dotfiles
Health: Pass
- License — License: NOASSERTION
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 63 GitHub stars
Code: Pass
- Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions: Pass
- Permissions — No dangerous permissions requested
This tool is a declarative workstation configuration manager for macOS, Linux, and WSL. It uses a "dot" CLI to apply, diagnose, and maintain consistent development environments across multiple machines.
Security Assessment
Risk Rating: Medium. The tool inherently executes local shell commands to configure your system and manage packages. It utilizes Age and SOPS for handling encrypted secrets, meaning it interacts with sensitive data, though no hardcoded secrets were detected in the scan. The README heavily highlights signed releases and attestation. However, the default installation method relies on piping a remote script directly into bash (`bash -c "$(curl ...)"`), which is a common but risky practice since it executes unverified code on your machine. Additionally, it pulls images from external cloud resources (like `cloudcdn.pro`). No dangerous code patterns were found during the light audit, but this category of tool requires elevated local privileges to function.
Quality Assessment
The project is actively maintained, with its latest updates pushed today. It demonstrates solid community engagement with 63 GitHub stars. However, the repository's license is marked as NOASSERTION, meaning it lacks a clearly defined open-source license, which is a significant drawback for enterprise or collaborative use. The codebase passed the automated security scans with no issues found across 12 files.
Verdict
Use with caution: the automation provides a solid local setup, but always inspect the remote install script before running it, and note the lack of a formal software license.
Declarative dotfiles for macOS, Linux, and WSL — multi-shell parity, sub-second startup, wallpaper-driven themes, signed releases, AI/MCP-aware.
.dotfiles
A signed, local-first Trusted agent workstation baseline for macOS, Linux, and WSL. One CLI to apply, diagnose, repair, and attest.
Install
bash -c "$(curl -fsSL https://raw.githubusercontent.com/sebastienrousseau/dotfiles/master/install.sh)"
Then check your setup and take a tour:
dot doctor # verify installation
dot learn # interactive tour of your new dotfiles
You need git and curl. Works on macOS, Ubuntu/Debian, Arch, WSL2, and GitHub Codespaces.
Silent install (no prompts):
DOTFILES_SILENT=1 DOTFILES_NONINTERACTIVE=1 \
bash -c "$(curl -fsSL https://raw.githubusercontent.com/sebastienrousseau/dotfiles/master/install.sh)"
Docker sandbox:
docker run --rm -e DOTFILES_NONINTERACTIVE=1 ubuntu:24.04 bash -c \
'apt-get update -qq && apt-get install -y -qq git curl sudo >/dev/null 2>&1 \
&& git clone --depth 1 https://github.com/sebastienrousseau/dotfiles.git ~/.dotfiles \
&& bash ~/.dotfiles/install.sh \
&& export PATH="$HOME/.local/bin:$PATH" \
&& dot doctor'
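The assessment above flags the `bash -c "$(curl ...)"` install as risky because the script runs before anyone reads it. The following wrapper, added here as an example and not part of the project's own installer, downloads the script to a file, compares it against a SHA-256 you recorded yourself after reviewing it (the project page publishes no hash, so the value below is a placeholder), and only then tells you how to run it.

```shell
#!/usr/bin/env bash
# Added example (not part of the project's installer): fetch the remote
# install script to a file and run it only after a SHA-256 check.
# The expected hash is one you record yourself after reviewing the
# script; the project page does not publish one (placeholder below).
set -eu

# verify_script FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to EXPECTED_SHA256, 1 otherwise.
verify_script() {
  local file="$1" expected="$2" actual
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "$file" | awk '{print $1}')   # macOS fallback
  fi
  [ "$actual" = "$expected" ]
}

# safe_install URL EXPECTED_SHA256 [DEST]
# Downloads URL over HTTPS only, verifies it, and prints the command to
# run. Nothing is executed automatically, so DEST can be read first.
safe_install() {
  local url="$1" expected="$2" dest="${3:-$(mktemp)}"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
  if verify_script "$dest" "$expected"; then
    echo "hash matches; review $dest, then run: bash $dest"
    return 0
  fi
  echo "hash mismatch for $url, refusing to run $dest" >&2
  return 1
}

# Usage (placeholder hash, replace with the one you recorded):
# safe_install \
#   https://raw.githubusercontent.com/sebastienrousseau/dotfiles/master/install.sh \
#   0000000000000000000000000000000000000000000000000000000000000000
```

The Docker sandbox above already follows the same idea by cloning the repository and running the checked-out install.sh rather than a freshly fetched one.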
Overview
This repo goes beyond a simple dotfiles collection. It works more like workstation infrastructure. Every file is tracked, the runtime scope is clear, and the workflow is simple: install, apply, diagnose, repair, attest, and recover. Chezmoi handles templates and platform differences. The dot CLI sits on top and ties it all together.
- Encrypted secrets with Age and SOPS
- Portable runtimes with Mise, plus Nix when you need fully repeatable builds
- Built-in recovery with `dot doctor`, `dot heal`, restore, rollback, and bundle tools
- Tracked governance with policy files, attestation output, and compliance checks stored in the repo
Architecture
Run it once or a hundred times. The machine ends up in the same state.
graph TD
A[User Shell] --> B{dot CLI}
B --> C[Diagnostics: dot doctor / smoke-test]
B --> D[Maintenance: dot update / prewarm]
B --> E[Lifecycle: dot apply / rollback]
D --> F[Chezmoi Source]
F --> G[Zsh / Fish / Bash Configs]
F --> H[Tool Runtimes: Mise / Nix]
G --> I[~/.cache/shell Fast Init]
Features
| Area | Details |
|---|---|
| Startup | Fast shell launch with lazy loading and cached setup |
| Shells | Fish, Zsh, Nushell, and PowerShell share one managed baseline |
| Platforms | Full support for macOS, Ubuntu/Debian, Arch, and WSL2 |
| Runtimes | Mise for managed toolchains, Nix Flakes for strict repeatable builds |
| Secrets | Age + SOPS for encrypted config and secret data |
| Signing | SSH ED25519 signing with trust-aware Git and release workflows |
| Recovery | Snapshot, restore, rollback, heal, and offline bundle tools |
| Governance | Agent profiles, MCP policy, registries, and workstation attestation files |
| CI | Compliance checks, SBOM diff, CodeQL, shell lint, and security gates |
The dot CLI
| Command | What it does |
|---|---|
| dot apply | Apply the tracked config to the machine |
| dot update | Pull the latest state and pre-warm slow paths |
| dot doctor | Check tools, paths, portability, and security |
| dot heal | Auto-fix tools, chezmoi drift, broken symlinks, and missing files (`--dry-run`) |
| dot smoke-test | Test critical toolchains and integrations |
| dot attest | Export machine-readable workstation evidence |
| dot bundle | Create a portable support or recovery archive |
Full reference: docs/reference/UTILS.md
First 5 Minutes
After you install:
- Check — `dot doctor` checks tools, paths, and security
- Explore — `dot learn` walks you through shell, secrets, themes, and performance
- Customize — edit `~/.config/chezmoi/chezmoi.toml` for per-machine settings (Profiles)
- Toggle features — turn features on or off in `.chezmoidata.toml` (Feature Flags)
- Apply — `dot apply` applies the config; `dot prewarm` caches shell startup
See the Migration Guide for version upgrades.
What's Included
Shells and Navigation
- Zsh loads in stages through small modules, not one big startup script
- Fish is set up for fast interactive use with `_cached_eval` and deferred loading
- Nushell handles structured terminal workflows while fitting into the rest of the setup
- PowerShell keeps cross-platform and WSL sessions on the same baseline
- Starship, Zoxide, Atuin, and fzf handle navigation and command recall
- Mise manages language and tool versions in user space, keeping the base system clean
- Nix Flakes offer strict repeatable builds when that matters more than speed
- Pueue gives long-running tasks a proper queue instead of extra terminal tabs
- Neovim ships as a full Lua-based editor, not a starter template
- Lazygit rounds out the terminal workflow without needing a GUI
- Age / SOPS keep secrets encrypted at rest and out of plaintext history
- SSH signing and trust metadata back up signed commits and verifiable changes
- Gitleaks, policy checks, and compliance workflows build security into the repo from the start
- Telemetry controls and local-first defaults keep you in charge of your workstation
- Attestation and registry files record machine state, policy, prompt, and model metadata in tracked JSON
For security hardening options, see the Security docs.
THE ARCHITECT ᛫ Sebastien Rousseau
THE ENGINE ᛞ EUXIS ᛫ Enterprise Unified Execution Intelligence System
License
Licensed under the MIT License. See LICENSE for details.