# ───── Path A: single-team ─────
# Paste inside your s.make_project { ... } block. Replace <placeholders>.
# Bootstrap requires SOPS_AGE_RECIPIENTS env var (comma-separated age public keys)
# because no recipient_groups are declared in this template.

  sops = {
    enabled            = true,
    vault_id           = "<your-slug>",
    vault_backend      = 'restic,
    registry_endpoint  = "<your-zot-host>",
    # master_key_path absent → resolves from ~/.config/ontoref/config.ncl::vault.master_key_path.
    # Override per-project only when this project requires a different key.

    actor_key_bindings = {
      developer = "developer",
      ci        = "cdci",
      agent     = "ontoref",
      admin     = "admin",
    },
  },