Install: claude install-skill mickzijdel/dev-hooks
# env-to-fnox: Migrate `.env` to fnox
[fnox](https://fnox.jdx.dev) keeps secrets out of your repo by storing only **references**
in a `fnox.toml` and resolving the real values from a vault at run time. `fnox.toml` never
contains a secret value, so (in solo repos) it is safe to commit. This skill walks a `.env`
file through to fnox, defaulting to **Bitwarden Secrets Manager** (the `bitwarden-sm`
provider + `bws` CLI).
> **Two Bitwarden products — don't confuse them.** *Secrets Manager* (`bws` CLI, fnox
> `type = "bitwarden-sm"`) is purpose-built for app/dev secrets: a machine-account **access
> token** scoped to one project, read **and** write, no master-password unlock, works
> headless/CI. The older *Password Manager* (`bw` CLI, fnox `type = "bitwarden"`) is your
> personal vault — read-only from fnox and references items by name. This skill uses Secrets
> Manager; see the note in step 4 for the Password Manager variant.

fnox is provider-agnostic — Secrets Manager, 1Password, age, the OS keychain, AWS Secrets
Manager, Azure Key Vault, and HashiCorp Vault are all supported. Swap the provider block in
step 4 for a different backend.
## When to use
- A repo has real secrets sitting in `.env` / `.env.local`.
- The user wants secrets out of plaintext / out of version control.
- Setting up secrets management for a new project.
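
To judge whether a repo matches the first bullet without echoing secret values into a terminal or transcript, the following added example (not part of the original skill) inventories a `.env` by key name, classification and value length only. The name hints, placeholder list and sample file are assumptions made for illustration.

```python
import re

# Constructed sample input; every value here is fake.
SAMPLE_ENV = """\
# app config
NODE_ENV=development
export DATABASE_URL="postgres://app:s3cr3t-pw@db.internal:5432/app"
STRIPE_SECRET_KEY='constructed-not-a-real-key'
API_TOKEN=changeme
EMPTY_VALUE=
PORT=3000
not a valid line
"""

LINE_RE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
# Assumed heuristics: key names that usually hold credentials, URLs with user:pass@
NAME_HINT = re.compile(r'(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE|CREDENTIAL)', re.I)
URL_CREDS = re.compile(r'^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@', re.I)
PLACEHOLDERS = {"", "changeme", "todo", "xxx", "your-key-here"}

def parse_env(text):
    """Yield (key, value) pairs; skips comments, blanks and malformed lines."""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                              # strip matching quotes
        else:
            value = re.split(r'\s+#', value, maxsplit=1)[0]  # drop trailing comment
        yield key, value

def classify(key, value):
    if value.lower() in PLACEHOLDERS:
        return "placeholder"      # nothing real to migrate
    if NAME_HINT.search(key) or URL_CREDS.match(value):
        return "secret"           # candidate for the vault
    return "config"               # plain setting, not a credential

def inventory(text):
    """Return {key: (classification, value_length)}; values are never returned."""
    return {k: (classify(k, v), len(v)) for k, v in parse_env(text)}

if __name__ == "__main__":
    for key, (kind, length) in inventory(SAMPLE_ENV).items():
        print(f"{key:20} {kind:12} len={length}")
```

Keys reported as `secret` are the ones to move to the vault; treat `config` results as a prompt for manual review, since the heuristics only look at names and URL shape.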
## Workflow
Work through these in order. Verify a real secret resolves before deleting anything.
### 1. Analyze the existing `.env`
Read the `.env`