pub fn secret_wrap(source: Option<Utf8PathBuf>) -> Result<()>
yui secret wrap — encrypt the X25519 secret at
[secrets].identity to every recipient in
[secrets].passkey_recipients and write the ciphertext to
[secrets].passkey_wrapped. Committing that ciphertext lets
the dotfiles repo carry the X25519 secret across machines
safely; on a new machine, yui secret unlock needs one tap on the user’s
passkey device (Pixel / Bitwarden / YubiKey) to recover
the plaintext X25519 secret, after which everyday apply is plugin-free.