From aaac5b5b7c7c6f48cfea227b4d544468ab2ddd3b Mon Sep 17 00:00:00 2001
From: a-kenji
Date: Wed, 25 Jun 2025 17:30:59 +0200
Subject: [PATCH] pkgs/clan: Improve error message on `clan secrets users add` Improve error message on `clan secrets users add [user] --age-key `AGE-PLUGIN-YUBIKEY` Since there is no way to get the recipient through the AGE-PLUGIN-YUBIKEY, we should fail fast and give an actionable error to the user.
---
 pkgs/clan-cli/clan_cli/secrets/types.py | 6 +++++
 .../clan_cli/tests/test_secrets_cli.py | 25 +++++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/pkgs/clan-cli/clan_cli/secrets/types.py b/pkgs/clan-cli/clan_cli/secrets/types.py
index 8d809a16a..7e1512028 100644
--- a/pkgs/clan-cli/clan_cli/secrets/types.py
+++ b/pkgs/clan-cli/clan_cli/secrets/types.py
@@ -21,6 +21,12 @@ def secret_name_type(arg_value: str) -> str:
 def public_or_private_age_key_type(arg_value: str) -> str:
 if Path(arg_value).is_file():
 arg_value = Path(arg_value).read_text().strip()
+ elif arg_value.startswith("AGE-PLUGIN-"):
+ msg = (
+ f"AGE-PLUGIN keys cannot be used directly as they are plugin identifiers, not recipient keys. "
+ f"Please provide the corresponding age1 public key instead. Got: '{arg_value}'"
+ )
+ raise ClanError(msg)
 public_keys = get_public_age_keys(arg_value)
diff --git a/pkgs/clan-cli/clan_cli/tests/test_secrets_cli.py b/pkgs/clan-cli/clan_cli/tests/test_secrets_cli.py
index e6d72ccaa..2fac4f9ca 100644
--- a/pkgs/clan-cli/clan_cli/tests/test_secrets_cli.py
+++ b/pkgs/clan-cli/clan_cli/tests/test_secrets_cli.py
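Review bot: In `public_or_private_age_key_type` (the types.py hunk) the new `AGE-PLUGIN-` guard is an `elif` of the `Path(arg_value).is_file()` branch, so an identity supplied through a key file is read and handed to `get_public_age_keys` without ever reaching the new error. Making it an independent check after the file read, `if arg_value.startswith("AGE-PLUGIN-"):`, would cover both inputs. The message also echoes the argument verbatim via `Got: '{arg_value}'`; a plugin identity is the private-side value in age and, depending on the plugin, may carry more than a device reference, so I would drop the echo or name only the plugin prefix, which matters more once file contents can reach this path. The function body continues outside the hunk, and the test in the second hunk asserts the echoed value, so it would need adjusting with either change.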
@@ -1050,3 +1050,28 @@ def test_secrets_key_generate_gpg(
 ]
 )
 assert output.out == "secret-value"
+
+
+@pytest.mark.with_core
+def test_secrets_users_add_age_plugin_error(
+ test_flake_with_core: FlakeForTest,
+) -> None:
+ """Test that AGE-PLUGIN keys raise proper error message"""
+ with pytest.raises(ClanError) as exc_info:
+ cli.run(
+ [
+ "secrets",
+ "users",
+ "add",
+ "--flake",
+ str(test_flake_with_core.path),
+ "testuser",
+ "AGE-PLUGIN-YUBIKEY-18P5XCQVZ5FE4WKCW3NJWP",
+ ]
+ )
+
+ error_msg = str(exc_info.value)
+ assert "AGE-PLUGIN keys cannot be used directly" in error_msg
+ assert "plugin identifiers, not recipient keys" in error_msg
+ assert "corresponding age1 public key instead" in error_msg
+ assert "AGE-PLUGIN-YUBIKEY-18P5XCQVZ5FE4WKCW3NJWP" in error_msg
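Review bot: `test_secrets_users_add_age_plugin_error` exercises only an identity passed literally on the command line; the key-file input that `public_or_private_age_key_type` also accepts is not covered, so the test cannot show whether the guard applies there. A second case that writes the same constructed identity to a temporary file and passes its path would pin that behaviour. The final assertion, `assert "AGE-PLUGIN-YUBIKEY-18P5XCQVZ5FE4WKCW3NJWP" in error_msg`, makes echoing the full identity part of the tested contract; if that is not intended, assert on the fixed wording only.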