docs: add guide for fnox sync

[jdx]

Summary

• Adds a new guide page explaining fnox sync for caching remote provider secrets locally
• Covers the key use case: syncing 1Password (or other remote) secrets into fnox.local.toml with age/YubiKey encryption for instant, offline access
• Includes sections on basic usage, the fnox.local.toml pattern, YubiKey support, refreshing cache, and a full end-to-end workflow example
• Adds sidebar entry under Guide section

Test plan

• Verify the guide renders correctly in VitePress (mise run docs:dev)
• Confirm sidebar link works

🤖 Generated with Claude Code

---

Note

Low Risk
Documentation-only changes (new page + sidebar link) with no impact on runtime behavior or security-sensitive code.

Overview
Adds a new Guide page (docs/guide/sync.md) documenting fnox sync for caching secrets fetched from remote providers into a gitignored fnox.local.toml, including usage patterns (dry-run, filtering, source selection), the sync field format, YubiKey/age examples, and cache refresh workflow.

Updates the VitePress sidebar (docs/.vitepress/config.mjs) to include a new “Syncing Secrets Locally” entry under Features.

^{Written by Cursor Bugbot for commit 1c5611f. This will update automatically on new commits. Configure here.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces comprehensive documentation for the fnox sync feature. This new guide explains how users can cache remote provider secrets locally using various encryption methods like age or YubiKey, significantly improving performance by allowing offline and instant access to secrets. The documentation aims to clarify the benefits and usage of fnox sync for efficient secret management.

Highlights

• New Guide Page: A new guide page has been added explaining the fnox sync command.
• Local Secret Caching: The guide details how fnox sync fetches secrets from remote providers and re-encrypts them for local caching, enabling instant, offline access.
• Encryption and Storage: It covers the use case of syncing 1Password secrets into fnox.local.toml with age/YubiKey encryption.
• Comprehensive Usage: Sections include basic usage, the fnox.local.toml pattern, YubiKey support, refreshing the cache, and a full end-to-end workflow example.
• Documentation Navigation: A new entry for "Syncing Secrets Locally" has been added to the sidebar under the Guide section.

Changelog

• docs/.vitepress/config.mjs
  • Added a new sidebar navigation link for the fnox sync guide.
• docs/guide/sync.md
  • Created a new guide document detailing the fnox sync command and its functionality.

Activity

• No specific activity (comments, reviews, or progress updates) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[greptile-apps]

Greptile Summary

This PR adds a new guide page (docs/guide/sync.md) documenting the fnox sync command, which caches remote provider secrets locally using age/YubiKey encryption, and registers it in the VitePress sidebar. The content is well-written and covers the key use cases (basic usage, YubiKey support, cache refresh, and a full end-to-end workflow).

• New guide covers fnox sync mechanics, CLI flags (--dry-run, --source, --filter, --force), and the fnox.local.toml caching pattern clearly.
• Sidebar entry is correctly placed between Import/Export and Credential Leases.
• The full workflow example in Step 3 has a missing mkdir -p ~/.config/fnox before calling age-keygen -o ~/.config/fnox/age.txt, which will fail on fresh setups where that directory doesn't yet exist.

Confidence Score: 4/5

• Docs-only change; safe to merge with a minor fix to the workflow example.
• The change is purely documentation with no runtime code. The one concrete issue (missing mkdir -p in the shell workflow) would cause Step 3 to fail on a fresh machine, which is a noticeable error for the audience most likely to follow this guide step-by-step.
• docs/guide/sync.md — Step 3 of the full workflow example needs a mkdir -p guard before age-keygen.

Important Files Changed

Filename	Overview
docs/guide/sync.md	New guide page for fnox sync. Content is clear and well-structured; one logic issue in the workflow example where age-keygen writes to a directory that may not exist yet.
docs/.vitepress/config.mjs	Adds a single sidebar entry for the new sync guide between Import/Export and Credential Leases. No issues found.

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant fnox
    participant OP as 1Password (remote)
    participant age as age (local)
    participant Local as fnox.local.toml

    Note over Dev,Local: fnox sync --provider age --config fnox.local.toml

    Dev->>fnox: fnox sync
    fnox->>OP: Fetch plaintext secret values
    OP-->>fnox: DATABASE_URL, STRIPE_KEY, SENDGRID_KEY

    loop For each secret
        fnox->>age: Encrypt with age public key
        age-->>fnox: Encrypted ciphertext
        fnox->>Local: Write sync = {provider="age", value="..."}
    end

    Note over Dev,Local: Subsequent cd into project

    Dev->>fnox: Resolve secrets
    fnox->>Local: Read sync field (age ciphertext)
    fnox->>age: Decrypt locally
    age-->>fnox: Plaintext value
    fnox-->>Dev: Secrets injected (no remote call)

Loading

_{Last reviewed commit: 1c5611f}

[gemini-code-assist]

Code Review

This pull request adds a new documentation page for the fnox sync command, which is a great addition. The guide is well-structured and comprehensive. I've found a couple of minor issues in the examples that could confuse users and have provided suggestions to correct them. One is a small typo in a secret path, and the other is a potentially confusing instruction in the full workflow example where a user might not use their own generated key.

I am having trouble creating individual review comments. Click here to see my feedback.

docs/guide/sync.md (18)

There seems to be a copy-paste error in this example. The SENDGRID_KEY is configured to use a path from Stripe (Stripe/api-key). This is likely a typo and could be confusing. It should probably be SendGrid/api-key, which is what is used in a later example in this same document.

SENDGRID_KEY = { provider = "op", value = "SendGrid/api-key" }

docs/guide/sync.md (163-172)

The 'Full Workflow Example' is very helpful, but it could be confusing for users. In step 3, a new age key is generated, but in step 4, a hardcoded public key is used in the configuration. A user following this guide verbatim would not be able to decrypt secrets because the public key in the config doesn't match their private key.

To prevent this confusion, I suggest updating the instructions to explicitly tell the user to use the public key they just generated.

# 3. Set up your age key (one-time). The public key will be printed to your terminal.
age-keygen -o ~/.config/fnox/age.txt
export FNOX_AGE_KEY=$(grep "AGE-SECRET-KEY" ~/.config/fnox/age.txt)

# 4. Add age provider to your config.
#    IMPORTANT: Replace the placeholder recipient below with your public key from step 3.
cat >> fnox.toml << 'EOF'
[providers.age]
type = "age"
recipients = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"] # <-- PASTE YOUR PUBLIC KEY HERE
EOF

[greptile-apps]

Missing mkdir -p before age-keygen

age-keygen -o ~/.config/fnox/age.txt will fail with a "no such file or directory" error on any system where ~/.config/fnox/ doesn't already exist (i.e., a fresh setup, which is exactly the scenario this guide targets). The directory needs to be created first.

Suggested change

	age-keygen -o ~/.config/fnox/age.txt
	mkdir -p ~/.config/fnox && age-keygen -o ~/.config/fnox/age.txt