diff --git a/lib/git-crypt.sh b/lib/git-crypt.sh
index 7972620..0a2825a 100644
--- a/lib/git-crypt.sh
+++ b/lib/git-crypt.sh
@@ -21,18 +21,29 @@ gcrypt_export_key() {
 gcrypt_verify() {
 local genome_name="$1"
- local key_path="${KEYS_DIR}/${genome_name}.key"
- info "Verifying git-crypt status for ${genome_name}..."
- git-crypt lock
+ info "Verifying git-crypt configuration for ${genome_name}..."
- if file "raw/private/.gitkeep" 2>/dev/null | grep -q "data"; then
- success "Encryption verified: private/ directory is protected."
+ # `git-crypt status` reports the CONFIGURED status (from `.gitattributes`), not the
+ # lock/unlock status of the working tree. Encrypted lines have their labels right-aligned
+ # (with leading whitespace), so you CANNOT anchor on `^encrypted`.
+ # We filter by private/ and distinguish “encrypted” from “not encrypted” without
+ # relying on exact spacing.
+ local status_out encrypted_count not_encrypted_count
+ status_out=$(git-crypt status 2>/dev/null || true)
+ encrypted_count=$(printf '%s\n' "$status_out" | grep 'private/' | grep -cE '^[[:space:]]*encrypted:' || true)
+ not_encrypted_count=$(printf '%s\n' "$status_out" | grep 'private/' | grep -cE '^not encrypted:' || true)
+
+ if [[ "$encrypted_count" -gt 0 ]]; then
+ success "Encryption configured: ${encrypted_count} private file(s) under git-crypt."
+ if [[ "$not_encrypted_count" -gt 0 ]]; then
+ warn "${not_encrypted_count} file(s) under private/ are NOT covered by the git-crypt filter — check .gitattributes (leak risk)."
+ fi
+ elif [[ "$not_encrypted_count" -gt 0 ]]; then
+ warn "private/ files exist but none are covered by the git-crypt filter — check the .gitattributes filter (leak risk)."
 else
- warn "Encryption check inconclusive. Run 'git-crypt status' manually."
+ info "No private/ files present yet — nothing to verify."
 fi
-
- [[ -f "$key_path" ]] && git-crypt unlock "$key_path"
 }
 # ---------------------------------------------------------------------------
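Review bot: The `status_out=$(git-crypt status 2>/dev/null || true)` line in gcrypt_verify turns a failed `git-crypt status` (binary missing, repository not git-crypt-initialised, not a git repo) into an empty string, so both counts are 0 and the function falls through to `info "No private/ files present yet — nothing to verify."` — a hard failure is reported as a clean pass, which is weaker than the old "inconclusive" warning this hunk removes. Capture the exit status instead, e.g. `status_out=$(git-crypt status 2>/dev/null) || { warn "'git-crypt status' failed for ${genome_name} — verification inconclusive."; return 1; }`, adjusting the return to whatever the callers expect. Separately, as far as I recall git-crypt appends a staged/committed-version-NOT-ENCRYPTED warning to the `encrypted:` line of a file whose committed blob is plaintext; such lines still match `^[[:space:]]*encrypted:` and would be counted toward `success`, so matching that warning text on the private/ lines and routing it to `warn` would close the gap this check exists for — confirm the exact wording against the installed git-crypt's status output before relying on it.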