mCodex
diff --git a/‎CHANGELOG.md‎
Lines changed: 3 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,9 @@
 
 ### Notes
 
-* Native rotation currently ships a stub implementation that returns `version: 1` and `reEncryptedCount: 0`. The full Secure Enclave envelope / versioned Keystore alias hardening will ship in a follow-up RC — the JS surface is stable so apps can wire up UI ahead of time.
+* **iOS rotation** updates the Keychain metadata via `SecItemUpdate`, preserving the original access-control attributes while bumping `keyVersion`.
+* **Android rotation** mints a fresh per-entry Keystore alias (`SensitiveInfo_<hash>_v<version>`) during lazy or eager re-encryption and deletes the stale alias after a successful rewrite.
+* Version state lives in a non-secret registry (`SharedPreferences` on Android, `UserDefaults` on iOS). Delete the app's data to reset.
 
 ## [6.0.0-rc.12](https://github.com/mcodex/react-native-sensitive-info/compare/v6.0.0-rc.11...v6.0.0-rc.12) (2025-12-16)
 
 
@@ -309,7 +309,7 @@ function RotationButton() {
 | Master key | Android Keystore (`AES/GCM`, StrongBox when available) | Secure Enclave-gated (P-256) + AES-GCM |
 | Authentication | BiometricPrompt (Class 3 preferred), device credential fallback | LAContext / Face ID / Touch ID / Optic ID |
 | At-rest integrity | AES-GCM authentication tag | AES-GCM authentication tag |
-| Key rotation | Versioned Keystore aliases, lazy re-encryption | Versioned KEKs, lazy re-wrap |
+| Key rotation | Versioned Keystore aliases, lazy re-encryption | Versioned Keychain metadata, lazy re-wrap (preserves original access control) |
 | Error classification | Typed `SensitiveInfoError` subclasses via `/errors` subpath | Same |
 
 Typed errors can be imported from the `/errors` subpath for tree-shakeable error handling: