Update README, use repo-local key id file

Author: azlyth

.gitignore

@@ -3,3 +3,6 @@ volumes
 # GPG secrets directory - only track .gpg files
 gpg-secrets/*
 !gpg-secrets/*.gpg
+
+# GPG key IDs file
+.localmart-github-key-ids

Makefile

@@ -10,6 +10,7 @@ clean:
 
 clean-data:
 	rm -rf ./volumes
+	rm -rf frontend/.next
 
 deploy-frontend:
 	cd frontend && fly deploy

README.md

@@ -2,32 +2,81 @@
 
 localmart is a platform for local businesses to sell their products and services to local customers.
 
-## Prerequisites
 
-Docker, Docker Compose
+## Development
 
-## Usage
+### Prerequisites
+
+For development:
+- Docker
+- Docker Compose
+
+### Usage
 
 To start the next.js frontend, the Python backend, and the database, run:
 ```bash
-docker compose --build up
+make
 ```
 
-To clear the database
+To clear the database and the frontend next.js cache:
 ```bash
-rm -rf ./volumes
+make clean-data
 ```
 
-## Debugging Tips
-If the app is not loading porperly on your machine, try clear the cache and restart.
+### Debugging Tips
+1. If the app is not loading porperly on your machine, try:
+   - clearing the data with `make clean-data`
+   - restarting with `make`
 
-To rebuild the backend:
-```bash
-make
-```
-To rebuild the frontend, if NextJS is giving errors:
-```bash
-cd frontend/
-rm -rf .next
-make
-```
+## Secret Management
+
+We use GPG encryption to securely store sensitive files. The encrypted files are stored in the `gpg-secrets/` directory and can only be decrypted by authorized team members.
+
+### Prerequisites
+
+1. Install GPG on your system:
+   ```bash
+   # macOS
+   brew install gnupg
+
+   # Ubuntu/Debian
+   sudo apt-get install gnupg
+   ```
+
+2. Have your own GPG key pair and upload the public key to your GitHub profile
+   ([GitHub guide on adding GPG keys](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account))
+
+### Managing Secrets
+
+The following commands are available:
+
+1. Import team members' GPG keys:
+   ```bash
+   # Import team members' GPG keys
+   make import-gpg-keys
+   ```
+
+2. Encrypt a file:
+   ```bash
+   # The file will be encrypted and stored in gpg-secrets/
+   make encrypt-file FILE=path/to/your/file
+
+   # Example: Encrypt staging environment variables
+   make encrypt-file FILE=gpg-secrets/staging.env
+   ```
+
+3. Decrypt a file:
+   ```bash
+   # Only works with files in the gpg-secrets/ directory
+   make decrypt-file FILE=gpg-secrets/your-file.gpg
+
+   # Example: Decrypt staging environment variables
+   make decrypt-file FILE=gpg-secrets/staging.env.gpg
+   ```
+
+### Notes
+
+- Only files in the `gpg-secrets/` directory with the `.gpg` extension are tracked in Git
+- Decrypted files are automatically placed in the `gpg-secrets/` directory
+- You must have your private key to decrypt files
+- The list of team members is maintained in the Makefile's `GITHUB_USERS` variable

utils/gpg_manager.sh

@@ -49,10 +49,9 @@ import_keys() {
         fi
     done
 
-    # Store the key IDs in a more permanent location for later use
-    mkdir -p ~/.localmart
-    mv "$key_ids_file" ~/.localmart/github_key_ids
-    echo "Imported keys have been stored in ~/.localmart/github_key_ids"
+    # Store the key IDs in the repository
+    mv "$key_ids_file" .localmart-github-key-ids
+    echo "Imported keys have been stored in .localmart-github-key-ids"
 }
 
 # Function to encrypt a file
@@ -64,7 +63,7 @@ encrypt_file() {
     fi
 
     # Check if we have stored key IDs
-    if [ ! -f ~/.localmart/github_key_ids ]; then
+    if [ ! -f .localmart-github-key-ids ]; then
         echo "Error: No GitHub keys found. Please run import-keys first."
         exit 1
     fi
@@ -75,7 +74,7 @@ encrypt_file() {
         if [ -n "$key_id" ]; then
             recipient_args="$recipient_args -r $key_id"
         fi
-    done < ~/.localmart/github_key_ids
+    done < .localmart-github-key-ids
 
     if [ -z "$recipient_args" ]; then
         echo "Error: No valid recipient keys found"