fix(secrets): keep env, deployed, and repo in sync after every mutation #9
Merged
Closes #7. Root cause was env-vs-disk drift after rotate, not a real encryption failure: secrets_rotate updated the .age file correctly, but the shell's exported $VAR stayed at the value loaded at startup, so verification via $VAR (or anything that read it) showed the old token.

Changes:
- secrets_rotate, secrets_add, secrets_add_file, and the new secrets_remove now auto-update the current shell so $VAR matches disk immediately. No manual secrets_refresh needed.
- _get_secrets_repo_dir auto-detects $HOME/Projects/dotfiles when DOTFILES_REPO_DIR is unset, so the repo's sensitive/ folder stays current for git-status verification without per-shell config.
- _secrets_sync_to_repo gains a "delete" mode and warns to stderr (instead of silently no-op'ing) when no repo can be resolved.
- New secrets_remove VAR_NAME [--yes]: drops mapping line + .age file + repo copy + deployed plaintext (file secrets) + env var, with audit-log entry and confirmation prompt.

Tests: 11 new bats covering remove (plain + file), repo auto-detect, sync warning, and help text. Full suite 403/403, shellcheck clean.
Closes #7.
Root cause of #7 (TL;DR)
`secrets_rotate` was working correctly — the deployed `.age` file was being updated. The bug was env-vs-disk drift: `load-secrets.sh` exports `$VAR` once at shell startup, and rotate didn't refresh it, so any verification that read `$VAR` (`gh`, `curl`, `secrets_show` without `--raw`, etc.) saw the old value and looked like rotate had failed silently.

What this PR does
| Change | Before | After |
| --- | --- | --- |
| Env refresh after a mutation | Manual `secrets_refresh` required (easy to forget) | Current shell updated automatically |
| Repo dir resolution | `DOTFILES_REPO_DIR` | Falls back to `$HOME/Projects/dotfiles`; warns if neither resolves |
| Removing a secret | `rm` + sync | `secrets_remove VAR_NAME [--yes]` |
| `_secrets_sync_to_repo` deletion path | | `mode=delete` arg |
| `secrets_rotate` mapping sync to repo | `false` (mapping never changes in rotate) | `true` (defensive idempotency) |

`secrets_remove` covers both plain and file secrets. For file secrets it also removes the deployed plaintext file at `dest_path`.

Test plan
- `~/.local/bin/bats tests/*.bats` → 403/403 (11 new tests for remove + auto-detect + sync warning)
- `~/.local/bin/shellcheck scripts/load-secrets.sh` → only pre-existing SC1091 info
- `bash -n` and `zsh -n` syntax check on `load-secrets.sh`
- `./setup-linux.sh` to refresh `~/.dotfiles/scripts/load-secrets.sh`
- `secrets_rotate <SOME_TEST_VAR>` → confirm `echo $VAR` shows new value immediately, no manual refresh
- `git status` in repo → confirm `sensitive/<file>.secret.age` shows as modified (sync to repo worked)
- `secrets_remove <SOME_TEST_VAR>` → confirm mapping line gone, `.age` deleted, repo also reflects deletion

Notes
- `*.dec` files in `sensitive/` were stale plaintext from old `secrets_decrypt` runs. Already covered by `.gitignore`. Not deleted in this PR — run `secrets_clean` locally to remove them.
- `secrets_help` updated to document `secrets_remove`, the auto-detect behavior, and the no-manual-refresh guarantee.

🤖 Generated with Claude Code
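The drift described in the PR, and the shape of the fix, in a stand-alone shell example. This is added illustration, not code from the PR or from `load-secrets.sh`: a temp directory of plaintext `<name>.secret` files stands in for the age-encrypted store so it runs offline, and `secrets_rotate_disk_only`, `secrets_verify`, `_secrets_check_name` and `SECRETS_DIR` are hypothetical names chosen to mirror the PR's functions. The point it makes beyond the description: a mutation can only fix `$VAR` in the caller's environment if it runs as a shell function in that shell, and any other already-running shell still holds the stale export until it re-sources or refreshes.

```shell
#!/usr/bin/env bash
# Added example (not the PR's code). Plaintext files under SECRETS_DIR stand in
# for the real .age files; all names below are illustrative assumptions.

SECRETS_DIR="${SECRETS_DIR:-$(mktemp -d)}"   # stand-in for the encrypted store

# Secret names reach eval/export, so refuse anything that is not a valid
# shell identifier (empty, leading digit, or a non [A-Za-z0-9_] character).
_secrets_check_name() {
  case "$1" in
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid secret name: $1" >&2; return 1 ;;
  esac
}

# Write the on-disk copy (stand-in for encrypting to <name>.age).
_secrets_write() {
  _secrets_check_name "$1" || return 1
  printf '%s' "$2" > "$SECRETS_DIR/$1.secret"
}

# Read the on-disk copy (stand-in for decrypting <name>.age).
secrets_show() {
  _secrets_check_name "$1" || return 1
  cat "$SECRETS_DIR/$1.secret" 2>/dev/null
}

# What a startup loader does once: export every stored secret into the shell.
secrets_load() {
  local f name
  for f in "$SECRETS_DIR"/*.secret; do
    [ -e "$f" ] || continue
    name=$(basename "$f" .secret)
    _secrets_check_name "$name" || continue
    export "$name=$(cat "$f")"
  done
}

# Pre-fix behaviour: disk is updated, the exported $VAR is left stale.
secrets_rotate_disk_only() {
  _secrets_write "$1" "$2"
}

# Fixed behaviour: update disk, then re-export in the *current* shell.
# This only works because it is a function sourced into the caller's shell;
# a child process could never change the parent's environment.
secrets_rotate() {
  _secrets_write "$1" "$2" || return 1
  export "$1=$2"
}

# Drop the on-disk copy and the env var together, as secrets_remove does.
secrets_remove() {
  _secrets_check_name "$1" || return 1
  rm -f "$SECRETS_DIR/$1.secret"
  unset "$1"
}

# Drift check: 0 if env and disk agree, 1 on drift, 2 for an invalid name.
secrets_verify() {
  local name="$1" env_val disk_val
  _secrets_check_name "$name" || return 2
  eval "env_val=\${$name-}"          # safe: name was validated above
  disk_val=$(secrets_show "$name")
  [ "$env_val" = "$disk_val" ] && return 0
  echo "drift: \$$name in env differs from on-disk value" >&2
  return 1
}

demo() {
  _secrets_write GH_TOKEN "ghp_old_constructed"      # constructed sample value
  secrets_load
  secrets_rotate_disk_only GH_TOKEN "ghp_new_constructed"
  secrets_verify GH_TOKEN && echo "in sync" || echo "stale env after disk-only rotate"
  secrets_rotate GH_TOKEN "ghp_newer_constructed"
  secrets_verify GH_TOKEN && echo "in sync after fixed rotate"
  secrets_remove GH_TOKEN
}
demo
```

Run it with `bash` and the first `secrets_verify` reports drift while the second passes. `_secrets_check_name` is the check worth keeping in any real implementation: a name like `x;rm -rf ~` must never be interpolated into `eval` or `export`.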