fix: Encrypt secrets at rest with SOPS + age (#613)
- lib/env.sh: Two-tier secret loader (SOPS .env.enc > plaintext .env), remove ~/.netrc fallback
- bin/disinto: Add age key generation and SOPS encryption during init, remove write_netrc(), add `disinto secrets` subcommand (edit/show/migrate), add sops+age to preflight warnings
- .env.example: Annotate vars as [SECRET] or [CONFIG]
- .gitignore: Allow .env.enc and .sops.yaml to be committed
- BOOTSTRAP.md: Document SOPS + age setup, key backup, secret management
- AGENTS.md: Update AD-005 and coding conventions for .env.enc

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
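The two-tier precedence the message describes (SOPS-encrypted `.env.enc` first, plaintext `.env` only as a fallback) is easy to get subtly wrong in shell: a pipe into `while read` loses the exports in a subshell, a hostile line such as `-n X=y` can become an option to `export`, and decrypting to a temp file leaves plaintext on disk. The loader below is an added example written for this page, not the repository's `lib/env.sh`. It assumes sops is invoked as `sops --decrypt --input-type dotenv --output-type dotenv FILE` (real sops flags); the `SOPS_BIN` override is a hypothetical knob so the loader can be exercised without a sops binary.

```shell
#!/bin/sh
# Added example (not the project's lib/env.sh): two-tier secret loader.
# Tier 1: DIR/.env.enc, decrypted by sops into memory only.
# Tier 2: DIR/.env, plaintext, used only when no .env.enc exists.
# Assumption: SOPS_BIN is a hypothetical override for testing; the real
# loader would simply call `sops`.
SOPS_BIN="${SOPS_BIN:-sops}"

# A dotenv key must look like a shell identifier. Rejecting anything else
# also stops a line beginning with '-' from being parsed as an export option.
dotenv_key_ok() {
    case "$1" in
        '' | *[!A-Za-z0-9_]* | [0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read KEY=VALUE lines on stdin and export each into the current shell.
# Comments and blank lines are skipped, an optional leading "export " is
# tolerated, one layer of matching quotes is stripped, malformed lines are
# reported on stderr and never evaluated.
load_dotenv_stream() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in '' | '#'*) continue ;; esac
        line="${line#export }"
        key="${line%%=*}"
        val="${line#*=}"
        if [ "$key" = "$line" ] || ! dotenv_key_ok "$key"; then
            printf 'env: skipping malformed dotenv line\n' >&2
            continue
        fi
        case "$val" in
            \"*\") val="${val#\"}"; val="${val%\"}" ;;
            \'*\') val="${val#\'}"; val="${val%\'}" ;;
        esac
        export "$key=$val"
    done
}

# load_secrets DIR: prefer DIR/.env.enc, fall back to DIR/.env.
# Returns 0 on success, 1 when .env.enc exists but cannot be decrypted
# (no silent fallback to possibly stale plaintext), 2 when neither file exists.
load_secrets() {
    dir="${1:-.}"
    if [ -f "$dir/.env.enc" ]; then
        if ! command -v "$SOPS_BIN" >/dev/null 2>&1; then
            printf 'env: %s/.env.enc found but %s is not installed\n' "$dir" "$SOPS_BIN" >&2
            return 1
        fi
        # Decrypt into a variable only; plaintext never touches the filesystem.
        plain=$("$SOPS_BIN" --decrypt --input-type dotenv --output-type dotenv "$dir/.env.enc") || {
            printf 'env: failed to decrypt %s/.env.enc\n' "$dir" >&2
            return 1
        }
        # Here-document (not a pipe) so the exports land in this shell.
        load_dotenv_stream <<EOF
$plain
EOF
        unset plain
        return 0
    fi
    if [ -f "$dir/.env" ]; then
        printf 'env: using plaintext %s/.env (consider encrypting it with disinto secrets)\n' "$dir" >&2
        load_dotenv_stream < "$dir/.env"
        return 0
    fi
    printf 'env: no .env.enc or .env found in %s\n' "$dir" >&2
    return 2
}
```

The two deliberate choices worth copying: decrypted material is held in a shell variable and fed through a here-document rather than written to a temp file, and a present `.env.enc` with an unusable sops is treated as an error instead of quietly loading whatever plaintext `.env` happens to be lying around.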
parent 28cdec3e7b
commit 5ccf09b28d

6 changed files with 210 additions and 66 deletions
.gitignore (vendored): 6 changed lines
@ -1,6 +1,10 @@
# Secrets
# Plaintext secrets (never commit)
.env

# Encrypted secrets — safe to commit (.env.enc is SOPS-encrypted)
!.env.enc
!.sops.yaml

# Per-box project config (generated by disinto init)
projects/*.toml
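Review bot: the negations `!.env.enc` and `!.sops.yaml` have no effect in this hunk, because the only ignore pattern above them is the exact name `.env`, which never matched `.env.enc` or `.sops.yaml` in the first place; they document intent but do not change what git ignores. The more important gap is the other direction: `.env` protects only that exact filename, so a plaintext copy such as `.env.local`, `.env.bak` or an editor's `.env~` is still committable. Consider ignoring `.env*` (or `.env` plus `.env.*`) and then keeping `!.env.enc` and `!.env.example` as real exceptions; that makes the negations meaningful and keeps every plaintext variant out of the repository, which is the whole point of the encrypted tier this commit adds.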