
fix(enroll): twelfth audit — ssh-clone fallback, sops/nix-store ||die, trap ordering, minisign stdin, timeout validation#184

Merged
mdheller merged 1 commit into
mainfrom
fix/enroll-twelfth-audit
Jun 16, 2026

Conversation

@mdheller

Member

Summary

  • MEDIUM — SSH clone partial dir → HTTPS fallback fails. `git clone git@... 2>/dev/null` suppresses errors and can create a partial directory before failing; the HTTPS fallback then exits with "destination already exists" rather than our die message. Fix: `rm -rf` the partial directory inside the `||` group before the HTTPS attempt.
  • MEDIUM — `sops --encrypt ... > "${_SECRETS_TMP}"`: failure fired `set -e` before the `[[ -s ]]` guard could print a remediation message. Added `|| die` with AGE_PUBKEY hint.
  • MEDIUM — `nix-store --generate-binary-cache-key`: same pattern — `set -e` before `[[ -s ]]` guard. Added `|| die` with disk-space hint.
  • LOW — Step 6 trap ordering: `_SECRETS_TMP` was created on one line but only added to the EXIT trap two lines later. Window between mktemp and second trap left the file uncovered. Fix: create both temp files first, then set one combined trap, then write to PLAINTEXT.
  • LOW — `FOREMAN_WAIT_TIMEOUT=abc` (non-numeric) reached `[[ $ELAPSED -ge $MAX_WAIT ]]` → bash arithmetic error, not a clean `die`. Added `=~ ^[0-9]+$` guard immediately after expansion.
  • LOW — `minisign -G ... -W` with no stdin redirect: an older binary that ignores `-W` would hang waiting for a passphrase. Added `< /dev/null` so it receives EOF instead.

Test plan

  • `bash -n scripts/enroll.sh` — syntax clean
  • Set up a failing SSH remote, verify `rm -rf` clears partial dir, HTTPS clone proceeds
  • Break AGE_PUBKEY (set to garbage), verify `sops --encrypt` `|| die` fires with pubkey in message
  • Remove nix from PATH, verify `nix-store` `|| die` fires with disk hint
  • Set `FOREMAN_WAIT_TIMEOUT=not-a-number`, verify clean die at step 4 entry
  • Verify `minisign -G` with `< /dev/null` completes correctly (no passphrase prompt)
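The three shell patterns from the summary (numeric timeout guard, temp files created before a single combined EXIT trap, partial-directory cleanup before the HTTPS fallback), written out as an added bash example rather than code from enroll.sh; the function names, `die`, and the clone URLs are hypothetical:

```bash
#!/usr/bin/env bash
# Added illustration of the patterns in this PR; not the project's enroll.sh.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# FOREMAN_WAIT_TIMEOUT-style guard: a non-numeric value must fail here,
# not later inside [[ $ELAPSED -ge $MAX_WAIT ]] as a bash arithmetic error.
# Prints the value and returns 0 if it is a non-negative integer, else 1.
validate_timeout() {
  local value="${1:-}"
  [[ "$value" =~ ^[0-9]+$ ]] || return 1
  printf '%s\n' "$value"
}

# Trap ordering: create every temp file first, register ONE combined EXIT
# trap, and only then write plaintext, so no file ever exists uncovered.
# Runs in a subshell so the trap fires on return; prints both paths so a
# caller can verify they were removed.
scoped_tempfiles_demo() {
  (
    local plain secret
    plain="$(mktemp)"
    secret="$(mktemp)"
    trap 'rm -f -- "$plain" "$secret"' EXIT
    printf 'plaintext\n' > "$plain"
    printf '%s %s\n' "$plain" "$secret"
  )
}

# SSH clone with HTTPS fallback. A failed SSH clone can leave a partial
# destination directory behind; remove it before the fallback, otherwise
# git reports "destination already exists" instead of our die message.
# stderr is captured instead of discarded so the first failure is logged.
clone_with_fallback() {
  local ssh_url="$1" https_url="$2" dest="$3" err
  if ! err="$(git clone --quiet -- "$ssh_url" "$dest" 2>&1)"; then
    printf 'ssh clone failed (%s); retrying over https\n' "$err" >&2
    rm -rf -- "$dest"
    git clone --quiet -- "$https_url" "$dest" || die "clone failed: $https_url"
  fi
}
```

`clone_with_fallback` needs git and a reachable remote, so it is not exercised offline; the other two functions run as-is.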

@mdheller mdheller merged commit 4a460f5 into main Jun 16, 2026
@mdheller mdheller deleted the fix/enroll-twelfth-audit branch June 16, 2026 19:31
