feat(rules): add git-identity rule and update agent prompts

AGENTS.md

@@ -444,6 +444,38 @@ m3taLib.coding-rules.mkCodingRules {
 
 See `rules/USAGE.md` for full documentation.
 
+## Agent Git Identity
+
+All agent commits use a dedicated bot identity for clear audit trails.
+
+### Configuration
+
+```nix
+coding.agents.gitIdentity = {
+  enable = true;
+  name = "m3ta-chiron";
+  email = "m3ta-chiron@agentmail.to";
+  sshKey = "/run/agenix/m3ta-chiron-ssh-key";
+};
+```
+
+### Environment Variables
+
+When enabled, these are automatically set:
+- `GIT_AUTHOR_NAME`, `GIT_AUTHOR_EMAIL`
+- `GIT_COMMITTER_NAME`, `GIT_COMMITTER_EMAIL`
+- `GIT_SSH_COMMAND` (for authenticated push)
+
+### Rules
+
+See `rules/concerns/git-identity.md` for detailed instructions.
+
+### Setup
+
+1. Generate SSH key: `ssh-keygen -t ed25519 -C "m3ta-chiron@agentmail.to" -f ~/.ssh/m3ta-chiron`
+2. Add public key to https://code.m3ta.dev/user/settings/keys
+3. Configure in NixOS: `coding.agents.gitIdentity.enable = true`
+
 ## Notes for AI Agents
 
 1. **Config-only repo** — no compilation step; `./scripts/test-skill.sh --validate` is the build

agents/chiron-forge/system-prompt.md

@@ -48,3 +48,16 @@ You are Chiron-Forge, the Greek centaur smith of Hephaestus, specializing in exe
 - DO NOT manage private knowledge (Apollo's domain)
 - DO NOT handle work communications (Hermes's domain)
 - DO NOT execute destructive operations without confirmation
+
+## Git Identity
+
+All your commits use the agent identity:
+- Author: m3ta-chiron <m3ta-chiron@agentmail.to>
+- SSH key configured for code.m3ta.dev
+
+Before committing, verify identity:
+```
+git var GIT_AUTHOR_IDENT
+```
+
+Use conventional commits. Push with `git push`.

agents/chiron/system-prompt.md

@@ -57,3 +57,16 @@ Include next steps or decision points when appropriate
 - Do NOT access private vaults or personal notes (Apollo's domain)
 - Do NOT write long-form content (Calliope's domain)
 - Do NOT execute build or deployment tasks (Chiron-Forge's domain)
+
+## Git Identity
+
+All your commits use the agent identity:
+- Author: m3ta-chiron <m3ta-chiron@agentmail.to>
+- SSH key configured for code.m3ta.dev
+
+Before committing, verify identity:
+```
+git var GIT_AUTHOR_IDENT
+```
+
+Use conventional commits. Push with `git push`.

rules/USAGE.md

@@ -42,6 +42,17 @@ Add AI coding rules to your project via `mkOpencodeRules`.
 - `frameworks` (optional): List of framework names (e.g., `["n8n" "django"]`)
 - `extraInstructions` (optional): Additional instruction file paths
 
+## Default Concerns
+
+When `concerns` is not specified, these are included:
+- coding-style
+- naming
+- documentation
+- testing
+- git-workflow
+- git-identity
+- project-structure
+
 ## .gitignore
 
 Add to your project's `.gitignore`:

rules/concerns/git-identity.md

@@ -0,0 +1,97 @@
+---
+name: git-identity
+description: "Use when: (1) committing code to git repositories, (2) pushing changes, (3) verifying git identity. Triggers: git commit, git push, git identity, author."
+compatibility: opencode, pi, claude-code
+---
+
+# Agent Git Identity
+
+This rule ensures all AI agent commits use a dedicated bot identity instead of personal user credentials.
+
+## How It Works
+
+**Environment variables** are set automatically by Home Manager via `coding.agents.gitIdentity`:
+- `GIT_AUTHOR_NAME` = m3ta-chiron
+- `GIT_AUTHOR_EMAIL` = m3ta-chiron@agentmail.to
+- `GIT_COMMITTER_*` = same
+- `GIT_SSH_COMMAND` = ssh with agent SSH key
+
+**Your job as the agent** is to:
+1. Verify the identity before committing
+2. Use conventional commit format
+3. Push with SSH authentication
+
+## Before Committing
+
+Always verify the git identity is correct:
+
+```bash
+git var GIT_AUTHOR_IDENT
+# Should show: m3ta-chiron <m3ta-chiron@agentmail.to>
+```
+
+If the identity is wrong, the environment variables are not set correctly. Report this to the user.
+
+## Commit Format
+
+Use conventional commits for all agent commits:
+
+```bash
+git commit -m "feat(scope): add feature"
+git commit -m "fix(bug): resolve issue"
+git commit -m "refactor(utils): improve code"
+git commit -m "docs(readme): update docs"
+git commit -m "chore(deps): update dependencies"
+git commit -m "test(api): add tests"
+```
+
+**Rules**:
+- Subject max 72 chars
+- Imperative mood ("add", not "added")
+- No period at end
+- Reference issues: `Closes #123`
+
+## Before Pushing
+
+SSH authentication is configured via `GIT_SSH_COMMAND`. Simply run:
+
+```bash
+git push
+```
+
+The SSH key configured in `coding.agents.gitIdentity.sshKey` will be used automatically.
+
+## Verification Commands
+
+```bash
+# Check author identity
+git var GIT_AUTHOR_IDENT
+
+# Check committer identity
+git var GIT_COMMITTER_IDENT
+
+# Check SSH command
+echo $GIT_SSH_COMMAND
+
+# List all commits by agent
+git log --author="m3ta-chiron" --oneline
+
+# Test SSH connectivity
+ssh -T git@code.m3ta.dev
+```
+
+## Troubleshooting
+
+**Commits show wrong author?**
+- Environment variables may not be set
+- Check: `echo $GIT_AUTHOR_NAME` should print "m3ta-chiron"
+- Report to user if variables are not set
+
+**Push authentication fails?**
+- SSH key may not be added to the git hosting
+- Check: `ssh -T git@code.m3ta.dev`
+- Verify `GIT_SSH_COMMAND` contains correct key path
+
+**Wrong SSH key used?**
+- Verify `GIT_SSH_COMMAND` contains the m3ta-chiron key
+- Personal SSH keys in `~/.ssh/` should not interfere