Remove pointless exports from ssh/rc, add process-model comment

ssh/rc runs as a sshd child process so exports never reach the user's shell. SSH_REMOTE_AUTH_SOCK was set and exported but never used (a leftover from a prior failed fix attempt). SSH_AUTH_SOCK was reassigned to the symlink path and exported, also to no effect. Remove both. https://claude.ai/code/session_01RhXaFzxJA5D2BcGcz18ipA
Fix shenv clobbering forwarded SSH socket with local agent in tmux
2026-05-25 21:19:09 -07:00 · 2026-04-19 02:19:05 +00:00 · 2026-04-19 01:47:36 +00:00 · 2026-04-19 01:43:12 +00:00
36 changed files with 68 additions and 645 deletions
--- a/25
+++ b/25
@@ -1,5 +1,4 @@
 tap "dart-lang/dart"
 tap "holtwick/tap"
 tap "sass/sass"
 brew "ack"
@@ -9,11 +8,11 @@ brew "autoconf"
 brew "automake"
 brew "b2-tools"
 brew "bat"
 brew "bazelisk"
 brew "binwalk"
 brew "cask"
 brew "ccache"
 brew "certbot"
 brew "cloudflared"
 brew "cmake"
 brew "colima"
 brew "devcontainer"
@@ -21,11 +20,8 @@ brew "dfu-util"
 brew "difftastic"
 brew "direnv"
 brew "duck"
 brew "dust"
 brew "earthly"
 brew "esptool"
 brew "fish"
 brew "fq"
 brew "gh"
 brew "ghidra", link: false
 brew "git"
@@ -35,18 +31,14 @@ brew "gnupg"
 brew "go"
 brew "gradle"
 brew "hf"
 brew "holtwick/tap/bx"
 brew "htop"
 brew "httpie"
 brew "huggingface-cli"
 brew "hugo"
 brew "imagemagick"
 brew "john-jumbo"
 brew "jq"
 brew "kubeconform"
 brew "kubectx"
 brew "librsvg"
 brew "lima"
 brew "minikube"
 brew "mise"
 brew "mosh"
 brew "neovim"
@@ -60,7 +52,6 @@ brew "pkgconf"
 brew "protobuf"
 brew "pwgen"
 brew "pwntools"
 brew "python@3.13"
 brew "qemu"
 brew "restic"
 brew "ripgrep"
@@ -102,7 +93,6 @@ cask "rectangle"
 cask "scroll-reverser"
 cask "temurin"
 cask "veracrypt"
 cask "wezterm"
 cask "zulu@17"
 def is_corp?
@@ -110,22 +100,13 @@ def is_corp?
  `profiles status -type enrollment 2>/dev/null`.include?("Enrolled via DEP: Yes")
 end
 if is_corp?
  brew "bazelisk", link: false
 end
 # non-corp
 if !is_corp?
-  brew "bazelisk"
+  brew "bazel"
  brew "openssh"
  brew "virt-manager"
  cask "claude-code"
  cask "cryptomator"
  cask "keepassxc"
  cask "gcloud-cli"
  cask "google-cloud-sdk"
  cask "keybase"
  cask "orbstack"
  cask "jordanbaird-ice"
 end
--- a/bin/linux/autostart.py
+++ b/bin/linux/autostart.py
--- a/bin/linux/backup.sh
+++ b/bin/linux/backup.sh
--- a/bin/linux/checksec.sh
+++ b/bin/linux/checksec.sh
--- a/bin/disk-benchmark
+++ b/bin/disk-benchmark
@@ -12,17 +12,8 @@ fi
 trap "test -f ${FILENAME} && rm -f ${FILENAME}" EXIT
 IOENGINE="libaio"
 DIRECT=1
 if [ "$(uname)" = "Darwin" ]; then
  IOENGINE="posixaio"
  # macOS doesn't support O_DIRECT in the same way, but fio's direct=1 
  # handles it via F_NOCACHE if supported.
  DIRECT=1
 fi
 fio --loops=5 --size=${BENCHMARK_SIZE} --filename=${FILENAME} \
-  --stonewall --ioengine=${IOENGINE} --direct=${DIRECT} \
+  --stonewall --ioengine=libaio --direct=1 \
  --name=Seqread --bs=1m --rw=read \
  --name=Seqwrite --bs=1m --rw=write \
  --name=512Kread --bs=512k --rw=randread \
--- a/bin/google-chrome-burp
+++ b/bin/google-chrome-burp
@@ -1,10 +1,6 @@
 #!/bin/bash
 CHROME_BINS="google-chrome-beta google-chrome"
 if [ "$(uname)" = "Darwin" ]; then
  CHROME_BINS="${CHROME_BINS} /Applications/Google\ Chrome\ Beta.app/Contents/MacOS/Google\ Chrome\ Beta /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome"
 fi
 for bin in ${CHROME_BINS} ; do
  if command -v ${bin} >/dev/null 2>&1 ; then
    CHROME=$(command -v ${bin})
@@ -22,4 +18,4 @@ export HOME=${HOME}/.chrome-pentest
 mkdir -p ${HOME}
 # Launch chrome for burp
-exec "${CHROME}" --user-data-dir=${HOME}/chrome-pentest --proxy-server=127.0.0.1:8080
+exec ${CHROME} --user-data-dir=${HOME}/chrome-pentest --proxy-server=127.0.0.1:8080
--- a/bin/linux/i3lock.sh
+++ b/bin/linux/i3lock.sh
--- a/bin/macos/update_brewfile
+++ b/bin/macos/update_brewfile
@@ -251,13 +251,7 @@ def main(args):
            if last_type and e.pkg_type != last_type:
                output_lines.append("")
            last_type = e.pkg_type
-
+        output_lines.extend(e.to_lines())
        lines = e.to_lines()
        # If we just added a blank line, and the new lines start with one, skip the first new line
        if output_lines and output_lines[-1] == "" and lines and lines[0] == "":
            output_lines.extend(lines[1:])
        else:
            output_lines.extend(lines)
    new_content = "\n".join(output_lines)
    if footer:
--- a/bin/linux/nvidia_hold.sh
+++ b/bin/linux/nvidia_hold.sh
--- a/bin/linux/pactl_helper
+++ b/bin/linux/pactl_helper
--- a/bin/linux/qdisc_span.sh
+++ b/bin/linux/qdisc_span.sh
--- a/bin/quartz
+++ b/bin/quartz
@@ -1,63 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 # QUARTZ_DIR search logic
 if [ -z "${QUARTZ_DIR:-}" ]; then
    if [ -f "quartz.config.ts" ]; then
        QUARTZ_DIR="$PWD"
    elif [ -d "$HOME/Personal/notes-quartz" ]; then
        QUARTZ_DIR="$HOME/Personal/notes-quartz"
    elif [ -d "$HOME/Projects/notes-quartz" ]; then
        QUARTZ_DIR="$HOME/Projects/notes-quartz"
    else
        echo "Error: QUARTZ_DIR could not be found." >&2
        exit 1
    fi
 fi
 if [ ! -d "$QUARTZ_DIR" ]; then
    echo "Error: QUARTZ_DIR '$QUARTZ_DIR' is not a directory." >&2
    exit 1
 fi
 # NOTES_DIR search logic
 PARSE_NOTES_DIR=""
 # Use a copy of args to find -d/--directory
 ARGS=("$@")
 for ((i=0; i<${#ARGS[@]}; i++)); do
    if [[ "${ARGS[i]}" == "-d" || "${ARGS[i]}" == "--directory" ]]; then
        if [[ $((i+1)) -lt ${#ARGS[@]} ]]; then
            PARSE_NOTES_DIR="${ARGS[i+1]}"
        fi
        break
    fi
 done
 if [ -n "$PARSE_NOTES_DIR" ]; then
    NOTES_DIR="$PARSE_NOTES_DIR"
 elif [ -z "${NOTES_DIR:-}" ]; then
    if [ -d "$HOME/Notes" ]; then
        NOTES_DIR="$HOME/Notes"
    elif [ -d "$HOME/Personal/notes" ]; then
        NOTES_DIR="$HOME/Personal/notes"
    elif [ -d "$HOME/Projects/notes" ]; then
        NOTES_DIR="$HOME/Projects/notes"
    else
        echo "Error: NOTES_DIR could not be found." >&2
        exit 1
    fi
 fi
 if [ ! -d "$NOTES_DIR" ]; then
    echo "Error: NOTES_DIR '$NOTES_DIR' is not a directory." >&2
    exit 1
 fi
 cd "$QUARTZ_DIR"
 # Run npx quartz
 # Following the prompt's structure but using NOTES_DIR for the flag
 # npx quartz ${argv[1]} --directory ${NOTES_DIR} "$@"
 # We use ${1:-} for argv[1] to handle cases with no arguments.
 npx quartz "${1:-}" --directory "$NOTES_DIR" "$@"
--- a/bin/linux/remove-wine-associations
+++ b/bin/linux/remove-wine-associations
--- a/bin/screenshot.sh
+++ b/bin/screenshot.sh
@@ -5,14 +5,8 @@
 set -ue
 TOOLS="flameshot scrot"
 if [ "$(uname)" = "Darwin" ]; then
  TOOLS="screencapture ${TOOLS}"
 fi
 SCREENDIR=${SCREENDIR:-${HOME}/Pictures/Screenshots}
 SCROT_FORMAT="%F-%T.png"
 # Filename for screencapture
 FILE_NAME=$(date "+%Y-%m-%d-%H%M%S.png")
 function default_screenshot_command {
  for tool in ${TOOLS} ; do
@@ -47,29 +41,10 @@ function scrot_full_capture {
  scrot "${SCREENDIR}/${SCROT_FORMAT}"
 }
 function mac_capture {
  local mode="${1}"
  local target="${SCREENDIR}/${FILE_NAME}"
  case "${mode}" in
    region)
      screencapture -i "${target}"
      ;;
    window)
      screencapture -i -w "${target}"
      ;;
    full)
      screencapture "${target}"
      ;;
  esac
 }
 case "${CMD}" in
  region|window|full)
    mkdir -p "${SCREENDIR}"
    case "${TOOL}" in
      screencapture)
        mac_capture "${CMD}"
        ;;
      flameshot)
        case "${CMD}" in
          region|window)
--- a/bin/linux/setup/apt_proxy.sh
+++ b/bin/linux/setup/apt_proxy.sh
--- a/bin/linux/setup/i3.sh
+++ b/bin/linux/setup/i3.sh
--- a/bin/linux/setup/spicerandr.sh
+++ b/bin/linux/setup/spicerandr.sh
--- a/bin/linux/smart-copy-paste
+++ b/bin/linux/smart-copy-paste
--- a/bin/linux/switch_virt.sh
+++ b/bin/linux/switch_virt.sh
--- a/bin/update-authorized-keys
+++ b/bin/update-authorized-keys
@@ -1,310 +0,0 @@
 #!/usr/bin/env bash
 # update-authorized-keys - Manage ~/.ssh/authorized_keys from multiple sources
 #
 # BEHAVIOR:
 # 1. Collects SSH public keys from one or more source directories (default: ~/.ssh/authorized_keys.d).
 # 2. Skips empty files and files symlinked to /dev/null (masking).
 # 3. Deterministically concatenates keys into a "managed block" wrapped in markers:
 #    # BEGIN UPDATE-AUTHORIZED-KEYS
 #    # END UPDATE-AUTHORIZED-KEYS
 # 4. Deduplicates managed keys: if the same key (including options) is found in multiple files,
 #    it is included once with a comment listing all source filenames.
 # 5. Preserves "manual" keys found in the target file outside the markers.
 # 6. Removes manual keys that exactly match a managed key (options + key data).
 # 7. Validates every proposed key individually using 'ssh-keygen -l -f'.
 # 8. Optionally validates the whole file with 'authorized-keys-test' if available.
 # 9. Displays a unified diff and prompts for confirmation before atomic replacement.
 # 10. Supports a --dry-run mode and a --self-test mode for verifying logic.
 set -o nounset
 set -o errexit
 set -o pipefail
 CLEANUP_FILES=()
 cleanup() {
    rm -rf "${CLEANUP_FILES[@]}"
 }
 trap cleanup EXIT
 # Configuration
 DEFAULT_DIR="${HOME}/.ssh/authorized_keys.d"
 DEFAULT_TARGET="${HOME}/.ssh/authorized_keys"
 BEGIN_MARKER="# BEGIN UPDATE-AUTHORIZED-KEYS"
 END_MARKER="# END UPDATE-AUTHORIZED-KEYS"
 # State
 SOURCE_DIRS=()
 TARGET_FILE="${DEFAULT_TARGET}"
 DRY_RUN=0
 usage() {
    cat <<EOF
 Usage: $(basename "$0") [options]
 Options:
  --dir DIR         Primary directory for managed keys (default: ${DEFAULT_DIR})
  --extra-dir DIR   Additional directory to scan for keys (can be repeated)
  --target FILE     Target authorized_keys file (default: ${DEFAULT_TARGET})
  --dry-run         Show changes and validate without modifying the target
  --self-test       Run internal suite of tests to verify script logic
  --help            Show this help message
 EOF
 }
 run_self_test() {
    echo "Running self-test..."
    local test_root=$(mktemp -d)
    CLEANUP_FILES+=("${test_root}")
    local d1="${test_root}/d1"
    local d2="${test_root}/d2"
    local target="${test_root}/target"
    mkdir -p "${d1}" "${d2}"
    local key1="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8XoR7N7X5XoR7N7X5XoR7N7X5XoR7N7X5XoR7N7X5X key1"
    local key2="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL9YpS8O8Y6YpS8O8Y6YpS8O8Y6YpS8O8Y6YpS8O8Y6Y key2"
    local key_man="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM0ZqT9P9Z7ZqT9P9Z7ZqT9P9Z7ZqT9P9Z7ZqT9P9Z7Z manual"
    local long_opt="environment=\"VAR=VERY_LONG_VALUE_THAT_EXCEEDS_TWENTY_CHARS\""
    echo "${key1}" > "${d1}/k1"
    echo "${key1}" > "${d2}/k1_dup"
    echo "${key2}" > "${d2}/k2"
    echo "${long_opt} ${key1}" > "${d1}/k1_long"
    echo "${long_opt} ${key2}" > "${d1}/k2_long"
    ln -s /dev/null "${d1}/masked"
    cat <<EOF > "${target}"
 ${key_man}
 ${key1} # This should be removed as it's now managed
 EOF
    echo "Executing script in test mode..."
    # Pipe "y" to handle the TTY check if we are not in a TTY during test
    echo "y" | "$0" --dir "${d1}" --extra-dir "${d2}" --target "${target}" > /dev/null
    local content=$(cat "${target}")
    echo -n "Check markers... "
    if [[ "${content}" == *"${BEGIN_MARKER}"* && "${content}" == *"${END_MARKER}"* ]]; then echo "OK"; else echo "FAIL"; exit 1; fi
    echo -n "Check managed deduplication... "
    if grep -q "Source: k1, k1_dup" "${target}"; then echo "OK"; else echo "FAIL"; exit 1; fi
    echo -n "Check long option deduplication (should NOT deduplicate different keys)... "
    if grep -q "k1_long" "${target}" && grep -q "k2_long" "${target}"; then echo "OK"; else echo "FAIL"; exit 1; fi
    echo -n "Check manual key preservation... "
    if grep -q "manual" "${target}"; then echo "OK"; else echo "FAIL"; exit 1; fi
    echo -n "Check manual key filtering... "
    local manual_count=$(grep -c "${key1}" "${target}")
    # key1 appears twice in managed block (once plain, once with long opt) 
    # and it was in manual block. The manual one should be removed.
    # So we expect 2 occurrences in the final file (both in managed block).
    if [[ ${manual_count} -eq 2 ]]; then echo "OK"; else echo "FAIL (Found ${manual_count} occurrences, expected 2)"; exit 1; fi
    echo -n "Check masking... "
    if ! grep -q "masked" "${target}"; then echo "OK"; else echo "FAIL"; exit 1; fi
    echo "Self-test passed successfully!"
    exit 0
 }
 # Parse arguments
 while [[ $# -gt 0 ]]; do
    case "$1" in
        --dir) 
            [[ -z "${2:-}" ]] && { echo "Error: --dir requires an argument" >&2; exit 1; }
            SOURCE_DIRS+=("$2"); shift 2 ;;
        --extra-dir) 
            [[ -z "${2:-}" ]] && { echo "Error: --extra-dir requires an argument" >&2; exit 1; }
            SOURCE_DIRS+=("$2"); shift 2 ;;
        --target) 
            [[ -z "${2:-}" ]] && { echo "Error: --target requires an argument" >&2; exit 1; }
            TARGET_FILE="$2"; shift 2 ;;
        --dry-run) DRY_RUN=1; shift ;;
        --self-test) run_self_test ;;
        --help) usage; exit 0 ;;
        *) echo "Unknown option: $1" >&2; usage; exit 1 ;;
    esac
 done
 if [[ ${#SOURCE_DIRS[@]} -eq 0 ]]; then
    SOURCE_DIRS+=("${DEFAULT_DIR}")
 fi
 mkdir -p "$(dirname "${TARGET_FILE}")"
 TMP_FILE=$(mktemp)
 CLEANUP_FILES+=("${TMP_FILE}")
 collect_keys() {
    local dirs=("${@}")
    for dir in "${dirs[@]}"; do
        if [[ ! -d "${dir}" ]]; then continue; fi
        # Use a glob to avoid parsing ls
        for file in "${dir}"/*; do
            [[ ! -e "${file}" ]] && continue
            [[ ! -f "${file}" || ! -s "${file}" ]] && continue
            if [[ -L "${file}" && "$(readlink "${file}")" == "/dev/null" ]]; then continue; fi
            while read -r line; do
                [[ -z "${line}" || "${line}" =~ ^[[:space:]]*# ]] && continue
                # Use a specific delimiter that is unlikely to be in the key or filename
                # If using tabs, ensure we only split on the first one in AWK
                printf "%s\t%s\n" "$(basename "${file}")" "${line}"
            done < "${file}"
        done
    done
 }
 # Use a HEREDOC for the complex AWK script to avoid shell interpolation issues
 MANAGED_BLOCK=$(collect_keys "${SOURCE_DIRS[@]}" | awk -F'\t' '
 {
    # Splitting on the first tab manually to be robust
    tab_idx = index($0, "\t")
    source = substr($0, 1, tab_idx - 1)
    full_line = substr($0, tab_idx + 1)
    # Signature detection: all options + key type + key data
    # (Excludes the comment at the end)
    n = split(full_line, parts, " ")
    sig = ""
    for (i=1; i<=n; i++) {
        sig = (sig == "" ? parts[i] : sig " " parts[i])
        # A key line is [options] <type> <base64> [comment]
        # We stop after the base64 part. Key types start with known prefixes.
        if (parts[i] ~ /^(ssh-|ecdsa-|sk-)/ && i < n) {
            sig = sig " " parts[i+1]
            break
        }
    }
    # Fallback if no key type found (should not happen with valid keys)
    if (sig == "") sig = full_line
    if (!(sig in keys)) {
        keys[sig] = full_line
        order[++count] = sig
    }
    sources[sig] = (sources[sig] ? sources[sig] ", " : "") source
 }
 END {
    for (i=1; i<=count; i++) {
        sig = order[i]
        print "# Source: " sources[sig]
        print keys[sig]
    }
 }')
 MANUAL_KEYS=""
 if [[ -f "${TARGET_FILE}" ]]; then
    MANUAL_KEYS=$(awk -v begin="${BEGIN_MARKER}" -v end="${END_MARKER}" '
    BEGIN { inside=0 }
    $0 == begin { inside=1; next }
    $0 == end { inside=0; next }
    !inside { print $0 }
    ' "${TARGET_FILE}")
 fi
 MANAGED_SIGS_TMP=$(mktemp)
 echo "${MANAGED_BLOCK}" | awk '/^[^#]/ {
    n = split($0, parts, " ")
    sig = ""
    for (i=1; i<=n; i++) {
        sig = (sig == "" ? parts[i] : sig " " parts[i])
        if (parts[i] ~ /^(ssh-|ecdsa-|sk-)/ && i < n) {
            sig = sig " " parts[i+1]
            break
        }
    }
    if (sig != "") print sig
 }' > "${MANAGED_SIGS_TMP}"
 FINAL_MANUAL_KEYS=$(echo "${MANUAL_KEYS}" | awk -v sigs_file="${MANAGED_SIGS_TMP}" '
 BEGIN {
    while ((getline line < sigs_file) > 0) {
        managed[line] = 1
    }
    close(sigs_file)
 }
 {
    if ($0 ~ /^[[:space:]]*$/ || $0 ~ /^[[:space:]]*#/) {
        print $0
        next
    }
    n = split($0, parts, " ")
    sig = ""
    for (i=1; i<=n; i++) {
        sig = (sig == "" ? parts[i] : sig " " parts[i])
        if (parts[i] ~ /^(ssh-|ecdsa-|sk-)/ && i < n) {
            sig = sig " " parts[i+1]
            break
        }
    }
    if (!(sig in managed)) {
        print $0
    }
 }')
 rm -f "${MANAGED_SIGS_TMP}"
 {
    if [[ -n "${MANAGED_BLOCK}" ]]; then
        echo "${BEGIN_MARKER}"
        echo "${MANAGED_BLOCK}"
        echo "${END_MARKER}"
    fi
    echo "${FINAL_MANUAL_KEYS}"
 } > "${TMP_FILE}"
 echo "Validating proposed changes..."
 VALID=1
 while read -r line; do
    [[ -z "${line}" || "${line}" =~ ^[[:space:]]*# ]] && continue
    if ! echo "${line}" | ssh-keygen -l -f - >/dev/null 2>&1; then
        echo "ERROR: Invalid SSH key detected: ${line}" >&2
        VALID=0
    fi
 done < "${TMP_FILE}"
 if command -v authorized-keys-test >/dev/null 2>&1; then
    if ! authorized-keys-test "${TMP_FILE}"; then
        echo "ERROR: Proposed file failed authorized-keys-test." >&2
        VALID=0
    fi
 fi
 if [[ ${VALID} -eq 0 ]]; then
    echo "Validation failed. Aborting." >&2
    exit 1
 fi
 if [[ -f "${TARGET_FILE}" ]]; then
    diff -u "${TARGET_FILE}" "${TMP_FILE}" || true
 else
    echo "Target file does not exist. Proposed content:"
    cat "${TMP_FILE}"
 fi
 if [[ ${DRY_RUN} -eq 1 ]]; then
    echo "Dry run complete. No changes made."
    exit 0
 fi
 if [[ -t 0 ]]; then
    echo -n "Apply these changes to ${TARGET_FILE}? [y/N] "
    read -r response
 elif [[ ! -t 0 ]]; then
    # Read from pipe or file if provided
    if ! read -r response; then
        echo "Non-interactive shell detected and no input provided. Aborting."
        exit 1
    fi
 fi
 if [[ "${response}" =~ ^([yY][eE][sS]|[yY])$ ]]; then
    chmod 0600 "${TMP_FILE}"
    mv "${TMP_FILE}" "${TARGET_FILE}"
    echo "Changes applied successfully."
 else
    echo "Aborted."
    exit 1
 fi
--- a/dotfiles/aliases
+++ b/dotfiles/aliases
@@ -1,6 +1,9 @@
 # General aliases, should only be sourced in interactive shells
 # Try to keep in sync with ~/.config/fish/conf.d/aliases.fish
 # Cryptsetup alias
 alias luksFormat='cryptsetup luksFormat --type=luks2 --pbkdf-memory=2560000 --pbkdf=argon2id -i 15000 -s 512 -h sha256 -c aes-xts-plain64'
 # Timestamp in a machine-sortable form
 alias tstamp="date '+%Y%m%d-%H%M%S'"
@@ -10,6 +13,12 @@ alias mdcode="sed 's/^/    /'"
 # Intel format plz
 alias objdump="command objdump -M intel"
 # Drop caches for swap issues
 alias drop_caches="echo 3 | sudo /usr/bin/tee /proc/sys/vm/drop_caches"
 # dump acpi temperature
 alias gettemp='printf "%02.2f\n" "$(cat /sys/class/thermal/thermal_zone0/temp)e-3"'
 # get git working directory
 alias gitroot="git rev-parse --show-toplevel"
@@ -22,37 +31,20 @@ alias ipy="ipython3 --no-banner"
 # Skip the header on bc
 alias bc="command bc -q"
 # Clear the GPG agent
 alias clear-gpg-agent="echo RELOADAGENT | gpg-connect-agent"
 # Earthly ssh
 alias earthly='earthly --ssh-auth-sock ""'
 if [ "$(uname)" = "Linux" ]; then
  # Cryptsetup alias
  alias luksFormat='cryptsetup luksFormat --type=luks2 --pbkdf-memory=2560000 --pbkdf=argon2id -i 15000 -s 512 -h sha256 -c aes-xts-plain64'
  # Drop caches for swap issues
  alias drop_caches="echo 3 | sudo /usr/bin/tee /proc/sys/vm/drop_caches"
  # dump acpi temperature
  alias gettemp='printf "%02.2f\n" "$(cat /sys/class/thermal/thermal_zone0/temp)e-3"'
 # Get a decently readable df
 alias dfh="df -h -x tmpfs -x devtmpfs -x squashfs -x fuse -x efivarfs"
 # Clear the GPG agent
 alias clear-gpg-agent="echo RELOADAGENT | gpg-connect-agent"
 # Battery details
 alias bat-details='upower -i $(upower -e | grep battery)'
 # Nvidia refresh rate
 alias nvidia-refresh-rate='nvidia-settings --display=:0 -q RefreshRate -t'
-  # to clipboard
+# Earthly ssh
-  alias toclip='xclip -selection clipboard'
+alias earthly='earthly --ssh-auth-sock ""'
 elif [ "$(uname)" = "Darwin" ]; then
  # Get a decently readable df
  alias dfh="df -h"
 # to clipboard
-  alias toclip='pbcopy'
+alias toclip='xclip -selection clipboard'
 fi
--- a/dotfiles/bxignore
+++ b/dotfiles/bxignore
@@ -1,4 +0,0 @@
 # Credentials
 .ssh
 Passwords.kdbx
 Passwords.kdbx.age
--- a/dotfiles/config/fish/conf.d/aliases.fish
+++ b/dotfiles/config/fish/conf.d/aliases.fish
@@ -1,3 +1,6 @@
 # Cryptsetup alias
 alias luksFormat 'cryptsetup luksFormat --type=luks2 --pbkdf-memory=2560000 --pbkdf=argon2id -i 15000 -s 512 -h sha256 -c aes-xts-plain64'
 # Timestamp in a machine-sortable form
 alias tstamp "date '+%Y%m%d-%H%M%S'"
@@ -7,6 +10,12 @@ alias mdcode "sed 's/^/    /'"
 # Intel format plz
 alias objdump "command objdump -M intel"
 # Drop caches for swap issues
 alias drop_caches "echo 3 | sudo /usr/bin/tee /proc/sys/vm/drop_caches"
 # dump acpi temperature
 alias gettemp 'printf "%02.2f\n" (cat /sys/class/thermal/thermal_zone0/temp)e-3'
 # get git working directory
 alias gitroot "git rev-parse --show-toplevel"
@@ -19,40 +28,23 @@ alias ipy "ipython3 --no-banner"
 # Skip the header on bc
 alias bc "command bc -q"
 # Clear the GPG agent
 alias clear-gpg-agent "echo RELOADAGENT | gpg-connect-agent"
 # Earthly ssh
 alias earthly 'earthly --ssh-auth-sock ""'
 if test (uname) = "Linux"
  # Cryptsetup alias
  alias luksFormat 'cryptsetup luksFormat --type=luks2 --pbkdf-memory=2560000 --pbkdf=argon2id -i 15000 -s 512 -h sha256 -c aes-xts-plain64'
  # Drop caches for swap issues
  alias drop_caches "echo 3 | sudo /usr/bin/tee /proc/sys/vm/drop_caches"
  # dump acpi temperature
  alias gettemp 'printf "%02.2f\n" (cat /sys/class/thermal/thermal_zone0/temp)e-3'
 # Get a decently readable df
 alias dfh "df -h -x tmpfs -x devtmpfs -x squashfs -x fuse -x efivarfs"
 # Clear the GPG agent
 alias clear-gpg-agent "echo RELOADAGENT | gpg-connect-agent"
 # Battery details
 alias bat-details 'upower -i (upower -e | grep battery)'
 # Nvidia refresh rate
 alias nvidia-refresh-rate 'nvidia-settings --display=:0 -q RefreshRate -t'
-  # to clipboard
+# Earthly ssh
-  alias toclip 'xclip -selection clipboard'
+alias earthly 'earthly --ssh-auth-sock ""'
 else if test (uname) = "Darwin"
  # Get a decently readable df
  alias dfh "df -h"
 # to clipboard
-  alias toclip 'pbcopy'
+alias toclip 'xclip -selection clipboard'
 end
 # On some systems, bat is batcat
 if not command -v bat >/dev/null 2>&1
--- a/dotfiles/config/fish/config.fish
+++ b/dotfiles/config/fish/config.fish
@@ -34,6 +34,4 @@ end
 fish_add_path --move --path {$HOME}/bin
 if test (uname) = "Darwin"
    fish_add_path --move --path {$HOME}/bin/macos
 else if test (uname) = "Linux"
    fish_add_path --move --path {$HOME}/bin/linux
 end
--- a/dotfiles/config/mise/config.toml
+++ b/dotfiles/config/mise/config.toml
@@ -9,8 +9,9 @@ uv_venv_auto = true
 [tools]
 age = "latest"
 age-plugin-yubikey = "latest"
 usage = "latest"
-uv = "0.11.8"
+uv = "latest"
 [hooks]
 postinstall = "mise sync python --uv"
--- a/dotfiles/gitconfig
+++ b/dotfiles/gitconfig
@@ -19,17 +19,14 @@
 [difftool]
  prompt = false
 [difftool "difftastic"]
  cmd = difft "$LOCAL" "$REMOTE"
 [alias]
  st = status
  last = log -1 HEAD
  # Thanks to
  # http://durdn.com/blog/2012/11/22/must-have-git-aliases-advanced-examples/
-  logs = log --pretty=format:"%C(yellow)%h%Cred%d %Creset%s%Cblue [%cn]" --decorate
+  logs = log --pretty=format:"%C(yellow)%h%Cred%d\\ %Creset%s%Cblue\\ [%cn]" --decorate
  lg = log -p
-  ll = log --pretty=format:"%C(yellow)%h%Cred%d %Creset%s%Cblue [%cn]" --decorate --numstat
+  ll = log --pretty=format:"%C(yellow)%h%Cred%d\\ %Creset%s%Cblue\\ [%cn]" --decorate --numstat
  files = ls-files
  ls = ls-files
  lol = log --graph --pretty=format:'%C(yellow)%h%Creset %an: %s - %Creset %C(yellow)%d%Creset %Cblue(%cr)%Creset' --abbrev-commit --date=relative
@@ -95,12 +92,8 @@
  process = git-lfs filter-process
 [include]
  path = ~/.gitconfig.d/aliases
  path = ~/.gitconfig.d/override
  path = ~/.gitconfig.d/local
-[includeIf "gitdir/i:~/personal/"]
+[includeIf "gitdir:~/personal/"]
  path = ~/.gitconfig.d/personal
 [rerere]
  enabled = true
--- a/dotfiles/shenv
+++ b/dotfiles/shenv
@@ -15,7 +15,6 @@ export DEBEMAIL="david@systemoverlord.com"
 export DEBFULLNAME="David Tomaschik"
 export LESS="-MR"
 export QUOTING_STYLE="literal"  # Coreutils quotes
 export HOMEBREW_NO_ENV_HINTS=1
 # Fix gnome-terminal
 if [ "$TERM" = "xterm" ] && [ "$COLORTERM" = "gnome-terminal" ] ; then
@@ -195,8 +194,6 @@ if [ "$(uname)" = "Darwin" ] ; then
  export XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-$TMPDIR/runtime-$(id -u)}"
  export XDG_STATE_HOME="${XDG_STATE_HOME:-$HOME/.local/state}"
  export PATH="${HOME}/bin/macos:${PATH}"
 elif [ "$(uname)" = "Linux" ] ; then
  export PATH="${HOME}/bin/linux:${PATH}"
 fi
 if test -e "$HOME/.localenv"; then
--- a/dotfiles/tmux.conf
+++ b/dotfiles/tmux.conf
@@ -45,7 +45,7 @@ set -g window-status-current-style fg=colour235,bg=colour33,bold
 set -g status-interval 60
 set -g status-left-length 30
 set -g status-left '/#h: #S/ '
-set -g status-right '#{?pane_title,/#{pane_title}/ ,}#(uptime | rev | cut -d":" -f1 | rev | sed s/,//g)#[default] #[fg=colour166]%H:%M#[default]'
+set -g status-right '#{?pane_title,/#{pane_title}/ ,}#(cut -d " " -f 1-3 /proc/loadavg)#[default] #[fg=colour166]%H:%M#[default]'
 # Advanced mouse mode from http://tangledhelix.com/blog/2012/07/16/tmux-and-mouse-mode/
 # Toggle mouse on
@@ -65,9 +65,8 @@ bind M \
    display 'Mouse: OFF'
 # tmux X clipboard integration
-if-shell 'test "$(uname)" = "Darwin"' \
+bind C-c run "tmux show-buffer | xsel -i -b"
-  'bind C-c run "tmux show-buffer | pbcopy"; bind C-v run "tmux set-buffer -- \"$(pbpaste)\"; tmux paste-buffer"' \
+bind C-v run "tmux set-buffer -- \"$(xsel -o -b)\"; tmux paste-buffer"
  'bind C-c run "tmux show-buffer | xsel -i -b"; bind C-v run "tmux set-buffer -- \"$(xsel -o -b)\"; tmux paste-buffer"'
 # List of plugins
 set -g @plugin 'tmux-plugins/tpm'
--- a/dotfiles/zshrc
+++ b/dotfiles/zshrc
@@ -185,9 +185,6 @@ have_command() {
 if test -d ${HOME}/.local/bin ; then
  export PATH="${HOME}/.local/bin:${PATH}"
 fi
 if test -d ${HOME}/.npm-packages/bin ; then
  export PATH="${HOME}/.npm-packages/bin:${PATH}"
 fi
 # Source extras and aliases if interactive
 if [[ $- == *i* ]] ; then
@@ -292,8 +289,6 @@ fi
 PATH="${HOME}/bin:${PATH}"
 if [[ "$(uname)" == "Darwin" ]]; then
  PATH="${HOME}/bin/macos:${PATH}"
 elif [[ "$(uname)" == "Linux" ]]; then
  PATH="${HOME}/bin/linux:${PATH}"
 fi
 # Load any local settings
--- a/dotfiles/zshrc.d/alert.zsh
+++ b/dotfiles/zshrc.d/alert.zsh
@@ -18,15 +18,8 @@ alert() {
    icon="error"
  fi
  if [ "$(uname)" = "Darwin" ]; then
    # macOS notification
    local title="Finished: '$*'"
    local msg="Exit code: $ret"
    osascript -e "display notification \"$msg\" with title \"$title\""
  else
  # Send the notification with the executed command
  notify-send --urgency=low -i "$icon" "Finished: '$@'"
  fi
  # Return the original exit code
  return $ret
--- a/dotfiles/zshrc.d/android.zsh
+++ b/dotfiles/zshrc.d/android.zsh
@@ -1,12 +1,7 @@
 if [ "$(uname)" = "Darwin" ]; then
 ANDROID_HOME=$HOME/Library/Android/sdk
 else
  ANDROID_HOME=$HOME/Android/Sdk
 fi
-if test -d "${ANDROID_HOME}" ; then
+if test -d $ANDROID_HOME ; then
-  export ANDROID_HOME
+  PATH=$PATH:$ANDROID_HOME/emulator:$ANDROID_HOME/platform-tools
  PATH="${PATH}:${ANDROID_HOME}/emulator:${ANDROID_HOME}/platform-tools"
 else
  unset ANDROID_HOME
 fi
--- a/dotfiles/zshrc.d/assemble.zsh
+++ b/dotfiles/zshrc.d/assemble.zsh
@@ -6,11 +6,7 @@ if have_command nasm && have_command objdump ; then
    local TMPF=`mktemp`
    local bytes
    local byte
-    local format="elf"
+    $NASM -f elf -o $TMPF $1
    if [[ "$OSTYPE" == darwin* ]]; then
      format="macho64"
    fi
    $NASM -f $format -o $TMPF $1
    $OBJDUMP -M intel -d $TMPF | grep '^ ' | cut -f2 | while read -A bytes ; do
      for byte in $bytes ; do
        echo -n "\\\\x$byte"
--- a/dotfiles/zshrc.d/functions.zsh
+++ b/dotfiles/zshrc.d/functions.zsh
@@ -1,11 +1,5 @@
 function dumpenv {
  if [ "$(uname)" = "Linux" ]; then
  tr '\0' '\n' < /proc/${1}/environ
  elif [ "$(uname)" = "Darwin" ]; then
    # macOS doesn't have /proc, use ps instead. 
    # Note: this may truncate if environment is very large.
    ps -p ${1} -wwwe -o command= | tr ' ' '\n' | grep '='
  fi
 }
 if test -x "/sbin/starship" ; then
--- a/dotfiles/zshrc.d/lesshighlight.zsh
+++ b/dotfiles/zshrc.d/lesshighlight.zsh
@@ -1,20 +1,8 @@
-# Find src-hilite-lesspipe.sh
+test -f /usr/share/source-highlight/src-hilite-lesspipe.sh && \
 _SRCHILITE=""
 for _p in /usr/share/source-highlight/src-hilite-lesspipe.sh /opt/homebrew/bin/src-hilite-lesspipe.sh /usr/local/bin/src-hilite-lesspipe.sh ; do
  if [ -f "$_p" ] ; then
    _SRCHILITE="$_p"
    break
  fi
 done
 if [ -n "$_SRCHILITE" ] ; then
  function srcless {
    if [ $# -ne 1 ] ; then
-      echo "Usage: srcless <file>" > /dev/stderr
+      echo "$0 <what>" > /dev/stderr
      return 1
    fi
-    "$_SRCHILITE" "$1" | less -R
+    /usr/share/source-highlight/src-hilite-lesspipe.sh $1 | less -R
  }
 fi
 unset _SRCHILITE _p
--- a/dotfiles/zshrc.d/skelify.zsh
+++ b/dotfiles/zshrc.d/skelify.zsh
@@ -3,17 +3,6 @@
 # Skelify -- move a file to my .skel and setup symlinks
 function skelify {
  local -A opts
  zparseopts -D -A opts -overlay:
  local overlay_name="${opts[--overlay]}"
  local base_skel_dir="${HOME}/.skel/dotfiles"
  local extra_args=()
  if [[ -n "${overlay_name}" ]]; then
    base_skel_dir="${HOME}/.skel/dotfile_overlays/${overlay_name}"
    extra_args=(--overlay "${overlay_name}")
  fi
  local target
  local whichdir
  local relhome
@@ -21,19 +10,16 @@ function skelify {
  local fulltarget
  for target in $~@; do
    if test -d ${target} ; then
-      skelify "${extra_args[@]}" ${target}/* || return 1
+      skelify ${target}/* || return 1
    elif test -f ${target} ; then
      if ! whichdir=$(cd $(dirname $target) && pwd); then
        echo Could not find directory for $target >/dev/stderr
        return 1
      fi
      fname=$(basename ${target})
      fulltarget="${whichdir}/${fname}"
      if [[ ${whichdir} == ${HOME} ]] ; then
        relhome=""
      elif [[ ${whichdir} == ${HOME}/* ]] ; then
      relhome=${whichdir#${HOME}/}
-      else
+      fulltarget="${whichdir}/${fname}"
      if [[ ${relhome} == ${whichdir} ]] ; then
        echo ${whichdir} is not in home >/dev/stderr
        return 1
      fi
@@ -46,7 +32,7 @@ function skelify {
        return 1
      fi
      echo ${target}
-      local skeldir="${base_skel_dir}/${relhome}"
+      local skeldir="${HOME}/.skel/dotfiles/${relhome}"
      mkdir -p "${skeldir}"
      mv ${target} "${skeldir}/${fname}"
      ln -s "${skeldir}/${fname}" "${fulltarget}"
--- a/dotfiles/zshrc.d/util.zsh
+++ b/dotfiles/zshrc.d/util.zsh
@@ -1,56 +0,0 @@
 # utility function to "open" a file
 o() {
  if [[ "$OSTYPE" == "darwin"* ]]; then
    open "$@"
  elif [[ "$OSTYPE" == "linux-gnu"* ]]; then
    xdg-open "$@"
  else
    echo "Unknown OS"
  fi
 }
 # Copy from stdin to the system clipboard
 syscopy() {
    if command -v pbcopy >/dev/null 2>&1; then
        # macOS
        pbcopy "$@"
    elif command -v wl-copy >/dev/null 2>&1; then
        # Linux Wayland
        wl-copy "$@"
    elif command -v xclip >/dev/null 2>&1; then
        # Linux X11
        xclip -selection clipboard "$@"
    elif command -v xsel >/dev/null 2>&1; then
        # Linux X11 (alternative)
        xsel --clipboard --input "$@"
    elif command -v clip.exe >/dev/null 2>&1; then
        # Windows WSL
        clip.exe "$@"
    else
        echo "Error: No clipboard utility found. Please install pbcopy, wl-copy, xclip, or xsel." >&2
        return 1
    fi
 }
 # Paste from the system clipboard to stdout
 syspaste() {
    if command -v pbpaste >/dev/null 2>&1; then
        # macOS
        pbpaste "$@"
    elif command -v wl-paste >/dev/null 2>&1; then
        # Linux Wayland
        wl-paste "$@"
    elif command -v xclip >/dev/null 2>&1; then
        # Linux X11
        xclip -selection clipboard -o "$@"
    elif command -v xsel >/dev/null 2>&1; then
        # Linux X11 (alternative)
        xsel --clipboard --output "$@"
    elif command -v powershell.exe >/dev/null 2>&1; then
        # Windows WSL
        powershell.exe -noprofile -command Get-Clipboard "$@"
    else
        echo "Error: No clipboard utility found. Please install pbpaste, wl-paste, xclip, or xsel." >&2
        return 1
    fi
 }