Function secret_init

pub fn secret_init(
    source: Option<Utf8PathBuf>,
    comment: Option<String>,
) -> Result<()>

yui secret init [--comment TEXT] — generate an age X25519 keypair on this machine, write the secret to the configured identity path, and append the public key to $DOTFILES/config.toml [secrets] recipients.

config.toml is the committed config (not the per-machine config.local.toml). That’s load-bearing for multi-machine use: recipients is the public-key list every *.age encryption wraps to, so machine B needs to see machine A’s public key after A runs yui secret init. Public keys are safe to commit — the ciphertext only opens with the matching secret, which never leaves the machine that generated it.

Migrating from yui ≤ v0.7.13

Older versions wrote the recipient into config.local.toml (gitignored), which silently broke multi-machine use. If you ran yui secret init against an earlier yui:

  1. Open $DOTFILES/config.local.toml and locate the [secrets] recipients = [...] block.
  2. Cut it and paste it into $DOTFILES/config.toml.
  3. git add config.toml && git commit && git push.
  4. On every other machine: git pull && yui apply once.

Subsequent yui secret init (e.g. on a new machine) appends directly to config.toml — no manual move needed.
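As an added example (not yui's own code), the std-only Rust below performs the config edit the description attributes to yui secret init, appending a public key to [secrets] recipients, and adds two checks a practitioner wants around it: it refuses to write anything that looks like an age secret identity (AGE-SECRET-KEY-1…) into the committed config.toml, and it verifies after the migration steps above that the recipients live in config.toml rather than the gitignored config.local.toml. It assumes the recipients array is written on a single line; the configs and keys are constructed placeholders, not real age keys or yui files.

```rust
// Added example, not yui's code. Assumes `recipients = [...]` is on one line.

/// If `t` is a `recipients = ...` key/value line, return the raw value text.
fn recipients_value(t: &str) -> Option<&str> {
    let rest = t.strip_prefix("recipients")?.trim_start();
    Some(rest.strip_prefix('=')?.trim())
}

/// Recipients listed under `[secrets]`, or None if the table or key is absent.
pub fn recipients_in(config: &str) -> Option<Vec<String>> {
    let mut in_secrets = false;
    for line in config.lines() {
        let t = line.trim();
        if t.starts_with('[') {
            in_secrets = t == "[secrets]";
            continue;
        }
        if in_secrets {
            if let Some(arr) = recipients_value(t) {
                let inner = arr.strip_prefix('[')?.strip_suffix(']')?;
                return Some(
                    inner
                        .split(',')
                        .map(|s| s.trim().trim_matches('"').to_string())
                        .filter(|s| !s.is_empty())
                        .collect(),
                );
            }
        }
    }
    None
}

/// Append `pubkey` to `[secrets] recipients`, creating the table/key if needed.
/// Refuses secret identities so the committed file never receives one by
/// mistake, and is idempotent for keys already present.
pub fn append_recipient(config: &str, pubkey: &str) -> Result<String, String> {
    let key = pubkey.trim();
    if key.starts_with("AGE-SECRET-KEY-1") {
        return Err("refusing to write a secret identity into the committed config".into());
    }
    // Light sanity check: age public keys are bech32 strings with prefix "age1".
    if !key.starts_with("age1") || !key.chars().all(|c| c.is_ascii_alphanumeric()) {
        return Err(format!("not an age public key: {key}"));
    }
    let mut lines: Vec<String> = config.lines().map(String::from).collect();
    if let Some(existing) = recipients_in(config) {
        if existing.iter().any(|k| k == key) {
            return Ok(config.to_string()); // already a recipient: nothing to do
        }
        let mut entries: Vec<String> = existing.iter().map(|k| format!("\"{k}\"")).collect();
        entries.push(format!("\"{key}\""));
        let new_line = format!("recipients = [{}]", entries.join(", "));
        // Rewrite the recipients line that sits inside [secrets].
        let mut in_secrets = false;
        for line in lines.iter_mut() {
            let t = line.trim();
            if t.starts_with('[') {
                in_secrets = t == "[secrets]";
            }
            if in_secrets && recipients_value(t).is_some() {
                *line = new_line.clone();
            }
        }
        return Ok(lines.join("\n") + "\n");
    }
    // No recipients key yet: add one, creating the [secrets] table if absent.
    let entry = format!("recipients = [\"{key}\"]");
    match lines.iter().position(|l| l.trim() == "[secrets]") {
        Some(idx) => lines.insert(idx + 1, entry),
        None => {
            if !lines.is_empty() {
                lines.push(String::new());
            }
            lines.push("[secrets]".to_string());
            lines.push(entry);
        }
    }
    Ok(lines.join("\n") + "\n")
}

/// Post-migration check: recipients belong in the committed config.toml, not in
/// the gitignored config.local.toml. Ok carries the recipient count.
pub fn check_recipient_placement(committed: &str, local: &str) -> Result<usize, String> {
    if recipients_in(local).is_some() {
        return Err("recipients still in config.local.toml (gitignored); move the block to config.toml".into());
    }
    match recipients_in(committed) {
        Some(r) if !r.is_empty() => Ok(r.len()),
        _ => Err("no recipients in config.toml".into()),
    }
}

fn main() {
    // Constructed sample config and placeholder key (not a real age key).
    let committed = "[general]\nname = \"laptop\"\n\n[secrets]\nrecipients = [\"age1machineaplaceholder\"]\n";
    let updated = append_recipient(committed, "age1machinebplaceholder").unwrap();
    print!("{updated}");
    println!("{:?}", check_recipient_placement(&updated, ""));
}
```

The refusal on AGE-SECRET-KEY-1 is the check worth keeping even if the rest is replaced by a proper TOML library: config.toml is committed and pushed, so a pasted identity there is a leaked key, not a config error.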