
fix: introduce SOPS key as ssm parameter #1291

Open
klekovkinda wants to merge 6 commits into dbsystel:main from klekovkinda:klekovkinda/sops-key-as-ssm-parameter

Conversation

@klekovkinda

Fixes #


Copilot AI left a comment


Pull request overview

Adds first-class support for supplying age private keys to the SOPS sync Lambda via SSM Parameter Store (SecureString + CMK), reducing plaintext exposure in synthesized Lambda environment configuration.

Changes:

  • Introduces SopsSyncProvider.addAgeKeyFromSsmParameter(...) to register one or more SSM parameters and grant ssm:GetParameter + kms:Decrypt.
  • Updates the Lambda runtime to fetch age keys from SSM (based on SOPS_AGE_KEY_PARAMS) and merge them with any statically configured SOPS_AGE_KEY.
  • Expands documentation and tests (CDK template assertions + Go client unit tests + new snapshot).

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| src/SopsSync.ts | Adds provider API + env var wiring + IAM permissions for reading SecureString age keys from SSM. |
| lambda/main.go | Loads age keys from SSM at invocation time and sets SOPS_AGE_KEY for sops decryption. |
| lambda/internal/client/client.go | Adds SsmGetParameter (with decryption) to the AWS client wrapper. |
| lambda/internal/client/client_test.go | Adds unit tests for SsmGetParameter. |
| lambda/internal/client/__snapshots__/ssm_get_parameter.snap | Snapshot for GetParameter request input. |
| lambda/internal/client/mock.go | Extends mocks with GetParameter support. |
| lambda/main_test.go | Updates test mock to satisfy new client interface method. |
| test/secret.test.ts | Adds CDK integration tests asserting env var + IAM policy behavior for SSM-based age keys. |
| README.md | Documents SSM-based age key configuration and usage patterns. |


@henrysachs

this looks really cool!

@henrysachs

henrysachs commented Apr 9, 2026

Sorry for the late review on this. But thanks for implementing

loadAgeKeysFromSSM() now runs on every Create/Update before we know whether the current SOPS file actually uses age. Because SopsSyncProvider is a singleton Lambda, one broken SSM age-key parameter can fail unrelated KMS-only syncs that share the same provider.

I think the fix here should be to defer SSM age-key loading until after we have parsed the event and loaded the encrypted SOPS file, then inspect its metadata and only fetch SOPS_AGE_KEY_PARAMS when the current file actually uses age. That would remove the widened blast radius without changing the feature itself.
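The key-loading flow described in the review overview (SSM SecureString keys merged with a static SOPS_AGE_KEY) together with the deferral proposed in the comment above, as an added illustration that is not the project's own Lambda code: the SSM client is abstracted behind a hypothetical ParameterGetter interface, the SOPS file is assumed to be JSON, and the function names are made up for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ParameterGetter is the slice of SSM this needs (hypothetical; the real
// Lambda would back it with the AWS SDK GetParameter call).
type ParameterGetter interface {
	GetParameter(name string, withDecryption bool) (string, error)
}

// usesAge reports whether a SOPS JSON document lists any age recipient in its
// "sops.age" metadata (JSON assumed here; YAML would need another decoder).
func usesAge(encrypted []byte) (bool, error) {
	var m struct {
		Sops struct {
			Age []struct{ Recipient string `json:"recipient"` } `json:"age"`
		} `json:"sops"`
	}
	if err := json.Unmarshal(encrypted, &m); err != nil {
		return false, fmt.Errorf("parse sops metadata: %w", err)
	}
	return len(m.Sops.Age) > 0, nil
}

// resolveAgeKeys builds the SOPS_AGE_KEY value: the static key (if any) plus
// keys read from the comma-separated SSM parameter names in params. SSM is
// consulted only when the file actually uses age, so a broken parameter
// cannot fail an unrelated KMS-only sync served by the same Lambda.
func resolveAgeKeys(encrypted []byte, staticKey, params string, ssm ParameterGetter) (string, error) {
	needed, err := usesAge(encrypted)
	if err != nil {
		return "", err
	}
	var keys []string
	if staticKey != "" {
		keys = append(keys, staticKey)
	}
	for _, name := range strings.Split(params, ",") {
		if name = strings.TrimSpace(name); name == "" || !needed {
			continue
		}
		v, err := ssm.GetParameter(name, true) // SecureString: ask SSM to decrypt
		if err != nil {
			return "", fmt.Errorf("age key parameter %q: %w", name, err)
		}
		keys = append(keys, strings.TrimSpace(v))
	}
	return strings.Join(keys, "\n"), nil
}
```

With this ordering a missing or undecryptable parameter surfaces only on syncs whose SOPS file lists an age recipient; KMS-only files never trigger the ssm:GetParameter call.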
