SOPS Decrypt

Decrypt .enc.yaml files back to their plaintext .env originals.

Workflow

1. Detect current state:

   python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/detect_sops.py <project-root>
   

2. Verify prerequisites:

   • tools.sops.installed must be true — if not, tell user to install: brew install sops (macOS) or download binary (Linux)
   • age_key.exists must be true — if not, guide user to place their age private key at the expected path, or set SOPS_AGE_KEY_FILE env var

3. Show encrypted files from project.encrypted_files. If empty, report "No encrypted files found" and exit.

4. Use AskUserQuestion (multiSelect: true) — which files to decrypt. For each, show the target output name (e.g., .env.local.enc.yaml → .env.local). If the target file already exists, note it will be overwritten.

5. Decrypt each selected file (decrypt YAML, then convert to dotenv):

   sops --decrypt <file>.enc.yaml > <file>.dec.yaml.tmp
   python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/dotenv_yaml.py to-dotenv <file>.dec.yaml.tmp > <target-env-file>
   rm <file>.dec.yaml.tmp
   

   Where <target-env-file> is the encrypted filename with .enc.yaml suffix removed. Example: .env.local.enc.yaml → .env.local

6. Verify each decrypted file exists and is non-empty.

7. Summary:

   | Encrypted File | Decrypted To | Status |
   |---------------|--------------|--------|
   | .env.local.enc.yaml | .env.local | done |
   

   Remind user: Do NOT commit the decrypted .env files — they should be in .gitignore.

Key Rules

• Always check that the age private key exists before attempting decryption
• Always convert YAML→dotenv after decrypting (use the helper script)
• Warn if a decrypted file will overwrite an existing one
• Clean up .tmp files even if decryption fails
• After decryption, remind user that plaintext .env files must stay out of git
• If decryption fails with "no identity matched", the machine's key is not authorized — suggest running /devtools:sops-add-key on a machine that has access