4 changes: 3 additions & 1 deletion CONTRIBUTING.md
Expand Up @@ -25,7 +25,7 @@ cargo build
cargo test
```

All 95 tests should pass (33 unit + 40 integration + 16 GPG integration + 6 cross-compatibility). They cover:
All 112 tests should pass (34 unit + 56 integration + 16 GPG integration + 6 cross-compatibility). They cover:
- AES-256-CTR encryption/decryption round-trips
- HMAC-SHA1 known-answer vectors
- Key file TLV serialization/deserialization
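
Review bot: The hand-maintained totals on the changed line ("All 112 tests should pass (34 unit + 56 integration + 16 GPG integration + 6 cross-compatibility)") will go stale again with the next test added. The breakdown does sum to 112, but consider dropping the exact numbers from CONTRIBUTING.md and stating only that `cargo test` must finish with zero failures, so this line does not have to change in every PR that touches tests.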
Expand All @@ -34,6 +34,8 @@ All 95 tests should pass (33 unit + 40 integration + 16 GPG integration + 6 cros
- Key name validation
- Full E2E: init → encrypt → lock → unlock (integration)
- Status, export-key, quiet mode, error messages (integration)
- Status: default focused output (tracked + untracked filter-marked only), `(untracked)` suffix on untracked filter files to distinguish prospective vs actual encryption, `-a/--all` includes non-filter files, `-e` only files with encrypted blob, `-u` only WARNING files needing re-encryption, WARNING + summary for filter-marked files with plaintext blob, named-key filter, filenames with spaces, clear error outside a git repo, works without `gitveil init`, `-f` skips files deleted from the working tree, gitignored files are excluded (integration)
- Status: `has_git_crypt_filter` recognizes default and named-key filters (unit)
- Edge cases: empty files, binary files, multi-key lock (integration)
- Pipe deadlock regression: many-file and large-blob status, unlock, lock (integration)
- Global config: XDG resolution, keyring path save/load/remove, permissions (unit)
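
Review bot: The new Status (integration) bullet lists "`-f` skips files deleted from the working tree" but has no case for the other `-f` guarantee the README states in this same PR, "never auto-adds untracked files". That is the safety-relevant property here (an untracked plaintext file must not end up staged as a side effect of `status -f`), so it deserves a named integration test and an entry in this list. Separately, this one bullet now carries about a dozen behaviours; splitting it into sub-bullets per flag would make gaps like this easier to spot.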
20 changes: 14 additions & 6 deletions README.md
Expand Up @@ -285,19 +285,27 @@ Omit the output file to write to stdout.

### `gitveil status`

Show encryption status of tracked files.
Show the encryption status of files in the repository.

```
gitveil status [-e] [-u] [-f]
gitveil status [-e] [-u] [-a | --all] [-f | --fix]
```

| Option | Description |
|--------|-------------|
| `-e` | Show only encrypted files |
| `-u` | Show only unencrypted files |
| `-f, --fix` | Re-encrypt files that should be encrypted but aren't |
| _(none)_ | List files marked for encryption (the actionable set), tracked + untracked |
| `-e` | Show only files whose committed blob is encrypted |
| `-u` | Show only files marked for encryption whose blob is plaintext (the set needing re-encryption — pair with `-f` to fix) |
| `-a, --all` | Include files **without** the git-crypt filter too (verbose `git-crypt`-style listing) |
| `-f, --fix` | Re-stage tracked files whose committed blob is plaintext but should be encrypted (skips files deleted from the working tree; never auto-adds untracked files) |

The status command uses batched subprocesses (3 total, regardless of repo size) instead of spawning one per file. On a Unity project with ~4,000 files it completes in ~130 ms vs ~65 seconds for git-crypt -- roughly 500x faster.
By default, status is focused on files governed by a git-crypt filter — for a large repo this is the actionable subset. Tracked **and** untracked filter-matched files are shown. Use `-a/--all` for the full `git-crypt`-style listing that also includes non-filter files.

When a filter-marked file's committed blob is plaintext (typically because it was staged before `.gitattributes` took effect), `*** WARNING ***` is appended to its line and a summary at the end suggests `gitveil status -f`. Untracked filter-marked files appear with an `(untracked)` suffix to make it clear that the file on disk is still plaintext — it'll be encrypted on staging.

Works without `gitveil init` -- the command is informational and can be used to audit filter coverage before initializing. If filter-marked files were committed without init, status surfaces them as WARNINGs.

Performance: at most one `git ls-files` per category, one batched `git check-attr`, and one batched `git cat-file` regardless of repo size. On a Unity project with ~4,000 files it completes in ~130 ms vs ~65 seconds for git-crypt -- roughly 500x faster.

## Named Keys

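Review bot: The `-f, --fix` row and the WARNING paragraph describe re-staging files whose committed blob is plaintext, but nowhere say that re-staging only changes the index and future commits: plaintext that was already committed stays readable in the repository history. Add a sentence to that effect next to the `gitveil status -f` suggestion, so a clean status after `-f` is not read as "the secret was never exposed" and the user knows the value may need rotating. Also, `-u` changes meaning from "Show only unencrypted files" to only filter-marked files with a plaintext blob; scripts that parse the old output will silently see fewer files, so this warrants a changelog entry, and the synopsis should state how `-e`, `-u` and `-a` combine.
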
14 changes: 10 additions & 4 deletions src/cli.rs
Expand Up @@ -85,17 +85,23 @@ pub enum Commands {
output_file: Option<PathBuf>,
},

/// Display the encryption status of tracked files
/// Display the encryption status of files in the repository
Status {
/// Show only encrypted files
/// Show only files whose blob is encrypted
#[arg(short = 'e')]
encrypted_only: bool,

/// Show only unencrypted files
/// Show only files marked for encryption whose blob is plaintext
/// (the set needing re-encryption — pair with -f to fix)
#[arg(short = 'u')]
unencrypted_only: bool,

/// Re-encrypt files that should be encrypted but aren't
/// Show every file, including files without the git-crypt filter
/// (verbose git-crypt-style listing)
#[arg(short = 'a', long = "all")]
all: bool,

/// Re-stage files that should be encrypted but aren't
#[arg(short = 'f', long)]
fix: bool,
},
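
Review bot: None of the `#[arg(...)]` attributes on `encrypted_only`, `unencrypted_only` and `all` declare how the flags interact, and the doc comments leave `-e -u` and `-a -u` undefined (`-u` is now documented as filter-marked files only, while `-a` adds files without the filter). Either add `conflicts_with` for the combinations that make no sense or state the precedence in the doc comments, since clap derive turns these comments into the `--help` text. The `fix` doc comment ("Re-stage files that should be encrypted but aren't") also omits the README's caveats (skips files deleted from the working tree, never auto-adds untracked files); repeating them here keeps `--help` consistent with the README.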