docs: streamline getting started experience

Consolidate installation and quick start into a single guide, remove
redundant installation page, and improve navigation flow.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: domenkozar

docs/astro.config.mjs

@@ -17,7 +17,6 @@ export default defineConfig({
 					label: 'Getting Started',
 					items: [
 						{ label: 'Quick Start', slug: 'quick-start' },
-						{ label: 'Installation', slug: 'installation' },
 					],
 				},
 				{

docs/src/content/docs/index.mdx

@@ -8,7 +8,7 @@ hero:
     file: ../../assets/houston.webp
   actions:
     - text: Get Started
-      link: /introduction/
+      link: /quick-start/
       icon: right-arrow
       variant: primary
     - text: View on GitHub
@@ -33,18 +33,18 @@ This coupling creates vendor lock-in, runtime failures, poor developer experienc
 SecretSpec separates these concerns:
 
 <CardGrid>
-	<LinkCard 
-		title="WHAT secrets are needed" 
+	<LinkCard
+		title="WHAT secrets are needed"
 		href="/reference/configuration/"
 		description="Declared in secretspec.toml"
 	/>
-	<LinkCard 
-		title="HOW requirements vary" 
+	<LinkCard
+		title="HOW requirements vary"
 		href="/concepts/profiles/"
 		description="Managed through profiles"
 	/>
-	<LinkCard 
-		title="WHERE secrets are stored" 
+	<LinkCard
+		title="WHERE secrets are stored"
 		href="/concepts/providers/"
 		description="Configured via providers"
 	/>
@@ -55,33 +55,33 @@ This separation enables portable applications, early validation, better tooling,
 ## Features
 
 <CardGrid>
-	<LinkCard 
-		title="Configuration Inheritance" 
+	<LinkCard
+		title="Configuration Inheritance"
 		href="/concepts/inheritance/"
 		description="Share common secrets across projects using extends"
 	/>
-	<LinkCard 
-		title="Type-Safe Rust SDK" 
+	<LinkCard
+		title="Type-Safe Rust SDK"
 		href="/sdk/rust/"
 		description="Generate strongly-typed structs from your configuration"
 	/>
-	<LinkCard 
-		title="Smart Discovery" 
+	<LinkCard
+		title="Smart Discovery"
 		href="/quick-start/"
 		description="Import existing secrets from .env files automatically"
 	/>
-	<LinkCard 
-		title="CLI Tools" 
+	<LinkCard
+		title="CLI Tools"
 		href="/reference/cli/"
 		description="Check, set, and run commands with secrets injected"
 	/>
-	<LinkCard 
-		title="Multiple Providers" 
+	<LinkCard
+		title="Multiple Providers"
 		href="/concepts/providers/"
 		description="Support for Keyring, dotenv, 1Password, LastPass, and more"
 	/>
-	<LinkCard 
-		title="Early Validation" 
+	<LinkCard
+		title="Early Validation"
 		href="/concepts/overview/"
 		description="Catch missing secrets before your application starts"
 	/>

docs/src/content/docs/installation.md

@@ -3,6 +3,45 @@ title: Quick Start
 description: Get up and running with SecretSpec in minutes
 ---
 
+import { Tabs, TabItem } from '@astrojs/starlight/components';
+
+## Installation
+
+Choose your preferred installation method:
+
+<Tabs>
+<TabItem label="Static Binary">
+
+```bash
+curl -sSL https://secretspec.dev/install | sh
+```
+
+</TabItem>
+<TabItem label="Devenv.sh">
+
+Add to your `devenv.nix`:
+
+```nix
+{ config, ... }:
+{
+  # Secrets are automatically populated from secretspec.toml
+  env.DATABASE_URL = config.secretspec.secrets.DATABASE_URL;
+  env.REDIS_URL = config.secretspec.secrets.REDIS_URL;
+}
+```
+
+</TabItem>
+<TabItem label="Nix">
+
+```bash
+nix-env -iA secretspec -f https://github.com/NixOS/nixpkgs/tarball/nixpkgs-unstable
+```
+
+</TabItem>
+</Tabs>
+
+## Getting Started
+
 Follow these steps to get started with SecretSpec:
 
 ## 1. Initialize `secretspec.toml`

docs/src/content/docs/quick-start.md docs/src/content/docs/quick-start.mdxdocs/src/content/docs/quick-start.md renamed to docs/src/content/docs/quick-start.mdx

@@ -1,91 +1,84 @@
 ---
-title: Configuration Reference
-description: Complete reference for secretspec.toml configuration
+title: secretspec.toml Reference
+description: Complete reference for secretspec.toml configuration options
 ---
 
-SecretSpec uses two configuration files:
-- **`secretspec.toml`** - Project-specific secret requirements (checked into version control)
-- **`config.toml`** - Global user configuration (stored in user config directory)
+## secretspec.toml Reference
 
-## secretspec.toml Format
+The `secretspec.toml` file defines project-specific secret requirements. This file should be checked into version control.
+
+### [project] Section
 
 ```toml
 [project]
 name = "my-app"              # Project name (required)
 revision = "1.0"             # Format version (required, must be "1.0")
-extends = ["../shared"]      # Optional inheritance
-
-[profiles.default]           # Default profile (required)
-DATABASE_URL = { description = "PostgreSQL connection", required = true }
-API_KEY = { description = "External API key", required = true }
-REDIS_URL = { description = "Redis cache", required = false, default = "redis://localhost:6379" }
+extends = ["../shared"]      # Paths to parent configs for inheritance (optional)
 ```
 
-### Key Fields
-
-| Section | Field | Type | Required | Description |
-|---------|-------|------|----------|-------------|
-| `[project]` | `name` | string | Yes | Project identifier |
-| | `revision` | string | Yes | Must be "1.0" |
-| | `extends` | array | No | Paths to parent configs |
-| `[profiles.*]` | `description` | string | Yes | Secret purpose |
-| | `required` | boolean | Yes* | Is value required? |
-| | `default` | string | No** | Fallback value |
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `name` | string | Yes | Project identifier |
+| `revision` | string | Yes | Format version (must be "1.0") |
+| `extends` | array[string] | No | Paths to parent configuration files |
 
-*Unless `default` is provided  
-**Only when `required = false`
+### [profiles.*] Section
 
-## Global Configuration
-
-Located at:
-- **Linux/macOS**: `~/.config/secretspec/config.toml`
-- **Windows**: `%APPDATA%\secretspec\config.toml`
+Defines secret variables for different environments. At least a `[profiles.default]` section is required.
 
 ```toml
-[defaults]
-provider = "keyring"              # Default provider
-profile = "development"           # Default profile
+[profiles.default]           # Default profile (required)
+DATABASE_URL = { description = "PostgreSQL connection", required = true }
+API_KEY = { description = "External API key", required = true }
+REDIS_URL = { description = "Redis cache", required = false, default = "redis://localhost:6379" }
 
-[projects.my-app]
-provider = "1password://vault/Production"
+[profiles.production]        # Additional profile (optional)
+DATABASE_URL = { description = "Production database", required = true }
 ```
 
-### Provider URIs
+#### Secret Variable Options
+
+Each secret variable is defined as a table with the following fields:
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `description` | string | Yes | Human-readable description of the secret |
+| `required` | boolean | No* | Whether the value must be provided (default: true) |
+| `default` | string | No** | Default value if not provided |
 
-| Provider | Simple | URI Examples |
-|----------|--------|--------------|
-| Keyring | `keyring` | `keyring:` |
-| 1Password | `1password` | `1password://vault`<br>`1password://vault/Production` |
-| Dotenv | `dotenv` | `dotenv:`<br>`dotenv:/path/to/.env` |
-| Env | `env` | `env:` |
-| LastPass | `lastpass` | `lastpass://folder` |
+*If `default` is provided, `required` defaults to false  
+**Only valid when `required = false`
 
-## Practical Example
+## Complete Example
 
 ```toml
 # secretspec.toml
 [project]
 name = "web-api"
 revision = "1.0"
+extends = ["../shared/secretspec.toml"]  # Optional inheritance
 
+# Default profile - always loaded first
 [profiles.default]
 APP_NAME = { description = "Application name", required = false, default = "MyApp" }
 LOG_LEVEL = { description = "Log verbosity", required = false, default = "info" }
 
+# Development profile - extends default
 [profiles.development]
-DATABASE_URL = { description = "Database", required = false, default = "sqlite://./dev.db" }
+DATABASE_URL = { description = "Database connection", required = false, default = "sqlite://./dev.db" }
 API_URL = { description = "API endpoint", required = false, default = "http://localhost:3000" }
+DEBUG = { description = "Debug mode", required = false, default = "true" }
 
+# Production profile - extends default
 [profiles.production]
-DATABASE_URL = { description = "PostgreSQL cluster", required = true }
-API_URL = { description = "Production API", required = true }
-SENTRY_DSN = { description = "Error tracking", required = true }
+DATABASE_URL = { description = "PostgreSQL cluster connection", required = true }
+API_URL = { description = "Production API endpoint", required = true }
+SENTRY_DSN = { description = "Error tracking service", required = true }
+REDIS_URL = { description = "Redis cache connection", required = true }
 ```
 
-## Configuration Precedence
+## Profile Inheritance
 
-1. Command-line flags (`--provider`, `--profile`)
-2. Environment variables (`SECRETSPEC_PROVIDER`, `SECRETSPEC_PROFILE`)
-3. Project config (`[projects.{name}]`)
-4. Global defaults (`[defaults]`)
-5. Built-in defaults
+- All profiles automatically inherit from `[profiles.default]`
+- Profile-specific values override default values
+- Use the `extends` field in `[project]` to inherit from other secretspec.toml files