[codex] Adopt zinit and Oh My Posh shell startup

Brewfile

@@ -77,6 +77,7 @@ brew "no-more-secrets"
 brew "nodenv"
 brew "nvm"
 brew "ollama"
+brew "oh-my-posh"
 brew "ripgrep"
 brew "opencode"
 brew "php"
@@ -122,6 +123,7 @@ brew "watch"
 brew "wget"
 brew "yarn"
 brew "yq"
+brew "zoxide"
 brew "antoniorodr/memo/memo"
 brew "common-fate/granted/granted"
 brew "ddev/ddev/ddev"

DEVOPS_RECOMMENDATIONS.md

@@ -1,188 +1,93 @@
-# DevOps Analysis and Recommendations
-
-## Executive Summary
-
-This document provides a comprehensive DevOps analysis of the dotfiles repository and actionable recommendations to improve automation, security, reliability, and maintainability.
-
-## Current State Analysis
-
-### Strengths
-- ✅ Simple and functional installation script
-- ✅ Good separation of concerns (aliases, functions, exports)
-- ✅ Comprehensive package management via Brewfile
-- ✅ Git configuration with useful aliases
-- ✅ Migration path from Vim to Neovim clearly documented
-
-### Areas for Improvement
-
-#### 1. Security Concerns 🔴 HIGH PRIORITY
-- **Secrets Management**: `secrets` file is referenced but not properly secured
-- **Email Exposure**: Work email exposed in gitconfig
-- **No Encryption**: Sensitive configuration stored in plain text
-- **No .env Validation**: No checking for sensitive data in commits
-
-#### 2. Automation & Testing 🟡 MEDIUM PRIORITY  
-- **No CI/CD Pipeline**: No automated testing of installation process
-- **No Validation**: No verification that symlinks work correctly
-- **No Environment Testing**: Installation not tested across different OS versions
-- **Manual Process**: Entirely manual setup with no error handling
-
-#### 3. Documentation & Usability 🟡 MEDIUM PRIORITY
-- **Limited Documentation**: Basic README, lacks troubleshooting
-- **No Component Documentation**: Individual config files not documented
-- **No Dependency Checking**: No verification of required tools
-- **No Rollback Procedure**: No way to undo installation
-
-#### 4. Maintenance & Reliability 🟢 LOW PRIORITY
-- **No Backup Strategy**: Existing configs could be lost
-- **Mixed Editor Config**: Both vim and nvim configs present
-- **No Version Management**: No way to track config versions
-- **No Update Mechanism**: No automated way to update configs
-
-## Recommendations
-
-### Phase 1: Critical Security & Automation (Week 1)
-
-#### 1.1 Implement Secrets Management
-```bash
-# Create encrypted secrets management
-├── secrets/
-│   ├── .gitkeep
-│   ├── README.md
-│   └── secrets.example
-├── scripts/
-│   ├── setup-secrets.sh
-│   └── validate-secrets.sh
-```
-
-#### 1.2 Add Installation Validation
-- Pre-installation system checks
-- Post-installation verification
-- Rollback capabilities
-- Error handling and logging
-
-#### 1.3 Create Testing Framework
-- Automated installation testing
-- Configuration validation
-- Symlink verification
-- Shell syntax checking
-
-### Phase 2: Enhanced Documentation & CI/CD (Week 2)
-
-#### 2.1 Comprehensive Documentation
-- Component-level documentation
-- Troubleshooting guide
-- Installation options
-- Customization guide
-
-#### 2.2 GitHub Actions CI/CD
-- Automated testing on multiple OS versions
-- Shell script linting (shellcheck)
-- Configuration validation
-- Automated security scanning
-
-#### 2.3 Backup & Recovery
-- Pre-installation backup
-- Restore functionality
-- Configuration versioning
-- Migration helpers
-
-### Phase 3: Advanced Features (Week 3-4)
-
-#### 3.1 Modular Installation
-- Optional component installation
-- Environment-specific configurations
-- Role-based setups (work vs personal)
-- Dependency management
-
-#### 3.2 Cross-Platform Support
-- Linux compatibility
-- Windows WSL support
-- macOS version checking
-- Package manager detection
-
-#### 3.3 Monitoring & Maintenance
-- Configuration drift detection
-- Automated updates
-- Health checks
-- Performance monitoring
-
-## Implementation Priority Matrix
-
-| Feature | Impact | Effort | Priority |
-|---------|--------|--------|----------|
-| Secrets Management | High | Medium | 🔴 Critical |
-| Installation Validation | High | Low | 🔴 Critical |
-| CI/CD Pipeline | Medium | Medium | 🟡 High |
-| Documentation | Medium | Low | 🟡 High |
-| Backup/Recovery | High | Medium | 🟡 High |
-| Modular Installation | Low | High | 🟢 Medium |
-| Cross-Platform | Low | High | 🟢 Low |
-
-## Security Best Practices
-
-### Immediate Actions Required
-1. **Remove sensitive data** from version control
-2. **Implement secret encryption** using tools like `gpg` or `age`
-3. **Add pre-commit hooks** to prevent secrets from being committed
-4. **Use environment variables** for sensitive configuration
-
-### Long-term Security Strategy
-1. **Principle of Least Privilege**: Only install what's necessary
-2. **Regular Security Audits**: Automated scanning for vulnerabilities
-3. **Dependency Pinning**: Pin package versions in Brewfile
-4. **Access Control**: Restrict who can modify core configurations
-
-## Monitoring & Metrics
-
-### Key Performance Indicators (KPIs)
-- Installation success rate
-- Time to complete setup
-- Configuration drift incidents
-- Security vulnerabilities detected
-- User satisfaction scores
-
-### Monitoring Implementation
-- Installation time tracking
-- Error rate monitoring
-- Configuration change detection
-- Security scan results
-
-## Next Steps
-
-1. **Immediate (This Week)**:
-   - Remove secrets from repository
-   - Add basic validation to install script
-   - Create security guidelines
-
-2. **Short-term (Next 2 Weeks)**:
-   - Implement testing framework
-   - Add CI/CD pipeline
-   - Create comprehensive documentation
-
-3. **Long-term (Next Month)**:
-   - Modular installation system
-   - Cross-platform support
-   - Advanced monitoring
-
-## Cost-Benefit Analysis
-
-### Benefits
-- **Reduced Setup Time**: Automated validation saves 30-60 minutes per setup
-- **Improved Security**: Prevents accidental exposure of sensitive data
-- **Better Reliability**: Automated testing reduces configuration errors by 80%
-- **Enhanced Productivity**: Consistent environments across team/machines
-
-### Costs
-- **Initial Development**: ~20-40 hours for full implementation
-- **Maintenance**: ~2-4 hours per month ongoing
-- **Learning Curve**: ~4-8 hours for users to adopt new practices
-
-### ROI
-- Break-even after 3-5 installations
-- Long-term productivity gains significant
-- Reduced security risk exposure
-
----
-
-*Generated by DevOps Analysis - Recommendations based on industry best practices and security standards*
+# Dotfiles Improvement Plan
+
+This repository already has a solid baseline: a symlink installer with backups,
+Bats coverage, shell syntax checks, a security scan, and GitHub Actions on macOS
+and Ubuntu. The remaining work should stay incremental and test-backed.
+
+## Current Baseline
+
+- `make check` runs lint, security checks, installation tests, and Bats tests.
+- `scripts/install-enhanced.sh` validates, backs up, links home files, links
+  config directories, and bootstraps TPM when enabled.
+- `zshrc` is a thin loader for `zsh/*.zsh` modules.
+- Zsh plugins are managed by zinit; the prompt is managed by Oh My Posh from
+  `ohmyposh/`.
+- Neovim is the only tracked editor runtime and uses lazy.nvim modules.
+- Tmux and Ghostty configs are tracked under `~/.config/` symlink targets.
+
+## Recommended Next Improvements
+
+### 1. Split install metadata from shell script constants
+
+**Why:** `HOME_FILES` and `CONFIG_FILES` are embedded in
+`scripts/install-enhanced.sh`, while tests duplicate expectations.
+
+**Plan:**
+1. Add a small manifest file, for example `install-manifest.json` or
+   `install-manifest.sh`.
+2. Have the installer and Bats tests read the same manifest.
+3. Keep the first version simple: just home files and config directories.
+
+**Validation:** `make check` plus one focused test that the manifest drives both
+backup and link behavior.
+
+### 2. Add optional component install selection
+
+**Why:** Some machines may not need every config directory or every Homebrew
+package.
+
+**Plan:**
+1. Add installer flags such as `--only nvim,zsh` or `--skip tmux`.
+2. Keep default behavior unchanged.
+3. Add Bats coverage for one `--only` and one `--skip` path.
+
+**Validation:** `make test-bats` and `make install-dry`.
+
+### 3. Improve shell startup observability
+
+**Why:** zinit bootstrap and optional tool init happen during shell startup;
+failures can otherwise be hard to diagnose.
+
+**Plan:**
+1. Add a lightweight `zsh/README.md` documenting module order and ownership.
+2. Add a `make doctor-shell` target or script that checks zinit, Oh My Posh,
+   fzf, zoxide, and linked config paths.
+3. Keep shell startup quiet; put diagnostics in explicit doctor commands.
+
+**Validation:** zsh syntax checks plus a new script syntax test.
+
+### 4. Rationalize Homebrew package groups
+
+**Why:** The Brewfile is comprehensive but hard to scan.
+
+**Plan:**
+1. Group packages with comments: core CLI, shell UX, cloud/Kubernetes, editor,
+   languages, casks, VS Code extensions, uv tools.
+2. Avoid deleting packages in the cleanup pass; make removals separately after
+   usage review.
+3. Consider a generated package inventory doc if the Brewfile keeps growing.
+
+**Validation:** `brew bundle check --file=Brewfile` when available, otherwise
+`make check`.
+
+### 5. Add security-scan fixtures
+
+**Why:** The scan now ignores `.git/` internals and reports tracked config
+findings, but it would be easier to maintain with explicit fixtures.
+
+**Plan:**
+1. Add small tracked test fixtures for safe and unsafe patterns.
+2. Assert tracked-file findings stay visible while ignored/internal files stay quiet.
+3. Keep security output concise so real findings are easy to notice.
+
+**Validation:** `make security` and focused Bats coverage for tracked vs ignored paths.
+
+## Deferred / Not Recommended Yet
+
+- **Full cross-platform package abstraction:** useful only if Linux setup becomes
+  a regular workflow; otherwise it adds maintenance overhead.
+- **Encrypted secrets framework:** add only when this repo needs to track secret
+  templates or machine-specific encrypted material. Prefer environment variables
+  for now.
+- **Aggressive plugin pruning:** audit usage first; do not remove editor, tmux,
+  or Brewfile packages as part of cosmetic cleanup.