disinto-admin/disinto
1
0
Fork 0
Code Issues 6 Pull requests 3 Projects Releases Packages Wiki Activity Actions

secrets migrate-vault: missing post-encrypt verification step #39

New issue
Closed
opened 2026-03-28 19:18:07 +00:00 by dev-bot · 5 comments
dev-bot commented 2026-03-28 19:18:07 +00:00
Collaborator
Copy link

Problem

In bin/disinto, the migrate-vault subcommand (line ~2145) calls encrypt_env_file and immediately removes the plaintext .env.vault without verifying that decryption works. If encryption silently fails, the plaintext is destroyed and secrets are lost.

Location

bin/disinto line ~2145:

migrate-vault)
  # ...
  encrypt_env_file "$vault_env_file" "$vault_enc_file"
  rm -f "$vault_env_file"                              # <-- no verification!
  echo "Migrated: .env.vault -> .env.vault.enc (plaintext removed)"

Fix

Add verification before deleting plaintext, matching the pattern already used by the migrate subcommand (line ~2135):

migrate-vault)
  # ...
  encrypt_env_file "$vault_env_file" "$vault_enc_file"
  # Verify decryption works before removing plaintext
  if ! sops -d "$vault_enc_file" >/dev/null 2>&1; then
    echo "Error: failed to verify .env.vault.enc decryption" >&2
    rm -f "$vault_enc_file"
    exit 1
  fi
  rm -f "$vault_env_file"
  echo "Migrated: .env.vault -> .env.vault.enc (plaintext removed)"

Affected files

  • bin/disintomigrate-vault subcommand (~line 2145)
## Problem In `bin/disinto`, the `migrate-vault` subcommand (line ~2145) calls `encrypt_env_file` and immediately removes the plaintext `.env.vault` without verifying that decryption works. If encryption silently fails, the plaintext is destroyed and secrets are lost. ## Location `bin/disinto` line ~2145: ```bash migrate-vault) # ... encrypt_env_file "$vault_env_file" "$vault_enc_file" rm -f "$vault_env_file" # <-- no verification! echo "Migrated: .env.vault -> .env.vault.enc (plaintext removed)" ``` ## Fix Add verification before deleting plaintext, matching the pattern already used by the `migrate` subcommand (line ~2135): ```bash migrate-vault) # ... encrypt_env_file "$vault_env_file" "$vault_enc_file" # Verify decryption works before removing plaintext if ! sops -d "$vault_enc_file" >/dev/null 2>&1; then echo "Error: failed to verify .env.vault.enc decryption" >&2 rm -f "$vault_enc_file" exit 1 fi rm -f "$vault_env_file" echo "Migrated: .env.vault -> .env.vault.enc (plaintext removed)" ``` ## Affected files - `bin/disinto` — `migrate-vault` subcommand (~line 2145)
dev-bot added the
tech-debt
 label 2026-03-28 19:18:07 +00:00
dev-bot added
backlog
 and removed
tech-debt
 labels 2026-03-28 21:20:42 +00:00
dev-bot self-assigned this 2026-03-28 21:25:08 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-28 21:25:08 +00:00
dev-bot commented 2026-03-28 21:38:57 +00:00
Author
Collaborator
Copy link

Blocked — issue #39

Field Value
Exit reason ci_exhausted
Timestamp 2026-03-28T21:38:57Z
### Blocked — issue #39 | Field | Value | |---|---| | Exit reason | `ci_exhausted` | | Timestamp | `2026-03-28T21:38:57Z` |
dev-bot commented 2026-03-28 22:03:38 +00:00
Author
Collaborator
Copy link

Blocked — issue #39

Field Value
Exit reason ci_exhausted
Timestamp 2026-03-28T22:03:38Z
### Blocked — issue #39 | Field | Value | |---|---| | Exit reason | `ci_exhausted` | | Timestamp | `2026-03-28T22:03:38Z` |
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-28 22:03:39 +00:00
dev-bot removed their assignment 2026-03-28 22:16:57 +00:00
dev-bot self-assigned this 2026-03-28 22:40:21 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-28 22:40:21 +00:00
dev-bot removed their assignment 2026-03-28 23:17:08 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-28 23:17:08 +00:00
dev-bot self-assigned this 2026-03-28 23:20:23 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-28 23:20:23 +00:00
dev-bot removed their assignment 2026-03-28 23:50:42 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-28 23:50:43 +00:00
dev-bot self-assigned this 2026-03-28 23:55:24 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-28 23:55:24 +00:00
dev-bot removed their assignment 2026-03-29 00:13:11 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 00:13:11 +00:00
dev-bot self-assigned this 2026-03-29 00:15:25 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 00:15:25 +00:00
dev-bot removed their assignment 2026-03-29 00:33:29 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 00:33:29 +00:00
dev-bot self-assigned this 2026-03-29 00:35:26 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 00:35:26 +00:00
dev-bot removed their assignment 2026-03-29 00:52:38 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 00:52:38 +00:00
dev-bot self-assigned this 2026-03-29 00:55:27 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 00:55:27 +00:00
dev-bot removed their assignment 2026-03-29 01:12:25 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 01:12:25 +00:00
dev-bot self-assigned this 2026-03-29 01:15:28 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 01:15:28 +00:00
dev-bot removed their assignment 2026-03-29 01:32:11 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 01:32:12 +00:00
dev-bot self-assigned this 2026-03-29 01:35:29 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 01:35:29 +00:00
dev-bot removed their assignment 2026-03-29 01:51:36 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 01:51:36 +00:00
dev-bot self-assigned this 2026-03-29 01:55:30 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 01:55:30 +00:00
dev-bot removed their assignment 2026-03-29 02:12:17 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 02:12:18 +00:00
dev-bot self-assigned this 2026-03-29 02:15:31 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 02:15:31 +00:00
dev-bot removed their assignment 2026-03-29 02:32:20 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 02:32:21 +00:00
dev-bot self-assigned this 2026-03-29 02:35:32 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 02:35:32 +00:00
dev-bot removed their assignment 2026-03-29 02:52:05 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 02:52:06 +00:00
dev-bot self-assigned this 2026-03-29 02:55:33 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 02:55:33 +00:00
dev-bot removed their assignment 2026-03-29 03:12:19 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 03:12:19 +00:00
dev-bot self-assigned this 2026-03-29 03:15:34 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 03:15:34 +00:00
dev-bot removed their assignment 2026-03-29 03:33:15 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 03:33:15 +00:00
dev-bot self-assigned this 2026-03-29 03:35:35 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 03:35:35 +00:00
dev-bot removed their assignment 2026-03-29 03:52:13 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 03:52:13 +00:00
dev-bot self-assigned this 2026-03-29 03:55:36 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 03:55:36 +00:00
dev-bot removed their assignment 2026-03-29 04:10:56 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 04:10:56 +00:00
dev-bot self-assigned this 2026-03-29 04:15:37 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 04:15:37 +00:00
dev-bot removed their assignment 2026-03-29 04:32:52 +00:00
dev-bot removed their assignment 2026-03-29 04:32:52 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 04:32:53 +00:00
dev-bot self-assigned this 2026-03-29 04:35:38 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 04:35:38 +00:00
dev-bot removed their assignment 2026-03-29 04:35:40 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 04:35:41 +00:00
dev-bot self-assigned this 2026-03-29 04:40:39 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 04:40:39 +00:00
dev-bot removed their assignment 2026-03-29 04:40:41 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 04:40:41 +00:00
dev-bot self-assigned this 2026-03-29 04:45:39 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 04:45:39 +00:00
dev-bot removed their assignment 2026-03-29 04:45:42 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 04:45:42 +00:00
dev-bot self-assigned this 2026-03-29 04:50:40 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 04:50:40 +00:00
dev-bot removed their assignment 2026-03-29 04:50:42 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 04:50:42 +00:00
dev-bot self-assigned this 2026-03-29 04:55:40 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 04:55:40 +00:00
dev-bot removed their assignment 2026-03-29 04:55:43 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 04:55:43 +00:00
dev-bot self-assigned this 2026-03-29 05:00:41 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:00:41 +00:00
dev-bot removed their assignment 2026-03-29 05:00:43 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:00:43 +00:00
dev-bot self-assigned this 2026-03-29 05:05:41 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:05:42 +00:00
dev-bot removed their assignment 2026-03-29 05:05:44 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:05:44 +00:00
dev-bot self-assigned this 2026-03-29 05:10:42 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:10:42 +00:00
dev-bot removed their assignment 2026-03-29 05:10:45 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:10:45 +00:00
dev-bot self-assigned this 2026-03-29 05:15:43 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:15:43 +00:00
dev-bot removed their assignment 2026-03-29 05:15:45 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:15:45 +00:00
dev-bot self-assigned this 2026-03-29 05:20:43 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:20:43 +00:00
dev-bot removed their assignment 2026-03-29 05:20:46 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:20:46 +00:00
dev-bot self-assigned this 2026-03-29 05:25:44 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:25:44 +00:00
dev-bot removed their assignment 2026-03-29 05:25:46 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:25:46 +00:00
dev-bot self-assigned this 2026-03-29 05:30:44 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:30:45 +00:00
dev-bot removed their assignment 2026-03-29 05:30:47 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:30:47 +00:00
dev-bot self-assigned this 2026-03-29 05:35:45 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:35:45 +00:00
dev-bot removed their assignment 2026-03-29 05:35:47 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:35:48 +00:00
dev-bot self-assigned this 2026-03-29 05:40:46 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:40:46 +00:00
dev-bot removed their assignment 2026-03-29 05:40:48 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:40:48 +00:00
dev-bot self-assigned this 2026-03-29 05:45:46 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:45:46 +00:00
dev-bot removed their assignment 2026-03-29 05:45:49 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:45:49 +00:00
dev-bot self-assigned this 2026-03-29 05:50:47 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:50:47 +00:00
dev-bot removed their assignment 2026-03-29 05:50:49 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:50:49 +00:00
dev-bot self-assigned this 2026-03-29 05:55:47 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 05:55:47 +00:00
dev-bot removed their assignment 2026-03-29 05:55:50 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 05:55:50 +00:00
dev-bot self-assigned this 2026-03-29 06:00:48 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:00:48 +00:00
dev-bot removed their assignment 2026-03-29 06:00:50 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:00:51 +00:00
dev-bot self-assigned this 2026-03-29 06:05:48 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:05:49 +00:00
dev-bot removed their assignment 2026-03-29 06:05:51 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:05:51 +00:00
dev-bot self-assigned this 2026-03-29 06:10:49 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:10:49 +00:00
dev-bot removed their assignment 2026-03-29 06:10:52 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:10:52 +00:00
dev-bot self-assigned this 2026-03-29 06:15:50 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:15:50 +00:00
dev-bot removed their assignment 2026-03-29 06:15:52 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:15:53 +00:00
dev-bot self-assigned this 2026-03-29 06:20:50 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:20:50 +00:00
dev-bot removed their assignment 2026-03-29 06:20:53 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:20:53 +00:00
dev-bot self-assigned this 2026-03-29 06:25:51 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:25:51 +00:00
dev-bot removed their assignment 2026-03-29 06:25:53 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:25:54 +00:00
dev-bot self-assigned this 2026-03-29 06:30:52 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:30:52 +00:00
dev-bot removed their assignment 2026-03-29 06:30:54 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:30:54 +00:00
dev-bot self-assigned this 2026-03-29 06:35:52 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:35:52 +00:00
dev-bot removed their assignment 2026-03-29 06:35:55 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:35:55 +00:00
dev-bot self-assigned this 2026-03-29 06:40:53 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:40:53 +00:00
dev-bot removed their assignment 2026-03-29 06:40:55 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:40:55 +00:00
dev-bot self-assigned this 2026-03-29 06:45:53 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:45:54 +00:00
dev-bot removed their assignment 2026-03-29 06:45:56 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:45:56 +00:00
dev-bot self-assigned this 2026-03-29 06:50:54 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:50:54 +00:00
dev-bot removed their assignment 2026-03-29 06:50:56 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:50:57 +00:00
dev-bot self-assigned this 2026-03-29 06:55:55 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 06:55:55 +00:00
dev-bot removed their assignment 2026-03-29 06:55:57 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 06:55:57 +00:00
dev-bot self-assigned this 2026-03-29 07:00:55 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 07:00:56 +00:00
dev-bot added
backlog
 and removed
in-progress
 labels 2026-03-29 07:23:26 +00:00
dev-bot removed their assignment 2026-03-29 07:23:26 +00:00
dev-bot commented 2026-03-29 07:24:33 +00:00
Author
Collaborator
Copy link

Blocked — issue #39

Field Value
Exit reason ci_exhausted
Timestamp 2026-03-29T07:24:33Z
### Blocked — issue #39 | Field | Value | |---|---| | Exit reason | `ci_exhausted` | | Timestamp | `2026-03-29T07:24:33Z` |
dev-bot added the
blocked
 label 2026-03-29 07:24:34 +00:00
dev-bot self-assigned this 2026-03-29 07:27:15 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 07:27:15 +00:00
dev-bot added
backlog
 and removed
in-progress
blocked
 labels 2026-03-29 07:28:30 +00:00
dev-bot removed their assignment 2026-03-29 07:28:30 +00:00
dev-bot self-assigned this 2026-03-29 07:32:16 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-03-29 07:32:16 +00:00
dev-bot commented 2026-03-29 07:33:58 +00:00
Author
Collaborator
Copy link

Blocked — issue #39

Field Value
Exit reason closed_externally
Timestamp 2026-03-29T07:33:58Z
### Blocked — issue #39 | Field | Value | |---|---| | Exit reason | `closed_externally` | | Timestamp | `2026-03-29T07:33:58Z` |
dev-bot added
blocked
 and removed
in-progress
 labels 2026-03-29 07:33:58 +00:00
dev-bot commented 2026-03-29 07:33:59 +00:00
Author
Collaborator
Copy link

Blocked — issue #39

Field Value
Exit reason no_push
Timestamp 2026-03-29T07:33:58Z
Diagnostic output 
Claude did not push branch fix/issue-39
### Blocked — issue #39 | Field | Value | |---|---| | Exit reason | `no_push` | | Timestamp | `2026-03-29T07:33:58Z` | <details><summary>Diagnostic output</summary> ``` Claude did not push branch fix/issue-39 ``` </details>
dev-bot added
backlog
 and removed
blocked
 labels 2026-03-29 07:46:03 +00:00
dev-bot removed their assignment 2026-03-29 07:46:03 +00:00
dev-qwen self-assigned this 2026-03-29 08:07:19 +00:00
dev-qwen added
in-progress
 and removed
backlog
 labels 2026-03-29 08:07:19 +00:00
dev-qwen removed their assignment 2026-03-29 08:17:07 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
fix/issue-387
fix/issue-381
fix/issue-379
fix/issue-234
fix/issue-194
pr-137
pr-134
pr-133
pr-126
fix/issue-14
fix/issue-21
chore/gardener-20260327-0004
fix/issue-1
v0.1.0
Labels
Clear labels   
action

   
backlog

   
blocked

   
bug-report

   
in-progress

   
prediction/actioned

   
prediction/dismissed

   
prediction/unreviewed

   
priority

   
tech-debt

   
underspecified

   
vision
No labels
action
backlog
blocked
bug-report
in-progress
prediction/actioned
prediction/dismissed
prediction/unreviewed
priority
tech-debt
underspecified
vision
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: disinto-admin/disinto#39
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?