Accept multiple age recipients in build preflight

deploy/build.sh

@@ -19,7 +19,10 @@ done
 if [[ -z "$AGE_KEY_FILE" ]]; then
   AGE_KEY_FILE="$HOME/.config/age/keys.txt"
 fi
-AGE_RECIPIENT="age1hkehkc2rryjl975c2mg5cghmjr54n4wjshncl292h2eg5l394fhs4uydrh"
+AGE_RECIPIENTS=(
+  "age1hkehkc2rryjl975c2mg5cghmjr54n4wjshncl292h2eg5l394fhs4uydrh"
+  "age1ducvqxdzdhhluftu5hv4f2xsppmn803uh8tnnqj92v4n7nf6lprq9h3dqp"
+)
 ENCRYPTED_SECRETS_FILE="${ENCRYPTED_SECRETS_FILE:-$PWD/creds/secrets.enc.env}"
 
 require_cmd() {
@@ -53,19 +56,25 @@ check_age_setup() {
   fi
   local has_key="0"
   if command -v age-keygen >/dev/null 2>&1; then
-    if age-keygen -y "$AGE_KEY_FILE" 2>/dev/null | grep -q "$AGE_RECIPIENT"; then
+    for recipient in "${AGE_RECIPIENTS[@]}"; do
-      has_key="1"
+      if age-keygen -y "$AGE_KEY_FILE" 2>/dev/null | grep -q "$recipient"; then
-    fi
+        has_key="1"
+        break
+      fi
+    done
   else
     # Fallback: best-effort text check for the public key comment
-    if grep -q "$AGE_RECIPIENT" "$AGE_KEY_FILE"; then
+    for recipient in "${AGE_RECIPIENTS[@]}"; do
-      has_key="1"
+      if grep -q "$recipient" "$AGE_KEY_FILE"; then
-    fi
+        has_key="1"
+        break
+      fi
+    done
   fi
 
   if [[ "$has_key" != "1" ]]; then
-    echo "Age key file at $AGE_KEY_FILE does not contain the expected public key ($AGE_RECIPIENT)." >&2
+    echo "Age key file at $AGE_KEY_FILE does not contain any expected public key: ${AGE_RECIPIENTS[*]}." >&2
-    if [[ -f "$repo_age_key" ]] && grep -q "$AGE_RECIPIENT" "$repo_age_key"; then
+    if [[ -f "$repo_age_key" ]]; then
       cat >&2 <<EOF
 Found the repository age key at $repo_age_key.
 Import it with: