feat(S-66): /dotfiles-sync audits S-64 watcher health#101
Merged
Conversation
Notify-only watcher health audit closes the post-S-64 gap where the watcher was the only first-class subsystem with no sync-time check. New `dotfiles watch doctor` verb probes six conditions: both LaunchAgents running, plist fingerprint matches `chezmoi managed | sha256sum`, lock absent or <60s, `fswatch --version` works, log mtime within 30d. Headless boxes self-skip. Each non-[ok] line carries an inline `Fix: <cmd>` suffix so the operator can remediate without cross-referencing the spec. Wiring script writes the managed-set sha256 to `$HOME/.cache/dotfiles-watcher.managed.sha256` as a side effect so the doctor has something to diff against.

`/dotfiles-sync` skill gains a "Watcher health (notify-only)" subsection between Secret cache and SA token rotation; it grep-filters [warn]/[err] so healthy machines stay silent. Notify-only by design per S-64 philosophy: operator runs the fix, never the sync.

Tests at tests/dotfiles-watch.sh § 4 add 8 cases driven by fake launchctl + fake fswatch + extended fake chezmoi shims (FAKE_LC_WP/FAKE_LC_FS/FAKE_HEADLESS/NOW_OVERRIDE env knobs). Suite now 26/26 (up from 17).

End-to-end verified on Mac mini: clean state silent; bootout of fswatch agent surfaces `[err] ... Fix: dotfiles watch install`; bootstrap restores silence.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Notify-only watcher health audit closes the post-S-64 gap where the watcher was the only first-class subsystem of the dotfiles workflow with no sync-time check.
`dotfiles watch doctor` verb (POSIX sh) probes six conditions: both LaunchAgents `state = running`, plist fingerprint matches `chezmoi managed | sha256sum` (cached at `~/.cache/dotfiles-watcher.managed.sha256`, written from the existing `run_onchange` wiring), lock absent or <60s, `fswatch --version` works, log mtime within 30d. Headless boxes self-skip with one `[ok]` line. Each non-`[ok]` line carries an inline `Fix: <cmd>` suffix.

`/dotfiles-sync` skill gains a "Watcher health (notify-only)" subsection between Secret cache and SA token rotation; grep-filters `[warn]`/`[err]` so healthy machines stay silent. Notify-only by design per the S-64 philosophy (operator runs the fix, never the sync).

`tests/dotfiles-watch.sh` § 4 adds 8 cases via fake `launchctl` + fake `fswatch` + extended fake `chezmoi data` shims (`FAKE_LC_WP`, `FAKE_LC_FS`, `FAKE_HEADLESS`, `NOW_OVERRIDE` env knobs). Suite now 26/26 (up from 17).

Spec: `docs/specs/S-66-dotfiles-sync-watcher-audit.md`. Extends S-64 (the watcher itself) and S-65 (post-ship doc sweep).

Test plan

- `shellcheck --severity=warning home/dot_local/bin/executable_dotfiles-watch-doctor tests/dotfiles-watch.sh` clean
- `fish -n home/dot_config/fish/functions/dotfiles.fish` clean
- `chezmoi execute-template < home/.chezmoiscripts/run_onchange_after_dotfiles-watcher.sh.tmpl | bash -n` clean
- `bash tests/dotfiles-watch.sh` → 26/26 pass on Mac mini
- `chezmoi managed | wc -l` → 187 (no regression)
- `[ok]` exit 0; `launchctl bootout` of fswatch agent → `[err] agent: com.truonghan.dotfiles-watcher-fswatch not loaded — Fix: dotfiles watch install` exit 1; `bootstrap` → silent again, exit 0

Notable

Secret-guard hook (S-62) caught an early test sentinel using `deadbeef...` (64-hex = sha256-shaped, looked like a private key). Swapped to `stale-fingerprint-non-hex-sentinel` so the test fixture can never collide with a real hash. Validates that the hook trips even on test code that looks secret-shaped.

🤖 Generated with Claude Code
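The probe-per-line, notify-only shape described in the summary, written out as an added example. This is not the PR's `dotfiles-watch-doctor` script and makes no claim about its internals: it is a stand-alone POSIX sh sketch of the same six-condition audit, where every probe emits exactly one `[ok]`/`[warn]`/`[err]` line, every non-`[ok]` line ends in `Fix: <cmd>`, a headless host self-skips with a single `[ok]` line, and only an `[err]` makes the exit status non-zero. The `DOCTOR_*` override variables (the analogue of the PR's `FAKE_*`/`NOW_OVERRIDE` knobs), the `com.example.dotfiles-watcher` label, the cache-file paths, and every `Fix:` command other than `dotfiles watch install` are assumptions of this example; `launchctl print` is assumed to report a `state = running` line for a loaded service.

```shell
#!/bin/sh
# Added example, not the PR's dotfiles-watch-doctor script. Hypothetical:
# the DOCTOR_* knobs, the com.example label, the cache paths and all Fix:
# commands except "dotfiles watch install" (which the PR itself uses).
set -u

# Clock that tests can pin (same idea as the PR's NOW_OVERRIDE knob).
now() { echo "${DOCTOR_NOW:-$(date +%s)}"; }

# sha256 of stdin: sha256sum on Linux, shasum on macOS.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# File mtime as epoch seconds: GNU stat first, BSD stat as fallback.
mtime_epoch() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

# Probe: LaunchAgent state. DOCTOR_AGENT_STATE injects the state so the
# probe is testable off-macOS; otherwise launchctl is asked (assumed to
# print a "state = running" line for a loaded service).
check_agent() {
    label=$1
    if [ -n "${DOCTOR_AGENT_STATE:-}" ]; then
        state=$DOCTOR_AGENT_STATE
    else
        state=$(launchctl print "gui/$(id -u)/$label" 2>/dev/null \
                | awk '/state = / { print $3; exit }')
    fi
    [ -n "$state" ] || state="not loaded"
    if [ "$state" = running ]; then
        echo "[ok] agent: $label running"
    else
        echo "[err] agent: $label $state - Fix: dotfiles watch install"
    fi
}

# Probe: cached fingerprint (argument) vs sha256 of the managed set on stdin.
check_fingerprint() {
    cached=$1
    if [ ! -r "$cached" ]; then
        echo "[warn] plist: no cached fingerprint at $cached - Fix: chezmoi apply"
        return 0
    fi
    want=$(cat "$cached")
    have=$(sha256_stdin)
    if [ "$want" = "$have" ]; then
        echo "[ok] plist: fingerprint matches managed set"
    else
        echo "[warn] plist: managed set changed since wiring - Fix: chezmoi apply"
    fi
}

# Probe: lock absent, or held for less than 60s.
check_lock() {
    lock=$1
    if [ ! -e "$lock" ]; then
        echo "[ok] lock: absent"
        return 0
    fi
    age=$(( $(now) - $(mtime_epoch "$lock") ))
    if [ "$age" -lt 60 ]; then
        echo "[ok] lock: held for ${age}s"
    else
        echo "[warn] lock: stale (${age}s) - Fix: rm $lock"
    fi
}

# Probe: fswatch present and runnable.
check_fswatch() {
    if fswatch --version >/dev/null 2>&1; then
        echo "[ok] fswatch: runnable"
    else
        echo "[err] fswatch: --version failed - Fix: brew install fswatch"
    fi
}

# Probe: watcher log written within the last 30 days.
check_log() {
    log=$1
    if [ ! -e "$log" ]; then
        echo "[warn] log: $log missing - Fix: dotfiles watch install"
        return 0
    fi
    age=$(( $(now) - $(mtime_epoch "$log") ))
    if [ "$age" -le $((30 * 86400)) ]; then
        echo "[ok] log: written ${age}s ago"
    else
        echo "[warn] log: last write $((age / 86400))d ago - Fix: dotfiles watch install"
    fi
}

# Full audit: headless hosts self-skip with one [ok] line; otherwise run
# every probe, print the report, and return 1 only if an [err] appeared.
# Notify-only: the Fix: command is printed, never executed.
doctor() {
    if [ "${DOCTOR_HEADLESS:-0}" = 1 ]; then
        echo "[ok] watcher: headless host, audit skipped"
        return 0
    fi
    cache_dir=${XDG_CACHE_HOME:-$HOME/.cache}
    report=$(
        check_agent "${DOCTOR_AGENT_LABEL:-com.example.dotfiles-watcher}"
        chezmoi managed 2>/dev/null | check_fingerprint "$cache_dir/dotfiles-watcher.managed.sha256"
        check_lock "$cache_dir/dotfiles-watcher.lock"
        check_fswatch
        check_log "$cache_dir/dotfiles-watcher.log"
    )
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^\[err\]'; then
        return 1
    fi
    return 0
}

# `sh doctor.sh run | grep -v '^\[ok\]'` prints nothing on a healthy host.
case "${1:-}" in
    run) doctor; exit $? ;;
esac
```

The `grep -v '^\[ok\]'` in the usage line is the same silence-on-healthy filter the `/dotfiles-sync` subsection relies on: with one line per probe and a fixed `[level]` prefix, a caller never needs to parse the report beyond its first token, and the `Fix:` suffix travels with the line that needs it.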