v2.0.0

Breaking: keybindings realigned. The zsh file-picker moved off `Ctrl+F` to `Ctrl+T`, and the cross-shell keys were settled fleet-wide: `Ctrl+E` atuin TUI, `Ctrl+R` quick fzf history, `Ctrl+G` jump-to-session (navi dropped its `Ctrl+G` widget for the `navi` command), `Alt+Z` zoxide jump. Update muscle memory and re-source your shell (or restart it) after the next `make sync`. This is the breaking change that makes this release 2.0.0 rather than a 1.x bump; everything else below is additive or a fix.
Changed

- `/freshness-triage` now covers the CLI tool pins. The routine reviewed zsh/nvim/actions bumps but said nothing about `scripts/tool-versions.env`, the one bump class that also needs `make update-tool-checksums` to refresh its `*_SHA256`. Added a section so a `*_VERSION` change without its checksum is flagged Hold (the audit only checks that the hash is present, not that it is correct, so a stale hash otherwise fails late at the action's `sha256sum -c` in CI). Routine-doc only; no code change.
- Cross-shell keybindings aligned (PARITY.md decisions resolved). The four open parity decisions are settled and implemented on both shells: Ctrl+T = file picker (zsh moved off Ctrl+F), Ctrl+E = atuin TUI / Ctrl+R = quick fzf history, Ctrl+G = jump-to-session everywhere (zsh sesh; the host gets a psmux sessionizer, with navi demoted from its Ctrl+G widget to the `navi` command), and Alt+Z = zoxide jump + `gaf`/`grf`/`grsf` fuzzy git staging ported to pwsh. Core's functional change is the file-picker rebind (`zsh/bindings.zsh`: Ctrl+F → Ctrl+T), with the announced key updated everywhere it appears (the `zsh/fzf.zsh` warning + comments, the `core-help` cheat row in `zsh/functions.zsh`, `tmux/scripts/tmux-cheat.sh`, `README.md`, and the `test-core.sh` assertions); the pwsh half lands in dotfiles-Windows. The six rows moved to `aligned` (file-picker, atuin, dir-jump, session-picker, fuzzy-git, cheat) are each enforced by a `scripts/parity-check.sh` needle. `make audit` + `make parity-check` green.
- `bootstrap-lib.sh` gains opt-in dry-run + tallies (`lib/bootstrap-lib.sh`). The shared provisioning scaffold now honors `BLIB_DRY=1`: `blib_link`/`blib_seed`/`blib_link_core`/`blib_write_zshrc_loader`/`blib_set_login_shell` PRINT what they would do and change nothing; every mutation (symlink, backup, seed copy, chmod, the tpm clone, the ssh perms, the `.zshrc` write, the `chsh`) is guarded, so an OS bootstrap's `--dry-run` can preview the whole plan instead of each repo hand-rolling it. `blib_link` also gained an idempotent already-correct-link no-op and a missing-source skip; the two inline git/sesh seed blocks are unified into a new `blib_seed`; `BLIB_*` counters + `blib_wire_summary` give a "N linked · M seeded · K backed up" footer. Backward compatible: `BLIB_DRY` defaults off and the non-dry path is byte-for-byte the prior behaviour, so the already-adopted Fedora/Arch/Alpine/openSUSE/Gentoo/Kali bootstraps are unaffected. This unblocks MacBook adopting the shared scaffold without losing its `--dry-run`. Verified: a dry run creates zero files; a real run wires all 25 links + 2 seeds; a re-run backs up nothing.
- De-forked `update.zsh`'s per-shell path (`zsh/update.zsh`). The throttle check and the upgrade nudge ran `date +%s` once and `sed -n Np` twice on every interactive shell, three subprocess spawns (~1.7 ms each, measured) on the critical path before the first prompt: the exact fork tax this stack's cached inits + deferred plugins exist to avoid. Replaced with zsh builtins: `$EPOCHSECONDS` (a `zsh/datetime` param) for the clock and `$(<file)` + `${(f)…}` for the two-line cache read, removing all three forks (~5 ms off a warm shell) with byte-identical behaviour and a `date` fallback if the module is unavailable. Profiled with `make profile`; the `_pkgup_*` parse + nudge unit tests are unchanged and green. (A profile-led pivot: caching `tools.zsh`'s `command -v` probes was measured and rejected as not worth the footgun; it saves only ~1.8 ms total, and a stale cache could hide a newly-installed tool.)
- Dropped dotfiles-Debian from the documented fleet. The Debian OS-native repo was only ever planned, never created, and is no longer being pursued, so the fleet docs that named it as a real target were ahead of reality. Removed it from the OS-native repo lists (`README.md`, `CLAUDE.md`, `CONTRIBUTING.md`, `SECURITY.md`, `PORTING-MATRIX.md`), reframed it in `scripts/os-repos.txt` from "planned" to a documented permanent absence (so it is not re-added), and dropped it from the `claude-routines` fleet-clone loop. This also reconciles the "nine-repo system" / "seven vendoring OS repos" counts, which the phantom Debian entry had thrown off by one. Debian distro-family facts (the `bat` → `batcat` / `fd` → `fdfind` renames, Kali being Debian-family) are unaffected and retained.
- Hardened the Track B module selector (`lib/bootstrap-lib.sh`): two fixes from review of the fan-out PRs. `blib_select` now fails fast on an unknown flag (a `*)` arm warns + `exit 1` instead of silently falling through without recording a selection, so a caller typo can't make filtering appear to "work" while wiring everything). And `blib_selected_note` now mirrors `blib_want`'s precedence: since `--only` is an allowlist that wins when set, a co-present `--skip` is ignored, so the note reports a single active mode (`only` when set, otherwise `skip`) rather than appending a misleading `(skipped: …)` suffix that was never applied. Backward compatible: the single-selector and no-selector paths are unchanged. `test-core.sh` Section G gains an unknown-flag rejection case, a `--skip`/both-set precedence check on the note, and a `BLIB_MODULES` drift guard pinning the production group list to the tested oracle. `make audit` green.
Added

- Auto-published GitHub Releases on tag push (`.github/workflows/release.yml`). Pushing a `vX.Y.Z` tag now publishes the GitHub Release automatically, finishing the `make release … && make tag PUSH=1` path. The Release body is the curated `CHANGELOG.md` section for that version (not a git-cliff commit digest; CHANGELOG is the source-of-truth prose), and the job refuses to publish unless the tag is a clean SemVer that matches `core.version` at the tagged commit and the section exists. Uses the built-in `GITHUB_TOKEN` via the preinstalled `gh` CLI: no PAT, no third-party action. Re-running updates the existing Release's notes idempotently. Also refreshed `cliff.toml`'s header (the repo DOES git-tag now) and `RELEASE-STRATEGY.md` (§5 checklist + §6) to match.
- Release-automation: the three gaps `RELEASE-STRATEGY.md` flagged are now wired. (1) `sync-core.sh` stamps a `core_tag` field (`git describe` of the vendored commit) into each OS repo's `core.lock`, and `fleet-drift.sh` shows it in the `RECORDED` column, so the drift dashboard speaks in named releases, not just SHAs (the SHA still drives the verdict; the tag is display only, and the line is emitted only once Core actually carries a tag, keeping `core.lock` byte-identical to today until the first release). (2) A new `audit-arch` leg in `ci.yml` runs the shell-scope audit inside `archlinux:latest` (rolling glibc toolchain, newer than Ubuntu LTS), mirroring the existing `audit-alpine` (musl/busybox) leg, so Core is proven on both named container userlands before a tag. (3) `scripts/tag-release.sh` + `make tag` finish a release: commit `core.version` + CHANGELOG, create the annotated `vX.Y.Z` tag, re-run the audit gate; pushing is opt-in (`make tag PUSH=1`). `make release VERSION=X.Y.Z && make tag` is now the whole cut end to end.
- `RELEASE-STRATEGY.md`: the cadence, tagging, and rollout policy. The repo shipped all the release machinery (`core.version`, `scripts/release.sh`, the `sync-core.sh` fan-out gate, `core.lock` provenance, the Monday freshness/drift bots) but no documented policy tying it together. The new doc adds that: Core as the sole versioned unit, a three-track cadence (continuous / weekly pin bumps / monthly + security tags), SemVer mapped to host blast-radius, why the three-layer subtree model beats `common/`-plus-conditionals, and a canary-first staged rollout so a Core release reaches one OS before all eight. Registered in the audit's `META_ALLOWLIST`. Docs-only; no behavioral change.
- dotfiles-Defense joins the fleet as the defensive (blue) Role. The three-layer model always had room for a second Role beside dotfiles-Kali; defender-authored capability (Sigma rules, Sysmon baselines, Zeek/Suricata tuning, SIEM content, the hunt/triage workflow, a Dockerized detection lab) now has its own repo instead of living as attack-paired notes in Kali's `PURPLE-TEAM.md`. Core is vendored into it like any OS/Role repo, so the fleet grows: nine → ten config repos, eight → nine machine repos, seven → eight Core-vendoring targets. This sync carries the count + Role-layer wording updates fleet-wide (`README.md`, `CLAUDE.md`, `ARCHITECTURE.md`, `SECURITY.md`, `CONTRIBUTING.md`, the issue templates) and adds dotfiles-Defense to `scripts/os-repos.txt` so `sync-core.sh` fans Core into it. Docs/data only; no behavioral change to Core.
- `bootstrap-lib.sh` gains `--only`/`--skip` module selection (`lib/bootstrap-lib.sh`). The shared scaffold can now wire a SUBSET of the Core groups: `zsh nvim tmux git prompt tools`. New `blib_select <--only|--skip> <csv>` (validates a comma-separated selector: empty / leading / trailing / doubled commas and unknown groups all abort), `blib_want <group>` (consulted by `blib_link_core`, `blib_link_os_layer`, `blib_write_zshrc_loader`, `blib_set_login_shell`), and `blib_selected_note` for a summary suffix. Each OS overlay rides with its Core group (`os.zsh` → zsh, `os.conf` → tmux, `os.gitconfig` → git). This is the Core half of the dotfiles-web Bootstrap Command Generator's "Track B"; each OS `bootstrap.sh` just routes its `--only`/`--skip` here. Backward compatible: with neither selector set everything is wired exactly as before, so every existing caller is unaffected. `make audit` green.
- `gsync` upstream-sync shortcut (`.bin/sync-upstream.sh`, `zsh/aliases.zsh`): a one-word alias that `git subtree push`es an OS repo's vendored `core/` subtree back upstream to dotfiles-core (main), the prefix that matches the registered `core/` → root@main subtree boundary. The runner refuses to run unless a `core/` subtree is present (so it no-ops in dotfiles-core, the source of truth) and bails on a dirty working tree. The alias resolves the script relative to the sourced module via the `${(%):-%x}` trick (the same one `maint.zsh` uses), so the shortcut survives the `core/` subtree vendoring without putting `.bin` on `PATH`. Registered in `core.manifest`.
- `ARCHITECTURE.md`, a strategic architecture overview covering the three-layer model and its boundary test, the full fleet map (which repos vendor `core/` and which don't), the one-directional subtree vendoring topology, the load-bearing zsh load order, the audit gate, and the rationale for the model. Sits above `README.md`/`CONTRIBUTING.md` (which stay operational) and cross-references them. Added to the audit's repo-meta allowlist; it is docs, not shipped Core.
- `parity-check` gate (`scripts/parity-check.sh`, `make parity-check`, weekly `.github/workflows/parity-check.yml`) mechanises the `aligned` rows of `PARITY.md`: it asserts that a distinctive needle (starship/zoxide/atuin init, the fzf tokyonight palette, the `fd` default command) is present in both a zsh source and the pwsh source, failing when one side drifts. Reads pwsh from a sibling dotfiles-Windows checkout (skipped with a notice if absent, unless `--strict`; the workflow clones it and runs `--strict`), the same cross-repo pattern as `fleet-drift.sh`. The fzf-palette row is the regression guard for the parity fix just shipped; keybinding rows join the checker as each open decision is made. `make audit` green.
- `PARITY.md`, the cross-shell parity contract: the source of truth for what "the same on zsh and PowerShell" means, mapping every prompt/alias/keybinding/function capability to `aligned` (must stay in step), `deliberate` (intentional platform difference), or `gap` (open item). Makes the WSL-zsh vs Windows-pwsh divergences a documented decision instead of silent drift, and names the open decisions (the `Ctrl+G` sesh-vs-navi collision, the file-picker key, the atuin key, the `gaf`/`grf`/`grsf` + `Alt+Z` ports). Paired with a same-change fix that brings the fzf tokyonight-storm palette to pwsh (dotfiles-Windows `powershell/core/10-tools.ps1`), which previously fell back to terminal-default colours: the first `aligned` row closed. A future `scripts/parity-check.sh` can mechanise the `aligned` rows the way `fleet-drift.sh` mechanised provenance.
- `core/` edit guard (`blib_install_core_guard` in `lib/bootstrap-lib.sh`, wired into `scripts/sync-core.sh`): a local `pre-commit` hook that refuses commits touching the vendored `core/` subtree, turning the prose rule "never hand-edit `core/`" into a mechanical block. Motivated by a real incident: an upstream "Lazy lock update" edited a vendored `core/nvim/lazy-lock.json` directly, drifting it from canonical Core. `sync-core.sh` now (re)installs the hook into every repo it fans out to (so the protection lands on the maintainer's machine, where the edit happens) and exempts its own legitimate subtree writes via `DOTFILES_ALLOW_CORE_EDIT=1`; a one-off bypass is the standard `git commit --no-verify`. Idempotent and non-destructive: it never clobbers a pre-existing unrelated `pre-commit` hook. Covered by hermetic git tests in `scripts/test-core.sh`. (Wiring it into each OS `bootstrap.sh` for fresh clones rides along with the pending `bootstrap-lib.sh` adoption.)
- Fleet-drift check (`scripts/fleet-drift.sh`, `make fleet-drift`, and a weekly `.github/workflows/fleet-drift.yml`) reads every OS repo's `core.lock` (`core_sha=…`) plus dotfiles-Windows's `nvim/.core-ref` (`commit = …`) and reports which repos lag Core's tip (BEHIND/AHEAD/DIVERGED, quantified in commits). Closes the gap where the per-repo provenance markers existed but nothing compared them, so a repo could silently sit on a stale Core (how the nvim lockfile drifted). Read-only: the fix is a human running `make sync`; a not-checked-out repo is skipped unless `--strict`. The reference commit is `--ref` / `$CORE_REF_SHA` → `origin/main` → `main` → `HEAD`. The fleet list is the same `scripts/os-repos.txt` that `sync-core.sh` reads; the scheduled workflow anonymously shallow-clones the public repos and fails red on drift.
- `.github/workflows/bootstrap-test.yml`, a reusable (`workflow_call`) bootstrap integration test, authored once here and called by a thin ~10-line stub in each OS repo, so the OS repos gain CI without each carrying a duplicated copy of the logic (the same fan-out the Core layer exists to kill). Two jobs: `lint` runs `shellcheck -x` + `bash -n` + `--help` on `bootstrap.sh` (the OS repos previously had no CI at all, so this is their first gate); `links-only` runs `bootstrap.sh --links-only` inside the target distro's container and asserts the symlink graph + the generated `~/.zshrc` (it pre-seeds the tpm dir to skip the network clone, mirroring `test-core.sh`'s offline technique, and leaves the actual module load, already covered hermetically by `test-core.sh`, alone). Callers pass `image`/`prep`/`offensive`; Kali sets `offensive: true`.
- `lib/bootstrap-lib.sh`, a vendored BASH provisioning scaffold that ends the per-repo bootstrap fan-out. Roughly half of each OS bootstrap.sh was the same code (`link()`, `read_pkgs()`, WSL detection, the Core-symlink loop, the `.zshrc` loader heredoc, the default-login-shell logic), copy-pasted and then independently reformatted, so a fix had to be made in every repo by hand (the exact N-way drift Core exists to kill, leaking through the one file that can't be vendored). The shared half now lives here as `blib_*` helpers (`blib_link`, `blib_read_pkgs`, `blib_is_wsl`, `blib_link_core`, `blib_link_os_layer`, `blib_write_zshrc_loader`, `blib_set_login_shell`), sourced by each bootstrap.sh alongside `lib/ux.sh`. The loader writer takes the module list as an argument, so a role repo (Kali) injects its `offensive` stage; the login-shell helper takes `$BLIB_SU` so a doas-only or root box works. The `core/`-presence check stays inline per bootstrap (you cannot source a lib out of `core/` before confirming `core/` exists). Listed in `core.manifest`; sourced (non-exec) like `lib/ux.sh`. Adopting it in each OS bootstrap.sh is a follow-up that lands after this is synced out.
- `pullall [dir]` shell function (`zsh/functions.zsh`) fast-updates every git repo under a parent directory in parallel: it prunes deleted remote branches, stashes uncommitted tracked changes, switches to each repo's auto-detected trunk (main/master/trunk/… via `origin/HEAD`, not a hard-coded `main`), fast-forwards it, pops the stash back (reporting a pop conflict instead of swallowing it), then prints a summary card. The parent directory is configurable (argument → `$PULLALL_DIR` → CWD) so Core stays machine-agnostic; parallelism via `xargs -P` (`$PULLALL_JOBS`, default 10). Colour is TTY/NO_COLOR-aware and repo paths are passed positionally (no shell injection from odd names). Ships with a `_pullall` completion, a `core-help` row, and behavioural tests.
- `dotfiles-Defense-PLAN.md`, a forward-looking architecture note plus a complete, ready-to-instantiate skeleton for a future dotfiles-Defense repo (the defensive/blue Role layer that mirrors dotfiles-Kali). Records the red/blue split decision, the trigger for standing the repo up, the layer-table identity, and every scaffold file verbatim (README, CLAUDE.md, bootstrap, defense.zsh, methodology, gitignore, compose stub, templates) so the repo can be `git init`-ed when the trigger is met. Added to the audit's repo-meta allowlist; it is planning, not shipped Core.
- Claude Code project memory + maintenance routines (`CLAUDE.md`, `.claude/`): a root `CLAUDE.md` encoding the three-layer model, the "is it Core?" test, the manifest contract, and the load order so every Claude session reasons from the real rules. Three on-demand slash commands automate the judgment-heavy chores the audit can't: `/doc-audit` (prose-vs-reality drift across the fleet, via the `doc-consistency` subagent), `/tool-scout` (research the modern-CLI stack for tools worth adopting, via the `tool-scout` subagent), and `/freshness-triage` (review dependency-bump PRs against upstream changelogs). All report-first; none vendor out without a green `make audit`. `CLAUDE.md` added to the audit's repo-meta allowlist (`.claude/` was already a prefix).
- Scheduled maintenance bots (`.github/workflows/claude-routines.yml`) run the `/doc-audit` and `/tool-scout` routines headless on a weekly cron (and on demand), filing findings as a deduplicated GitHub issue. The Claude Code CLI is installed from npm (pinned via `CLAUDE_CODE_VERSION` in `scripts/tool-versions.env`); no third-party action, mirroring `freshness.yml`. Auth is a Claude subscription token (`CLAUDE_CODE_OAUTH_TOKEN`, from `claude setup-token`); inert until that secret is set (the workflow no-ops with a warning otherwise).
- `make release-notes` + `cliff.toml`: git-cliff config + a Makefile target that drafts a GitHub Release body from Conventional Commits since the last release commit. Scoped dev-tooling (audit allowlist, not `core.manifest`, zero runtime cost); it does not generate `CHANGELOG.md` (that stays hand-curated and is promoted by `scripts/release.sh`). Surfaced by `/tool-scout` (issue #44).
- `aliases.md` is now surfaced in the changelog: the cross-fleet aliases cheat sheet (Core + per-OS + offensive layers), previously shipped without an entry.
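The `--only`/`--skip` selector described in the entry above and hardened in the Changed section's "Track B module selector" entry, as an added POSIX-sh reconstruction (not the project's own `lib/bootstrap-lib.sh`; the function bodies, the global variable names `BLIB_ONLY`/`BLIB_SKIP`, and returning 1 rather than exiting are assumptions made so the block runs stand-alone):

```shell
# Added example, not the project's code. Mirrors the names in the changelog
# (blib_select, blib_want, blib_selected_note, BLIB_MODULES); bodies are assumed.
BLIB_MODULES="zsh nvim tmux git prompt tools"   # the Core groups named in the entry
BLIB_ONLY=""                                     # allowlist recorded by --only
BLIB_SKIP=""                                     # denylist recorded by --skip

# blib_select <--only|--skip> <csv>: validate and record a selector.
# Returns 1 on an unknown flag, a malformed csv, or an unknown group, so a
# caller typo can never make filtering look like it worked.
blib_select() {
  mode=$1 csv=$2
  case $mode in
    --only|--skip) ;;
    *) echo "blib_select: unknown flag '$mode'" >&2; return 1 ;;   # fail fast
  esac
  # Empty selector, leading comma, trailing comma, or doubled comma: abort.
  case $csv in
    ""|,*|*,|*,,*) echo "blib_select: malformed selector '$csv'" >&2; return 1 ;;
  esac
  groups=$(printf '%s' "$csv" | tr ',' ' ')
  for g in $groups; do
    case " $BLIB_MODULES " in
      *" $g "*) ;;
      *) echo "blib_select: unknown group '$g'" >&2; return 1 ;;
    esac
  done
  if [ "$mode" = --only ]; then BLIB_ONLY=$groups; else BLIB_SKIP=$groups; fi
  return 0
}

# blib_want <group>: --only is an allowlist that wins when set; a co-present
# --skip is ignored. With no --only, --skip is consulted; with neither, all.
blib_want() {
  if [ -n "$BLIB_ONLY" ]; then
    case " $BLIB_ONLY " in *" $1 "*) return 0 ;; *) return 1 ;; esac
  fi
  case " $BLIB_SKIP " in *" $1 "*) return 1 ;; esac
  return 0
}

# blib_selected_note: report exactly one active mode, mirroring blib_want's
# precedence, so a never-applied --skip is not shown as "(skipped: ...)".
blib_selected_note() {
  if [ -n "$BLIB_ONLY" ]; then printf ' (only: %s)' "$BLIB_ONLY"
  elif [ -n "$BLIB_SKIP" ]; then printf ' (skipped: %s)' "$BLIB_SKIP"
  fi
}

# blib_wire_selected: the groups that would actually be wired, one per line.
blib_wire_selected() {
  for g in $BLIB_MODULES; do blib_want "$g" && echo "$g"; done
  return 0
}
```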
Fixed

- `blib_set_login_shell` no longer trusts a non-executable `command -v zsh`. `command -v` also resolves aliases/functions, so a shadowed `zsh` could yield an alias body rather than a path; it's now required to resolve to a real executable (`[[ -x ]]`) before being handed to `chsh`/`usermod`. The `/etc/passwd` fallback (used when `getent` is absent, e.g. busybox/Alpine) switched from a `grep "^$user:"` regex to `awk -F: -v u="$user"`, so a username containing a regex metacharacter can't mis-match. Robustness only; no behavior change for normal setups.
- Startup nudges no longer execute under a substitution prompt (`zsh/update.zsh`). `_pkgup_notice` ("N updates available - run `up` to apply") and `_core_welcome` ("dotfiles Core loaded - run `core`…") rendered their hints with `print -P` and wrapped the verb in backticks. Under `setopt prompt_subst`, which starship and any substitution prompt enable, `print -P` performs command substitution, so the backtick'd word was executed rather than printed: the update nudge fires from a precmd hook before `up()` is defined, surfacing as `command not found: up` on every package-manager box (and, once defined, silently triggering a privileged upgrade). Both hints now use single quotes (`'up'`/`'core'`), which are literal under prompt expansion; the `NO_COLOR` branch already used the safe `print -r`. Surfaced by a `make sync` audit failing on a starship MacBook. A new `test-core.sh` regression seeds a cached count under `prompt_subst` with an `up()` sentinel and asserts the nudge mentions `up` but never runs it.
- `dotfiles-Defense-PLAN.md` scaffold: `bootstrap.sh --links-only` was dead. The reproduced `bootstrap.sh` set `LINKS_ONLY` but never read it, so `--links-only` still ran the host-tool/docker probe (and shellcheck flagged the unused var). Guard the probe with `(( DO_CHECK && ! LINKS_ONLY ))` so `--links-only` truly just wires symlinks, and rewrite the `(( missing == 0 )) && ok || warn` line as if/then/else. The scaffold is now shellcheck-clean and was exercised end-to-end in a sandbox (`--links-only` wires Core + the defense stage); the "validated" note now says so. Planning doc only (allowlisted repo-meta); nothing shipped/vendored.
- `gsync` runner + core-guard installer hardening (review follow-up to the fan-out PRs). `.bin/sync-upstream.sh`: normalize to the git toplevel first so `gsync` works from any subdirectory (it is an absolute-path runner); use `git status --porcelain` for the clean-tree check so untracked files also block (`git diff-index HEAD` missed them); and reword the failure hint to be auth-agnostic (the remote is HTTPS, not SSH) and point at the right re-pull command for an OS repo. `zsh/aliases.zsh`: `gsync` is now a wrapper function, not an alias, so a dotfiles path containing whitespace stays one word and args pass through, with a matching `_gsync` completion and `core-help` row. `lib/bootstrap-lib.sh` `blib_install_core_guard`: detect the git work tree and hooks dir via `git rev-parse` (so worktrees/submodules, where `.git` is a file, get the guard too), skip with a warning when `core.hooksPath` is set (installing into the ignored `.git/hooks` was false protection), and return non-zero instead of silently succeeding if the hooks dir can't be created. A new hermetic test covers the `core.hooksPath` skip.
- `sync-core.sh` pre-fan-out audit no longer false-fails on the core-guard test. The script `export`s `DOTFILES_ALLOW_CORE_EDIT=1` for its own legitimate subtree commits, but that exemption was still in the environment when it ran the pre-fan-out `audit-core.sh`, whose behavioral suite commits to a throwaway `core/` and asserts the guard hook BLOCKS it. The inherited exemption made that assertion fail, turning an otherwise-green tree red and forcing `SYNC_SKIP_AUDIT=1`. The audit now runs via `env -u DOTFILES_ALLOW_CORE_EDIT` (it never writes to `core/`, so it needs no exemption); the fan-out commits keep theirs.
- `bootstrap-lib.sh` now wires three Core files it silently dropped. `blib_link_core` linked starship/nvim/mise/git/tmux/clip but omitted `core/lazygit/config.yml` (→ `~/.config/lazygit/config.yml`), `core/vim/vimrc` (→ `~/.vimrc`), and the `core/sesh/sesh.toml.example` seed (→ `~/.config/sesh/sesh.toml`): three files that are in `core.manifest` (the manifest comments even spell out their destinations) yet reached no machine, an omission inherited from the per-repo bootstraps this library consolidated. lazygit + vim symlink like starship; sesh is seeded (copied, never relinked) like the git identity file. The matching `bootstrap-test.yml` assertions for these three were briefly deferred: that reusable test is referenced `@main` by every adopter, so it can only assert what each adopter's CURRENT vendored `core/` produces, and asserting the wiring before `make sync` propagated it would have red-flagged Fedora/Kali. They are now re-added: every adopter's `core.lock` is at a Core that includes the wiring, so the `@main` test asserts lazygit/`~/.vimrc`/seeded-sesh again without false reds.
- `freshness.yml` opens its pin-bump PRs against the default branch, not the dispatched ref (`GITHUB_REF_NAME`), and uses a ref-independent concurrency group, so a manual run from a feature branch can't target the wrong base or race the cron.
- `aliases.md`: corrected the `myip` expansion (it redirects stderr: `curl -fsS https://ifconfig.me 2>/dev/null && echo`) and repo-qualified the cross-repo source paths in the header so they don't read as broken local links.
- `doc-consistency` subagent: aligned its system description with the canonical nine-repo, three-layer (Core → OS-native → Role) wording.
- `audit-core.sh`: clarified the META-allowlist comments. Those files are "not shipped Core" (absent from `core.manifest`), not "never vendored" (the subtree copy carries them physically).
- Doc drift caught by `/doc-audit`: corrected "vendored into/fans out to nine OS repos" → eight (Windows vendors no `core/`) in `CHANGELOG.md` + `CONTRIBUTING.md`; added the manifest-listed `zsh/loader.zsh` and `lazygit/config.yml` to the README Layout tree; completed the README tmux-scripts list (added `tmux-battery`/`tmux-cheat`); and attributed the `cheat` alias to `functions.zsh` (not `aliases.zsh`) in `aliases.md`.
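The two hardenings in the `blib_set_login_shell` entry at the top of this section (the executable gate on a resolved shell path, and the exact-field `awk` lookup replacing the `grep "^$user:"` regex), as an added stand-alone POSIX-sh example that is not the project's code; the passwd file is constructed here and passed as a parameter, and the helper names are assumptions:

```shell
# Added example, not the project's lib/bootstrap-lib.sh. Helper names are assumed.

# is_real_exec <candidate>: the [ -x ] gate. In zsh `command -v zsh` can echo an
# alias body such as "zsh -l" when zsh is shadowed; only an absolute path to a
# non-directory executable may be handed on to chsh/usermod.
is_real_exec() {
  case $1 in /*) ;; *) return 1 ;; esac   # an alias body is never a path
  [ -x "$1" ] && [ ! -d "$1" ]
}

# passwd_shell_regex <user> <passwd-file>: the OLD lookup, grep "^$user:".
# The username is interpolated into a regex, so metacharacters match broadly.
passwd_shell_regex() {
  grep "^$1:" "$2" | cut -d: -f7
}

# passwd_shell_awk <user> <passwd-file>: the NEW lookup, exact field compare.
# -v passes the name as a string, never as a pattern.
passwd_shell_awk() {
  awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# needs_chsh <user> <want-shell> <passwd-file>: 0 when the recorded login shell
# differs from the wanted one, i.e. when chsh/usermod would actually be run.
needs_chsh() {
  cur=$(passwd_shell_awk "$1" "$3")
  [ "$cur" != "$2" ]
}

# Constructed sample passwd file (not a real system's). "b.b" carries a regex
# metacharacter: "^b.b:" also matches "bob:" and "bab:", so the grep lookup can
# return several shells for one user, while the awk lookup returns exactly one.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bob:x:1000:1000::/home/bob:/bin/bash
b.b:x:1001:1001::/home/b.b:/usr/bin/zsh
bab:x:1002:1002::/home/bab:/bin/ash
EOF
```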
Security

- CI tool downloads are now SHA-256 verified. The `setup-core-tools` composite action previously fetched its pinned gate binaries (shellcheck, actionlint, gitleaks, neovim) with `curl … | tar` and no integrity check: a tampered or MITM'd release asset would have executed inside the gate. Each install now downloads to a file, verifies it against a pinned hash from `scripts/tool-versions.env`, and only then installs; a mismatch fails the build. `shfmt` was folded into the action (it was the last tool still installed via inline `curl` in the OS-repo lint workflows), so one verified definition now covers every downloaded gate tool.
- `scripts/tool-versions.env` gained a `*_SHA256` per downloaded tool (the single source the action reads alongside each `*_VERSION`), plus `SHFMT_VERSION`.
- `scripts/audit-core.sh` gained a "tool download integrity" section that fails the audit if any pinned `*_VERSION` lacks a 64-hex `*_SHA256`, so a version can no longer be bumped without refreshing its checksum.
- `scripts/update-tool-checksums.sh` (new) recomputes the pinned hashes from the exact assets the action downloads, so a version bump is a one-command checksum refresh.
- `setup-core-tools` skips only on its OWN verified binary, not any `command -v` match. The install steps short-circuited on `command -v <tool>`, which also matches a binary preinstalled on the runner (`ubuntu-latest` ships shellcheck), so the verified install was silently skipped and the gate ran the unpinned, unverified system shellcheck. Each step now skips only when the binary is already in the action's own `bindir` (a genuine cache restore); the caller prepends `bindir` to `PATH`, so the verified binary always shadows any preinstalled one. Restores the integrity + pinning guarantee for shellcheck.
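The verify-then-install flow, the 64-hex pin check, the checksum recompute, and the bindir-only skip from the entries above, as an added POSIX-sh sketch that is not the project's `setup-core-tools` action or `update-tool-checksums.sh`; the fetcher is passed as a function so the block runs offline against a constructed asset, and all helper names are assumptions:

```shell
# Added example, not the project's code. Helper names are assumed.

# is_sha256 <hex>: the audit's shape check, a pin must be exactly 64 hex chars.
is_sha256() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# verify_sha256 <file> <expected>: compare the downloaded file's digest to the pin.
verify_sha256() {
  is_sha256 "$2" || { echo "pin for $1 is not a 64-hex SHA-256" >&2; return 1; }
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ] || { echo "checksum mismatch for $1" >&2; return 1; }
}

# needs_install <tool> <bindir>: skip ONLY when our own verified copy exists.
# `command -v` is deliberately not consulted: a binary preinstalled on the
# runner must not suppress the verified install.
needs_install() {
  [ ! -x "$2/$1" ]
}

# install_verified <tool> <expected-sha256> <bindir> <fetch-fn>: fetch-fn writes
# the asset to the path it is given. The asset lands in a temp file, is
# verified, and only then is copied into bindir; nothing unverified is kept.
install_verified() {
  tool=$1 expected=$2 bindir=$3 fetch=$4
  needs_install "$tool" "$bindir" || { echo "$tool: cached in $bindir"; return 0; }
  tmp=$(mktemp) || return 1
  "$fetch" "$tmp" || { rm -f "$tmp"; return 1; }
  if ! verify_sha256 "$tmp" "$expected"; then
    rm -f "$tmp"                      # never leave an unverified asset behind
    return 1
  fi
  mkdir -p "$bindir" && cp "$tmp" "$bindir/$tool" && chmod 0755 "$bindir/$tool"
  rm -f "$tmp"
}

# pin_from_asset <fetch-fn>: what a checksum refresh does, recompute the pin
# from the exact asset the fetcher produces (prints the hex digest).
pin_from_asset() {
  t=$(mktemp) || return 1
  "$1" "$t" && sha256sum "$t" | cut -d' ' -f1
  rm -f "$t"
}

# resolved_tool <tool> <bindir>: the path a gate step would run once the
# caller prepends bindir to PATH; the verified copy must win over any
# preinstalled one. Evaluated in a subshell so the caller's PATH is untouched.
resolved_tool() {
  ( PATH="$2:$PATH"; command -v "$1" )
}

# Constructed "release assets" standing in for a gate binary: a good build and
# a tampered one served under the same name.
fetch_good()     { printf '#!/bin/sh\necho shellcheck-stub\n' >"$1"; }
fetch_tampered() { printf '#!/bin/sh\necho tampered\n' >"$1"; }
```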