Symlink-deployed dotfiles. The manifest lists every tracked file (one repo-relative path per line, optional macos/linux tag). This is a content repo for the homedir-manager engine — the .homedir-manager.conf marker opts it in, and the engine symlinks each manifest entry into $HOME at the mirrored path.

Edit files in place — they're symlinks into this repo. Then git commit. That's it. Run homedir-manager install only on a new machine or after adding a NEW file to the manifest.

• homedir-manager install --dry-run — preview actions, change nothing.
• homedir-manager install — deploy. Idempotent. Pre-existing files are moved to ~/.dotfiles-backup/<timestamp>/, never overwritten.
• homedir-manager audit — scan for leaked secrets, deploy drift, and bad perms.
• sh test/run.sh — run this repo's own tests.

Secrets never live in this repo. fnox is the single mechanism: each secret is a declared entry in ~/.config/fnox/config.toml (a reference, not a value) and is resolved at runtime by the tool that needs it. Shell config wraps each tool so it runs under fnox exec; for a one-off, withsecrets <tool>. General setup, conventions, and patterns are documented with the engine (homedir-manager/share/SECRETS.md).

1. git clone https://github.com/obra/dotfiles ~/git/dotfiles
2. Clone the homedir-manager engine into ~/git/homedir-manager and run ~/git/homedir-manager/bootstrap.
3. homedir-manager install
4. Sign in to your password manager (op signin or rbw unlock).