AgentSkillsCN

sops-decrypt

将SOPS加密的YAML文件解密回.env格式。查找*.enc.yaml文件,解密并将YAML转换回dotenv。当用户提到“解密env”、“sops解密”、“解密秘密”、“恢复env”、“解密.env”、“恢复秘密”、“解密环境文件”时,就使用此技能。

SKILL.md
--- frontmatter
name: sops-decrypt
description: >-
  Decrypt SOPS-encrypted YAML files back to .env format. Finds *.enc.yaml files,
  decrypts, and converts YAML back to dotenv. Use when user mentions "decrypt env",
  "sops decrypt", "decrypt secrets", "restore env", "decrypt .env",
  "restore secrets", "decrypt environment files".
disable-model-invocation: true

SOPS Decrypt

Decrypt .enc.yaml files back to their plaintext .env originals.

Workflow

  1. Detect current state:

    bash
    python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/detect_sops.py <project-root>
    
  2. Verify prerequisites:

    • tools.sops.installed must be true — if not, tell user to install: brew install sops (macOS) or download binary (Linux)
    • age_key.exists must be true — if not, guide user to place their age private key at the expected path, or set SOPS_AGE_KEY_FILE env var
  3. Show encrypted files from project.encrypted_files. If empty, report "No encrypted files found" and exit.

  4. Use AskUserQuestion (multiSelect: true) — which files to decrypt. For each, show the target output name (e.g., .env.local.enc.yaml.env.local). If the target file already exists, note it will be overwritten.

  5. Decrypt each selected file (decrypt YAML, then convert to dotenv):

    bash
    sops --decrypt <file>.enc.yaml > <file>.dec.yaml.tmp
    python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/dotenv_yaml.py to-dotenv <file>.dec.yaml.tmp > <target-env-file>
    rm <file>.dec.yaml.tmp
    

    Where <target-env-file> is the encrypted filename with .enc.yaml suffix removed. Example: .env.local.enc.yaml.env.local

  6. Verify each decrypted file exists and is non-empty.

  7. Summary:

    code
    | Encrypted File | Decrypted To | Status |
    |---------------|--------------|--------|
    | .env.local.enc.yaml | .env.local | done |
    

    Remind user: Do NOT commit the decrypted .env files — they should be in .gitignore.

Key Rules

  • Always check that the age private key exists before attempting decryption
  • Always convert YAML→dotenv after decrypting (use the helper script)
  • Warn if a decrypted file will overwrite an existing one
  • Clean up .tmp files even if decryption fails
  • After decryption, remind user that plaintext .env files must stay out of git
  • If decryption fails with "no identity matched", the machine's key is not authorized — suggest running /devtools:sops-add-key on a machine that has access