Automattic
diff --git a/‎README.md‎
Lines changed: 3 additions & 3 deletions b/‎README.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/cli.rs‎
Lines changed: 7 additions & 9 deletions b/‎src/cli.rs‎
Lines changed: 7 additions & 9 deletions
diff --git a/‎src/commands/keys/rotate.rs‎
Lines changed: 55 additions & 27 deletions b/‎src/commands/keys/rotate.rs‎
Lines changed: 55 additions & 27 deletions
diff --git a/‎src/commands/status.rs‎
Lines changed: 12 additions & 77 deletions b/‎src/commands/status.rs‎
Lines changed: 12 additions & 77 deletions
@@ -121,16 +121,16 @@ On employee offboarding (or when rotating CI’s key), treat **age keys** (`keys
 
 ### What `keys rotate` does
 
-It updates `keys.pub`, then **re-encrypts each committed `.age` file** under `.a8c-secrets/` by reading that ciphertext from disk, decrypting with your current private key, and encrypting again to the updated recipient list. It **does not** read decrypted files under `~/.a8c-secrets/`. If you changed plaintext only there, run `a8c-secrets encrypt` **after** rotation when you want those values in git.
+It refuses to run until **`a8c-secrets status` shows every secret as “in sync”** (no encrypted-only, decrypted-only, or modified local copy). Then it updates `keys.pub` and **re-encrypts each `.age` file from the matching plaintext under `~/.a8c-secrets/<host>/<org>/<name>/`**, so new ciphertext matches your local decrypted files. If anything is out of sync, fix it with `decrypt` / `encrypt` (or remove stray files) and retry.
 
 ### Recommended order
 
 1. **Revoke or disable old credentials** at each provider as soon as your runbook allows (so stolen keys stop working at the API).
-2. **Run `a8c-secrets keys rotate`** — interactive: pick the recipient, confirm; the tool prints the new private key and re-wraps the existing `.age` files in the repo.
+2. **Run `a8c-secrets keys rotate`** — interactive: pick the recipient, confirm; the tool prints the new private key and re-encrypts `.age` files from your in-sync plaintext under `~/.a8c-secrets/`.
 3. **Update Secret Store / CI** (or equivalent) with the new private key; notify the team to `keys import` when the dev key changed.
 4. **Issue new provider credentials if needed**, update the decrypted secret files, then **`a8c-secrets encrypt`** — usually **`--force`** right after a key rotation. Commit `keys.pub` and `.age` changes (and any follow-up commits for new secret content).
 
-**Why age keys before new secrets in git:** if you `encrypt` and push **new** API material while `keys.pub` still includes a recipient who should no longer decrypt, anyone with that old dev key could decrypt that commit. Completing `keys rotate` first avoids encrypting new secrets to the old audience. Diffs right after rotation reflect **re-wrapping existing ciphertext**, not necessarily new provider values — those show up after you `encrypt` again.
+**Why age keys before new secrets in git:** if you `encrypt` and push **new** API material while `keys.pub` still includes a recipient who should no longer decrypt, anyone with that old dev key could decrypt that commit. Completing `keys rotate` first avoids encrypting new secrets to the old audience. Diffs right after rotation reflect **new ciphertext for the same plaintext** you had locally (age nonces differ each time), not necessarily new provider values — those show up after you change decrypted files and `encrypt` again.
 
 5. Team runs `a8c-secrets keys import && a8c-secrets decrypt` where needed.
 
 
@@ -124,11 +124,8 @@ EXAMPLES:
 Show the sync status of all secret files.
 
 Displays the repo identifier, how many public keys were read from keys.pub (2 expected),
-private key status, and each file's sync state:
-  \u{2713}  in sync                — decrypted plaintext matches encrypted .age content
-  \u{26a0}  modified decrypted copy — plaintext differs from .age (needs encrypt)
-  \u{2739}  decrypted only          — no .age file in repo (new, needs encrypt)
-  \u{25c7}  encrypted only          — no decrypted plaintext (needs decrypt)")]
+private key status, each file as a compact emoji triplet (📝 plaintext · 🔏 .age · ✅/❌/❓),
+and a legend explaining the rows. Example in-sync row: 📝✅🔏  config.json")]
     Status,
 
     /// Key management (show, import, rotate)
@@ -210,9 +207,9 @@ key for this repo identifier.")]
         long_about = "\
 Rotate one recipient in keys.pub: pick which public key to replace from an
 interactive list, confirm with y/N, then generate a new key pair, update keys.pub in place
-(preserving comments), and re-encrypt each .age file under .a8c-secrets/
-(decrypt the existing file from disk with your current private key in memory, then encrypt to the
-updated recipient list). Does not read ~/.a8c-secrets plaintext.
+(preserving comments), and re-encrypt each .age file under .a8c-secrets/ using the matching
+plaintext under ~/.a8c-secrets/<repo-id>/ (every file must already show \"in sync\" in
+`a8c-secrets status`).
 
 Requires a local private key that matches at least one line in keys.pub.
 After rotation, prints the new private key and next steps (Secret Store /
@@ -221,7 +218,8 @@ CI secrets depending on whether you rotated the key you hold locally).
 Recommended: run this before encrypting and pushing new provider/API secrets, so new material
 is not encrypted to recipients who should no longer have the old dev key. Still revoke or
 replace credentials at each provider as your process requires — this command does not expire
-API keys. After rotation, update secret file content and run encrypt (often --force).
+API keys. After rotation, update secret file content and run encrypt (often --force) when you
+change provider material.
 
 Requires stdout connected to a terminal so the new private key is shown on screen
 (do not redirect stdout). Requires stdin connected to a terminal for interactive prompts.",
 
@@ -3,11 +3,13 @@ use std::path::Path;
 use anyhow::{Context, Result};
 use inquire::{Confirm, Select};
 use std::io::IsTerminal;
+use zeroize::Zeroizing;
 
 use super::{PUBLIC_KEY_LIST_LEGEND, PublicKeyListRow};
-use crate::crypto::{CryptoEngine, PrivateKey, PublicKey};
+use crate::crypto::{CryptoEngine, PublicKey};
 use crate::fs_helpers::{self, REPO_SECRETS_DIR, SecretFileName};
 use crate::keys;
+use crate::models::secret_file_statuses;
 
 fn select_public_key_to_rotate(
     public_keys: &[PublicKey],
@@ -52,10 +54,9 @@ fn print_rotation_reminder() {
     );
     println!();
     println!(
-        "  • This command only re-wraps each committed `.age` file under `.a8c-secrets/` (read from \
-         disk, decrypt, encrypt to the updated keys.pub). It does not read ~/.a8c-secrets/. If \
-         local plaintext is ahead of `.age`, run `encrypt` after rotation when you want that \
-         content in git — otherwise git diffs here are crypto-only, not your pending plaintext edits."
+        "  • This command requires every secret to show \"in sync\" in `a8c-secrets status` first. \
+         It then re-encrypts each `.age` from the matching plaintext under ~/.a8c-secrets/, so \
+         new ciphertext matches your local decrypted files (not stale `.age` blobs if they had drifted)."
     );
     println!();
     println!("{PUBLIC_KEY_LIST_LEGEND}");
@@ -84,21 +85,25 @@ fn print_confirmation_plan(
         " - Update `{}` to replace the chosen public key line (other lines and comments unchanged)",
         keys_pub_path.display()
     );
+    let decrypted_hint = decrypted_dir_display
+        .as_deref()
+        .unwrap_or("~/.a8c-secrets/<repo-id>/");
     if age_files.is_empty() {
         println!(
             " - (No `.age` files under `{}` to re-encrypt)",
             secrets_dir.display()
         );
     } else {
         println!(
-            " - For each `.age` file under `{}`, decrypt ciphertext in memory with your current private key, then re-encrypt to the updated recipient list and write the file back",
-            secrets_dir.display()
+            " - For each `.age` file under `{}`, read plaintext from `{}`, then encrypt to the updated recipient list and write the `.age` file back",
+            secrets_dir.display(),
+            decrypted_hint
         );
         for name in age_files {
             println!("     - {name}.age");
         }
         println!(
-            "     (Each step uses the existing `.age` file on disk, not plaintext under ~/.a8c-secrets/.)"
+            "     (Preflight already verified each pair is \"in sync\" in `a8c-secrets status`.)"
         );
     }
     println!(" - Print the new private key to stdout");
@@ -131,17 +136,17 @@ fn print_confirmation_plan(
 }
 
 /// Applies key rotation after interactive confirmation: new keypair, `keys.pub` update,
-/// re-encryption of `.age` files, optional local private key file update.
+/// re-encryption of `.age` files from plaintext under `~/.a8c-secrets/`, optional local private key file update.
 ///
 /// `old_public_key` must be exactly one of the recipient lines currently in `keys.pub` (as
 /// returned by [`keys::load_public_keys`]). Recipients used for re-encryption are read from
 /// disk again after updating `keys.pub`.
 ///
-/// `private_key_for_decrypt` is the caller’s current age identity (typically from
-/// [`keys::get_private_key`]). It is used to decrypt **committed** `.age` files under
-/// `.a8c-secrets/` before re-encrypting them — not files under `~/.a8c-secrets/`.
-/// When `old_public_key` is the public key derived from this same identity, the local
-/// key file is updated with the newly generated private key.
+/// Callers must ensure every secret file is **in sync** (see [`crate::models::secret_file_statuses`]) before
+/// calling this function; re-encryption reads decrypted plaintext from disk, not ciphertext from `.age`.
+///
+/// When `rotating_owned` is true (the rotated recipient is the one derived from the user’s
+/// current local identity), the local key file is updated with the newly generated private key.
 ///
 /// Used by [`run`] and by unit tests (inquire’s `Select`/`Confirm` prompts are not wired for
 /// non-interactive subprocess tests; see crate tests in this module).
@@ -150,28 +155,27 @@ pub(crate) fn apply_key_rotation(
     repo_root: &Path,
     repo_identifier: &fs_helpers::RepoIdentifier,
     old_public_key: &PublicKey,
-    private_key_for_decrypt: &PrivateKey,
+    rotating_owned: bool,
 ) -> Result<()> {
-    let public_key_from_decrypt_private_key = private_key_for_decrypt.to_public();
-    let rotating_owned = old_public_key == &public_key_from_decrypt_private_key;
-
     let (new_private_key, new_public_key) = crypto_engine.keygen()?;
 
     keys::replace_recipient_public_key_in_keys_pub(repo_root, old_public_key, &new_public_key)?;
 
     let recipient_public_keys_after_rotation = keys::load_public_keys(repo_root)?;
 
     let secrets_dir = repo_root.join(REPO_SECRETS_DIR);
+    let decrypted_dir = fs_helpers::decrypted_dir(repo_identifier)?;
     let age_files = fs_helpers::list_age_files(repo_root)?;
 
     for name in &age_files {
-        let age_path = secrets_dir.join(format!("{name}.age"));
-        let ciphertext = std::fs::read(&age_path)?;
-        let plaintext = crypto_engine
-            .decrypt(&ciphertext, private_key_for_decrypt)
-            .with_context(|| format!("Failed to decrypt {name} during re-encryption"))?;
+        let decrypted_path = decrypted_dir.join(name.as_str());
+        let plaintext = Zeroizing::new(
+            std::fs::read(&decrypted_path)
+                .with_context(|| format!("Failed to read decrypted file {name}"))?,
+        );
         let new_ciphertext =
             crypto_engine.encrypt(plaintext.as_slice(), &recipient_public_keys_after_rotation)?;
+        let age_path = secrets_dir.join(format!("{name}.age"));
         fs_helpers::atomic_write(&age_path, &new_ciphertext)?;
         println!("  {name} — re-encrypted");
     }
@@ -188,7 +192,7 @@ pub(crate) fn apply_key_rotation(
     keys::print_private_key_to_stdout("New private key", &new_private_key)?;
 
     println!(
-        "NOTE: Only ciphertext already in each `.age` file was re-wrapped; ~/.a8c-secrets was not read."
+        "NOTE: Each `.age` was written from plaintext under ~/.a8c-secrets/ (after a full \"in sync\" preflight); local decrypted files were not modified."
     );
     println!(
         "NOTE: Rotate provider/API secrets separately as needed, then `a8c-secrets encrypt` (often `--force`) when committing new secret content."
@@ -230,6 +234,22 @@ pub fn run(crypto_engine: &dyn CryptoEngine) -> Result<()> {
         );
     }
 
+    let sync_rows = secret_file_statuses(
+        crypto_engine,
+        &repo_root,
+        &repo_identifier,
+        Some(&private_key_for_decrypt),
+    )?;
+    if sync_rows.iter().any(|(_, s)| !s.is_in_sync()) {
+        println!(
+            "All secret files must be in sync before rotating keys (same checks as `a8c-secrets status`)."
+        );
+        println!(
+            "Run `a8c-secrets status` for the per-file view and legend, then use `decrypt` / `encrypt` (or remove stray files) until every line shows 📝✅🔏, and retry."
+        );
+        anyhow::bail!("secret files are not all in sync; see `a8c-secrets status` and retry");
+    }
+
     print_rotation_reminder();
 
     let selection =
@@ -260,7 +280,7 @@ pub fn run(crypto_engine: &dyn CryptoEngine) -> Result<()> {
         &repo_root,
         &repo_identifier,
         &selection.key,
-        &private_key_for_decrypt,
+        selection.matches_local_private_key,
     )
 }
 
@@ -343,6 +363,10 @@ mod tests {
             let age_path = repo_dir.path().join(".a8c-secrets/secret.txt.age");
             fs::write(&age_path, ciphertext).unwrap();
 
+            let decrypted_dir = secrets_home.join(repo_identifier.as_path());
+            fs::create_dir_all(&decrypted_dir).unwrap();
+            fs::write(decrypted_dir.join("secret.txt"), plaintext).unwrap();
+
             let engine = AgeCrateEngine::new();
             let old_dev_public_key = old_dev_identity.to_public();
 
@@ -351,7 +375,7 @@ mod tests {
                 repo_dir.path(),
                 &repo_identifier,
                 &old_dev_public_key,
-                &old_dev_identity,
+                true,
             )
             .expect("apply_key_rotation");
 
@@ -432,6 +456,10 @@ mod tests {
             )
             .unwrap();
 
+            let decrypted_dir = secrets_home.join(repo_identifier.as_path());
+            fs::create_dir_all(&decrypted_dir).unwrap();
+            fs::write(decrypted_dir.join("secret.txt"), plaintext).unwrap();
+
             let engine = AgeCrateEngine::new();
             let old_dev_public_key = old_dev_identity.to_public();
 
@@ -440,7 +468,7 @@ mod tests {
                 repo_dir.path(),
                 &repo_identifier,
                 &old_dev_public_key,
-                &old_dev_identity,
+                true,
             )
             .unwrap();
 
 
@@ -1,18 +1,9 @@
-use std::collections::BTreeSet;
-
 use anyhow::Result;
 
 use crate::crypto::CryptoEngine;
-use crate::fs_helpers::{self, REPO_SECRETS_DIR, SecretFileName};
+use crate::fs_helpers;
 use crate::keys;
-use zeroize::Zeroizing;
-
-fn collect_all_files(
-    age_files: &BTreeSet<SecretFileName>,
-    decrypted_files: &BTreeSet<SecretFileName>,
-) -> BTreeSet<SecretFileName> {
-    age_files.union(decrypted_files).cloned().collect()
-}
+use crate::models::{SECRET_FILE_STATUS_LEGEND, secret_file_statuses};
 
 /// Expected number of `age` recipient lines in `keys.pub` (dev + CI).
 const EXPECTED_PUBLIC_KEYS: usize = 2;
@@ -69,80 +60,24 @@ pub fn run(crypto_engine: &dyn CryptoEngine) -> Result<()> {
 
     println!();
 
-    // Collect all known file names from both sides
-    let age_files: BTreeSet<SecretFileName> = fs_helpers::list_age_files(&repo_root)?
-        .into_iter()
-        .collect();
-    let decrypted_files: BTreeSet<SecretFileName> =
-        fs_helpers::list_decrypted_files(&repo_identifier)?
-            .into_iter()
-            .collect();
-    let all_files = collect_all_files(&age_files, &decrypted_files);
+    let rows = secret_file_statuses(
+        crypto_engine,
+        &repo_root,
+        &repo_identifier,
+        private_key.as_ref(),
+    )?;
 
-    if all_files.is_empty() {
+    if rows.is_empty() {
         println!("No secret files.");
         return Ok(());
     }
 
-    let secrets_dir = repo_root.join(REPO_SECRETS_DIR);
-    let decrypted_dir = fs_helpers::decrypted_dir(&repo_identifier)?;
-
     println!("Files:");
-    for name in &all_files {
-        let has_age = age_files.contains(name);
-        let has_decrypted = decrypted_files.contains(name);
-
-        let status = match (has_age, has_decrypted) {
-            (true, true) => {
-                // Both exist — compare if we have a private key
-                match &private_key {
-                    Some(key) => {
-                        let age_path = secrets_dir.join(format!("{name}.age"));
-                        let decrypted_path = decrypted_dir.join(name.as_str());
-                        let ciphertext = std::fs::read(&age_path)?;
-                        let decrypted_content = Zeroizing::new(std::fs::read(&decrypted_path)?);
-                        match crypto_engine.decrypt(&ciphertext, key) {
-                            Ok(decrypted)
-                                if decrypted.as_slice() == decrypted_content.as_slice() =>
-                            {
-                                "\u{2713} in sync"
-                            }
-                            Ok(_) => "\u{26a0} modified decrypted copy",
-                            Err(_) => "\u{26a0} cannot decrypt to compare",
-                        }
-                    }
-                    None => "? cannot compare (no private key)",
-                }
-            }
-            (false, true) => "\u{2739} decrypted only",
-            (true, false) => "\u{25c7} encrypted only",
-            (false, false) => unreachable!(),
-        };
-
+    for (name, status) in rows {
         println!("  {status}  {name}");
     }
+    println!();
+    println!("{SECRET_FILE_STATUS_LEGEND}");
 
     Ok(())
 }
-
-#[cfg(test)]
-mod tests {
-    use super::collect_all_files;
-    use crate::fs_helpers::SecretFileName;
-    use std::collections::BTreeSet;
-
-    #[test]
-    fn collect_all_files_returns_sorted_union_without_duplicates() {
-        let age = BTreeSet::from([
-            SecretFileName::try_from("b.yml").unwrap(),
-            SecretFileName::try_from("a.json").unwrap(),
-        ]);
-        let decrypted = BTreeSet::from([
-            SecretFileName::try_from("a.json").unwrap(),
-            SecretFileName::try_from("c.toml").unwrap(),
-        ]);
-        let all = collect_all_files(&age, &decrypted);
-        let ordered: Vec<String> = all.iter().map(ToString::to_string).collect();
-        assert_eq!(ordered, vec!["a.json", "b.yml", "c.toml"]);
-    }
-}