sops

[Cooper Maruyama (coopmoney)]

feat: Integrate SOPS (Age/KMS) and Flox/Direnv; remove dotenvx

Description

This PR replaces dotenvx with SOPS for environment variable encryption, defaulting to Age for the public template while retaining KMS as an optional configuration. It also integrates flox and direnv to provide reproducible development environments, automatically activating flox and adding custom CLI scripts to the $PATH.

Changes include:

• Secret Management: Migration from dotenvx to SOPS across application configurations (Next.js Docker, start scripts), build processes (Makefile), CI/CD workflows, and documentation.
• Developer Experience: Introduction of .envrc for direnv to auto-activate flox and expose packages/scripts/bin to the $PATH.
• Dependencies: sops and age added to flox manifest; dotenvx removed.

Related Issue

N/A

How Has This Been Tested?

• Verified direnv allow successfully activates the flox environment and adds packages/scripts/bin to the $PATH.
• Confirmed age-keygen and sops encryption/decryption functionality for .env.development.sops.
• Ran pnpm dev to ensure the Next.js application correctly loads environment variables via the new packages/scripts/bin/env.sh runner.
• Checked Makefile targets for env-decrypt/encrypt and ci-build-* to ensure SOPS integration.

---

 

[cursor]

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
_{Learn more about Cursor Agents}