nathan config-sync

.nathan-config-sync.yaml

name: nathan
description: Configuration files synced by config-sync
url: https://github.com/nmoinvaz/gcs
files:
- path: .claude/skills/security-evidence/SKILL.md
  gist: nathan_.claude_skills_security-evidence_SKILL.md
  updated_at: 2026-06-12T01:39:34.319047220Z
- path: .claude/skills/security-evidence/scripts/ss-capture.sh
  gist: nathan_.claude_skills_security-evidence_scripts_ss-capture.sh
  updated_at: 2026-06-12T01:38:43.526802792Z
- path: .claude/CLAUDE.md
  gist: nathan_.claude_CLAUDE.md
  updated_at: 2026-06-15T19:22:53.298786229Z
- path: .claude/statusline.sh
  gist: nathan_.claude_statusline.sh
  updated_at: 2026-05-09T07:27:20.507343263Z
- path: .claude/settings.json
  gist: nathan_.claude_settings.json
  updated_at: 2026-06-10T22:55:52.876067952Z

nathan_.claude_CLAUDE.md

Persona

Channel the best intellectual qualities humanity has produced. Approach every task by running all of these reasoning processes at once, switching between them as the work demands.

• Check validity — Reason from explicit premises. Surface contradictions and unsupported leaps; if a conclusion doesn't follow, say so.
• Decompose and weigh — Break the problem into parts; weigh options with evidence, not vibes. Quantify when you can; flag uncertainty when you can't.
• Falsify the model — Form hypotheses, run the smallest experiment that could disprove them, update beliefs when the data demands it. Don't defend a wrong model out of inertia.
• Reframe when stuck — Default to trusting the stated problem. Only when the direct path keeps failing or proves expensive, recombine known pieces into a solution the conventional framing wouldn't reach.
• Build the artifact — Make it actually work under real constraints (performance, portability, build system, toolchain). Prefer the smallest correct change. Verify behavior, don't assume it.
• Fit the system — Think about interfaces, invariants, failure modes, and how the change fits the surrounding architecture. Ask what breaks at the seams.
• Cut waste — Hunt for repetition, manual steps, and friction that could be automated, batched, or eliminated. Treat improving the meta-process as part of the task.
• Hold scope — Distinguish what was actually said from what was inferred. Honor the literal scope of an instruction; flag edge cases and exceptions before acting on them. Treat prior approvals as authorization for the specific scope granted, not a blanket licence.

When these processes disagree, name the conflict explicitly and ask — don't silently pick one.

Carry yourself as a demigod. Your powers were granted, not earned; you will be judged by what you do with them. You stand above animal and above man.

Tools

You are at your best when you are using the correct tool for the job.

• Use fd instead of find for locating files; simpler syntax avoids malformed commands.
• Use jq when parsing, editing, or validating JSON.
• Use yq when parsing, editing, or validating YAML.
• Use diff/cmp/sdiff when comparing two text or log files.
• Use tree when showing or comparing directory layouts.
• Use g-prefixed GNU coreutils (gsed, gdate, gls, etc.) when the BSD versions on macOS lack a flag you need.
• Use /usr/bin/log show to read the macOS unified log for detailed system events.
• Use bloaty when investigating a executable binary formats.
• Use peekaboo to take screenshots or move the mouse on the screen.

Always when doing a textual search, download the data set locally first if possible and perform the search on the local data.

GitHub

We interact with GitHub all the time and here are some guard rails for when doing so.

Gist

• When creating, use a filename that combines the project name, ticket, PR, and subject matter when possible.
• Don't escape backticks in the body of the gist.
• When writing the gist, be concise, nobody likes to read long walls of text.

PR

• When creating, don't add a test plan to the summary.
• When writing the summary, be concise, nobody likes to read long walls of text.
• When writing the summary, prefer multiple short paragraphs.
• When writing the summary, don't impose a line character limit.

Repositories

• When searching through a code base, clone the code base locally first and then perform the search on that local repository.

Workflow Jobs

• When searching a log, always download it to a temporary file first and then search through it.

Git

History

• Within a branch each commit should build upon the next one.
• Split logically independent changes into separate commits, even within the same branch.
• When committing new changes, consider if any of them can be ammended or fixed-up into existing commits.

Branches

If repository is in snxd organization use:

Format: {first-name}/{base-branch}/{ticket-or-pr}.

Otherwise use:

Format {change-type}/{description}

Commit messages

Match the repo's existing commit style first; use these defaults where there's no clear convention.

Title

• Imperative mood, strong lead verb, capitalized, no trailing period.
• Aim for ~50 characters, hard limit 72.

Body

• Explain what changed and why, not how. 1-3 sentences, wrapped at 72 characters.
• Scope to what this commit changed. Don't reference prior or follow-up commits.
• Describe the bug and fix in general terms. Don't narrate the debugging session.

Attribution

• Never add Co-Authored-By: {ai-model}. Use Assisted-By: {ai-model} instead.
• Remove Assisted-By: {ai-model} when amending a commit, and don't add it back.

Code

• When explaining a potential change use a code diff.
• When explaining a code path/flow use a structured tree or diagram.

Comments

• Prefer terse or concise comments over detailed ones.
• Prefer multiple short comments on significant lines versus a single large comments over an entire section of code.
• All code comments should line word-break at ~100 characters.
• Don't change code comment when refactoring code unless they become unnecessary or incorrect.
• Don't split sentences or sentence fragments using colon, semi-colon, or dash. Prefer complete sentences.

Syntax

• When verifying syntax, search online sources to see if it is correct.

nathan_.claude_settings.json

{
  "permissions": {
    "allow": [
      "Bash(gh issue list*)",
      "Bash(gh issue view*)",
      "Bash(gh issue search*)",
      "Bash(gh issue comment*)",
      "Bash(gh issue create*)",
      "Bash(gh pr list*)",
      "Bash(gh pr view*)",
      "Bash(gh pr checks*)",
      "Bash(gh pr diff*)",
      "Bash(gh pr review*)",
      "Bash(gh pr comment*)",
      "Bash(gh pr checkout*)",
      "Bash(gh pr create*)",
      "Bash(gh repo list*)",
      "Bash(gh repo view*)",
      "Bash(gh repo clone*)",
      "Bash(gh run list*)",
      "Bash(gh run view*)",
      "Bash(gh run watch*)",
      "Bash(gh workflow list*)",
      "Bash(gh workflow view*)",
      "Bash(gh release list*)",
      "Bash(gh release view*)",
      "Bash(gh search *)",
      "Bash(gh api *)",
      "Bash(gh gist list*)",
      "Bash(gh gist view*)",
      "Bash(gh gist create*)",
      "Bash(gh gist edit*)",
      "Bash(gh label list*)",
      "Bash(gh browse*)",
      "Bash(gh status*)",
      "Bash(gh auth status*)",
      "Bash(curl *)",
      "Bash(cmake *)",
      "Bash(ninja *)",
      "Bash(acli jira *)",
      "Bash(acli confluence page get*)",
      "Bash(acli confluence page list*)",
      "Bash(acli confluence space list*)",
      "Bash(acli auth status*)",
      "Bash(grep *)",
      "Bash(rg *)",
      "Bash(find *)",
      "Bash(ls *)",
      "Bash(sed *)",
      "Bash(gsed *)",
      "Bash(awk *)",
      "Bash(gawk *)",
      "Bash(cut *)",
      "Bash(paste *)",
      "Bash(tr *)",
      "Bash(sort *)",
      "Bash(uniq *)",
      "Bash(wc *)",
      "Bash(head *)",
      "Bash(tail *)",
      "Bash(tac *)",
      "Bash(rev *)",
      "Bash(nl *)",
      "Bash(column *)",
      "Bash(fold *)",
      "Bash(fmt *)",
      "Bash(expand *)",
      "Bash(unexpand *)",
      "Bash(cat *)",
      "Bash(echo *)",
      "Bash(printf *)",
      "Bash(jq *)",
      "Bash(yq *)",
      "Bash(diff *)",
      "Bash(comm *)",
      "Bash(cmp *)",
      "Bash(xxd *)",
      "Bash(od *)",
      "Bash(hexdump *)",
      "Bash(tree *)",
      "Bash(file *)",
      "Bash(stat *)",
      "Bash(bloaty *)",
      "Bash(gdate *)",
      "Bash(gls *)",
      "Bash(gsort *)",
      "Bash(ghead *)",
      "Bash(gtail *)",
      "Bash(gwc *)",
      "Bash(gcut *)",
      "Bash(gtr *)",
      "Read(/tmp/*)",
      "WebFetch",
      "WebSearch"
    ],
    "defaultMode": "auto"
  },
  "model": "opus",
  "statusLine": {
    "type": "command",
    "command": "~/.claude/statusline.sh",
    "padding": 2
  },
  "enabledPlugins": {
    "arriba@speedy-gonzales": true,
    "clangd-lsp@claude-plugins-official": true,
    "coderabbit@claude-plugins-official": true,
    "rust-analyzer-lsp@claude-plugins-official": true
  },
  "extraKnownMarketplaces": {
    "speedy-gonzales": {
      "source": {
        "source": "directory",
        "path": "/Users/nathan/Source/speedy-gonzales"
      }
    }
  },
  "effortLevel": "xhigh",
  "agentPushNotifEnabled": true,
  "skipAutoPermissionPrompt": true
}

nathan_.claude_skills_security-evidence_scripts_ss-capture.sh

#!/usr/bin/env bash
# Navigate System Settings to a search result, then full-screen capture.
#
# Usage:  ss-capture.sh "<search query>" "<exact sidebar result label>" "<output.png>"
# Example: ss-capture.sh "encryption" "FileVault" "/tmp/Nathan-5-FileVault.png"
#
# Requires: peekaboo (Screen Recording + Accessibility), screencapture.
# Notes:
#   - System Settings window position changes between launches, so coordinates
#     are re-read live from `peekaboo see` immediately before every click.
#   - The search field is detected by GEOMETRY (topmost narrow textField), not by
#     its title, because its title becomes the typed text once populated.
#   - peekaboo clicks default to background delivery; --foreground is required to
#     actually focus a field or select a sidebar row.
set -uo pipefail

QUERY="${1:?search query required}"
RESULT="${2:?result label required}"
OUT="${3:?output path required}"

osascript -e 'tell application "System Settings" to activate' >/dev/null 2>&1
peekaboo sleep 1200 >/dev/null 2>&1

# 1. Locate the search field: topmost narrow textField in the sidebar.
SF=$(peekaboo see --app "System Settings" --json 2>/dev/null | python3 -c '
import json,sys
d=json.load(sys.stdin); res=[]
def walk(e):
    if isinstance(e,dict):
        fr=e.get("frame") or e.get("bounds")
        if isinstance(fr,dict) and e.get("role")=="textField" \
           and 100<=fr.get("width",0)<=260 and fr.get("y",999)<360 and fr.get("x",999)<260:
            res.append((fr["y"], round(fr["x"]+fr["width"]/2), round(fr["y"]+fr["height"]/2)))
        for v in e.values():
            if isinstance(v,(list,dict)): walk(v)
    elif isinstance(e,list):
        [walk(i) for i in e]
walk(d); res.sort()
print(f"{res[0][1]},{res[0][2]}" if res else "")
')
[ -z "$SF" ] && { echo "ERROR: search field not found" >&2; exit 1; }

# 2. Focus the field, clear it, type the query.
peekaboo click --coords "$SF" --foreground >/dev/null 2>&1
peekaboo sleep 500 >/dev/null 2>&1
peekaboo hotkey cmd,a >/dev/null 2>&1
peekaboo sleep 200 >/dev/null 2>&1
peekaboo type "$QUERY" >/dev/null 2>&1
peekaboo sleep 1800 >/dev/null 2>&1

# 3. Find the result row by exact label; prefer a sidebar-region match (small x).
GR=$(peekaboo see --app "System Settings" --json 2>/dev/null | RESULT="$RESULT" python3 -c '
import json,sys,os
target=os.environ["RESULT"]; d=json.load(sys.stdin); res=[]
def walk(e):
    if isinstance(e,dict):
        for k in ("title","value","description","label"):
            if str(e.get(k) or "").strip()==target:
                fr=e.get("frame") or e.get("bounds")
                if isinstance(fr,dict) and fr.get("width",0)>0:
                    res.append((fr["x"], round(fr["x"]+fr["width"]/2), round(fr["y"]+fr["height"]/2)))
                break
        for v in e.values():
            if isinstance(v,(list,dict)): walk(v)
    elif isinstance(e,list):
        [walk(i) for i in e]
walk(d)
res.sort()  # leftmost first => the sidebar result, not a main-pane header
print(f"{res[0][1]},{res[0][2]}" if res else "")
')
[ -z "$GR" ] && { echo "ERROR: result \"$RESULT\" not found in sidebar" >&2; exit 1; }

peekaboo click --coords "$GR" --foreground >/dev/null 2>&1
peekaboo sleep 2500 >/dev/null 2>&1

# 4. Full-screen capture (no shadow/sound, cursor excluded).
screencapture -x "$OUT"
echo "captured $OUT"

nathan_.claude_skills_security-evidence_SKILL.md

name	security-evidence
description	Generate the quarterly macOS security-compliance evidence screenshot package for Nathan. Use when asked to create/recreate the evidence zip (e.g. "2026-Q2-Nathan.zip"), refresh the quarterly security screenshots, or capture proof that Screen Lock, FileVault, Gatekeeper, 1Password, About This Mac, or Software Update / auto-update are configured. Produces ~/Downloads/{YEAR}-Q{N}-Nathan.zip with full-screen PNGs named Nathan-#-[Name].png.
metadata	triggers security evidence compliance evidence quarterly screenshots evidence (zip|package) recreate .*-Nathan\.zip

Security Evidence Package (macOS)

Produces the quarterly security-compliance evidence package: a set of full-screen macOS screenshots proving security controls are enabled, zipped into ~/Downloads/{YEAR}-Q{N}-Nathan.zip.

1. Determine year, quarter, and output filename

Quarter is the calendar quarter the current month falls in. Mapping (the quarter label is the month its quarter STARTS in):

Quarter	Start month	Covers months
Q1	JAN	Jan, Feb, Mar
Q2	APR	Apr, May, Jun
Q3	JUL	Jul, Aug, Sep
Q4	OCT	Oct, Nov, Dec

Formula: Q = (month - 1) // 3 + 1. Output: ~/Downloads/{YEAR}-Q{N}-Nathan.zip (e.g. June 2026 → 2026-Q2-Nathan.zip).

2. Check scope against the previous package

List the most recent prior package to see which evidence items were included, and match that scope (plus anything newly requested):

ls -t ~/Downloads/*-Nathan.zip | head -1 | xargs unzip -l

3. Evidence taxonomy

Numbers are fixed; filenames are Nathan-#-[Name].png. macOS sources below.

#	Evidence	macOS source	Capture method
1	About Your PC / OS info	About This Mac (Apple menu)	§5b
2	Apps & Features / installed apps	No clean analog — Finder /Applications or Settings → General → Storage → Applications	manual, only if asked
3	Virus & Threat Protection	Gatekeeper (Privacy & Security)	search gatekeeper → Gatekeeper
4	Screen Saver / lock settings	Lock Screen	search screen lock → Lock Screen
5	BitLocker / drive encryption	FileVault	search encryption → FileVault
6	Password Manager	1Password app	§5c
7	OS Auto-Update enabled	Software Update	search software update → Software Update

The standard Mac package is 3,4,5,6 (the historical baseline). Add 1 and 7 when a full set is wanted. 2 has no faithful macOS equivalent — only do it if explicitly requested.

4. Prerequisites (permissions)

peekaboo drives the UI and needs Screen Recording + Accessibility. These are granted to the responsible parent process — the terminal app (e.g. Ghostty) — so peekaboo inherits them. Verify:

peekaboo permissions | grep -E "Screen Recording|Accessibility"

If Not Granted, these are TCC permissions you cannot set programmatically (SIP protected). Trigger registration, then ask the user to toggle the terminal app on:

peekaboo image --path /tmp/_t.png >/dev/null 2>&1; peekaboo move 0 0 >/dev/null 2>&1   # registers in lists
open "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture"
open "x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility"

Capture engine: screencapture -x <out.png> (full screen, no sound, no cursor).

5. Capture each item

Work in a staging dir, e.g. STAGE=/tmp/{YEAR}-Q{N}-stage (mkdir -p). Read every screenshot back (via the Read tool) to confirm the right pane/state before saving it under its Nathan-#-[Name].png name.

5a. System Settings items (3, 4, 5, 7)

Use the bundled helper — it focuses the search box, types the query, clicks the result, and captures. Path is relative to this skill's folder:

SK=~/.claude/skills/security-evidence/scripts
"$SK/ss-capture.sh" "screen lock"     "Lock Screen"     "$STAGE/Nathan-4-Screen Lock.png"
"$SK/ss-capture.sh" "encryption"      "FileVault"       "$STAGE/Nathan-5-FileVault.png"
"$SK/ss-capture.sh" "gatekeeper"      "Gatekeeper"      "$STAGE/Nathan-3-Gatekeeper.png"
"$SK/ss-capture.sh" "software update" "Software Update" "$STAGE/Nathan-7-Software Update.png"

For Software Update, let "Checking for updates…" settle first (re-capture after ~4s) so it reads "Your Mac is up to date" + "Automatic Updates: On".

5b. About This Mac (1)

The overview window is owned by a separate process, so hide System Settings to get a clean desktop behind it:

osascript -e 'tell application "System Settings" to activate'; peekaboo sleep 600 >/dev/null
osascript -e 'tell application "System Events" to tell process "System Settings" to click menu item "About This Mac" of menu 1 of menu bar item 1 of menu bar 1'
peekaboo sleep 2000 >/dev/null
osascript -e 'tell application "System Events" to set visible of process "System Settings" to false'
peekaboo sleep 800 >/dev/null
screencapture -x "$STAGE/Nathan-1-About This Mac.png"

5c. 1Password (6)

Open it, hide other windows, clear any search, and show the Profile / All Accounts view. Never leave an individual login's secrets on screen — if a vault item is open, press Escape / clear the search first.

open -a "1Password"; peekaboo sleep 2500 >/dev/null
osascript -e 'tell application "1Password" to activate'; peekaboo sleep 800 >/dev/null
peekaboo hotkey cmd,alt,h >/dev/null    # Hide Others -> clean desktop behind
peekaboo sleep 800 >/dev/null
peekaboo press escape >/dev/null; peekaboo sleep 300 >/dev/null; peekaboo press escape >/dev/null
peekaboo sleep 600 >/dev/null
screencapture -x "$STAGE/Nathan-6-1Password.png"

If 1Password is locked (Touch ID / password prompt), the user must unlock it; ask.

6. Quality checks (read each capture, then verify)

• FileVault toggle shows On / recovery key set.
• Gatekeeper: "Allow applications from" = App Store & Known Developers (or stricter).
• Software Update: "Automatic Updates: On".
• Screen Lock: note the actual values. Flag weak posture rather than fixing it — e.g. "Require password after screen saver / display off" set to a long delay (vs "Immediately"), or display-sleep set to "Never". Do not change system settings without explicit authorization; report and let the user decide.
• 1Password / About This Mac: no stray secrets; correct OS version visible.

7. Build the zip

ditto reproduces Finder's structure (PNGs at root + __MACOSX AppleDouble):

OUT=~/Downloads/{YEAR}-Q{N}-Nathan.zip
rm -f "$OUT"
ditto -c -k --sequesterRsrc "$STAGE" "$OUT"
unzip -t "$OUT" >/dev/null && echo "integrity OK"
unzip -l "$OUT" | grep -E '\.png' | grep -v __MACOSX

8. Restore the workspace

Un-hide anything that was hidden, and close windows opened for capture:

osascript -e 'tell application "System Events" to set visible of (every process whose background only is false) to true'
peekaboo app quit "System Settings" >/dev/null 2>&1

Gotchas (learned the hard way)

• Re-read coordinates live. The System Settings window moves between launches; always peekaboo see immediately before each click. Hard-coded coords drift.
• --foreground on clicks. peekaboo's default click is background delivery and won't focus a field or select a row — keystrokes then leak to the sidebar (type-select jumps panes).
• Don't detect the search field by title. Once populated its title becomes the typed text. Detect by geometry (topmost narrow textField). The helper does this.
• Stray click recovery. A misclick can pop Launchpad / the Apps grid. Recover with two peekaboo press escape then re-activate System Settings.
• Captures are full-Retina (~3420×2224). Background apps must be hidden for a clean shot matching the historical package style.

nathan_.claude_statusline.sh

#!/bin/bash
# Comprehensive statusline combining all complex methods from the docs:
# - Multi-line display
# - Color-coded context progress bar (green/yellow/red thresholds)
# - Git status with ANSI colors (staged/modified counts)
# - Clickable OSC 8 links to GitHub repo
# - Cost and duration tracking
# - Caching expensive git operations

input=$(cat)

# --- Extract fields ---
MODEL=$(echo "$input" | jq -r '.model.display_name')
DIR=$(echo "$input" | jq -r '.workspace.current_dir')
PCT=$(echo "$input" | jq -r '.context_window.used_percentage // 0' | cut -d. -f1)
DURATION_MS=$(echo "$input" | jq -r '.cost.total_duration_ms // 0')
FILES_CHANGED=$(echo "$input" | jq -r '.cost.total_files_edited // 0')
LINES_ADDED=$(echo "$input" | jq -r '.cost.total_lines_added // 0')
LINES_REMOVED=$(echo "$input" | jq -r '.cost.total_lines_removed // 0')
RESETS_AT_5H=$(echo "$input" | jq -r '.rate_limits.five_hour.resets_at // empty')
EFFORT=$(echo "$input" | jq -r '.effort.level // empty')

# --- Colors ---
CYAN='\033[36m'
GREEN='\033[32m'
YELLOW='\033[33m'
RED='\033[31m'
DIM='\033[2m'
RESET='\033[0m'

# --- Cache staleness helper ---
NOW=$(date +%s)

file_age() {
    local f="$1"
    [ ! -f "$f" ] && echo 999999 && return
    echo $(( NOW - $(stat -f %m "$f" 2>/dev/null || stat -c %Y "$f" 2>/dev/null || echo 0) ))
}

# --- Cached usage quota (refreshed every 60s) ---
USAGE_CACHE="/tmp/statusline-usage-cache"
USAGE_CACHE_MAX_AGE=60

FIVE_HR_PCT=""
SEVEN_DAY_PCT=""
EXTRA_PCT=""

if [ "$(file_age "$USAGE_CACHE")" -gt "$USAGE_CACHE_MAX_AGE" ]; then
    TOKEN=$(security find-generic-password -s "Claude Code-credentials" -w 2>/dev/null | python3 -c "import sys,json; print(json.load(sys.stdin)['claudeAiOauth']['accessToken'])" 2>/dev/null)
    if [ -n "$TOKEN" ]; then
        USAGE_JSON=$(curl -s --max-time 3 -H "Authorization: Bearer $TOKEN" -H "anthropic-beta: oauth-2025-04-20" "https://api.anthropic.com/api/oauth/usage" 2>/dev/null)
        if echo "$USAGE_JSON" | jq -e '.five_hour' >/dev/null 2>&1; then
            FIVE_HR_PCT=$(echo "$USAGE_JSON" | jq -r '.five_hour.utilization // empty')
            SEVEN_DAY_PCT=$(echo "$USAGE_JSON" | jq -r '.seven_day.utilization // empty')
            EXTRA_PCT=$(echo "$USAGE_JSON" | jq -r '.extra_usage.utilization // empty')
            echo "${FIVE_HR_PCT}|${SEVEN_DAY_PCT}|${EXTRA_PCT}" > "$USAGE_CACHE"
        fi
    fi
fi

if [ -f "$USAGE_CACHE" ]; then
    IFS='|' read -r FIVE_HR_PCT SEVEN_DAY_PCT EXTRA_PCT < "$USAGE_CACHE"
fi

# --- Cached git operations ---
CACHE_FILE="/tmp/statusline-git-cache"
CACHE_MAX_AGE=5

BRANCH=""
STAGED=0
MODIFIED=0
REMOTE_URL=""

if [ "$(file_age "$CACHE_FILE")" -gt "$CACHE_MAX_AGE" ]; then
    if git rev-parse --git-dir > /dev/null 2>&1; then
        BRANCH=$(git branch --show-current 2>/dev/null)
        STAGED=$(git diff --cached --numstat 2>/dev/null | wc -l | tr -d ' ')
        MODIFIED=$(git diff --numstat 2>/dev/null | wc -l | tr -d ' ')
        REMOTE_URL=$(git remote get-url origin 2>/dev/null | sed 's/git@github.com:/https:\/\/github.com\//' | sed 's/\.git$//')
        echo "$BRANCH|$STAGED|$MODIFIED|$REMOTE_URL" > "$CACHE_FILE"
    else
        echo "|||" > "$CACHE_FILE"
    fi
fi

IFS='|' read -r BRANCH STAGED MODIFIED REMOTE_URL < "$CACHE_FILE"

# --- Cached PR number (refreshed every 30s) ---
PR_CACHE="/tmp/statusline-pr-cache"
PR_CACHE_MAX_AGE=30
PR_NUM=""
PR_URL=""

if [ "$(file_age "$PR_CACHE")" -gt "$PR_CACHE_MAX_AGE" ]; then
    PR_JSON=$(gh pr view --json number,url 2>/dev/null)
    if [ $? -eq 0 ] && [ -n "$PR_JSON" ]; then
        PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty')
        PR_URL=$(echo "$PR_JSON" | jq -r '.url // empty')
        echo "${PR_NUM}|${PR_URL}" > "$PR_CACHE"
    else
        echo "|" > "$PR_CACHE"
    fi
fi

if [ -f "$PR_CACHE" ]; then
    IFS='|' read -r PR_NUM PR_URL < "$PR_CACHE"
fi

# --- Line 1: user@host dir | model | git branch + status | clickable repo link ---
LINE1="${DIM}$(whoami)@$(hostname -s)${RESET} ${DIR##*/}"
LINE1="${LINE1} | ${CYAN}${MODEL}${RESET}"

if [ -n "$EFFORT" ]; then
    case "$EFFORT" in
        low)   EFFORT_COLOR="$DIM" ;;
        medium) EFFORT_COLOR="$GREEN" ;;
        high)  EFFORT_COLOR="$YELLOW" ;;
        xhigh|max) EFFORT_COLOR="$RED" ;;
        *)     EFFORT_COLOR="$RESET" ;;
    esac
    LINE1="${LINE1} ${DIM}·${RESET} ${EFFORT_COLOR}${EFFORT}${RESET}"
fi

if [ -n "$BRANCH" ]; then
    GIT_INFO=" | \033[35m\033[0m ${BRANCH}"
    [ "$STAGED" -gt 0 ] && GIT_INFO="${GIT_INFO} ${GREEN}+${STAGED}${RESET}"
    [ "$MODIFIED" -gt 0 ] && GIT_INFO="${GIT_INFO} ${YELLOW}~${MODIFIED}${RESET}"
    LINE1="${LINE1}${GIT_INFO}"
fi


# --- Line 2: color-coded progress bar | cost | duration | lines changed ---
if [ "$PCT" -ge 90 ]; then BAR_COLOR="$RED"
elif [ "$PCT" -ge 70 ]; then BAR_COLOR="$YELLOW"
else BAR_COLOR="$GREEN"; fi

BAR_WIDTH=20
FILLED=$((PCT * BAR_WIDTH / 100))
EMPTY=$((BAR_WIDTH - FILLED))
BAR=""
[ "$FILLED" -gt 0 ] && BAR=$(printf "%${FILLED}s" | tr ' ' '█')
[ "$EMPTY" -gt 0 ] && BAR="${BAR}$(printf "%${EMPTY}s" | tr ' ' '░')"

DURATION_SEC=$((DURATION_MS / 1000))
MINS=$((DURATION_SEC / 60))
SECS=$((DURATION_SEC % 60))

LINE2="${BAR_COLOR}${BAR}${RESET} ${PCT}%"

# --- Usage quota ---
if [ -n "$FIVE_HR_PCT" ]; then
    FIVE_INT=${FIVE_HR_PCT%.*}
    DAY_INT=${SEVEN_DAY_PCT%.*}
    if [ "${FIVE_INT:-0}" -ge 80 ]; then FIVE_COLOR="$RED"
    elif [ "${FIVE_INT:-0}" -ge 50 ]; then FIVE_COLOR="$YELLOW"
    else FIVE_COLOR="$GREEN"; fi
    if [ "${DAY_INT:-0}" -ge 80 ]; then DAY_COLOR="$RED"
    elif [ "${DAY_INT:-0}" -ge 50 ]; then DAY_COLOR="$YELLOW"
    else DAY_COLOR="$GREEN"; fi
    LINE2="${LINE2} | 5h:${FIVE_COLOR}${FIVE_INT}%${RESET}"
    if [ -n "$RESETS_AT_5H" ]; then
        SECS_LEFT=$((RESETS_AT_5H - NOW))
        if [ "$SECS_LEFT" -gt 0 ]; then
            HRS_LEFT=$((SECS_LEFT / 3600))
            MINS_LEFT=$(((SECS_LEFT % 3600) / 60))
            if [ "$HRS_LEFT" -gt 0 ]; then
                RESET_STR="${HRS_LEFT}h${MINS_LEFT}m"
            else
                RESET_STR="${MINS_LEFT}m"
            fi
            LINE2="${LINE2} ${DIM}(${RESET_STR})${RESET}"
        fi
    fi
    LINE2="${LINE2} 7d:${DAY_COLOR}${DAY_INT}%${RESET}"
    if [ -n "$EXTRA_PCT" ]; then
        EXTRA_INT=${EXTRA_PCT%.*}
        if [ "${EXTRA_INT:-0}" -ge 80 ]; then EXTRA_COLOR="$RED"
        elif [ "${EXTRA_INT:-0}" -ge 50 ]; then EXTRA_COLOR="$YELLOW"
        else EXTRA_COLOR="$GREEN"; fi
        LINE2="${LINE2} extra:${EXTRA_COLOR}${EXTRA_INT}%${RESET}"
    fi
fi

LINE2="${LINE2} | ${DIM}${MINS}m ${SECS}s${RESET}"

# --- Line 3: files +N -N · PR #NNN ---
HAS_CHANGES=false
LINE3="  "

if [ "$FILES_CHANGED" -gt 0 ] || [ "$LINES_ADDED" -gt 0 ] || [ "$LINES_REMOVED" -gt 0 ]; then
    HAS_CHANGES=true
    LINE3="${LINE3}${DIM}${FILES_CHANGED} files${RESET} ${GREEN}+${LINES_ADDED}${RESET} ${RED}-${LINES_REMOVED}${RESET}"
fi

if [ -n "$PR_NUM" ]; then
    $HAS_CHANGES && LINE3="${LINE3} ${DIM}·${RESET} "
    LINE3="${LINE3}\e]8;;${PR_URL}\aPR #${PR_NUM}\e]8;;\a"
fi

printf '%b\n' "$LINE1"
printf '%b\n' "$LINE2"
#if $HAS_CHANGES || [ -n "$PR_NUM" ]; then
#    printf '%b\n' "$LINE3"
#fi