Highlights:
- read-only decrypt paths now use the official SOPS Go decrypt library for `render`, `exec`, `doctor`, and `verify`
- production/deploy machines no longer need external `sops` or `age` binaries for read-only decrypt/render/exec/validation workflows; they still need Keyseal, encrypted files, and age private key material
- external SOPS CLI remains required for mutating workflows: `add`, `edit`, and `updatekeys`
- SOPS library compatibility warnings, such as older unencrypted comment warnings, are suppressed during `render` and `exec` but reported deliberately by `doctor`/`verify`
- documentation now distinguishes developer/admin machines from production/deploy machines and calls out that servers need the age key, not the age CLI