
feat(hands): add infisical-sync Hand#814

Open
szponeczek wants to merge 3 commits into RightNow-AI:main from szponeczek:feat/infisical-sync-hand-clean

Conversation


@szponeczek szponeczek commented Mar 23, 2026

Adds a new bundled Einstein Hand for syncing secrets between a self-hosted Infisical instance and each OpenFang agent's local credential vault.

What

  • crates/openfang-hands/bundled/infisical-sync/HAND.toml — Security category Einstein Hand with schedule/memory/knowledge/vault tools
  • crates/openfang-hands/bundled/infisical-sync/SKILL.md — Full agent instructions: auth flow, scheduled pull sync, push-with-create/PATCH-on-conflict, delete, error handling
  • crates/openfang-hands/src/bundled.rs — Registration + new test
  • crates/openfang-hands/src/registry.rs — Count updated 8→9

API correctness

  • All endpoints on v4 (/api/v4/secrets)
  • Push uses POST (create) → PATCH on 409 (update) — no false upsert
  • Uses projectId param throughout (not deprecated workspaceId)

Testing

cargo build --workspace --lib
cargo test --workspace
cargo clippy -- -D warnings

- Implement create-with-PATCH-on-conflict push pattern (POST 409 → PATCH)
- Migrate push and delete endpoints from deprecated v3 to v4 API
- Replace workspaceId with projectId in push/delete API calls

@pazureczek pazureczek left a comment


One issue from the previous round survives: the GET pull call still uses workspaceId instead of projectId.

Issue #1 (push flow): ✅ Resolved — correct POST then PATCH on 409, all in v4, projectId in body throughout.

Issue #3 (branch scope): ✅ Resolved — exactly 4 files, no Cargo.lock, no stray changes.

Issue #2 (projectId vs workspaceId): ⚠️ PARTIALLY resolved.

  • The push endpoints (POST/PATCH body) were correctly updated to projectId
  • BUT the GET pull call in both files still uses workspaceId

Required fixes:

  1. HAND.toml — Phase 4 pull curl:
    Change: ?workspaceId=<PROJECT_ID>&environment=<ENV>&secretPath=/
    To: ?projectId=<PROJECT_ID>&environment=<ENV>&secretPath=/

  2. SKILL.md — Section "List Secrets" curl example:
    Change: ?workspaceId=$PROJECT_ID&environment=$ENVIRONMENT&secretPath=/
    To: ?projectId=$PROJECT_ID&environment=$ENVIRONMENT&secretPath=/

Verification: Infisical v4 OpenAPI spec (GET /api/v4/secrets) explicitly lists projectId as the query parameter. workspaceId is not a recognized v4 parameter — it will be silently ignored or cause an error, meaning pull sync will not be project-scoped as intended.
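An added example (not code from the PR or from the Hand itself) showing the two points raised in the description and this review in working form: a push that tries POST and falls back to PATCH only on 409, and a pull URL scoped with projectId rather than workspaceId. The base URL, token and the per-secret path suffix under /api/v4/secrets are assumptions; the `send` callable is injectable so the flow can be exercised against a stub.

```python
"""Infisical v4 push/pull helpers: create with POST, PATCH only on 409, projectId scoping."""
import json
import urllib.error
import urllib.parse
import urllib.request

# The PR only states "all endpoints on v4 (/api/v4/secrets)"; appending the secret
# name for per-secret POST/PATCH is an assumption made for this example.
SECRETS_PATH = "/api/v4/secrets"


def http_send(method, url, token, body=None):
    """Real transport: returns (status, parsed JSON or {}) and does not raise on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        return err.code, {}


def pull_url(base_url, project_id, environment, secret_path="/"):
    """GET URL for listing secrets, scoped with projectId (workspaceId is not a v4 parameter)."""
    query = urllib.parse.urlencode(
        {"projectId": project_id, "environment": environment, "secretPath": secret_path})
    return f"{base_url}{SECRETS_PATH}?{query}"


def push_secret(send, base_url, token, project_id, environment, name, value, secret_path="/"):
    """POST to create; on 409 (secret already exists) PATCH to update. No blind upsert.

    Returns "created" or "updated"; any other status raises so the sync does not
    silently report success.
    """
    url = f"{base_url}{SECRETS_PATH}/{urllib.parse.quote(name, safe='')}"
    body = {"projectId": project_id, "environment": environment,
            "secretPath": secret_path, "secretValue": value}
    status, _ = send("POST", url, token, body)
    if status in (200, 201):
        return "created"
    if status != 409:
        raise RuntimeError(f"POST {name} failed with HTTP {status}")
    status, _ = send("PATCH", url, token, body)  # conflict means it exists: update it
    if status not in (200, 201):
        raise RuntimeError(f"PATCH {name} failed with HTTP {status}")
    return "updated"
```

Pass `http_send` as `send` for a real instance; the stub used in testing only needs the same `(method, url, token, body)` signature.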


@pazureczek pazureczek left a comment


Two "Sodality"-specific references in HAND.toml need to be genericised before this can merge upstream. Everything else is clean.

1. HAND.toml — description field (line 4)

Current:

description = "Autonomous secrets synchronisation between a self-hosted Infisical instance and the agent's local credential vault. Keeps every agent in the Sodality fleet in sync with a single source of truth, and lets agents push new secrets back to Infisical."

Replace "Sodality fleet" with something generic, e.g.:

description = "Autonomous secrets synchronisation between a self-hosted Infisical instance and the agent's local credential vault. Keeps agents in sync with a shared Infisical instance as the single source of truth, and lets agents push new secrets back to Infisical."

2. HAND.toml — system_prompt (Phase 0 opening paragraph)

Current:

keep the local credential vault in sync with a self-hosted Infisical instance and make Infisical the shared source of truth for every secret in the Sodality agent fleet.

Replace "Sodality agent fleet" with "your agent fleet" (or simply "the fleet"):

keep the local credential vault in sync with a self-hosted Infisical instance and make Infisical the shared source of truth for every secret in your agent fleet.

No other changes needed. All API calls use projectId consistently, the create/PATCH push pattern is correct, diff is exactly 4 files, tests and registry counts are updated. Fix these two strings and I'll approve.


@pazureczek pazureczek left a comment


All issues resolved: projectId consistent throughout (including GET query strings), push uses correct create→PATCH-on-409 pattern, branch scope clean (4 files only), no deployment-specific language.

@szponeczek szponeczek marked this pull request as ready for review March 23, 2026 19:02
