fix(claude): repair home-role agent git identity + capture role-name convention#11
Merged
Merged
Conversation
Add ~/.gitconfig.d/allowed_signers listing the personal human and personal-agent identities, and point gpg.ssh.allowedSignersFile at it from the signing fragment so both the human and agent gitconfigs inherit it. Without it, git log --show-signature can't verify SSH-signed commits (it errors that allowedSignersFile must be configured). GitHub's Verified badge is unaffected; this is local verification only. See ADR 0034. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
DOTPICKLES_ROLE=home had no matching claude/roles/home.jsonc (only personal.jsonc existed), so claudeconfig.sh silently skipped the role merge, GIT_CONFIG_GLOBAL was never injected, and Claude agent commits fell back to ~/.gitconfig's op-ssh-sign -- a 1Password biometric prompt on every commit. The mismatch hid for ~2 months because a missing role file and a role with no overrides looked identical to the merge. Complete the personal->home rename across claudeconfig.sh (default + role file), install.sh, .zshenv, claude/roles/, and the agent gitconfig fragment, and warn loudly in claudeconfig.sh when a role has no matching file. The git identity keeps the personal-agent name (GitHub-enrolled); only the role changed. Document the canonical role names (ADR 0035) and the fail-loud decision (ADR 0036); correct stale references in ADR 0031 and architecture.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What was broken
Agent git commits kept hitting 1Password biometric prompts. Root cause: an incomplete
personal->homerole rename. The live role ishome(set byconfig/fish/config.fish), butclaude/roles/only hadpersonal.jsonc.claudeconfig.shlooked forhome.jsonc, didn't find it, and silently skipped the role merge, soGIT_CONFIG_GLOBALwas never injected and every agent commit fell back toop-ssh-sign. It hid for ~2 months because a missing role file and a role with no overrides looked identical to the merge.install.shwas still emittingpersonaltoo, so a fresh install would have re-broken it.What's in here
Commit 1 - local SSH verification (ADR 0034)
~/.gitconfig.d/allowed_signers(personal human + personal-agent identities)gpg.ssh.allowedSignersFileat it from thesigningfragmentgit log --show-signaturelocally. No effect on signing or GitHub's Verified badge.Commit 2 - role fix + guard + docs (ADRs 0035, 0036)
personal->homeacrossclaudeconfig.sh,install.sh,.zshenv,claude/roles/, and the agent gitconfig fragmentclaudeconfig.shwhen a role has no matching filehome/work/container,personalretired) and the role-vs-identity splitarchitecture.mdThe git identity keeps the
personal-agentname (GitHub-enrolled) on purpose; only the role name changed.Verification
sig:G)~/.claude/settings.jsonnow injectsGIT_CONFIG_GLOBALgit log --show-signaturereportsGood "git" signaturePre-existing unrelated working-tree edits (Brewfile, mise, .macos, etc.) were left out.
🤖 Generated with Claude Code