{"id":14982900,"url":"https://github.com/sebastienrousseau/dotfiles","last_synced_at":"2026-05-31T00:01:37.249Z","repository":{"id":27394900,"uuid":"30871203","full_name":"sebastienrousseau/dotfiles","owner":"sebastienrousseau","description":"Declarative dotfiles for macOS, Linux, and WSL — multi-shell parity, sub-second startup, wallpaper-driven themes, SLSA-signed releases, AI/MCP-aware.","archived":false,"fork":false,"pushed_at":"2026-05-28T22:32:28.000Z","size":10114,"stargazers_count":66,"open_issues_count":8,"forks_count":16,"subscribers_count":3,"default_branch":"master","last_synced_at":"2026-05-29T00:14:01.260Z","etag":null,"topics":["age","ai","bash","chezmoi","dotfiles","fish","linux","macos","mcp","mise","nix","nushell","oidc","powershell","security","slsa","sops","workstation","wsl","zsh"],"latest_commit_sha":null,"homepage":"https://doc.dotfiles.io/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sebastienrousseau.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":".github/CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":["sebastienrousseau"]}},"created_at":"2015-02-16T14:15:57.000Z","updated_at":"2026-05-25T17:28:19.000Z","dependencies_parsed_at":"2026-02-04T01:00:45.014Z","dependency_job_id":null,"html_url":"https://github.com/sebastienrousseau/dotfiles","commit_stats":{"total_commits":699,"total_committers":11,"mean_commits":63.54545454545455,"dds":0.2675250357653791,"last_synced_commit":"53de5832aaf9347bfe2c0e11688b142472e6f472"},"previous_names":["reedia/dotfiles"],"tags_count":244,"template":false,"template_full_name":null,"purl":"pkg:github/sebastienrousseau/dotfiles","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebastienrousseau%2Fdotfiles","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebastienrousseau%2Fdotfiles/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebastienrousseau%2Fdotfiles/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebastienrousseau%2Fdotfiles/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sebastienrousseau","download_url":"https://codeload.github.com/sebastienrousseau/dotfiles/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebastienrousseau%2Fdotfiles/sbom","scorecard":{"id":768333,"data":{"date":"2025-08-11","repo":{"name":"github.com/sebastienrousseau/dotfiles","commit":"e26d8540e980fa9857d8c11bb2700edb29c3c64a"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.2,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: .github/SECURITY.md:1","Info: Found linked content: .github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: .github/SECURITY.md:1","Info: Found text in security policy: .github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Code-Review","score":0,"reason":"Found 0/1 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":2,"reason":"dependency not pinned by hash detected -- score normalized to 2","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/sebastienrousseau/dotfiles/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/sebastienrousseau/dotfiles/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/sebastienrousseau/dotfiles/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/sebastienrousseau/dotfiles/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/sebastienrousseau/dotfiles/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/sebastienrousseau/dotfiles/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/sebastienrousseau/dotfiles/release.yml/master?enable=pin","Warn: npmCommand not pinned by hash: lib/aliases/update/update.aliases.sh:178","Warn: npmCommand not pinned by hash: .github/workflows/release.yml:88","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   2 npmCommand dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T01:30:39.591Z","repository_id":27394900,"created_at":"2025-08-23T01:30:39.591Z","updated_at":"2025-08-23T01:30:39.591Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33714033,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["age","ai","bash","chezmoi","dotfiles","fish","linux","macos","mcp","mise","nix","nushell","oidc","powershell","security","slsa","sops","workstation","wsl","zsh"],"created_at":"2024-09-24T14:06:22.712Z","updated_at":"2026-05-31T00:01:37.222Z","avatar_url":"https://github.com/sebastienrousseau.png","language":"Shell","funding_links":["https://github.com/sponsors/sebastienrousseau"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://cloudcdn.pro/dotfiles/v2/images/logos/dotfiles.svg\" alt=\"Dotfiles logo\" width=\"128\" /\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003e.dotfiles\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eDeclarative dotfiles for macOS, Linux, WSL, and Windows-native PowerShell 7.4 LTS / 7.5+. Multi-shell by default. Sub-100ms CLI cold-start. Wallpaper-driven themes. Signed + attested releases. Fleet apply over SSH.\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/sebastienrousseau/dotfiles/actions\"\u003e\u003cimg src=\"https://img.shields.io/github/actions/workflow/status/sebastienrousseau/dotfiles/ci.yml?style=for-the-badge\u0026logo=github\" alt=\"Build\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/sebastienrousseau/dotfiles/releases/latest\"\u003e\u003cimg src=\"https://img.shields.io/badge/Version-v0.2.503-blue?style=for-the-badge\" alt=\"Version\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/sebastienrousseau/dotfiles/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/downloads/sebastienrousseau/dotfiles/total?style=for-the-badge\" alt=\"Downloads\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://codespaces.new/sebastienrousseau/dotfiles\"\u003e\u003cimg src=\"https://img.shields.io/badge/Open%20in-Codespaces-blue?style=for-the-badge\u0026logo=github\" alt=\"Open in GitHub Codespaces\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://scorecard.dev/viewer/?uri=github.com/sebastienrousseau/dotfiles\"\u003e\u003cimg src=\"https://img.shields.io/ossf-scorecard/github.com/sebastienrousseau/dotfiles?style=for-the-badge\u0026label=OpenSSF%20Scorecard\" alt=\"OpenSSF Scorecard\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.bestpractices.dev/projects/new\"\u003e\u003cimg src=\"https://img.shields.io/badge/OpenSSF%20Best%20Practices-in%20progress-yellow?style=for-the-badge\" alt=\"OpenSSF Best Practices\" /\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-green?style=for-the-badge\" alt=\"License: MIT\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n\u003e **Why this is different.** You won't find these three things in `mathiasbynens/`, `holman/`, or `paulirish/`. First, wallpaper-driven terminal themes. We use K-Means clustering in CIELAB and enforce WCAG AAA contrast. Second, first-class agent governance. That covers MCP policy, A2A discovery, signed attestation logs, and bounded profiles (`ask` / `plan` / `apply` / `audit`). Third, verified multi-shell parity across zsh, fish, bash, nushell, and PowerShell. The suite is tested on macOS, Linux, WSL2, and Apple Silicon CI runners. Signed commits are enforced. The installer is idempotent. The CLI heals itself.\n\n\u003c!-- ASCIINEMA DEMO — closes #874 once recorded.\n     30-second clip covering: install.sh → dot doctor → dot theme rebuild.\n     Recording recipe (maintainer):\n\n       asciinema rec ~/dotfiles-demo.cast \\\n         --idle-time-limit 1 --rows 30 --cols 100 \\\n         --title \"Dotfiles: install → doctor → theme\"\n       # in the recording shell:\n       #   curl -fsSL https://raw.githubusercontent.com/sebastienrousseau/dotfiles/master/install.sh | bash\n       #   dot doctor\n       #   dot theme rebuild --force\n       # then Ctrl-D to stop\n\n     Upload with `asciinema upload ~/dotfiles-demo.cast`, grab the\n     resulting `https://asciinema.org/a/\u003cid\u003e` URL, and replace this\n     comment with:\n\n       \u003cp align=\"center\"\u003e\n         \u003ca href=\"https://asciinema.org/a/\u003cid\u003e\"\u003e\n           \u003cimg src=\"https://asciinema.org/a/\u003cid\u003e.svg\" alt=\"install → doctor → theme demo\" /\u003e\n         \u003c/a\u003e\n       \u003c/p\u003e\n--\u003e\n\n## Install\n\n**Verified install (recommended).** Pin to a release tag. Download the installer. Check its SHA256 against the value published with the release. Then run it. See [docs/security/INSTALL_VERIFICATION.md](docs/security/INSTALL_VERIFICATION.md) for the per-release hash and how it's generated.\n\n```bash\ncurl -fsSL -o /tmp/dotfiles-install.sh \\\n  https://raw.githubusercontent.com/sebastienrousseau/dotfiles/v0.2.503/install.sh\necho \"4c0303a2d88d5aed98428ab0da37618c9795af4dae0e6549646c2fce5235c280  /tmp/dotfiles-install.sh\" \\\n  | shasum -a 256 -c\nbash /tmp/dotfiles-install.sh\n```\n\n**Trust-source one-liner** (skips the SHA check — fine for sandboxes and ephemeral CI, not recommended for primary workstations):\n\n```bash\nbash -c \"$(curl -fsSL https://raw.githubusercontent.com/sebastienrousseau/dotfiles/master/install.sh)\"\n```\n\nThen verify and explore:\n\n```bash\ndot doctor        # verify installation\ndot learn         # interactive tour\n```\n\nThe install needs `git` and `curl`. The verified path also needs `shasum` or `sha256sum`. The script runs on macOS, Ubuntu, Debian, Arch, WSL2, and GitHub Codespaces.\n\n\u003cdetails\u003e\n\u003csummary\u003eCI/CD and Docker options\u003c/summary\u003e\n\nSilent install (no prompts):\n\n```bash\nDOTFILES_SILENT=1 DOTFILES_NONINTERACTIVE=1 \\\n  bash -c \"$(curl -fsSL https://raw.githubusercontent.com/sebastienrousseau/dotfiles/master/install.sh)\"\n```\n\nDocker sandbox:\n\n```bash\ndocker run --rm -e DOTFILES_NONINTERACTIVE=1 ubuntu:24.04 bash -c \\\n  'apt-get update -qq \u0026\u0026 apt-get install -y -qq git curl sudo \u003e/dev/null 2\u003e\u00261 \\\n  \u0026\u0026 git clone --depth 1 https://github.com/sebastienrousseau/dotfiles.git ~/.dotfiles \\\n  \u0026\u0026 bash ~/.dotfiles/install.sh \\\n  \u0026\u0026 export PATH=\"$HOME/.local/bin:$PATH\" \\\n  \u0026\u0026 dot doctor'\n```\n\n\u003c/details\u003e\n\n---\n\n## Why this repo is different\n\nMost dotfiles repos are personal collections. This one ships as workstation infrastructure. It's signed, attested, multi-platform, AI-aware, and self-healing.\n\n| Capability | What you get | Where |\n|:---|:---|:---|\n| **Wallpaper-driven themes** | K-Means clustering in CIELAB extracts terminal palettes from any wallpaper. WCAG AAA enforced. Dynamic HEIC dark/light. | `dot theme rebuild` |\n| **AI and MCP native** | Agent profiles, MCP policy enforcement, attestation logs, AI commit messages. | `dot ai`, `dot mcp`, `dot agent`, `dot mode` |\n| **Cryptographic attestation** | Signed commits, machine-readable evidence, policy bundle releases. | `dot attest`, `dot secrets verify` |\n| **Fleet management** | Multi-node drift dashboard, per-host profiles. | `dot fleet` |\n| **Self-healing** | Auto-repair tools, chezmoi drift, broken symlinks, missing files. | `dot heal`, `dot chaos`, `dot rollback`, `dot bundle` |\n| **Sub-second startup** | Lazy loading, `_cached_eval` pattern, mtime-based cache invalidation, realpath sidecar pins. | `dot perf`, `dot health` |\n| **Multi-shell parity** | Tier-1 (full): zsh, bash. Tier-2 (bridged): fish. Tier-3 (compatible): nushell. PowerShell is supported as a contract-tested parity target. See [ADR-007](docs/adr/ADR-007-multi-shell-parity.md) and [ADR-011](docs/adr/ADR-011-nushell-tier3-keep.md). | `dot env`, `dot profile` |\n| **Build artifacts → /tmp** | Cargo, Go, pip, uv, and Zig caches redirect to `/tmp/builds/`. Project dirs stay clean. | `~/.config/mise/config.toml`, `~/.cargo/config.toml` |\n| **Encrypted secrets** | Age and SOPS keep per-machine secrets out of plaintext history. | `dot secrets` |\n| **Portable runtimes** | Mise for managed toolchains. Nix Flakes for strict reproducibility. | `dot env`, `dot upgrade` |\n| **Schema-validated config** | `.chezmoidata.toml` is checked against a JSON Schema in CI via taplo. Typos in feature flags or profile names fail at PR time. | `config/chezmoidata.schema.json` |\n\n---\n\n## Architecture\n\nThe CLI is idempotent. Run it once or a hundred times. Same machine state.\n\n```mermaid\ngraph TD\n    A[User Shell] --\u003e B{dot CLI}\n    B --\u003e C[Lifecycle: sync / apply / rollback / heal]\n    B --\u003e D[Diagnostics: doctor / drift / benchmark / score]\n    B --\u003e E[AI \u0026 Agents: ai / mcp / agent / mode]\n    B --\u003e F[Themes: theme / theme rebuild]\n    B --\u003e G[Fleet \u0026 Attest: fleet / attest / bundle]\n\n    C --\u003e H[Chezmoi Source]\n    F --\u003e I[Wallpaper Discovery\u003cbr/\u003eSystem + Custom]\n    I --\u003e J[K-Means CIELAB Engine]\n    J --\u003e K[themes.toml\u003cbr/\u003eWCAG AAA enforced]\n    K --\u003e H\n\n    H --\u003e L[Zsh / Fish / Bash / Nushell / PowerShell]\n    H --\u003e M[Mise / Nix Toolchains]\n    H --\u003e N[MCP Policy / Agent Profiles]\n    L --\u003e O[~/.cache/shell Fast Init]\n\n    G --\u003e P[Signed Attestation Logs]\n```\n\n---\n\n## Wallpaper-Driven Themes\n\nDrop a wallpaper. Get a theme.\n\n`dot theme rebuild` discovers system wallpapers and your custom ones. On macOS it looks in `/System/Library/Desktop Pictures/`. On Linux it looks in `/usr/share/backgrounds/`. Custom wallpapers live in `~/Pictures/Wallpapers/`. K-Means clustering in CIELAB color space extracts dominant colors. The engine then generates a 16-color terminal palette, enforces WCAG AAA contrast, and assembles `themes.toml` on its own.\n\n| Tier | Source | Format |\n|:---|:---|:---|\n| **System** | macOS `/System/Library/Desktop Pictures/`\u003cbr/\u003eLinux `/usr/share/backgrounds/` | `.heic`, `.jpg`, `.png` |\n| **Custom** | `~/Pictures/Wallpapers/` (overrides system on name collision) | Apple-compatible dynamic HEIC (single file, both appearances) |\n\n```bash\ndot theme              # interactive picker (paired themes only)\ndot theme tahoe-dark   # switch directly\ndot theme toggle       # swap dark↔light within current family\ndot theme rebuild      # regenerate from current wallpapers\n```\n\nOn theme switch, every managed surface updates. Terminals: Ghostty, Alacritty, Kitty, WezTerm, Warp, iTerm2, tmux. Editors: Neovim and VS Code. The theme also sets GTK and icon themes, the macOS accent and dark-mode toggle (with a forced UI refresh), the browser color mode, and the wallpaper. On Linux, the engine auto-converts HEIC to PNG via `magick` or `heif-convert`.\n\nFull guide: [docs/guides/THEMING.md](docs/guides/THEMING.md)\n\n---\n\n## The `dot` CLI\n\nOver 80 commands grouped by intent. Run `dot help` for the full reference.\n\n### Start Here\n\n| | |\n|:---|:---|\n| `dot init \u003cuser\u003e` | Bootstrap any GitHub user's dotfiles repo through this harness |\n| `dot sync` | Apply dotfiles to this machine |\n| `dot doctor` | Check the environment and surface issues |\n| `dot learn` | Open the guided tour |\n| `dot agents render` | Sync `CLAUDE.md` → `AGENTS.md` + Cursor + Codex stubs |\n| `dot fleet apply` | SSH out to every host in `~/.config/dotfiles/fleet.toml` |\n| `dot registry list` | Browse reusable dotfile modules from the registry |\n\nA [Claude Code skill](defaults/dot_claude/skills/dotfiles-bootstrap/SKILL.md) is also shipped — `/skills` discovers `dotfiles-bootstrap` and runs `dot init` with profile-aware safety defaults.\n\n### Daily Use\n\n| | |\n|:---|:---|\n| `dot status` / `dot diff` | Show local drift; preview pending changes |\n| `dot edit` | Open the source directory |\n| `dot upgrade` | Update tools and dotfiles |\n| `dot commit` | Generate an AI commit message from the staged diff |\n\n### Inspect \u0026 Repair\n\n| | |\n|:---|:---|\n| `dot heal` | Auto-fix tools, chezmoi drift, and broken symlinks |\n| `dot rollback` | Return to a previous known-good state |\n| `dot attest` | Export workstation evidence |\n| `dot chaos` | Simulate corruption to test self-healing |\n| `dot bundle` | Create an offline tarball of the dotfiles environment |\n\n### AI \u0026 Agents\n\n| | |\n|:---|:---|\n| `dot ai` | Show installed AI tools |\n| `dot mcp` | Inspect MCP policy and registry |\n| `dot mode` | Show or set the agent profile (ask / plan / apply / audit) |\n| `dot agent` | Agent metadata, logs, checkpoints, conformance |\n| `dot patterns` | List bundled AI patterns (architect, hardener, refactor) |\n\n### Configuration\n\n| | |\n|:---|:---|\n| `dot theme` / `dot theme rebuild` | Switch theme or regenerate from wallpapers |\n| `dot env` | Show managed tool versions |\n| `dot profile` | Show or switch active profile |\n| `dot secrets` | Edit encrypted secrets |\n| `dot fonts` | Install or refresh Nerd Fonts |\n\n### Fleet \u0026 Performance\n\n| | |\n|:---|:---|\n| `dot fleet` | Multi-node status, drift, and namespace |\n| `dot perf` | Measure shell startup |\n| `dot score` / `dot security-score` | Health and security scorecards |\n| `dot health` | Live dashboard for caches and tool state |\n\nFull reference: [docs/reference/UTILS.md](docs/reference/UTILS.md) · Complete manual: [docs/manual/](docs/manual/) or `dot manual`\n\n---\n\n## Documentation\n\nThe `.dotfiles` Manual is published in nine formats: HTML (single and multi-page), PDF, EPUB, ASCII text, compressed variants, and Markdown source. It auto-builds on every change.\n\n- **Online** — \u003chttps://sebastienrousseau.github.io/dotfiles/manual/\u003e\n- **Terminal** — `dot manual text | less`\n- **PDF** — `dot manual pdf`\n- **Offline copy** — `dot manual --offline` (uses the bundled snapshot, no network)\n- **Sources** — [`docs/manual/`](docs/manual/)\n\n---\n\n## First 5 Minutes\n\n1. **Check** — `dot doctor` validates tools, paths, and security\n2. **Explore** — `dot learn` walks through shells, secrets, themes, and performance\n3. **Customize** — edit `~/.config/chezmoi/chezmoi.toml` for per-machine settings ([Profiles](docs/reference/PROFILES.md))\n4. **Toggle features** — flip features in `.chezmoidata.toml` ([Feature Flags](docs/reference/FEATURES.md))\n5. **Apply** — `dot sync` applies the config and the next interactive shell hydrates caches via `_cached_eval`\n\nSee the [Migration Guide](docs/operations/MIGRATION.md) for version upgrades.\n\n---\n\n## What's Included\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eShells and Navigation\u003c/b\u003e\u003c/summary\u003e\n\n- **Zsh** loads in stages through small modules, not one big startup script\n- **Fish** uses `_cached_eval` and deferred loading for fast interactive use\n- **Bash** ships full parity with zsh for tooling and aliases\n- **Nushell** handles structured terminal workflows (Tier-3 compatible)\n- **PowerShell** keeps cross-platform and WSL sessions on the same baseline. A `pwsh` parity contract runs in CI on every PR\n- **Starship**, **Zoxide**, **Atuin**, and **fzf** for navigation and command recall\n- **Starship Transient Prompt** collapses past prompts to a single glyph in scrollback on fish. The zsh hook is in place for when upstream Starship lands the matching function ([ADR-010](docs/adr/ADR-010-starship-transient-prompt.md))\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eDevelopment and Runtimes\u003c/b\u003e\u003c/summary\u003e\n\n- **Mise** manages language versions in user space (no system pollution)\n- **Nix Flakes** for strict reproducible builds when speed isn't the priority\n- **Pueue** queues long-running tasks instead of spawning extra terminal tabs\n- **Neovim** ships as a full Lua-based editor, not a starter template\n- **Lazygit** for terminal git workflow without a GUI\n- **Build caches** (Cargo, Go, pip, uv, Zig) redirect to `/tmp/builds/` and clear on reboot\n- **`_cached_eval`** caches expensive `tool init` output with mtime and realpath invalidation. Set `EVALCACHE_DISABLE=true` to bypass for debugging\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eAI, Agents, and MCP\u003c/b\u003e\u003c/summary\u003e\n\n- **Agent profiles** (`dot mode`) — switch between ask, plan, apply, and audit\n- **Pattern library** (`dot patterns`) — architect, hardener, and refactor patterns bundled in `dot_config/ai/patterns/`\n- **MCP policy enforcement** (`dot mcp`) — validate the Model Context Protocol registry against policy\n- **AI commit messages** (`dot commit`) — conventional commits generated from the staged diff\n- **AI tools** (`dot ai`) — Claude Code, Codex, GitHub Copilot, Gemini CLI, and friends managed via Mise\n- **Attestation logs** — every agent session is logged with a policy hash and an outcome\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eSecurity, Trust, and Governance\u003c/b\u003e\u003c/summary\u003e\n\n- **Age and SOPS** keep secrets encrypted at rest and out of plaintext history\n- **SSH ED25519 signing** plus trust metadata back signed commits and verifiable changes\n- **Gitleaks**, policy checks, and compliance workflows\n- **Workstation attestation** (`dot attest`) records machine state, policy, prompt, and model metadata in tracked JSON\n- **Telemetry controls** and local-first defaults — you own your data\n- **SBOM (CycloneDX)** and Grype CVE scanning in CI\n- **JSON Schema for `.chezmoidata.toml`** — taplo runs the schema in CI on every PR, so typos in feature flags or profile names fail before merge\n- **OIDC Trusted Publishing** — npm releases authenticate via OIDC, not a long-lived `NPM_TOKEN`. Provenance is attached to every published tarball\n\n\u003c/details\u003e\n\nFor security hardening options, see the [Security docs](docs/security/SECURITY.md).\n\n---\n\n## Comparison\n\n| | This repo | chezmoi | holman/dotfiles | nikitabobko/dotfiles |\n|:---|:---:|:---:|:---:|:---:|\n| Cross-platform (macOS/Linux/WSL) | ✓ | ✓ | macOS-leaning | macOS only |\n| Multi-shell parity (zsh/fish/nu/pwsh) | ✓ | — | bash only | zsh only |\n| Wallpaper-driven themes (K-Means) | ✓ | — | — | — |\n| AI / MCP integration | ✓ | — | — | — |\n| Cryptographic attestation | ✓ | — | — | — |\n| Self-healing CLI | ✓ | — | — | — |\n| Fleet management | ✓ | — | — | — |\n| Encrypted secrets (Age/SOPS) | ✓ | ✓ | — | — |\n| Build artifact redirection | ✓ | — | — | — |\n| Schema-validated config | ✓ | — | — | — |\n\n`chezmoi` is the underlying templating engine. This repo is the opinionated reference implementation.\n\n---\n\n**THE ARCHITECT** ᛫ [Sebastien Rousseau](https://sebastienrousseau.com)\n**THE ENGINE** ᛞ [EUXIS](https://euxis.co) ᛫ Enterprise Unified Execution Intelligence System\n\n---\n\n## License\n\nLicensed under the **MIT License**. See [LICENSE](LICENSE) for details.\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#dotfiles\"\u003eBack to Top\u003c/a\u003e\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsebastienrousseau%2Fdotfiles","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsebastienrousseau%2Fdotfiles","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsebastienrousseau%2Fdotfiles/lists"}