feat: add agent environment config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

README.md

@@ -9,6 +9,7 @@ Tracked files:
 - `agents/AGENTS.md` — shared global personal preferences (agent-agnostic)
 - `agents/AGENTS-claude.md` — Claude Code wrapper (`@AGENTS.md` + `@~/.claude/RTK.md`)
 - `agents/AGENTS-opencode.md` — OpenCode wrapper (`@AGENTS.md`)
+- `claude/statusline-command.sh` — Claude Code statusline (dir, branch, model, thinking, rate limits)
 
 This repo is intentionally small. Machine-specific setup stays local unless explicitly promoted into shared config later.
 
@@ -25,6 +26,7 @@ source "$HOME/Projekte/dotfiles/.zshrc"
 ```zsh
 ln -s "$HOME/Projekte/dotfiles/agents/AGENTS-claude.md"        ~/.claude/CLAUDE.md
 ln -s "$HOME/Projekte/dotfiles/agents/AGENTS-opencode.md"      ~/.config/opencode/AGENTS.md
+ln -s "$HOME/Projekte/dotfiles/claude/statusline-command.sh"   ~/.claude/statusline-command.sh
 ```
 
 The wrappers `@`-include the shared base `agents/AGENTS.md`; add agent-specific content directly in the wrapper file.

agents/.env.agents

@@ -0,0 +1,41 @@
+# influxdb
+export INFLUXDB_READ_TOKEN="op://24ylu7osc22gtdcoic6rgjsp2m/mdrtosjm42btdrhejoo4eg4mmu/password"
+export INFLUXDB_URL="op://24ylu7osc22gtdcoic6rgjsp2m/mdrtosjm42btdrhejoo4eg4mmu/url"
+export INFLUXDB_ORG="op://24ylu7osc22gtdcoic6rgjsp2m/mdrtosjm42btdrhejoo4eg4mmu/org"
+# bigquery
+export BIGQUERY_SERVICE_ACCOUNT_JSON="op://24ylu7osc22gtdcoic6rgjsp2m/bjyiugpg4gzruvskxjita6eutm/martin-wiegand-ai-50f35be6b554.json"
+export BIGQUERY_PROJECT_ID="op://24ylu7osc22gtdcoic6rgjsp2m/bjyiugpg4gzruvskxjita6eutm/project"
+# agents guide
+export AGENTS_GUID_TOKEN="op://24ylu7osc22gtdcoic6rgjsp2m/qzwjz73g2evbot5xqqnqtc7tiy/password"
+# icinga
+export ICINGA_BASE_URL="op://24ylu7osc22gtdcoic6rgjsp2m/stoktfjxvifslqwguhrpmprcwe/url"
+export ICINGA_USER="op://24ylu7osc22gtdcoic6rgjsp2m/stoktfjxvifslqwguhrpmprcwe/username"
+export ICINGA_API_PASSWORD="op://24ylu7osc22gtdcoic6rgjsp2m/stoktfjxvifslqwguhrpmprcwe/password"
+# grafana
+export GRAFANA_URL="op://24ylu7osc22gtdcoic6rgjsp2m/jwgq6zd77be4kwvk76q7lskc6i/url"
+export GRAFANA_READ_TOKEN="op://24ylu7osc22gtdcoic6rgjsp2m/jwgq6zd77be4kwvk76q7lskc6i/password"
+# ionos
+export IONOS_API_TOKEN="op://24ylu7osc22gtdcoic6rgjsp2m/c67ygbr54xsxblxgnoljeawbse/password"
+# swift
+export SWIFT3_TOKEN="op://24ylu7osc22gtdcoic6rgjsp2m/uigw4g52gkd6ocmzeeqi4fk2wu/password"
+# bitbucket dc
+export BITBUCKET_DC_PAT="op://24ylu7osc22gtdcoic6rgjsp2m/wipkwb7pmc2xyuq5vibywhqvpi/credential"
+# atlassian cloud
+export ATLASSIAN_CLOUD_PAT="op://24ylu7osc22gtdcoic6rgjsp2m/ywanqqqcviwqyoeoxa6g2au5ki/credential"
+# n8n prod
+# "mcp": {
+#   "n8n-seibert": {
+#     "type": "local",
+#     "command": [
+#       "npx",
+#       "-y",
+#       "n8n-mcp"
+#     ],
+#     "environment": {
+#       "N8N_API_KEY": "{env:N8N_SEIBERT_API_KEY}",
+#       "N8N_API_URL": "{env:N8N_SEIBERT_API_URL}"
+#     }
+#   }
+# }
+export N8N_SEIBERT_API_URL="op://24ylu7osc22gtdcoic6rgjsp2m/qbkhrul2lm7uxy4kjqjpt5eoju/url"
+export N8N_SEIBERT_API_KEY="op://24ylu7osc22gtdcoic6rgjsp2m/qbkhrul2lm7uxy4kjqjpt5eoju/credential"

agents/AGENTS.md

@@ -14,6 +14,17 @@
   project's `AGENTS.md` / `CLAUDE.md` specifies a different directory,
   that wins.
 
+## Sandbox
+
+- **Always run commands sandboxed first.** Only use `dangerouslyDisableSandbox: true` as a last resort after a sandbox-related failure — never preemptively.
+- **On sandbox failure:** analyze the error message for the blocked path, then suggest adding it to `sandbox.filesystem.allowWrite` in `~/.claude/settings.json`. Only fall back to `dangerouslyDisableSandbox: true` if the path can't be determined or the user prefers it.
+
+## Temporary Files
+
+- **Use `$TMPDIR` or `.tmp/` (project-local) for temporary files.** Never use `/tmp` directly or paths like `/Library/Application Support` — those are not in the sandbox allowlist and trigger permission prompts.
+- `$TMPDIR` is set by the sandbox to a writable path. `.tmp/` inside the project directory is always writable without prompts.
+- Ensure `.tmp/` is listed in `.gitignore` when creating temp files in a tracked repo.
+
 ## Tooling
 
 - **`ccc` for semantic code search.** Repos containing a

claude/statusline-command.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+input=$(cat)
+cwd=$(echo "$input" | jq -r '.workspace.current_dir // .cwd')
+dir=$(basename "$cwd")
+model=$(echo "$input" | jq -r '.model.display_name // ""')
+
+# Git branch (skip optional locks)
+branch=$(git -C "$cwd" symbolic-ref --quiet --short HEAD 2>/dev/null)
+
+# Context usage
+used=$(echo "$input" | jq -r '.context_window.used_percentage // empty')
+
+# Rate limits
+rl_5h=$(echo "$input" | jq -r '.rate_limits.five_hour.used_percentage // empty')
+rl_7d=$(echo "$input" | jq -r '.rate_limits.seven_day.used_percentage // empty')
+
+# Thinking / effort
+thinking=$(echo "$input" | jq -r '.thinking.enabled // empty')
+effort=$(echo "$input" | jq -r '.effort.level // empty')
+
+# Build dim suffix
+dim=""
+[[ -n "$branch" ]]          && dim="$dim ($branch)"
+[[ -n "$model" ]]           && dim="$dim $model"
+[[ -n "$effort" ]]          && dim="$dim $effort"
+[[ -n "$used" ]]            && dim="$dim $(printf '%.0f%%' "$used")"
+
+usage=""
+[[ -n "$rl_5h" ]]  && usage="$usage $(printf '%.0f%%/5h' "$rl_5h")"
+[[ -n "$rl_7d" ]]  && usage="$usage $(printf '%.0f%%/7d' "$rl_7d")"
+[[ -n "$usage" ]]   && dim="$dim -$usage"
+
+printf '\033[1m%s\033[0m\033[2m%s\033[0m\n' "$dir" "$dim"