Module secret 

age-based file encryption for the secrets pipeline.

*.age files in source are decrypted to a sibling without the .age suffix on every apply, and the sibling lands in the managed # >>> yui rendered <<< section of .gitignore so the plaintext never gets committed. From the apply walker’s perspective the sibling is just another regular file — link it to target like any other dotfile.

Why a separate module from render.rs

*.tera and *.age both produce a sibling-without-suffix and both wire that sibling through the .gitignore managed section, but they’re different operations: rendering needs Tera contexts and yui-when headers; decryption needs an age identity file and recipient validation. Keeping secret::* self-contained also means the crypto stays out of render.rs, which a casual reader expects to be pure-text manipulation.

v1 scope: X25519 only

[secrets] identity is an X25519 secret (AGE-SECRET-KEY-1…) and recipients = […] are X25519 public keys (age1…). yui secret init produces both.

Plugin-backed identities (YubiKey / FIDO2 passkey / Touch ID / TPM / 1Password) need age’s plugin feature plus callback plumbing to drive the plugin binaries’ interactive prompts — a worthwhile follow-up but real implementation work, kept out of v1 to ship the simple flow first.

Structs

SecretReport

Per-apply summary of what the secrets walker did. Mirrors RenderReport’s shape so the apply orchestrator can union managed-path lists across both pipelines.

Functions

decrypt

Decrypt ciphertext (the bytes of a *.age file) using the supplied identity. Returns the plaintext on success.

decrypt_all

Walk every *.age under source, decrypt to a sibling without the suffix, and report the plaintext paths so the caller can add them to the managed .gitignore section. Mirrors the render::render_all shape: ignore-files honoured via paths::source_walker, .yuiignore filters apply, .yui/ and .git/ skipped.

encrypt

Encrypt plaintext to one or more recipients. The output is the binary age format (the same bytes a *.age file holds on disk).

generate_x25519_keypair

Generate a fresh X25519 keypair. Returns the serialised secret (write this to the identity file) and the corresponding public recipient string (add this to [secrets] recipients).

load_identity

Load an age X25519 identity from path. The file is expected to be the output of age-keygen / yui secret init: lines beginning with # are comments, the first non-comment line is the AGE-SECRET-KEY-1… secret.

parse_recipient

Parse an X25519 recipient string (age1…).

strip_age_suffix

Strip the .age suffix from a path, if present. Returns None when the path doesn’t end in .age (so callers can short-circuit non-secret files in a uniform walk).