# ───── Path C: agent-first ─────
# AI agents (MCP) read a single agent-readonly credential file. Humans operate
# normally with admin/developer roles. Paste inside s.make_project { ... }.
#
# Layout of this fragment:
#   actor_key_bindings - maps each actor name to a key/scope name.
#   recipient_groups   - lists the age recipients that make up each group.
#   recipient_rules    - pairs a path pattern with the groups allowed on files matching it.
# The "agents" group appears in exactly one rule (registry/agent-readonly), so as
# written an agent key is a recipient of that file only; "admin" is in every rule.
sops = {
  enabled = true,
  # Empty in this template; must be set before use.
  vault_id = "",
  vault_backend = 'restic,
  # Empty in this template; must be set before use.
  registry_endpoint = "",
  actor_key_bindings = {
    developer = "developer",
    # NOTE(review): "cdci" may be a typo for "cicd" - confirm against the key name actually provisioned.
    # NOTE(review): no recipient group or rule below mentions ci; confirm how the CI
    # actor is expected to decrypt, or whether it needs to at all.
    ci = "cdci",
    agent = "agent-ro", # mapped to RO scope file
    admin = "admin",
  },
  recipient_groups = {
    # The "age1...": values are truncated placeholders; replace them with real age
    # public keys (recipients), never private identities.
    admin = ["age1admin..."],
    developer = ["age1developer..."],
    # Per-instance keys let one agent be dropped from the list on its own.
    # NOTE(review): presumably the file must be re-encrypted and the secrets it
    # holds rotated after removing a recipient - confirm the revocation procedure.
    agents = ["age1agent..."], # one age key per running agent instance
  },
  recipient_rules = [
    # NOTE(review): every pattern is anchored at the end ($) but not at the start.
    # If the matcher searches rather than full-matches, any path ending in the
    # suffix qualifies (e.g. a file under another directory) - confirm, and add a
    # leading anchor if the match should be exact.
    # NOTE(review): confirm whether rule order matters (first match vs. all matches).
    { path = "access\\.sops\\.yaml$", groups = ["admin", "developer"] },
    { path = "registry/admin-.*\\.sops\\.yaml$", groups = ["admin"] },
    { path = "registry/developer-.*\\.sops\\.yaml$", groups = ["admin", "developer"] },
    # The only rule that includes "agents"; developers are not recipients of this file.
    { path = "registry/agent-readonly\\.sops\\.yaml$", groups = ["admin", "agents"] },
  ],
},