Secure dotfile governance. A mandatory, fail-closed security pipeline between your config files and git.

The Problem

Dotfile managers trust you. They shouldn't.

Traditional dotfile tools — stow, chezmoi, yadm — make syncing convenient. But they have zero defense against the most common infrastructure incident in the industry:

These aren't hypotheticals. Secret scanners on GitHub detect thousands of leaked credentials daily, many from dotfile repos. The problem isn't carelessness — it's that existing tools provide no guardrails.

The Solution

Every commit passes a mandatory security pipeline.

There is no flag to skip it. No --force. No escape hatch. The pipeline is fail-closed: if any gate fails, the commit is rejected.

01

Manifest Gate

Only explicitly tracked files are allowed. Nothing unregistered can enter the repo.

02

Secret Scanning

Embedded gitleaks rules detect API keys, tokens, passwords, and known credential patterns.

03

Entropy Analysis

Shannon entropy detection flags high-randomness strings that look like secrets, even without pattern matches.

04

Blocked Patterns

Regex-based policy matching catches domain-specific patterns: private keys, connection strings, webhook URLs.

05

Encryption

Sensitive files are transparently encrypted with per-file data keys and automatic rotation.

Reject or Commit

Any violation → hard rejection. No partial commits. No warnings-only mode. Pass everything, or commit nothing.
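The five gates above, minus encryption, as a fail-closed pipeline in Go. This is an added example written for this page, not code from the lane project: the `Gate` interface, the `Run` function, the single gitleaks-style rule for AWS access key IDs, the entropy threshold of 4.0 bits per character over tokens of at least 20 characters, and the sample files are all this example's own choices (the AKIA value is AWS's documented example key, not a live credential). Unlike the transcript further down, which stops at the first failing gate, this version keeps running so every violation is reported in one rejection.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// File is one staged file: path relative to $HOME plus its contents.
type File struct{ Path, Content string }

// Violation is a single gate failure; one is enough to reject the commit.
type Violation struct {
	Gate, Path, Reason string
	Line               int // 1-based; 0 when not tied to a line
}

type Gate interface{ Check(f File) []Violation } // one pipeline stage

// ManifestGate (01): anything not explicitly tracked is rejected.
type ManifestGate struct{ Tracked map[string]bool }

func (g ManifestGate) Check(f File) []Violation {
	if g.Tracked[f.Path] {
		return nil
	}
	return []Violation{{"manifest", f.Path, "file is not in the manifest", 0}}
}

// Rule is a named regular expression in the style of a gitleaks rule.
type Rule struct {
	ID string
	Re *regexp.Regexp
}

// PatternGate serves both 02 (secret scan) and 04 (blocked patterns): same
// mechanism, different rule sets. A slice keeps the report order deterministic.
type PatternGate struct {
	Name  string
	Rules []Rule
}

func (g PatternGate) Check(f File) []Violation {
	var vs []Violation
	for i, line := range strings.Split(f.Content, "\n") {
		for _, r := range g.Rules {
			if r.Re.MatchString(line) {
				vs = append(vs, Violation{g.Name, f.Path, r.ID + " detected", i + 1})
			}
		}
	}
	return vs
}

// ShannonEntropy returns the entropy of s in bits per character (0 for "").
func ShannonEntropy(s string) float64 {
	counts := map[rune]float64{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		h -= c / n * math.Log2(c/n)
	}
	return h
}

// EntropyGate (03): flags tokens that look random even when no rule matches.
// Tokens shorter than MinLen are skipped; their entropy says little.
type EntropyGate struct {
	MinLen    int
	Threshold float64 // bits per character
}

func (g EntropyGate) Check(f File) []Violation {
	var vs []Violation
	sep := func(r rune) bool { return strings.ContainsRune(" \t=:\"'", r) }
	for i, line := range strings.Split(f.Content, "\n") {
		for _, tok := range strings.FieldsFunc(line, sep) {
			if h := ShannonEntropy(tok); len(tok) >= g.MinLen && h >= g.Threshold {
				vs = append(vs, Violation{"entropy", f.Path, fmt.Sprintf("high-entropy token (%.2f bits/char)", h), i + 1})
			}
		}
	}
	return vs
}

// Run is fail-closed: every gate runs on every file, every violation is
// collected, and any violation at all rejects the commit. Nothing can skip a gate.
func Run(gates []Gate, files []File) (violations []Violation) {
	for _, g := range gates {
		for _, f := range files {
			violations = append(violations, g.Check(f)...)
		}
	}
	return violations
}

func main() {
	gates := []Gate{ManifestGate{map[string]bool{".env": true}},
		PatternGate{"secret scan", []Rule{{"AWS_ACCESS_KEY_ID", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)}}},
		EntropyGate{20, 4.0}}
	// Constructed sample file; the AKIA value is AWS's documented example, not a live key.
	for _, v := range Run(gates, []File{{".env", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nTOKEN=0123456789abcdefghij\n"}}) {
		fmt.Printf("✗ %s: %s (%s line %d)\n", v.Gate, v.Reason, v.Path, v.Line)
	}
}
```

The sample file trips two different gates for two different reasons: line 1 matches a known credential pattern, while line 2 is a token no rule knows about that the entropy gate catches purely because it looks random, which is the case gate 03 exists for. The threshold matters: a 20-character string of 20 distinct characters scores log2(20), about 4.32 bits per character, whereas ordinary config words fall well below that or are too short to be scored at all.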

In Practice

Simple commands. Uncompromising safety.

$ lane init default --remote=git@github.com:me/dotfiles.git
✓ Profile 'default' created
 
$ lane track ~/.zshrc
✓ Tracking ~/.zshrc in profile 'default'
 
$ lane track ~/.config/app/secrets.conf --encrypt
✓ Tracking ~/.config/app/secrets.conf (encrypted)
 
$ lane commit -m "add shell config"
manifest .............. pass
secret scan ........... pass
entropy check ......... pass
blocked patterns ...... pass
encryption ............ pass
✓ Committed to 'default' [a3f9c1e]
 
$ lane commit -m "update env"
manifest .............. pass
✗ secret scan: AWS_ACCESS_KEY_ID detected (line 47)
REJECTED — remove the secret and try again

Capabilities

Built for real-world dotfile management.

Profiles

Organize dotfiles into isolated profiles — default, work, personal. Each has its own git repo, remote, manifest, and governance rules.

Three-Way Sync

Detects conflicts between home, repo, and last-sync baselines. Five sync states: clean, home-modified, repo-modified, conflict, missing.
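The five states as a classification over content hashes, written for this page as an added example and not taken from lane's sync engine. The page names the states but not the rules behind them, so the rules in `Classify` are this example's reading: a file absent from either side is `missing`; identical content on both sides is `clean` whatever the baseline says; otherwise the side that still matches the baseline is the one that did not move, and if neither matches it is a conflict. `Hash`, `Classify` and `Sync` are assumed names.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SyncState is the five-way classification of one tracked file.
type SyncState string

const (
	Clean        SyncState = "clean"
	HomeModified SyncState = "home-modified"
	RepoModified SyncState = "repo-modified"
	Conflict     SyncState = "conflict"
	Missing      SyncState = "missing"
)

// Fingerprint is a content hash; Absent marks a file that does not exist.
type Fingerprint string

const Absent Fingerprint = ""

// Hash fingerprints file contents; nil content means the file is absent.
func Hash(content []byte) Fingerprint {
	if content == nil {
		return Absent
	}
	sum := sha256.Sum256(content)
	return Fingerprint(hex.EncodeToString(sum[:]))
}

// Classify compares home and repo against the baseline recorded at the
// last successful sync. The baseline is what tells "home changed" apart
// from "repo changed": a two-way diff alone cannot say which side moved.
func Classify(home, repo, base Fingerprint) SyncState {
	switch {
	case home == Absent || repo == Absent:
		return Missing
	case home == repo: // identical on both sides, whatever the baseline says
		return Clean
	case repo == base: // only home diverged from the baseline
		return HomeModified
	case home == base: // only repo diverged from the baseline
		return RepoModified
	default: // both diverged, to different content
		return Conflict
	}
}

// Sync resolves the non-conflicting states and advances the baseline.
// On conflict (and on missing) nothing moves; the user resolves it explicitly.
func Sync(home, repo, base []byte) (newHome, newRepo, newBase []byte, state SyncState) {
	state = Classify(Hash(home), Hash(repo), Hash(base))
	switch state {
	case HomeModified:
		return home, home, home, state // commit: repo takes home's content
	case RepoModified:
		return repo, repo, repo, state // apply: home takes repo's content
	case Clean:
		return home, repo, home, state // baseline catches up if it was stale
	default:
		return home, repo, base, state
	}
}

func main() {
	// Constructed sample contents for one file such as ~/.zshrc.
	base := []byte("set -o vi\n")
	home := []byte("set -o vi\nalias g=git\n")
	repo := []byte("set -o emacs\n")
	fmt.Println(Classify(Hash(home), Hash(base), Hash(base)), Classify(Hash(home), Hash(repo), Hash(base)))
}
```

The baseline only advances on a successful commit or apply; a conflict leaves all three versions as they were, so re-running status reports the same conflict until it is resolved rather than silently picking a winner.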

Transparent Encryption

Per-file data keys with envelope encryption. Plaintext at home, ciphertext in git. Automatic key rotation on configurable schedules.

No Shell-Outs

All git operations are programmatic via go-git. No shelling out means no way to bypass the governance pipeline with git flags.

Audit Command

Health checks for secret exposure, key rotation status, missing files, and repository integrity. Run it in CI or before a push.

Multi-Machine

Init on machine A, push to remote. Pull and apply on machine B. Encrypted files decrypt transparently with the shared master key.

Architecture

Domain-driven Go, no external dependencies.

Commands

  • init, track, untrack
  • status, diff
  • commit, push, pull, apply
  • rotate, verify, audit

Internals

  • profile — lifecycle management
  • governance — security pipeline
  • encryption — age-based envelope model
  • sync — three-way merge engine

Design Principles

  • Fail-closed — never degrade silently
  • No bypass — governance is hardcoded
  • No shell-outs — programmatic git only
  • Go 1.23+ — single static binary