From f2a3ae9a4bd9ba00540bf1868a4ef6f1f772b43a Mon Sep 17 00:00:00 2001
From: Ismo Vuorinen
Date: Fri, 20 Mar 2026 04:20:51 +0200
Subject: [PATCH] feat(fish): add secrets.d for secret env vars

Add config/fish/secrets.d/ directory pattern to .gitignore while allowing *.example and README.md through. Add README and example file documenting the secrets convention. Source secrets.d/*.fish files in exports.fish so secret environment variables are loaded automatically.
---
.gitignore | 3 +
config/fish/exports.fish | 9 +++
config/fish/secrets.d/README.md | 72 +++++++++++++++++++++++
config/fish/secrets.d/github.fish.example | 5 ++
4 files changed, 89 insertions(+)
create mode 100644 config/fish/secrets.d/README.md
create mode 100644 config/fish/secrets.d/github.fish.example

diff --git a/.gitignore b/.gitignore
index 0363fce..1784999 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,6 +29,9 @@ config/fish/completions/kubectl.fish
 config/fish/completions/orbctl.fish
 config/fish/fish_variables
 config/fish/fish_variables.*
+config/fish/secrets.d/*
+!config/fish/secrets.d/*.example
+!config/fish/secrets.d/README.md
 config/gh/hosts.yml
 config/git/credentials
 config/git/local.d/*
diff --git a/config/fish/exports.fish b/config/fish/exports.fish
index a3419a0..1392e48 100644
--- a/config/fish/exports.fish
+++ b/config/fish/exports.fish
@@ -180,6 +180,15 @@ if test -f "$DOTFILES/hosts/$HOSTNAME/config/fish/exports-secret.fish"
 source "$DOTFILES/hosts/$HOSTNAME/config/fish/exports-secret.fish"
 end
 
+# Source secret environment variables from secrets.d directory
+if test -d "$DOTFILES/config/fish/secrets.d"
+ for secret_file in "$DOTFILES/config/fish/secrets.d"/*.fish
+ if test -f "$secret_file"
+ source "$secret_file"
+ end
+ end
+end
+
 # Configure tide prompt
+set -gx tide_prompt_transient_enabled true
+set -gx tide_prompt_add_newline_before true
diff --git a/config/fish/secrets.d/README.md b/config/fish/secrets.d/README.md
new file mode 100644
index 0000000..740c8ac
--- /dev/null
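Review bot: The new loader sources every `*.fish` under `secrets.d` on shell start but only checks `test -f`, so a file (or the directory) that is group- or world-writable lets anyone who can write there run code in every new shell; the README merely says to "consider chmod 600", so the loader should refuse files whose mode has `g+w` or `o+w`, as sketched below, and ideally check the directory the same way. The symbolic `-perm` form is accepted by both GNU and BSD find, but confirm it on the hosts this runs on, and note that a file owned by another user is still not detected. Separately, the context line here sources `$DOTFILES/hosts/$HOSTNAME/config/fish/exports-secret.fish`, while the new README's Backward Compatibility section names the legacy path as `config/fish/exports-secret.fish`; one of the two should be corrected so users put the file where the loader actually looks.
```fish
# Source secret environment variables from secrets.d directory.
# Refuse group-/world-writable files: anything that can write here
# gets code execution in every new shell.
if test -d "$DOTFILES/config/fish/secrets.d"
    for secret_file in "$DOTFILES/config/fish/secrets.d"/*.fish
        if not test -f "$secret_file"
            continue
        end
        # `count` prints 0 when find matches nothing, so the test is safe on empty output
        if test (count (find "$secret_file" \( -perm -g+w -o -perm -o+w \))) -gt 0
            echo "secrets.d: skipping $secret_file (group/world-writable)" >&2
            continue
        end
        source "$secret_file"
    end
end
```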
+++ b/config/fish/secrets.d/README.md 
@@ -0,0 +1,72 @@
+# Fish Shell Secrets Directory
+
+This directory contains sensitive environment variables like API tokens and credentials.
+
+## Usage
+
+1. Copy an example file (e.g., `github.fish.example`) to remove the `.example` suffix:
+
+ ```bash
+ cp github.fish.example github.fish
+ ```
+
+2. Edit the file and replace placeholder values with your actual secrets:
+
+ ```bash
+ $EDITOR github.fish
+ ```
+
+3. Reload your fish shell or source the exports:
+
+ ```fish
+ source ~/.config/fish/exports.fish
+ ```
+
+## Adding New Secret Files
+
+Create a new `.fish` file in this directory with your environment variables:
+
+```fish
+# Example: openai.fish
+set -x OPENAI_API_KEY "sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+```
+
+Common secret patterns:
+
+- `github.fish` - GitHub Personal Access Token (`GITHUB_TOKEN`)
+- `aws.fish` - AWS credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
+- `openai.fish` - OpenAI API key (`OPENAI_API_KEY`)
+- `anthropic.fish` - Anthropic API key (`ANTHROPIC_API_KEY`)
+
+## Security Best Practices
+
+- **Never commit actual secrets** - Only `.example` files are tracked by git
+- **Use specific permissions** - Consider `chmod 600` for secret files
+- **Rotate credentials regularly** - Update tokens when compromised
+- **Use environment-specific files** - Separate dev/staging/prod credentials
+- **Check before committing** - Run `git status` to verify secrets aren't staged
+
+## How It Works
+
+The `exports.fish` file automatically sources all `*.fish` files from this directory:
+
+```fish
+if test -d "$DOTFILES/config/fish/secrets.d"
+ for secret_file in "$DOTFILES/config/fish/secrets.d"/*.fish
+ if test -f "$secret_file"
+ source "$secret_file"
+ end
+ end
+end
+```
+
+Files ending in `.example` are ignored by the loader but tracked by git as templates.
+
+## Backward Compatibility
+
+This directory supplements the existing `exports-secret.fish` pattern.
Both methods work:
+
+- **Legacy**: `config/fish/exports-secret.fish` (single file, still supported)
+- **New**: `config/fish/secrets.d/*.fish` (multiple files, recommended)
+
+Use whichever approach fits your workflow best.
diff --git a/config/fish/secrets.d/github.fish.example b/config/fish/secrets.d/github.fish.example
new file mode 100644
index 0000000..1a47a9e
--- /dev/null
+++ b/config/fish/secrets.d/github.fish.example
@@ -0,0 +1,5 @@
+# GitHub Personal Access Token
+# Copy this file to github.fish (remove .example) and set your token
+# Generate token at: https://github.com/settings/tokens
+
+set -x GITHUB_TOKEN "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
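Review bot: The only working line of the template, `set -x GITHUB_TOKEN "ghp_…"`, omits the scope flag, whereas `exports.fish` sets its own variables with `set -gx`; since these files are sourced from inside the loader's `for` block, make the scope explicit with `set -gx GITHUB_TOKEN "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"` rather than relying on how fish scopes a variable first created inside a sourced file (the README's `openai.fish` snippet should match). A least-privilege hint would also help users copying this template, e.g. `# Prefer a fine-grained token limited to the repositories and permissions you actually need, and set an expiry`.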