Skip to content

lumalabs/coder-skills

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
coder_skills.py
coder_skills.py
 
 
install.sh
install.sh
 
 

Repository files navigation

coder-skills

Carry your personal Claude config (~/.claude/) into Coder workspaces.

The Coder workspace template at lumalabs/luma-core brings up Vespa for you on a remote pod. But your personal Claude setup — skill code, helper scripts, OAuth tokens, API keys — doesn't ride along. This tool fixes that.

What it does

Splits ~/.claude/ into two layers, each in the right storage for what it carries:

Layer Where Why
Personal skill code, helpers, CLAUDE.md, commands Per-engineer private GitHub repo lumalabs/dotfiles-<gh-username> Bidirectional via standard git push/pull. You see diffs, audit trail. Claude-as-agent edits land in the working tree → you commit when ready.
Credential files (~10 files: API keys, OAuth tokens, etc) Existing S3 auth-bucket (lumalabs-dev-oregon-coder-workspace-auth/<coder-user-id>/) Reuses the bucket Coder workspaces already use for ~/.claude/.credentials.json. KMS-encrypted, IRSA-scoped per-engineer, bidirectional sync daemon already runs.

After migrate, every Coder workspace claim auto-loads both layers — you SSH in and claude --version, linear-graphql, python3 ~/.claude/google_token.py all work.

Install

curl -fsSL https://raw.githubusercontent.com/lumalabs/coder-skills/main/install.sh | bash

Drops lumalabs-skills into /usr/local/bin. Depends on git, gh, aws, python3 (with boto3) — auto-installs boto3 if missing.

One-time setup

lumalabs-skills migrate

Walks you through:

  1. Scans ~/.claude/ for credential-shaped files. For each one, asks "is this a credential?" — confirmed creds get moved to ~/.coder-auth/, everything else stays in ~/.claude/.
  2. git init on ~/.claude/, writes .gitignore (creds + caches + scratch dirs all excluded).
  3. Creates lumalabs/dotfiles-<your-gh-username> private repo via gh repo create. Asks first.
  4. Initial commit + push of skill code.
  5. aws s3 sync ~/.coder-auth/ s3://<bucket>/<coder-user-id>/ to seed the cred layer.

The migration is interactive — never moves anything without confirming.

Day-to-day

# Push laptop edits to cloud (force one-shot, don't wait for the daemon's 30s)
lumalabs-skills push

# Pull cloud edits to laptop (e.g., after working in a workspace)
lumalabs-skills pull

# Rotate a credential — input is hidden (no echo), no secret values in shell history
lumalabs-skills rotate linear_api_key

# Show current state
lumalabs-skills status

For workspace-side use: the same CLI is baked into the Coder workspace image, so lumalabs-skills works identically inside a workspace. You can rotate a credential from any workspace and all your other workspaces pick it up within ~30s.

What gets committed vs. what gets synced via S3

migrate writes ~/.claude/.skills-vault.json — a manifest mapping each credential file to its S3 blob name + permissions. The manifest itself is committed (no secret values, just the layout — the workspace startup uses it to know what symlinks to set up).

Example manifest:

{
  "version": 1,
  "dotfiles_repo": "lumalabs/dotfiles-sshumaker",
  "coder_user_id": "3c705ffc-48c6-4875-8e55-568d31ae7b6a",
  "credentials": [
    {
      "file": ".claude/google_oauth_token.json",
      "auth_blob": "claude-google-oauth-token-json",
      "mode": "0600"
    },
    {
      "file": ".claude/linear_api_key",
      "auth_blob": "claude-linear-api-key",
      "mode": "0600"
    }
  ]
}

Workspace-side integration

In a Coder workspace, the agent's startup script:

  1. git clone https://github.com/lumalabs/dotfiles-<your-username>.git ~/.claude/
  2. Reads ~/.claude/.skills-vault.json
  3. For each credential entry, symlinks $HOME/<file>$HOME/.coder-auth/<auth_blob>
  4. The existing 30s S3 sync daemon keeps ~/.coder-auth/ mirrored to your S3 prefix

Result: when you SSH into a fresh workspace, both your personal skill code AND your credentials are already in place.

Configuration

Override via env (or just set defaults that match your team):

Env Default What
CODER_AUTH_BUCKET lumalabs-dev-oregon-coder-workspace-auth S3 bucket for cred sync
CODER_AUTH_BUCKET_REGION us-west-2
CODER_AUTH_BUCKET_PROFILE luma-dev AWS profile to use
CODER_DOTFILES_OWNER lumalabs GitHub org for the private repo
CODER_DOTFILES_PREFIX dotfiles- Repo name prefix; final name = <owner>/<prefix><gh-username>

Security

  • Credentials never enter chat or shell history. rotate uses getpass (input hidden, no echo).
  • The ~/.claude/ git repo is .gitignore'd aggressively — caches, scratch dirs, and the auth_blob names from the manifest. The migration tool generates a starting .gitignore based on what it migrated; review it before the first commit.
  • S3 bucket is IRSA-scoped per-engineer in the workspace pod (engineer can read/write their own <coder-user-id>/ prefix only). Laptop side uses the engineer's AWS SSO credentials directly.

Known limitations

  • Doesn't migrate node_modules/, cache/, etc. — those are explicitly excluded (commit them to the dotfiles repo only if you really want them, by removing from .gitignore manually).
  • Cred rotation is last-write-wins across concurrent workspaces. Acceptable for personal dev creds; fine in practice since the same engineer is the only writer.
  • No conflict-resolution UI for the git side; if you git push from two laptops at the same time, vanilla git semantics apply.

License

MIT.

About

Carry personal Claude config (skills, helpers, creds) into Coder workspaces

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages