dotfiles/.githooks, branch master

feat(git): user-level hooks auto-dispatch into /.githooks/

2026-05-19T15:45:17Z

Inverts the hook delegation model. Previously per-repo hooks required a project to either (a) write the entire hook themselves and lose the global signed-commit / agent-author gate, or (b) override core.hooksPath and write passthrough stubs that exec back to $HOME/.config/git/hooks/*. Both are ergonomically miserable. Now: the global hooks at ~/.config/git/hooks/ are *always* the entry point. Each one calls a shared dispatcher (_dispatch.sh) that runs /.githooks/ if it exists, propagating its exit status, and then continues with whatever the global hook itself wants to do. Projects just drop an executable file at .githooks/ — no core.hooksPath, no stubs, no boilerplate. Repos that don't have a .githooks/ dir keep working exactly as before. GIT_HOOK_DISPATCHED guards against re-entry so legacy repos using the old stub-and-exec pattern don't loop. pre-push tees stdin so both the repo hook and the global ref-list loop see the full push payload. Adds two new always-no-op global hooks (pre-commit, post-commit) purely so the dispatch happens for those events too — previously only commit-msg and pre-push existed globally. Refactors this dotfiles repo to use the new pattern: drops the self-delegating .githooks/pre-push stub and removes the per-repo core.hooksPath override from `just init` (now an idempotent unsetter to clean up the override from past bootstraps). The remote-dev VM's home-manager profile symlinks all four hooks plus _dispatch.sh.

feat(git): global pre-push hook rejecting unsigned commits

2026-05-13T12:43:34Z

Activated via core.hooksPath = ~/.config/git/hooks in the global git config. The hook walks each ref being pushed (range: remote..local or, for new branches, local --not --remotes) and checks %G? on every commit. Accepts G/U/X/Y (good signature variants), rejects N/B/E/R (no signature, bad, missing key, revoked). Bypass: git push --no-verify This repo overrides hooksPath to .githooks/ for its just-check pre-commit gate, so a thin .githooks/pre-push delegates to the global hook to keep the policy enforced here too.

feat(justfile): add check-fmt and check recipes; pre-commit hook

2026-04-21T00:24:38Z

Split concerns: fmt-check (check-fmt) from lint. check-fmt mirrors fmt with each tool's --check/-d flag. check runs both as a single quality gate. A new .githooks/pre-commit runs 'just check' on every commit; bypass with git commit --no-verify. Also drop just --fmt --check and prettier --check from the lint recipe (they're format checks, belong in check-fmt).

refactor: revert auto-init, add dedicated 'just init' recipe

2026-04-21T00:23:26Z

chezmoi init is only needed when .chezmoi.toml.tmpl changes, so running it on every apply is unnecessary overhead. Run 'just init' manually when the template changes.

fix: use 'chezmoi init --apply' to regenerate config on template changes

2026-04-21T00:23:26Z

When .chezmoi.toml.tmpl changes (e.g. adding [status] exclude=scripts), plain 'chezmoi apply' warns and keeps using the stale config. Using 'init --apply' regenerates the config from the template and applies in one step. Status does a silent init first for the same reason.

fix: pass -S . to chezmoi so apply/status work from any CWD

2026-04-21T00:23:26Z

Without an explicit source, chezmoi defaults to ~/.local/share/chezmoi which doesn't exist on this setup. The post-commit hook uses git rev-parse so it works even if the hook is run from a subdirectory.

feat: add tracked git hooks and justfile

2026-04-21T00:23:19Z

- .githooks/post-commit: runs chezmoi apply after every commit - justfile: 'just install-hooks' sets core.hooksPath - Added justfile and .githooks/ to .chezmoiignore