Secrets with SOPS and Age
=========================

LocalDevStack can integrate an encrypted secrets workflow using **SOPS** and **Age**.

The goal is simple:

- Keep ``.env``-like secrets encrypted in Git
- Decrypt only when needed (locally) into runtime containers or build steps

Typical workflow (high level)
-----------------------------

1. Store secrets as ``*.enc.env`` (or similar) in a repo.
2. Keep Age private keys outside the repo (mounted into Tools container).
3. Use a helper (often called ``senv``) to decrypt into a target env file.

Safety notes
------------

- Prefer read-only mounts for secrets repos.
- Do not bake private keys into images.