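#!/usr/bin/env bash
#
# Plan step for the secrets vault (age + sops).
#
# Prints the resolved locations the workflow will use and a summary of what
# the apply step is announced to do. Nothing in this file creates files or
# reads key material; it only prints paths and fixed text.
#
# Environment (all optional, defaults assigned below):
#   VAULT_ROOT     - root of the vault tree
#   AGE_KEY_DIR    - directory holding the age identity
#   AGE_KEYS_FILE  - age identity file (keys.txt)
#
# Depends on expand_path, which is not defined here and is expected to come
# from _common.sh located next to this script.
set -euo pipefail

# Resolve the directory of this script so _common.sh is found regardless of
# the caller's working directory. `--` guards against a path starting with
# '-', and cd's stdout is discarded because cd prints the target directory
# when CDPATH is used, which would otherwise end up inside SCRIPT_DIR.
SCRIPT_DIR="$(cd -- "$(dirname -- "$0")" >/dev/null && pwd)"
source "$SCRIPT_DIR/_common.sh"

# Defaults apply only when the variable is unset or empty. The leading '~'
# stays literal here because tilde expansion does not happen inside double
# quotes; expand_path is presumably what resolves it (confirm in _common.sh).
: "${VAULT_ROOT:=~/infrastructure/vault}"
: "${AGE_KEY_DIR:=~/.config/sops/age}"
# keys.txt is the age identity, i.e. private key material. Only its path is
# printed by this script.
# NOTE(review): confirm the apply step creates it with owner-only permissions
# and that AGE_KEY_DIR is not group- or world-accessible.
: "${AGE_KEYS_FILE:=~/.config/sops/age/keys.txt}"

#######################################
# Print the plan: resolved paths plus the actions announced for the apply step.
# Globals:   VAULT_ROOT, AGE_KEY_DIR, AGE_KEYS_FILE (read)
# Arguments: none used (positional parameters are accepted and ignored)
# Outputs:   plan lines prefixed with "[PLAN]" on stdout
# Returns:   0 on success; the script exits non-zero under `set -e` if
#            expand_path fails for any of the three paths
#######################################
main() {
  # Declared separately from the assignments so a failing expand_path is not
  # masked by the exit status of `local` and still aborts under `set -e`.
  local vault_root key_dir keys_file
  vault_root="$(expand_path "$VAULT_ROOT")"
  key_dir="$(expand_path "$AGE_KEY_DIR")"
  keys_file="$(expand_path "$AGE_KEYS_FILE")"

  # Paths go through '%s' so their content is never treated as a format.
  printf '[PLAN] %s secrets-vault (age+sops)\n' "$(date -Iseconds)"
  printf '[PLAN] VAULT_ROOT: %s\n' "$vault_root"
  printf '[PLAN] AGE_KEY_DIR: %s\n' "$key_dir"
  printf '[PLAN] AGE_KEYS_FILE: %s\n' "$keys_file"
  printf '\n'
  printf '%s\n' \
    "[PLAN] Will ensure age identity exists (keys.txt)." \
    "[PLAN] Will write vault/.sops.yaml and encrypted templates under vault/secrets/." \
    "[PLAN] Will NOT print secret plaintext."
  printf '\n'
  # NOTE(review): the hint below uses `export`, which leaves DRY_RUN=0 set for
  # the rest of the operator's shell session, so any later script that honors
  # DRY_RUN would no longer be a dry run. A one-shot
  # `DRY_RUN=0 ./scripts/11_apply.sh` would scope it to that single command.
  printf '%s\n' "[PLAN] Next: export DRY_RUN=0 && ./scripts/11_apply.sh"
}

main "$@"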