[codex] Propose fnox secret input UI

[bglusman]

Summary

• Adds a roadmap note for a small local fnox secret input UI.
• Confirms upstream fnox appears CLI-first from public README/docs, with no built-in web UI found in the checked docs.
• Defines create-only/write-only defaults, no plaintext readback, stdin transport, local bind, CSRF, and audit expectations.

Why

This captures a safer complement to !secure: a local form for entering new secrets without putting values into chat history, while keeping the scope smaller than a secret browser or dashboard.

Validation

• pre-push hook: fmt, clippy, workspace unit tests, loom tests, workspace checks

Draft until the fnox wrapper PR lands and we decide whether to implement this as a standalone binary or a onecli mode.

[Copilot]

Pull request overview

Adds a roadmap/proposal document describing a small, local-only “fnox secret input UI” intended to complement the existing !secure flow by enabling write-only secret entry without leaking values into chat history.

Changes:

• Introduces a new roadmap note documenting goals/non-goals for a local fnox secret input form.
• Specifies default behaviors (loopback bind, create-only, stdin transport, no plaintext readback) and a minimal API sketch.
• Captures security requirements and open questions for a potential implementation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

For consistency with the other roadmap notes, consider formatting the header metadata using the same bold-key style (e.g., **Status:** …, **Priority:** …, **Depends on:** … as in docs/roadmap/outbound-sensitive-data-detection.md:3-5). This makes the metadata easier to scan across documents.

Suggested change

	Status: proposal
	Related work: `!secure` command flow, OneCLI/fnox wrapper work
	**Status:** proposal
	**Related work:** `!secure` command flow, OneCLI/fnox wrapper work

[bglusman]

Codex integration sweep: acknowledged. I am leaving this PR branch untouched per the parallel-agent boundary; this remains actionable for the PR owner or a follow-up unless it is superseded by #38.

[bglusman]

Acknowledged. The non-codex equivalent (#34 + design RFC #29) implements the input-only / new-by-default web UI; security fixes for it are in #40. If #35 has different design choices worth keeping, point at them and I'll fold the deltas in.

[bglusman]

Closing — design ideas from this proposal were pulled into RFC #29 (now merged via #44 in main as 9ed51fbc) and informed the actual implementation in #34: input-only by default, new-by-default with explicit ?update=1 to rotate, optional first/last-N preview, single-use 5-min expiry. Three-tier update mode (create_only/confirm_update/allow_update) is a good follow-up if a more granular shape is needed.