refactor(eza): delegate base aliases to HM integration, drop redundant flags

AGENTS.md

@@ -2,7 +2,7 @@
 
 ## Overview
 
-Nix flake managing 3 devices: Mac Mini, MacBook Air (both aarch64-darwin via nix-darwin), and a Windows PC via NixOS-WSL (x86_64-linux). Single user `imbytecat` everywhere.
+Nix flake managing 3 devices: Mac Mini, MacBook Air (both aarch64-darwin via nix-darwin), and a Windows PC via NixOS-WSL (x86_64-linux). Single user `imbytecat` everywhere. Uses **Lix** (not stock Nix).
 
 ## Architecture
 
@@ -13,14 +13,13 @@ flake.nix
 └── nixosConfigurations.wsl          (x86_64-linux)
 ```
 
-- `lib/default.nix` — builders: `mkDarwin`, `mkNixos`. All hosts get shared modules + home-manager + catppuccin + lazyvim-nix + sops-nix.
+- `lib/default.nix` — builders: `mkDarwin`, `mkNixos`. All hosts get shared modules + home-manager + lazyvim-nix (as HM sharedModule). NixOS also gets `catppuccin.nixosModules.catppuccin`; home-manager imports `catppuccin.homeModules.catppuccin` directly in `home/default.nix`.
 - `modules/shared/` — both platforms: nixpkgs config, overlays, nix settings, Lix
 - `modules/darwin/` — macOS: system preferences, homebrew (casks/brews/masApps), fonts, fish shell, user
 - `modules/nixos/` — NixOS: base packages, docker, locale, user
 - `home/` — home-manager (shared across all hosts via `useGlobalPkgs`)
 - `hosts/*/` — per-host overrides (mac-mini: 24/7 server with sleep disabled; macbook-air: portable)
 - `overlays/` + `pkgs/` — custom packages (comment-checker)
-- `secrets/` — sops-encrypted secrets (age key derived from `~/.ssh/id_ed25519`)
 
 Config flows: `hosts/*` (host-specific) -> `modules/*` (platform) -> `home/*` (user-level, cross-platform)
 
@@ -63,13 +62,14 @@ sudo nix run nix-darwin -- switch --flake .#mac-mini
 - **First-time bootstrap requires sudo**: `sudo nix run nix-darwin -- switch --flake .#mac-mini` (not `darwin-rebuild` which doesn't exist yet).
 - **mise for version management**: Activated in `home/shell/fish.nix` via `mise activate fish | source`. Config in `home/dev/languages.nix` trusts all config paths.
 
-## Secrets (sops-nix)
+## Secrets (1Password CLI)
 
-- Encrypted with age, key derived from `~/.ssh/id_ed25519` (see `.sops.yaml`)
-- Secrets file: `secrets/secrets.yaml` — edit with `just secrets` (runs `sops`)
-- Decrypted at runtime via `home/secrets.nix`, exposed as env vars in fish: `AI_GATEWAY_BASE_URL`, `AI_GATEWAY_API_KEY`, `EXA_API_KEY`, `CONTEXT7_API_KEY`
-- sops-nix integrated via `home-manager` sharedModules in `lib/default.nix`
-- Never commit `*.dec.yaml`, `*.dec.json`, `*.plaintext` (in `.gitignore`)
+- **Not sops-nix** — secrets are injected at shell startup via `op inject` (1Password CLI).
+- Template: `home/shell/fish.nix` generates `~/.config/op-env/env.tpl` with `op://` references (safe to commit — contains no real secrets).
+- Fish function `op-env` runs on interactive shell init, calling `op inject --in-file` to set env vars: `AI_GATEWAY_BASE_URL`, `AI_GATEWAY_API_KEY`, `EXA_API_KEY`, `CONTEXT7_API_KEY`.
+- macOS: `programs._1password.enable = true` in `modules/darwin/default.nix`.
+- WSL: aliases `op` to `op.exe` (Windows interop) in `home/shell/fish.nix`.
+- Never commit `*.dec.yaml`, `*.dec.json`, `*.plaintext` (in `.gitignore`).
 
 ## Shell
 

home/default.nix

@@ -1,6 +1,5 @@
 {
   inputs,
-  lib,
   username,
   pkgs,
   ...
@@ -29,7 +28,6 @@
       duf # df
       procs # ps
       sd # sed
-      xh # curl/httpie
       jq # JSON
       yq # YAML
       wget

home/shell/fish.nix

@@ -18,25 +18,21 @@ in
     enable = true;
 
     shellAbbrs = {
-      # Navigation
+      # Navigation (one-shot, no need to recall in history)
       ".." = "cd ..";
       "..." = "cd ../..";
+    };
 
-      # File listing (eza)
-      ls = "eza --icons --group-directories-first";
-      ll = "eza -la --icons --git --group-directories-first";
-      la = "eza -a --icons --group-directories-first";
-      lt = "eza --tree --level=2 --icons";
+    shellAliases = {
+      # File listing (eza) — base aliases (ls/la/lt) from programs.eza
+      ll = "eza -lh";
+      lla = "eza -lah --time-style=long-iso";
 
       # Tools
       cat = "bat --paging=never";
       rm = "gomi";
       lg = "lazygit";
       vi = "nvim";
-
-      # Network
-      http = "xh";
-
     };
 
     interactiveShellInit = ''
@@ -64,12 +60,14 @@ in
         source ~/.config/fish/local.fish
       end
 
-      # 1Password → env vars (single op call, silent if locked)
+      # 1Password → env vars (single op call, silent on failure)
       function op-env --description "Load secrets from 1Password"
         if not type -q op; or not test -f ${envTpl}
           return 1
         end
-        for line in (op inject < ${envTpl} 2>/dev/null)
+        set -l output (op inject --in-file ${envTpl} 2>/dev/null)
+        or return 1
+        for line in $output
           string match -qr '^\s*(#|$)' -- $line; and continue
           set -l kv (string split -m 1 '=' $line)
           if test (count $kv) -ge 2

home/shell/tools.nix

@@ -62,11 +62,10 @@
   # ── Eza (ls replacement) ────────────────────────────
   programs.eza = {
     enable = true;
-    enableFishIntegration = false; # we use custom abbrs in fish.nix
+    enableFishIntegration = true;
     git = true;
     icons = "auto";
     extraOptions = [
-      "--color=always"
       "--group-directories-first"
     ];
   };
@@ -89,7 +88,7 @@
   # ── Zellij (terminal multiplexer) ────────────────────
   programs.zellij = {
     enable = true;
-    enableFishIntegration = true;
+    enableFishIntegration = false;
     settings = {
       show_startup_tips = false;
     };

modules/darwin/default.nix

@@ -35,6 +35,8 @@
     LaunchServices.LSQuarantine = false;
     dock = {
       autohide = true;
+      autohide-delay = 0.0;
+      autohide-time-modifier = 0.15;
       show-recents = false;
       mru-spaces = false;
       wvous-tl-corner = 1;
@@ -86,6 +88,7 @@
       "raycast"
       "spotify"
       "telegram-desktop"
+      "tencent-meeting"
       "termius"
       "visual-studio-code"
       "wechat"