Fix bootstrap SOPS age key path resolution on macOS

- Bootstrap now resolves SOPS age key paths to platform-specific locations
- macOS without XDG_CONFIG_HOME: ~/Library/Application Support/sops/age/keys.txt
- macOS with XDG_CONFIG_HOME: $XDG_CONFIG_HOME/sops/age/keys.txt
- Linux: ~/.config/sops/age/keys.txt (or $XDG_CONFIG_HOME if set)
- Fixes issue where SOPS couldn't find bootstrapped keys on macOS
- Added comprehensive unit tests for path resolution logic

Author: speier

CHANGELOG.md

@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.6.5] - 2025-10-23
+
+### Fixed
+- **Bootstrap SOPS age key path resolution on macOS** - Bootstrap now correctly saves age keys to the platform-specific path that SOPS expects:
+  - macOS without `XDG_CONFIG_HOME`: `~/Library/Application Support/sops/age/keys.txt`
+  - macOS with `XDG_CONFIG_HOME`: `$XDG_CONFIG_HOME/sops/age/keys.txt`
+  - Linux: `~/.config/sops/age/keys.txt` (or `$XDG_CONFIG_HOME/sops/age/keys.txt`)
+  - Previously, bootstrap always saved to `~/.config/sops/age/keys.txt` on all platforms, causing SOPS to fail finding keys on macOS
+
 ## [0.6.4] - 2025-01-07
 
 ### Fixed
@@ -144,7 +153,9 @@ bootstrap:
 - Support for Terraform and OpenTofu
 - CLI commands: plan, apply, destroy, list, output, clean
 
-[Unreleased]: https://github.com/moonwalker/comet/compare/v0.6.3...HEAD
+[Unreleased]: https://github.com/moonwalker/comet/compare/v0.6.5...HEAD
+[0.6.5]: https://github.com/moonwalker/comet/releases/tag/v0.6.5
+[0.6.4]: https://github.com/moonwalker/comet/releases/tag/v0.6.4
 [0.6.3]: https://github.com/moonwalker/comet/releases/tag/v0.6.3
 [0.6.2]: https://github.com/moonwalker/comet/releases/tag/v0.6.2
 [0.6.1]: https://github.com/moonwalker/comet/releases/tag/v0.6.1

comet.yaml

@@ -16,9 +16,14 @@ generate_backend: false
 #   - name: sops-age-key
 #     type: secret
 #     source: op://vault/infrastructure/sops-age-key  # Your 1Password path
-#     target: ~/.config/sops/age/keys.txt
+#     target: ~/.config/sops/age/keys.txt  # Automatically resolves to platform-specific path
 #     mode: "0600"
 #
+#   # Note: For SOPS age keys, bootstrap automatically resolves the target path:
+#   #   - macOS without XDG_CONFIG_HOME: ~/Library/Application Support/sops/age/keys.txt
+#   #   - macOS with XDG_CONFIG_HOME: $XDG_CONFIG_HOME/sops/age/keys.txt
+#   #   - Linux: ~/.config/sops/age/keys.txt (or $XDG_CONFIG_HOME if set)
+#
 #   # Optional: Check required tools
 #   - name: check-tools
 #     type: check

internal/bootstrap/runner.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"strconv"
 	"strings"
 	"time"
@@ -224,15 +225,60 @@ func (r *Runner) runCheckStep(step *schema.BootstrapStep) error {
 	return nil
 }
 
-// expandPath expands ~ and environment variables in paths
+// expandPath expands ~ and environment variables in paths.
+// It also handles SOPS age key path resolution on macOS.
 func expandPath(path string) string {
+	// Handle special case for SOPS age keys on macOS
+	// SOPS uses different default paths depending on XDG_CONFIG_HOME:
+	// - If XDG_CONFIG_HOME is set: $XDG_CONFIG_HOME/sops/age/keys.txt
+	// - On macOS without XDG_CONFIG_HOME: ~/Library/Application Support/sops/age/keys.txt
+	// - On Linux without XDG_CONFIG_HOME: ~/.config/sops/age/keys.txt
+	if strings.Contains(path, "sops/age/keys.txt") {
+		resolvedPath := resolveSopsAgePath(path)
+		if resolvedPath != "" {
+			return resolvedPath
+		}
+	}
+
 	if strings.HasPrefix(path, "~/") {
 		home, _ := os.UserHomeDir()
 		path = filepath.Join(home, path[2:])
 	}
 	return os.ExpandEnv(path)
 }
 
+// resolveSopsAgePath resolves the SOPS age key path to match what the SOPS library expects.
+// This ensures bootstrap saves the key where SOPS will actually look for it.
+func resolveSopsAgePath(path string) string {
+	const sopsAgeKeyPath = "sops/age/keys.txt"
+
+	// If path doesn't contain the SOPS age key path, don't modify it
+	if !strings.Contains(path, sopsAgeKeyPath) {
+		return ""
+	}
+
+	// Check if XDG_CONFIG_HOME is set
+	if xdgConfigHome := os.Getenv("XDG_CONFIG_HOME"); xdgConfigHome != "" {
+		// Use XDG_CONFIG_HOME if set (works on all platforms)
+		return filepath.Join(xdgConfigHome, sopsAgeKeyPath)
+	}
+
+	// Platform-specific defaults when XDG_CONFIG_HOME is not set
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return ""
+	}
+
+	if runtime.GOOS == "darwin" {
+		// macOS: ~/Library/Application Support/sops/age/keys.txt
+		// This matches what os.UserConfigDir() returns on macOS
+		return filepath.Join(home, "Library", "Application Support", sopsAgeKeyPath)
+	}
+
+	// Linux/others: ~/.config/sops/age/keys.txt
+	return filepath.Join(home, ".config", sopsAgeKeyPath)
+}
+
 // NeedsBootstrap checks if any bootstrap steps need to be run
 func NeedsBootstrap(config *schema.Config) bool {
 	if len(config.Bootstrap) == 0 {

internal/bootstrap/runner_test.go

@@ -0,0 +1,127 @@
+package bootstrap
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+)
+
+func TestExpandPath(t *testing.T) {
+	home, _ := os.UserHomeDir()
+
+	tests := []struct {
+		name     string
+		input    string
+		xdgHome  string
+		expected string
+	}{
+		{
+			name:     "regular tilde expansion",
+			input:    "~/test/file.txt",
+			xdgHome:  "",
+			expected: filepath.Join(home, "test", "file.txt"),
+		},
+		{
+			name:     "sops age key on macOS without XDG_CONFIG_HOME",
+			input:    "~/.config/sops/age/keys.txt",
+			xdgHome:  "",
+			expected: filepath.Join(home, "Library", "Application Support", "sops", "age", "keys.txt"),
+		},
+		{
+			name:     "sops age key with XDG_CONFIG_HOME set",
+			input:    "~/.config/sops/age/keys.txt",
+			xdgHome:  filepath.Join(home, ".config"),
+			expected: filepath.Join(home, ".config", "sops", "age", "keys.txt"),
+		},
+		{
+			name:     "non-sops path is not affected",
+			input:    "~/.config/other/file.txt",
+			xdgHome:  "",
+			expected: filepath.Join(home, ".config", "other", "file.txt"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set up XDG_CONFIG_HOME environment variable
+			if tt.xdgHome != "" {
+				os.Setenv("XDG_CONFIG_HOME", tt.xdgHome)
+				defer os.Unsetenv("XDG_CONFIG_HOME")
+			} else {
+				os.Unsetenv("XDG_CONFIG_HOME")
+			}
+
+			result := expandPath(tt.input)
+
+			// Skip macOS-specific test on non-macOS systems
+			if runtime.GOOS != "darwin" && tt.name == "sops age key on macOS without XDG_CONFIG_HOME" {
+				// On Linux, expect ~/.config path
+				expectedLinux := filepath.Join(home, ".config", "sops", "age", "keys.txt")
+				if result != expectedLinux {
+					t.Errorf("expandPath() = %v, want %v (Linux)", result, expectedLinux)
+				}
+				return
+			}
+
+			if result != tt.expected {
+				t.Errorf("expandPath() = %v, want %v", result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestResolveSopsAgePath(t *testing.T) {
+	home, _ := os.UserHomeDir()
+
+	tests := []struct {
+		name     string
+		input    string
+		xdgHome  string
+		expected string
+	}{
+		{
+			name:     "returns empty for non-sops path",
+			input:    "~/.config/other/file.txt",
+			xdgHome:  "",
+			expected: "",
+		},
+		{
+			name:     "resolves with XDG_CONFIG_HOME set",
+			input:    "sops/age/keys.txt",
+			xdgHome:  filepath.Join(home, "custom-config"),
+			expected: filepath.Join(home, "custom-config", "sops", "age", "keys.txt"),
+		},
+		{
+			name:     "resolves macOS default without XDG_CONFIG_HOME",
+			input:    "sops/age/keys.txt",
+			xdgHome:  "",
+			expected: getPlatformSopsPath(home),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set up XDG_CONFIG_HOME environment variable
+			if tt.xdgHome != "" {
+				os.Setenv("XDG_CONFIG_HOME", tt.xdgHome)
+				defer os.Unsetenv("XDG_CONFIG_HOME")
+			} else {
+				os.Unsetenv("XDG_CONFIG_HOME")
+			}
+
+			result := resolveSopsAgePath(tt.input)
+			if result != tt.expected {
+				t.Errorf("resolveSopsAgePath() = %v, want %v", result, tt.expected)
+			}
+		})
+	}
+}
+
+// getPlatformSopsPath returns the expected SOPS age key path for the current platform
+func getPlatformSopsPath(home string) string {
+	if runtime.GOOS == "darwin" {
+		return filepath.Join(home, "Library", "Application Support", "sops", "age", "keys.txt")
+	}
+	return filepath.Join(home, ".config", "sops", "age", "keys.txt")
+}