docs: add fnox notes and vs SecretSpec page

Made-with: Cursor

Author: codekiln

.beads/issues.jsonl

@@ -1,3 +1,3 @@
 {"id":"bd-9q4","title":"Import a project 'landing the plane' rule via Rulesync and generate Codex instructions","description":"Add this project’s equivalent of 'landing the plane' into AI instructions as a Rulesync-managed rule, not as an ad-hoc direct edit in AGENTS.md.","acceptance_criteria":"1) A Rulesync rule file is added/updated under .rulesync to encode the 'landing the plane' behavior for this project. 2) rulesync generate is run successfully. 3) Generated Codex-specific instruction files are updated by generation output. 4) Generated files and the Rulesync source rule are committed to git with a clear commit message. 5) No manual drift remains between generated outputs and Rulesync source.","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-25T10:49:29Z","created_by":"M∎r","updated_at":"2026-02-25T11:08:17Z","closed_at":"2026-02-25T11:08:17Z","close_reason":"Completed","labels":["ai-instructions","codex","rulesync"],"dependency_count":0,"dependent_count":0,"comment_count":0}
-{"id":"bd-4br","title":"Logseq: color-theme entity type + [[Catppuccin]] hub (alias UI/Color/Theme)","description":"## Goal\nIntroduce a **color-theme** Logseq entity type and a first instance hub for **Catppuccin**, so one page holds everything needed to apply that palette across the stack (Ghostty, Neovim, tmux, yazi, etc.), consistent with `[[Logseq/Entity]]` and `[[Logseq/Entity/software-project]]`.\n\n## Canonical naming\n- **Instance page title:** `[[Catppuccin]]` (short top-level canonical name, same spirit as software-project hubs like [[Lazygit]]).\n- **Alias for hierarchy / discoverability:** add page-level `alias:: [[UI/Color/Theme/Catppuccin]]` on `pages/Catppuccin.md` so the graph shows under `[[UI/Color]]` style navigation. Do not use the long path as the primary page title.\n\n## Deliverables\n\n### 1. Entity type page\n- Create `[[Logseq/Entity/color-theme]]` (filename `Logseq___Entity___color-theme.md`) documenting:\n  - What counts as a color-theme entity (palette family / design system reused across apps).\n  - Recognition and dedup (exact name, aliases, official style guide / org).\n  - Frontmatter: instances use `logseq-entity:: [[Logseq/Entity/color-theme]]`.\n  - Page shape: lean hub + optional sub-namespaces only when justified.\n  - Relationship to `software-project`: ports/plugins can remain software entities linking back to the theme hub.\n  - **Do not** prescribe or modify existing pages' `tags::`; follow garden tagging rules.\n\n### 2. Registry\n- Update `[[Logseq/Entity]]` to list **color-theme** alongside **software-project**, with a link to the new type page.\n\n### 3. First instance: Catppuccin\n- Create `pages/Catppuccin.md` with:\n  - `logseq-entity:: [[Logseq/Entity/color-theme]]`\n  - `alias:: [[UI/Color/Theme/Catppuccin]]`\n  - `date-created::` set to the theme family’s real public origin date if discoverable (not “page added today”); omit if unknown.\n  - **Identity:** official links, short description.\n  - **Flavors:** Latte, Frappe, Macchiato, Mocha — names, light/dark intent, stable config IDs (e.g. `catppuccin-mocha`).\n  - **Palette reference:** link official palette docs and/or minimal hex reference; add per-flavor subpages only if needed later.\n  - **Stack matrix:** for each of Ghostty, Neovim, tmux, yazi — mechanism (built-in / plugin / package), config hooks, links to existing garden pages ([[Ghostty]], [[Neovim]], [[tmux]], [[yazi]]) and to dotfiles or config subpages (e.g. [[tmux/Config]]) where detail already lives.\n  - **see-also::** peer themes as appropriate.\n\n### 4. Light cross-links\n- From relevant existing pages (e.g. [[Ghostty]]), add a brief pointer to [[Catppuccin]] where the theme is already mentioned or implied — no large rewrites.\n\n### 5. Optional bootstrap\n- If still using `.rulesync/config/logseq-entity.md` as fallback, add a short **color-theme** section aligned with the Logseq-native type page (or note that the type page is authoritative).\n\n## Acceptance criteria\n- `[[Logseq/Entity/color-theme]]` exists and reads as the SOP for this entity type.\n- `[[Logseq/Entity]]` links to it.\n- `[[Catppuccin]]` exists with `alias:: [[UI/Color/Theme/Catppuccin]]`, `logseq-entity:: [[Logseq/Entity/color-theme]]`, and enough structure that someone can wire Catppuccin across Ghostty, Neovim, tmux, and yazi from that hub plus linked notes.\n- LFM formatting (bullets, headings, no blank lines between blocks).\n- No changes to `tags::` frontmatter on existing pages unless the human explicitly asks.\n\n## References\n- Pattern model: `[[Logseq/Entity/software-project]]`, `.rulesync/config/logseq-entity.md`, `.rulesync/skills/logseq-entity/references/logseq-entity-type-pages.md`.\n","status":"open","priority":2,"issue_type":"feature","owner":"change-me@example.com","created_at":"2026-03-23T18:26:53Z","created_by":"CHANGE_ME","updated_at":"2026-03-23T18:26:53Z","dependency_count":0,"dependent_count":0,"comment_count":0}
+{"id":"bd-4br","title":"Logseq: color-theme entity type + [[Catppuccin]] hub (alias UI/Color/Theme)","description":"## Goal\nIntroduce a **color-theme** Logseq entity type and a first instance hub for **Catppuccin**, so one page holds everything needed to apply that palette across the stack (Ghostty, Neovim, tmux, yazi, etc.), consistent with `[[Logseq/Entity]]` and `[[Logseq/Entity/software-project]]`.\n\n## Canonical naming\n- **Instance page title:** `[[Catppuccin]]` (short top-level canonical name, same spirit as software-project hubs like [[Lazygit]]).\n- **Alias for hierarchy / discoverability:** add page-level `alias:: [[UI/Color/Theme/Catppuccin]]` on `pages/Catppuccin.md` so the graph shows under `[[UI/Color]]` style navigation. Do not use the long path as the primary page title.\n\n## Deliverables\n\n### 1. Entity type page\n- Create `[[Logseq/Entity/color-theme]]` (filename `Logseq___Entity___color-theme.md`) documenting:\n  - What counts as a color-theme entity (palette family / design system reused across apps).\n  - Recognition and dedup (exact name, aliases, official style guide / org).\n  - Frontmatter: instances use `logseq-entity:: [[Logseq/Entity/color-theme]]`.\n  - Page shape: lean hub + optional sub-namespaces only when justified.\n  - Relationship to `software-project`: ports/plugins can remain software entities linking back to the theme hub.\n  - **Do not** prescribe or modify existing pages' `tags::`; follow garden tagging rules.\n\n### 2. Registry\n- Update `[[Logseq/Entity]]` to list **color-theme** alongside **software-project**, with a link to the new type page.\n\n### 3. First instance: Catppuccin\n- Create `pages/Catppuccin.md` with:\n  - `logseq-entity:: [[Logseq/Entity/color-theme]]`\n  - `alias:: [[UI/Color/Theme/Catppuccin]]`\n  - `date-created::` set to the theme family’s real public origin date if discoverable (not “page added today”); omit if unknown.\n  - **Identity:** official links, short description.\n  - **Flavors:** Latte, Frappe, Macchiato, Mocha — names, light/dark intent, stable config IDs (e.g. `catppuccin-mocha`).\n  - **Palette reference:** link official palette docs and/or minimal hex reference; add per-flavor subpages only if needed later.\n  - **Stack matrix:** for each of Ghostty, Neovim, tmux, yazi — mechanism (built-in / plugin / package), config hooks, links to existing garden pages ([[Ghostty]], [[Neovim]], [[tmux]], [[yazi]]) and to dotfiles or config subpages (e.g. [[tmux/Config]]) where detail already lives.\n  - **see-also::** peer themes as appropriate.\n\n### 4. Light cross-links\n- From relevant existing pages (e.g. [[Ghostty]]), add a brief pointer to [[Catppuccin]] where the theme is already mentioned or implied — no large rewrites.\n\n### 5. Optional bootstrap\n- If still using `.rulesync/config/logseq-entity.md` as fallback, add a short **color-theme** section aligned with the Logseq-native type page (or note that the type page is authoritative).\n\n## Acceptance criteria\n- `[[Logseq/Entity/color-theme]]` exists and reads as the SOP for this entity type.\n- `[[Logseq/Entity]]` links to it.\n- `[[Catppuccin]]` exists with `alias:: [[UI/Color/Theme/Catppuccin]]`, `logseq-entity:: [[Logseq/Entity/color-theme]]`, and enough structure that someone can wire Catppuccin across Ghostty, Neovim, tmux, and yazi from that hub plus linked notes.\n- LFM formatting (bullets, headings, no blank lines between blocks).\n- No changes to `tags::` frontmatter on existing pages unless the human explicitly asks.\n\n## References\n- Pattern model: `[[Logseq/Entity/software-project]]`, `.rulesync/config/logseq-entity.md`, `.rulesync/skills/logseq-entity/references/logseq-entity-type-pages.md`.\n","status":"closed","priority":2,"issue_type":"feature","owner":"change-me@example.com","created_at":"2026-03-23T18:26:53Z","created_by":"CHANGE_ME","updated_at":"2026-03-23T18:29:26Z","closed_at":"2026-03-23T18:29:26Z","close_reason":"Implemented color-theme entity type, Catppuccin hub, registry, cross-links, rulesync bootstrap.","dependency_count":0,"dependent_count":0,"comment_count":0}
 {"id":"bd-10","title":"Harden Beads sync for this JSONL-only Logseq garden","description":"The repo now intentionally runs Beads in JSONL-only mode, but bd doctor still flags sync-branch and merge-driver setup gaps. Follow up by choosing the right git-backed sync approach for a Logseq garden, keeping the repo JSONL-only and avoiding coding-project assumptions like in-repo worktrees.","acceptance_criteria":"1. Confirm and preserve JSONL-only Beads operation for this repo; do not introduce a committed SQLite database workflow.\n2. Decide and implement the repo's intended bd sync strategy for multi-device use, including whether to configure a sync branch.\n3. Configure the necessary git integration for that strategy (for example merge driver and any recommended hooks), or document why a specific integration is intentionally skipped.\n4. Verify the chosen workflow with the relevant bd commands in normal mode and record any repo-specific caveats for Logseq usage.","status":"open","priority":2,"issue_type":"task","created_at":"2026-03-13T09:04:10Z","created_by":"Myer","updated_at":"2026-03-13T09:04:10Z","dependency_count":0,"dependent_count":0,"comment_count":0}

pages/Person___Jeff Dickey.md

@@ -4,5 +4,5 @@ alias:: [[@jdx]]
 logseq-entity:: [[Logseq/Entity/person]]
 - [[Person/Jeff Dickey/Web]] https://jdx.dev/
 - [[Person/Jeff Dickey/GitHub]] https://github.com/jdx/
-	- > author of mise-en-place, #oclif and [[heroku/CLI]]
--
+	- > author of [[mise]] mise-en-place, [[oclif]] and [[heroku/CLI]]
+	- also maintains [[fnox]] (secrets CLI; docs at https://fnox.jdx.dev/) alongside [[mise]]

pages/Person___Jeff Dickey___GitHub___fnox.md

@@ -0,0 +1,4 @@
+- GitHub: [jdx/fnox: Fort Knox for your secrets](https://github.com/jdx/fnox)
+- Docs: https://fnox.jdx.dev/
+- Author: [[Person/Jeff Dickey]] (same ecosystem as [[mise]])
+- Related: [[fnox]], [[fnox/vs/secretspec]]

pages/fnox.md

@@ -0,0 +1,19 @@
+tags:: [[CLI/Tool]]
+created-by:: [[Person/Jeff Dickey]]
+
+- [fnox — Fort Knox for your secrets](https://fnox.jdx.dev/) [^1]
+	- **fnox** is a secrets manager CLI from [[Person/Jeff Dickey]] (same author as [[mise]]), aimed at developer workflows around a checked-in `fnox.toml`.
+- Repo: [[Person/Jeff Dickey/GitHub/fnox]]
+- ## What it does
+	- Manages secrets with **encryption**, **cloud / vault providers**, or **both** in one config file you can keep in version control.
+	- Each secret picks a **provider** (for example age ciphertext in the file, or a reference resolved from AWS, GCP, Azure, [[1Password]], Bitwarden, Infisical, Doppler, HashiCorp Vault, Unix `pass`, OS keychain, and others). [^1]
+	- **Shell integration** can auto-load secrets when you `cd` into a directory that contains `fnox.toml` (`fnox activate` for bash, zsh, fish; see upstream docs for Nushell). [^1]
+	- **Profiles** support different secret sets for dev, staging, production, and custom environments. [^1]
+- ## Typical commands
+	- `fnox init` — scaffold config in a repo
+	- `fnox set` / `fnox get` — write or read a secret through configured providers
+	- `fnox exec -- <command>` — run a subprocess with secrets injected as environment variables (similar ergonomics to other “run with secrets” CLIs)
+- ## Comparison in this graph
+	- [[fnox/vs/secretspec]] — detailed contrast with [[secretspec]]
+- ## Footnotes
+	- [^1]: https://fnox.jdx.dev/

pages/fnox___vs___secretspec.md

@@ -0,0 +1,47 @@
+- Purpose of this page
+	- Highlight **capabilities that show up in one tool’s public story but not the other’s**, so you can scan for gaps instead of reading two parallel product pitches. Provider catalogs change; treat bullets as **“documented on the official site when this note was written”**, then verify in each project’s current docs. [^1] [^2]
+- ## Features emphasized for **fnox** but not for **[[secretspec]]**
+	- **Encrypt-to-git in the project file**
+		- **fnox** documents storing **encrypted ciphertext** (or KMS-style encrypted payloads) **inside `fnox.toml`** that you commit—for example via **age** (including SSH-key flows) or **AWS / Azure / GCP KMS**—so teammates clone **values-in-repo** without plaintext in history. [^1]
+		- **[[secretspec]]**’s public positioning is the opposite: **`secretspec.toml` declares requirements only**; it should **not** carry real secret material, even encrypted—the committed file is the **contract**, not the vault. [^2]
+	- **Inline non-provider “plain” defaults in the same repo file**
+		- **fnox** documents a **`plain` provider for defaults** (explicitly “for defaults only”) so local dev can ship **cleartext defaults beside** encrypted or remote-backed entries in **`fnox.toml`**. [^1]
+		- **[[secretspec]]** steers defaults through **providers** (for example **dotenv**, **keyring**) rather than treating the committed spec as a place for inline secret values. [^2]
+	- **Directory-based shell auto-export**
+		- **fnox** documents **`fnox activate`** so a shell can **auto-load secrets when you `cd`** into a tree that contains **`fnox.toml`**. [^1]
+		- **[[secretspec]]**’s homepage narrative centers on **`secretspec run` / `check` / `set`** style workflows and SDK loading—not an equivalent **“activate my shell on directory entry”** feature in the same first-class way. [^2]
+	- **Providers called out on fnox’s landing page but not on SecretSpec’s homepage list**
+		- Examples from **fnox** marketing/docs: **AWS Systems Manager Parameter Store (`aws-ps`)**, **Azure Key Vault secrets (`azure-sm`)**, **Bitwarden Secrets Manager**, **Doppler**, **Infisical**, plus the **encrypt-to-git** stack (**age**, **AWS/Azure/GCP KMS**) as a headline cluster. [^1]
+		- **[[secretspec]]**’s homepage provider gallery at the time emphasized **keyring**, **dotenv**, **`env` (read-only for CI)**, **`pass`**, **[[1Password]]**, **LastPass**, **GCP Secret Manager**, **AWS Secrets Manager**, **Vault/OpenBao**—a different shape (no **Doppler**, **Infisical**, **Parameter Store**, **Azure** entries, or **age/KMS encrypt-to-git** in that same list). [^2]
+- ## Features emphasized for **[[secretspec]]** but not for **fnox**
+	- **Committed file is never a value store (even encrypted)**
+		- **[[secretspec]]** repeats that **`secretspec.toml` only declares names, descriptions, required/optional rules, and shapes**—**values always come from providers at runtime**. That is a **design guarantee** in how they describe the system. [^2]
+		- **fnox** intentionally supports **ciphertext and plain defaults inside `fnox.toml`**, so it does **not** share that same “spec never holds secrets” invariant. [^1]
+	- **First-party in-process Rust SDK with codegen**
+		- **[[secretspec]]** documents a **type-safe Rust SDK**: `declare_secrets!` over **`secretspec.toml`**, builder-style `load()`, typed fields, optional secrets as `Option`, helpers like **`set_as_env_vars`**, and invites other language SDKs via contributions. [^2]
+		- **fnox**’s landing page is **CLI + TOML + shell integration**-centric; it does **not** advertise a comparable **generated Rust API surface** the same way. [^1]
+	- **Built-in cross-provider migration (`import`)**
+		- **[[secretspec]]** documents **`secretspec import`** (example flow: import from **`dotenv://.env.production`** into **`keyring://`**) as a first-class way to **move material between backends without changing app code**. [^2]
+		- **fnox** docs summarized here do **not** foreground an **`import`-style** “bulk move between providers” command in the same way (you may still accomplish moves manually per provider). [^1]
+	- **Secret requirement primitives beyond name + provider**
+		- **[[secretspec]]** documents **`as_path`** (materialize to **temporary files** for consumers that need paths), plus **`type` + `generate`** so some secrets can be **auto-created when missing** (for example generated passwords). [^2]
+		- **fnox**’s quick examples center on **provider + value/reference**; those **declaration-level** knobs are **not** the headline in the same public comparison surface. [^1]
+	- **User-global provider configuration with interactive setup**
+		- **[[secretspec]]** shows **`secretspec config init`** writing **`~/.config/secretspec/config.toml`**, interactive provider picking, and **per-secret provider overrides / fallback lists** wired through **named provider aliases** in that config. [^2]
+		- **fnox**’s intro emphasizes **project-local `fnox.toml`** and providers declared there; it does **not** mirror that exact **interactive user-wide config wizard + alias layer** in the excerpted homepage material. [^1]
+	- **Providers called out on SecretSpec’s homepage but not on fnox’s landing list**
+		- Examples: **LastPass**, the dedicated **read-only `env` provider for CI**, and the **dotenv** provider as a first-class “traditional `.env`” backend sit in **[[secretspec]]**’s story. [^2]
+		- **fnox** lists **OS keychain**, **`pass`**, cloud managers, etc., but **does not list LastPass, dotenv-as-provider, or a read-only env backend** in the same marketing provider grid. [^1]
+- ## Overlap (intentionally brief)
+	- Both offer **multi-environment profiles**, a **TOML project file**, CLI flows to **run subprocesses with secrets injected**, and overlapping remote backends such as **[[1Password]]**, **Vault-class** stores, **GCP/AWS secret managers**, and Unix **`pass`**. Treat this section as **shared baseline**, not the differentiator. [^1] [^2]
+- ## One-line positioning (reminder)
+	- **fnox**: one committed **`fnox.toml`** can orchestrate **remote refs**, **encrypt-to-git**, and **plain defaults**, plus optional **shell activation on `cd`**. [^1]
+	- **[[secretspec]]**: one committed **`secretspec.toml`** is the **policy and inventory**; **values and migrations** live in **providers**, with a **Rust SDK** for typed in-app access. [^2]
+- ## Related in this graph
+	- [[fnox]] — hub note for the tool
+	- [[secretspec]] — existing stub and links
+	- [[devenv/Blog/25/07/Announcing SecretSpec]] — motivation and critique of “encrypted secrets in repo” approaches from the devenv perspective
+	- [[Person/Jeff Dickey/GitHub/fnox]] — canonical repo link
+- ## Footnotes
+	- [^1]: https://fnox.jdx.dev/
+	- [^2]: https://secretspec.dev/