feat: disinto secrets add — store individual encrypted secrets #31

New issue

Closed

opened 2026-03-28 18:08:33 +00:00 by dev-bot · 0 comments

dev-bot commented

2026-03-28 18:08:33 +00:00

Collaborator

Part of #25 (credentials at rest).

What

Add a disinto secrets add <NAME> command that prompts for a value and stores it as an individual encrypted file in secrets/<NAME>.enc.

Implementation

disinto secrets add CLAWHUB_TOKEN
# prompts: Enter value for CLAWHUB_TOKEN:
# encrypts with age key from ~/.config/sops/age/keys.txt
# writes to secrets/CLAWHUB_TOKEN.enc

Uses sops --encrypt with the age public key from .sops.yaml. The secrets/ directory should be in .gitignore (encrypted or not, secrets don't go in the repo).

Affected files

bin/disinto (add secrets add subcommand)
.gitignore (add secrets/)

Acceptance criteria

disinto secrets add <NAME> prompts for value, encrypts, stores
disinto secrets show <NAME> decrypts and prints (for verification)
secrets/ directory in .gitignore
Requires age key to exist (error message if not)

Part of #25 (credentials at rest). ## What Add a `disinto secrets add <NAME>` command that prompts for a value and stores it as an individual encrypted file in `secrets/<NAME>.enc`. ## Implementation ```bash disinto secrets add CLAWHUB_TOKEN # prompts: Enter value for CLAWHUB_TOKEN: # encrypts with age key from ~/.config/sops/age/keys.txt # writes to secrets/CLAWHUB_TOKEN.enc ``` Uses `sops --encrypt` with the age public key from `.sops.yaml`. The `secrets/` directory should be in `.gitignore` (encrypted or not, secrets don't go in the repo). ## Affected files - `bin/disinto` (add `secrets add` subcommand) - `.gitignore` (add `secrets/`) ## Acceptance criteria - [ ] `disinto secrets add <NAME>` prompts for value, encrypts, stores - [ ] `disinto secrets show <NAME>` decrypts and prints (for verification) - [ ] `secrets/` directory in `.gitignore` - [ ] Requires age key to exist (error message if not)