Add staged diff secret scanning with AI auto-fix and queue policy

Implement secret detection in staged diffs with interactive AI masking,
add `queue_on_issues` commit option, and improve skills management with
auto-sync and install support. Skills are now gitignored by default.

Author: nikivdev

.gitignore

@@ -2,6 +2,7 @@
 .cargo/
 .ai/internal/
 .ai/web/
+.ai/skills/
 .ai/todos/*.bike
 .claude/
 .codex/
@@ -24,6 +25,7 @@ node_modules
 package-lock.json
 yarn.lock
 .vercel
+env-local/
 *.db
 .repo_ignore
 i.*

docs/commands/commit.md

@@ -162,6 +162,19 @@ Sensitive patterns include:
 - `.pem`, `.key`, `id_rsa`, `id_ed25519`
 - Files containing `password`, `secret`, `token`
 
+### Secret Scan (Staged Diff)
+
+Flow scans staged diffs for likely secrets (API keys, tokens, passwords). If a match
+is detected, the commit is blocked. In an interactive terminal, flow offers to run
+an auto-fix using `ai` to mask or replace the values, then asks for approval to
+continue.
+
+You can bypass the check for a single commit with:
+
+```
+FLOW_ALLOW_SECRET_COMMIT=1 f commit
+```
+
 ### Large Diffs
 
 Warns about files with significant changes:
@@ -239,6 +252,18 @@ model = "kimi-k2-thinking-turbo" # optional; uses Kimi default if omitted
 
 This uses `kimi --quiet` (print mode) with your existing Kimi CLI auth/config.
 
+### Queue Policy
+
+Queue only when review finds issues (auto-push on a clean review):
+
+```toml
+[commit]
+queue = true
+queue_on_issues = true
+```
+
+`--queue` / `--no-queue` still override this behavior.
+
 ### AI Session Context
 
 When `--context` is enabled, includes recent Claude Code session context:

docs/features.md

@@ -275,7 +275,7 @@ f env delete KEY1 KEY2
 
 ## Codex Skills
 
-Manage Codex skills stored in `.ai/skills/`. Skills help Codex understand project-specific workflows.
+Manage Codex skills stored in `.ai/skills/` (gitignored by default). Skills help Codex understand project-specific workflows.
 
 ### Managing Skills
 
@@ -315,8 +315,18 @@ f skills sync
 
 This creates a skill for each task in `flow.toml`, so Codex automatically knows about your project's workflows.
 
+To auto-sync tasks or auto-install curated skills on demand, add a `[skills]` section to `flow.toml`:
+
+```toml
+[skills]
+sync_tasks = true
+install = ["linear", "github-pr"]
+```
+
 ### Skill Structure
 
+`.ai/skills/` is generated locally and should not be committed.
+
 ```
 .ai/skills/
 └── deploy-worker/
@@ -494,7 +504,7 @@ alias f="flow"
     ├── sessions/
     │   └── claude/
     │       └── index.json
-    └── skills/            # Codex skills
+    └── skills/            # Codex skills (gitignored, materialized locally)
         └── <skill-name>/
             └── skill.md
 ```

docs/flow-toml-spec.md

@@ -29,6 +29,10 @@ activate_on_cd_to_root = true     # optional, default false
 dependencies = ["fast"]           # optional, names from [deps] or [flox.install]
 shortcuts = ["s"]                 # optional aliases for task lookup
 
+[skills]              # optional: skill enforcement (gitignored by default)
+sync_tasks = true     # optional: generate skills for tasks
+install = ["linear"]  # optional: ensure skills are installed (local ~/.codex/skills preferred, else registry)
+
 [[alias]]             # optional shell aliases (or use [aliases] table)
 fr = "f run"          # key/value pairs of alias -> command
 
@@ -50,6 +54,7 @@ fr = "f run"
 - `activate_on_cd_to_root`: tasks flagged run automatically when Flow is invoked via `activate` hooks.
 - `shortcuts`: case-insensitive aliases and abbreviations (auto-generated from task names) resolve tasks.
 - `alias`/`aliases`: emitted by `f setup` as shell `alias` lines.
+- `[skills]`: optional skill enforcement; `sync_tasks` generates `.ai/skills` from tasks and `install` ensures registry skills are present (skills are gitignored by default).
 
 ## Notes
 

docs/task-failure-hooks.md

@@ -72,8 +72,9 @@ export FLOW_DISABLE_TASK_FAILURE_HOOK=1
 
 ## Rise / Zed Behavior
 
-If your hook calls `rise work`, Flow automatically appends `--no-open` unless you
-explicitly allow it. This prevents Zed from opening on every failure.
+If your hook calls `rise work`, Flow automatically appends `--no-open` and strips
+`--focus` / `--focus-app` unless you explicitly allow opening. This prevents Zed
+or other apps from launching on every failure.
 
 To allow the open behavior:
 

flow.toml

@@ -19,6 +19,7 @@ commit_with_check_review_url = "http://100.114.156.47:3000/review"
 
 [commit]
 queue = true
+queue_on_issues = true
 
 [jj]
 default_branch = "main"
@@ -209,6 +210,11 @@ name = "pond-debug"
 command = "bash -c 'cd /Users/nikiv/repos/ghostty-org/ghostty && zig build -Doptimize=Debug'"
 description = "Build Pond (Ghostty fork) in debug mode"
 
+[[tasks]]
+name = "zed-build-debug-release"
+command = "bash -c 'cd /Users/nikiv/repos/zed-industries/zed && ./script/bundle-mac -d && ./script/bundle-mac'"
+description = "Build Zed macOS bundle in debug mode (fast) and then in release mode"
+
 [[tasks]]
 name = "linsa-assistant-serve"
 command = "bash -c 'cd /Users/nikiv/code/org/linsa/linsa/api/cpp && sh ./run.sh serve'"

src/cli.rs

@@ -337,7 +337,7 @@ pub enum Commands {
     Ext(ExtCommand),
     #[command(
         about = "Manage Codex skills (.ai/skills/).",
-        long_about = "Create, list, and manage Codex skills for this project. Skills are stored in .ai/skills/ and help Codex understand project-specific workflows."
+        long_about = "Create, list, and manage Codex skills for this project. Skills are stored in .ai/skills/ (gitignored by default) and help Codex understand project-specific workflows."
     )]
     Skills(SkillsCommand),
     #[command(
@@ -1344,6 +1344,16 @@ pub enum CommitQueueAction {
         /// Commit hash (short or full).
         hash: String,
     },
+    /// Open the queued commit diff in Rise app (multi-file diff UI).
+    Open {
+        /// Commit hash (short or full).
+        hash: String,
+    },
+    /// Print the full diff for a queued commit to stdout.
+    Diff {
+        /// Commit hash (short or full).
+        hash: String,
+    },
     /// Approve a queued commit and push it.
     Approve {
         /// Commit hash (short or full).