pub fn decrypt_all(
source: &Utf8Path,
config: &Config,
dry_run: bool,
) -> Result<SecretReport>Expand description
Walk every *.age under source, decrypt to a sibling without
the suffix, and report the plaintext paths so the caller can
add them to the managed .gitignore section. Mirrors the
render::render_all shape: ignore-files honoured via
paths::source_walker, .yuiignore filters apply, .yui/
and .git/ skipped.
Returns Ok(SecretReport::default()) when [secrets] is off
(no recipients configured). Otherwise loads the identity once
and decrypts each .age file. The identity is X25519-only
here on purpose — apply must NOT trigger plugin / passkey
prompts every run.
Skips the passkey_wrapped ciphertext file: it’s encrypted to
passkey recipients (NOT the X25519), so trying to decrypt it
here would fail loudly. The unlock path handles it instead.