agent-secret-vault/scripts/create-vault-pass-archive.sh

#!/usr/bin/env bash
set -euo pipefail

REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
SRC="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
OUT="${1:-$REPO_DIR/secrets/vault-pass.txt.zip}"

usage() {
  cat <<USAGE
Usage: scripts/create-vault-pass-archive.sh [output.zip]

Creates a password-protected archive containing vault-pass.txt.
Default source:
  ${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}
Default output:
  $REPO_DIR/secrets/vault-pass.txt.zip

The zip password is entered interactively. Do not print it in logs/chat.
USAGE
}

if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
  usage
  exit 0
fi

if [ ! -f "$SRC" ]; then
  echo "Missing source vault password file: $SRC" >&2
  exit 2
fi

if ! command -v zip >/dev/null 2>&1; then
  echo "Missing dependency: zip" >&2
  echo "Install it with: sudo apt install -y zip" >&2
  exit 3
fi

mkdir -p "$(dirname "$OUT")"
tmpdir="$(mktemp -d)"
cleanup() { rm -rf "$tmpdir"; }
trap cleanup EXIT
install -m 600 "$SRC" "$tmpdir/vault-pass.txt"

(
  cd "$tmpdir"
  # zip prompts for archive password interactively.
  zip -e -q "$OUT" vault-pass.txt
)
chmod 600 "$OUT"
echo "Created password-protected archive: $OUT"