| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Delta's hyperlink resolution shells out to git rev-parse for every
blob to build clickable file links, which is fine on bare metal but
death-by-fork on a slow VM — 'git diff' could take many seconds
while 'git diff | cat' returns instantly. Turn hyperlinks off; we
get clickable nothing but visible-everything-fast diffs.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Switch the dispatcher's per-clone override location from the
bespoke .git/hooks-local/ to the classic .git/hooks/. This is:
- The untracked location git has used since forever, so no new
convention to learn.
- Where husky, lefthook, pre-commit-the-tool, and most other hook
managers install by default — they now "just work" again under our
global core.hooksPath.
git init's *.sample files don't collide because the dispatcher only
matches the exact hook name and the executable bit. The only behavior
change is that a forgotten legacy .git/hooks/pre-commit from before
core.hooksPath was set will start running again — that's arguably
restoring expected git semantics, not a regression.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds an untracked per-clone override layer to the hook dispatcher.
Lookup order is now:
1. <git-dir>/hooks-local/<name> — untracked, per-clone, ignored by git
2. <repo-top>/.githooks/<name> — tracked, shared with teammates
Use case: a shared repo ships a .githooks/pre-commit you want to
locally replace without modifying the tracked file. Drop your hook in
.git/hooks-local/<name> (chmod +x) and the dispatcher will run it
instead — the global commit-msg trailer-strip and pre-push gate still
run on top.
If neither override exists, only the global user-level logic runs.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Inverts the hook delegation model. Previously per-repo hooks required
a project to either (a) write the entire hook themselves and lose the
global signed-commit / agent-author gate, or (b) override
core.hooksPath and write passthrough stubs that exec back to
$HOME/.config/git/hooks/*. Both are ergonomically miserable.
Now: the global hooks at ~/.config/git/hooks/ are *always* the entry
point. Each one calls a shared dispatcher (_dispatch.sh) that runs
<repo>/.githooks/<hookname> if it exists, propagating its exit status,
and then continues with whatever the global hook itself wants to do.
Projects just drop an executable file at .githooks/<name> — no
core.hooksPath, no stubs, no boilerplate. Repos that don't have a
.githooks/ dir keep working exactly as before.
GIT_HOOK_DISPATCHED guards against re-entry so legacy repos using the
old stub-and-exec pattern don't loop. pre-push tees stdin so both the
repo hook and the global ref-list loop see the full push payload.
Adds two new always-no-op global hooks (pre-commit, post-commit)
purely so the dispatch happens for those events too — previously only
commit-msg and pre-push existed globally.
Refactors this dotfiles repo to use the new pattern: drops the
self-delegating .githooks/pre-push stub and removes the per-repo
core.hooksPath override from `just init` (now an idempotent unsetter
to clean up the override from past bootstraps). The remote-dev VM's
home-manager profile symlinks all four hooks plus _dispatch.sh.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Various agentic tools (Copilot CLI, VS Code chat, etc.) auto-append
`Co-authored-by: Copilot <...>` / Claude / Codex trailers, which then
trip the pre-push hook's agent-coauthor check and force a manual
amend before the push goes through. Scrub at commit time instead.
Uses the same agent-substring list as executable_pre-push (kept in
sync by comment). Triggered as commit-msg (not pre-commit — pre-commit
runs before the message exists). Drops matching trailers in-place,
collapses trailing blanks, and is a no-op otherwise.
Also symlinks the new hook in the remote-dev home-manager config so
it deploys on the Ubuntu VM.
Bypass: `git commit --no-verify`.
|
| | |
|
| |
|
|
|
|
|
| |
Rebases onto @{u} re-signing each commit with the current author
identity and key, while stripping any Co-authored-by lines. Hooks are
disabled (core.hooksPath=/dev/null) so chezmoi's post-commit hook
doesn't fire once per replayed commit.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSH-format signing
home.nix:
- Add zoxide (fixes 'command not found' on shell start), clang-tools
(no compiler driver), nodejs (Mason npm LSPs), uv (Mason python LSPs;
does not install python3 in PATH, so Ubuntu's /usr/bin/python3 stays
the system default), claude-code, github-copilot-cli.
- Refine the leaf-tools policy comment: explicit denylist of build-
toolchain binaries that would shadow Ubuntu's via PATH, plus a
carve-out for editor/AI runtimes (node, uv, clang-tools).
- Symlink ~/.config/git/{config,attributes,ignore} and ~/.ssh/config
from the dotfiles tree.
dot_config/zsh/dot_zshrc: guard direnv/zoxide/fzf inits with
'command -v X >/dev/null &&' so a fresh machine without one of them
no longer prints a stderr error on every shell start.
dot_config/git/config: append unconditional '[include] path =
~/.config/git/config.local' for machine-local overrides (used on the
remote-dev VM to switch to SSH-format signing via the forwarded
agent). Git silently skips missing include files.
remote-dev/README.md: document the update flow (config-only vs HM
rebuild), the single-shell leaf-tools policy, and the one-time VM
setup for SSH-format commit signing (allowed_signers + config.local,
ForwardAgent yes on the host).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Same substring blacklist (copilot, claude, codex, ...) is now also
applied to every Co-authored-by trailer in the commit message, not
just the author header. Agents commonly slip in via that route.
Trailers extracted with %(trailers:key=Co-authored-by,valueonly,
unfold,separator=%x1f) and split in awk on \037, which can't appear
in identity strings, so the tab-delimited record format stays
unambiguous.
To fix a flagged trailer use git commit --amend / interactive rebase
to drop the Co-authored-by line; --reset-author won't help here.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Block commits where the author name/email contains any of:
copilot, claude, codex, chatgpt, cursor, aider, devin, [bot],
@openai., @anthropic.
Use plain index() substring matching in awk to dodge regex-escaping
pitfalls (an earlier draft using regex turned \[bot\] into a char
class via -v escape processing and false-matched 'o' in 'com').
Fix: rebase with --reset-author re-stamps you as author while
keeping the agent as it was (or drop them entirely). Documented in
the failure message.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Now flags any commit whose committer name+email doesn't match the
local user.name / user.email (which respects the includeIf rules in
~/.config/git/config, so per-tree work/personal identities work).
Author is left free: pulling someone else's commit and rebasing it
locally re-stamps the committer to you, satisfies this gate, and the
original author is preserved in the commit metadata.
Both checks (signature + committer) run in one rev-list pass with
tab-separated fields so awk parses unambiguously.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Activated via core.hooksPath = ~/.config/git/hooks in the global
git config. The hook walks each ref being pushed (range: remote..local
or, for new branches, local --not --remotes) and checks %G? on every
commit. Accepts G/U/X/Y (good signature variants), rejects N/B/E/R
(no signature, bad, missing key, revoked).
Bypass: git push --no-verify
This repo overrides hooksPath to .githooks/ for its just-check
pre-commit gate, so a thin .githooks/pre-push delegates to the global
hook to keep the policy enforced here too.
|
| |
|
|
|
|
|
|
|
| |
The Bridge presents a self-signed cert on its 127.0.0.1:1025 STARTTLS
listener, so git send-email's default cert verification fails with
SSL_verify_cert. Setting smtpSslCertPath to empty disables chain
verification for this single, loopback-only endpoint.
Per https://git-send-email.io/#step-2 (Proton Bridge note).
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a [sendemail] block targeting the local Bridge SMTP listener
(127.0.0.1:1025, STARTTLS) and a credential helper scoped to that URL
that fetches the password from pass (proton/bridge-smtp). The helper
command is public; the secret stays in the password store. The bridge
SMTP username (sensitive but not secret) goes in the per-identity
private overlay (~/doxfiles), not here.
Also pull in the Perl SMTP modules git send-email needs at runtime.
|
|
|
Rename home/ contents to chezmoi naming conventions:
- dot_ prefix for dotfiles and dot-dirs
- private_dot_ for .gnupg and .ssh directories
- private_ for 0600 files (nym.pub)
- executable_ for scripts in .local/bin and display-toggle.sh
- symlink_ for mimeapps.list symlink
|
sommerfeld