vm-skills/backup-sovereign/scripts/21_encrypt_apply.sh
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00


#!/usr/bin/env bash
# Strict mode: abort on errors, on unset variables, and on a failure in any
# pipeline stage.
set -e
set -u
set -o pipefail

# === METADATA ===
# Locations are derived from the script's own path, not the caller's cwd.
SCRIPT_NAME="$(basename "$0")"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"

# === CONFIGURATION ===
# Each setting keeps a non-empty value from the environment and otherwise
# takes the default shown here.
# Directory holding last_run_dir.txt, the pointer to the run to encrypt.
OUTPUT_DIR="${OUTPUT_DIR:-$SKILL_ROOT/outputs}"
# age recipients file; there is no default, and main refuses to run without it.
AGE_RECIPIENT_FILE="${AGE_RECIPIENT_FILE:-}"
# Safe default: require_confirm aborts unless DRY_RUN is exactly "0".
DRY_RUN="${DRY_RUN:-1}"
# "1" makes require_confirm ask for the phrase below; any other value skips
# the prompt, so callers that override it take on that check themselves.
REQUIRE_CONFIRM="${REQUIRE_CONFIRM:-1}"
CONFIRM_PHRASE="${CONFIRM_PHRASE:-I UNDERSTAND THIS WILL CREATE AND ENCRYPT BACKUPS}"
# === FUNCTIONS ===
# Write an informational line to stdout: "[INFO] <ISO-8601 timestamp> <args>".
log_info() {
  printf '[INFO] %s %s\n' "$(date -Iseconds)" "$*"
}
# Write an error line to stderr: "[ERROR] <ISO-8601 timestamp> <args>".
log_error() {
  printf '[ERROR] %s %s\n' "$(date -Iseconds)" "$*" >&2
}
# Report the given message through log_error, then terminate with status 1.
die() {
  log_error "$@"
  exit 1
}
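#######################################
# Gate for the apply step: refuse to continue unless the operator opted in.
# Globals:   DRY_RUN, REQUIRE_CONFIRM, CONFIRM_PHRASE (read)
# Arguments: none
# Outputs:   the confirmation prompt on stdout
# Returns:   0 when the run may proceed; otherwise exits via die
#######################################
require_confirm() {
  # Anything other than the exact string "0" counts as a dry run.
  [[ "$DRY_RUN" == "0" ]] || die "DRY_RUN=$DRY_RUN (set DRY_RUN=0 to apply)."

  if [[ "$REQUIRE_CONFIRM" == "1" ]]; then
    # Keep the typed phrase out of the global scope.
    local input=""
    echo ""
    echo "CONFIRMATION REQUIRED"
    echo "Type the phrase exactly to continue:"
    echo " $CONFIRM_PHRASE"
    # read returns non-zero at EOF. Under `set -e` that would end the script
    # with no message, so report a closed stdin explicitly; a final line
    # without a trailing newline is still accepted.
    read -r input || [[ -n "$input" ]] \
      || die "No confirmation input received (stdin closed?); aborting."
    # The right-hand side is quoted, so this is a literal comparison.
    [[ "$input" == "$CONFIRM_PHRASE" ]] || die "Confirmation phrase mismatch; aborting."
  fi
}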
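#######################################
# Encrypt the archive of the most recent backup run with age.
# Globals:   OUTPUT_DIR, AGE_RECIPIENT_FILE (read)
# Arguments: none
# Outputs:   progress lines on stdout; writes <run_dir>/archive.tar.gz.age
# Returns:   0 on success; exits via die on a failed precondition or a
#            failed encryption
#######################################
main() {
  require_confirm

  local last_run_file="$OUTPUT_DIR/last_run_dir.txt"
  [[ -f "$last_run_file" ]] || die "No last run pointer. Run 11_backup_apply.sh first."

  local run_dir
  run_dir="$(cat "$last_run_file")"
  # The pointer file is the only source of the run directory. An empty value
  # would make the paths below resolve against the filesystem root, so reject
  # it here instead of encrypting whatever happens to be found there.
  [[ -n "$run_dir" ]] || die "Last run pointer is empty: $last_run_file"
  [[ -d "$run_dir" ]] || die "Run directory not found: $run_dir"

  local archive="$run_dir/archive.tar.gz"
  [[ -f "$archive" ]] || die "Missing archive: $archive"
  [[ -n "$AGE_RECIPIENT_FILE" ]] || die "AGE_RECIPIENT_FILE is required for encryption."
  [[ -f "$AGE_RECIPIENT_FILE" ]] || die "AGE_RECIPIENT_FILE not found: $AGE_RECIPIENT_FILE"
  command -v age >/dev/null 2>&1 || die "age not found in PATH."

  local encrypted="$run_dir/archive.tar.gz.age"
  # Encrypt into a sibling file and rename only on success, so an interrupted
  # or failed run never leaves a truncated file under the final name.
  local partial="$encrypted.partial"

  log_info "Encrypting with age..."
  log_info "Input: $archive"
  log_info "Output: $encrypted"
  log_info "Recipients: $AGE_RECIPIENT_FILE"

  if ! age -R "$AGE_RECIPIENT_FILE" -o "$partial" "$archive"; then
    rm -f -- "$partial"
    die "age encryption failed; $encrypted was not updated."
  fi
  if [[ ! -s "$partial" ]]; then
    rm -f -- "$partial"
    die "age produced an empty output file; $encrypted was not updated."
  fi
  mv -f -- "$partial" "$encrypted"
  # NOTE(review): the plaintext archive stays next to the encrypted copy;
  # confirm that a later step removes or otherwise protects it.

  # wc -c is portable, unlike GNU-only `stat -c%s`; the arithmetic expansion
  # strips the padding some wc implementations print.
  local enc_size
  enc_size=$(wc -c <"$encrypted")
  enc_size=$((enc_size))
  log_info "Encrypted size: $enc_size bytes"
  log_info "Encryption complete."
  log_info "Next: ./scripts/30_generate_proof.sh"
}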
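# Run main only when the file is executed directly. An `if` is used instead
# of `[[ ... ]] && main` so that sourcing the file returns status 0 rather
# than the failed test's status, which would abort a caller under `set -e`.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi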