- lib/env.sh: Two-tier secret loader (SOPS .env.enc > plaintext .env), remove ~/.netrc fallback
- bin/disinto: Add age key generation and SOPS encryption during init, remove write_netrc(), add `disinto secrets` subcommand (edit/show/migrate), add sops+age to preflight warnings
- .env.example: Annotate vars as [SECRET] or [CONFIG]
- .gitignore: Allow .env.enc and .sops.yaml to be committed
- BOOTSTRAP.md: Document SOPS + age setup, key backup, secret management
- AGENTS.md: Update AD-005 and coding conventions for .env.enc

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
23 lines
355 B
Text
```gitignore
# Plaintext secrets (never commit)
.env

# Encrypted secrets — safe to commit (.env.enc is SOPS-encrypted)
!.env.enc
!.sops.yaml

# Per-box project config (generated by disinto init)
projects/*.toml

# Runtime state
*.log
*.log.*
*.log.old
state.json
*.lock
*.pid
metrics/supervisor-metrics.jsonl

# OS
.DS_Store
dev/ci-fixes-*.json
gardener/dust.jsonl
```
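The `!.env.enc` rule lets any file with that name be committed, whether or not it was actually run through SOPS. The following check is an added example, not part of disinto: it refuses a `.env.enc` whose values are not in SOPS's dotenv form (`ENC[AES256_GCM,data:...]` values plus `sops_` metadata keys). The function name, the `EXAMPLE_*` variable names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not disinto code). Returns 0 only if FILE looks like SOPS
# dotenv output, 1 if any value is still plaintext, 2 if FILE is missing.
env_enc_is_encrypted() {
    file=$1
    [ -f "$file" ] || return 2
    # SOPS dotenv output carries its MAC as an encrypted sops_mac key.
    grep -q '^sops_mac=ENC\[' "$file" || return 1
    awk '
        /^[ \t]*(#|$)/ { next }   # comments and blank lines
        /^sops_/       { next }   # SOPS metadata keys
        {
            eq = index($0, "=")
            if (eq == 0) { bad = 1; exit }
            val = substr($0, eq + 1)
            # Every remaining value must be an ENC[...] envelope.
            if (substr(val, 1, 20) != "ENC[AES256_GCM,data:" ||
                substr(val, length(val)) != "]") { bad = 1; exit }
        }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed samples: not real secrets and not real SOPS ciphertext.
demo_dir=$(mktemp -d)
enc='ENC[AES256_GCM,data:c2FtcGxl,iv:c2FtcGxl,tag:c2FtcGxl,type:str]'
{
    echo "EXAMPLE_TOKEN=$enc"
    echo "sops_mac=$enc"
    echo "sops_version=0.0.0"
} > "$demo_dir/good.env.enc"
# Plaintext file that merely has the .env.enc name.
echo "EXAMPLE_TOKEN=plaintext-committed-by-mistake" > "$demo_dir/leaky.env.enc"
# Encrypted file with one plaintext line appended by hand afterwards.
{
    cat "$demo_dir/good.env.enc"
    echo "EXAMPLE_PASSWORD=added-without-reencrypting"
} > "$demo_dir/mixed.env.enc"

for name in good leaky mixed; do
    if env_enc_is_encrypted "$demo_dir/$name.env.enc"; then
        echo "$name.env.enc: ok to commit"
    else
        echo "$name.env.enc: REFUSE, plaintext value present"
    fi
done
```

This is a format check only; it does not verify the MAC or that the file decrypts with the expected age key.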