What was broken

Agent git commits kept hitting 1Password biometric prompts. Root cause: an incomplete personal -> home role rename. The live role is home (set by config/fish/config.fish), but claude/roles/ only had personal.jsonc. claudeconfig.sh looked for home.jsonc, didn't find it, and silently skipped the role merge, so GIT_CONFIG_GLOBAL was never injected and every agent commit fell back to op-ssh-sign. It hid for ~2 months because a missing role file and a role with no overrides looked identical to the merge.

install.sh was still emitting personal too, so a fresh install would have re-broken it.

What's in here

Commit 1 - local SSH verification (ADR 0034)

• Adds ~/.gitconfig.d/allowed_signers (personal human + personal-agent identities)
• Points gpg.ssh.allowedSignersFile at it from the signing fragment
• Fixes git log --show-signature locally. No effect on signing or GitHub's Verified badge.

Commit 2 - role fix + guard + docs (ADRs 0035, 0036)

• Completes personal -> home across claudeconfig.sh, install.sh, .zshenv, claude/roles/, and the agent gitconfig fragment
• Adds a loud warning in claudeconfig.sh when a role has no matching file
• ADR 0035 captures the canonical role names (home/work/container, personal retired) and the role-vs-identity split
• ADR 0036 records the fail-loud decision; corrects stale refs in ADR 0031 and architecture.md

The git identity keeps the personal-agent name (GitHub-enrolled) on purpose; only the role name changed.

Verification

• Agent commit signs non-interactively, no 1Password prompt (both commits here are sig:G)
• ~/.claude/settings.json now injects GIT_CONFIG_GLOBAL
• git log --show-signature reports Good "git" signature
• prettier clean; cross-reference links resolve

Pre-existing unrelated working-tree edits (Brewfile, mise, .macos, etc.) were left out.

🤖 Generated with Claude Code