@@ -171,43 +171,119 @@ Config file location:
171171
172172opencode-sync uses [ age] ( https://age-encryption.org/ ) for encryption of sensitive files (auth tokens).
173173
174- ### Key Management
174+ ### How It Works
175+
176+ ```
177+ ┌─────────────────────────────────────────────────────────────────┐
178+ │ PUSH (Machine A) │
179+ ├─────────────────────────────────────────────────────────────────┤
180+ │ auth.json ──encrypt──► auth.json.age ──push──► Git Remote │
181+ │ (local) (key) (repo) │
182+ └─────────────────────────────────────────────────────────────────┘
183+
184+ ┌─────────────────────────────────────────────────────────────────┐
185+ │ PULL (Machine B) │
186+ ├─────────────────────────────────────────────────────────────────┤
187+ │ Git Remote ──pull──► auth.json.age ──decrypt──► auth.json │
188+ │ (repo) (key) (local) │
189+ └─────────────────────────────────────────────────────────────────┘
190+ ```
191+
192+ ** Decryption is automatic** during ` pull ` /` clone ` /` sync ` — but only if:
193+ - You have the private key on the machine (` ~/.config/opencode-sync/age.key ` )
194+ - Encryption is enabled in config (` encryption.enabled: true ` )
195+ - Auth sync is enabled (` sync.includeAuth: true ` )
196+
197+ ### Full Setup Flow
198+
199+ #### First Machine (Initial Setup)
200+
201+ ``` bash
202+ # 1. Run setup wizard
203+ opencode-sync setup
204+ # → Enter repo URL
205+ # → Enable encryption? Yes
206+ # → Sync auth tokens? Yes (if you want cross-machine auth)
207+
208+ # 2. Key is auto-generated. BACK IT UP NOW:
209+ opencode-sync key export
210+ # → Copy the AGE-SECRET-KEY-1... to your password manager
211+
212+ # 3. Initialize and push
213+ opencode-sync init
214+ opencode-sync push
215+ ```
216+
217+ #### Second Machine (Clone Existing)
218+
219+ ``` bash
220+ # 1. Import your key FIRST (before clone)
221+ opencode-sync key import " AGE-SECRET-KEY-1..."
222+
223+ # 2. Run setup with same settings
224+ opencode-sync setup
225+ # → Same repo URL
226+ # → Enable encryption? Yes
227+ # → Sync auth tokens? Yes
228+
229+ # 3. Clone - auth tokens are automatically decrypted
230+ opencode-sync clone git@github.com:user/opencode-config.git
231+ # ✓ Configs applied
232+ # ✓ auth.json decrypted automatically
233+ # → You're logged in!
234+ ```
235+
236+ #### Without Key Import (New Machine, No Auth Sync)
237+
238+ If you clone without importing the key:
239+ ``` bash
240+ opencode-sync clone git@github.com:user/opencode-config.git
241+ # ✓ Configs applied (opencode.json, agents, etc.)
242+ # ⚠ auth.json.age skipped (no key to decrypt)
243+ # → You'll need to re-authenticate in OpenCode
244+ ```
245+
246+ ### Key Management Commands
175247
176248| Command | Description |
177249| ---------| -------------|
178250| ` opencode-sync key export ` | Display private key for backup |
179251| ` opencode-sync key import <key> ` | Import key from backup |
180252| ` opencode-sync key regen ` | Generate new key (⚠️ old encrypted data lost) |
181253
182- ### Setting Up a New Machine
254+ ### Lost Your Key?
183255
184- 1 . On your ** existing machine** , export your key:
185- ``` bash
186- opencode-sync key export
187- ```
188- 2 . Save the key in your password manager (e.g., 1Password)
256+ If you lose your private key:
257+ - ❌ Encrypted auth tokens are ** unrecoverable**
258+ - ✅ Configs, agents, commands, themes are ** not encrypted** — still accessible
189259
190- 3 . On your ** new machine** , import the key before cloning:
191- ``` bash
192- opencode-sync key import " AGE-SECRET-KEY-1..."
193- opencode-sync clone git@github.com:user/opencode-config.git
194- ```
260+ ** Recovery steps:**
261+ ``` bash
262+ # 1. Generate a new key
263+ opencode-sync key regen
195264
196- ### Lost Your Key?
265+ # 2. Re-authenticate in OpenCode (get new auth.json)
266+
267+ # 3. Push with new encryption
268+ opencode-sync push
269+ ```
270+
271+ ### What Gets Encrypted?
197272
198- If you lose your private key, encrypted data (auth tokens) cannot be recovered. However:
199- - Your configs, agents, and other non-sensitive files are ** not encrypted ** and still accessible
200- - You can regenerate a new key and re-authenticate:
201- ``` bash
202- opencode-sync key regen
203- opencode-sync push # Push with new encryption
204- ```
273+ | File | Encrypted | Notes |
274+ | ------ | ----------- | ------- |
275+ | ` auth.json ` | ✅ Yes | OAuth tokens (if ` sync.includeAuth: true ` ) |
276+ | ` mcp-auth.json ` | ✅ Yes | MCP auth (if ` sync.includeMcpAuth: true ` ) |
277+ | ` opencode.json ` | ❌ No | Main config |
278+ | ` AGENTS.md ` | ❌ No | Global rules |
279+ | ` agent/ ` , ` command/ ` , etc. | ❌ No | Custom extensions |
205280
206- ### Important Notes
281+ ### Security Notes
207282
208- - Your private key is stored at ` ~/.config/opencode-sync/age.key `
209- - The key is ** never synced** to the remote repository
210- - ** Back up your key** to a password manager immediately after setup
283+ - Private key stored at: ` ~/.config/opencode-sync/age.key `
284+ - Key is ** never synced** to remote — stays local only
285+ - Encrypted files use ` .age ` extension in repo
286+ - ** Back up your key immediately** after setup to a password manager
211287
212288## Development
213289
0 commit comments