Commit your config to dotfiles

Goal: version-control your agentsync config and carry it across machines — without ever committing a cleartext secret or your private key.

1. Make sure secrets are referenced, not embedded. Scan your source for anything that looks like a raw credential and convert it to a ${secret:…} reference (see Secrets). verify will flag unresolved references:

   agentsync verify

2. Add the directory to chezmoi:

   chezmoi add ~/.agentsync

3. Confirm .state/ is ignored. agentsync gitignores its .state/ bookkeeping directory inside ~/.agentsync/. The encrypted vault (secrets/secrets.age) is tracked — that’s intentional and safe.

4. Commit and push through chezmoi as usual:

   chezmoi cd
   git add . && git commit -m "agentsync config" && git push

On a new machine

1. Pull your dotfiles with chezmoi, which restores ~/.agentsync/.

2. Place the age identity (your private key) at the path your agentsync.toml points to — distribute it through 1Password or your machine-setup flow, never git:

   mkdir -p ~/.config/agentsync
   # copy age.key into place, then:
   chmod 600 ~/.config/agentsync/age.key

3. Apply. The first apply re-establishes ownership of any pre-existing native config (backing it up first):

   agentsync apply --dry-run    # preview the backups + translation report
   agentsync apply

Never commit the age identity

The encrypted vault is safe to commit. The age identity (private key) is per-machine and is your only way to decrypt secrets — keep it out of git and back it up somewhere durable.