From 711e6501901e2af0ce63c8a7b5c73e4a4da2c5e0 Mon Sep 17 00:00:00 2001
From: Agent
Date: Sun, 29 Mar 2026 08:10:35 +0000
Subject: [PATCH] fix: secrets migrate-vault: missing post-encrypt verification step (#39)
---
 bin/disinto | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/bin/disinto b/bin/disinto
index d6b8c6e..5da58e1 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -2150,6 +2150,12 @@ disinto_secrets() {
 fi
 _secrets_ensure_sops
 encrypt_env_file "$vault_env_file" "$vault_enc_file"
+ # Verify decryption works before removing plaintext
+ if ! sops -d "$vault_enc_file" >/dev/null 2>&1; then
+ echo "Error: failed to verify .env.vault.enc decryption" >&2
+ rm -f "$vault_enc_file"
+ exit 1
+ fi
 rm -f "$vault_env_file"
 echo "Migrated: .env.vault -> .env.vault.enc (plaintext removed)"
 ;;
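Review bot: The added check `sops -d "$vault_enc_file" >/dev/null 2>&1` proves only that the file decrypts with the keys available on this host, not that it holds the same contents as the plaintext removed two lines later. A truncated or stale `.env.vault.enc` that still decrypts would pass, and the secrets in `.env.vault` would then be lost. Comparing the decrypted stream against the plaintext before the `rm -f`, e.g. `if ! sops -d "$vault_enc_file" 2>/dev/null | cmp -s - "$vault_env_file"; then`, closes that gap without writing secrets to a temp file, assuming `encrypt_env_file` (not shown in the hunk) round-trips the dotenv byte-for-byte. Discarding stderr also hides why decryption failed (for example a missing key), so consider letting the sops message through on the error path. The `disinto_secrets()` case arm starts outside the hunk.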