vm-skills/backup-sovereign/scripts/20_encrypt_plan.sh

#!/usr/bin/env bash
set -euo pipefail

# === METADATA ===
SCRIPT_NAME="$(basename "$0")"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"

# === CONFIGURATION ===
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
: "${AGE_RECIPIENT_FILE:=}"

# === FUNCTIONS ===
log_plan() { echo "[PLAN]  $(date -Iseconds) $*"; }
die()      { echo "[ERROR] $(date -Iseconds) $*" >&2; exit 1; }

main() {
    local last_run_file="$OUTPUT_DIR/last_run_dir.txt"

    [[ -f "$last_run_file" ]] || die "No last run pointer. Run 11_backup_apply.sh first."

    local run_dir
    run_dir="$(cat "$last_run_file")"

    [[ -d "$run_dir" ]] || die "Run directory missing: $run_dir"
    [[ -f "$run_dir/archive.tar.gz" ]] || die "Archive missing: $run_dir/archive.tar.gz"

    log_plan "=== Encryption Plan ==="
    log_plan "Method: age"
    log_plan "Run directory: $run_dir"
    log_plan "Input: $run_dir/archive.tar.gz"
    log_plan "Output: $run_dir/archive.tar.gz.age"
    echo ""

    log_plan "=== Recipient File ==="
    if [[ -n "$AGE_RECIPIENT_FILE" ]]; then
        if [[ -f "$AGE_RECIPIENT_FILE" ]]; then
            log_plan "File: $AGE_RECIPIENT_FILE"
            log_plan "Recipients:"
            while IFS= read -r line; do
                [[ "$line" =~ ^# ]] && continue
                [[ -z "$line" ]] && continue
                # Show truncated public key
                log_plan "  - ${line:0:20}..."
            done < "$AGE_RECIPIENT_FILE"
        else
            log_plan "[MISSING] $AGE_RECIPIENT_FILE"
        fi
    else
        log_plan "[NOT SET] AGE_RECIPIENT_FILE required for encryption"
    fi
    echo ""

    log_plan "=== Archive Info ==="
    local size
    size=$(stat -c%s "$run_dir/archive.tar.gz")
    log_plan "Archive size: $size bytes ($((size / 1024 / 1024)) MB)"
    echo ""

    log_plan "Next: ./scripts/21_encrypt_apply.sh (requires DRY_RUN=0)"
}

[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"