fix: Encrypt secrets at rest with SOPS + age (#613)

- lib/env.sh: Two-tier secret loader (SOPS .env.enc > plaintext .env),
  remove ~/.netrc fallback
- bin/disinto: Add age key generation and SOPS encryption during init,
  remove write_netrc(), add `disinto secrets` subcommand (edit/show/migrate),
  add sops+age to preflight warnings
- .env.example: Annotate vars as [SECRET] or [CONFIG]
- .gitignore: Allow .env.enc and .sops.yaml to be committed
- BOOTSTRAP.md: Document SOPS + age setup, key backup, secret management
- AGENTS.md: Update AD-005 and coding conventions for .env.enc

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

lib/env.sh

@@ -7,8 +7,12 @@ set -euo pipefail
 # Resolve script root (parent of lib/)
 FACTORY_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 
-# Load .env if present
-if [ -f "$FACTORY_ROOT/.env" ]; then
+# Load secrets: prefer .env.enc (SOPS-encrypted), fall back to plaintext .env
+if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
+  set -a
+  eval "$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)" || true
+  set +a
+elif [ -f "$FACTORY_ROOT/.env" ]; then
   set -a
   # shellcheck source=/dev/null
   source "$FACTORY_ROOT/.env"
@@ -24,13 +28,10 @@ if [ -n "${PROJECT_TOML:-}" ] && [ -f "$PROJECT_TOML" ]; then
   source "${FACTORY_ROOT}/lib/load-project.sh" "$PROJECT_TOML"
 fi
 
-# Forge token: new FORGE_TOKEN > legacy CODEBERG_TOKEN > ~/.netrc
+# Forge token: new FORGE_TOKEN > legacy CODEBERG_TOKEN
 if [ -z "${FORGE_TOKEN:-}" ]; then
   FORGE_TOKEN="${CODEBERG_TOKEN:-}"
 fi
-if [ -z "${FORGE_TOKEN:-}" ]; then
-  FORGE_TOKEN="$(awk '/codeberg.org/{getline;getline;print $2}' ~/.netrc 2>/dev/null || true)"
-fi
 export FORGE_TOKEN
 export CODEBERG_TOKEN="${FORGE_TOKEN}"  # backwards compat