sync: auto-sync from GURU-KALI at 2026-05-26 18:47:58
Author: Mike Swanson Machine: GURU-KALI Timestamp: 2026-05-26 18:47:58
This commit is contained in:
@@ -43,6 +43,31 @@ purge_garbled_paths() {
|
||||
return 0
|
||||
}
|
||||
|
||||
# --- Attribution: force commit authorship to match identity.json -------------
|
||||
# Commit author is the per-person source of truth and must NEVER ride on stale
|
||||
# local `git config`. If config disagrees with identity.json, correct the LOCAL
|
||||
# repo config (not --global) so this machine's commits are always attributed to
|
||||
# the human who actually owns this identity. Call once per repo (claudetools,
|
||||
# then vault) before any commit happens.
|
||||
reconcile_git_identity() {
|
||||
local want_name="$1" want_email="$2" cur
|
||||
if [ -n "$want_name" ]; then
|
||||
cur=$(git config user.name 2>/dev/null || true)
|
||||
if [ "$cur" != "$want_name" ]; then
|
||||
echo -e "${YELLOW}[WARNING]${NC} git user.name '${cur}' -> '${want_name}' (corrected to match identity.json)"
|
||||
git config user.name "$want_name"
|
||||
fi
|
||||
fi
|
||||
if [ -n "$want_email" ]; then
|
||||
cur=$(git config user.email 2>/dev/null || true)
|
||||
if [ "$cur" != "$want_email" ]; then
|
||||
echo -e "${YELLOW}[WARNING]${NC} git user.email '${cur}' -> '${want_email}' (corrected to match identity.json)"
|
||||
git config user.email "$want_email"
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
# Machine + timestamp
|
||||
if [ -n "$COMPUTERNAME" ]; then
|
||||
MACHINE="$COMPUTERNAME"
|
||||
@@ -109,12 +134,36 @@ fi
|
||||
# Load user identity
|
||||
USER_DISPLAY="unknown"
|
||||
USER_GITEA=""
|
||||
USER_EMAIL=""
|
||||
if [ -f ".claude/identity.json" ]; then
|
||||
USER_DISPLAY=$($PYTHON -c "import json,sys; d=json.load(open('.claude/identity.json')); print(d.get('full_name', d.get('user','unknown')))" 2>/dev/null || echo "unknown")
|
||||
USER_GITEA=$($PYTHON -c "import json,sys; d=json.load(open('.claude/identity.json')); print(d.get('user',''))" 2>/dev/null || echo "")
|
||||
USER_EMAIL=$($PYTHON -c "import json,sys; d=json.load(open('.claude/identity.json')); print(d.get('email',''))" 2>/dev/null || echo "")
|
||||
fi
|
||||
echo -e "${GREEN}[OK]${NC} Syncing as: $USER_DISPLAY (machine: $MACHINE)"
|
||||
|
||||
# Force this repo's commit authorship to match identity.json before any commit.
|
||||
# Skip if identity.json was unreadable (USER_DISPLAY left at the "unknown"
|
||||
# sentinel) — overwriting correct config with "unknown" would be worse than
|
||||
# leaving it alone, and is the exact mis-attribution this guard prevents.
|
||||
if [ "$USER_DISPLAY" != "unknown" ]; then
|
||||
reconcile_git_identity "$USER_DISPLAY" "$USER_EMAIL"
|
||||
else
|
||||
echo -e "${YELLOW}[WARNING]${NC} identity.json present but unreadable — leaving existing git config untouched (not reconciling)."
|
||||
fi
|
||||
|
||||
# Warn (don't block) if identity.json's machine field disagrees with the real
|
||||
# hostname — the classic "stale identity.json copied to a new box" failure that
|
||||
# stamps logs/commits with the wrong machine. Compare case-insensitively and
|
||||
# ignore a trailing ".local" (macOS).
|
||||
if [ -f ".claude/identity.json" ]; then
|
||||
ID_MACHINE=$($PYTHON -c "import json; print(json.load(open('.claude/identity.json')).get('machine',''))" 2>/dev/null || echo "")
|
||||
norm() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.local$//'; }
|
||||
if [ -n "$ID_MACHINE" ] && [ "$(norm "$ID_MACHINE")" != "$(norm "$MACHINE")" ]; then
|
||||
echo -e "${YELLOW}[WARNING]${NC} identity.json machine '${ID_MACHINE}' != hostname '${MACHINE}' — identity.json may be stale on this box. Fix it before attributing work."
|
||||
fi
|
||||
fi
|
||||
|
||||
# Phase 1a: Update submodules to latest remote
|
||||
# `git submodule foreach` only visits *initialized* submodules, so a fresh clone
|
||||
# would silently skip population and the old "[OK] updated" message lied. We now
|
||||
@@ -385,6 +434,12 @@ else
|
||||
cd "$VAULT_PATH"
|
||||
echo -e "${GREEN}[OK]${NC} Vault: $VAULT_PATH"
|
||||
|
||||
# Same attribution guard for the vault repo (it has its own git config).
|
||||
# Same "unknown" skip as the main repo — the main-repo warning already fired.
|
||||
if [ "$USER_DISPLAY" != "unknown" ]; then
|
||||
reconcile_git_identity "$USER_DISPLAY" "$USER_EMAIL"
|
||||
fi
|
||||
|
||||
# Commit any local vault changes (porcelain catches untracked-only too)
|
||||
if [ -n "$(git status --porcelain)" ]; then
|
||||
echo -e "${YELLOW}[INFO]${NC} Local vault changes detected — committing..."
|
||||
|
||||
66
.claude/scripts/whoami-block.sh
Executable file
66
.claude/scripts/whoami-block.sh
Executable file
@@ -0,0 +1,66 @@
|
||||
#!/bin/bash
|
||||
# Emit the canonical session-log "## User" attribution block.
|
||||
#
|
||||
# ATTRIBUTION IS NEVER INFERRED. The only sources of truth are:
|
||||
# .claude/identity.json (per-machine, gitignored — who sits at this keyboard)
|
||||
# .claude/users.json (role lookup by user key)
|
||||
# Do NOT derive the user from the hostname, the `# userEmail` context hint, or
|
||||
# from memory. /save calls this script and pastes its output verbatim as the
|
||||
# session log's first section, so every log is stamped identically and correctly.
|
||||
set -e
|
||||
|
||||
REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
|
||||
ID="$REPO_ROOT/.claude/identity.json"
|
||||
USERS="$REPO_ROOT/.claude/users.json"
|
||||
|
||||
if [ ! -f "$ID" ]; then
|
||||
echo "## User"
|
||||
echo "- **User:** UNKNOWN — no .claude/identity.json on this machine."
|
||||
echo "- **Action:** run the first-machine onboarding flow in CLAUDE.md before saving."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
PYTHON=""
|
||||
for c in py python3 python; do
|
||||
if command -v "$c" >/dev/null 2>&1 && "$c" -c "import sys" >/dev/null 2>&1; then PYTHON="$c"; break; fi
|
||||
done
|
||||
if [ -z "$PYTHON" ]; then
|
||||
echo "## User"
|
||||
echo "- **User:** (could not render — no Python interpreter found)"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
"$PYTHON" - "$ID" "$USERS" <<'PYEOF'
|
||||
import json, sys, socket, re
|
||||
idp, usersp = sys.argv[1], sys.argv[2]
|
||||
try:
|
||||
d = json.load(open(idp))
|
||||
except Exception as e:
|
||||
print("## User")
|
||||
print(f"- **User:** UNREADABLE — .claude/identity.json failed to parse ({e}).")
|
||||
print("- **Action:** repair identity.json before saving; do not infer the user.")
|
||||
sys.exit(0)
|
||||
full = d.get("full_name") or d.get("user", "unknown")
|
||||
user = d.get("user", "unknown")
|
||||
machine = d.get("machine", "unknown")
|
||||
role = d.get("role", "")
|
||||
|
||||
if not role:
|
||||
try:
|
||||
role = json.load(open(usersp))["users"].get(user, {}).get("role", "")
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
def norm(x): return re.sub(r'\.local$', '', (x or '').lower())
|
||||
host = socket.gethostname()
|
||||
stale = machine and host and norm(machine) != norm(host)
|
||||
|
||||
print("## User")
|
||||
print(f"- **User:** {full} ({user})")
|
||||
print(f"- **Machine:** {machine}")
|
||||
if role:
|
||||
print(f"- **Role:** {role}")
|
||||
if stale:
|
||||
print(f"- **[WARNING]** identity.json machine '{machine}' != hostname '{host}'. "
|
||||
f"identity.json may be stale on this box — verify before trusting this attribution.")
|
||||
PYEOF
|
||||
Reference in New Issue
Block a user