_PASS: ${FORGE_PASS_LLAMA:-}
-      FORGE_REVIEW_TOKEN: ${FORGE_REVIEW_TOKEN:-}
-      FORGE_PLANNER_TOKEN: ${FORGE_PLANNER_TOKEN:-}
-      FORGE_GARDENER_TOKEN: ${FORGE_GARDENER_TOKEN:-}
-      FORGE_VAULT_TOKEN: ${FORGE_VAULT_TOKEN:-}
-      FORGE_SUPERVISOR_TOKEN: ${FORGE_SUPERVISOR_TOKEN:-}
-      FORGE_PREDICTOR_TOKEN: ${FORGE_PREDICTOR_TOKEN:-}
-      FORGE_ARCHITECT_TOKEN: ${FORGE_ARCHITECT_TOKEN:-}
-      FORGE_FILER_TOKEN: ${FORGE_FILER_TOKEN:-}
-      FORGE_BOT_USERNAMES: ${FORGE_BOT_USERNAMES:-}
-      WOODPECKER_TOKEN: ${WOODPECKER_TOKEN:-}
-      CLAUDE_TIMEOUT: ${CLAUDE_TIMEOUT:-7200}
-      CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: ${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-1}
-      CLAUDE_AUTOCOMPACT_PCT_OVERRIDE: "60"
-      CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS: "1"
-      ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
-      ANTHROPIC_BASE_URL: ${ANTHROPIC_BASE_URL:-}
-      FORGE_ADMIN_PASS: ${FORGE_ADMIN_PASS:-}
-      DISINTO_CONTAINER: "1"
-      PROJECT_NAME: ${PROJECT_NAME:-project}
-      PROJECT_REPO_ROOT: /home/agent/repos/${PROJECT_NAME:-project}
-      WOODPECKER_DATA_DIR: /woodpecker-data
-      WOODPECKER_REPO_ID: "PLACEHOLDER_WP_REPO_ID"
-      CLAUDE_CONFIG_DIR: ${CLAUDE_CONFIG_DIR:-/var/lib/disinto/claude-shared/config}
-      POLL_INTERVAL: ${POLL_INTERVAL:-300}
-      GARDENER_INTERVAL: ${GARDENER_INTERVAL:-21600}
-      ARCHITECT_INTERVAL: ${ARCHITECT_INTERVAL:-21600}
-      PLANNER_INTERVAL: ${PLANNER_INTERVAL:-43200}
-      SUPERVISOR_INTERVAL: ${SUPERVISOR_INTERVAL:-1200}
-      AGENT_ROLES: review,dev,gardener,architect,planner,predictor,supervisor
-    healthcheck:
-      test: ["CMD", "pgrep", "-f", "entrypoint.sh"]
-      interval: 60s
-      timeout: 5s
-      retries: 3
-      start_period: 30s
-    depends_on:
-      forgejo:
-        condition: service_healthy
-      woodpecker:
-        condition: service_started
-    networks:
-      - disinto-net
-LLAMAEOF
-  fi
-
   # Resume the rest of the compose file (runner onward)
   cat >> "$compose_file" <<'COMPOSEEOF'
 
@@ -712,6 +596,16 @@ networks:
     driver: bridge
 COMPOSEEOF
 
+  # ── Check for legacy ENABLE_LLAMA_AGENT flag ─────────────────────────
+  # The TOML [agents.X] path is canonical. If ENABLE_LLAMA_AGENT=1 is found
+  # in .env, fail with a migration message.
+  local env_file="${FACTORY_ROOT}/.env"
+  if [ -f "$env_file" ] && grep -q '^ENABLE_LLAMA_AGENT=1$' "$env_file" 2>/dev/null; then
+    echo "Error: ENABLE_LLAMA_AGENT=1 is no longer supported" >&2
+    echo "  Use the [agents.X] TOML path in projects/*.toml instead." >&2
+    exit 1
+  fi
+
   # Patch PROJECT_REPO_ROOT — interpolate PROJECT_NAME at generation time
   # (Docker Compose cannot resolve it; it's a shell variable, not a .env var)
   sed -i "s|\${PROJECT_NAME:-project}|${PROJECT_NAME}|g" "$compose_file"