No description
reencrypt only rewrote .age files; the inline 'encrypted = { KEY = "base64" }'
vars in doot.doot were left encrypted to the old recipients, so after adding a
recipient they stayed undecryptable by the new key.
Now each inline var is decrypted, re-encrypted to the current recipients, and
its ciphertext literal swapped in place in the source (textual replace, not an
AST reprint - so the file's formatting and comments are untouched, and an
indirected or non-literal ciphertext is skipped with a warning).
Verified on the real config: all 8 inline vars re-encrypted to the new
recipients and decrypt correctly.
|
||
|---|---|---|
| crates | ||
| .gitignore | ||
| Cargo.lock | ||
| Cargo.toml | ||