feat(home): 添加 Vercel skills CLI 工具

- op inject 结果缓存到 ~/.cache/op-env/env.fish，shell 启动不再联网
- 新增 op-env-refresh（手动刷新）和 op-env-clear（清除缓存）
- mktemp + mv 原子写入，刷新失败保留旧缓存
- 更新 README 文档匹配新行为

AGENTS.md

@@ -2,7 +2,7 @@
 
 ## Overview
 
-Nix flake managing 3 devices: Mac Mini, MacBook Air (both aarch64-darwin via nix-darwin), and a Windows PC via NixOS-WSL (x86_64-linux). Single user `imbytecat` everywhere. Uses **Lix** (not stock Nix).
+Nix flake — 3 devices (Mac Mini, MacBook Air: aarch64-darwin; WSL: x86_64-linux). Single user `imbytecat`. Uses **Lix**.
 
 ## Architecture
 
@@ -13,95 +13,75 @@ flake.nix
 └── nixosConfigurations.wsl          (x86_64-linux)
 ```
 
-- `lib/default.nix` — builders `mkDarwin`/`mkNixos`, shared `sshKeys` constant (passed via `specialArgs`), `homeManagerConfig` helper. NixOS also gets `catppuccin.nixosModules.catppuccin`.
+- `lib/default.nix` — `mkDarwin`/`mkNixos` builders, `sshKeys` (via `specialArgs`), `homeManagerConfig`
-- `modules/shared/` — both platforms: nix/nixpkgs settings (Lix, overlays), fonts, `programs.fish.enable`, `services.openssh.enable`
+- `modules/shared/` — cross-platform: Lix, overlays, fonts, fish, openssh, 1password
-- `modules/darwin/` — macOS: system preferences, homebrew (casks/brews/masApps), 1Password CLI, user
+- `modules/darwin/` — system preferences, homebrew, user
-- `modules/nixos/` — NixOS: system packages, locale/timezone, docker, user
+- `modules/nixos/` — system packages, locale, docker, user
-- `home/` — home-manager (shared across all hosts via `useGlobalPkgs`), catppuccin theme
+- `home/` — home-manager (shared, `useGlobalPkgs`), catppuccin
-- `hosts/*/` — per-host overrides (mac-mini: 24/7 server with sleep disabled; macbook-air: portable)
+- `hosts/*/` — per-host overrides
-- `overlays/` + `pkgs/` — custom packages (comment-checker)
+- `overlays/` + `pkgs/` — custom packages (`comment-checker`)
 
-Config flows: `hosts/*` (host-specific) -> `modules/*` (platform) -> `home/*` (user-level, cross-platform)
+Flow: `hosts/*` → `modules/*` → `home/*`
-
-## Nix implementation
-
-All platforms use **Lix** (`nix.package = pkgs.lix` in `modules/shared/nix.nix`). Channels are disabled (`nix.channel.enable = false`) — flakes only.
 
 ## Commands
 
 ```bash
-# Justfile shortcuts (preferred)
+just rebuild mac-mini       # macOS host (darwin-rebuild)
-just rebuild mac-mini       # rebuild macOS host (on macOS)
 just rebuild macbook-air
-just rebuild                # rebuild WSL (linux only, default: "wsl")
+just rebuild wsl            # NixOS host (nixos-rebuild)
-just rollback               # rollback to previous generation (linux only)
+just check                  # eval without building (platform-aware)
-just check                  # eval configs without building (platform-aware)
 just update                 # nix flake update
-just up nixpkgs             # update a single flake input
+just up nixpkgs             # update single input
-just show                   # nix flake show
+just clean                  # nix-collect-garbage -d (user-level only)
-just clean                  # nix-collect-garbage -d (user-level only; NixOS system-level needs sudo)
+just rollback               # NixOS only — rollback to previous generation
 just history                # list system profile generations
-just lsp mac-mini           # generate .vscode/settings.json for nixd option completion
+just show                   # nix flake show
-
+just lsp mac-mini           # nixd option completion for VSCode
-# Direct (when just isn't available)
-sudo darwin-rebuild switch --flake .#mac-mini
-sudo nixos-rebuild switch --flake .#wsl
-nix build .#darwinConfigurations.mac-mini.system --dry-run   # validate (eval only)
-nix build .#darwinConfigurations.mac-mini.system             # validate (full build)
-
-# First-time bootstrap (nix-darwin not yet installed)
-sudo nix run nix-darwin -- switch --flake .#mac-mini
-
-# First-time bootstrap WSL (fresh NixOS-WSL has no git)
-nix-shell -p git --run "git clone <repo-url> ~/nix-config"
-cd ~/nix-config && sudo nixos-rebuild switch --flake .#wsl
 ```
 
-## Critical gotchas
+Note: `just check` and `just rebuild` have `[macos]`/`[linux]` variants — the justfile auto-selects by platform.
 
-- **Shared settings live in `modules/shared/`**: Fish, openssh, fonts, nix settings are enabled once in shared — don't re-declare in platform modules.
+## Gotchas
-- **SSH keys are centralized**: Defined as `sshKeys` in `lib/default.nix`, passed via `specialArgs`. Don't hardcode keys in platform modules.
-- **Neovim uses lazyvim-nix**: `programs.lazyvim` in `home/dev/neovim.nix` manages neovim via the `lazyvim-nix` flake input. Catppuccin nvim integration is explicitly disabled (`catppuccin.nvim.enable = false`) because LazyVim manages its own colorscheme. Don't use `catppuccin.enable` for nvim or the old `programs.neovim.plugins` approach.
-- **catppuccin module name**: Home-manager uses `catppuccin.homeModules.catppuccin` (imported in `home/default.nix`). NixOS uses `catppuccin.nixosModules.catppuccin` (in `lib/default.nix`). Don't use the old `homeManagerModules` name.
-- **Homebrew tap casks**: Casks from taps need full path (e.g. `"goooler/repo/fl-clash"`), not just the short name.
-- **`onActivation.cleanup = "zap"`**: Any brew formula/cask NOT declared in `modules/darwin/default.nix` WILL be removed on rebuild. Be comprehensive.
-- **First-time macOS bootstrap requires sudo**: `sudo nix run nix-darwin -- switch --flake .#mac-mini` (not `darwin-rebuild` which doesn't exist yet).
-- **First-time WSL bootstrap needs `nix-shell -p git`**: Fresh NixOS-WSL has no `git`. Use `nix-shell -p git --run "git clone ..."` to clone, then `sudo nixos-rebuild switch`.
-- **mise for version management**: Activated in `home/shell/fish.nix` via `mise activate fish | source`. Config in `home/dev/languages.nix` trusts all config paths.
 
-## Secrets (1Password CLI)
+- **Shared settings in `modules/shared/`** — don't re-declare fish/openssh/1password/fonts in platform modules.
+- **`sshKeys` centralized** in `lib/default.nix` via `specialArgs`. Don't hardcode.
+- **WSL aliases force-cleared** — `hosts/wsl/default.nix` uses `lib.mkForce {}`. All aliases via Home Manager only.
+- **Neovim = lazyvim-nix** — `programs.lazyvim` in `home/dev/neovim.nix`. `catppuccin.nvim.enable = false` (LazyVim manages colorscheme). The `lazyvim.homeManagerModules.default` is loaded as a sharedModule in `lib/default.nix`.
+- **catppuccin modules** — `catppuccin.homeModules.catppuccin` (home), `catppuccin.nixosModules.catppuccin` (NixOS). Not the old `homeManagerModules`.
+- **Homebrew `cleanup = "zap"`** — undeclared casks/brews get removed. `greedyCasks = true` upgrades even auto-updating casks. Shared → `modules/darwin/`, host-specific → `hosts/*/`. Tap casks need full path (e.g. `"goooler/repo/fl-clash"`).
+- **Ghostty macOS-only** — `enable = pkgs.stdenv.isDarwin`, `package = null` (Homebrew cask). Terminfo propagated via `ghostty.terminfo` in `modules/nixos/`.
+- **nix-ld on WSL** — `programs.nix-ld.enable = true` for VSCode Remote.
+- **home-manager `backupFileExtension = "bak"`** — set in `lib/default.nix`. Existing dotfiles get `.bak` suffix on conflict.
+- **mise** — runtime version management (`home/dev/languages.nix`). `trusted_config_paths = [ "/" ]` trusts all config files.
 
-- **Not sops-nix** — secrets are injected at shell startup via `op inject` (1Password CLI).
+## Environment
-- Template: `home/shell/fish.nix` generates `~/.config/op-env/env.tpl` with `op://` references (safe to commit — contains no real secrets).
-- Fish function `op-env` runs on interactive shell init, calling `op inject --in-file` to set env vars: `AI_GATEWAY_BASE_URL`, `AI_GATEWAY_API_KEY`, `EXA_API_KEY`, `CONTEXT7_API_KEY`.
-- macOS: `programs._1password.enable = true` in `modules/darwin/default.nix`.
-- WSL: aliases `op` to `op.exe` (Windows interop) in `home/shell/fish.nix`.
-- Never commit `*.dec.yaml`, `*.dec.json`, `*.plaintext` (in `.gitignore`).
 
-## Shell
+1Password CLI secrets are **cached locally** — shell startup reads `~/.cache/op-env/env.fish` (no network).
 
-Fish (not zsh). All tool integrations use `enableFishIntegration`. Key files:
+- Template: `home/shell/fish.nix` → `~/.config/op-env/env.tpl` (`op://` refs, safe to commit)
-- `home/shell/fish.nix` — abbreviations, interactiveShellInit, mise activation
+- Cache: `~/.cache/op-env/env.fish` (plaintext, `chmod 600`, outside git/nix store)
-- `home/shell/tools.nix` — fzf, atuin, zoxide (`--cmd cd`), direnv, bat, eza, yazi, btop, zellij
+- Auth: `OP_SERVICE_ACCOUNT_TOKEN` in `~/.config/fish/local.fish` (gitignored)
-- `home/shell/starship.nix` — prompt
+- Refresh: user runs `op-env-refresh` manually (needs network). Atomic write (mktemp + mv), failure keeps old cache.
+- Clear: `op-env-clear` removes cache file.
+- `local.fish` is sourced **after** the cache, so it can override env vars per-machine.
 
 ## Home Manager option API
 
-These options were renamed in recent home-manager; use the new names:
+Use the new names:
 - `programs.git.settings.user.{name,email}` (not `userName`/`userEmail`)
 - `programs.git.settings.*` (not `extraConfig`)
 - `programs.delta.{enable,options}` (not `programs.git.delta.*`)
 - `programs.delta.enableGitIntegration = true` (must be explicit)
-- `programs.ssh.matchBlocks."*".addKeysToAgent` (not top-level `addKeysToAgent`)
+- `programs.ssh.matchBlocks."*".addKeysToAgent` (not top-level)
-- `programs.ssh.enableDefaultConfig = false` (set explicitly)
+- `programs.ssh.enableDefaultConfig = false`
 
-## Nix LSP & formatter
+## Nix tooling
 
-- LSP: `nixd` (not `nil`). Provides nixpkgs/option completion.
+- LSP: `nixd`. Formatter: `nixfmt`. Linter: `statix`.
-- Formatter: `nixfmt`. Run: `nixfmt <file.nix>`
+- All in `home/dev/languages.nix`.
-- Both installed via `home/dev/languages.nix`.
+- `just lsp <host>` generates `.vscode/settings.json` from `.vscode/settings.base.json` (gitignored output).
-- VSCode settings for nixd option completion: `just lsp <host>` (generates `.vscode/settings.json` from `.vscode/settings.base.json`)
 
 ## Tool usage
 
-- **Always use the `nixos_nix` MCP tool** when searching for nix-darwin / NixOS / home-manager options. Query with `source=darwin/nixos/home-manager` and `type=options/packages` to find available options before writing config. Do not guess option names or value types — verify first.
+- `opencode.jsonc` configures `just-lsp` (LSP) and `mcp-nixos` (MCP).
+- **Always use `nixos_nix` MCP** to look up nix-darwin/NixOS/home-manager options before writing config. Don't guess option names.

README.md

@@ -1,6 +1,6 @@
 # Nix Config
 
-使用 [nix-darwin](https://github.com/nix-darwin/nix-darwin) + [NixOS-WSL](https://github.com/nix-community/NixOS-WSL) + [Home Manager](https://github.com/nix-community/home-manager) + [Flakes](https://nix.dev/concepts/flakes) 声明式管理三台设备的系统配置。
+nix-darwin + NixOS-WSL + Home Manager + Flakes 声明式管理三台设备的系统配置。
 
 ## 设备
 
@@ -12,117 +12,114 @@
 
 ## 快速开始
 
-### macOS (Mac Mini / MacBook Air)
+### macOS
 
-1. 安装 [Lix](https://lix.systems/)（Nix 的社区分支，nix-darwin 官方推荐）：
+1. 安装 [Lix](https://lix.systems/)：
 
 ```bash
 curl -sSf -L https://install.lix.systems/lix | sh -s -- install
 ```
 
-2. 克隆仓库并首次构建：
+2. 安装 [Homebrew](https://brew.sh/)（nix-darwin 不会自动安装）：
+
+```bash
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+```
+
+3. 克隆仓库并首次构建：
 
 ```bash
 git clone <repo-url> ~/nix-config
 cd ~/nix-config
-# 首次（nix-darwin 尚未安装）：
+sudo nix run nix-darwin -- switch --flake .#macbook-air
-sudo nix run nix-darwin -- switch --flake .#mac-mini
-# 之后日常重建：
-sudo darwin-rebuild switch --flake .#mac-mini
 ```
 
-### WSL (Windows PC)
+之后日常重建：`just rebuild macbook-air`
 
-1. 安装 [NixOS-WSL](https://github.com/nix-community/NixOS-WSL/releases)：
+### WSL
+
+1. 启用 WSL 并更新内核：
+
+```powershell
+wsl --install --no-distribution
+wsl --update
+```
+
+2. 安装 [NixOS-WSL](https://github.com/nix-community/NixOS-WSL/releases)：
 
 ```powershell
 wsl --import NixOS C:\wsl\nixos nixos-wsl.tar.gz
 wsl -d NixOS
 ```
 
-2. 首次初始化（全新的 NixOS-WSL 没有 `git`，需要借助 `nix-shell` 临时引入）：
+3. 首次构建：
 
 ```bash
-nix-shell -p git --run "git clone <repo-url> ~/nix-config"
+nix shell nixpkgs#git
+git clone <repo-url> ~/nix-config
 cd ~/nix-config
 sudo nixos-rebuild switch --flake .#wsl
 ```
 
-> 首次 rebuild 完成后 `git`、`just` 等工具会由配置声明安装，此后可直接使用 `just rebuild` 重建。
+之后日常重建：`just rebuild wsl`
 
 ## 仓库结构
 
 ```
-├── flake.nix                  # 入口：输入源 + 输出配置
+flake.nix                      # 入口
-├── flake.lock                 # 依赖锁定文件
+hosts/                         # 主机特定配置
-├── hosts/
+modules/
-│   ├── mac-mini/default.nix   # Mac Mini 特定配置
+  ├── darwin/                  # macOS 模块
-│   ├── macbook-air/default.nix# MacBook Air 特定配置
+  ├── nixos/                   # NixOS 模块
-│   └── wsl/default.nix        # WSL 特定配置
+  └── shared/                  # 共享模块
-├── modules/
+home/                          # Home Manager 配置
-│   ├── darwin/default.nix     # macOS 模块（Homebrew、系统偏好等）
+  ├── dev/                     # 开发工具
-│   ├── nixos/                 # NixOS 模块
+  └── shell/                   # Shell 配置
-│   │   ├── base.nix           # 基础包
+lib/default.nix                # 构建辅助函数
-│   │   ├── docker.nix         # Docker 配置
+overlays/ + pkgs/              # 自定义包
-│   │   ├── locale.nix         # 区域 / 语言
-│   │   └── default.nix        # 入口（用户、shell）
-│   └── shared/                # 共享模块（Nix 设置）
-├── home/                      # Home Manager 配置
-│   ├── default.nix            # 入口 + 用户级包
-│   ├── theme.nix              # Catppuccin 主题
-│   ├── dev/                   # 开发工具
-│   │   ├── neovim.nix
-│   │   ├── languages.nix      # 语言运行时、LSP
-│   │   └── git.nix
-│   └── shell/                 # Shell 配置
-│       ├── fish.nix           # Fish shell
-│       ├── starship.nix       # Prompt
-│       └── tools.nix          # fzf, atuin, zoxide 等
-├── lib/default.nix            # 构建辅助函数
-├── overlays/                  # 自定义包覆盖
-└── pkgs/                      # 自定义包
 ```
 
-**配置层级**：`hosts/*`（主机特定） → `modules/*`（平台模块） → `home/*`（用户级，跨平台共享）
+配置层级：`hosts/*` → `modules/*` → `home/*`
 
 ## 日常使用
 
-项目提供 [`justfile`](justfile)，首次 rebuild 后即可使用：
-
 ```bash
-just rebuild <host>   # 重建系统（自动选择 darwin-rebuild / nixos-rebuild）
+just rebuild <host>   # 重建系统
 just update           # 更新所有 flake 输入
-just up <input>       # 更新单个输入，如 just up nixpkgs
+just up <input>       # 更新单个输入
-just check            # 检查配置是否能正常 evaluate
+just check            # 检查配置
-just clean            # 清理旧 generation 并回收空间
+just clean            # 清理旧 generation
-just rollback         # 回滚到上一个 generation（仅 NixOS）
+just rollback         # 回滚（仅 NixOS）
-just history          # 查看系统 profile 历史
+just history          # 查看 profile 历史
 just show             # 显示 flake 输出
 ```
 
-Fish shell 中也定义了 abbreviation 可直接使用：
-
-```bash
-rebuild               # 自动选择 darwin-rebuild 或 nixos-rebuild
-update                # nix flake update
-```
-
-> **注意**：`just clean` 仅清理用户级 generation。NixOS 上如需清理系统级旧 generation，需要 `sudo nix-collect-garbage -d`。
-
 ## Shell
 
-使用 **Fish** 作为默认 shell，搭配：
+Fish + Starship + Atuin + Zoxide + FZF + Direnv，Catppuccin Mocha 主题。
 
-- **Starship** — 跨平台 prompt
+常用自定义：
-- **Atuin** — shell 历史搜索
+- fish abbreviation → `home/shell/fish.nix`
-- **Zoxide** — 智能 cd（`cd` = zoxide, `cdi` = 交互选择）
+- 添加包 → `home/default.nix` 或 `home/dev/languages.nix`
-- **FZF** — 模糊搜索（Ctrl-R 历史, Ctrl-T 文件, Alt-C 目录）
+- Homebrew cask → `modules/darwin/default.nix`
-- **Direnv** — 自动加载项目环境
-- **Catppuccin Mocha** — 统一主题
 
-### 自定义
+## Environment
 
-- 添加 fish abbreviation: 编辑 `home/shell/fish.nix` 中的 `shellAbbrs`
+1Password CLI `op inject` 获取环境变量，本地缓存后离线可用。
-- 添加包: 编辑 `home/default.nix` 或 `home/dev/languages.nix`
+
-- 添加 Homebrew cask: 编辑 `modules/darwin/default.nix` 中的 `homebrew.casks`
+模板文件 `~/.config/op-env/env.tpl` 由 `home/shell/fish.nix` 生成，仅包含 `op://` 引用，可安全提交。
-- 查包名: `nix search nixpkgs <关键词>` 或 [search.nixos.org](https://search.nixos.org/packages)
+
+Shell 启动时只读取本地缓存（`~/.cache/op-env/env.fish`），不联网。首次使用或密钥变更后需手动刷新：
+
+```bash
+op-env-refresh   # 从 1Password 获取并缓存（需联网）
+op-env-clear     # 清除本地缓存
+```
+
+认证需要在 `~/.config/fish/local.fish`（gitignored）中设置：
+
+```bash
+set -gx OP_SERVICE_ACCOUNT_TOKEN "your-service-account-token"
+```
+
+未设置 token 时 `op-env-refresh` 会提示错误，不影响已有缓存的正常使用。

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775994227,
+        "lastModified": 1776190523,
-        "narHash": "sha256-4VKeWtl9dEubrgpy9fSXkXbjBZlNXPNlQQM5l1ppHv4=",
+        "narHash": "sha256-qfZWzaWuXfbF487cXj43uT7HWtqF45A+g7g59fOPYsk=",
         "owner": "catppuccin",
         "repo": "nix",
-        "rev": "d0a9a21ed8e235956a768fc624242ec9a3e15575",
+        "rev": "2eefec08414e2f90824bf2b508ea38ef6f295dfa",
         "type": "github"
       },
       "original": {
@@ -61,11 +61,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776046499,
+        "lastModified": 1776184304,
-        "narHash": "sha256-Wzc4nn07/0RL21ypPHRzNDQZcjhIC8LaYo7QJQjM5T4=",
+        "narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "287f84846c1eb3b72c986f5f6bebcff0bd67440d",
+        "rev": "3c7524c68348ef79ce48308e0978611a050089b2",
         "type": "github"
       },
       "original": {

flake.nix

@@ -37,7 +37,7 @@
       mylib = import ./lib { inherit inputs; };
     in
     {
-      # ── macOS hosts ─────────────────────────────────────
+      # ── macOS 主机 ──────────────────────────────────────
       darwinConfigurations = {
         mac-mini = mylib.mkDarwin {
           hostname = "awesome-mac-mini";
@@ -54,7 +54,7 @@
         };
       };
 
-      # ── NixOS hosts (WSL on Windows PC) ─────────────────
+      # ── NixOS 主机（Windows PC 上的 WSL）──────────────
       nixosConfigurations = {
         wsl = mylib.mkNixos {
           hostname = "awesome-wsl";
@@ -67,7 +67,7 @@
         };
       };
 
-      # ── Packages ────────────────────────────────────────
+      # ── 自定义包 ─────────────────────────────────────────
       packages = nixpkgs.lib.genAttrs [ "aarch64-darwin" "x86_64-linux" ] (
         system:
         let

home/default.nix

@@ -20,12 +20,11 @@
   home = {
     username = username;
     homeDirectory = if pkgs.stdenv.isDarwin then "/Users/${username}" else "/home/${username}";
-    stateVersion = "24.11";
+    stateVersion = "25.11";
   };
 
-  # ── User-level packages ────────────────────────────
   home.packages = with pkgs; [
-    # Modern CLI replacements
+    # 现代 CLI 替代工具
     dust # du
     duf # df
     procs # ps
@@ -34,28 +33,29 @@
     yq # YAML
     wget
 
-    # System info
+    # 系统信息
     fastfetch
     tealdeer # tldr
 
-    # File management
+    # 文件管理
     gomi
+    ouch # 压缩/解压
 
-    # Nix tools
+    # Nix 工具
     nix-output-monitor # nom
-    nvd # nix version diff
+    nvd # Nix 版本对比
-    nh # nix helper
+    nh # Nix 辅助工具
     just
 
-    # AI coding agent
+    # AI 编程代理
     opencode
     comment-checker
+    skills
 
-    # Misc
+    # 其他
     ffmpeg
     pandoc
   ];
 
-  # XDG directories
   xdg.enable = true;
 }

home/dev/git.nix

@@ -1,4 +1,4 @@
-{ ... }:
+_:
 
 {
   programs.git = {
@@ -34,9 +34,7 @@
         nerdFontsVersion = "3";
         showBottomLine = false;
       };
-      git.pagers = [
+      git.pagers = [ { pager = "delta --paging=never"; } ];
-        { pager = "delta --paging=never"; }
-      ];
       update.method = "never";
       disableStartupPopups = true;
     };

home/dev/languages.nix

@@ -2,15 +2,16 @@
 
 {
   home.packages = with pkgs; [
-    # ── Language runtimes ──
+    # ── 语言运行时 ──
     nodejs
     go
     bun
+    python3
 
-    # ── Package management / version management ──
+    # ── 包管理 / 版本管理 ──
     uv
 
-    # ── LSP servers ──
+    # ── LSP 服务器 ──
     bash-language-server
     gopls
     typescript-language-server
@@ -21,7 +22,7 @@
     nixd
     just-lsp
 
-    # ── Linter / Formatter ──
+    # ── 代码检查 / 格式化 ──
     biome
     ruff
     shellcheck
@@ -30,7 +31,7 @@
     statix
     stylua
 
-    # ── Code intelligence ──
+    # ── 代码智能 ──
     ast-grep
   ];
 
@@ -41,6 +42,7 @@
     globalConfig = {
       settings = {
         trusted_config_paths = [ "/" ];
+        all_compile = false;
       };
     };
   };

home/dev/neovim.nix

@@ -1,7 +1,7 @@
-{ ... }:
+_:
 
 {
-  # Disable catppuccin/nix neovim integration — LazyVim manages its own colorscheme
+  # 禁用 catppuccin/nix 的 Neovim 集成 — LazyVim 自行管理配色方案
   catppuccin.nvim.enable = false;
 
   programs.neovim = {
@@ -22,7 +22,7 @@
       lang.docker.enable = true;
     };
 
-    # Catppuccin Mocha colorscheme (managed by LazyVim, not catppuccin/nix)
+    # Catppuccin Mocha 配色方案（由 LazyVim 管理，非 catppuccin/nix）
     plugins = {
       colorscheme = ''
         return {

home/shell/fish.nix

@@ -1,78 +1,135 @@
-{ config, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 
 let
   envTpl = "${config.xdg.configHome}/op-env/env.tpl";
+  envCache = "${config.xdg.cacheHome}/op-env/env.fish";
 in
 {
-  # ── 1Password env template ──────────────────────────
+  # ── 1Password 环境变量模板 ─────────────────────────────
-  # op:// references only — no real secrets, safe to commit
+  # 仅包含 op:// 引用 — 无真实密钥，可安全提交
-  # Kept outside ~/.config/op — that dir must be 700 and owned by op CLI
+  # 放在 ~/.config/op 之外 — 该目录必须是 700 权限且属于 op CLI
   xdg.configFile."op-env/env.tpl".text = ''
-    AI_GATEWAY_BASE_URL={{ op://Private/AI Gateway API/URL }}
+    set -gx AI_GATEWAY_BASE_URL "{{ op://Developer/AI Gateway API/URL }}"
-    AI_GATEWAY_API_KEY={{ op://Private/AI Gateway API/credential }}
+    set -gx AI_GATEWAY_API_KEY "{{ op://Developer/AI Gateway API/credential }}"
-    EXA_API_KEY={{ op://Private/Exa API/credential }}
+    set -gx EXA_API_KEY "{{ op://Developer/Exa API/credential }}"
-    CONTEXT7_API_KEY={{ op://Private/Context7 API/credential }}
+    set -gx CONTEXT7_API_KEY "{{ op://Developer/Context7 API/credential }}"
   '';
 
   programs.fish = {
     enable = true;
 
     shellAbbrs = {
-      # Navigation (one-shot, no need to recall in history)
+      # 导航（一次性命令，无需记录历史）
       ".." = "cd ..";
       "..." = "cd ../..";
     };
 
     shellAliases = {
-      # File listing (eza) — base aliases (ls/la/lt) from programs.eza
+      # 文件列表（eza）— 基础别名（ls/la/lt）来自 programs.eza
       ll = "eza -lh";
       lla = "eza -lah --time-style=long-iso";
 
-      # Tools
       cat = "bat --paging=never";
       rm = "gomi";
       lg = "lazygit";
-      vi = "nvim";
     };
 
     interactiveShellInit = ''
-      # No greeting
       set -g fish_greeting
-
-      # PATH
       fish_add_path $HOME/go/bin $HOME/.bun/bin
+      ${lib.optionalString pkgs.stdenv.isDarwin ''fish_add_path "/Applications/Visual Studio Code.app/Contents/Resources/app/bin"''}
 
-      # Sudo: double Escape to prepend sudo
+      # 双击 Escape 在命令前插入 sudo
       bind \e\e 'fish_commandline_prepend sudo'
 
-      # WSL clipboard
+      # WSL 剪贴板
       if set -q WSL_DISTRO_NAME
         alias pbcopy clip.exe
         alias pbpaste "powershell.exe -noprofile -c Get-Clipboard"
-        alias op op.exe
       end
 
-      # User-local overrides
+      # Windows Terminal：发送 OSC 9;9 使新标签页/窗格在同一目录打开
+      function __wt_osc9_9 --on-variable PWD
+        if test -n "$WT_SESSION"
+          printf "\e]9;9;%s\e\\" (wslpath -w "$PWD")
+        end
+      end
+
+      # 1Password → 环境变量（本地缓存，启动时不联网）
+      # 启动时仅加载缓存；手动执行 op-env-refresh 拉取/更新
+      # 通过 OP_SERVICE_ACCOUNT_TOKEN 认证（在 ~/.config/fish/local.fish 中设置）
+      function op-env-refresh --description "Fetch secrets from 1Password and cache locally"
+        if not type -q op
+          echo "op-env: op CLI not found in PATH" >&2
+          return 1
+        end
+        if not set -q OP_SERVICE_ACCOUNT_TOKEN; or test -z "$OP_SERVICE_ACCOUNT_TOKEN"
+          echo "op-env: OP_SERVICE_ACCOUNT_TOKEN is not set" >&2
+          return 1
+        end
+        if not test -f "${envTpl}"
+          echo "op-env: template not found: ${envTpl}" >&2
+          return 1
+        end
+        set -l cache_dir (path dirname "${envCache}")
+        if not mkdir -p "$cache_dir"; or not chmod 700 "$cache_dir"
+          echo "op-env: cannot prepare cache dir: $cache_dir" >&2
+          return 1
+        end
+        set -l tmp (mktemp "$cache_dir/.tmp.XXXXXX")
+        or begin
+          echo "op-env: mktemp failed" >&2
+          return 1
+        end
+        if not op inject --in-file "${envTpl}" > "$tmp"
+          command rm -f "$tmp"
+          echo "op-env: inject failed; old cache kept" >&2
+          return 1
+        end
+        # 替换缓存前记录旧变量名
+        set -l old_vars
+        if test -f "${envCache}"
+          set old_vars (string match -rg 'set -gx (\S+)' < "${envCache}")
+        end
+        if not mv "$tmp" "${envCache}"
+          command rm -f "$tmp"
+          echo "op-env: cannot replace cache file" >&2
+          return 1
+        end
+        for var in $old_vars
+          set -e $var
+        end
+        if not source "${envCache}"
+          echo "op-env: cache written but could not be sourced" >&2
+          return 1
+        end
+        echo "op-env: refreshed"
+      end
+
+      function op-env-clear --description "Clear cached secrets"
+        if test -f "${envCache}"
+          for var in (string match -rg 'set -gx (\S+)' < "${envCache}")
+            set -e $var
+          end
+          command rm -f "${envCache}"
+        end
+        echo "op-env: cleared"
+      end
+
+      # 加载缓存的密钥（即时，不联网）
+      if test -f "${envCache}"
+        source "${envCache}"
+      end
+
+      # 用户本地配置（OP_SERVICE_ACCOUNT_TOKEN、机器特定覆盖）
       if test -f ~/.config/fish/local.fish
         source ~/.config/fish/local.fish
       end
-
-      # 1Password → env vars (single op call, silent on failure)
-      function op-env --description "Load secrets from 1Password"
-        if not type -q op; or not test -f ${envTpl}
-          return 1
-        end
-        set -l output (op inject --in-file ${envTpl} 2>/dev/null)
-        or return 1
-        for line in $output
-          string match -qr '^\s*(#|$)' -- $line; and continue
-          set -l kv (string split -m 1 '=' $line)
-          if test (count $kv) -ge 2
-            set -gx $kv[1] $kv[2]
-          end
-        end
-      end
-      op-env
     '';
   };
 }

home/shell/ghostty.nix

@@ -3,7 +3,7 @@
 {
   programs.ghostty = {
     enable = pkgs.stdenv.isDarwin;
-    package = null; # installed via Homebrew cask
+    package = null; # 通过 Homebrew cask 安装
     settings = {
       font-family = "Maple Mono NF CN";
       font-size = 14;

home/shell/starship.nix

@@ -57,11 +57,11 @@
         truncation_length = 3;
         truncation_symbol = "…/";
         substitutions = {
-          Developer = "󰲋 ";
+          Developer = "󰲋";
-          Documents = "󰈙 ";
+          Documents = "󰈙";
-          Downloads = " ";
+          Downloads = "";
-          Music = "󰝚 ";
+          Music = "󰝚";
-          Pictures = " ";
+          Pictures = "";
         };
       };
 

home/shell/tools.nix

@@ -19,7 +19,7 @@
     ];
   };
 
-  # ── Atuin (shell history) ────────────────────────────
+  # ── Atuin（Shell 历史记录）─────────────────────────────
   programs.atuin = {
     enable = true;
     enableFishIntegration = true;
@@ -33,11 +33,11 @@
     };
   };
 
-  # ── Zoxide (smart cd) ───────────────────────────────
+  # ── Zoxide（智能 cd）──────────────────────────────────
   programs.zoxide = {
     enable = true;
     enableFishIntegration = true;
-    options = [ "--cmd cd" ]; # cd/cdi instead of z/zi
+    options = [ "--cmd cd" ]; # 用 cd/cdi 替代 z/zi
   };
 
   # ── Direnv + nix-direnv ─────────────────────────────
@@ -50,7 +50,7 @@
     };
   };
 
-  # ── Bat (cat replacement) ───────────────────────────
+  # ── Bat（cat 替代）────────────────────────────────────
   programs.bat = {
     enable = true;
     extraPackages = with pkgs.bat-extras; [
@@ -59,7 +59,7 @@
     ];
   };
 
-  # ── Eza (ls replacement) ────────────────────────────
+  # ── Eza（ls 替代）─────────────────────────────────────
   programs.eza = {
     enable = true;
     enableFishIntegration = true;
@@ -70,14 +70,14 @@
     ];
   };
 
-  # ── Yazi (file manager) ─────────────────────────────
+  # ── Yazi（文件管理器）────────────────────────────────
   programs.yazi = {
     enable = true;
     enableFishIntegration = true;
     shellWrapperName = "y";
   };
 
-  # ── Btop (system monitor) ───────────────────────────
+  # ── Btop（系统监控）──────────────────────────────────
   programs.btop = {
     enable = true;
     settings = {
@@ -85,7 +85,7 @@
     };
   };
 
-  # ── Zellij (terminal multiplexer) ────────────────────
+  # ── Zellij（终端复用器）──────────────────────────────
   programs.zellij = {
     enable = true;
     enableFishIntegration = false;

hosts/mac-mini/default.nix

@@ -1,13 +1,13 @@
 { ... }:
 
 {
-  # ── Mac Mini specific ─────────────────────────────────
+  # ── Mac Mini 专属配置 ────────────────────────────────
-  # Always plugged in — 24/7 server role
+  # 常驻供电 — 全天候服务器角色
 
-  # Touch ID for sudo
+  # Touch ID 验证 sudo
   security.pam.services.sudo_local.touchIdAuth = true;
 
-  # ── Never sleep ─────────────────────────────────────
+  # ── 禁止睡眠 ────────────────────────────────────────
   power.sleep.computer = "never";
   power.sleep.display = "never";
   power.sleep.harddisk = "never";
@@ -15,17 +15,17 @@
   power.restartAfterPowerFailure = true;
   power.restartAfterFreeze = true;
 
-  # ── Wake on LAN ──────────────────────────────────
+  # ── 网络唤醒（WoL）─────────────────────────────────
   networking.wakeOnLan.enable = true;
 
-  # ── Screen Sharing (VNC) & pmset ─────────────────
+  # ── 屏幕共享（VNC）& pmset ──────────────────────────
   system.activationScripts.postActivation.text = ''
     # VNC
     launchctl enable system/com.apple.screensharing
     launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist 2>/dev/null || true
-    # Disable Power Nap
+    # 禁用 Power Nap
     pmset -a powernap 0
   '';
 
-  system.stateVersion = 5;
+  system.stateVersion = 6;
 }

hosts/macbook-air/default.nix

@@ -1,11 +1,16 @@
 { ... }:
 
 {
-  # ── MacBook Air specific ──────────────────────────────
+  # ── MacBook Air 专属配置 ─────────────────────────────
-  # Portable — battery-conscious settings
+  # 便携设备 — 注意电池续航
 
-  # Touch ID for sudo
+  # Touch ID 验证 sudo
   security.pam.services.sudo_local.touchIdAuth = true;
 
-  system.stateVersion = 5;
+  # ── 刘海屏适配 ──────────────────────────────────────
+  homebrew.casks = [
+    "thaw" # 刘海屏菜单栏管理工具
+  ];
+
+  system.stateVersion = 6;
 }

hosts/wsl/default.nix

@@ -1,6 +1,10 @@
-{ username, ... }:
+{ lib, username, ... }:
 
 {
+  # ── Shell ─────────────────────────────────────────────
+  # 移除 NixOS 默认别名（ls/ll/l）— 由 Home Manager eza 管理
+  environment.shellAliases = lib.mkForce { };
+
   # ── WSL ──────────────────────────────────────────────
   wsl = {
     enable = true;
@@ -11,5 +15,5 @@
   # ── nix-ld (VSCode Remote, etc.) ────────────────────
   programs.nix-ld.enable = true;
 
-  system.stateVersion = "24.11";
+  system.stateVersion = "25.11";
 }

justfile

@@ -17,7 +17,7 @@ rebuild host:
 # Rebuild and switch to new system configuration
 [linux]
 [group('build')]
-rebuild host="wsl":
+rebuild host:
     sudo nixos-rebuild switch --flake .#{{host}}
 
 # Check configs evaluate without errors
@@ -86,6 +86,6 @@ lsp host:
 # Generate .vscode/settings.json with LSP option completion
 [linux]
 [group('tools')]
-lsp host="wsl":
+lsp host:
     @jq --arg h "{{host}}" '."nix.serverSettings".nixd.options = {"nixos":{"expr":"(builtins.getFlake (toString ./.)).nixosConfigurations.\($h).options"},"home-manager":{"expr":"(builtins.getFlake (toString ./.)).nixosConfigurations.\($h).options.home-manager.users.type.getSubOptions []"}}' .vscode/settings.base.json > .vscode/settings.json
     @echo "Generated .vscode/settings.json for {{host}}"

lib/default.nix

@@ -7,7 +7,7 @@ let
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDRTOo48gzzRGT+bF9dzJCFJu61YgsQVONFtxU9kTPIg"
   ];
 
-  # Shared home-manager configuration block
+  # 共享的 Home Manager 配置块
   homeManagerConfig = username: {
     home-manager = {
       useGlobalPkgs = true;
@@ -24,7 +24,7 @@ let
   };
 in
 {
-  # ── NixOS host builder ──────────────────────────────
+  # ── NixOS 主机构建器 ─────────────────────────────────
   mkNixos =
     {
       hostname,
@@ -53,7 +53,7 @@ in
       ++ extraModules;
     };
 
-  # ── nix-darwin host builder ─────────────────────────
+  # ── nix-darwin 主机构建器 ────────────────────────────
   mkDarwin =
     {
       hostname,

modules/darwin/default.nix

@@ -6,13 +6,13 @@
 }:
 
 {
-  # ── Primary user (required by nix-darwin) ──────────
   system.primaryUser = username;
 
-  # ── 1Password CLI ───────────────────────────────────
+  # ── 免密 sudo ────────────────────────────────────────
-  programs._1password.enable = true;
+  security.sudo.extraConfig = ''
+    ${username} ALL=(ALL) NOPASSWD:ALL
+  '';
 
-  # ── User ───────────────────────────────────────────
   users.knownUsers = [ username ];
   users.users.${username} = {
     home = "/Users/${username}";
@@ -21,7 +21,7 @@
     openssh.authorizedKeys.keys = sshKeys;
   };
 
-  # ── macOS system preferences ───────────────────────
+  # ── macOS 系统偏好设置 ────────────────────────────────
   system.defaults = {
     LaunchServices.LSQuarantine = false;
     dock = {
@@ -35,21 +35,25 @@
       wvous-bl-corner = 1;
       wvous-br-corner = 1;
     };
-    finder = {
+    finder.FXPreferredViewStyle = "clmv";
-      AppleShowAllExtensions = true;
-      FXPreferredViewStyle = "clmv";
-    };
     NSGlobalDomain = {
       AppleShowAllExtensions = true;
       InitialKeyRepeat = 15;
       KeyRepeat = 2;
     };
+    CustomUserPreferences."ch.sudo.cyberduck" = {
+      # 永久禁用捐赠提示（日期设为遥远的未来）
+      "donate.reminder.date" = 253402300799000;
+    };
   };
 
   # ── Homebrew ───────────────────────────────────────
   homebrew = {
     enable = true;
-    greedyCasks = true; # always upgrade casks even if they auto-update
+    greedyCasks = true; # 即使 cask 自动更新也始终升级
+    # 已废弃：Homebrew 将于 2026-09 后移除 --no-quarantine
+    # 待所有 cask 通过 Gatekeeper（签名且公证）后移除此项
+    caskArgs.no_quarantine = true;
 
     taps = [
       "goooler/repo"
@@ -59,11 +63,12 @@
       "mole"
     ];
 
-    # GUI apps
+    # GUI 应用
     casks = [
       "1password"
       "brave-browser"
       "cherry-studio"
+      "cyberduck"
       "dbeaver-community"
       "discord"
       "feishu"
@@ -88,6 +93,7 @@
 
     # Mac App Store
     masApps = {
+      "iPreview" = 1519213509;
       "Microsoft Word" = 462054704;
       "Microsoft Excel" = 462058435;
       "Microsoft PowerPoint" = 462062816;
@@ -98,7 +104,7 @@
     onActivation = {
       autoUpdate = true;
       upgrade = true;
-      cleanup = "zap"; # remove anything not declared above
+      cleanup = "zap"; # 移除所有未声明的内容
     };
   };
 }

modules/nixos/default.nix

@@ -10,21 +10,18 @@
     ./docker.nix
   ];
 
-  # ── System-essential packages ──────────────────────
   environment.systemPackages = with pkgs; [
     curl
     git
     ghostty.terminfo
   ];
 
-  # ── Locale / Timezone ──────────────────────────────
   i18n = {
     defaultLocale = "en_US.UTF-8";
     supportedLocales = [ "en_US.UTF-8/UTF-8" ];
   };
   time.timeZone = "Asia/Shanghai";
 
-  # ── Default user ───────────────────────────────────
   users.users.${username} = {
     isNormalUser = true;
     shell = pkgs.fish;
@@ -32,6 +29,5 @@
     openssh.authorizedKeys.keys = sshKeys;
   };
 
-  # ── sudo ───────────────────────────────────────────
   security.sudo.wheelNeedsPassword = false;
 }

modules/shared/default.nix

@@ -5,5 +5,6 @@
   ];
 
   programs.fish.enable = true;
+  programs._1password.enable = true;
   services.openssh.enable = true;
 }

modules/shared/nix.nix

@@ -11,7 +11,7 @@
     warn-dirty = false;
   };
 
-  # Disable channels — we use flakes exclusively
+  # 禁用 channels — 仅使用 flakes
   nix.channel.enable = false;
 
   nixpkgs = {