Future feature: keyring rotate --hard command that re-encrypts all documents under a keyring with a fresh content key after member removal. This is the only way to truly revoke historical access (cached group keys become useless). Requires: download each blob, decrypt with old content key, re-encrypt with new content key wrapped under new group key, re-upload. Expensive — owner must be online and re-upload every blob. Layers on top of #87 (key history).
Future feature: keyring rotate --hard command that re-encrypts all documents under a keyring with a fresh content key after member removal. This is the only way to truly revoke historical access (cached group keys become useless). Requires: download each blob, decrypt with old content key, re-encrypt with new content key wrapped under new group key, re-upload. Expensive — owner must be online and re-upload every blob. Layers on top of #87 (key history).