Reproducible, privacy-hardened macOS configuration managed with chezmoi. One command bootstraps a clean Mac into a fully configured environment: shell, packages, git, encrypted secrets, macOS preferences, Dock, firewall, and Claude Code config.
| When | Command |
|---|---|
| Shell says "run mac" | `mac` |
| Change a config | `chezmoi cd` → edit → `chezmoi diff` → `chezmoi apply` |
| Pull updates from another machine | `chezmoi update` |
| Inspect today's brew upgrade output | `brewlog` |
mac is the one entry point for anything the system has flagged. It refreshes the drift check, summarises what's pending across home files, brew packages, macOS defaults, and security baseline, then walks you through fixing it. If nothing is wrong it says so and exits.
| What | When | Where to look |
|---|---|---|
| Homebrew upgrades (`brew upgrade && brew doctor && brew cleanup`) | Once per day, on first shell of the day | `brewlog` (or `tail ~/.cache/brewup.log`) |
| Drift detection | Every new shell + 09:30 daily notification | Shell banner; `mac` to act |
| Brew install tracking | Every interactive `brew install`/`uninstall`/... | Shell banner shows pending count; `mac` merges into `Brewfile.tmpl` |
| Weekly draft PRs for outdated formulae and stale external pins | Mondays | GitHub Actions: `update-brew`, `update-externals` |
| Monthly full-history secret scan | First of the month | GitHub Actions: `audit` |
Nothing auto-merges. Nothing auto-applies to $HOME. Updates land as draft PRs for you to review.
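As an added example (not the repo's own code), a minimal shell version of the brew install tracking and merge flow from the automation table: an interactive install or uninstall is appended to a pending file, the banner reads the count, and a merge step folds the entries into a Brewfile. The pending-file path, the function names and the plain `brew "name"` Brewfile lines are assumptions.

```sh
#!/bin/sh
# Added example, not the repo's own code. A minimal version of the brew
# install tracking flow: an interactive `brew install`/`uninstall` is
# appended to a pending file, the shell banner reads the count, and `mac`
# merges pending entries into the Brewfile. Nothing here touches $HOME
# dotfiles; the merged Brewfile still goes through `chezmoi diff` review.

# Assumed location of the pending log.
PENDING="${BREW_PENDING:-${TMPDIR:-/tmp}/brew-pending.log}"

# Record one brew action. In a real shell this would be called from a
# wrapper such as: brew() { command brew "$@" && track_brew "$@"; }
track_brew() {
  case "$1" in
    install|uninstall) printf '%s %s\n' "$1" "$2" >> "$PENDING" ;;
    *) return 0 ;;   # e.g. `brew doctor`: nothing to track
  esac
}

# Number of pending actions, as shown in the shell banner.
pending_count() {
  if [ -f "$PENDING" ]; then wc -l < "$PENDING" | tr -d ' '; else echo 0; fi
}

# Merge pending actions into a Brewfile: add `brew "x"` for installs, drop the
# line for uninstalls. Idempotent: an existing entry is never duplicated.
# Usage: merge_pending /path/to/Brewfile
merge_pending() {
  brewfile="$1"
  [ -f "$PENDING" ] || return 0
  while read -r action formula; do
    case "$action" in
      install)
        grep -Fqx "brew \"$formula\"" "$brewfile" \
          || printf 'brew "%s"\n' "$formula" >> "$brewfile" ;;
      uninstall)
        grep -Fvx "brew \"$formula\"" "$brewfile" > "$brewfile.tmp" || true
        mv "$brewfile.tmp" "$brewfile" ;;
    esac
  done < "$PENDING"
  : > "$PENDING"   # pending list is now folded into the Brewfile
}
```

The merge only rewrites the Brewfile source; it is up to the usual `chezmoi diff` and `chezmoi apply` review to deploy anything.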
See docs/runbooks/new-machine.md.
```sh
chezmoi add --encrypt <path>
```

Full procedure: docs/runbooks/secret-rotation.md.
Just run mac. Detail: docs/runbooks/recover-from-drift.md.
```sh
make ci        # lint, fmt, template matrix, secret scan, brew bundle check
chezmoi diff   # preview before deploying
chezmoi apply  # deploy
```

- `CLAUDE.md` — agent brief: architecture, safety rules, template variables
- `docs/decisions/` — Architecture Decision Records
- `AGENTS.md` — short brief for non-Claude agents
MIT. See LICENSE.