Add --sops mode to encrypt harvest and manifest data at rest (especially useful if using --dangerous)

2025-12-17 18:51:40 +11:00 · 2025-12-17 18:51:40 +11:00 · 33b1176800
commit 33b1176800
parent 6a36a9d2d5
12 changed files with 760 additions and 117 deletions
--- a/enroll/ignore.py
+++ b/enroll/ignore.py
@ -73,6 +73,10 @@ class IgnorePolicy:
            yield raw

    def deny_reason(self, path: str) -> Optional[str]:
+        # Always ignore plain *.log files (rarely useful as config, often noisy).
+        if path.endswith(".log"):
+            return "log_file"
+
        if not self.dangerous:
            for g in self.deny_globs or []:
                if fnmatch.fnmatch(path, g):