- secrets/bookkeeping-sa.json.enc: team service-account key, encrypted with
AES-256-CBC + PBKDF2(100k iter) using a 48-char random passphrase. Safe to
commit to a public repo; the passphrase lives in the team password manager.
- scripts/decrypt-key.sh: one-liner that decrypts to ~/.config/gcp/ (mode 600)
and prints the service-account email so users know which address to share
their Sheet with.
- secrets/README.md: explains the crypto, decrypt flow, and rotation
procedures (passphrase rotation vs underlying GCP key rotation).
- README + DEPLOY.md + setup.md: install flow updated. Users no longer wait
for the admin to send a JSON; they git clone, run decrypt-key.sh with the
passphrase from the team password manager, and continue. Cuts one
out-of-band file transfer from the user experience.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
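As an added example (not the repository's own decrypt-key.sh or any code from this commit), a POSIX shell implementation of the scheme described above: AES-256-CBC with a PBKDF2-derived key at 100k iterations, decryption into a 600-mode file, and printing the service-account address. It assumes openssl 1.1.1 or later on PATH, that the passphrase arrives in the KEY_PASSPHRASE environment variable (so it never shows in `ps`), and that the key JSON has GCP's standard `client_email` field; the sample key is constructed and not a real credential.

```shell
#!/bin/sh
# Added example, not the repository's decrypt-key.sh: encrypt/decrypt flow for a
# service-account key using the scheme the commit describes (AES-256-CBC, key derived
# with PBKDF2 at 100k iterations). Assumes openssl(1) >= 1.1.1 is on PATH; the
# passphrase is read from the KEY_PASSPHRASE environment variable, never from argv.
set -eu

# Shared cipher parameters; both sides must agree on them or decryption fails.
# Word-splitting of this variable when used unquoted below is intentional.
ENC_OPTS="-aes-256-cbc -salt -pbkdf2 -iter 100000 -md sha256 -pass env:KEY_PASSPHRASE"

# encrypt_key PLAINTEXT_JSON OUTPUT_ENC
encrypt_key() {
  openssl enc $ENC_OPTS -in "$1" -out "$2"
}

# decrypt_key INPUT_ENC DEST_PATH
# Creates the destination directory and file under umask 077 so the decrypted key is
# never readable by other users, even briefly, then pins the final mode to 600.
decrypt_key() {
  dest_dir=$(dirname "$2")
  ( umask 077; mkdir -p "$dest_dir"; openssl enc -d $ENC_OPTS -in "$1" -out "$2" )
  chmod 600 "$2"
}

# sa_email DECRYPTED_JSON
# Prints the client_email field (the address users share their Sheet with).
# Uses sed only, so it needs no jq or python; assumes the field sits on one line,
# as it does in keys downloaded from GCP.
sa_email() {
  sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# write_sample_key DEST
# Writes a constructed, non-functional service-account key for demonstration only.
write_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "client_email": "bookkeeping@example-project.iam.gserviceaccount.com",
  "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY"
}
EOF
}
```

Typical use: `KEY_PASSPHRASE="$(pass show team/gcp-key)" decrypt_key secrets/bookkeeping-sa.json.enc ~/.config/gcp/bookkeeping-sa.json && sa_email ~/.config/gcp/bookkeeping-sa.json` (the `pass` lookup is an assumed placeholder for whatever password manager the team uses).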