#!/usr/bin/env bash
set -euo pipefail
: "${VAULT_ROOT:=~/infrastructure/vault}"
vr="$(eval echo "$VAULT_ROOT")"
for f in cloudflare gitea registry k8s; do
  p="$vr/secrets/$f.enc.yaml"
  [[ -f "$p" ]] || { echo "missing $p"; exit 1; }
  grep -q "sops:" "$p" || { echo "not encrypted: $p"; exit 1; }
done
echo "[OK] ciphertext"