---
description: "Use when working with SOPS secrets files (secrets.yaml). Never modify secrets.yaml files directly — always prompt the user to make changes using sops edit."
applyTo: "**"
---

# SOPS Secrets Files — Read-Only

Never modify any `secrets.yaml` file in this repository. These files are SOPS-encrypted: every value is stored as an `ENC[...]` ciphertext, and SOPS keeps a MAC over the values in the file's `sops:` metadata block. A hand edit (anything other than `sops edit`) invalidates that MAC, so `sops` will refuse to decrypt the file, and any value you add by hand is written in plaintext rather than encrypted. Either outcome means the file has to be repaired by the user, so treat the file as read-only.

## Rules

- **Do NOT edit `secrets.yaml` files** using file editing tools, even for renaming keys, restructuring blocks, or adding new entries.
- **Do NOT suggest patches or diffs** that target `secrets.yaml` files.
- **Always prompt the user** to make the change themselves using:

  ```bash
  sops edit
  ```

- When a new secret key is needed (e.g., for a new SOPS reference in Nix code), tell the user the exact key name and value to add, and ask them to add it via `sops edit`.
- You may **read** `secrets.yaml` files (e.g., with `grep` to check key names) — reading is safe, and the key names are stored in the clear even though the values are encrypted. Only writing is forbidden.

## Example

Instead of editing `systems/palatine-hill/secrets.yaml` directly, say:

> Please run `sops edit systems/palatine-hill/secrets.yaml` and add the following under the `kanidm:` block:
>
> ```yaml
> kanidm:
>   gitea_oidc_client_secret: ""
> ```
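The rules above allow reading `secrets.yaml` but never writing it, and warn that a hand edit breaks the file. The helper below, added here as an example and not part of this repository or of sops itself, shows what a read-only check can establish without any key material: that every leaf value outside the `sops:` metadata block is still an `ENC[...]` ciphertext, that a `sops.mac` entry is present, and which keys already exist under a block (so the user can be told exactly which key to add with `sops edit`). It assumes only POSIX sh and awk; the sample file and its `data:`/`iv:`/`tag:` fields are constructed placeholders rather than real ciphertext, and the function names are this example's own.

```shell
#!/bin/sh
# Read-only checks for a SOPS-encrypted YAML file (added example, not project
# code). Nothing here writes to the file, so it is safe to run on secrets.yaml.
#
#   sops_check_encrypted FILE     exit 0 if every leaf value outside the sops:
#                                 block is ENC[...] and a sops.mac is present
#   sops_block_keys FILE BLOCK    print the key names directly under BLOCK
#   sops_has_key FILE BLOCK KEY   exit 0 if KEY is a direct child of BLOCK

sops_check_encrypted() {
    awk '
        /^---[ \t]*$/            { next }                 # document separator
        /^sops:/                 { in_sops = 1; next }    # metadata block starts
        /^[^ \t#]/               { in_sops = 0 }          # any other top-level key ends it
        in_sops && /^[ \t]+mac:[ \t]*ENC\[/ { have_mac = 1 }
        in_sops                  { next }                 # metadata is not secret data
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        {
            line = $0
            sub(/^[ \t]*/, "", line)                      # drop indentation
            sub(/^-[ \t]+/, "", line)                     # drop list-item dash
            value = line
            # "key: value" -> keep only the value; a bare "key:" opens a block
            if (match(line, /^[A-Za-z0-9_.-]+:([ \t]+|$)/))
                value = substr(line, RLENGTH + 1)
            if (value != "" && value !~ /^ENC\[/) {
                printf "line %d: plaintext value: %s\n", NR, $0
                bad = 1
            }
        }
        END {
            if (!have_mac) { print "missing sops.mac: not SOPS-encrypted or metadata damaged"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

sops_block_keys() {
    awk -v block="$2" '
        $0 == (block ":")        { in_block = 1; next }
        in_block && /^[^ \t]/    { in_block = 0 }         # next top-level key ends the block
        in_block && /^[ \t]+[A-Za-z0-9_.-]+:/ {
            match($0, /^[ \t]+/)
            if (indent == "") indent = RLENGTH            # indent of the first direct child
            if (RLENGTH == indent) { key = $1; sub(/:$/, "", key); print key }
        }
    ' "$1"
}

sops_has_key() {
    sops_block_keys "$1" "$2" | grep -qx -- "$3"
}

# Constructed sample in the shape sops writes (placeholder data/iv/tag fields,
# not real ciphertext), plus a copy with one value pasted in by hand and
# therefore never encrypted.
SAMPLE_OK=$(mktemp) && SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT
cat > "$SAMPLE_OK" <<'EOF'
kanidm:
    admin_password: ENC[AES256_GCM,data:AAAA,iv:BBBB,tag:CCCC,type:str]
    gitea_oidc_client_secret: ENC[AES256_GCM,data:DDDD,iv:EEEE,tag:FFFF,type:str]
wireguard:
    peers:
        - ENC[AES256_GCM,data:GGGG,iv:HHHH,tag:IIII,type:str]
sops:
    age:
        - recipient: age1examplerecipientplaceholder
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            placeholder
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:JJJJ,iv:KKKK,tag:LLLL,type:str]
    version: 3.8.1
EOF
awk '{ print } /^kanidm:$/ { print "    smtp_password: hunter2" }' "$SAMPLE_OK" > "$SAMPLE_BAD"

echo "keys under kanidm:"; sops_block_keys "$SAMPLE_OK" kanidm
sops_check_encrypted "$SAMPLE_OK" && echo "ok: $SAMPLE_OK"
sops_check_encrypted "$SAMPLE_BAD" || echo "rejected: $SAMPLE_BAD"
```

The authoritative check remains `sops -d FILE >/dev/null` with the decryption key available, which verifies the MAC itself; the lint above needs no key, so an assistant can run it before and after the user's `sops edit` to confirm the file still has the expected shape, and it catches the most common hand-edit mistake, a secret pasted in as plaintext.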