
v2.0.0


@github-actions github-actions released this 28 Jun 22:24
2bf9f80

Breaking — keybindings realigned. The zsh file-picker moved off Ctrl+F to
Ctrl+T, and the cross-shell keys were settled fleet-wide: Ctrl+E atuin
TUI, Ctrl+R quick fzf history, Ctrl+G jump-to-session (navi dropped its
Ctrl+G widget in favour of the navi command), Alt+Z zoxide jump. Update muscle
memory and re-source your shell (or restart it) after the next make sync. This is
the breaking change that makes this release 2.0.0 rather than a 1.x bump;
everything else below is additive or a fix.

Changed

  • /freshness-triage now covers the CLI tool pins. The routine reviewed zsh/nvim/
    actions bumps but said nothing about scripts/tool-versions.env, the one bump class
    that also needs make update-tool-checksums to refresh its *_SHA256. Added a section
    so a *_VERSION change without its checksum is flagged Hold (the audit only checks
    that a hash is present, not that it is correct, so a stale hash would otherwise fail
    late at the action's sha256sum -c in CI). Routine-doc only; no code change.
  • Cross-shell keybindings aligned (PARITY.md decisions resolved). The four open
    parity decisions are settled and implemented on both shells: Ctrl+T = file picker
    (zsh moved off Ctrl+F), Ctrl+E = atuin TUI / Ctrl+R = quick fzf history,
    Ctrl+G = jump-to-session everywhere (zsh sesh; the host gets a psmux sessionizer,
    with navi demoted from its Ctrl+G widget to the navi command), and Alt+Z = zoxide
    jump + gaf/grf/grsf fuzzy git staging ported to pwsh. Core's functional change is
    the file-picker rebind (zsh/bindings.zsh: Ctrl+F→Ctrl+T), with the announced key
    updated everywhere it appears (zsh/fzf.zsh warning + comments, the core-help cheat
    row in zsh/functions.zsh, tmux/scripts/tmux-cheat.sh, README.md, and the
    test-core.sh assertions); the pwsh half lands in dotfiles-Windows. The six rows
    moved to aligned (file-picker, atuin, dir-jump, session-picker, fuzzy-git, cheat) are
    each enforced by a scripts/parity-check.sh needle. make audit + make parity-check green.
  • bootstrap-lib.sh gains opt-in dry-run + tallies (lib/bootstrap-lib.sh) — the
    shared provisioning scaffold now honors BLIB_DRY=1: blib_link / blib_seed /
    blib_link_core / blib_write_zshrc_loader / blib_set_login_shell PRINT what they
    would do and change nothing. Every mutation (symlink, backup, seed copy, chmod, the
    tpm clone, the ssh perms, the .zshrc write, the chsh) is guarded, so an OS bootstrap's
    --dry-run can preview the whole plan instead of each repo hand-rolling it. blib_link
    also gained an idempotent already-correct-link no-op and a missing-source skip; the two
    inline git/sesh seed blocks are unified into a new blib_seed; BLIB_* counters +
    blib_wire_summary give a "N linked · M seeded · K backed up" footer. Backward
    compatible: BLIB_DRY defaults off and the non-dry path is byte-for-byte the prior
    behaviour, so the already-adopted Fedora/Arch/Alpine/openSUSE/Gentoo/Kali bootstraps are
    unaffected. This unblocks MacBook adopting the shared scaffold without losing its
    --dry-run. Verified: a dry run creates zero files; a real run wires all 25 links + 2
    seeds; a re-run backs up nothing.
  • De-forked update.zsh's per-shell path (zsh/update.zsh). The throttle check
    and the upgrade nudge ran date +%s once and sed -n Np twice on every
    interactive shell: three subprocess spawns (~1.7 ms each, measured) on the critical
    path before the first prompt, the exact fork tax this stack's cached inits + deferred
    plugins exist to avoid. Replaced with zsh builtins: $EPOCHSECONDS (a zsh/datetime
    param) for the clock and $(<file) + ${(f)…} for the two-line cache read, removing
    all three forks (~5 ms off a warm shell) with byte-identical behaviour and a date
    fallback if the module is unavailable. Profiled with make profile; the _pkgup_*
    parse + nudge unit tests are unchanged and green. (A profile-led pivot: caching
    tools.zsh's command -v probes was measured and rejected as not worth the footgun;
    it is only ~1.8 ms total, and a stale cache could hide a newly-installed tool.)
  • Dropped dotfiles-Debian from the documented fleet. The Debian OS-native
    repo was only ever planned, never created, and is no longer being pursued, so
    the fleet docs that named it as a real target were ahead of reality. Removed it
    from the OS-native repo lists (README.md, CLAUDE.md, CONTRIBUTING.md,
    SECURITY.md, PORTING-MATRIX.md), reframed it in scripts/os-repos.txt from
    "planned" to a documented permanent absence (so it is not re-added), and dropped
    it from the claude-routines fleet-clone loop. This also reconciles the
    "nine-repo system" / "seven vendoring OS repos" counts, which the phantom Debian
    entry had thrown off by one. Debian distro-family facts (the bat→batcat /
    fd→fdfind renames, Kali being Debian-family) are unaffected and retained.
  • Hardened the Track B module selector (lib/bootstrap-lib.sh) — two fixes from
    review of the fan-out PRs. blib_select now fails fast on an unknown flag (a
    *) arm warns + exit 1 instead of silently falling through without recording a
    selection, so a caller typo can't make filtering appear to "work" while wiring
    everything). And blib_selected_note now mirrors blib_want's precedence: since
    --only is an allowlist that wins when set, a co-present --skip is ignored, so the
    note reports a single active mode (only when set, otherwise skip) rather than
    appending a misleading (skipped: …) suffix that was never applied. Backward
    compatible: the single-selector and no-selector paths are unchanged. test-core.sh
    Section G gains an unknown-flag rejection case, a --skip/both-set precedence check on
    the note, and a BLIB_MODULES drift guard pinning the production group list to the
    tested oracle. make audit green.
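The dry-run guard, already-correct-link no-op, missing-source skip and tally footer that the opt-in dry-run bullet above describes, as an added bash example. It is not the project's lib/bootstrap-lib.sh: the function bodies, the backup naming and the footer wording are assumptions, and only the symlink path is shown (the seed copy, chmod, clone and chsh sit behind the same BLIB_DRY guard in the same way).

```bash
#!/usr/bin/env bash
# Added example (not the project's lib/bootstrap-lib.sh): a blib_link-style
# helper with the behaviours the release describes. BLIB_DRY=1 prints the plan
# and mutates nothing; an already-correct symlink is a no-op; a missing source
# is skipped; counters feed a summary footer. Names and wording are assumptions.
set -euo pipefail

: "${BLIB_DRY:=0}"
BLIB_LINKED=0 BLIB_BACKED_UP=0 BLIB_SKIPPED=0

# blib_link SRC DST: make DST a symlink to SRC, backing up any existing target.
# Every mutation (mv, mkdir, ln) sits behind the BLIB_DRY guard; the tallies
# still advance so a dry run reports the same footer a real run would.
blib_link() {
  local src=$1 dst=$2 bak
  if [[ ! -e $src ]]; then
    echo "skip   $dst (source $src missing)"
    BLIB_SKIPPED=$((BLIB_SKIPPED + 1))
    return 0
  fi
  if [[ -L $dst && $(readlink "$dst") == "$src" ]]; then
    echo "ok     $dst (already -> $src)"      # idempotent: nothing to do, nothing counted
    return 0
  fi
  if [[ -e $dst || -L $dst ]]; then
    bak="$dst.bak.$(date +%Y%m%d%H%M%S)"
    echo "backup $dst -> $bak"
    (( BLIB_DRY )) || mv "$dst" "$bak"
    BLIB_BACKED_UP=$((BLIB_BACKED_UP + 1))
  fi
  echo "link   $dst -> $src"
  if (( ! BLIB_DRY )); then
    mkdir -p "$(dirname "$dst")"
    ln -s "$src" "$dst"
  fi
  BLIB_LINKED=$((BLIB_LINKED + 1))
}

# blib_wire_summary: the "N linked · M backed up · K skipped" footer.
blib_wire_summary() {
  local suffix=''
  (( BLIB_DRY )) && suffix=' (dry run)'
  printf '%d linked · %d backed up · %d skipped%s\n' \
    "$BLIB_LINKED" "$BLIB_BACKED_UP" "$BLIB_SKIPPED" "$suffix"
}
```

Source the file, set BLIB_DRY=1 to preview, then read the footer: the dry run and the real run that follows it report the same tallies, and a second real run reports only "ok" lines and counts nothing.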

Added

  • Auto-published GitHub Releases on tag push (.github/workflows/release.yml).
    Pushing a vX.Y.Z tag now publishes the GitHub Release automatically, finishing
    the make release … && make tag PUSH=1 path. The Release body is the curated
    CHANGELOG.md section for that version (not a git-cliff commit digest; CHANGELOG
    is the source-of-truth prose), and the job refuses to publish unless the tag is a
    clean SemVer that matches core.version at the tagged commit and the section
    exists. Uses the built-in GITHUB_TOKEN via the preinstalled gh CLI, so no PAT and
    no third-party action. Re-running updates the existing Release's notes idempotently.
    Also refreshed cliff.toml's header (the repo DOES git-tag now) and
    RELEASE-STRATEGY.md (§5 checklist + §6) to match.
  • Release-automation: the three gaps RELEASE-STRATEGY.md flagged are now wired.
    (1) sync-core.sh stamps a core_tag field (git describe of the
    vendored commit) into each OS repo's core.lock, and fleet-drift.sh shows it
    in the RECORDED column, so the drift dashboard speaks in named releases, not
    just SHAs (the SHA still drives the verdict; the tag is display only, and the
    line is emitted only once Core actually carries a tag, keeping core.lock
    byte-identical to today until the first release). (2) A new audit-arch leg in
    ci.yml runs the shell-scope audit inside archlinux:latest (rolling glibc
    toolchain, newer than Ubuntu LTS), mirroring the existing audit-alpine
    (musl/busybox) leg, so Core is proven on both named container userlands before
    a tag. (3) scripts/tag-release.sh + make tag finish a release: commit
    core.version + CHANGELOG, create the annotated vX.Y.Z tag, re-run the
    audit gate; pushing is opt-in (make tag PUSH=1). make release VERSION=X.Y.Z &&
    make tag is now the whole cut end to end.
  • RELEASE-STRATEGY.md — the cadence, tagging, and rollout policy. The repo
    shipped all the release machinery (core.version, scripts/release.sh, the
    sync-core.sh fan-out gate, core.lock provenance, the Monday freshness/drift
    bots) but no documented policy tying it together. The new doc adds that: Core
    as the sole versioned unit, a three-track cadence (continuous / weekly pin bumps
    / monthly + security tags), SemVer mapped to host blast-radius, why the
    three-layer subtree model beats common/-plus-conditionals, and a canary-first
    staged rollout so a Core release reaches one OS before all eight. Registered in the
    audit's META_ALLOWLIST. Docs-only; no behavioral change.
  • dotfiles-Defense joins the fleet as the defensive (blue) Role. The
    three-layer model always had room for a second Role beside dotfiles-Kali;
    defender-authored capability (Sigma rules, Sysmon baselines, Zeek/Suricata
    tuning, SIEM content, the hunt/triage workflow, a Dockerized detection lab) now
    has its own repo instead of living as attack-paired notes in Kali's
    PURPLE-TEAM.md. Core is vendored into it like any OS/Role repo, so the fleet
    grows: nine → ten config repos, eight → nine machine repos, seven → eight
    Core-vendoring targets. This sync carries the count + Role-layer wording
    updates fleet-wide (README.md, CLAUDE.md, ARCHITECTURE.md, SECURITY.md,
    CONTRIBUTING.md, the issue templates) and adds dotfiles-Defense to
    scripts/os-repos.txt so sync-core.sh fans Core into it. Docs/data only; no
    behavioral change to Core.
  • bootstrap-lib.sh gains --only/--skip module selection (lib/bootstrap-lib.sh)
    — the shared scaffold can now wire a SUBSET of the Core groups: zsh nvim tmux
    git prompt tools. New blib_select <--only|--skip> <csv> (validates a comma-separated
    selector; empty / leading / trailing / doubled commas and unknown groups all abort),
    blib_want <group> (consulted by blib_link_core, blib_link_os_layer,
    blib_write_zshrc_loader, blib_set_login_shell), and blib_selected_note for a
    summary suffix. Each OS overlay rides with its Core group (os.zsh→zsh, os.conf→tmux,
    os.gitconfig→git). This is the Core half of the dotfiles-web Bootstrap Command
    Generator's "Track B"; each OS bootstrap.sh just routes its --only/--skip here.
    Backward compatible: with neither selector set everything is wired exactly as
    before, so every existing caller is unaffected. make audit green.
  • gsync upstream-sync shortcut (.bin/sync-upstream.sh, zsh/aliases.zsh) —
    a one-word alias that git subtree pushes an OS repo's vendored core/ subtree
    back upstream to dotfiles-core (main), using the prefix that matches the registered
    core/ ⇄ root@main subtree boundary. The runner refuses to run unless a core/
    subtree is present (so it no-ops in dotfiles-core, the source of truth) and bails
    on a dirty working tree. The alias resolves the script relative to the sourced
    module via the ${(%):-%x} trick (the same one maint.zsh uses), so the
    shortcut survives the core/ subtree vendoring without putting .bin on PATH.
    Registered in core.manifest.
  • ARCHITECTURE.md — a strategic architecture overview: the three-layer
    model and its boundary test, the full fleet map (which repos vendor core/
    and which don't), the one-directional subtree vendoring topology, the
    load-bearing zsh load order, the audit gate, and the rationale for the model.
    Sits above README.md/CONTRIBUTING.md (which stay operational) and
    cross-references them. Added to the audit's repo-meta allowlist; it is docs,
    not shipped Core.
  • parity-check gate (scripts/parity-check.sh, make parity-check, weekly
    .github/workflows/parity-check.yml) — mechanises the aligned rows of PARITY.md:
    asserts a distinctive needle (starship/zoxide/atuin init, the fzf tokyonight palette,
    the fd default command) is present in both a zsh source and the pwsh source,
    failing when one side drifts. Reads pwsh from a sibling dotfiles-Windows checkout
    (skipped with a notice if absent, unless --strict; the workflow clones it and runs
    --strict), the same cross-repo pattern as fleet-drift.sh. The fzf-palette row is
    the regression guard for the parity fix just shipped; keybinding rows join the checker
    as each open decision is made. make audit green.
  • PARITY.md — the cross-shell parity contract, the source of truth for what
    "the same on zsh and PowerShell" means, mapping every prompt/alias/keybinding/
    function capability to aligned (must stay in step), deliberate (intentional
    platform difference), or gap (open item). Makes the WSL-zsh ↔ Windows-pwsh
    divergences a documented decision instead of silent drift, and names the open
    decisions (the Ctrl+G sesh-vs-navi collision, the file-picker key, the atuin
    key, the gaf/grf/grsf + Alt+Z ports). Paired with a same-change fix that
    brings the fzf tokyonight-storm palette to pwsh (dotfiles-Windows
    powershell/core/10-tools.ps1), which previously fell back to terminal-default
    colours: the first aligned row closed. A future scripts/parity-check.sh can
    mechanise the aligned rows the way fleet-drift.sh mechanised provenance.
  • core/ edit guard (blib_install_core_guard in lib/bootstrap-lib.sh, wired into
    scripts/sync-core.sh) — a local pre-commit hook that refuses commits touching the
    vendored core/ subtree, turning the prose rule "never hand-edit core/" into a
    mechanical block. Motivated by a real incident: an upstream "Lazy lock update" edited a
    vendored core/nvim/lazy-lock.json directly, drifting it from canonical Core. sync-core.sh
    now (re)installs the hook into every repo it fans out to (so the protection lands on the
    maintainer's machine, where the edit happens) and exempts its own legitimate subtree
    writes via DOTFILES_ALLOW_CORE_EDIT=1; a one-off bypass is the standard
    git commit --no-verify. Idempotent and non-destructive: it never clobbers a
    pre-existing unrelated pre-commit hook. Covered by hermetic git tests in
    scripts/test-core.sh. (Wiring it into each OS bootstrap.sh for fresh clones rides
    along with the pending bootstrap-lib.sh adoption.)
  • Fleet-drift check (scripts/fleet-drift.sh, make fleet-drift, and a weekly
    .github/workflows/fleet-drift.yml) — reads every OS repo's core.lock
    (core_sha=…) plus dotfiles-Windows's nvim/.core-ref (commit = …) and reports
    which repos lag Core's tip (BEHIND/AHEAD/DIVERGED, quantified in commits). Closes the
    gap where the per-repo provenance markers existed but nothing compared them, so a repo
    could silently sit on a stale Core (how the nvim lockfile drifted). Read-only: the
    fix is a human running make sync; a not-checked-out repo is skipped unless --strict.
    The reference commit is --ref/$CORE_REF_SHA → origin/main → main → HEAD.
    Fleet list is the same scripts/os-repos.txt sync-core.sh reads; the scheduled
    workflow anonymously shallow-clones the public repos and fails red on drift.
  • .github/workflows/bootstrap-test.yml — a reusable (workflow_call)
    bootstrap integration test, authored once here and called by a thin ~10-line
    stub in each OS repo, so the OS repos gain CI without each carrying a duplicated
    copy of the logic (the same fan-out the Core layer exists to kill). Two jobs:
    lint runs shellcheck -x + bash -n + --help on bootstrap.sh (the OS
    repos previously had no CI at all, so this is their first gate); links-only
    runs bootstrap.sh --links-only inside the target distro's container and
    asserts the symlink graph + the generated ~/.zshrc (it pre-seeds the tpm dir
    to skip the network clone, mirroring test-core.sh's offline technique, and
    leaves the actual module load, already covered hermetically by test-core.sh,
    alone). Callers pass image/prep/offensive; Kali sets offensive: true.
  • lib/bootstrap-lib.sh — a vendored BASH provisioning scaffold that ends the
    per-repo bootstrap fan-out. Roughly half of each OS bootstrap.sh was the same
    code (link(), read_pkgs(), WSL detection, the Core-symlink loop, the .zshrc
    loader heredoc, the default-login-shell logic), copy-pasted and then independently
    reformatted, so a fix had to be made in every repo by hand (the exact N-way drift
    Core exists to kill, leaking through the one file that can't be vendored). The
    shared half now lives here as blib_* helpers (blib_link, blib_read_pkgs,
    blib_is_wsl, blib_link_core, blib_link_os_layer, blib_write_zshrc_loader,
    blib_set_login_shell), sourced by each bootstrap.sh alongside lib/ux.sh. The
    loader writer takes the module list as an argument, so a role repo (Kali) injects
    its offensive stage; the login-shell helper takes $BLIB_SU so a doas-only or
    root box works. The core/-presence check stays inline per bootstrap (you cannot
    source a lib out of core/ before confirming core/ exists). Listed in
    core.manifest; sourced (non-exec) like lib/ux.sh. Adopting it in each OS
    bootstrap.sh is a follow-up that lands after this is synced out.
  • pullall [dir] shell function (zsh/functions.zsh) — fast-update every git
    repo under a parent directory in parallel: prunes deleted remote branches,
    stashes uncommitted tracked changes, switches to each repo's auto-detected trunk
    (main/master/trunk/… via origin/HEAD, not a hard-coded main), fast-forwards
    it, pops the stash back (reporting a pop conflict instead of swallowing it), then
    prints a summary card. The parent directory is configurable (argument →
    $PULLALL_DIR → CWD) so Core stays machine-agnostic; parallelism via
    xargs -P ($PULLALL_JOBS, default 10). Colour is TTY/NO_COLOR-aware and
    repo paths are passed positionally (no shell injection from odd names). Ships
    with a _pullall completion, a core-help row, and behavioural tests.
  • dotfiles-Defense-PLAN.md — a forward-looking architecture note plus a
    complete, ready-to-instantiate skeleton for a future dotfiles-Defense repo
    (the defensive/blue Role layer that mirrors dotfiles-Kali). Records the
    red/blue split decision, the trigger for standing the repo up, the layer-table
    identity, and every scaffold file verbatim (README, CLAUDE.md, bootstrap,
    defense.zsh, methodology, gitignore, compose stub, templates) so the repo can
    be git init-ed when the trigger is met. Added to the audit's repo-meta
    allowlist; it is planning, not shipped Core.
  • Claude Code project memory + maintenance routines (CLAUDE.md, .claude/) —
    a root CLAUDE.md encoding the three-layer model, the "is it Core?" test, the
    manifest contract, and the load order so every Claude session reasons from the
    real rules. Three on-demand slash commands automate the judgment-heavy chores the
    audit can't: /doc-audit (prose-vs-reality drift across the fleet, via the
    doc-consistency subagent), /tool-scout (research the modern-CLI stack for
    tools worth adopting, via the tool-scout subagent), and /freshness-triage
    (review dependency-bump PRs against upstream changelogs). All report-first; none
    vendor out without a green make audit. CLAUDE.md added to the audit's
    repo-meta allowlist (.claude/ was already a prefix).
  • Scheduled maintenance bots (.github/workflows/claude-routines.yml) — run the
    /doc-audit and /tool-scout routines headless on a weekly cron (and on demand),
    filing findings as a deduplicated GitHub issue. The Claude Code CLI is installed
    from npm (pinned via CLAUDE_CODE_VERSION in scripts/tool-versions.env), with no
    third-party action, mirroring freshness.yml. Auth is a Claude subscription token
    (CLAUDE_CODE_OAUTH_TOKEN, from claude setup-token); inert until that secret is
    set (the workflow no-ops with a warning otherwise).
  • make release-notes + cliff.toml — git-cliff config + a Makefile target that
    drafts a GitHub Release body from Conventional Commits since the last release commit.
    Scoped dev-tooling (audit allowlist, not core.manifest, zero runtime cost); it does
    not generate CHANGELOG.md (that stays hand-curated and is promoted by
    scripts/release.sh). Surfaced by /tool-scout (issue #44).
  • aliases.md is now surfaced in the changelog — the cross-fleet aliases cheat
    sheet (Core + per-OS + offensive layers), previously shipped without an entry.
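The publish gate from the release.yml bullet above (clean SemVer tag, tag equal to core.version at the tagged commit, a CHANGELOG.md section that exists) and the extraction of that section as the Release body, as an added bash example. It is not the project's workflow: it assumes core.version holds a bare X.Y.Z and that CHANGELOG.md uses "## vX.Y.Z" headings with "### " subsections, and in CI the version would be read with git show "$TAG:core.version" rather than from the working tree. The last function shows the idempotent create-or-edit with gh, which needs network and is outside the offline demonstration.

```bash
#!/usr/bin/env bash
# Added example, not the repo's .github/workflows/release.yml: the checks the
# workflow is described as making before it publishes, plus extraction of the
# curated CHANGELOG.md section that becomes the Release body. Assumptions:
# core.version holds "X.Y.Z"; CHANGELOG.md uses "## vX.Y.Z" per-version headings.
set -euo pipefail

# Strict SemVer release tag: vMAJOR.MINOR.PATCH, no leading zeros, no
# pre-release or build suffix, so v2.0.0-rc1 and v02.0.0 are refused.
is_semver_tag() {
  [[ $1 =~ ^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$ ]]
}

# changelog_section CHANGELOG TAG: the body under "## TAG" up to the next "## "
# heading ("### Added"-style subsections stay inside the body).
changelog_section() {
  awk -v want="## $2" '
    $0 == want { inside = 1; next }
    /^## /     { if (inside) exit }
    inside     { print }
  ' "$1"
}

# release_body TAG VERSION_FILE CHANGELOG: print the body, or refuse (non-zero,
# reason on stderr) when the tag is malformed, mismatched, or undocumented.
release_body() {
  local tag=$1 version_file=$2 changelog=$3 version body
  is_semver_tag "$tag" || { echo "refusing: '$tag' is not a clean vX.Y.Z tag" >&2; return 1; }
  version=$(tr -d '[:space:]' < "$version_file")
  [[ $tag == "v$version" ]] || { echo "refusing: tag $tag != core.version $version" >&2; return 1; }
  body=$(changelog_section "$changelog" "$tag")
  [[ -n ${body//[[:space:]]/} ]] || { echo "refusing: $changelog has no $tag section" >&2; return 1; }
  printf '%s\n' "$body"
}

# publish_release TAG NOTES_FILE: create on first run, update notes on re-run, so
# the job is idempotent. Needs the gh CLI and GITHUB_TOKEN; not exercised offline.
publish_release() {
  if gh release view "$1" >/dev/null 2>&1; then
    gh release edit "$1" --notes-file "$2"
  else
    gh release create "$1" --title "$1" --notes-file "$2"
  fi
}
```

In the job, release_body "$GITHUB_REF_NAME" core.version CHANGELOG.md writes the notes file that publish_release consumes; any refusal exits non-zero before gh is touched.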
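The --only/--skip selector introduced in the bootstrap-lib.sh bullet above and tightened in the "Hardened the Track B module selector" bullet under Changed, as one added bash example covering both. It is not the project's blib_select / blib_want / blib_selected_note; the bodies are assumptions written to the described behaviour: a CSV that is empty or has a leading, trailing or doubled comma or an unknown group aborts, an unknown flag fails fast, and --only wins over a co-present --skip in the wiring decision and in the note alike.

```bash
#!/usr/bin/env bash
# Added example, not lib/bootstrap-lib.sh: a blib_select / blib_want /
# blib_selected_note trio with the validation and precedence the release
# describes. The six group names are the release's; the bodies are assumptions.
set -euo pipefail

BLIB_MODULES="zsh nvim tmux git prompt tools"   # the Core groups, in wiring order
BLIB_ONLY='' BLIB_SKIP=''

# blib_parse_csv CSV: reject empty, leading/trailing/doubled commas and unknown
# groups; print the selection as a space-separated list.
blib_parse_csv() {
  local csv=$1 g
  [[ -n $csv && $csv != ,* && $csv != *, && $csv != *,,* ]] ||
    { echo "bad selector: '$csv'" >&2; return 1; }
  for g in ${csv//,/ }; do
    [[ " $BLIB_MODULES " == *" $g "* ]] || { echo "unknown group: '$g'" >&2; return 1; }
  done
  echo "${csv//,/ }"
}

# blib_select --only|--skip CSV. An unrecognised flag warns and fails instead of
# falling through with nothing recorded (which would wire everything silently).
blib_select() {
  local flag=$1 csv=${2-} sel
  case $flag in
    --only) sel=$(blib_parse_csv "$csv") || return 1; BLIB_ONLY=$sel ;;
    --skip) sel=$(blib_parse_csv "$csv") || return 1; BLIB_SKIP=$sel ;;
    *) echo "blib_select: unknown flag '$flag' (expected --only or --skip)" >&2; return 1 ;;
  esac
}

# blib_want GROUP: should this group be wired? --only is an allowlist and wins
# whenever it is set; --skip is consulted only when --only is empty.
blib_want() {
  if [[ -n $BLIB_ONLY ]]; then [[ " $BLIB_ONLY " == *" $1 "* ]]
  elif [[ -n $BLIB_SKIP ]]; then [[ " $BLIB_SKIP " != *" $1 "* ]]
  else true
  fi
}

# blib_selected_note: summary suffix with the same precedence as blib_want, so a
# --skip that --only overrode is never reported as applied.
blib_selected_note() {
  if [[ -n $BLIB_ONLY ]]; then echo " (only: $BLIB_ONLY)"
  elif [[ -n $BLIB_SKIP ]]; then echo " (skipped: $BLIB_SKIP)"
  fi
}

# blib_plan: the groups a bootstrap would wire under the current selection.
blib_plan() {
  local g out=()
  for g in $BLIB_MODULES; do blib_want "$g" && out+=("$g"); done
  echo "${out[*]-}"
}
```

A bootstrap routes its flags as blib_select --only "$csv" and then asks blib_want "$group" before each wiring step; because a co-present --skip is ignored in both places, the note and the plan can never disagree.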

Fixed

  • blib_set_login_shell no longer trusts a non-executable command -v zsh.
    command -v also resolves aliases/functions, so a shadowed zsh could yield an
    alias body rather than a path; it's now required to resolve to a real executable
    ([[ -x ]]) before being handed to chsh/usermod. The /etc/passwd fallback
    (used when getent is absent, e.g. busybox/Alpine) switched from a grep "^$user:"
    regex to awk -F: -v u="$user", so a username containing a regex metacharacter
    can't mis-match. Robustness only; no behavior change for normal setups.
  • Startup nudges no longer execute under a substitution prompt (zsh/update.zsh).
    _pkgup_notice ("N updates available — run `up` to apply") and _core_welcome
    ("dotfiles Core loaded — run `core`…") rendered their hints with print -P and wrapped
    the verb in backticks. Under setopt prompt_subst, which starship and any
    substitution prompt enable, print -P performs command substitution, so the backtick'd
    word was executed rather than printed: the update nudge fires from a precmd hook before
    up() is defined, surfacing as command not found: up on every package-manager box (and,
    once defined, silently triggering a privileged upgrade). Both hints now use single quotes
    ('up' / 'core'), which are literal under prompt expansion; the NO_COLOR branch already
    used the safe print -r. Surfaced by a make sync audit failing on a starship MacBook. A
    new test-core.sh regression seeds a cached count under prompt_subst with an up()
    sentinel and asserts the nudge mentions up but never runs it.
  • dotfiles-Defense-PLAN.md scaffold: bootstrap.sh --links-only was dead. The
    reproduced bootstrap.sh set LINKS_ONLY but never read it, so --links-only still ran
    the host-tool/docker probe (and shellcheck flagged the unused var). Guard the probe with
    (( DO_CHECK && ! LINKS_ONLY )) so --links-only truly just wires symlinks, and rewrite
    the (( missing == 0 )) && ok || warn line as if/then/else. The scaffold is now
    shellcheck-clean and was exercised end-to-end in a sandbox (--links-only wires Core +
    the defense stage); the "validated" note now says so. Planning doc only (allowlisted
    repo-meta); nothing shipped/vendored.
  • gsync runner + core-guard installer hardening (review follow-up to the
    fan-out PRs). .bin/sync-upstream.sh: normalize to the git toplevel first so
    gsync works from any subdirectory (it is an absolute-path runner); use
    git status --porcelain for the clean-tree check so untracked files also block
    (git diff-index HEAD missed them); and reword the failure hint to be
    auth-agnostic (the remote is HTTPS, not SSH) and point at the right re-pull
    command for an OS repo. zsh/aliases.zsh: gsync is now a wrapper function,
    not an alias, so a dotfiles path containing whitespace stays one word and args
    pass through, with a matching _gsync completion and core-help row.
    lib/bootstrap-lib.sh blib_install_core_guard: detect the git work tree and
    hooks dir via git rev-parse (so worktrees/submodules, where .git is a file,
    get the guard too), skip with a warning when core.hooksPath is set (installing
    into the ignored .git/hooks was false protection), and return non-zero instead
    of silently succeeding if the hooks dir can't be created. New hermetic test
    covers the core.hooksPath skip.
  • sync-core.sh pre-fan-out audit no longer false-fails on the core-guard test.
    The script exports DOTFILES_ALLOW_CORE_EDIT=1 for its own legitimate subtree
    commits, but that exemption was still in the environment when it ran the
    pre-fan-out audit-core.sh, whose behavioral suite commits to a throwaway
    core/ and asserts the guard hook BLOCKS it. The inherited exemption made that
    assertion fail, turning an otherwise-green tree red and forcing SYNC_SKIP_AUDIT=1.
    The audit now runs via env -u DOTFILES_ALLOW_CORE_EDIT (it never writes to
    core/, so it needs no exemption); the fan-out commits keep theirs.
  • bootstrap-lib.sh now wires three Core files it silently dropped.
    blib_link_core linked starship/nvim/mise/git/tmux/clip but omitted
    core/lazygit/config.yml (→ ~/.config/lazygit/config.yml), core/vim/vimrc
    (→ ~/.vimrc), and the core/sesh/sesh.toml.example seed
    (→ ~/.config/sesh/sesh.toml): three files that are in core.manifest (the
    manifest comments even spell out their destinations) yet reached no machine,
    inherited from the per-repo bootstraps this library consolidated. lazygit + vim
    symlink like starship; sesh is seeded (copied, never relinked) like the git
    identity file. The matching bootstrap-test.yml assertions for these three were
    briefly deferred: that reusable test is referenced @main by every adopter, so
    it can only assert what each adopter's CURRENT vendored core/ produces, and asserting
    the wiring before make sync propagated it would have red-flagged Fedora/Kali. They are
    now re-added: every adopter's core.lock is at a Core that includes the wiring, so
    the @main test asserts lazygit/~/.vimrc/seeded-sesh again without false reds.
  • freshness.yml opens its pin-bump PRs against the default branch, not the
    dispatched ref (GITHUB_REF_NAME), and uses a ref-independent concurrency group,
    so a manual run from a feature branch can't target the wrong base or race the cron.
  • aliases.md — corrected the myip expansion (it redirects stderr:
    curl -fsS https://ifconfig.me 2>/dev/null && echo) and repo-qualified the
    cross-repo source paths in the header so they don't read as broken local links.
  • doc-consistency subagent — aligned its system description with the canonical
    nine-repo, three-layer (Core → OS-native → Role) wording.
  • audit-core.sh — clarified the META-allowlist comments: those files are "not
    shipped Core" (absent from core.manifest), not "never vendored" (the subtree copy
    carries them physically).
  • Doc drift caught by /doc-audit — corrected "vendored into/fans out to nine
    OS repos" → eight (Windows vendors no core/) in CHANGELOG.md + CONTRIBUTING.md;
    added the manifest-listed zsh/loader.zsh and lazygit/config.yml to the README
    Layout tree; completed the README tmux-scripts list (added tmux-battery/tmux-cheat);
    and attributed the cheat alias to functions.zsh (not aliases.zsh) in aliases.md.
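The core/ edit guard from the Added section, with the installer hardening that the "gsync runner + core-guard installer hardening" bullet above describes (hooks dir via git rev-parse, a warning-and-skip when core.hooksPath is set, non-zero when the hooks dir cannot be created, never clobbering an unrelated hook), as an added bash example. It is not the project's blib_install_core_guard: the marker comment, messages and function names are assumptions, and the staged-path decision is factored into a function that can be exercised without a repository.

```bash
#!/usr/bin/env bash
# Added example, not blib_install_core_guard from lib/bootstrap-lib.sh: the
# pre-commit decision ("refuse any staged path under core/ unless
# DOTFILES_ALLOW_CORE_EDIT=1") as a testable function, the hook body that
# applies it, and an installer with the hardening described in the release.
# Marker comment, messages and function names are assumptions.
set -euo pipefail

# core_guard_check STAGED_PATH...: 0 to allow the commit, 1 to block it.
core_guard_check() {
  local p hits=()
  [[ ${DOTFILES_ALLOW_CORE_EDIT-0} == 1 ]] && return 0   # sync-core.sh's own exemption
  for p in "$@"; do [[ $p == core/* ]] && hits+=("$p"); done
  (( ${#hits[@]} == 0 )) && return 0
  printf 'pre-commit: refusing to commit %d path(s) under vendored core/:\n' "${#hits[@]}" >&2
  printf '  %s\n' "${hits[@]}" >&2
  echo 'core/ is synced from dotfiles-core; bypass once with git commit --no-verify' >&2
  return 1
}

# core_guard_hook_body: the script written to the hooks dir. It reads the
# staged list NUL-separated so unusual file names cannot split or inject.
core_guard_hook_body() {
  cat <<'EOF'
#!/usr/bin/env bash
# dotfiles-core-guard
set -euo pipefail
mapfile -d '' staged < <(git diff --cached --name-only -z --diff-filter=ACMRD)
[[ ${DOTFILES_ALLOW_CORE_EDIT-0} == 1 ]] && exit 0
for p in "${staged[@]}"; do
  [[ $p == core/* ]] || continue
  echo "pre-commit: refusing to commit vendored core/ ($p); bypass once with git commit --no-verify" >&2
  exit 1
done
EOF
}

# install_core_guard [REPO]: idempotent. Uses git rev-parse so worktrees and
# submodules (where .git is a file) resolve to the real hooks dir; skips with a
# warning when core.hooksPath would make .git/hooks inert; leaves an unrelated
# pre-commit hook alone; returns non-zero if the hooks dir cannot be created.
install_core_guard() {
  local repo=${1:-.} hooks hook
  if git -C "$repo" config --get core.hooksPath >/dev/null; then
    echo "warning: core.hooksPath is set in $repo; .git/hooks is ignored, guard not installed" >&2
    return 0
  fi
  hooks=$(git -C "$repo" rev-parse --git-path hooks)
  [[ $hooks == /* ]] || hooks="$repo/$hooks"
  mkdir -p "$hooks" || { echo "error: cannot create $hooks" >&2; return 1; }
  hook="$hooks/pre-commit"
  if [[ -e $hook ]] && ! grep -q '^# dotfiles-core-guard$' "$hook"; then
    echo "warning: unrelated pre-commit hook at $hook; not clobbering it" >&2
    return 0
  fi
  core_guard_hook_body > "$hook" && chmod +x "$hook"
}
```

sync-core.sh would call install_core_guard in each repo after the subtree fan-out; its own commits run with DOTFILES_ALLOW_CORE_EDIT=1, and the audit that asserts the hook blocks must run with that variable unset (env -u), as the sync-core.sh bullet above notes.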
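The two robustness fixes from the blib_set_login_shell bullet above, as an added bash example that is not the project's helper: a resolver that accepts a shell only when command -v yields a real executable path, and a passwd lookup that compares the username as an exact awk field rather than through a grep regex. The passwd lines are constructed for the demonstration; the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the project's blib_set_login_shell: resolving a shell to a
# real executable (a shadowing alias or function makes command -v print a name
# or an alias body, not a path) and reading a login shell from a passwd-format
# file with an exact field match. Function names are assumptions.
set -euo pipefail

# resolve_exe NAME: print an absolute path only when NAME is a real executable.
# command -v zsh prints "zsh" for a function and the definition for an alias;
# neither is something chsh/usermod should be handed.
resolve_exe() {
  local p
  p=$(command -v "$1" 2>/dev/null) || return 1
  [[ $p == /* && -f $p && -x $p ]] || return 1
  printf '%s\n' "$p"
}

# passwd_shell USER [PASSWD]: field 7 for exactly USER (the getent-less fallback).
passwd_shell() {
  awk -F: -v u="$1" '$1 == u { print $7; found = 1; exit } END { exit !found }' "${2:-/etc/passwd}"
}

# passwd_shell_regex USER [PASSWD]: the replaced form, kept to show the defect.
# A username holding a regex metacharacter ("a.b") matches other entries ("axb").
passwd_shell_regex() {
  grep -m1 "^$1:" "${2:-/etc/passwd}" | cut -d: -f7
}
```

Use resolve_exe zsh in place of a bare command -v zsh before calling chsh or usermod, and passwd_shell only on the getent-less fallback path (busybox/Alpine).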

Security

  • CI tool downloads are now SHA-256 verified. The setup-core-tools composite
    action previously fetched its pinned gate binaries (shellcheck, actionlint, gitleaks,
    neovim) with curl … | tar and no integrity check, so a tampered or MITM'd release
    asset would have executed inside the gate. Each install now downloads to a file,
    verifies it against a pinned hash from scripts/tool-versions.env, and only then
    installs; a mismatch fails the build. shfmt was folded into the action (it was the
    last tool still installed via inline curl in the OS-repo lint workflows), so one
    verified definition now covers every downloaded gate tool.
  • scripts/tool-versions.env gained a *_SHA256 per downloaded tool (the single
    source the action reads alongside each *_VERSION), plus SHFMT_VERSION.
  • scripts/audit-core.sh gained a "tool download integrity" section that fails the
    audit if any pinned *_VERSION lacks a 64-hex *_SHA256, so a version can no longer be
    bumped without refreshing its checksum.
  • scripts/update-tool-checksums.sh (new) recomputes the pinned hashes from the
    exact assets the action downloads, so a version bump is a one-command checksum refresh.
  • setup-core-tools skips only on its OWN verified binary, not any command -v match.
    The install steps short-circuited on command -v <tool>, which also matches a binary
    preinstalled on the runner (ubuntu-latest ships shellcheck), so the verified install
    was silently skipped and the gate ran the unpinned, unverified system shellcheck. Each
    step now skips only when the binary is already in the action's own bindir (a genuine
    cache restore); the caller prepends bindir to PATH, so the verified binary always
    shadows any preinstalled one. Restores the integrity + pinning guarantee for shellcheck.
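The guarantees this Security section describes, as one added bash example that is not the setup-core-tools action, audit-core.sh or update-tool-checksums.sh: download to a file and verify against the pinned *_SHA256 before installing, fail the audit when a *_VERSION has no 64-hex *_SHA256, and treat a tool as installed only when the action's own bindir holds it, so a runner-preinstalled shellcheck can never satisfy the check. The env-file layout (NAME_VERSION=…, NAME_SHA256=…) and the URL template are assumptions; the download itself needs network and is outside the offline demonstration.

```bash
#!/usr/bin/env bash
# Added example, not the project's setup-core-tools action or audit-core.sh.
# (1) verify a downloaded asset against a pinned SHA-256 before installing it,
# (2) audit tool-versions.env so every *_VERSION has a 64-hex *_SHA256,
# (3) skip only on the action's own verified binary, never on a command -v hit.
# Env-file layout ("NAME_VERSION=...", "NAME_SHA256=...") and the URL template are assumptions.
set -euo pipefail

# sha256_of FILE: hex digest via GNU coreutils, or shasum where that is all there is.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# verify_sha256 FILE EXPECTED: 0 on match. A pin that is not 64 hex chars is
# refused outright, so a placeholder can never "verify". Equivalent to
# printf '%s  %s\n' "$want" "$file" | sha256sum -c, with a clearer failure.
verify_sha256() {
  local file=$1 want=$2 got
  [[ $want =~ ^[0-9a-f]{64}$ ]] || { echo "refusing: pin for $file is not a 64-hex SHA-256" >&2; return 1; }
  got=$(sha256_of "$file")
  [[ $got == "$want" ]] && return 0
  echo "checksum mismatch for $file: expected $want, got $got" >&2
  return 1
}

# audit_tool_versions ENV_FILE: print each tool whose *_VERSION has no matching
# 64-hex *_SHA256; return 1 if any, so a bump cannot land without its checksum.
audit_tool_versions() {
  local line name bad=0
  while IFS= read -r line; do
    [[ $line =~ ^([A-Z0-9_]+)_VERSION= ]] || continue
    name=${BASH_REMATCH[1]}
    grep -Eq "^${name}_SHA256=[0-9a-f]{64}\$" "$1" || { echo "$name"; bad=1; }
  done < "$1"
  return "$bad"
}

# need_install TOOL BINDIR: true unless the verified copy is already in BINDIR.
# command -v is deliberately not consulted: it would also match a binary the
# runner image preinstalled, which is neither pinned nor verified.
need_install() { [[ ! -x "$2/$1" ]]; }

# install_verified TOOL ENV_FILE BINDIR URL_TEMPLATE: download to a temp file,
# verify, then install; "{version}" in URL_TEMPLATE is replaced with the pin.
# Needs network (curl); the caller prepends BINDIR to PATH so the verified
# binary shadows any preinstalled one.
install_verified() {
  local tool=$1 env_file=$2 bindir=$3 tmpl=$4 up ver want url tmp
  need_install "$tool" "$bindir" || { echo "$tool: verified copy in $bindir, skipping"; return 0; }
  up=${tool^^}
  ver=$(grep -E "^${up}_VERSION=" "$env_file" | cut -d= -f2-)
  want=$(grep -E "^${up}_SHA256=" "$env_file" | cut -d= -f2-)
  url=${tmpl//\{version\}/$ver}
  tmp=$(mktemp)
  curl -fsSL --retry 3 -o "$tmp" "$url"
  verify_sha256 "$tmp" "$want" || { rm -f "$tmp"; return 1; }
  mkdir -p "$bindir" && install -m 0755 "$tmp" "$bindir/$tool" && rm -f "$tmp"
}
```

In the composite action each install step becomes install_verified "$tool" scripts/tool-versions.env "$bindir" "$url"; the audit leg is audit_tool_versions scripts/tool-versions.env; and a checksum refresh would regenerate the *_SHA256 lines from sha256_of over the freshly downloaded assets.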