docs: sync README and AGENTS.md with current codebase, rename Justfile to justfile

AGENTS.md

@@ -15,7 +15,7 @@ flake.nix
 
 - `lib/default.nix` — builders `mkDarwin`/`mkNixos`, shared `sshKeys` constant (passed via `specialArgs`), `homeManagerConfig` helper. NixOS also gets `catppuccin.nixosModules.catppuccin`.
 - `modules/shared/` — both platforms: nix/nixpkgs settings (Lix, overlays), fonts, `programs.fish.enable`, `services.openssh.enable`
-- `modules/darwin/` — macOS: system preferences, homebrew (casks/brews/masApps), 1Password CLI, user
+- `modules/darwin/` — macOS: system preferences, homebrew (casks/brews/masApps), user
 - `modules/nixos/` — NixOS: system packages, locale/timezone, docker, user
 - `home/` — home-manager (shared across all hosts via `useGlobalPkgs`), catppuccin theme
 - `hosts/*/` — per-host overrides (mac-mini: 24/7 server with sleep disabled; macbook-air: portable)
@@ -67,23 +67,24 @@ cd ~/nix-config && sudo nixos-rebuild switch --flake .#wsl
 - **`onActivation.cleanup = "zap"`**: Any brew formula/cask NOT declared in `modules/darwin/default.nix` WILL be removed on rebuild. Be comprehensive.
 - **First-time macOS bootstrap requires sudo**: `sudo nix run nix-darwin -- switch --flake .#mac-mini` (not `darwin-rebuild` which doesn't exist yet).
 - **First-time WSL bootstrap needs `nix-shell -p git`**: Fresh NixOS-WSL has no `git`. Use `nix-shell -p git --run "git clone ..."` to clone, then `sudo nixos-rebuild switch`.
-- **mise for version management**: Activated in `home/shell/fish.nix` via `mise activate fish | source`. Config in `home/dev/languages.nix` trusts all config paths.
+- **mise for version management**: Configured via `programs.mise` in `home/dev/languages.nix` with `enableFishIntegration = true`. Config trusts all config paths.
 
 ## Secrets (1Password CLI)
 
 - **Not sops-nix** — secrets are injected at shell startup via `op inject` (1Password CLI).
 - Template: `home/shell/fish.nix` generates `~/.config/op-env/env.tpl` with `op://` references (safe to commit — contains no real secrets).
 - Fish function `op-env` runs on interactive shell init, calling `op inject --in-file` to set env vars: `AI_GATEWAY_BASE_URL`, `AI_GATEWAY_API_KEY`, `EXA_API_KEY`, `CONTEXT7_API_KEY`.
-- macOS: `programs._1password.enable = true` in `modules/darwin/default.nix`.
+- Auth via `OP_SERVICE_ACCOUNT_TOKEN` env var (set it in `~/.config/fish/local.fish`, which is sourced before `op-env` runs).
-- WSL: aliases `op` to `op.exe` (Windows interop) in `home/shell/fish.nix`.
+- `programs._1password.enable = true` in `modules/shared/default.nix` (shared across all platforms).
 - Never commit `*.dec.yaml`, `*.dec.json`, `*.plaintext` (in `.gitignore`).
 
 ## Shell
 
 Fish (not zsh). All tool integrations use `enableFishIntegration`. Key files:
-- `home/shell/fish.nix` — abbreviations, interactiveShellInit, mise activation
+- `home/shell/fish.nix` — abbreviations, aliases, interactiveShellInit, 1Password `op-env`
 - `home/shell/tools.nix` — fzf, atuin, zoxide (`--cmd cd`), direnv, bat, eza, yazi, btop, zellij
 - `home/shell/starship.nix` — prompt
+- `home/shell/ghostty.nix` — Ghostty terminal config (macOS only, `package = null` since installed via Homebrew cask)
 
 ## Home Manager option API
 

README.md

@@ -62,20 +62,18 @@ sudo nixos-rebuild switch --flake .#wsl
 ├── modules/
 │   ├── darwin/default.nix     # macOS 模块（Homebrew、系统偏好等）
 │   ├── nixos/                 # NixOS 模块
-│   │   ├── base.nix           # 基础包
+│   │   ├── default.nix        # 系统包、区域、用户
-│   │   ├── docker.nix         # Docker 配置
+│   │   └── docker.nix         # Docker 配置
-│   │   ├── locale.nix         # 区域 / 语言
-│   │   └── default.nix        # 入口（用户、shell）
 │   └── shared/                # 共享模块（Nix 设置）
 ├── home/                      # Home Manager 配置
-│   ├── default.nix            # 入口 + 用户级包
+│   ├── default.nix            # 入口 + 用户级包 + Catppuccin 主题
-│   ├── theme.nix              # Catppuccin 主题
 │   ├── dev/                   # 开发工具
 │   │   ├── neovim.nix
 │   │   ├── languages.nix      # 语言运行时、LSP
 │   │   └── git.nix
 │   └── shell/                 # Shell 配置
 │       ├── fish.nix           # Fish shell
+│       ├── ghostty.nix        # Ghostty 终端（仅 macOS）
 │       ├── starship.nix       # Prompt
 │       └── tools.nix          # fzf, atuin, zoxide 等
 ├── lib/default.nix            # 构建辅助函数
@@ -100,13 +98,6 @@ just history          # 查看系统 profile 历史
 just show             # 显示 flake 输出
 ```
 
-Fish shell 中也定义了 abbreviation 可直接使用：
-
-```bash
-rebuild               # 自动选择 darwin-rebuild 或 nixos-rebuild
-update                # nix flake update
-```
-
 > **注意**：`just clean` 仅清理用户级 generation。NixOS 上如需清理系统级旧 generation，需要 `sudo nix-collect-garbage -d`。
 
 ## Shell
@@ -126,3 +117,18 @@ update                # nix flake update
 - 添加包: 编辑 `home/default.nix` 或 `home/dev/languages.nix`
 - 添加 Homebrew cask: 编辑 `modules/darwin/default.nix` 中的 `homebrew.casks`
 - 查包名: `nix search nixpkgs <关键词>` 或 [search.nixos.org](https://search.nixos.org/packages)
+
+## Secrets（1Password CLI）
+
+项目使用 [1Password CLI](https://developer.1password.com/docs/cli/) 的 `op inject` 在 Fish shell 启动时注入环境变量（如 API Key），而非 sops-nix。
+
+**工作原理**：`home/shell/fish.nix` 生成模板文件 `~/.config/op-env/env.tpl`（仅包含 `op://` 引用，无真实密钥，可安全提交），每次打开交互式 shell 时自动调用 `op inject` 解析模板并 `source` 到环境中。
+
+**前置条件**：需要设置 `OP_SERVICE_ACCOUNT_TOKEN` 环境变量来认证 1Password CLI。建议将其写入 `~/.config/fish/local.fish`（该文件被 gitignore，不会提交）：
+
+```bash
+# ~/.config/fish/local.fish
+set -gx OP_SERVICE_ACCOUNT_TOKEN "your-service-account-token"
+```
+
+> Service Account Token 可在 [1Password 开发者工具](https://my.1password.com/developer-tools/active/service-accounts) 中创建管理。若未设置该 token，`op-env` 会静默跳过，不影响 shell 正常使用。

flake.lock

@@ -61,11 +61,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776046499,
+        "lastModified": 1776136611,
-        "narHash": "sha256-Wzc4nn07/0RL21ypPHRzNDQZcjhIC8LaYo7QJQjM5T4=",
+        "narHash": "sha256-b2pu3Pb28W0bJzQVP3OJHZC5+dgOOeqjlli2WVakKEU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "287f84846c1eb3b72c986f5f6bebcff0bd67440d",
+        "rev": "8a423e444b17dde406097328604a64fc7429e34e",
         "type": "github"
       },
       "original": {