ops-secret-sync

Detects and syncs Doppler→GitHub secrets drift. Compares last-updated timestamps between Doppler and GH repo secrets; flags stale GH secrets (>24h behind Doppler); confirms with user before writing any changes. Safe to run in CI or locally.
Lifecycle-Innovations-Limited/claude-ops · ★ 17 · AI & Automation · score 86
Install: claude install-skill Lifecycle-Innovations-Limited/claude-ops
# OPS ► SECRET-SYNC

Detect GitHub secrets that are stale relative to Doppler. Confirm before syncing.

## CLI/API Reference

| Command | Purpose |
|---------|---------|
| `gh secret list --repo <owner/repo> --json name,updatedAt` | List GH repo secrets with timestamps |
| `doppler secrets --project <proj> --config <env> --json` | List Doppler secrets with metadata |
| `doppler secrets get <NAME> --project <proj> --config <env> --plain` | Fetch raw value for sync |
| `gh secret set <NAME> --repo <owner/repo>` | Write secret to GH (reads stdin) |

---

## Phase 1 — Resolve arguments

Parse `$ARGUMENTS`:

- `--repo <owner/repo>` → target GitHub repo (required unless registry provides default)
- `--project <proj>` → Doppler project name (required)
- `--config <env>` → Doppler config/environment, e.g. `prd`, `stg` (default: `prd`)
- `--dry-run` → report drift only, never write

If `--repo` is missing, load `${CLAUDE_PLUGIN_DATA_DIR:-$HOME/.claude/plugins/data/ops-ops-marketplace}/registry.json` and let the user pick via `AskUserQuestion` (max 4 at a time).

If `--project` is missing, run:

```bash
doppler projects --json 2>/dev/null | jq -r '.[].slug'
```

and let the user pick via `AskUserQuestion` (max 4 at a time).

---

## Phase 2 — Fetch secret inventories

Run in parallel (background both, then collect):

```bash
# GH secrets (names + last-updated timestamps, ISO-8601)
gh secret list --repo <owner/repo> --json name,updatedAt 2>/dev/null
```

```bash
# Doppler secrets (names