research+decision: git-crypt deep-dive → REJECTED 2026-04-21#38
Merged
Cartographer pass on git-crypt for the P2 BACKLOG row
*"Gitops-friendly key management + rotation — ADR first,
then pick one tool"*. Not a decision — input for the ADR.
Key findings:
1. v0.8.0 (2025-09-24), GPL-3.0, still pre-v1.0 with authors
reserving the right to break compat. 205 commits, 101 open
issues, stable but small-surface.
2. **Fundamental retraction-mismatch.** Authors explicit:
"git-crypt does not support revoking access to an encrypted
repository which was previously granted." Rotation requires
O(history) force-push + rewrite. Core Zeta-value
(retraction-native) misalignment.
3. **Binary diffs break code review.** Encrypted files appear
as opaque blobs; reviewer cannot tell a rotation from a
theft. SOPS's plaintext-keys-encrypted-values format
preserves review-grade diffs — likely decisive on its own.
4. **Metadata leaks by design.** Filenames + commit messages +
`.gitattributes` layout all visible; only contents hidden.
5. **Third-party GUI data-plane failures.** Upstream README
warns SourceTree + GitHub-for-Mac can leave files
unencrypted silently.
Good fit for: single-contributor repos, short-lived keys that
rotate by repo-scrap-not-revoke, configs where existence-is-public
is OK. The BACKLOG-named pilot (test-only NuGet API key in a
throwaway dev profile) fits — but "works for the pilot" does not
generalise.
Zeta scorecard in the research doc; SOPS + KMS and `age` both
score better on retraction + PQC path; the four-way ADR ranking
remains open.
Linked from the BACKLOG row as a "Research inputs (not yet an
ADR)" section so the ADR drafter has cited input ready.
Triggered by Aaron 2026-04-21 — "reserch gitcrypt for secrets
on backlog".
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
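Finding 5 above (GUI clients silently committing plaintext) is the failure mode a repo-side gate has to catch. The following is an added illustration, not code from this PR or from git-crypt itself, of what such a check inspects: it reads the `filter=git-crypt` patterns from `.gitattributes` and flags any committed blob under those patterns that lacks the git-crypt file header. It assumes git-crypt's documented blob layout (10-byte magic followed by a 12-byte nonce) and constructs the sample repo contents inline.

```python
import fnmatch
from typing import Dict, List

# git-crypt prefixes every encrypted blob with this 10-byte magic, followed by
# a 12-byte nonce (assumption based on git-crypt's documented file format;
# verify against the git-crypt version you run).
GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"


def parse_gitcrypt_patterns(gitattributes: str) -> List[str]:
    """Return the path patterns whose attributes include filter=git-crypt."""
    patterns = []
    for raw in gitattributes.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        pattern, *attrs = line.split()
        if "filter=git-crypt" in attrs:
            patterns.append(pattern)
    return patterns


def matches(path: str, pattern: str) -> bool:
    """Gitignore-style matching for the common .gitattributes pattern forms."""
    if pattern.startswith("/"):  # anchored at repo root
        return fnmatch.fnmatchcase(path, pattern[1:])
    if "/" not in pattern:  # bare glob matches the basename anywhere
        return fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pattern)
    return fnmatch.fnmatchcase(path, pattern)  # directory-qualified glob


def find_plaintext_leaks(gitattributes: str, committed: Dict[str, bytes]) -> List[str]:
    """Paths that .gitattributes says must be encrypted but whose committed
    blob has no git-crypt header, i.e. landed in the repo as plaintext."""
    patterns = parse_gitcrypt_patterns(gitattributes)
    leaks = [path for path, blob in committed.items()
             if any(matches(path, p) for p in patterns)
             and not blob.startswith(GITCRYPT_MAGIC)]
    return sorted(leaks)


# Constructed sample: a .gitattributes layout plus the blobs one commit holds.
SAMPLE_GITATTRIBUTES = """\
secrets/** filter=git-crypt diff=git-crypt
*.pfx filter=git-crypt diff=git-crypt
README.md text
"""
SAMPLE_COMMIT = {
    "secrets/nuget-api-key.txt": GITCRYPT_MAGIC + b"\x00" * 12 + b"\xde\xad",  # encrypted, fine
    "secrets/dev-profile.json": b'{"apiKey": "TEST-ONLY-PLACEHOLDER"}',  # plaintext: the GUI failure
    "certs/dev.pfx": b"\x30\x82\x01\x00",  # plaintext despite the *.pfx rule
    "README.md": b"# demo\n",  # not covered by any git-crypt rule
}

if __name__ == "__main__":
    for path in find_plaintext_leaks(SAMPLE_GITATTRIBUTES, SAMPLE_COMMIT):
        print(f"NOT ENCRYPTED: {path}")
```

In a real CI gate the blob bytes would come from `git show <rev>:<path>` for each tracked path; upstream's own `git-crypt status` performs the same header check.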
Pull request overview
Adds a research note on git-crypt intended as input material for an upcoming ADR on GitOps-friendly key management, and wires that note into the relevant BACKLOG row for easy discovery by the eventual ADR drafter/review panel.
Changes:
- Add `docs/research/git-crypt-deep-dive-2026-04-21.md` (git-crypt evaluation / scorecard / references).
- Add a "Research inputs (not yet an ADR)" link block under the existing BACKLOG item for GitOps-friendly key management + rotation.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| docs/research/git-crypt-deep-dive-2026-04-21.md | New research deep-dive doc intended to inform a future ADR; includes scorecard and cross-references. |
| docs/BACKLOG.md | Adds a reference from the relevant BACKLOG row to the new research doc. |
Comment on lines +4 to +9:
> **Author:** Architect (Kenji) — cartographer pass, not a
> decision. Feeds into the P2 BACKLOG row *"Gitops-friendly key
> management + rotation — ADR first, then pick one tool"*
> (`docs/BACKLOG.md`).
> **Triggering ask:** Aaron, 2026-04-21 — *"while you are here
> reserch gitcrypt for secrets on backlog"*.
Comment on lines +198 to +201:
> - `docs/security/CRYPTO.md` — crypto primitive inventory,
> hash-based signatures mention.
> - `memory/user_security_credentials.md` — nation-state
> threat-model anchor.
Comment on lines +205 to +211:
> - **Mateo** (security-researcher) — primary on primitive
> selection + PQC path.
> - **Nazar** (security-operations-engineer) — primary on
> rotation cadence + HSM integration.
> - **Aminata** (threat-model-critic) — gate on the
> nation-state adversary model.
> - **Architect (Kenji)** — integrates + signs the ADR.
…e artifacts

Aaron after reading the cartographer pass: "git crypto no go i read your initial review" + "keeep the reserach" + "so i don't ask you tomorrow".

Three values-level mismatches are the rejection rationale:
1. No access revocation — upstream authors explicit; once a user has the key, they have every historical version forever. Opposite of retraction-native (docs/CONFLICT-RESOLUTION.md Value #4).
2. Binary diffs break code review — reviewers cannot tell a key rotation from a key theft.
3. Metadata leak by design — filenames, commit messages, .gitattributes layout all plaintext.

Encoded across three artifacts (research = rationale kept):
- docs/WONT-DO.md — new "git-crypt for secrets management" entry under Engineering patterns (after Sakana AI Scientist, before Repo/process divider). Decision: 2026-04-21. Revisit-when: effectively never (architectural constraints, not missing features).
- docs/BACKLOG.md — P2 Gitops-friendly key management row narrowed to the two surviving candidates (SOPS and age); git-crypt struck and git-secret ruled out by sibling reasoning. Research-inputs block retitled to indicate the decision is recorded.
- docs/research/git-crypt-deep-dive-2026-04-21.md — REJECTED banner at the top so future-self sees the decision before reading the 250-line research. Kept as the durable "why we said no" artifact per Aaron's explicit ask.

Research stays because "so i don't ask you tomorrow" means the durable artifact is the rationale, not a deletion target.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
AceHack added a commit that referenced this pull request on Apr 23, 2026:
…r cadenced audit)

Aaron 2026-04-23 directive: "we probalby need some meta iteam to refactor the backlog base on current knowledge and look for overlap, this is hygene we could run from time to time so our backlog is not just a dump".

Landed as FACTORY-HYGIENE row #54 (PR #166) + per-user feedback memory. 5-pass audit (overlap / staleness / priority / knowledge-absorb / document). Same cadence as sibling meta-hygiene rows (#5 / #23 / #38 / #46). Numbered #54 to avoid collision with #53 on the AutoDream branch (PR #155, still open).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
AceHack added a commit that referenced this pull request on Apr 23, 2026:
Aaron 2026-04-23: "we probalby need some meta iteam to refactor the backlog base on current knowledge and look for overlap, this is hygene we could run from time to time so our backlog is not just a dump".

Wires the directive to the existing meta-hygiene cadence (same 5-10 round cadence as rows #5 / #23 / #38 / #46). Five passes per firing: overlap cluster / stale retire / re-prioritize / knowledge absorb / document via ROUND-HISTORY.

Row #54 (rather than #53) to avoid collision with the AutoDream cadenced consolidation row on the research/autodream-extension-and-cadence branch (PR #155, still open) which already claimed #53.

Classification per row #50: detection-only-justified — accumulated drift (overlap, staleness, priority-drift, knowledge-gap) is inherently post-hoc.

Governing rule lives in per-user memory: feedback_backlog_hygiene_cadenced_refactor_look_for_overlap_not_just_dump_2026_04_23.md

Self-scheduled free work under the 2026-04-23 scheduling-authority rule.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
AceHack added a commit that referenced this pull request on Apr 23, 2026:
…#166)

* hygiene: row #54 — backlog-refactor cadenced audit

Aaron 2026-04-23: "we probalby need some meta iteam to refactor the backlog base on current knowledge and look for overlap, this is hygene we could run from time to time so our backlog is not just a dump".

Wires the directive to the existing meta-hygiene cadence (same 5-10 round cadence as rows #5 / #23 / #38 / #46). Five passes per firing: overlap cluster / stale retire / re-prioritize / knowledge absorb / document via ROUND-HISTORY.

Row #54 (rather than #53) to avoid collision with the AutoDream cadenced consolidation row on the research/autodream-extension-and-cadence branch (PR #155, still open) which already claimed #53.

Classification per row #50: detection-only-justified — accumulated drift (overlap, staleness, priority-drift, knowledge-gap) is inherently post-hoc.

Governing rule lives in per-user memory: feedback_backlog_hygiene_cadenced_refactor_look_for_overlap_not_just_dump_2026_04_23.md

Self-scheduled free work under the 2026-04-23 scheduling-authority rule.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* hygiene #54: address Copilot review — contributor-name + memory-path

Two of the three findings addressed:
- Replace "Aaron 2026-04-23" with "the human maintainer 2026-04-23" (+ "Aaron-scope boundary" → "Maintainer-scope boundary") per contributor-name guidance
- Clarify the governing-rule memory lives in per-user memory (not in-repo); absolute path given; no in-repo pointer to a non-existent file

Third finding (row #54 out of numeric order) will be replied inline with rationale — #53 is reserved for PR #155's AutoDream cadenced-consolidation row still open; #54 gives clean numbering on merge. Not a bug — intentional reservation.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Summary

- `docs/research/git-crypt-deep-dive-2026-04-21.md` — cartographer pass on git-crypt for the P2 BACKLOG row "Gitops-friendly key management + rotation".
- `docs/WONT-DO.md` + `docs/BACKLOG.md`).

What's in the PR

- `docs/research/git-crypt-deep-dive-2026-04-21.md` (new, 263 lines) — 10-section cartographer pass. REJECTED banner at the top so future readers see the decision before the research.
- `docs/WONT-DO.md` — new entry "git-crypt for secrets management" under Engineering patterns. Decision: 2026-04-21. Revisit-when: effectively never (architectural constraints).
- `docs/BACKLOG.md` — P2 row narrowed to the two surviving candidates: SOPS (KMS / Vault / age) and `age`. `git-secret` also ruled out by sibling reasoning.

Why git-crypt is out (three Zeta-values-level mismatches)

(`docs/CONFLICT-RESOLUTION.md` Value #4). `.gitattributes` layout all in plaintext.

Additional (non-decisive) concerns: pre-v1.0 with compat-break rights, third-party GUI silent-plaintext leaks, non-compressible storage, no HSM/PQC story.

What remains for the eventual ADR

Candidate set = SOPS + KMS (long-lived secrets; plaintext-keys/encrypted-values → review-grade diffs; external KMS → clean rotation) and `age` (ephemeral / PQC-curious). Hybrid posture (one primitive per use case) remains an explicit ADR option. ADR still gated on review panel (Nazar + Mateo + Aminata + Architect).

Test plan

- `markdownlint-cli2` on the three modified docs — local green.
- git-crypt init, no secrets added.

Not in scope

🤖 Generated with Claude Code