Personal macOS dotfiles, deployed via GNU Stow.
git clone [email protected]:jthodge/tilde.git ~/tilde
cd ~/tilde
brew bundle install
stow -d . -t "$HOME" $(cat .stow-packages)Each entry in .stow-packages mirrors a slice of $HOME; the
file is the canonical list and the bootstrap above feeds it to
stow verbatim. The scripts/ directory is intentionally not
stowed — its contents are invoked in place.
GitHub treats SSH keys in two independent categories on your account:
Authentication keys (used for git push / git fetch over SSH) and
Signing keys (used to verify commit signatures). A key registered
under one does not count for the other.
Register ~/.ssh/id_ed25519.pub under both so that:
git pushover SSH works (authentication).- Commits signed locally via
op-ssh-signrender a green Verified badge on github.com (signing).
Same public key bytes; two separate entries.
At https://github.com/settings/keys, for each category:
- Click New SSH key.
- Title:
id_ed25519 (authentication)orid_ed25519 (signing). - Key type: select Authentication Key or Signing Key to match.
- Key: paste the contents of
~/.ssh/id_ed25519.pub. - Save. Repeat for the other category.
gh auth refresh -h github.com -s admin:public_key,admin:ssh_signing_key
gh ssh-key add ~/.ssh/id_ed25519.pub --type authentication --title "id_ed25519 (authentication)"
gh ssh-key add ~/.ssh/id_ed25519.pub --type signing --title "id_ed25519 (signing)"The allowlists are independent so that a read-only deploy key (auth only, often on shared infrastructure) cannot be misused to forge "verified" commits in your account, and a hardware-token-bound signing key never doubles as an inbound auth vector.
Pi is the polyglot agent harness installed alongside Claude Code. Managed via Volta for parity with the rest of the JS toolchain:
volta install @earendil-works/pi-coding-agentVolta records the pinned version in its toolchain (visible via
volta list). Pi 0.75+ requires Node ≥ 22.19.0; on older Node, Volta
will resolve to the latest compatible 0.74.x. Update Node via
volta install [email protected] to unlock newer Pi releases.
Authenticate via OAuth subscriptions rather than API keys:
pi
# inside the TUI:
/login # pick "Claude Pro/Max", complete browser OAuth
/login # pick "ChatGPT Plus/Pro (Codex Subscription)", complete browser OAuthTokens land at ~/.pi/agent/auth.json (runtime state, not tracked).
Billing note: third-party harnesses like Pi do not consume Claude Pro/Max plan limits. Usage is billed per token as "extra usage" — enable at https://claude.ai/settings/usage before invoking Anthropic models from Pi.
The git package ships a staged-secret pre-commit hook at
git/.config/git/hooks/pre-commit. After stow git, ~/.gitconfig
points core.hooksPath at ~/.config/git/hooks, making the scanner
active for every commit on this host. Bypass requires the explicit
git commit --no-verify escape after manual review.