From 06757761c3d7f0e0340ffdc63a8b0964058bc730 Mon Sep 17 00:00:00 2001
From: Jensen Bernard
Date: Fri, 27 Mar 2026 13:52:39 +0100
Subject: [PATCH 1/2] fix: discover existing SSH keys instead of hardcoding key paths

The SSH module previously hardcoded IdentityFile and 1Password agent in the ssh-config template, breaking git access on machines with existing keys. Now discovers keys dynamically and only enables 1Password if the agent socket exists.

Co-Authored-By: Claude Opus 4.6
---
 dotfiles/ssh-config | 7 ------
 modules/07-ssh.sh | 54 ++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 48 insertions(+), 13 deletions(-)

diff --git a/dotfiles/ssh-config b/dotfiles/ssh-config
index eb2a57b..58d0aed 100644
--- a/dotfiles/ssh-config
+++ b/dotfiles/ssh-config
@@ -3,15 +3,8 @@ Host *
 AddKeysToAgent yes
- # 1Password SSH Agent (Secretive)
- IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
 ServerAliveInterval 60
 ServerAliveCountMax 3
-Host github.com
- HostName github.com
- User git
- IdentityFile ~/.ssh/developer_ed25519
-
 # Per-project/client overrides
 Include ~/.ssh/config.d/*.conf
diff --git a/modules/07-ssh.sh b/modules/07-ssh.sh
index 14e2fd1..442e298 100755
--- a/modules/07-ssh.sh
+++ b/modules/07-ssh.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Module 07: SSH — fix permissions, generate config from discovered keys
+# Module 07: SSH — fix permissions, discover keys, generate GitHub host config
 source "$(dirname "$0")/../lib/core.sh"
 source "$(dirname "$0")/../lib/state.sh"
@@ -8,27 +8,69 @@
 SSH_DIR="${HOME}/.ssh"
 mkdir -p "$SSH_DIR"
 chmod 700 "$SSH_DIR"
-# Fix permissions on all private keys
+# Fix permissions on all private keys and collect key paths
 KEY_COUNT=0
+GITHUB_KEY=""
 for key in "$SSH_DIR"/*; do
 [ -f "$key" ] || continue
- # Skip public keys and known_hosts
 [[ "$key" == *.pub ]] && continue
 [[ "$(basename "$key")" == "known_hosts"* ]] && continue
 [[ "$(basename "$key")" == "authorized_keys" ]] && continue
 [[ "$(basename "$key")" == "config"* ]] && continue
+ [[ "$(basename "$key")" == "environment" ]] && continue
 chmod 600 "$key"
 KEY_COUNT=$((KEY_COUNT + 1))
 mbp_log_step "permissions 600: $(basename "$key")"
+
+ # Pick the best key for GitHub (prefer ed25519, then rsa)
+ local_name="$(basename "$key")"
+ if [ -z "$GITHUB_KEY" ]; then
+ GITHUB_KEY="$key"
+ fi
+ # Prefer developer_ed25519 (mbp convention) > id_ed25519 > any ed25519 > first key
+ case "$local_name" in
+ developer_ed25519) GITHUB_KEY="$key" ;;
+ id_ed25519) [[ "$(basename "$GITHUB_KEY")" != "developer_ed25519" ]] && GITHUB_KEY="$key" ;;
+ *ed25519*) [[ "$(basename "$GITHUB_KEY")" != "developer_ed25519" && "$(basename "$GITHUB_KEY")" != "id_ed25519" ]] && GITHUB_KEY="$key" ;;
+ esac
 done
 # Ensure config.d directory for per-client/per-project includes
 mkdir -p "${SSH_DIR}/config.d"
-# Create ~/.ssh/config if not already symlinked by dotfiles module
-if [ ! -f "${SSH_DIR}/config" ] && [ ! -L "${SSH_DIR}/config" ]; then
- mbp_log_step "No ~/.ssh/config found — dotfiles module will symlink it"
+# Generate GitHub host config from discovered keys
+GITHUB_CONF="${SSH_DIR}/config.d/github.conf"
+if [ -n "$GITHUB_KEY" ]; then
+ cat > "$GITHUB_CONF" << EOF
+# Generated by mbp — edit freely or delete to manage manually
+Host github.com
+ HostName github.com
+ User git
+ IdentityFile ${GITHUB_KEY}
+EOF
+ mbp_log_ok "GitHub SSH: using $(basename "$GITHUB_KEY")"
+elif [ ! -f "$GITHUB_CONF" ]; then
+ mbp_log_warn "No SSH keys found — GitHub access requires a key in ~/.ssh/"
+ mbp_log_warn "Generate one: ssh-keygen -t ed25519 -C \"your@email\" -f ~/.ssh/id_ed25519"
+fi
+
+# Configure 1Password SSH agent only if it's installed
+OP_AGENT_SOCK="${HOME}/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
+OP_CONF="${SSH_DIR}/config.d/1password.conf"
+if [ -S "$OP_AGENT_SOCK" ]; then
+ if [ ! -f "$OP_CONF" ]; then
+ cat > "$OP_CONF" << EOF
+# Generated by mbp — 1Password SSH Agent
+# Remove this file if you don't use 1Password for SSH keys
+Host *
+ IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
+EOF
+ mbp_log_ok "1Password SSH agent detected and configured"
+ fi
+elif [ -f "$OP_CONF" ]; then
+ rm "$OP_CONF"
+ mbp_log_step "1Password agent not found — removed stale config"
 fi
 mbp_log_ok "SSH: $KEY_COUNT keys secured"

From 20facf9ede47e0c3c6d7b37ccf8cba3ab09f5545 Mon Sep 17 00:00:00 2001
From: Jensen Bernard
Date: Fri, 27 Mar 2026 13:55:14 +0100
Subject: [PATCH 2/2] chore: bump version to 1.0.1

Co-Authored-By: Claude Opus 4.6
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index 3eefcb9..7dea76e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.0.0
+1.0.1
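Review bot: `cat > "$GITHUB_CONF"` rewrites config.d/github.conf on every run whenever a key is found, so the generated header's promise "edit freely or delete to manage manually" does not hold — user edits are clobbered and a deleted file comes back; the 1Password branch below already guards with `[ ! -f "$OP_CONF" ]`, and the GitHub branch should do the same, e.g. `if [ -n "$GITHUB_KEY" ] && [ ! -f "$GITHUB_CONF" ]; then`. Separately, the fallback `if [ -z "$GITHUB_KEY" ]` takes the first non-excluded regular file, so on a machine with no ed25519 key a file such as `allowed_signers` sorts before `id_rsa` and ends up as IdentityFile; gating candidacy on a private-key header, `head -n 1 -- "$key" | grep -q 'PRIVATE KEY-----' || continue` placed right after the permissions log line, keeps the chmod behaviour unchanged while excluding non-keys from selection. The comment above the `case` says "prefer ed25519, then rsa" but there is no rsa arm, so either drop "then rsa" or add `id_rsa) [[ "$(basename "$GITHUB_KEY")" != *ed25519* ]] && GITHUB_KEY="$key" ;;`. Finally, `IdentityFile ${GITHUB_KEY}` is unquoted inside the heredoc; ssh_config accepts double-quoted arguments, so `IdentityFile "${GITHUB_KEY}"` would survive a home directory path containing spaces.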