From 67267307019324ffd0cefcb5f23e377856980b85 Mon Sep 17 00:00:00 2001
From: Erik Flodin <erik@flodin.me>
Date: Mon, 10 Feb 2025 20:58:01 +0100
Subject: [PATCH 1/7] parse_encrypt: Don't let e.g. "*.ext" match files in
 subdirs

This matches the behavior before 3.4.0.

Silent errors from ls-files to avoid warnings about e.g. directories that
aren't readable and also list files that would have been encrypted had they not
been tracked in git (#521).

Fix the patterns written to info/exclude so that they match the same files as
are encrypted (e.g. *.key should only match .key files in the topdir, not in
subdirs).
---
 test/conftest.py                    |  8 +--
 test/test_encryption.py             |  5 +-
 test/test_unit_exclude_encrypted.py |  6 +-
 test/test_unit_parse_encrypt.py     |  6 +-
 yadm                                | 98 +++++++++++++++++++++--------
 5 files changed, 87 insertions(+), 36 deletions(-)

diff --git a/test/conftest.py b/test/conftest.py
index 455e5c6..0523355 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -609,14 +609,14 @@ disable-scdaemon
     env["GNUPGHOME"] = home
 
     # this pre-populates std files in the GNUPGHOME
-    runner(["gpg", "-k"], env=env)
+    runner(["gpg", "-k"], env=env, report=False)
 
     def register_gpg_password(password):
         """Publish a new GPG mock password and flush cached passwords"""
         home.join("mock-password").write(password)
-        runner(["gpgconf", "--reload", "gpg-agent"], env=env)
+        runner(["gpgconf", "--reload", "gpg-agent"], env=env, report=False)
 
     yield data(home, register_gpg_password)
 
-    runner(["gpgconf", "--kill", "gpg-agent"], env=env)
-    runner(["gpgconf", "--remove-socketdir", "gpg-agent"], env=env)
+    runner(["gpgconf", "--kill", "gpg-agent"], env=env, report=False)
+    runner(["gpgconf", "--remove-socketdir", "gpg-agent"], env=env, report=False)
diff --git a/test/test_encryption.py b/test/test_encryption.py
index 23d8e37..33b7394 100644
--- a/test/test_encryption.py
+++ b/test/test_encryption.py
@@ -92,6 +92,7 @@ def encrypt_targets(yadm_cmd, paths):
     paths.work.join("globs dir/globs file2").write("globs file2")
     expected.append("globs dir/globs file2")
     paths.encrypt.write("globs*\n", mode="a")
+    paths.encrypt.write("globs d*/globs*\n", mode="a")
 
     # blank lines
     paths.encrypt.write("\n        \n\t\n", mode="a")
@@ -404,8 +405,8 @@ def test_encrypt_added_to_exclude(runner, yadm_cmd, paths, gnupg):
 
     run = runner(yadm_cmd("encrypt"), env=env)
 
-    assert "test-encrypt-data" in paths.repo.join("info/exclude").read()
-    assert "original-data" in paths.repo.join("info/exclude").read()
+    assert "test-encrypt-data" in exclude_file.read()
+    assert "original-data" in exclude_file.read()
     assert run.success
     assert run.err == ""
 
diff --git a/test/test_unit_exclude_encrypted.py b/test/test_unit_exclude_encrypted.py
index 99db336..bbe29fd 100644
--- a/test/test_unit_exclude_encrypted.py
+++ b/test/test_unit_exclude_encrypted.py
@@ -24,7 +24,7 @@ def test_exclude_encrypted(runner, tmpdir, yadm, encrypt_exists, auto_exclude, e
     if exclude == "outdated":
         exclude_file.write(f"original-exclude\n{header}outdated\n", ensure=True)
     elif exclude == "up-to-date":
-        exclude_file.write(f"original-exclude\n{header}test-encrypt-data\n", ensure=True)
+        exclude_file.write(f"original-exclude\n{header}/test-encrypt-data\n", ensure=True)
 
     script = f"""
         YADM_TEST=1 source {yadm}
@@ -42,9 +42,9 @@ def test_exclude_encrypted(runner, tmpdir, yadm, encrypt_exists, auto_exclude, e
         if encrypt_exists:
             assert exclude_file.exists()
             if exclude == "missing":
-                assert exclude_file.read() == f"{header}test-encrypt-data\n"
+                assert exclude_file.read() == f"{header}/test-encrypt-data\n"
             else:
-                assert exclude_file.read() == ("original-exclude\n" f"{header}test-encrypt-data\n")
+                assert exclude_file.read() == ("original-exclude\n" f"{header}/test-encrypt-data\n")
             if exclude != "up-to-date":
                 assert f"Updating {exclude_file}" in run.out
             else:
diff --git a/test/test_unit_parse_encrypt.py b/test/test_unit_parse_encrypt.py
index 2acac15..935bea4 100644
--- a/test/test_unit_parse_encrypt.py
+++ b/test/test_unit_parse_encrypt.py
@@ -100,10 +100,11 @@ def create_test_encrypt_data(paths):
     edata += "*card1\n"  # matches same file as the one above
     paths.work.join("wildcard1").write("", ensure=True)
     paths.work.join("wildcard2").write("", ensure=True)
+    paths.work.join("subdir/wildcard1").write("", ensure=True)
     expected.add("wildcard1")
     expected.add("wildcard2")
 
-    edata += "dirwild*\n"
+    edata += "dirwild*/file*\n"
     paths.work.join("dirwildcard/file1").write("", ensure=True)
     paths.work.join("dirwildcard/file2").write("", ensure=True)
     expected.add("dirwildcard/file1")
@@ -125,6 +126,9 @@ def create_test_encrypt_data(paths):
     expected.add("ex ex/file4")
     expected.add("ex ex/file6.text")
 
+    paths.work.join("dirwildcard/file7.ex").write("", ensure=True)
+    expected.add("dirwildcard/file7.ex")
+
     # double star
     edata += "doublestar/**/file*\n"
     edata += "!**/file3\n"
diff --git a/yadm b/yadm
index f0c1403..2dbb540 100755
--- a/yadm
+++ b/yadm
@@ -61,6 +61,7 @@ PROC_VERSION="/proc/version"
 OPERATING_SYSTEM="Unknown"
 
 ENCRYPT_INCLUDE_FILES="unparsed"
+NO_ENCRYPT_TRACKED_FILES=()
 
 LEGACY_WARNING_ISSUED=0
 INVALID_ALT=()
@@ -1042,6 +1043,12 @@ function encrypt() {
   printf '%s\n' "${ENCRYPT_INCLUDE_FILES[@]}"
   echo
 
+  if [ ${#NO_ENCRYPT_TRACKED_FILES[@]} -gt 0 ]; then
+    echo "Warning: The following files are tracked and will NOT be encrypted:"
+    printf '%s\n' "${NO_ENCRYPT_TRACKED_FILES[@]}"
+    echo
+  fi
+
   # encrypt all files which match the globs
   if tar -f - -c "${ENCRYPT_INCLUDE_FILES[@]}" | _encrypt_to "$YADM_ARCHIVE"; then
     echo "Wrote new file: $YADM_ARCHIVE"
@@ -1468,38 +1475,59 @@ function version() {
 
 function exclude_encrypted() {
 
+  local auto_exclude
   auto_exclude=$(config --bool yadm.auto-exclude)
   [ "$auto_exclude" == "false" ] && return 0
 
-  exclude_path="${YADM_REPO}/info/exclude"
-  newline=$'\n'
-  exclude_flag="# yadm-auto-excludes"
-  exclude_header="${exclude_flag}${newline}"
+  # do nothing if there is no YADM_ENCRYPT
+  [ -e "$YADM_ENCRYPT" ] || return 0
+
+  readonly exclude_path="${YADM_REPO}/info/exclude"
+  readonly newline=$'\n'
+  readonly exclude_flag="# yadm-auto-excludes"
+
+  local exclude_header="${exclude_flag}${newline}"
   exclude_header="${exclude_header}# This section is managed by yadm."
   exclude_header="${exclude_header}${newline}"
   exclude_header="${exclude_header}# Any edits below will be lost."
   exclude_header="${exclude_header}${newline}"
 
-  # do nothing if there is no YADM_ENCRYPT
-  [ -e "$YADM_ENCRYPT" ] || return 0
-
   # read encrypt
-  encrypt_data=""
-  while IFS='' read -r line || [ -n "$line" ]; do
-    encrypt_data="${encrypt_data}${line}${newline}"
+  local encrypt_data=""
+  local pattern
+  while IFS='' read -r pattern || [ -n "$pattern" ]; do
+    case ${pattern:0:1} in
+      \#)
+        pattern=""
+        ;;
+      !)
+        # Prepend / to the pattern so that it matches the same files as in
+        # parse_encrypt (i.e. only from the root)
+        pattern="!/${pattern:1}$newline"
+        ;;
+      *)
+        if ! [[ $pattern =~ ^[[:blank:]]*(#|$) ]]; then
+          pattern="/$pattern$newline"
+        else
+          pattern=""
+        fi
+        ;;
+    esac
+    encrypt_data="${encrypt_data}${pattern}"
   done <"$YADM_ENCRYPT"
 
   # read info/exclude
-  unmanaged=""
-  managed=""
+  local unmanaged=""
+  local managed=""
   if [ -e "$exclude_path" ]; then
-    flag_seen=0
+    local -i flag_seen=0
+    local line
     while IFS='' read -r line || [ -n "$line" ]; do
       [ "$line" = "$exclude_flag" ] && flag_seen=1
-      if [ "$flag_seen" -eq 0 ]; then
-        unmanaged="${unmanaged}${line}${newline}"
-      else
+      if ((flag_seen)); then
         managed="${managed}${line}${newline}"
+      else
+        unmanaged="${unmanaged}${line}${newline}"
       fi
     done <"$exclude_path"
   fi
@@ -1926,26 +1954,44 @@ function parse_encrypt() {
   local -a exclude
   local -a include
 
-  while IFS= read -r pattern; do
-    case $pattern in
-      \#*)
+  local pattern
+  while IFS='' read -r pattern || [ -n "$pattern" ]; do
+    case ${pattern:0:1} in
+      \#)
         # Ignore comments
         ;;
-      !*)
-        exclude+=("--exclude=${pattern:1}")
+      !)
+        exclude+=("--exclude=/${pattern:1}")
         ;;
       *)
-        if ! [[ $pattern =~ ^[[:blank:]]*$ ]]; then
+        if ! [[ $pattern =~ ^[[:blank:]]*(#|$) ]]; then
           include+=("$pattern")
         fi
         ;;
     esac
   done <"$YADM_ENCRYPT"
 
-  if [[ ${#include} -gt 0 ]]; then
-    while IFS= read -r filename; do
-      ENCRYPT_INCLUDE_FILES+=("${filename%/}")
-    done <<<"$("$GIT_PROGRAM" ls-files --others "${exclude[@]}" -- "${include[@]}")"
+  if [ ${#include[@]} -gt 0 ]; then
+    while IFS='' read -r filename; do
+      if [ -n "$filename" ]; then
+        ENCRYPT_INCLUDE_FILES+=("${filename%/}")
+      fi
+    done <<<"$(
+      "$GIT_PROGRAM" --glob-pathspecs ls-files --others \
+        "${exclude[@]}" -- "${include[@]}" 2>/dev/null
+    )"
+
+    [ "$YADM_COMMAND" = "encrypt" ] || return
+
+    # List files that matches encryption pattern but is tracked
+    while IFS='' read -r filename; do
+      if [ -n "$filename" ]; then
+        NO_ENCRYPT_TRACKED_FILES+=("${filename%/}")
+      fi
+    done <<<"$(
+      "$GIT_PROGRAM" --glob-pathspecs ls-files \
+        "${exclude[@]}" -- "${include[@]}"
+    )"
   fi
 }
 

From d4796108f404cf68a351f465c1010213f3d281b4 Mon Sep 17 00:00:00 2001
From: Erik Flodin <erik@flodin.me>
Date: Thu, 27 Feb 2025 21:18:07 +0100
Subject: [PATCH 2/7] Automatically exclude alt links and template files

unless yadm.auto-exclude is set to false (#234, #465).

Alt files exclude pattern will be written to $GIT_DIR/info/exclude.yadm-alt and
encrypt files exclude patthern to ...yadm-encrypt. Then these two files will be
merged together and added to $GIT_DIR/info/exclude whenever one of them has
changed.
---
 test/test_alt.py                    |  23 ++++++
 test/test_unit_exclude_encrypted.py |   7 +-
 yadm                                | 119 ++++++++++++++++------------
 yadm.1                              |  15 +++-
 4 files changed, 110 insertions(+), 54 deletions(-)

diff --git a/test/test_alt.py b/test/test_alt.py
index ef421f7..138d609 100644
--- a/test/test_alt.py
+++ b/test/test_alt.py
@@ -217,6 +217,29 @@ def test_auto_alt(runner, yadm_cmd, paths, autoalt):
                 assert str(paths.work.join(source_file)) not in linked
 
 
+@pytest.mark.usefixtures("ds1_copy")
+@pytest.mark.parametrize("autoexclude", [None, "true", "false"])
+def test_alt_exclude(runner, yadm_cmd, paths, autoexclude):
+    """Test alt exclude"""
+
+    # set the value of auto-exclude
+    if autoexclude:
+        os.system(" ".join(yadm_cmd("config", "yadm.auto-exclude", autoexclude)))
+
+    utils.create_alt_files(paths, "##default")
+    run = runner(yadm_cmd("alt", "-d"))
+    assert run.success
+
+    run = runner(yadm_cmd("status", "-z", "-uall", "--ignored"))
+    assert run.success
+    assert run.err == ""
+    status = run.out.split("\0")
+
+    for link_path in TEST_PATHS:
+        flags = "??" if autoexclude == "false" else "!!"
+        assert f"{flags} {link_path}" in status
+
+
 @pytest.mark.usefixtures("ds1_copy")
 def test_stale_link_removal(runner, yadm_cmd, paths):
     """Stale links to alternative files are removed
diff --git a/test/test_unit_exclude_encrypted.py b/test/test_unit_exclude_encrypted.py
index bbe29fd..1daa891 100644
--- a/test/test_unit_exclude_encrypted.py
+++ b/test/test_unit_exclude_encrypted.py
@@ -9,7 +9,12 @@ import pytest
 def test_exclude_encrypted(runner, tmpdir, yadm, encrypt_exists, auto_exclude, exclude):
     """Test exclude_encrypted()"""
 
-    header = "# yadm-auto-excludes\n# This section is managed by yadm.\n# Any edits below will be lost.\n"
+    header = """\
+# yadm-auto-excludes
+# This section is managed by yadm.
+# Any edits below will be lost.
+# yadm encrypt
+"""
 
     config_function = 'function config() { echo "false";}'
     if auto_exclude:
diff --git a/yadm b/yadm
index 2dbb540..2e8bea2 100755
--- a/yadm
+++ b/yadm
@@ -691,6 +691,11 @@ function set_local_alt_values() {
 }
 
 function alt_linking() {
+  local -a exclude=()
+
+  local log="debug"
+  [ -n "$loud" ] && log="echo"
+
   local -i index
   for ((index = 0; index < ${#alt_targets[@]}; ++index)); do
     local target="${alt_targets[$index]}"
@@ -709,17 +714,17 @@ function alt_linking() {
     if [[ -n "$template_processor" ]]; then
       template "$template_processor" "$source" "$target"
     elif [[ "$do_copy" -eq 1 ]]; then
-      debug "Copying $source to $target"
-      [[ -n "$loud" ]] && echo "Copying $source to $target"
-
+      $log "Copying $source to $target"
       cp -f "$source" "$target"
     else
-      debug "Linking $source to $target"
-      [[ -n "$loud" ]] && echo "Linking $source to $target"
-
+      $log "Linking $source to $target"
       ln_relative "$source" "$target"
     fi
+
+    exclude+=("${target#"$YADM_WORK"}")
   done
+
+  update_exclude alt "${exclude[@]}"
 }
 
 function ln_relative() {
@@ -1473,18 +1478,35 @@ function version() {
 
 # ****** Utility Functions ******
 
-function exclude_encrypted() {
+function update_exclude() {
 
   local auto_exclude
   auto_exclude=$(config --bool yadm.auto-exclude)
   [ "$auto_exclude" == "false" ] && return 0
 
-  # do nothing if there is no YADM_ENCRYPT
-  [ -e "$YADM_ENCRYPT" ] || return 0
+  local exclude_path="${YADM_REPO}/info/exclude"
+  local newline=$'\n'
 
-  readonly exclude_path="${YADM_REPO}/info/exclude"
-  readonly newline=$'\n'
-  readonly exclude_flag="# yadm-auto-excludes"
+  local part_path="$exclude_path.yadm-$1"
+  local part_str
+  part_str=$(join_string "$newline" "${@:2}")
+
+  if [ -e "$part_path" ]; then
+    if [ "$part_str" = "$(<"$part_path")" ]; then
+      return
+    fi
+
+    rm -f "$part_path"
+  elif [ -z "$part_str" ]; then
+    return
+  fi
+
+  if [ -n "$part_str" ]; then
+    assert_parent "$part_path"
+    cat >"$part_path" <<<"$part_str"
+  fi
+
+  local exclude_flag="# yadm-auto-excludes"
 
   local exclude_header="${exclude_flag}${newline}"
   exclude_header="${exclude_header}# This section is managed by yadm."
@@ -1492,30 +1514,6 @@ function exclude_encrypted() {
   exclude_header="${exclude_header}# Any edits below will be lost."
   exclude_header="${exclude_header}${newline}"
 
-  # read encrypt
-  local encrypt_data=""
-  local pattern
-  while IFS='' read -r pattern || [ -n "$pattern" ]; do
-    case ${pattern:0:1} in
-      \#)
-        pattern=""
-        ;;
-      !)
-        # Prepend / to the pattern so that it matches the same files as in
-        # parse_encrypt (i.e. only from the root)
-        pattern="!/${pattern:1}$newline"
-        ;;
-      *)
-        if ! [[ $pattern =~ ^[[:blank:]]*(#|$) ]]; then
-          pattern="/$pattern$newline"
-        else
-          pattern=""
-        fi
-        ;;
-    esac
-    encrypt_data="${encrypt_data}${pattern}"
-  done <"$YADM_ENCRYPT"
-
   # read info/exclude
   local unmanaged=""
   local managed=""
@@ -1532,14 +1530,39 @@ function exclude_encrypted() {
     done <"$exclude_path"
   fi
 
-  if [ "${exclude_header}${encrypt_data}" != "$managed" ]; then
+  local exclude_str=""
+  for suffix in alt encrypt; do
+    if [ -e "${exclude_path}.yadm-$suffix" ]; then
+      local header="# yadm $suffix$newline"
+      exclude_str="$exclude_str$header$(<"$exclude_path".yadm-"$suffix")"
+    fi
+  done
+
+  if [ "${exclude_header}${exclude_str}${newline}" != "$managed" ]; then
     debug "Updating ${exclude_path}"
-    assert_parent "$exclude_path"
-    printf "%s" "${unmanaged}${exclude_header}${encrypt_data}" >"$exclude_path"
+    cat >"$exclude_path" <<<"${unmanaged}${exclude_header}${exclude_str}"
   fi
 
   return 0
+}
 
+function exclude_encrypted() {
+  local -a exclude=()
+
+  if [ -r "$YADM_ENCRYPT" ]; then
+    local pattern
+    while IFS='' read -r pattern || [ -n "$pattern" ]; do
+      # Prepend / to the pattern so that it matches the same files as in
+      # parse_encrypt (i.e. only from the root)
+      if [ "${pattern:0:1}" = "!" ]; then
+        exclude+=("!/${pattern:1}")
+      elif ! [[ $pattern =~ ^[[:blank:]]*(#|$) ]]; then
+        exclude+=("/$pattern")
+      fi
+    done <"$YADM_ENCRYPT"
+  fi
+
+  update_exclude encrypt "${exclude[@]}"
 }
 
 function query_distro() {
@@ -1956,19 +1979,11 @@ function parse_encrypt() {
 
   local pattern
   while IFS='' read -r pattern || [ -n "$pattern" ]; do
-    case ${pattern:0:1} in
-      \#)
-        # Ignore comments
-        ;;
-      !)
-        exclude+=("--exclude=/${pattern:1}")
-        ;;
-      *)
-        if ! [[ $pattern =~ ^[[:blank:]]*(#|$) ]]; then
-          include+=("$pattern")
-        fi
-        ;;
-    esac
+    if [ "${pattern:0:1}" = "!" ]; then
+      exclude+=("--exclude=/${pattern:1}")
+    elif ! [[ $pattern =~ ^[[:blank:]]*(#|$) ]]; then
+      include+=("$pattern")
+    fi
   done <"$YADM_ENCRYPT"
 
   if [ ${#include[@]} -gt 0 ]; then
diff --git a/yadm.1 b/yadm.1
index caa37de..52ef994 100644
--- a/yadm.1
+++ b/yadm.1
@@ -363,7 +363,8 @@ you may still run "yadm alt" manually to create the alternate links. This
 feature is enabled by default.
 .TP
 .B yadm.auto-exclude
-Disable the automatic exclusion of patterns defined in
+Disable the automatic exclusion of created alternate links, template files and
+patterns defined in
 .IR $HOME/.config/yadm/encrypt .
 This feature is enabled by default.
 .TP
@@ -614,6 +615,12 @@ configuration.
 Even if disabled, links can be manually created by running
 .BR "yadm alt" .
 
+Created links are automatically added to the repository's
+.I info/exclude
+file. This can be disabled using the
+.I yadm.auto-exclude
+configuration.
+
 Class is a special value which is stored locally on each host (inside the local
 repository). To use alternate symlinks using class, you must set the value of
 class using the configuration
@@ -748,6 +755,12 @@ would look like:
   <%+ whatever.extra %>
   <% fi -%>
 
+Created files are automatically added to the repository's
+.I info/exclude
+file. This can be disabled using the
+.I yadm.auto-exclude
+configuration.
+
 .SH ENCRYPTION
 
 It can be useful to manage confidential files, like SSH or GPG keys, across

From 9ff5e0965077756cd9d8bdde82231456a60d2ad3 Mon Sep 17 00:00:00 2001
From: AaronYoung5 <aryoung@mit.edu>
Date: Sun, 2 Mar 2025 22:05:15 +0100
Subject: [PATCH 3/7] Add support for negative alt conditions (#522)

---
 test/test_unit_score_file.py | 73 ++++++++++++++++++++++++++++++++++++
 yadm                         | 27 ++++++++-----
 yadm.1                       | 24 +++++++++---
 3 files changed, 109 insertions(+), 15 deletions(-)

diff --git a/test/test_unit_score_file.py b/test/test_unit_score_file.py
index 9952c0c..d5412c1 100644
--- a/test/test_unit_score_file.py
+++ b/test/test_unit_score_file.py
@@ -321,3 +321,76 @@ def test_underscores_and_upper_case_in_distro_and_family(runner, yadm):
     assert run.success
     assert run.err == ""
     assert run.out == expected
+
+
+def test_negative_class_condition(runner, yadm):
+    """Test negative class condition: returns 0 when matching and proper score when not matching."""
+    script = f"""
+        YADM_TEST=1 source {yadm}
+        local_class="testclass"
+        local_classes=("testclass")
+
+        # 0
+        score=0
+        score_file "filename##~class.testclass" "dest"
+        echo "score: $score"
+
+        # 16
+        score=0
+        score_file "filename##~class.badclass" "dest"
+        echo "score2: $score"
+
+        # 16
+        score=0
+        score_file "filename##~c.badclass" "dest"
+        echo "score3: $score"
+    """
+    run = runner(command=["bash"], inp=script)
+    assert run.success
+    output = run.out.strip().splitlines()
+    assert output[0] == "score: 0"
+    assert output[1] == "score2: 16"
+    assert output[2] == "score3: 16"
+
+
+def test_negative_combined_conditions(runner, yadm):
+    """Test negative conditions for multiple alt types: returns 0 when matching and proper score when not matching."""
+    script = f"""
+        YADM_TEST=1 source {yadm}
+        local_class="testclass"
+        local_classes=("testclass")
+        local_distro="testdistro"
+
+        # (0) + (0) = 0
+        score=0
+        score_file "filename##~class.testclass,~distro.testdistro" "dest"
+        echo "score: $score"
+
+        # (1000 + 16) + (1000 + 4) = 2020
+        score=0
+        score_file "filename##class.testclass,distro.testdistro" "dest"
+        echo "score2: $score"
+
+        # 0 (negated class condition)
+        score=0
+        score_file "filename##~class.badclass,~distro.testdistro" "dest"
+        echo "score3: $score"
+
+        # (1000 + 16) + (4) = 1020
+        score=0
+        score_file "filename##class.testclass,~distro.baddistro" "dest"
+        echo "score4: $score"
+
+        # (1000 + 16) + (16) = 1032
+        score=0
+        score_file "filename##class.testclass,~class.badclass" "dest"
+        echo "score5: $score"
+    """
+    run = runner(command=["bash"], inp=script)
+    assert run.success
+    output = run.out.strip().splitlines()
+    assert output[0] == "score: 0"
+    assert output[1] == "score2: 2020"
+    assert output[2] == "score3: 0"
+    assert output[3] == "score4: 1020"
+    assert output[4] == "score5: 1032"
diff --git a/yadm b/yadm
index 2e8bea2..dccb7c9 100755
--- a/yadm
+++ b/yadm
@@ -180,32 +180,39 @@ function score_file() {
     local value=${field#*.}
     [ "$field" = "$label" ] && value="" # when .value is omitted
 
+    # Check for negative condition prefix (e.g., "~<label>")
+    local negate=0
+    if [ "${label:0:1}" = "~" ]; then
+      negate=1
+      label="${label:1}"
+    fi
+
     shopt -s nocasematch
-    local -i delta=-1
+    local -i delta=$((negate ? 1 : -1))
     case "$label" in
       default)
         delta=0
         ;;
       a | arch)
-        [[ "$value" = "$local_arch" ]] && delta=1
+        [[ "$value" = "$local_arch" ]] && delta=1 || delta=-1
         ;;
       o | os)
-        [[ "$value" = "$local_system" ]] && delta=2
+        [[ "$value" = "$local_system" ]] && delta=2 || delta=-2
         ;;
       d | distro)
-        [[ "${value// /_}" = "${local_distro// /_}" ]] && delta=4
+        [[ "${value// /_}" = "${local_distro// /_}" ]] && delta=4 || delta=-4
         ;;
       f | distro_family)
-        [[ "${value// /_}" = "${local_distro_family// /_}" ]] && delta=8
+        [[ "${value// /_}" = "${local_distro_family// /_}" ]] && delta=8 || delta=-8
         ;;
       c | class)
-        in_list "$value" "${local_classes[@]}" && delta=16
+        in_list "$value" "${local_classes[@]}" && delta=16 || delta=-16
         ;;
       h | hostname)
-        [[ "$value" = "$local_host" ]] && delta=32
+        [[ "$value" = "$local_host" ]] && delta=32 || delta=-32
         ;;
       u | user)
-        [[ "$value" = "$local_user" ]] && delta=64
+        [[ "$value" = "$local_user" ]] && delta=64 || delta=-64
         ;;
       e | extension)
         # extension isn't a condition and doesn't affect the score
@@ -231,11 +238,13 @@ function score_file() {
     esac
     shopt -u nocasematch
 
+    ((negate)) && delta=$((-delta))
     if ((delta < 0)); then
       score=0
       return
     fi
-    score=$((score + 1000 + delta))
+    ((negate)) || delta=$((delta + 1000))
+    score=$((score + delta))
   done
 
   record_score "$score" "$target" "$source" "$template_processor"
diff --git a/yadm.1 b/yadm.1
index 52ef994..fd631ad 100644
--- a/yadm.1
+++ b/yadm.1
@@ -476,9 +476,11 @@ commas.
 
 Each condition is an attribute/value pair, separated by a period. Some
 conditions do not require a "value", and in that case, the period and value can
-be omitted. Most attributes can be abbreviated as a single letter.
+be omitted. Most attributes can be abbreviated as a single letter. Prefixing an
+attribute with "~" negates the condition, meaning the condition is considered
+only if the attribute/value pair evaluates to false.
 
-  <attribute>[.<value>]
+  [~]<attribute>[.<value>]
 
 .BR NOTE :
 Value is compared case-insensitive.
@@ -555,9 +557,10 @@ symbolic links will be created for the most appropriate version.
 
 The "most appropriate" version is determined by calculating a score for each
 version of a file. A template is always scored higher than any symlink
-condition. The number of conditions is the next largest factor in scoring.
-Files with more conditions will always be favored. Any invalid condition will
-disqualify that file completely.
+condition. The number of conditions is the next largest factor in scoring;
+files with more conditions will always be favored. Negative conditions (prefixed
+with "~") are scored only relative to the number of non-negated conditions.
+Any invalid condition will disqualify that file completely.
 
 If you don't care to have all versions of alternates stored in the same
 directory as the generated symlink, you can place them in the
@@ -576,6 +579,7 @@ files are managed by yadm's repository:
   - $HOME/path/example.txt##os.Linux
   - $HOME/path/example.txt##os.Linux,hostname.host1
   - $HOME/path/example.txt##os.Linux,hostname.host2
+  - $HOME/path/example.txt##class.Work,~os.Darwin
 
 If running on a Macbook named "host2",
 yadm will create a symbolic link which looks like this:
@@ -598,10 +602,18 @@ If running on a Solaris server, the link will use the default version:
 
 .IR $HOME/path/example.txt " -> " $HOME/path/example.txt##default
 
-If running on a system, with class set to "Work", the link will be:
+If running on a Macbook with class set to "Work", the link will be:
 
 .IR $HOME/path/example.txt " -> " $HOME/path/example.txt##class.Work
 
+Negative conditions are supported via the "~" prefix. If again running on a system
+with class set to "Work", but instead within Windows Subsystem for Linux, where the
+os is reported as WSL, the link will be:
+
+.IR $HOME/path/example.txt " -> " $HOME/path/example.txt##class.Work,~os.Darwin
+
+Negative conditions use the same weight which corresponds to the attached attribute.
+
 If no "##default" version exists and no files have valid conditions, then no
 link will be created.
 

From bee1558a4edc3b4ad392be8373a8dda2f8c08793 Mon Sep 17 00:00:00 2001
From: Erik Flodin <erik@flodin.me>
Date: Sun, 2 Mar 2025 22:18:09 +0100
Subject: [PATCH 4/7] Minor cleanups of alt handling

Also correct alt conditions precedence list in manual.
---
 yadm   | 11 +++++++----
 yadm.1 | 23 +++++++++++------------
 2 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/yadm b/yadm
index dccb7c9..c239f65 100755
--- a/yadm
+++ b/yadm
@@ -191,7 +191,11 @@ function score_file() {
     local -i delta=$((negate ? 1 : -1))
     case "$label" in
       default)
-        delta=0
+        if ((negate)); then
+          INVALID_ALT+=("$source")
+        else
+          delta=0
+        fi
         ;;
       a | arch)
         [[ "$value" = "$local_arch" ]] && delta=1 || delta=-1
@@ -219,7 +223,7 @@ function score_file() {
         continue
         ;;
       t | template | yadm)
-        if [ -d "$source" ]; then
+        if [ -d "$source" ] || ((negate)); then
           INVALID_ALT+=("$source")
         else
           template_processor=$(choose_template_processor "$value")
@@ -243,8 +247,7 @@ function score_file() {
       score=0
       return
     fi
-    ((negate)) || delta=$((delta + 1000))
-    score=$((score + delta))
+    score=$((score + delta + (negate ? 0 : 1000)))
   done
 
   record_score "$score" "$target" "$source" "$template_processor"
diff --git a/yadm.1 b/yadm.1
index fd631ad..9145b24 100644
--- a/yadm.1
+++ b/yadm.1
@@ -512,6 +512,12 @@ Class must be manually set using
 See the CONFIGURATION section for more details about setting
 .BR local.class .
 .TP
+.BR distro_family ,\  f
+Valid if the value matches the distro family.
+Distro family is calculated by inspecting the ID_LIKE line from
+.B "/etc/os-release"
+(or ID if no ID_LIKE line is found).
+.TP
 .BR distro ,\  d
 Valid if the value matches the distro.
 Distro is calculated by running
@@ -519,12 +525,6 @@ Distro is calculated by running
 or by inspecting the ID from
 .BR "/etc/os-release" .
 .TP
-.BR distro_family ,\  f
-Valid if the value matches the distro family.
-Distro family is calculated by inspecting the ID_LIKE line from
-.B "/etc/os-release"
-(or ID if no ID_LIKE line is found).
-.TP
 .BR os ,\  o
 Valid if the value matches the OS.
 OS is calculated by running
@@ -573,13 +573,13 @@ files are managed by yadm's repository:
 
   - $HOME/path/example.txt##default
   - $HOME/path/example.txt##class.Work
+  - $HOME/path/example.txt##class.Work,~os.Darwin
   - $HOME/path/example.txt##os.Darwin
   - $HOME/path/example.txt##os.Darwin,hostname.host1
   - $HOME/path/example.txt##os.Darwin,hostname.host2
   - $HOME/path/example.txt##os.Linux
   - $HOME/path/example.txt##os.Linux,hostname.host1
   - $HOME/path/example.txt##os.Linux,hostname.host2
-  - $HOME/path/example.txt##class.Work,~os.Darwin
 
 If running on a Macbook named "host2",
 yadm will create a symbolic link which looks like this:
@@ -606,14 +606,13 @@ If running on a Macbook with class set to "Work", the link will be:
 
 .IR $HOME/path/example.txt " -> " $HOME/path/example.txt##class.Work
 
-Negative conditions are supported via the "~" prefix. If again running on a system
-with class set to "Work", but instead within Windows Subsystem for Linux, where the
-os is reported as WSL, the link will be:
+Since class has higher precedence than os, this version is chosen.
+
+If running on a system with class set to "Work", but instead within Windows
+Subsystem for Linux, where the os is reported as WSL, the link will be:
 
 .IR $HOME/path/example.txt " -> " $HOME/path/example.txt##class.Work,~os.Darwin
 
-Negative conditions use the same weight which corresponds to the attached attribute.
-
 If no "##default" version exists and no files have valid conditions, then no
 link will be created.
 

From 2ac90b004c014d861784e3c796321fe2c8cb6e52 Mon Sep 17 00:00:00 2001
From: Erik Flodin <erik@flodin.me>
Date: Mon, 3 Mar 2025 21:36:36 +0100
Subject: [PATCH 5/7] Fix handling of filenames with space in bash completion
 (#341)

By calling __gitcompappend with the same suffix as the completion for git
does (i.e. " ") we can remove the call to sort -u as it is no longer
needed (bash seems to remove duplicates) and then spaces are handled correctly.

Also make the completion available in testhost.
---
 Makefile             |  1 +
 completion/bash/yadm | 67 ++++++++++++++++++--------------------------
 2 files changed, 29 insertions(+), 39 deletions(-)

diff --git a/Makefile b/Makefile
index db48512..cf6695a 100644
--- a/Makefile
+++ b/Makefile
@@ -123,6 +123,7 @@ testhost: require-docker .testyadm
 		--hostname testhost \
 		--rm -it \
 		-v "$(CURDIR)/.testyadm:/bin/yadm:ro" \
+		-v "$(CURDIR)/completion/bash/yadm:/usr/share/bash-completion/completions/yadm:ro" \
 		$(IMAGE) \
 		bash -l
 
diff --git a/completion/bash/yadm b/completion/bash/yadm
index bb3609d..def0c66 100644
--- a/completion/bash/yadm
+++ b/completion/bash/yadm
@@ -1,88 +1,85 @@
 # test if git completion is missing, but loader exists, attempt to load
-if ! declare -F _git > /dev/null && ! declare -F __git_wrap__git_main > /dev/null; then
-  if declare -F _completion_loader > /dev/null; then
+if ! declare -F _git >/dev/null && ! declare -F __git_wrap__git_main >/dev/null; then
+  if declare -F _completion_loader >/dev/null; then
     _completion_loader git
   fi
 fi
 
 # only operate if git completion is present
-if declare -F _git > /dev/null || declare -F __git_wrap__git_main > /dev/null; then
+if declare -F _git >/dev/null || declare -F __git_wrap__git_main >/dev/null; then
 
   _yadm() {
 
     local current=${COMP_WORDS[COMP_CWORD]}
     local penultimate
-    if [ "$((COMP_CWORD-1))" -ge "0" ]; then
-      penultimate=${COMP_WORDS[COMP_CWORD-1]}
+    if ((COMP_CWORD >= 1)); then
+      penultimate=${COMP_WORDS[COMP_CWORD - 1]}
     fi
     local antepenultimate
-    if [ "$((COMP_CWORD-2))" -ge "0" ]; then
-      antepenultimate=${COMP_WORDS[COMP_CWORD-2]}
+    if ((COMP_CWORD >= 2)); then
+      antepenultimate=${COMP_WORDS[COMP_CWORD - 2]}
     fi
 
     local -x GIT_DIR
-    # shellcheck disable=SC2034
     GIT_DIR="$(yadm introspect repo 2>/dev/null)"
 
     case "$penultimate" in
       bootstrap)
         COMPREPLY=()
         return 0
-      ;;
+        ;;
       config)
-        COMPREPLY=( $(compgen -W "$(yadm introspect configs 2>/dev/null)") )
+        COMPREPLY=($(compgen -W "$(yadm introspect configs 2>/dev/null)"))
         return 0
-		  ;;
+        ;;
       decrypt)
-        COMPREPLY=( $(compgen -W "-l" -- "$current") )
+        COMPREPLY=($(compgen -W "-l" -- "$current"))
         return 0
-		  ;;
+        ;;
       init)
-        COMPREPLY=( $(compgen -W "-f -w" -- "$current") )
+        COMPREPLY=($(compgen -W "-f -w" -- "$current"))
         return 0
-		  ;;
+        ;;
       introspect)
-        COMPREPLY=( $(compgen -W "commands configs repo switches" -- "$current") )
+        COMPREPLY=($(compgen -W "commands configs repo switches" -- "$current"))
         return 0
-		  ;;
+        ;;
       help)
         COMPREPLY=() # no specific help yet
         return 0
-      ;;
+        ;;
       list)
-        COMPREPLY=( $(compgen -W "-a" -- "$current") )
+        COMPREPLY=($(compgen -W "-a" -- "$current"))
         return 0
-		  ;;
+        ;;
     esac
 
     case "$antepenultimate" in
       clone)
-        COMPREPLY=( $(compgen -W "-f -w -b --bootstrap --no-bootstrap" -- "$current") )
+        COMPREPLY=($(compgen -W "-f -w -b --bootstrap --no-bootstrap" -- "$current"))
         return 0
-		  ;;
+        ;;
     esac
 
-    local yadm_switches=( $(yadm introspect switches 2>/dev/null) )
+    local yadm_switches=($(yadm introspect switches 2>/dev/null))
 
     # this condition is so files are completed properly for --yadm-xxx options
     if [[ " ${yadm_switches[*]} " != *" $penultimate "* ]]; then
       # TODO: somehow solve the problem with [--yadm-xxx option] being
       #       incompatible with what git expects, namely [--arg=option]
-      if declare -F _git > /dev/null; then
+      if declare -F _git >/dev/null; then
         _git
       else
         __git_wrap__git_main
       fi
     fi
     if [[ "$current" =~ ^- ]]; then
-      local matching
-      matching=$(compgen -W "${yadm_switches[*]}" -- "$current")
-      __gitcompappend "$matching"
+      __gitcompappend "${yadm_switches[*]}" "" "$current" " "
     fi
 
     # Find the index of where the sub-command argument should go.
     local command_idx
-    for (( command_idx=1 ; command_idx < ${#COMP_WORDS[@]} ; command_idx++ )); do
+    for ((command_idx = 1; command_idx < ${#COMP_WORDS[@]}; command_idx++)); do
       local command_idx_arg="${COMP_WORDS[$command_idx]}"
       if [[ " ${yadm_switches[*]} " = *" $command_idx_arg "* ]]; then
         let command_idx++
@@ -93,19 +90,11 @@ if declare -F _git > /dev/null || declare -F __git_wrap__git_main > /dev/null; t
       fi
     done
     if [[ "$COMP_CWORD" = "$command_idx" ]]; then
-      local matching
-      matching=$(compgen -W "$(yadm introspect commands 2>/dev/null)" -- "$current")
-      __gitcompappend "$matching"
+      __gitcompappend "$(yadm introspect commands 2>/dev/null)" "" "$current" " "
     fi
-
-    # remove duplicates found in COMPREPLY (a native bash way could be better)
-    if [ -n "${COMPREPLY[*]}" ]; then
-      COMPREPLY=($(echo "${COMPREPLY[@]}" | sort -u))
-    fi
-
   }
 
-	complete -o bashdefault -o default -F _yadm yadm 2>/dev/null \
-		|| complete -o default -F _yadm yadm
+  complete -o bashdefault -o default -o nospace -F _yadm yadm 2>/dev/null ||
+    complete -o default -o nospace -F _yadm yadm
 
 fi

From 0e0172769decc8c6098b17b4c2d8d952f99c6068 Mon Sep 17 00:00:00 2001
From: Erik Flodin <erik@flodin.me>
Date: Tue, 25 Feb 2025 23:47:08 +0100
Subject: [PATCH 6/7] Add yadm.filename variable to default template processor

Similar to yadm.source but reflects the current file also in included
files (#520).
---
 test/test_unit_template_default.py | 12 +++++++-----
 yadm                               |  6 ++++--
 yadm.1                             |  1 +
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/test/test_unit_template_default.py b/test/test_unit_template_default.py
index 3c071c5..a4532c2 100644
--- a/test/test_unit_template_default.py
+++ b/test/test_unit_template_default.py
@@ -141,7 +141,7 @@ end of template
 
 INCLUDE_BASIC = "basic\n"
 INCLUDE_VARIABLES = """\
-included <{{ yadm.class }}> file
+included <{{ yadm.class }}> file ({{yadm.filename}})
 
 empty line above
 """
@@ -151,8 +151,8 @@ TEMPLATE_INCLUDE = """\
 The first line
 {% include empty %}
 An empty file removes the line above
-{%include basic%}
-{% include "./variables.{{ yadm.os }}"  %}
+{%include ./basic%}
+{% include "variables.{{ yadm.os }}"  %}
   {% include dir/nested %}
 Include basic again:
 {% include basic %}
@@ -161,7 +161,7 @@ EXPECTED_INCLUDE = f"""\
 The first line
 An empty file removes the line above
 basic
-included <{LOCAL_CLASS}> file
+included <{LOCAL_CLASS}> file (VARIABLES_FILENAME)
 
 empty line above
 no newline at the end
@@ -280,6 +280,8 @@ def test_include(runner, yadm, tmpdir):
     input_file.chmod(FILE_MODE)
     output_file = tmpdir.join("output")
 
+    expected = EXPECTED_INCLUDE.replace("VARIABLES_FILENAME", str(variables_file))
+
     script = f"""
         YADM_TEST=1 source {yadm}
         set_awk
@@ -290,7 +292,7 @@ def test_include(runner, yadm, tmpdir):
     run = runner(command=["bash"], inp=script)
     assert run.success
     assert run.err == ""
-    assert output_file.read() == EXPECTED_INCLUDE
+    assert output_file.read() == expected
     assert os.stat(output_file).st_mode == os.stat(input_file).st_mode
 
 
diff --git a/yadm b/yadm
index c239f65..473a7b1 100755
--- a/yadm
+++ b/yadm
@@ -379,7 +379,7 @@ BEGIN {
   yadm["user"] = user
   yadm["distro"] = distro
   yadm["distro_family"] = distro_family
-  yadm["source"] = source
+  yadm["source"] = ARGV[1]
 
   VARIABLE = "(env|yadm)\\.[a-zA-Z0-9_]+"
 
@@ -469,6 +469,9 @@ function replace_vars(input) {
     if (fields[1] == "env") {
       output = output ENVIRON[fields[2]]
     }
+    else if (fields[2] == "filename") {
+      output = output filename[current]
+    }
     else {
       output = output yadm[fields[2]]
     }
@@ -485,7 +488,6 @@ EOF
     -v user="$local_user" \
     -v distro="$local_distro" \
     -v distro_family="$local_distro_family" \
-    -v source="$input" \
     -v source_dir="$(builtin_dirname "$input")" \
     "$awk_pgm" \
     "$input" "${local_classes[@]}"
diff --git a/yadm.1 b/yadm.1
index 9145b24..eb68337 100644
--- a/yadm.1
+++ b/yadm.1
@@ -705,6 +705,7 @@ During processing, the following variables are available in the template:
  yadm.classes         YADM_CLASSES         All classes
  yadm.distro          YADM_DISTRO          lsb_release \-si
  yadm.distro_family   YADM_DISTRO_FAMILY   ID_LIKE from /etc/os-release
+ yadm.filename                             Filename for the current file
  yadm.hostname        YADM_HOSTNAME        uname \-n (without domain)
  yadm.os              YADM_OS              uname \-s
  yadm.source          YADM_SOURCE          Template filename

From 4f4c5e29141aa0ed0cbadd4eb27d4da21b01d290 Mon Sep 17 00:00:00 2001
From: Erik Flodin <erik@flodin.me>
Date: Tue, 4 Mar 2025 00:01:45 +0100
Subject: [PATCH 7/7] Update CHANGES and prepare for 3.5.0

---
 CHANGES      |   9 +++
 CONTRIBUTORS |   1 +
 README.md    |   2 +-
 yadm         |   2 +-
 yadm.1       |   2 +-
 yadm.md      | 178 +++++++++++++++++++++++++++++----------------------
 yadm.spec    |   2 +-
 7 files changed, 114 insertions(+), 82 deletions(-)

diff --git a/CHANGES b/CHANGES
index 96c3c5b..d361d1f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,12 @@
+3.5.0
+  * Silence warnings when collecting alt files (#521)
+  * Adjust handling of encrypt patterns to match 3.3.0 and older
+  * Make encrypt exclude patterns only match encrypted files
+  * Automatically exclude alt and template files (#234)
+  * Support negative alt conditions (#365)
+  * Handle filenames with space in bash completion (#341)
+  * Add new yadm.filename template variable (#520)
+
 3.4.0
   * Improve and harden alt file regeneration (#466)
   * Fix "yadm config" in fish completion (#491)
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index 7975524..eec1cba 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -9,6 +9,7 @@ Jonathan Daigle
 Luis López
 Tin Lai
 Espen Henriksen
+AaronYoung5
 Cameron Eagans
 Klas Mellbourn
 James Clark
diff --git a/README.md b/README.md
index abc7335..dd108e0 100644
--- a/README.md
+++ b/README.md
@@ -78,7 +78,7 @@ The star count helps others discover yadm.
 [master-badge]: https://img.shields.io/github/actions/workflow/status/yadm-dev/yadm/test.yml?branch=master
 [master-commits]: https://github.com/yadm-dev/yadm/commits/master
 [master-date]: https://img.shields.io/github/last-commit/yadm-dev/yadm/master.svg?label=master
-[obs-badge]: https://img.shields.io/badge/OBS-v3.4.0-blue
+[obs-badge]: https://img.shields.io/badge/OBS-v3.5.0-blue
 [obs-link]: https://software.opensuse.org/download.html?project=home%3ATheLocehiliosan%3Ayadm&package=yadm
 [releases-badge]: https://img.shields.io/github/tag/yadm-dev/yadm.svg?label=latest+release
 [releases-link]: https://github.com/yadm-dev/yadm/releases
diff --git a/yadm b/yadm
index 473a7b1..34d951c 100755
--- a/yadm
+++ b/yadm
@@ -22,7 +22,7 @@ if [ -z "$BASH_VERSION" ]; then
   [ "$YADM_TEST" != 1 ] && exec bash "$0" "$@"
 fi
 
-VERSION=3.4.0
+VERSION=3.5.0
 
 YADM_WORK="$HOME"
 YADM_DIR=
diff --git a/yadm.1 b/yadm.1
index eb68337..3affda7 100644
--- a/yadm.1
+++ b/yadm.1
@@ -1,5 +1,5 @@
 .\" vim: set spell so=8:
-.TH YADM 1 "February 9, 2025" "3.4.0"
+.TH YADM 1 "March 3, 2025" "3.5.0"
 
 .SH NAME
 
diff --git a/yadm.md b/yadm.md
index fa8c412..9f98206 100644
--- a/yadm.md
+++ b/yadm.md
@@ -269,8 +269,9 @@
               create the alternate links. This feature is enabled by default.
 
        yadm.auto-exclude
-              Disable   the   automatic   exclusion  of  patterns  defined  in
-              $HOME/.config/yadm/encrypt.  This feature is enabled by default.
+              Disable the automatic exclusion of created alternate links, tem‐
+              plate  files and patterns defined in $HOME/.config/yadm/encrypt.
+              This feature is enabled by default.
 
        yadm.auto-perms
               Disable the automatic permission changes described in  the  sec‐
@@ -382,9 +383,11 @@
        Each  condition is an attribute/value pair, separated by a period. Some
        conditions do not require a "value", and in that case, the  period  and
        value  can  be  omitted. Most attributes can be abbreviated as a single
-       letter.
+       letter. Prefixing an attribute with "~" negates the condition,  meaning
+       the  condition is considered only if the attribute/value pair evaluates
+       to false.
 
-         <attribute>[.<value>]
+         [~]<attribute>[.<value>]
 
        NOTE: Value is compared case-insensitive.
 
@@ -410,16 +413,16 @@
               the CONFIGURATION section for more  details  about  setting  lo‐
               cal.class.
 
+       distro_family, f
+              Valid  if the value matches the distro family.  Distro family is
+              calculated by inspecting the ID_LIKE line  from  /etc/os-release
+              (or ID if no ID_LIKE line is found).
+
        distro, d
               Valid  if the value matches the distro.  Distro is calculated by
               running lsb_release -si or by inspecting the ID from /etc/os-re‐
               lease.
 
-       distro_family, f
-              Valid if the value matches the distro family.  Distro family  is
-              calculated  by  inspecting the ID_LIKE line from /etc/os-release
-              (or ID if no ID_LIKE line is found).
-
        os, o  Valid if the value matches the OS.  OS is calculated by  running
               uname -s.
 
@@ -449,8 +452,10 @@
        The "most appropriate" version is determined by calculating a score for
        each version of a file. A template is always  scored  higher  than  any
        symlink  condition. The number of conditions is the next largest factor
-       in scoring.  Files with more conditions will always be favored. Any in‐
-       valid condition will disqualify that file completely.
+       in scoring; files with more conditions will always be favored. Negative
+       conditions (prefixed with "~") are scored only relative to  the  number
+       of  non-negated conditions.  Any invalid condition will disqualify that
+       file completely.
 
        If you don't care to have all versions of alternates stored in the same
        directory  as  the  generated  symlink,  you  can  place  them  in  the
@@ -462,6 +467,7 @@
 
          - $HOME/path/example.txt##default
          - $HOME/path/example.txt##class.Work
+         - $HOME/path/example.txt##class.Work,~os.Darwin
          - $HOME/path/example.txt##os.Darwin
          - $HOME/path/example.txt##os.Darwin,hostname.host1
          - $HOME/path/example.txt##os.Darwin,hostname.host2
@@ -491,10 +497,18 @@
 
        $HOME/path/example.txt -> $HOME/path/example.txt##default
 
-       If running on a system, with class set to "Work", the link will be:
+       If running on a Macbook with class set to "Work", the link will be:
 
        $HOME/path/example.txt -> $HOME/path/example.txt##class.Work
 
+       Since class has higher precedence than os, this version is chosen.
+
+       If  running  on  a  system with class set to "Work", but instead within
+       Windows Subsystem for Linux, where the os is reported as WSL, the  link
+       will be:
+
+       $HOME/path/example.txt -> $HOME/path/example.txt##class.Work,~os.Darwin
+
        If  no  "##default"  version exists and no files have valid conditions,
        then no link will be created.
 
@@ -505,47 +519,50 @@
        abled  using  the yadm.auto-alt configuration.  Even if disabled, links
        can be manually created by running yadm alt.
 
-       Class is a special value which is stored locally on each  host  (inside
-       the  local repository). To use alternate symlinks using class, you must
-       set the value of class using the configuration  local.class.   This  is
+       Created links are automatically added to the repository's  info/exclude
+       file. This can be disabled using the yadm.auto-exclude configuration.
+
+       Class  is  a special value which is stored locally on each host (inside
+       the local repository). To use alternate symlinks using class, you  must
+       set  the  value  of class using the configuration local.class.  This is
        set like any other yadm configuration with the yadm config command. The
        following sets the class to be "Work".
 
          yadm config local.class Work
 
-       Similarly,  the values of architecture, os, hostname, user, distro, and
-       distro_family can be manually overridden using  the  configuration  op‐
-       tions  local.arch,  local.os, local.hostname, local.user, local.distro,
+       Similarly, the values of architecture, os, hostname, user, distro,  and
+       distro_family  can  be  manually overridden using the configuration op‐
+       tions local.arch, local.os, local.hostname,  local.user,  local.distro,
        and local.distro-family.
 
 
 ## TEMPLATES
-       If a template condition is defined in an alternate file's "##"  suffix,
+       If  a template condition is defined in an alternate file's "##" suffix,
        and the necessary dependencies for the template are available, then the
        file will be processed to create or overwrite files.
 
        Supported template processors:
 
        default
-              This  is  yadm's  built-in template processor. This processor is
-              very basic, with a Jinja-like  syntax.  The  advantage  of  this
-              processor  is  that it only depends upon awk, which is available
-              on most *nix systems. To use this processor, specify  the  value
+              This is yadm's built-in template processor.  This  processor  is
+              very  basic,  with  a  Jinja-like  syntax. The advantage of this
+              processor is that it only depends upon awk, which  is  available
+              on  most  *nix systems. To use this processor, specify the value
               of "default" or just leave the value off (e.g. "##template").
 
               NOTE: This template processor performs case-insensitive compari‐
               sions in if statements.
 
        ESH    ESH is a template processor written in POSIX compliant shell. It
-              allows  executing  shell  commands within templates. This can be
-              used to reference your own configurations within templates,  for
+              allows executing shell commands within templates.  This  can  be
+              used  to reference your own configurations within templates, for
               example:
 
                 <% yadm config mysection.myconfig %>
 
               To use the ESH template processor, specify the value of "esh"
 
-       j2cli  To  use the j2cli Jinja template processor, specify the value of
+       j2cli  To use the j2cli Jinja template processor, specify the value  of
               "j2"  or "j2cli".
 
        envtpl To use the envtpl Jinja template processor, specify the value of
@@ -555,10 +572,10 @@
        NOTE: Specifying "j2" as the processor will attempt to use j2cli or en‐
        vtpl, whichever is available.
 
-       If the template processor specified is  available,  templates  will  be
+       If  the  template  processor  specified is available, templates will be
        processed to create or overwrite files.
 
-       During  processing,  the  following variables are available in the tem‐
+       During processing, the following variables are available  in  the  tem‐
        plate:
 
         Default              Jinja or ESH         Description
@@ -568,6 +585,8 @@
         yadm.classes         YADM_CLASSES         All classes
         yadm.distro          YADM_DISTRO          lsb_release -si
         yadm.distro_family   YADM_DISTRO_FAMILY   ID_LIKE from /etc/os-release
+        yadm.filename                              Filename  for  the  current
+       file
         yadm.hostname        YADM_HOSTNAME        uname -n (without domain)
         yadm.os              YADM_OS              uname -s
         yadm.source          YADM_SOURCE          Template filename
@@ -621,58 +640,61 @@
          <%+ whatever.extra %>
          <% fi -%>
 
+       Created  files are automatically added to the repository's info/exclude
+       file. This can be disabled using the yadm.auto-exclude configuration.
+
 
 ## ENCRYPTION
-       It  can  be  useful to manage confidential files, like SSH or GPG keys,
-       across multiple systems. However, doing so would put  plain  text  data
+       It can be useful to manage confidential files, like SSH  or  GPG  keys,
+       across  multiple  systems.  However, doing so would put plain text data
        into a Git repository, which often resides on a public system. yadm can
-       make  it  easy  to  encrypt and decrypt a set of files so the encrypted
-       version can be maintained in the Git  repository.   This  feature  will
+       make it easy to encrypt and decrypt a set of  files  so  the  encrypted
+       version  can  be  maintained  in the Git repository.  This feature will
        only work if a supported tool is available.  Both gpg(1) and openssl(1)
-       are  supported.   gpg is used by default, but openssl can be configured
+       are supported.  gpg is used by default, but openssl can  be  configured
        with the yadm.cipher configuration.
 
-       To use this feature, a list of patterns (one per line) must be  created
-       and  saved as $HOME/.config/yadm/encrypt.  This list of patterns should
+       To  use this feature, a list of patterns (one per line) must be created
+       and saved as $HOME/.config/yadm/encrypt.  This list of patterns  should
        be relative to the configured work-tree (usually $HOME).  For example:
 
                   .ssh/*.key
                   .gnupg/*.gpg
 
-       Standard filename expansions (*, ?, [) are supported.  Two  consecutive
-       asterisks  "**"  can  be used to match all subdirectories.  Other shell
+       Standard  filename  expansions (*, ?, [) are supported. Two consecutive
+       asterisks "**" can be used to match all  subdirectories.   Other  shell
        expansions like brace and tilde are not supported.  Spaces in paths are
-       supported, and should not be quoted.  If a directory is specified,  its
-       contents  will  be  included.   Paths  beginning with a "!" will be ex‐
+       supported,  and should not be quoted.  If a directory is specified, its
+       contents will be included.  Paths beginning with  a  "!"  will  be  ex‐
        cluded.
 
        The yadm encrypt command will find all files matching the patterns, and
-       prompt for a password. Once a  password  has  confirmed,  the  matching
-       files  will  be encrypted and saved as $HOME/.local/share/yadm/archive.
-       The "encrypt" and "archive" files should be added to the  yadm  reposi‐
+       prompt  for  a  password.  Once  a password has confirmed, the matching
+       files will be encrypted and saved  as  $HOME/.local/share/yadm/archive.
+       The  "encrypt"  and "archive" files should be added to the yadm reposi‐
        tory so they are available across multiple systems.
 
        To decrypt these files later, or on another system run yadm decrypt and
-       provide  the  correct password.  After files are decrypted, permissions
+       provide the correct password.  After files are  decrypted,  permissions
        are automatically updated as described in the PERMISSIONS section.
 
-       Symmetric encryption is used by default, but asymmetric encryption  may
+       Symmetric  encryption is used by default, but asymmetric encryption may
        be enabled using the yadm.gpg-recipient configuration.
 
-       NOTE:  It is recommended that you use a private repository when keeping
+       NOTE: It is recommended that you use a private repository when  keeping
        confidential files, even though they are encrypted.
 
        Patterns found in $HOME/.config/yadm/encrypt are automatically added to
-       the repository's info/exclude file every  time  yadm  encrypt  is  run.
+       the  repository's  info/exclude  file  every  time yadm encrypt is run.
        This is to prevent accidentally committing sensitive data to the repos‐
        itory.  This can be disabled using the yadm.auto-exclude configuration.
 
        Using transcrypt or git-crypt
 
-       A  completely separate option for encrypting data is to install and use
-       transcrypt or git-crypt.  Once installed, you can use  these  tools  by
-       running  yadm transcrypt or yadm git-crypt.  These tools enables trans‐
-       parent encryption and decryption of files in a git repository. See  the
+       A completely separate option for encrypting data is to install and  use
+       transcrypt  or  git-crypt.   Once installed, you can use these tools by
+       running yadm transcrypt or yadm git-crypt.  These tools enables  trans‐
+       parent  encryption and decryption of files in a git repository. See the
        following web sites for more information:
 
        - https://github.com/elasticdog/transcrypt
@@ -681,9 +703,9 @@
 
 
 ## PERMISSIONS
-       When  files  are checked out of a Git repository, their initial permis‐
-       sions are dependent upon the user's umask. Because of this,  yadm  will
-       automatically  update  the  permissions of some file paths. The "group"
+       When files are checked out of a Git repository, their  initial  permis‐
+       sions  are  dependent upon the user's umask. Because of this, yadm will
+       automatically update the permissions of some file  paths.  The  "group"
        and "others" permissions will be removed from the following files:
 
        - $HOME/.local/share/yadm/archive
@@ -695,39 +717,39 @@
        - The GPG directory and files, .gnupg/*
 
        yadm will automatically update permissions by default. This can be dis‐
-       abled using the yadm.auto-perms configuration. Even if  disabled,  per‐
-       missions  can  be manually updated by running yadm perms.  The .ssh di‐
-       rectory processing can be disabled using the yadm.ssh-perms  configura‐
-       tion.  The  .gnupg  directory  processing  can  be  disabled  using the
+       abled  using  the yadm.auto-perms configuration. Even if disabled, per‐
+       missions can be manually updated by running yadm perms.  The  .ssh  di‐
+       rectory  processing can be disabled using the yadm.ssh-perms configura‐
+       tion. The  .gnupg  directory  processing  can  be  disabled  using  the
        yadm.gpg-perms configuration.
 
-       When cloning a repo which includes data in a .ssh or .gnupg  directory,
-       if  those  directories  do  not exist at the time of cloning, yadm will
+       When  cloning a repo which includes data in a .ssh or .gnupg directory,
+       if those directories do not exist at the time  of  cloning,  yadm  will
        create the directories with mask 0700 prior to merging the fetched data
        into the work-tree.
 
        When running a Git command and .ssh or .gnupg directories do not exist,
-       yadm will create those directories with mask 0700 prior to running  the
+       yadm  will create those directories with mask 0700 prior to running the
        Git command. This can be disabled using the yadm.auto-private-dirs con‐
        figuration.
 
 
 ## HOOKS
-       For  every  command yadm supports, a program can be provided to run be‐
-       fore or after that command. These are  referred  to  as  "hooks".  yadm
-       looks  for  hooks in the directory $HOME/.config/yadm/hooks.  Each hook
+       For every command yadm supports, a program can be provided to  run  be‐
+       fore  or  after  that  command.  These are referred to as "hooks". yadm
+       looks for hooks in the directory $HOME/.config/yadm/hooks.   Each  hook
        is named using a prefix of pre_ or post_, followed by the command which
        should trigger the hook. For example, to create a hook which is run af‐
        ter every yadm pull command, create a hook named post_pull.  Hooks must
        have the executable file permission set.
 
        If a pre_ hook is defined, and the hook terminates with a non-zero exit
-       status, yadm will refuse to run the yadm command.  For  example,  if  a
-       pre_commit  hook is defined, but that command ends with a non-zero exit
-       status, the yadm commit will never be run. This allows one  to  "short-
+       status,  yadm  will  refuse  to run the yadm command. For example, if a
+       pre_commit hook is defined, but that command ends with a non-zero  exit
+       status,  the  yadm commit will never be run. This allows one to "short-
        circuit" any operation using a pre_ hook.
 
-       Hooks  have  the  following  environment variables available to them at
+       Hooks have the following environment variables  available  to  them  at
        runtime:
 
        YADM_HOOK_COMMAND
@@ -755,19 +777,19 @@
 
 
 ## FILES
-       All of yadm's configurations are  relative  to  the  "yadm  directory".
-       yadm  uses the "XDG Base Directory Specification" to determine this di‐
-       rectory.  If the environment variable $XDG_CONFIG_HOME is defined as  a
-       fully  qualified  path,  this  directory will be $XDG_CONFIG_HOME/yadm.
+       All  of  yadm's  configurations  are  relative to the "yadm directory".
+       yadm uses the "XDG Base Directory Specification" to determine this  di‐
+       rectory.   If the environment variable $XDG_CONFIG_HOME is defined as a
+       fully qualified path, this  directory  will  be  $XDG_CONFIG_HOME/yadm.
        Otherwise it will be $HOME/.config/yadm.
 
        Similarly, yadm's data files are relative to the "yadm data directory".
-       yadm uses the "XDG Base Directory Specification" to determine this  di‐
-       rectory.   If  the  environment variable $XDG_DATA_HOME is defined as a
+       yadm  uses the "XDG Base Directory Specification" to determine this di‐
+       rectory.  If the environment variable $XDG_DATA_HOME is  defined  as  a
        fully qualified path, this directory will be $XDG_DATA_HOME/yadm.  Oth‐
        erwise it will be $HOME/.local/share/yadm.
 
-       The following are the default paths yadm uses for its own  data.   Most
+       The  following  are the default paths yadm uses for its own data.  Most
        of these paths can be altered using universal options.  See the OPTIONS
        section for details.
 
@@ -776,16 +798,16 @@
               tive to this directory.
 
        $HOME/.local/share/yadm
-              The  yadm  data  directory.  By default, all data yadm stores is
+              The yadm data directory. By default, all  data  yadm  stores  is
               relative to this directory.
 
        $YADM_DIR/config
               Configuration file for yadm.
 
        $YADM_DIR/alt
-              This is a directory to keep  "alternate  files"  without  having
-              them  side-by-side  with the resulting symlink or processed tem‐
-              plate. Alternate files placed in this directory will be  created
+              This  is  a  directory  to keep "alternate files" without having
+              them side-by-side with the resulting symlink or  processed  tem‐
+              plate.  Alternate files placed in this directory will be created
               relative to $HOME instead.
 
        $YADM_DATA/repo.git
diff --git a/yadm.spec b/yadm.spec
index 8799654..3670860 100644
--- a/yadm.spec
+++ b/yadm.spec
@@ -1,7 +1,7 @@
 %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
 Name: yadm
 Summary: Yet Another Dotfiles Manager
-Version: 3.4.0
+Version: 3.5.0
 Group: Development/Tools
 Release: 1%{?dist}
 URL: https://yadm.io