Improve age key guidance in build pre-flight checks

deploy/build.sh

@@ -31,24 +31,38 @@ check_age_setup() {
     return
   fi
   require_cmd sops
+  local repo_age_key="$PWD/creds/age-key.txt"
   if [[ ! -f "$AGE_KEY_FILE" ]]; then
     echo "Age key file not found at $AGE_KEY_FILE. Copy creds/age-key.txt or set SOPS_AGE_KEY_FILE." >&2
     exit 1
   fi
+  local has_key="0"
   if command -v age-keygen >/dev/null 2>&1; then
-    if ! age-keygen -y "$AGE_KEY_FILE" 2>/dev/null | grep -q "$AGE_RECIPIENT"; then
+    if age-keygen -y "$AGE_KEY_FILE" 2>/dev/null | grep -q "$AGE_RECIPIENT"; then
-      echo "Age key file at $AGE_KEY_FILE does not contain the expected public key ($AGE_RECIPIENT)." >&2
+      has_key="1"
-      echo "Ensure your ~/.config/age/keys.txt includes the repo key (see creds/age-key.txt)." >&2
-      exit 1
     fi
   else
     # Fallback: best-effort text check for the public key comment
-    if ! grep -q "$AGE_RECIPIENT" "$AGE_KEY_FILE"; then
+    if grep -q "$AGE_RECIPIENT" "$AGE_KEY_FILE"; then
-      echo "Age key file at $AGE_KEY_FILE is missing the expected public key comment ($AGE_RECIPIENT)." >&2
+      has_key="1"
-      echo "Install age-keygen to verify keys or copy creds/age-key.txt." >&2
-      exit 1
     fi
   fi
+
+  if [[ "$has_key" != "1" ]]; then
+    echo "Age key file at $AGE_KEY_FILE does not contain the expected public key ($AGE_RECIPIENT)." >&2
+    if [[ -f "$repo_age_key" ]] && grep -q "$AGE_RECIPIENT" "$repo_age_key"; then
+      cat >&2 <<EOF
+Found the repository age key at $repo_age_key.
+Import it with:
+  mkdir -p "$(dirname "$AGE_KEY_FILE")"
+  cat "$repo_age_key" >> "$AGE_KEY_FILE"
+Or set: SOPS_AGE_KEY_FILE="$repo_age_key"
+EOF
+    else
+      echo "Ensure your ~/.config/age/keys.txt includes the repo key (see creds/age-key.txt)." >&2
+    fi
+    exit 1
+  fi
 }
 
 echo "Running pre-flight checks..."