🔄 Sync shared files from ws-meta

.vitepress/data/env.reference.yaml

@@ -90,6 +90,23 @@ envs:
           - A **space-delimited** list of repository names *(`debian`, `additional`, `trixie`)*.
           - A boolean `true` or `*` value to disable all repositories.
 
+      disable_restrictions:
+        type: string
+        default: null
+        since: 0.2.2
+        reference: /tools/apt
+        example: x11 mail
+        description: Disables specified APT install restrictions or all restrictions.
+        longDescription: |
+          The workspace ships with a set of preference files that block
+          GUI/desktop and other packages that have no use inside a headless
+          container *(`x11`, `desktop`, `mail`, `printing`, `daemons`,
+          `language-pack`, `obsolete`)*.
+
+          Accepts either:
+          - A **space-delimited** list of restriction names.
+          - A boolean `true` or `*` value to disable all restrictions.
+
       update_cache:
         type: boolean
         default: false
@@ -105,6 +122,35 @@ envs:
         since: 0.0.20
         description: Disables password-less `sudo`.
 
+      github_token:
+        type: string
+        default: null
+        since: 0.2.2
+        example: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+        description: GitHub personal access token for the workspace and `gh`.
+        reference: /editor/authentication
+        longDescription: |
+          Authenticates the workspace's GitHub provider and, when the
+          opt-in `gh` feature is installed, runs `gh auth login --with-token`.
+          Terminal `git` HTTPS auth is not wired — use SSH or a credential
+          helper.
+
+          For vault entries, prefer `type: file` over `type: env`. The
+          latter writes to `~/.zshenv` and leaks the token to interactive
+          shells.
+
+      github_token_file:
+        type: string
+        default: /run/secrets/workspace/auth_github_token
+        since: 0.2.2
+        description: Path to a file containing the GitHub personal access token.
+        reference: /editor/authentication
+        longDescription: |
+          **GitHub token lookup precedence:**
+
+          1. `WS_AUTH_GITHUB_TOKEN_FILE` *(this variable)*.
+          2. `WS_AUTH_GITHUB_TOKEN` *(env var)*.
+
       password:
         type: string
         default: null
@@ -119,7 +165,7 @@ envs:
       password_file:
         type: string
         default: /run/secrets/workspace/auth_password
-        since: 0.1.3
+        since: 0.2.0
         description: Path to a file containing the plaintext password.
         reference: /editor/authentication
         longDescription: |
@@ -144,7 +190,7 @@ envs:
       password_hashed_file:
         type: string
         default: /run/secrets/workspace/auth_password_hashed
-        since: 0.1.3
+        since: 0.2.0
         description: Path to a file containing the Argon2 hashed password.
         reference: /editor/authentication
         longDescription: |
@@ -190,49 +236,49 @@ envs:
       statusline_disable:
         type: boolean
         default: false
-        since: 0.1.3
+        since: 0.2.0
         reference: /tools/claude
         description: Disables the Claude Code statusline.
 
       statusline_hide_context_bar:
         type: boolean
         default: false
-        since: 0.1.3
+        since: 0.2.0
         reference: /tools/claude
         description: Hides the context usage bar in the Claude statusline.
 
       statusline_hide_git:
         type: boolean
         default: false
-        since: 0.1.3
+        since: 0.2.0
         reference: /tools/claude
         description: Hides git branch and status in the Claude statusline.
 
       statusline_hide_lines_changed:
         type: boolean
         default: false
-        since: 0.1.3
+        since: 0.2.0
         reference: /tools/claude
         description: Hides lines added/removed in the Claude statusline.
 
       statusline_hide_model:
         type: boolean
         default: false
-        since: 0.1.3
+        since: 0.2.0
         reference: /tools/claude
         description: Hides the model name in the Claude statusline.
 
       statusline_script:
         type: string
         default: /etc/claude-code/statusline.zsh
-        since: 0.1.3
+        since: 0.2.0
         reference: /tools/claude
         description: Path to the statusline script.
 
       statusline_shell:
         type: string
         default: zsh
-        since: 0.1.3
+        since: 0.2.0
         reference: /tools/claude
         description: Shell used to execute the statusline script.
 
@@ -332,7 +378,7 @@ envs:
       trusted_domains:
         type: string
         default: null
-        since: 0.1.3
+        since: 0.2.0
         example: >-
           https://github.com,https://stackoverflow.com
         description: >-
@@ -373,7 +419,7 @@ envs:
       store_url:
         type: string
         default: null
-        since: 0.1.3
+        since: 0.2.0
         example: http://feature-store.local:8080
         reference: /editor/features#feature-store
         description: URL of a ws-feature-store instance used as a local mirror.
@@ -746,43 +792,11 @@ envs:
         type: string
         default: >-
           1password auto-venv docker encode64 fzf-history git
-          golang helm kubectl npm python pip safe-history
+          golang helm kubectl npm python pip
           ssh-agent yarn zsh-autosuggestions
         example: kubectl npm python pip
         description: Enables built-in `oh-my-zsh` plugins.
 
-      safe_history_ignore_failed:
-        type: boolean
-        default: true
-        reference: /editor/terminal
-        description: Prevents failed commands from being persisted to history file.
-        longDescription: |
-          When `true`, commands that exit with a non-zero status are kept in the
-          current session's history *(accessible via up-arrow)* but are **not**
-          written to `$HISTFILE`.
-
-          Only successful commands are persisted across sessions.
-
-      safe_history_ignore_secrets:
-        type: boolean
-        default: true
-        reference: /editor/terminal
-        description: Prevents commands containing secrets from entering history.
-        longDescription: |
-          When `true`, commands matching built-in secret patterns
-          *(e.g. `TOKEN=...`, `--password=...`, `Authorization:` headers, `curl -u`)*
-          are blocked entirely, they don't appear in the session history or on disk.
-
-      safe_history_secret_patterns:
-        type: string
-        default: null
-        reference: /editor/terminal
-        description: Additional pipe-delimited regex patterns treated as secrets.
-        longDescription: |
-          Accepts a **pipe-delimited** list of regex patterns appended to the
-          built-in secret patterns. Commands matching any pattern are excluded
-          from history entirely.
-        example: my-corp-token|INTERNAL_KEY=
 
 deprecated:
   WS_APT_UPDATE_REPOS: