SSH agent fallback for git push in Claude Code sessions

[mkhnsn]

Problem

The ssh-sign wrapper (dot_config/git/executable_ssh-sign) now correctly falls back to ~/.ssh/id_ed25519_remote for commit signing in Claude Code sessions (detected via CLAUDECODE=1 env var). However, git push still goes through the 1Password SSH agent and fails because biometric approval can't be granted non-interactively.

Current workaround: push via HTTPS using the gh CLI token:

git -c url."https://x-access-token:$(gh auth token)@github.com/".insteadOf="git@github.com:" push -u origin HEAD

Desired behavior

In Claude Code sessions (or any session where 1Password biometric is unavailable), git push should automatically use the fallback key or HTTPS without manual intervention.

Options

1. GIT_SSH_COMMAND override — Set GIT_SSH_COMMAND="ssh -i ~/.ssh/id_ed25519_remote -o IdentitiesOnly=yes" in Claude Code sessions. Requires the fallback key to be registered with GitHub as an authentication key (currently it's only a signing key).
2. Switch git protocol to HTTPS — Configure url.https://github.com/.insteadOf=git@github.com: when CLAUDECODE=1 is set. Uses gh auth token for auth. Could be done in dot_zshrc or a git config include.
3. Register fallback key with GitHub — Add ~/.ssh/id_ed25519_remote.pub as an authentication key on GitHub, then use option 1.
4. Wrapper script for ssh — Similar to ssh-sign, wrap ssh to swap the identity file in fallback scenarios.

Context

• The fallback key is generated by run_once_11-remote-signing-key.sh.tmpl
• The ssh-sign wrapper strips -U (agent signing) and replaces -f with the fallback key
• CLAUDECODE=1 is set automatically in Claude Code sessions
• gh auth status shows a valid token with repo scope