Zach uses this workspace from the VM; you use it from your MacBook Air. This document explains how changes stay in sync between the two machines.
When a session starts, Claude automatically runs git pull to bring in any changes the other machine committed. You get the latest notes, projects, and files right away.
When a session ends (via /close or the session finishing), Claude automatically commits any changes you made and pushes them to GitHub. The commit message is "auto: session sync [machine name]".
That's it. You don't need to run any git commands yourself.
Do this once after pulling this file.
Pull to receive the hooks and config:
cd ~/path/to/jingbotanics
git pull
You do not edit .env by hand anymore. All tokens live in the encrypted secrets.yaml and are written to .env for you by scripts/secrets-to-env.sh (set up in the next section). Every MCP server that needs a secret is wrapped in @dotenvx/dotenvx run, so it reads .env automatically — nothing is exported in your shell. Full mechanism: MCP-SETUP.md → "How secrets resolve".
The hooks and config come from the repo — the only thing to install is the encrypted-secrets tooling below.
This sets up encrypted secrets so your tokens travel between machines safely via git, instead of being shared manually.
a. Install the tools:
brew install sops age
b. Generate your age key:
mkdir -p ~/.secrets
age-keygen -o ~/.secrets/key.txt
chmod 600 ~/.secrets/key.txt
When age-keygen runs, it prints a line like Public key: age1abc123... — copy that line. It's safe to share.
c. Send Zach your public key:
Send Zach the age1... line from step (b). He'll add it to .sops.yaml and re-encrypt secrets.yaml so your key can decrypt it.
d. After Zach pushes the update, pull and run:
git pull
bash scripts/secrets-to-env.sh
This decrypts secrets.yaml and writes your .env automatically. You won't need to manage .env by hand after this.
e. Enable the secret scanner for manual commits:
git config core.hooksPath .githooks
This wires up a pre-commit check that blocks any commit containing plaintext tokens. It runs automatically — nothing else to configure.
Until steps (c) and (d) are done: your Mac can't decrypt secrets.yaml yet. That's fine — keep using your existing .env as normal. Nothing breaks; the sync and all hooks still work.
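One way a pre-commit check like the one in step (e) can work, as an added example (not the repo's actual .githooks script): it scans staged additions for plaintext tokens and age private keys, and refuses a staged secrets.yaml that is not sops ciphertext. The function names and token patterns are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the repo's own .githooks/pre-commit.
# Token patterns are illustrative assumptions; extend them for your providers.

# stdin: unified diff. Prints added lines that look like plaintext credentials.
# Returns 0 when something was found, 1 when the diff is clean.
find_plaintext_secrets() {
  # Keep added lines, drop "+++ b/file" headers and sops ciphertext values.
  grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -Fv 'ENC[AES256_GCM,' |
    grep -Ei -e 'AGE-SECRET-KEY-1[A-Z0-9]+' \
             -e 'gh[pousr]_[A-Za-z0-9]{36,}' \
             -e '(token|secret|password|api_?key)[a-z0-9_]*"?[[:space:]]*[:=][[:space:]]*[^[:space:]]{16,}'
}

# stdin: contents of secrets.yaml. Heuristic for flat "key: value" files:
# true only if the sops metadata block exists and every value above it is
# an ENC[...] ciphertext.
sops_file_is_encrypted() {
  awk '
    /^sops:/ { meta = 1; exit }
    /:[ \t]+[^ \t]/ && !/:[ \t]+ENC\[AES256_GCM,/ { bad = 1 }
    END { exit ((meta && !bad) ? 0 : 1) }
  '
}

run_pre_commit() {
  local hits
  if hits=$(git diff --cached -U0 --no-color | find_plaintext_secrets); then
    echo 'Commit blocked: staged lines look like plaintext secrets:' >&2
    # Truncate so the full value is not echoed to the terminal.
    printf '%s\n' "$hits" | cut -c1-40 >&2
    return 1
  fi
  if git diff --cached --name-only --diff-filter=AM | grep -qx 'secrets.yaml' &&
     ! git show :secrets.yaml | sops_file_is_encrypted; then
    echo 'Commit blocked: secrets.yaml is staged without sops encryption.' >&2
    return 1
  fi
}

# Act only when installed as .githooks/pre-commit.
if [ "${0##*/}" = "pre-commit" ]; then run_pre_commit || exit 1; fi
```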
On rare occasions, both machines might edit the same file at the same time and a conflict appears when the session starts. If that happens:
git rebase --abort
Your changes aren't lost; git keeps them safe.
/close still works as before — it writes a session summary, then the sync hook pushes everything.
.env, credential files) are gitignored — they never get committed. Secrets are shared between machines only via secrets.yaml, which is sops+age encrypted before it's committed.