Clarify zip password file diagnostics

scripts/install-vault-pass.sh

@@ -196,7 +196,26 @@ read_zip_password_file() {
   original_size="$(wc -c < "$VAULT_PASS_ZIP_PASSWORD_FILE" | tr -d '[:space:]')"
   without_nul_size="$(LC_ALL=C tr -d '\000' < "$VAULT_PASS_ZIP_PASSWORD_FILE" | wc -c | tr -d '[:space:]')"
   if [ "$original_size" != "$without_nul_size" ]; then
-    echo "VAULT_PASS_ZIP_PASSWORD_FILE appears to contain NUL bytes; provide a text password file instead." >&2
+    file_desc="$(file -b "$VAULT_PASS_ZIP_PASSWORD_FILE" 2>/dev/null || echo "unknown file type")"
+    cat >&2 <<ERR
+VAULT_PASS_ZIP_PASSWORD_FILE appears to contain NUL bytes; provide a text password file instead.
+
+Configured password-file path:
+  $VAULT_PASS_ZIP_PASSWORD_FILE
+Detected file type:
+  $file_desc
+
+This variable must point to a small plaintext file containing ONLY the zip archive password.
+It must NOT point to:
+  - secrets/vault-pass.txt.zip (the archive itself)
+  - ~/.config/vault-pass.txt (the Ansible Vault password file)
+  - any binary/key/archive file
+
+Fix one of these ways:
+  1. Create a plaintext zip-password file and set VAULT_PASS_ZIP_PASSWORD_FILE to that path.
+  2. Or set VAULT_PASS_ZIP_PASSWORD directly in a private local shell/env.
+  3. Or use INSTALL_VAULT_PASS_METHOD=url/manual/create instead of archive.
+ERR
     exit 4
   fi