zsh: eagerly define diff() to avoid prezto autoload-stub error

Pretzo's modules/utility/functions/diff registers an autoload stub that
emits '(eval):1: diff: function definition file not found' in non-
interactive eval contexts where $fpath doesn't include the utility
module's functions directory. Define diff as a real function up front so
the stub never has to look itself up.

.claude/.gitignore

@@ -0,0 +1,33 @@
+# Never track Claude Code per-machine state, secrets, or chat data.
+#
+# settings.json IS tracked (portable user prefs + permissions allowlist).
+# Everything else under ~/.claude/ stays per-host: credentials, session
+# logs, project memories, file-edit history, telemetry, caches.
+
+# Auth — must NEVER be tracked
+.credentials.json
+
+# Per-machine settings overrides (by Claude Code convention)
+settings.local.json
+
+# Chat and session data
+history.jsonl
+sessions/
+projects/
+file-history/
+plans/
+
+# Caches and ephemeral state
+cache/
+downloads/
+paste-cache/
+shell-snapshots/
+session-env/
+backups/
+telemetry/
+mcp-needs-auth-cache.json
+
+# Plugin marketplace state — known_marketplaces.json IS portable, but the
+# resolved-plugin caches and the local blocklist are per-machine.
+plugins/blocklist.json
+plugins/marketplaces/

.claude/settings.json

@@ -0,0 +1,57 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(tmux source-file:*)",
+      "Bash(git:*)",
+      "Bash(curl:*)",
+      "Bash(sudo:*)",
+      "Bash(find:*)",
+      "Bash(ls:*)",
+      "Bash(cat:*)",
+      "Bash(systemctl:*)",
+      "Bash(sysctl:*)",
+      "Bash(crontab:*)",
+      "Bash(dig:*)",
+      "Bash(ulimit:*)",
+      "Bash(python3:*)",
+      "Bash(iptables:*)",
+      "Bash(ip6tables:*)",
+      "Bash(ufw status:*)",
+      "Bash(firewall-cmd:*)",
+      "Bash(apt list:*)",
+      "Bash(apt-get install:*)",
+      "Bash(apt-get upgrade:*)",
+      "Bash(dpkg:*)",
+      "Bash(fail2ban-client status:*)",
+      "Bash(fail2ban-client set:*)",
+      "Bash(aa-status)",
+      "Bash(getenforce)",
+      "Bash(mount)",
+      "Bash(netstat -tuln)",
+      "Bash(netstat -tlnp)",
+      "Bash(openssl x509:*)",
+      "Bash(openssl rand:*)",
+      "Bash(grep -v \"^$\")",
+      "Bash(du -sh /var/log/*)",
+      "Bash(lsmod)",
+      "Bash(xargs ls:*)",
+      "Bash(last:*)",
+      "Bash(nginx:*)",
+      "Bash(redis-cli:*)",
+      "Bash(rkhunter:*)",
+      "Bash(aideinit)",
+      "Bash(npm --version)",
+      "Bash(ruby --version)",
+      "Bash(getent passwd:*)",
+      "Bash(sqlite3:*)",
+      "Read(//home/**)",
+      "Read(//opt/**)",
+      "Read(//etc/nginx/sites-enabled/**)",
+      "Read(//etc/nginx/sites-available/**)"
+    ],
+    "defaultMode": "auto"
+  },
+  "theme": "dark",
+  "verbose": true,
+  "skipAutoPermissionPrompt": true
+}

.local/bin/tmux-ip

@@ -29,5 +29,21 @@ if is_digitalocean && do_anchor_ip; then
   exit 0
 fi
 
-curl -s --connect-timeout 3 https://api.ipify.org 2>/dev/null \
+print_local_ip() {
-  || hostname -I | awk '{print $1}'
+  local iface ip
+  if command -v ipconfig >/dev/null 2>&1; then
+    for iface in en0 en1 en2; do
+      ip=$(ipconfig getifaddr "$iface" 2>/dev/null) || true
+      [ -n "${ip:-}" ] && { printf '%s\n' "$ip"; return 0; }
+    done
+  fi
+  if hostname -I >/dev/null 2>&1; then
+    hostname -I | awk '{print $1}'
+    return 0
+  fi
+  ifconfig 2>/dev/null | awk '/inet /{ if ($2 != "127.0.0.1") { print $2; exit } }'
+}
+
+ip=$(curl -s --connect-timeout 3 https://api.ipify.org 2>/dev/null || true)
+[ -z "${ip:-}" ] && ip=$(print_local_ip)
+printf '%s\n' "${ip:-}"

.local/bin/tmux-net

@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# Emit the tmux status-bar network segment.
+#   No VPN:  "⌂ <local_ip>"
+#   VPN up:  "⌂ <local_ip> / ⇡ <vpn_ip>"
+#
+
+set -u
+
+local_ip=$("$HOME/.local/bin/tmux-ip" 2>/dev/null || true)
+vpn_ip=$("$HOME/.local/bin/tmux-vpn-ip" 2>/dev/null || true)
+
+if [ -n "${vpn_ip:-}" ]; then
+  printf '\xe2\x8c\x82 %s / \xe2\x87\xa1 %s\n' "${local_ip:-}" "$vpn_ip"
+else
+  printf '\xe2\x8c\x82 %s\n' "${local_ip:-}"
+fi

.local/bin/tmux-vpn-ip

@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# Print the IPv4 of the first active VPN tunnel interface, if any.
+# Empty output when no VPN is up.
+#
+# macOS: utun*   Linux: tun*, wg*, ppp*
+
+set -u
+
+case "$(uname -s)" in
+  Darwin)
+    ifconfig 2>/dev/null | awk '
+      /^utun[0-9]+:/   { iface=$1; sub(":", "", iface); next }
+      /^[a-z]+[0-9]*:/ { iface="" }
+      iface != "" && $1 == "inet" { print $2; exit }
+    '
+    ;;
+  Linux)
+    if command -v ip >/dev/null 2>&1; then
+      ip -4 -o addr show 2>/dev/null \
+        | awk '$2 ~ /^(tun|wg|ppp)[0-9]+/ { sub("/.*","",$4); print $4; exit }'
+    fi
+    ;;
+esac

.tmux.conf

@@ -79,7 +79,7 @@ set -g pane-border-style fg=colour245
 set -g pane-active-border-style fg=colour39
 set -g message-style fg=colour16,bg=colour221,bold
 set -g status-left '#[fg=colour235,bg=colour252,bold] ❐ #S #[fg=colour252,bg=colour238,nobold]❯#[fg=colour245,bg=colour238,bold] #(whoami) '
-set -g status-right '#[bold][#[nobold,fg=colour229]#H#[fg=default] / #[fg=colour229]#(~/.local/bin/tmux-ip)#[fg=default,bold]]#[nobold,fg=colour255] %H:%M %d-%b-%Y '
+set -g status-right '#[bold][#[nobold,fg=colour229]#h#[fg=default] / #[fg=colour229]#(~/.local/bin/tmux-net)#[fg=default,bold]]#[nobold,fg=colour255] %H:%M %d-%b-%Y '
 set -g window-status-format '#[fg=colour235,bg=colour252,nobold] #(~/.local/bin/tmux-window-icon #{window_index}) #(pwd="#{pane_current_path}"; echo ${pwd####*/}) #W '
 set -g window-status-current-format '#[fg=colour234,bg=colour39,bold] [#[fg=colour232,bold]#{?window_zoomed_flag,#[fg=colour228],} #(~/.local/bin/tmux-window-icon #{window_index}) #(pwd="#{pane_current_path}"; echo ${pwd####*/}) #W #[fg=colour234,bold]] '
 set-option -g status-interval 60

Rakefile

@@ -210,7 +210,7 @@ def install_term_theme
   message = "Which theme would you like to apply to your iTerm2 profile?"
   color_scheme = ask message, iTerm_available_themes
 
-  return if color_scheme == 'None'
+  return if color_scheme.nil? || color_scheme == 'None'
 
   color_scheme_file = File.join('iTerm2', "#{color_scheme}.itermcolors")
 
@@ -220,6 +220,8 @@ def install_term_theme
   profiles << 'All'
   selected = ask message, profiles
 
+  return if selected.nil?
+
   if selected == 'All'
     (profiles.size-1).times { |idx| apply_theme_to_iterm_profile_idx idx, color_scheme_file }
   else
@@ -244,7 +246,12 @@ def ask(message, values)
   puts message
   while true
     values.each_with_index { |val, idx| puts " #{idx+1}. #{val}" }
-    selection = STDIN.gets.chomp
+    input = STDIN.gets
+    if input.nil?
+      puts "(no input available — skipping prompt)"
+      return nil
+    end
+    selection = input.chomp
     if (Float(selection)==nil rescue true) || selection.to_i < 0 || selection.to_i > values.size+1
       puts "ERROR: Invalid selection.\n\n"
     else

install.sh

@@ -36,7 +36,7 @@ PERSONAL_FILES=(
 # untouched. This deliberately avoids wholesale-replacing $HOME/.local etc.,
 # which would sweep away unrelated user data (fonts, app state, ...).
 PERSONAL_DIRS=(
-  .fonts .irssi .nano .themes .local .mplayer
+  .fonts .irssi .nano .themes .local .mplayer .claude
 )
 
 have() { command -v "$1" >/dev/null 2>&1; }

zsh/diff.zsh

@@ -0,0 +1,13 @@
+# Eagerly define `diff` as a real function instead of relying on prezto's
+# autoload stub. The autoload stub emits
+#   "(eval):1: diff: function definition file not found"
+# in non-interactive eval contexts where $fpath doesn't yet include the
+# prezto utility module's functions directory. Defining a real function
+# here bypasses the autoload path entirely.
+function diff {
+  if (( $+commands[colordiff] )); then
+    command diff --unified "$@" | colordiff --difftype diffu
+  else
+    command diff --unified "$@"
+  fi
+}