FIDO2 hardware key generation now handles diverse security keys:
- Detect ed25519-sk vs ecdsa-sk support via ykman/fido2-token, with
automatic fallback chain: ed25519-sk → ecdsa-sk → ecdsa-sk -O resident
- Detect FIDO hardware by HID usage page (0xF1D0) instead of hardcoded
Yubico vendor ID — works with SoloKeys, Titan, Nitrokey, etc.
- Check libfido2 availability via ldconfig, dpkg-query, and rpm
- Warn on Qubes OS vhci_hcd USB passthrough (corrupts CTAP2 messages)
- Suppress admin recommendations when dependency is missing so install
instructions stay visible
- Accept ecdsa-sk keys in signing key filter
New --reset-signing flag clears git signing config, removes
allowed_signers entries, and moves/deletes key files so a fresh key
can be generated.
Bump version to 0.3.0.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Detect Homebrew openssh by checking for ssh-sk-helper binary instead
of running ssh-keygen (which blocks waiting for a FIDO touch).
Co-Authored-By: Claude <noreply@anthropic.com>
Use Homebrew ssh-keygen for FIDO2 key generation on macOS instead of
searching for libsk-libfido2.dylib (removed in modern openssh). Group
interactive apply prompts into 6 categories with explanations. Fix
Linux gitleaks install hint to show apt/dnf instead of brew.
Co-Authored-By: Claude <noreply@anthropic.com>
Replace ~25 individual y/n prompts with 6 logical groups, each showing
a table of pending changes with one-line explanations before prompting.
Also fix FIDO2 middleware detection (needs brew openssh, not just libfido2).
Co-Authored-By: Claude <noreply@anthropic.com>
Remove unused SIGNING_KEY_PATH variable (dead code), add trap for
temp file cleanup in apply_ssh_directive, add -- separator before
ssh-keygen path arguments, add info message when falling back to
in-memory credential cache on Linux.
Closes: #15🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Warn users in the signing wizard that reusing the same signing key
across personal and work accounts enables cross-platform identity
correlation. Recommend separate keys per org with git includeIf.
Also added to admin recommendations section.
Closes: #12🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Change prompt default from Y to N so users must explicitly opt in.
Fix gemini command to use -p flag for non-interactive stdin mode.
Consolidate review prompt text into a variable.
Closes: #11🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Use 10#$var arithmetic prefix to avoid bash interpreting leading
zeros as octal (e.g., 08 or 09 would cause "value too great for
base" errors). 2 new tests (64 total).
Closes: #9🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Replace sed 's/[^0-9.]//g' with grep -oE for semver extraction —
fixes breakage on Apple Git suffix and rc versions. Add
strip_ssh_value() helper to strip inline comments and surrounding
quotes from SSH config values. Applied to IdentityFile scanning,
audit_ssh_directive, and apply_ssh_directive. 9 new tests (62 total).
Closes: #8🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Asks users to confirm they've reviewed the script before it modifies
config. On decline, prints instructions for piping the script to
Claude Code or Gemini CLI for a security review. Skipped with -y
and --audit flags. 3 new tests (53 total).
Closes: #7🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
