Add smart SOPS age key management to bootstrap

- Format age keys with public key comments
- Append to existing key files instead of overwriting
- Detect duplicate keys by comparing public keys
- Preserve other existing keys in the file
- Use age library's ParseIdentities() for proper parsing

Author: speier

CHANGELOG.md

@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.6.7] - 2025-10-23
+
+### Added
+- **Smart SOPS age key management** - Bootstrap now properly handles age keys:
+  - Formats keys with public key comments (e.g., `# public key: age1...`)
+  - Appends to existing key files instead of overwriting
+  - Detects duplicate keys by comparing public keys (won't append the same key twice)
+  - Preserves other existing keys in the file
+
+### Changed
+- Bootstrap uses age library's `ParseIdentities()` for proper key file parsing
+
 ## [0.6.6] - 2025-10-23
 
 ### Added
@@ -162,7 +174,8 @@ bootstrap:
 - Support for Terraform and OpenTofu
 - CLI commands: plan, apply, destroy, list, output, clean
 
-[Unreleased]: https://github.com/moonwalker/comet/compare/v0.6.6...HEAD
+[Unreleased]: https://github.com/moonwalker/comet/compare/v0.6.7...HEAD
+[0.6.7]: https://github.com/moonwalker/comet/releases/tag/v0.6.7
 [0.6.6]: https://github.com/moonwalker/comet/releases/tag/v0.6.6
 [0.6.5]: https://github.com/moonwalker/comet/releases/tag/v0.6.5
 [0.6.4]: https://github.com/moonwalker/comet/releases/tag/v0.6.4

internal/bootstrap/runner.go

@@ -5,11 +5,13 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"regexp"
 	"runtime"
 	"strconv"
 	"strings"
 	"time"
 
+	"filippo.io/age"
 	"github.com/moonwalker/comet/internal/log"
 	"github.com/moonwalker/comet/internal/schema"
 	"github.com/moonwalker/comet/internal/secrets"
@@ -184,17 +186,56 @@ func (r *Runner) runSecretStep(step *schema.BootstrapStep) error {
 		mode = os.FileMode(modeInt)
 	}
 
+	// Format the value based on the secret type
+	var formattedValue string
+	if isSopsAgeKeySource(step.Source) {
+		// For SOPS age keys, format with public key comment
+		formattedValue, err = formatAgeKey(value)
+		if err != nil {
+			log.Warn("Could not parse age key for formatting, saving as-is", "error", err)
+			formattedValue = value
+		}
+	} else {
+		formattedValue = value
+	}
+
 	// Ensure value ends with newline (Unix text file convention)
-	if len(value) > 0 && !strings.HasSuffix(value, "\n") {
-		value = value + "\n"
+	if len(formattedValue) > 0 && !strings.HasSuffix(formattedValue, "\n") {
+		formattedValue = formattedValue + "\n"
 	}
 
-	// Write file
-	if err := os.WriteFile(targetPath, []byte(value), mode); err != nil {
-		return fmt.Errorf("failed to write file: %w", err)
+	// For SOPS age keys, check if the key already exists in the file
+	if isSopsAgeKeySource(step.Source) {
+		shouldAppend, err := shouldAppendAgeKey(targetPath, formattedValue)
+		if err != nil {
+			return fmt.Errorf("failed to check existing keys: %w", err)
+		}
+		if !shouldAppend {
+			log.Info(fmt.Sprintf("ℹ️  Key already exists in: %s", targetPath))
+			log.Info(fmt.Sprintf("✅ %s completed (%.2fs)", step.Name, duration.Seconds()))
+			return nil
+		}
+
+		// Append to existing file
+		f, err := os.OpenFile(targetPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, mode)
+		if err != nil {
+			return fmt.Errorf("failed to open file for append: %w", err)
+		}
+		defer f.Close()
+
+		if _, err := f.WriteString(formattedValue); err != nil {
+			return fmt.Errorf("failed to append to file: %w", err)
+		}
+
+		log.Info(fmt.Sprintf("💾 Appended to: %s (mode: %o)", targetPath, mode))
+	} else {
+		// For non-age-key secrets, just write/overwrite
+		if err := os.WriteFile(targetPath, []byte(formattedValue), mode); err != nil {
+			return fmt.Errorf("failed to write file: %w", err)
+		}
+		log.Info(fmt.Sprintf("💾 Saved to: %s (mode: %o)", targetPath, mode))
 	}
 
-	log.Info(fmt.Sprintf("💾 Saved to: %s (mode: %o)", targetPath, mode))
 	log.Info(fmt.Sprintf("✅ %s completed (%.2fs)", step.Name, duration.Seconds()))
 
 	return nil
@@ -338,3 +379,76 @@ func NeedsBootstrap(config *schema.Config) bool {
 
 	return false
 }
+
+// formatAgeKey formats an age secret key with a public key comment
+func formatAgeKey(secretKey string) (string, error) {
+	// Remove whitespace
+	secretKey = strings.TrimSpace(secretKey)
+
+	// Parse the age identity to get the public key
+	identity, err := age.ParseX25519Identity(secretKey)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse age identity: %w", err)
+	}
+
+	// Get the recipient (public key)
+	recipient := identity.Recipient()
+
+	// Format with public key comment
+	formatted := fmt.Sprintf("# public key: %s\n%s", recipient.String(), secretKey)
+
+	return formatted, nil
+}
+
+// shouldAppendAgeKey checks if an age key should be appended to the file
+// Returns true if the key doesn't exist, false if it already exists
+func shouldAppendAgeKey(filePath, formattedKey string) (bool, error) {
+	// Parse the new key to get its public key
+	newIdentity, err := age.ParseX25519Identity(strings.TrimSpace(extractSecretKey(formattedKey)))
+	if err != nil {
+		return false, fmt.Errorf("failed to parse new key: %w", err)
+	}
+	newPublicKey := newIdentity.Recipient().String()
+
+	// Check if file exists
+	file, err := os.Open(filePath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			// File doesn't exist, we should create it
+			return true, nil
+		}
+		return false, err
+	}
+	defer file.Close()
+
+	// Parse all existing identities from the file
+	existingIdentities, err := age.ParseIdentities(file)
+	if err != nil {
+		// If file exists but has no valid keys (or is empty), we can append
+		if strings.Contains(err.Error(), "no secret keys found") {
+			return true, nil
+		}
+		return false, fmt.Errorf("failed to parse existing keys: %w", err)
+	}
+
+	// Check if our public key already exists
+	for _, identity := range existingIdentities {
+		if x25519Identity, ok := identity.(*age.X25519Identity); ok {
+			existingPublicKey := x25519Identity.Recipient().String()
+			if existingPublicKey == newPublicKey {
+				// Key already exists
+				return false, nil
+			}
+		}
+	}
+
+	// Key doesn't exist, we should append
+	return true, nil
+}
+
+// extractSecretKey extracts just the AGE-SECRET-KEY line from formatted content
+func extractSecretKey(content string) string {
+	re := regexp.MustCompile(`(?m)^AGE-SECRET-KEY-[A-Z0-9]+$`)
+	match := re.FindString(content)
+	return match
+}

internal/bootstrap/runner_test.go

@@ -4,7 +4,10 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
+	"strings"
 	"testing"
+
+	"filippo.io/age"
 )
 
 func TestExpandPath(t *testing.T) {
@@ -125,3 +128,151 @@ func getPlatformSopsPath(home string) string {
 	}
 	return filepath.Join(home, ".config", "sops", "age", "keys.txt")
 }
+
+func TestFormatAgeKey(t *testing.T) {
+	// Generate a real test age key
+	identity, err := age.GenerateX25519Identity()
+	if err != nil {
+		t.Fatalf("Failed to generate test age key: %v", err)
+	}
+	testSecretKey := identity.String()
+
+	formatted, err := formatAgeKey(testSecretKey)
+	if err != nil {
+		t.Fatalf("formatAgeKey() error = %v", err)
+	}
+
+	// Should contain the public key comment
+	if !strings.Contains(formatted, "# public key: age1") {
+		t.Errorf("formatAgeKey() should contain public key comment, got: %v", formatted)
+	}
+
+	// Should contain the original secret key
+	if !strings.Contains(formatted, testSecretKey) {
+		t.Errorf("formatAgeKey() should contain secret key, got: %v", formatted)
+	}
+
+	// Should have public key before secret key
+	lines := strings.Split(formatted, "\n")
+	if len(lines) < 2 {
+		t.Errorf("formatAgeKey() should have at least 2 lines, got %d", len(lines))
+	}
+	if !strings.Contains(lines[0], "# public key:") {
+		t.Errorf("formatAgeKey() first line should be public key comment, got: %v", lines[0])
+	}
+	if !strings.Contains(lines[1], "AGE-SECRET-KEY-") {
+		t.Errorf("formatAgeKey() second line should be secret key, got: %v", lines[1])
+	}
+}
+
+func TestExtractSecretKey(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "extracts from formatted content",
+			input:    "# public key: age1abc123\nAGE-SECRET-KEY-1ABC123DEF456\n",
+			expected: "AGE-SECRET-KEY-1ABC123DEF456",
+		},
+		{
+			name:     "extracts from plain key",
+			input:    "AGE-SECRET-KEY-1XYZ789\n",
+			expected: "AGE-SECRET-KEY-1XYZ789",
+		},
+		{
+			name:     "returns empty for no match",
+			input:    "some random text\n",
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := extractSecretKey(tt.input)
+			if result != tt.expected {
+				t.Errorf("extractSecretKey() = %v, want %v", result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestShouldAppendAgeKey(t *testing.T) {
+	// Generate test keys
+	identity1, _ := age.GenerateX25519Identity()
+	identity2, _ := age.GenerateX25519Identity()
+
+	formatted1, _ := formatAgeKey(identity1.String())
+	formatted2, _ := formatAgeKey(identity2.String())
+
+	// Create temp directory for test files
+	tmpDir := t.TempDir()
+	testFile := filepath.Join(tmpDir, "test-keys.txt")
+
+	t.Run("should append to non-existent file", func(t *testing.T) {
+		shouldAppend, err := shouldAppendAgeKey(testFile, formatted1)
+		if err != nil {
+			t.Fatalf("shouldAppendAgeKey() error = %v", err)
+		}
+		if !shouldAppend {
+			t.Error("shouldAppendAgeKey() should return true for non-existent file")
+		}
+	})
+
+	t.Run("should append first key to empty file", func(t *testing.T) {
+		// Create empty file
+		os.WriteFile(testFile, []byte(""), 0600)
+
+		shouldAppend, err := shouldAppendAgeKey(testFile, formatted1)
+		if err != nil {
+			t.Fatalf("shouldAppendAgeKey() error = %v", err)
+		}
+		if !shouldAppend {
+			t.Error("shouldAppendAgeKey() should return true for empty file")
+		}
+	})
+
+	t.Run("should not append duplicate key", func(t *testing.T) {
+		// Write first key
+		os.WriteFile(testFile, []byte(formatted1), 0600)
+
+		shouldAppend, err := shouldAppendAgeKey(testFile, formatted1)
+		if err != nil {
+			t.Fatalf("shouldAppendAgeKey() error = %v", err)
+		}
+		if shouldAppend {
+			t.Error("shouldAppendAgeKey() should return false for duplicate key")
+		}
+	})
+
+	t.Run("should append different key", func(t *testing.T) {
+		// File already has key1
+		os.WriteFile(testFile, []byte(formatted1), 0600)
+
+		shouldAppend, err := shouldAppendAgeKey(testFile, formatted2)
+		if err != nil {
+			t.Fatalf("shouldAppendAgeKey() error = %v", err)
+		}
+		if !shouldAppend {
+			t.Error("shouldAppendAgeKey() should return true for different key")
+		}
+	})
+
+	t.Run("should detect duplicate in multi-key file", func(t *testing.T) {
+		// Write both keys
+		content := formatted1 + "\n" + formatted2
+		os.WriteFile(testFile, []byte(content), 0600)
+
+		// Try to add key1 again
+		shouldAppend, err := shouldAppendAgeKey(testFile, formatted1)
+		if err != nil {
+			t.Fatalf("shouldAppendAgeKey() error = %v", err)
+		}
+		if shouldAppend {
+			t.Error("shouldAppendAgeKey() should return false when key exists in multi-key file")
+		}
+	})
+}
+
+// Helper functions are not needed - using strings package directly