chore: tooling update

Author: ryanclark

.gitignore

@@ -9,3 +9,5 @@ devid.*
 .DS_Store
 .claude/
 docs/superpowers/
+
+justfile.local

Makefile

@@ -48,10 +48,10 @@ macOS (Apple Silicon) and Linux (arm64/amd64) are supported.
 > [!NOTE]
 > Keychain access to "Chrome Safe Storage" is only needed if you use the `extra_usage` segment (see below).
 
-Or build from source:
+Or build from source (requires [just](https://github.com/casey/just)):
 
 ```
-make install
+just install
 ```
 
 ## Setup
@@ -317,7 +317,7 @@ The defaults are `-f 70` (show 5-hour reset countdown above 70%) and `-s 100` (n
 ### Basic build
 
 ```
-make install
+just install
 ```
 
 This builds without codesigning. The Chrome Keychain password is cached locally to `~/.statusline/chrome_key` to avoid repeated Keychain prompts during development.
@@ -331,25 +331,25 @@ Codesigning makes Keychain's "Always Allow" persist across rebuilds. You need an
 If you don't have a Developer ID Application certificate yet:
 
 ```
-make cert-request DEVELOPER_NAME="Your Name"
+just cert-request "Your Name"
 ```
 
 This generates a certificate signing request. Upload `devid.csr` at the URL shown, select **Developer ID Application**, and download the `.cer` file. Then import it:
 
 ```
-make cert-import CER=~/Downloads/developerID_application.cer
+just cert-import ~/Downloads/developerID_application.cer
 ```
 
 This installs the certificate into your Keychain and prints your signing identity. Clean up afterwards:
 
 ```
-make cert-clean
+just cert-clean
 ```
 
 #### Building
 
 ```
-make install-signed DEVELOPER_NAME="Your Name" TEAM_ID="ABC123XYZ"
+just install-signed "Your Name" "ABC123XYZ"
 ```
 
 To find your name and team ID:

README.md

@@ -5,9 +5,9 @@
 # Only evaluate the platforms we actually build/ship — keeps windows-only crates
 # (and their licenses / duplicate versions) out of the graph.
 targets = [
-    "aarch64-apple-darwin",
-    "x86_64-unknown-linux-gnu",
-    "aarch64-unknown-linux-gnu",
+  "aarch64-apple-darwin",
+  "x86_64-unknown-linux-gnu",
+  "aarch64-unknown-linux-gnu",
 ]
 
 [advisories]
@@ -20,16 +20,16 @@ version = 2
 # Permissive licenses present in the dependency tree. `cargo deny check
 # licenses` fails if a new dependency introduces one not listed here.
 allow = [
-    "MIT",
-    "Apache-2.0",
-    "BSD-2-Clause",
-    "BSD-3-Clause",
-    "ISC",
-    "Zlib",
-    "Unicode-3.0",
-    "MPL-2.0",
-    # Mozilla CA root bundle shipped via rustls/webpki-roots.
-    "CDLA-Permissive-2.0",
+  "MIT",
+  "Apache-2.0",
+  "BSD-2-Clause",
+  "BSD-3-Clause",
+  "ISC",
+  "Zlib",
+  "Unicode-3.0",
+  "MPL-2.0",
+  # Mozilla CA root bundle shipped via rustls/webpki-roots.
+  "CDLA-Permissive-2.0",
 ]
 confidence-threshold = 0.8
 

deny.toml

@@ -0,0 +1,73 @@
+bin := "statusline"
+target_bin := "target" / "debug" / bin
+release_bin := "target" / "release" / bin
+
+default: build
+
+gate: fmt lint test
+    cargo build --workspace -q
+
+check:
+    cargo check --workspace --all-targets
+
+test:
+    cargo test --workspace
+
+lint:
+    cargo clippy --workspace --all-targets -- -D warnings
+    cargo clippy -p statusline --all-targets --features codesigned -- -D warnings
+
+fmt:
+    cargo fmt --all
+    taplo fmt
+
+compile:
+    cargo build --workspace
+
+build:
+    cargo build --workspace --release
+
+build-signed developer_name team_id:
+    cargo build --workspace --release --features codesigned
+    codesign --force --options runtime --sign "Developer ID Application: {{developer_name}} ({{team_id}})" {{release_bin}}
+    codesign --verify --verbose {{release_bin}}
+
+install: build
+    cp {{release_bin}} "${CARGO_HOME:-$HOME/.cargo}/bin/"
+
+install-signed developer_name team_id: (build-signed developer_name team_id)
+    cp {{release_bin}} "${CARGO_HOME:-$HOME/.cargo}/bin/"
+
+dev *ARGS:
+    cargo build --quiet
+    {{target_bin}} {{ARGS}}
+
+cert-request developer_name:
+    openssl req -new -newkey rsa:2048 -nodes \
+        -keyout devid.key -out devid.csr \
+        -subj "/CN={{developer_name}}"
+    @echo ""
+    @echo "Upload devid.csr at:"
+    @echo "  https://developer.apple.com/account/resources/certificates/add"
+    @echo "Select 'Developer ID Application', then download the .cer file."
+    @echo ""
+    @echo "Then run: just cert-import <path-to-downloaded.cer>"
+
+cert-import cer:
+    openssl x509 -inform DER -in "{{cer}}" -out devid.crt
+    openssl pkcs12 -export -out devid.p12 -inkey devid.key -in devid.crt -legacy
+    security import devid.p12 -k ~/Library/Keychains/login.keychain-db
+    @echo ""
+    @echo "Certificate imported. Your signing identity:"
+    @security find-identity -v -p codesigning | grep "Developer ID Application"
+    @echo ""
+    @IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | sed 's/.*"\(.*\)".*/\1/'); \
+        NAME=$(echo "$IDENTITY" | sed 's/Developer ID Application: \(.*\) (.*/\1/'); \
+        TEAM=$(echo "$IDENTITY" | sed 's/.*(\(.*\))/\1/'); \
+        echo "Test with:"; \
+        echo "  just install-signed \"$NAME\" \"$TEAM\""; \
+        echo ""; \
+        echo "Clean up: just cert-clean"
+
+cert-clean:
+    rm -f devid.key devid.csr devid.crt devid.p12

justfile

@@ -1 +1 @@
-hard_tabs = true
+hard_tabs = true

rustfmt.toml

@@ -0,0 +1,6 @@
+# TOML formatting via `taplo fmt` (runs as part of `just fmt`).
+exclude = ["target/**", "Cargo.lock"]
+
+[formatting]
+# Keep entries in the order they're written (no alphabetical churn).
+reorder_keys = false