Skills Guide beginner 6 min read

Mastering `cm-identity-guard`: The Complete Guide

Hướng dẫn chi tiết về Mastering `cm-identity-guard`: The Complete Guide trong Vibe Coding dành cho None.

Skills used: cm-identity-guard

Mastering cm-identity-guard: The Complete Guide

In the high-velocity world of Vibe Coding, where we move from a fuzzy idea to a deployed application in minutes, there is a silent killer waiting in the shadows: Identity Contamination.

You know the feeling. You’ve been working on a high-stakes client project all morning. Lunch comes, and you decide to spend thirty minutes on your indie-hacker side project. You open a new terminal, initialize a repo, and hit git push. Five seconds later, your stomach drops. You realize you just pushed private client-side logic to your public GitHub profile, and your commit history is now a permanent record of your corporate email address being associated with a project called “Cat-Meme-Generator-v4.”

This isn’t just an embarrassing mistake; it’s a security breach, a professional liability, and a massive time-sink to fix. When we leverage AI agents like Cody Master to work across multiple GitHub accounts, Cloudflare organizations, and Supabase projects, the risk of “Wrong-Account Deployment” scales exponentially.

This is exactly why cm-identity-guard exists. It is the tactical “Safety Catch” for your development workflow. In this guide, we will explore how to master this skill to ensure that your identity is locked, verified, and protected before a single byte of code leaves your machine.

The Core Problem: Why Identity Matters in Vibe Coding

Vibe Coding emphasizes flow. It’s about staying in the “zone” where the AI understands your intent and handles the boilerplate. However, identity management is the ultimate “flow-breaker.” Traditional tools assume you are one person with one identity. But modern developers are multi-faceted:

  1. The Employee: Pushing to a corporate GitLab or GitHub Enterprise.
  2. The Freelancer: Managing five different client repositories with five different sets of credentials.
  3. The Indie Hacker: Moving fast on personal projects where “leaked secrets” could mean a $5,000 AWS bill overnight.

cm-identity-guard solves the Identity Friction problem. Instead of forcing you to manually check your git config user.email every time you switch folders, it implements a Project-Level Identity Lock. It treats your identity as a project-specific asset, not a global terminal setting.

Core Concepts: How cm-identity-guard Works

At its heart, cm-identity-guard operates on a “Gatekeeper” philosophy. It doesn’t just store your credentials; it enforces a verification protocol before any “Outbound Operation” (like a push or a deploy) can proceed.

1. The Identity Triad

The skill looks at three specific data points to verify who you are in the context of the current directory:

  • Source Control Identity: Your Git name and email.
  • Platform Identity: Your authentication status with providers like Cloudflare, Supabase, Neon, or Vercel.
  • Destination Mapping: Ensuring the current folder is authorized to talk to a specific remote repository or deployment slug.

2. The .project-identity.json File

This is the “Source of Truth” for your project. When you activate cm-identity-guard, it creates a localized manifest that explicitly defines which identity is “Allowed” for this specific workspace.

3. The “Block-First” Protocol

Unlike a simple linter, cm-identity-guard is designed to be intrusive where it counts. If you attempt to use the git-pushing skill or a deployment command while your local environment is authenticated to the “Wrong” account (e.g., your personal CLI is logged into a work Cloudflare account), the operation is immediately terminated with a high-signal error.

Practical Example: Setting Up an Identity Lock

Let’s walk through a real-world scenario. You are starting a new project called Project-X for a specific client. You want to make sure you never accidentally use your personal GitHub identity for this work.

Step 1: Activation and Initialization

First, we activate the skill within the Cody Master environment:

cody-master activate-skill cm-identity-guard

The agent will then prompt you to initialize the project identity. This will create a .project-identity.json file in your root. A typical configuration looks like this:

{
  "project_name": "Project-X",
  "identity": {
    "git": {
      "name": "Jane Developer (Client Work)",
      "email": "jane.d@client-corp.com",
      "signing_key": "ABC123XYZ"
    },
    "providers": {
      "github": {
        "account_type": "organization",
        "org_name": "client-corp-v2",
        "allowed_remotes": ["github.com/client-corp-v2/project-x.git"]
      },
      "cloudflare": {
        "account_id": "998877665544332211",
        "verified_email": "jane.d@client-corp.com"
      }
    }
  },
  "enforcement_level": "strict"
}

Step 2: The Verification Gate

Now, imagine you’ve finished a feature. You tell Cody: “Push these changes to the main branch.”

Before Cody calls the git-pushing tool, cm-identity-guard runs a pre-flight check. It executes git config user.email and wrangler whoami in the background.

The Failure Scenario: If your global Git config is still set to personal-jane@gmail.com, cm-identity-guard will trigger a hard stop:

[IDENTITY GUARD FAILURE] You are attempting to push to a ‘Strict’ project using the wrong identity. Expected: jane.d@client-corp.com Current: personal-jane@gmail.com Action Blocked. Please run git config --local user.email jane.d@client-corp.com or use the cm-identity-guard fix tool.

Step 3: Automatic Remediation

The power of this skill is that it doesn’t just complain; it fixes. You can simply say: “Fix my identity for this project.”

Cody will then:

  1. Apply the correct local (not global) Git configuration.
  2. Switch the active account in your CLI providers (if supported by the provider’s CLI).
  3. Re-verify and proceed with the original task.

Advanced Usage: Cross-Provider Syncing

cm-identity-guard is particularly powerful when you are using a “Modern Stack” like Next.js + Supabase + Cloudflare.

In this setup, identity isn’t just about Git. If you deploy a Supabase migration to the “Personal” project while your code is destined for the “Production” repo, you’ve just broken your production database.

The skill allows for Provider Locking. You can specify that for Project-X, the only valid Supabase project ID is proj-abc-123. If you accidentally have SUPABASE_PROJECT_ID=personal-db in your .env, the identity guard will catch the mismatch between your .project-identity.json and your .env variables before the migration runs.

Best Practices & Pro Tips

To get the most out of cm-identity-guard, follow these industry-standard practices:

1. Always Use --local Configuration

Never rely on global Git settings if you work on more than one project. cm-identity-guard encourages the use of local configs that live inside the .git/config of the specific repo. This ensures that even if you use a different terminal emulator, the identity travels with the folder.

2. Include Your .project-identity.json in Source Control (Carefully)

You should commit the .project-identity.json file to your repository if it does not contain secrets. The file should define the requirements for the identity (e.g., “The email must end in @company.com”), not the actual private keys. This allows your entire team to benefit from the same identity protection.

3. Pair with cm-secret-shield

While cm-identity-guard protects who you are, cm-secret-shield protects what you have (API keys, tokens). Using them together creates a “Zero-Trust” development environment where it is virtually impossible to leak data or push to the wrong destination.

4. The “Turn-Start” Check

Make it a habit to ask Cody: “Who am I right now?” at the start of a session. If the skill is active, it will give you a summarized status report:

Real-World Problem Solved: The “Shadow Commit”

A common issue in collaborative teams is the “Shadow Commit”—where a developer pushes code, but because their Git email wasn’t configured correctly on a new machine, their contributions aren’t linked to their GitHub profile. This ruins contribution graphs and makes it impossible to track who wrote what for security audits.

cm-identity-guard eliminates Shadow Commits by making Git identity a mandatory pre-condition for the commit and create-pr skills. If the identity isn’t verified, the commit isn’t made. Period.

Troubleshooting Common Issues

”The skill keeps blocking my pushes even though I’ve logged in.”

This usually happens because of Token Caching. Some CLIs (like gh or wrangler) cache credentials in a way that doesn’t update immediately in the current shell session.

  • Solution: Ask Cody to “Refresh my provider sessions.” This will force the CLIs to re-authenticate and update the guard’s state.

”I want to use two different emails in the same project.”

This is a rare but valid edge case (e.g., using a personal email for a “Docs” contribution but a work email for “Core” code).

  • Solution: You can define “Identity Roles” within the JSON. However, we recommend sticking to one identity per repository for maximum safety.

Conclusion: Engineering Peace of Mind

Vibe Coding is supposed to be fun. It’s supposed to be about the creative act of building. You shouldn’t have to spend 20% of your mental energy worrying if you’re about to accidentally leak a client’s IP or ruin your professional reputation with a misconfigured Git email.

cm-identity-guard is the “Set and Forget” solution for identity management. By spending two minutes setting up your .project-identity.json, you are buying yourself hours of future peace of mind. It allows you to move between projects with the speed of an agent and the security of a senior DevOps engineer.

Your identity is your brand. Guard it.

Ready to lock down your workflow? Start by activating the skill in your current project and let Cody handle the verification.