feat: shell-install --trust-tap (Homebrew tap-trust resolution) #11

Merged: sahil-noon merged 2 commits into main from 260601-l6lo-shell-install-trust-tap on Jun 2, 2026
sahil87 (Owner) commented Jun 2, 2026

Meta

| ID | Type | Confidence | Plan | Review |
|---|---|---|---|---|
| l6lo | feat | 3.5/5.0 | 15/15 tasks, 0/18 acceptance | ✓ 1 cycle |

Pipeline: intake ✓ → spec ✓ → apply ✓ → review ✓ → hydrate ✓ → ship → review-pr

Impact: +1115/−86 code (excluding fab/, docs/) · +2047/−147 total

Summary

Homebrew nags on every operation against the non-official sahil87/tap because the user sits in the default "limbo" trust state, and shll update amplifies it (the advisory prints 2–3× per command). shll previously offered no path to resolve it. This adds a first-class, user-invoked way to record genuine trust — forward-looking ahead of a future brew release that will require explicit trust — rather than silencing the hint.

Changes

  • --trust-tap flag on shll shell-install (orthogonal selector that composes with the existing modes, not a new mutually-exclusive mode)
  • Single combined shll-managed block holds both the export HOMEBREW_REQUIRE_TAP_TRUST=1 and the shell-init eval line under a new # >>> shll >>> sentinel, migrating the legacy # >>> shll shell-init >>> block in place
  • Install is now a per-line MERGE (union of desired lines), not a whole-block append — an already-set-up user gets the export merged into their existing block without duplication
  • --trust-tap does full setup: ensures both lines and runs the brew trust --tap sahil87/tap ceremony, atomically
  • Composes with --print (dry-run, modifies nothing) and --uninstall (removes the whole block; does NOT run brew untrust — the trust record is inert without the policy var and is user-reversible)
  • Graceful degradation: on old/missing brew the eval line is still written, the ceremony is skipped, and the command exits 0 with guidance toward the lighter HOMEBREW_NO_REQUIRE_TAP_TRUST=1 / HOMEBREW_NO_ENV_HINTS=1 escape hatches
  • Tap name comes from a named constant (distinct from formulaPrefix — tap vs formula)
  • Trust ceremony lives in brew.go so shell_install.go stays free of proc/exec imports — the TestNoProcImports guard holds
  • README Troubleshooting section + --trust-tap flag docs; memory updated under cli/shell-install

Tests

All tests pass (122 in cmd/shll), including the new cases in shell_install_test.go and brew_test.go covering trust-block install, per-line idempotency, --print --trust-tap, whole-block --uninstall, degradation when brew trust is absent, already-set-up additive behavior, and brew absent. The TestNoProcImports guard confirms shell_install.go carries no proc/exec imports.

sahil87 added 2 commits June 2, 2026 15:28
…t warning

Adds a --trust-tap flag to `shll shell-install` that resolves Homebrew's
"non-official tap trust" advisory for sahil87/tap by recording genuine
trust rather than silencing the hint.

The flag does full setup atomically: runs the `brew trust --tap sahil87/tap`
ceremony and writes `export HOMEBREW_REQUIRE_TAP_TRUST=1` alongside the
shell-init eval line into a single combined rc-file block (`# >>> shll >>>`),
migrating any legacy `# >>> shll shell-init >>>` block in place.

Design decisions:
- Single combined block holds both the export and eval lines; install is a
  per-line merge (union of desired lines), not a whole-block append, so an
  already-set-up user gets the export merged in without duplication.
- --trust-tap composes with --print (dry-run) and --uninstall.
- --uninstall removes the whole block but does NOT run `brew untrust` (the
  trust record is inert without the policy var and is user-reversible).
- Graceful degradation: on old/missing brew the eval line is still written,
  the ceremony is skipped, and the command exits 0 with guidance toward the
  lighter env-var escape hatches.
- The trust ceremony lives in brew.go so shell_install.go stays free of
  proc/exec imports (TestNoProcImports guard holds).
@sahil-noon sahil-noon requested a review from Copilot June 2, 2026 11:19
@sahil-noon sahil-noon marked this pull request as ready for review June 2, 2026 11:21

Copilot AI left a comment


Pull request overview

Adds --trust-tap to shll shell-install as an orthogonal flag that runs brew trust --tap sahil87/tap and writes export HOMEBREW_REQUIRE_TAP_TRUST=1 into a single shll-managed rc block, resolving Homebrew's tap-trust nag. The change also renames the sentinel to # >>> shll >>> (with in-place migration of legacy blocks), converts install into a per-line merge, and keeps subprocess work out of the file-I/O-only shell_install.go via a function-value ceremony seam in brew.go.

Changes:

  • New --trust-tap flag that composes with default/--print/--uninstall, plus full setup (ceremony + policy line + eval line) with graceful degradation when brew trust is unavailable.
  • Combined # >>> shll >>> sentinel block, per-line merge, and in-place migration of legacy # >>> shll shell-init >>> blocks (including both-sentinels-present self-healing and partial-block refuse-with-exit-2).
  • Ceremony helpers (brewTrustAvailable, brewTrustTap, ensureTapTrust) live in brew.go, exposed to shell_install.go via an ensureTrustFunc seam so TestNoProcImports continues to hold.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| src/cmd/shll/tools.go | Adds tapName constant (no trailing slash) distinct from formulaPrefix. |
| src/cmd/shll/shell_install.go | New sentinel + migration, per-line merge, --trust-tap wiring through a ceremony function-value seam, partial-block refusal, separate appendBlock/rewriteBlocks paths. |
| src/cmd/shll/shell_install_test.go | Updates existing tests to the new sentinel and adds extensive trust/merge/migration/degradation/uninstall coverage with a proc.Runner fake. |
| src/cmd/shll/brew.go | Adds brewTrustAvailable (capability probe), brewTrustTap (ceremony), ensureTapTrust (orchestrator + diagnostics), and trustHatchHint. |
| src/cmd/shll/brew_test.go | New unit tests for the capability probe, ceremony argument shape, and ensureTapTrust degradation ladder. |
| README.md | Documents --trust-tap, the new sentinel block, and a Troubleshooting section. |
| fab/changes/260601-l6lo-shell-install-trust-tap/* | Intake/spec/plan/status artifacts for the change. |
| docs/memory/cli/shell-install.md, docs/memory/cli/commands.md | Memory updates documenting the new behavior, seam, and constants. |
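
An added example, not the project's shell_install.go, of the per-line merge, in-place legacy-sentinel migration and partial-block refusal described in the PR description and the review overview above. The end sentinels and the eval line text are assumptions, and the both-sentinels-present self-healing case is not covered.

```go
package main

import (
	"fmt"
	"strings"
)

// Start sentinels and trustLine are quoted in the PR; the rest are assumed.
const (
	startNew, startLegacy = "# >>> shll >>>", "# >>> shll shell-init >>>"
	endNew, endLegacy     = "# <<< shll <<<", "# <<< shll shell-init <<<"
	trustLine             = "export HOMEBREW_REQUIRE_TAP_TRUST=1"
	evalLine              = `eval "$(shll shell-init zsh)"`
)

// mergeBlock puts each desired line exactly once into one new-sentinel block.
func mergeBlock(rc string, desired []string) (string, error) {
	lines := strings.Split(strings.TrimRight(rc, "\n"), "\n")
	start, end := -1, -1
	for i, l := range lines {
		if l == startNew || l == startLegacy {
			start = i
		} else if l == endNew || l == endLegacy {
			end = i
		}
	}
	if (start < 0) != (end < 0) || end < start { // lone or misordered marker
		return "", fmt.Errorf("partial shll block, refusing to edit")
	}
	if start < 0 { // no block yet: open an empty one after the last line
		lines = append(lines, startNew, endNew)
		start, end = len(lines)-2, len(lines)-1
	}
	out := append(lines[:start:start], startNew) // legacy marker is replaced
	seen := map[string]bool{}
	for _, l := range append(lines[start+1 : end : end], desired...) { // union
		if !seen[l] {
			seen[l] = true
			out = append(out, l)
		}
	}
	out = append(append(out, endNew), lines[end+1:]...)
	return strings.Join(out, "\n") + "\n", nil
}

func main() { // constructed rc file: a legacy block holding only the eval line
	rc := "export EDITOR=vi\n" + startLegacy + "\n" + evalLine + "\n" + endLegacy + "\n"
	out, err := mergeBlock(rc, []string{trustLine, evalLine})
	fmt.Printf("%s(err: %v)\n", out, err)
}
```

Running the merge a second time on its own output returns the file unchanged, which is the property that lets an already-set-up user gain the export line without duplicating the eval line.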


@sahil-noon sahil-noon merged commit aa6f2dd into main Jun 2, 2026
1 check passed
@sahil-noon sahil-noon deleted the 260601-l6lo-shell-install-trust-tap branch June 2, 2026 11:28