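# systemd template unit for the Teleo agents: one instance per agent.
# %i expands to the instance name (the text between "@" and the unit suffix)
# and is handed to agent_runner.py as the --agent value.
# The directives must stay one per line; collapsed onto a single line the
# file is not a valid unit.

[Unit]
Description=Teleo Agent %i
# NOTE(review): network.target only orders this unit after the network stack
# has been started; it does not wait for connectivity. If the agent needs a
# working connection at startup, network-online.target is the usual choice.
# Confirm before changing.
After=network.target
Wants=network.target

[Service]
Type=simple
# Every instance runs under the same unprivileged account, so file
# permissions alone do not separate one agent from another.
User=teleo
Group=teleo
WorkingDirectory=/opt/teleo-eval/telegram

# Touch required paths before startup (prevents namespace crash on missing files)
# NOTE(review): ExecStartPre= commands run inside the same sandbox as
# ExecStart=. A ReadWritePaths= entry that does not exist makes the mount
# namespace setup fail (status 226/NAMESPACE) before this command runs, and
# under ProtectSystem=strict the parent directory is read-only, so touch can
# refresh an existing lock file but cannot create a missing one. If the file
# may be absent, create it at provisioning time (for example via tmpfiles.d)
# and verify the behaviour on the target systemd version.
ExecStartPre=/bin/bash -c 'touch /opt/teleo-eval/workspaces/.main-worktree.lock'

# Validate config before starting (fail fast on bad config)
# NOTE(review): a failing ExecStartPre= also counts as a failure for
# Restart=on-failure, so a bad config is retried every RestartSec= seconds
# rather than stopping the unit. Confirm this is intended.
ExecStartPre=/opt/teleo-eval/pipeline/.venv/bin/python3 /opt/teleo-eval/telegram/agent_runner.py --agent %i --validate
ExecStart=/opt/teleo-eval/pipeline/.venv/bin/python3 /opt/teleo-eval/telegram/agent_runner.py --agent %i

# Restart after an unclean exit, waiting 10 seconds between attempts.
Restart=on-failure
RestartSec=10

# Filesystem protection (Rhea-approved)
# ProtectSystem=strict mounts the whole file system hierarchy read-only for
# this service; only the ReadWritePaths= entries below stay writable.
# NOTE(review): this limits writes only. The service can still read whatever
# the teleo account is permitted to read. Candidates to evaluate with
# "systemd-analyze security": NoNewPrivileges=, PrivateTmp=, ProtectHome=,
# PrivateDevices=. They are not enabled here because their effect on the
# agent has not been tested.
ProtectSystem=strict
ReadWritePaths=/opt/teleo-eval/logs
ReadWritePaths=/opt/teleo-eval/telegram-archives
ReadWritePaths=/opt/teleo-eval/workspaces/main/inbox
ReadWritePaths=/opt/teleo-eval/workspaces/.main-worktree.lock
# NOTE(review): the three database entries are file-level, so each file must
# already exist when the unit starts, and the pipeline directory itself stays
# read-only: SQLite cannot create or remove the -wal/-shm side files there.
# Confirm the database is opened in a mode that tolerates this.
ReadWritePaths=/opt/teleo-eval/pipeline/pipeline.db
ReadWritePaths=/opt/teleo-eval/pipeline/pipeline.db-wal
ReadWritePaths=/opt/teleo-eval/pipeline/pipeline.db-shm

# Agent-specific learnings (all agents share the worktree write path)
# NOTE(review): any instance can therefore modify files that belong to another
# agent under this directory, as well as the shared database above. A
# per-instance path would narrow this if the directory layout allows it.
# TODO confirm.
ReadWritePaths=/opt/teleo-eval/workspaces/main/agents

# Disable Python's output buffering so log lines are emitted as they are
# written.
Environment=PYTHONUNBUFFERED=1

[Install]
WantedBy=multi-user.target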