Public Mac bootstrap files for uinaf machines.
This repo owns the portable layer: Homebrew bundles, zsh startup, mise runtimes, Git and SSH defaults, Codex defaults, editor settings, and setup and audit scripts.
It does not own secrets, identity, Codex auth/state, browser profiles, app caches, dependency folders, build output, or project checkouts. Those stay machine-local.
| Profile | Use it for | Installs |
|---|---|---|
| Shared | Base tools every uinaf Mac should have. | Brewfile |
| Personal | A human-operated laptop or desktop. | Brewfile + Brewfile.personal |
| Devbox | A shared Mac mini or SSH-first agent host. | Brewfile + Brewfile.devbox |
Most users want personal. Always-on agent hosts use devbox.
Install Apple Command Line Tools, Homebrew, git, and gh, then:
```sh
gh auth login
mkdir -p ~/projects/uinaf
gh repo clone uinaf/dotfiles ~/projects/uinaf/dotfiles
cd ~/projects/uinaf/dotfiles
./scripts/bootstrap/brew-bundle.sh personal
./scripts/bootstrap/install.sh
./scripts/bootstrap/configure-git.sh --profile personal
./scripts/app-store/personal.sh
mise install
./scripts/bootstrap/pull-repos.sh
./scripts/verify/bootstrap.sh --profile personal
```

For the full first-machine flow, devbox setup, Chrome vertical tabs, Blacksmith, and Tizen notes, read Bootstrap guide.
./scripts/bootstrap/install.sh links tracked files from home/ into $HOME.
Existing files are moved aside with a timestamped .backup.* suffix.
| Surface | Tracked source | Local-only extension |
|---|---|---|
| zsh | home/.zshenv, home/.zprofile, home/.zshrc | machine shell history and ad hoc local files |
| mise | home/.config/mise/config.toml | repo-local runtime files |
| Git | home/.gitconfig | ~/.gitconfig.local |
| SSH | home/.ssh/config | ~/.ssh/config.local, private keys |
| Codex | installer-managed defaults | auth, sessions, approvals, memory, worktrees |
| Editors | Zed and Ghostty defaults | app state, fonts, caches |
Keep these out of Git:
- Git identity, signing keys, and 1Password SSH agent vault selection.
- 1Password service-account tokens and item references.
- SSH private keys, certificates, Tizen archives, and device keys.
- Codex auth, Browser approvals, sessions, caches, worktrees, and app state.
- Browser profiles, Docker/Colima state, dependency folders, and build output.
For always-on agent hosts, use the secret model in Devbox setup: service-account tokens live in machine-local storage, generated runtime env files are owner-only, and normal shells do not export long-lived tokens.
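
A small guard for the rules above, as an added example that is not one of this repo's scripts. The function names `flag_local_only` and `flag_not_owner_only` are hypothetical, and the filename patterns are assumptions drawn from the list above, not a complete secret scanner.

```shell
#!/bin/sh
# Added example, not part of uinaf/dotfiles. Patterns are assumptions based on
# the "keep out of Git" list; extend them for your own layout.

# Read repo-relative paths on stdin and print the ones that look machine-local.
# Typical input: `git ls-files` or `git diff --cached --name-only`.
# Returns non-zero if anything was flagged.
flag_local_only() {
  hits=0
  while IFS= read -r path; do
    case "$path" in
      *.gitconfig.local|*.ssh/config.local) reason="local override" ;;
      *id_rsa|*id_ecdsa|*id_ed25519) reason="SSH private key" ;;
      *.pem|*.key|*.p12) reason="key or certificate" ;;
      *.env) reason="runtime env file" ;;
      *node_modules/*) reason="dependency folder" ;;
      *) continue ;;
    esac
    printf '%s\t%s\n' "$reason" "$path"
    hits=$((hits + 1))
  done
  [ "$hits" -eq 0 ]
}

# Print each existing file argument that group or other can access.
# Generated runtime env files are expected to be owner-only (e.g. mode 600).
# Returns non-zero if any file is too permissive.
flag_not_owner_only() {
  loose=0
  for f in "$@"; do
    [ -e "$f" ] || continue
    # ls mode string: 1 type char, 3 owner chars, then 6 group/other chars.
    case "$(ls -ldL "$f")" in
      ????------*) ;;
      *) printf 'not owner-only\t%s\n' "$f"; loose=$((loose + 1)) ;;
    esac
  done
  [ "$loose" -eq 0 ]
}
```
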
Use repo checks before committing:

```sh
./scripts/verify/repo.sh
```

To install the local pre-push guard for the fast repo gate:

```sh
./scripts/bootstrap/install-git-hooks.sh
```

Use live-machine checks only on a machine that should actually use these dotfiles:

```sh
./scripts/verify/bootstrap.sh --profile personal
./scripts/verify/bootstrap.sh --profile devbox
```

For security posture:

```sh
./scripts/audit/repo.sh --skip-mscp
./scripts/audit/host.sh
./scripts/audit/personal.sh
./scripts/audit/devbox.sh
```

See Security audits for the audit layers, Lynis host audit, and macOS Security Compliance Project flow.
| Need | Read |
|---|---|
| Install or update a Mac | Bootstrap guide |
| Operate a shared agent Mac mini | Devbox setup |
| Help as an AI agent | Agent guide |
| Understand verification and CI | Agent readiness |
| Understand GitHub Actions | GitHub pipelines |
| Run security checks | Security audits |
| Contribute changes | Contributing |
| Report a vulnerability | Security |
| Find scripts | Script guide |
MIT. See License.